[squid-users] Invalid Request on Squid-2.6S4
Hi all,

I got these error messages after implementing tproxy and transparent interception on Squid-2.6.S4.

---cache.log
2006/11/01 01:05:36| clientReadRequest: FD 15 (192.168.1.2:2327) Invalid Request
2006/11/01 01:05:36| clientReadRequest: FD 15 (192.168.1.2:2328) Invalid Request
2006/11/01 01:05:37| clientReadRequest: FD 15 (192.168.1.3:24163) Invalid Request
2006/11/01 01:05:42| clientReadRequest: FD 15 (192.168.1.3:24164) Invalid Request

---access.log
1162317936.603 0 192.168.1.2 TCP_DENIED/400 2512 GET error:invalid-request - NONE/- text/html
1162317936.767 0 192.168.1.2 TCP_DENIED/400 2436 POST error:invalid-request - NONE/- text/html
1162317937.452 0 192.168.1.3 TCP_DENIED/400 1875 GET error:invalid-request - NONE/- text/html
1162317942.598 0 192.168.1.3 TCP_DENIED/400 1875 GET error:invalid-request - NONE/- text/html

Squid is running but no one can browse the internet. Any idea how to solve this?

tia,
Zul

Re: [squid-users] Invalid Request on Squid-2.6S4
> Hi all,
>
> I got these error messages after implementing tproxy and transparent interception on Squid-2.6.S4.
>
> ---cache.log
> 2006/11/01 01:05:36| clientReadRequest: FD 15 ...

Which error(s) are seen in the browser?

M.

Re: [squid-users] Max Object Size and Download Speeds
On 03.11.06 10:17, Ow Mun Heng wrote:
> When setting Max Object size to its default 4MB, I get good browsing and download speeds (large files). When I increase the Size to say 50MB (so that more BIG files get cached), I noticed that the download speeds become slower. (~ 1/2)

probably because more files get cached, which leads to higher cache load.

> Is there a correlation to the Max Object size to the file-size?

yes, object size is very close to the filesize + HTTP headers size

> or do you guys think it's only due to the Speed of the Hardware? BTW, this is a white box server on a 7200 RPM IDE disk serving ~300 users.

see FAQ on squid performance tuning.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.

Re: [squid-users] Invalid Request on Squid-2.6S4
--- Mark Elsen [EMAIL PROTECTED] wrote:
> - Check the squid faq on interception, you need extra settings in squid.conf for that, don't know them on the fly.
>
> M.

Here is my squid.conf and iptables rule

---squid.conf
http_port 3128 tproxy transparent
acl john src 192.168.1.2/255.255.255.255
acl mary src 192.168.1.3/255.255.255.255
http_access allow john
http_access allow mary
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all
cache_effective_user squid
cache_effective_group squid
tcp_outgoing_address 192.168.1.2 john
tcp_outgoing_address 192.168.1.3 mary

---iptables rule
iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

Did I miss something? Thanks.

rgds,
Zul

Re: [squid-users] tproxy and transparent interception fails on squid-2.6stable4 ?
Thu 2006-11-02 at 04:13 -0800, zulkarnain wrote:
> The kernel and iptables have been patched with the tproxy patches. These patches should work since I saw iptable_tproxy and ipt_tproxy are loaded in the kernel. After squid is started, no one can browse the website and I found many Invalid Request (clientReadRequest TCP_DENIED) entries in both access.log and cache.log.

How is your http_port configured? Need to use the transparent and tproxy options.

Regards
Henrik

Re: [squid-users] purge + load question
Thu 2006-11-02 at 11:44 -0800, Dan Thomson wrote:
> I have a quick question about what really happens when you purge an object from the cache.

Depends on if the object is using Vary or not.

If it's not using Vary then it gets deleted from the cache.

If Vary is involved then it gets a bit more complicated and purge most often doesn't work well.

Regards
Henrik

Re: [squid-users] Max Object Size and Download Speeds
Fri 2006-11-03 at 10:17 +0800, Ow Mun Heng wrote:
> When setting Max Object size to its default 4MB, I get good browsing and download speeds (large files). When I increase the Size to say 50MB (so that more BIG files get cached), I noticed that the download speeds become slower. (~ 1/2)

Did you also increase max_object_size_in_memory? Don't. The memory cache is terribly inefficient in handling large objects.

Regards
Henrik

[squid-users] HTTP/1.1
Does squid handle HTTP/1.1 requests like this one (Taken from the error page, never mind the lack of whitespace)?

POST /uniprot/Q99M31 HTTP/1.1 TE: deflate,gzip;q=0.3Connection: TE, closeHost: http://www.expasy.orgUser-Agent: MyAgent/0.1 libwww-perl/5.805

--
Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin, Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin, Fax. +49 (0)30-450 570-962
IT Centre, CBF site; send no mail to [EMAIL PROTECTED]

Re: [squid-users] http_access and proxy_auth
Fri 2006-11-03 at 08:06 +0100, Mark Elsen wrote:
> > ---
> > acl my_auth proxy_auth REQUIRED
> > acl google dstdomain .google.com
> > http_access allow my_auth
> > http_access deny google my_auth
> > http_access deny all
> >
> > In this case if the user requests www.google.com then the second http_access line matches and triggers re-authentication. Remember: it's always the last ACL on a http_access line that matches.
> > ---
>
> No, it's the first ACL on a http_access line that matches, in your case, the 2 last ones will never be reached.

The section is talking about deny_info and the text is correct, but the config example is broken for the reasons mentioned.

For deny_info it's the last acl on the http_access deny line that matches.

In http_access it's the first http_access line matching the request that tells if the request is allowed or denied. The rest of the http_access lines are never reached.

Regards
Henrik

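The first-match rule described in the message above, as an added example that is not part of the original thread or of Squid itself. It is a simplified Python model: the ACL predicates, the request dictionaries, the shadowed-rule check and the reordered rule set are assumptions made for illustration, and a request without credentials simply fails `my_auth` instead of receiving a 407 challenge.

```python
# Added example: simplified model of how Squid walks http_access lines.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    acls: tuple   # ACL names on the line, ANDed together; "!name" negates


def parse_http_access(conf_text):
    """Extract http_access lines, in order, from squid.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "http_access" and tokens[1] in ("allow", "deny"):
            rules.append(Rule(tokens[1], tuple(tokens[2:])))
    return rules


def acl_matches(name, request, acl_defs):
    negate = name.startswith("!")
    result = acl_defs[name[1:] if negate else name](request)
    return result != negate


def evaluate(rules, request, acl_defs):
    """Return (action, matching line number, ACL that selects deny_info)."""
    for number, rule in enumerate(rules, start=1):
        if all(acl_matches(a, request, acl_defs) for a in rule.acls):
            # The first matching line decides; later lines are never consulted.
            # On a deny line, the last ACL is the one deny_info is looked up for.
            deny_info_acl = rule.acls[-1] if rule.action == "deny" else None
            return rule.action, number, deny_info_acl
    # No line matched: the opposite of the last line's action applies.
    default = "allow" if rules and rules[-1].action == "deny" else "deny"
    return default, None, None


def shadowed_rules(rules):
    """Find lines that can never decide a request: an earlier line whose ACL
    set is a subset of theirs matches every request they would match."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if set(rules[j].acls) <= set(later.acls):
                found.append((i + 1, j + 1))
                break
    return found


# Constructed ACL predicates standing in for the acl lines quoted in the thread.
ACL_DEFS = {
    "all": lambda req: True,
    "my_auth": lambda req: req.get("user") is not None,
    "google": lambda req: req["host"] == "google.com" or req["host"].endswith(".google.com"),
}

# The rule order quoted in the thread.
BROKEN = """\
http_access allow my_auth
http_access deny google my_auth
http_access deny all
"""

# Assumed reordering (not from the thread) so the deny line can be reached.
REORDERED = """\
http_access deny google my_auth
http_access allow my_auth
http_access deny all
"""

if __name__ == "__main__":
    request = {"user": "alice", "host": "www.google.com"}  # constructed request
    for label, conf in (("quoted order", BROKEN), ("reordered", REORDERED)):
        rules = parse_http_access(conf)
        print(label, evaluate(rules, request, ACL_DEFS), "shadowed:", shadowed_rules(rules))
```
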
Re: [squid-users] have some acl to limite the request frequency
Fri 2006-11-03 at 14:28 +0800, huang mingyou wrote:
> hi, list. I want to limit the client's request frequency. For example, only allow 100 requests in 1 minute. Is there some acl or patch that can do this?

Not today, but it should not be very hard to add one. The required information is there in the clientdb, it's just to implement a new acl type matching the value.

Regards
Henrik

[squid-users] Re: HTTP/1.1
* Ralf Hildebrandt [EMAIL PROTECTED]:
> Does squid handle HTTP/1.1 requests like this one (Taken from the error page, never mind the lack of whitespace)?
>
> POST /uniprot/Q99M31 HTTP/1.1 TE: deflate,gzip;q=0.3Connection: TE, closeHost: http://www.expasy.orgUser-Agent: MyAgent/0.1 libwww-perl/5.805

The error message as displayed in German on screen:

Während des Versuches, die Anfrage

POST /uniprot/Q99M31 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.expasy.org
User-Agent: MyAgent/0.1 libwww-perl/5.805

zu verarbeiten, trat der folgende Fehler auf:

Ungültige Anfrage

Ein Teil der HTTP-Anfrage ist ungültig. Mögliche Gründe:

Fehlende oder unbekannte Anfrage-Methode (GET, POST)
Fehlender URL
Fehlender HTTP Identifier (HTTP/1.0)
Anfrage ist zu groß
Content-Length fehlt für POST- oder PUT-Anfragen
Ungültige Zeichen im Hostnamen - z.B. Unterstriche ('_'), Umlaute und Kommata sind nicht erlaubt.

--
Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin, Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin, Fax. +49 (0)30-450 570-962
IT Centre, CBF site; send no mail to [EMAIL PROTECTED]

Re: [squid-users] Invalid Request on Squid-2.6S4
Fri 2006-11-03 at 01:13 -0800, zulkarnain wrote:
> http_port 3128 tproxy transparent

Ok.

> ---iptables rule
> iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

Also looks fine.

No idea what goes wrong. Should work from what I can tell, but I don't have an environment where I can test tproxy.

Regards
Henrik

Re: [squid-users] forwarding loop in interception caching
Wed 2006-11-01 at 16:28 +0200, genco yilmaz wrote:
> After looking into my configuration I found that that header is caused by our redirector process. Then I have added this;
> redirect_rewrites_host_header off

Ok. Wasn't aware you are using a redirector.

Do you have any cache_peer lines in squid.conf?

What does your interception rule look like?

Regards
Henrik

Re: [squid-users] page goes into a loop
Tue 2006-10-31 at 10:31 +0200, genco yilmaz wrote:
> When I try to view this page http://portal.osym.gov.tr/ using squid, the browser goes into a loop and does not display the page, but if I disable using the proxy, it is displayed properly. Page content seems to have a loop that calls itself. Do you have any idea about this weird problem?

What does access.log say?

Regards
Henrik

Re: [squid-users] HTTP/1.1
> Does squid handle HTTP/1.1 requests like this one (Taken from the error page, never mind the lack of whitespace)?
>
> POST /uniprot/Q99M31 HTTP/1.1 TE: deflate,gzip;q=0.3Connection: TE, closeHost: http://www.expasy.orgUser-Agent: MyAgent/0.1 libwww-perl/5.805

- Check access.log for the request
- Check cache.log for further (error) info.
- Set browser to use http1.0 through the proxy (if possible), as a test to check whether it works then.

M.

Re: [squid-users] HTTP/1.1
Fri 2006-11-03 at 11:46 +0100, Ralf Hildebrandt wrote:
> Does squid handle HTTP/1.1 requests like this one (Taken from the error page, never mind the lack of whitespace)?
>
> POST /uniprot/Q99M31 HTTP/1.1 TE: deflate,gzip;q=0.3Connection: TE, closeHost: http://www.expasy.orgUser-Agent: MyAgent/0.1 libwww-perl/5.805

This is not a proxy request. The URI in POST should be a full URL in proxy mode, not just the local URI on the requested web server.

Other than that there was nothing obvious to get upset about.

What's said in cache.log?

Regards
Henrik

Re: [squid-users] cache log Warnings
> 2006/09/25 07:45:10| WARNING: Disk space over limit: 194960 KB 102400 KB
> 2006/09/25 07:45:21| WARNING: Disk space over limit: 187308 KB 102400 KB
> 2006/09/25 07:45:32| WARNING: Disk space over limit: 175636 KB 102400 KB
> 2006/09/25 07:45:43| WARNING: Disk space over limit: 161808 KB 102400 KB
> 2006/09/25 07:45:54| WARNING: Disk space over limit: 148768 KB 102400 KB
> 2006/09/25 07:46:05| WARNING: Disk space over limit: 141440 KB 102400 KB
> 2006/09/25 07:46:17| WARNING: Disk space over limit: 128740 KB 102400 KB
> 2006/09/25 07:46:28| WARNING: Disk space over limit: 119816 KB 102400 KB

Hello,

Disk space over limit might be because the swap.state file has been corrupted. Such corruption can occur on unexpected system shutdowns (power failure, kernel panic etc.).

This can be solved by the following:

1. Shutdown squid.
2. Remove the swap.state files from your cache directories.
3. Start Squid again. It will rebuild swap.state from the cache files.

Thanks,
ViSolve Squid Team.
www.visolve.com/squid/

Re: [squid-users] Max Object Size and Download Speeds
On Fri, 2006-11-03 at 11:42 +0100, Henrik Nordstrom wrote:
> Fri 2006-11-03 at 10:17 +0800, Ow Mun Heng wrote:
> > When setting Max Object size to its default 4MB, I get good browsing and download speeds (large files). When I increase the Size to say 50MB (so that more BIG files get cached), I noticed that the download speeds become slower. (~ 1/2)
>
> Did you also increase max_object_size_in_memory? Don't. The memory cache is terribly inefficient in handling large objects.

Nope. Nothing has been changed except for the Max Obj Size.

maximum_object_size_in_memory = 64KB

> Regards
> Henrik

Re: [squid-users] Max Object Size and Download Speeds
On Fri, 2006-11-03 at 10:00 +0100, Matus UHLAR - fantomas wrote:
> On 03.11.06 10:17, Ow Mun Heng wrote:
> > When setting Max Object size to its default 4MB, I get good browsing and download speeds (large files). When I increase the Size to say 50MB (so that more BIG files get cached), I noticed that the download speeds become slower. (~ 1/2)
>
> probably because more files get cached, which leads to higher cache load.

Initially I thought it was due to the HD, but looking at iostat numbers, it doesn't seem so.

avg-cpu:  %user   %nice    %sys %iowait   %idle
          12.50    0.00   32.50    5.25   49.75

Device:    tps   kB_read/s   kB_wrtn/s   kB_read   kB_wrtn
hda      15.08       40.20      251.26        80       500
hda1      0.00        0.00        0.00         0         0
hda2      0.00        0.00        0.00         0         0
hda3     70.35       40.20      251.26        80       500

> > or do you guys think it's only due to the Speed of the Hardware? BTW, this is a white box server on a 7200 RPM IDE disk serving ~300 users.
>
> see FAQ on squid performance tuning.

Re: [squid-users] squid reverse proxy with ssl: access denied
i found out that i could remove this line:

sslproxy_flags DONT_VERIFY_PEER

but as soon as i removed sslflags=DONT_VERIFY_PEER in the cache_peer line i was not able to connect to wl81machine from the internet, and the terminal window on wl81machine spat out stuff like this:

Error Security BEA-090133 Could not load a jks keystore from the file /usr/bea/jdk142_05/jre/lib/security/cacerts. Exception: java.io.IOException: Keystore was tampered with, or password was incorrect
Warning Security BEA-090164 Failed to load trusted certificates from keystore /usr/bea/jdk142_05/jre/lib/security/cacerts of type jks
Warning Security BEA-090172 No trusted certificates have been loaded. Server will not trust to any certificate it receives.
Info WebLogicServer BEA-000307 Exportable key maximum lifespan set to 500 uses.
Info WebLogicServer BEA-000300 Certificate contents: 1 certificate(s): fingerprint = 9159e9828376b26ccc9e68daadeb0f0d, not before = Tue Oct 31 09:38:10 CET 2006, not after = Mon Jan 29 09:38:10 CET 2007, holder = C=se SP=minkommune L=minby O=minbedrift OU=teknisk CN=minbedrift.no-ip.com , issuer = C=se SP=minkommune L=minby O=minbedrift OU=teknisk CN=minbedrift.no-ip.com , key = modulus length=129, exponent length=3
...
Warning Security BEA-090487 UNKNOWN_CA alert received from deb3machine.lan - 192.168.0.9. The peer is rejecting the certificate chain as being untrusted or incomplete.

- where deb3machine is the one running the squid reverse proxy with ssl...

it also works just fine with and without originserver in the cache_peer line...weird...it seems to make no difference.

thanks for the cosmetic note =) implemented ;)

for those interested, here's my squid.conf:
http://norgesinternettforum.no/showpost.php?p=2652postcount=2

one question i still have though is, when something does go wrong, the error page shows the ip address to the internal machine. i don't want that. is that an error page template i need to edit to remove that? how would i get it to display the external domain name instead (if possible)?

thanks
Nick Humphrey

2006/11/2, Henrik Nordstrom [EMAIL PROTECTED]:
> Thu 2006-11-02 at 15:54 +0100, nick humphrey wrote:
> > cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query
>
> DONT_VERIFY_PEER opens you to man-in-the-middle attacks. Better to give it the CA information needed to validate the peer.
>
> Also you need the originserver option to tell Squid it's an origin server.
>
> Cosmetic note: I find it easier to read using ICP port 0 when using the no-query option.
>
> Regards
> Henrik

[squid-users] Squid logs only Subnet Address (and not real IP)
Hi there,

I made an upgrade of my debian, updating some of the packets I used in the past on my Debian Sarge.

I use stable packets of squid: v. 2.5.9-10sarge2 and sarg (as log analyzer): 2.0.5

Before, I was using squid and sarg and everything was working fine. Now, squid works very well, but doesn't log the IP addresses of the clients of my company, but only the subnet address (192.168.7.0).

Cristopher Haas (thx!!), who is posting here, then told me to check the client_netmask setting and actually, it was set so that no IP would have been logged. I changed client_netmask from 255.255.255.255 to 255.255.255.0, but the result is the same.

I am sure that squid upon load reads the correct config file, but still I don't know why it doesn't work.

Thanks in advance!
Marco Nicoloso

Re: [squid-users] Squid logs only Subnet Address (and not real IP)
> Hi there,
>
> I made an upgrade of my debian, updating some of the packets I used in the past on my Debian Sarge.
>
> I use stable packets of squid: v. 2.5.9-10sarge2 and sarg (as log analyzer): 2.0.5
>
> Before, I was using squid and sarg and everything was working fine. Now, squid works very well, but doesn't log the IP addresses of the clients of my company, but only the subnet address (192.168.7.0).
>
> Cristopher Haas (thx!!), who is posting here, then told me to check the client_netmask setting and actually, it was set so that no IP would have been logged. I changed client_netmask from 255.255.255.255 to 255.255.255.0, but the result is the same.
>
> I am sure that squid upon load reads the correct config file, but still I don't know why it doesn't work.

To verify the used config file, use cachemgr, where you can retrieve the config file (again). Double check the netmask setting.

M.

Re: [squid-users] squid reverse proxy with ssl: access denied
Fri 2006-11-03 at 14:48 +0100, nick humphrey wrote:
> but as soon as i removed sslflags=DONT_VERIFY_PEER in the cache_peer line i was not able to connect to wl81machine from the internet, and the terminal window on wl81machine spat out stuff like this:

OpenSSL on your Squid did not know/trust the CA who has signed the key of the web server.

The list of trusted CAs can be defined in many ways, i.e. cafile= or capath=, or even OpenSSL builtin default locations.

cafile wants a file containing the public certificates of the trusted CAs, in PEM format.

capath wants an OpenSSL hashed directory of CA certificates.

> it also works just fine with and without originserver in the cache_peer line...weird...it seems to make no difference.

The originserver option is a bit subtle. Most servers work kind of acceptably without it, but not all. Also some protocol features like persistent connections or authentication require it to be set properly.

> one question i still have though is, when something does go wrong, the error page shows the ip address to the internal machine. i don't want that. is that an error page template i need to edit to remove that?

Yes, it's in the error directory.

> how would i get it to display the external domain name instead (if possible)?

The available template codes can be found in the FAQ section on writing custom error messages.

Regards
Henrik

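A configuration check for the peer-verification point made in this thread, as an added example that is not part of the original messages or of Squid. It assumes the cache_peer spellings sslcafile= and sslcapath= for the CA options mentioned above; the sample configuration, the extra peer addresses and the CA file path are constructed.

```python
# Added example: flag squid.conf lines that talk TLS to a peer without
# verifying its certificate.
import re


def audit_peer_tls(conf_text):
    """Return (line_number, severity, message) findings for TLS peer settings."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]

        if directive == "sslproxy_flags":
            flags = re.split(r"[:,]", ",".join(args))
            if "DONT_VERIFY_PEER" in flags:
                findings.append((number, "high",
                                 "sslproxy_flags disables peer certificate verification"))

        elif directive == "cache_peer" and "ssl" in args:
            # key=value options on the peer line, e.g. sslflags=..., sslcafile=...
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            flags = re.split(r"[:,]", opts.get("sslflags", ""))
            if "DONT_VERIFY_PEER" in flags:
                findings.append((number, "high",
                                 "cache_peer %s accepts any certificate "
                                 "(open to man-in-the-middle)" % args[0]))
            elif "sslcafile" not in opts and "sslcapath" not in opts:
                # Verification stays on, but only OpenSSL's default
                # locations are consulted for the signing CA.
                findings.append((number, "info",
                                 "cache_peer %s has no explicit CA; "
                                 "relies on OpenSSL default trust locations" % args[0]))
    return findings


# Constructed sample. Line 3 is the cache_peer line quoted in the thread;
# line 4 is the same peer with verification left on and a CA file supplied
# (hypothetical path); lines 5 and 6 are made-up peers for contrast.
SAMPLE_CONF = """\
# reverse proxy peers
sslproxy_flags DONT_VERIFY_PEER
cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query
cache_peer 192.168.0.150 parent 8080 0 ssl sslcafile=/etc/squid/peer-ca.pem no-query originserver
cache_peer 192.168.0.151 parent 8080 0 ssl no-query originserver
cache_peer 192.168.0.152 parent 3128 3130
"""

if __name__ == "__main__":
    for number, severity, message in audit_peer_tls(SAMPLE_CONF):
        print("line %d [%s] %s" % (number, severity, message))
```
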
RE: [squid-users] http_access and proxy_auth
Try

http_access deny !my_auth

-----Original Message-----
From: Colin Campbell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 02, 2006 11:18 PM
To: squid-users@squid-cache.org
Subject: [squid-users] http_access and proxy_auth

Hi,

I should know this but reading FAQ and things is just confusing me. If we have:

acl authenticated proxy_auth REQUIRED

When would any http_access lines even get used if they appear after something like:

http-access permit authenticated

I ask because my understanding is that anyone who has authenticated would match this line and never go past it.

If I'm not stupid and that is in fact the case, then is the following, from http://workaround.org/moin/HowSquidAclsWork, incorrect?

---
acl my_auth proxy_auth REQUIRED
acl google dstdomain .google.com
http_access allow my_auth
http_access deny google my_auth
http_access deny all

In this case if the user requests www.google.com then the second http_access line matches and triggers re-authentication. Remember: it's always the last ACL on a http_access line that matches.
---

If the user has authenticated, when would the second or indeed the third http_access line ever be reached?

Colin

--
Colin Campbell
Unix Support/Postmaster/Hostmaster
Citec
+61 7 3227 6334

Re: [squid-users] Transparent Caching with Cisco PIX
On Fri, 2006-11-03 at 04:20 +0300, Andrew Pantyukhin wrote:

Thanks for all replies!
I'll try that wccp thing. (next week)
I'll post a working config, if it will work :-)

Greetings,
Rainer.

> On 11/1/06, Rainer Schweitzer [EMAIL PROTECTED] wrote:
> > Hi,
> > Some of the cisco cracks may have an advice for me? I want to set up a transparent proxy and I want the PIX to redirect all webtraffic (i.e. dest. port 80) from the LAN-users to the Proxy in the DMZ. Maybe the Firewall software 7 offers a good solution?
> > I know, this problem is more cisco-related than squid-related.
>
> Pix 7.x supports wccp. I don't know of any solution for squid + pix 6.x.

[squid-users] delay pools problem
Hello ppl,

I'm trying to configure delay pools under squid but it seems that the restrictions I configure don't get applied. I'm running UBUNTU 6.10 with squid 2.6STABLE1.

my squid.conf (part of it) is this:

acl nets src 10.0.88.0/24
acl nets src 10.0.92.0/24
acl nets src 10.0.244.0/24
acl nets src 10.9.96.0/24
acl alunos src 10.9.160.0/24
acl nets src 10.9.252.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow Safe_ports
http_access deny !Safe_ports
http_access allow SSL_ports
http_access deny CONNECT !SSL_ports
#http_access allow all
http_access allow localhost
#http_access allow alunos
http_access deny all
http_reply_access allow all
#http_reply_access allow alunos
icp_access allow all
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname proxy.e-U
delay_pools 1
delay_class 1 3
delay_access 1 allow alunos
delay_access 1 deny all
delay_parameters 1 8/8 -1/-1 16000/16000

I'm trying to limit the bandwidth of each IP address to 16Kbytes/s, but in all my tests I can download an ISO at 70 - 80 Kbytes/s in firefox without any download manager.

I've also tried this:

#delay_pools 2
#delay_class 1 2
#delay_parameters 1 8/8 8000/8000
#delay_access 1 allow alunos
#delay_access 1 deny all
#delay_access 2 allow nets
#delay_access 2 deny all
#delay_class 2 1
#delay_parameters 2 -1/-1

I haven't got it either. I'm the only person connected to the proxy at the moment because I'm still configuring it.

Am I doing something wrong? Is it the fact that I'm the only one, or should the above config limit my download speed at 16Kbytes??

Please help
Rui Silva

PS. My english is not as good as I would like. Sorry

--
Rui Silva
http://rukinhas.no-ip.org

Re: [squid-users] Max Object Size and Download Speeds
Fri 2006-11-03 at 21:11 +0800, Ow Mun Heng wrote:
> Initially I thought it was due to the HD, but looking at iostat numbers, it doesn't seem so.

What cache_dir type are you using?

Regards
Henrik

Re: [squid-users] Squid logs only Subnet Address (and not real IP)
Fri 2006-11-03 at 16:55 +0300, Marco Nicoloso wrote:
> I changed client_netmask from 255.255.255.255 to 255.255.255.0, but the result is the same.

A client_netmask of 255.255.255.0 will mask away the last portion of the IP address, always logging XX.XX.XX.0

Regards
Henrik

Re: [squid-users] delay pools problem
Fri 2006-11-03 at 17:54 +, Rui Silva wrote:
> Hello ppl,
>
> I'm trying to configure delay pools under squid but it seems that the restrictions I configure don't get applied. I'm running UBUNTU 6.10 with squid 2.6STABLE1.

Please try upgrading. There have been issues with delay pools for some time. All should be fixed in the current 2.6.STABLE5 release.

Regards
Henrik

Re: [squid-users] Invalid Request on Squid-2.6S4
Hi Henrik,

Now I have upgraded and compiled squid to 2.6Stable5. If squid.conf is configured not to use a specific ip address on tcp_outgoing_address, there are error messages in cache.log as shown below. However, with this config I'm able to browse websites but unable to spoof the client ip address.

2006/11/04 02:25:03| tproxy ip=192.168.1.2,0x1b9f5bcb,port=0 ERROR ASSIGN
2006/11/04 02:25:08| tproxy ip=192.168.1.2,0x1b9f5bcb,port=0 ERROR ASSIGN
2006/11/04 02:25:12| tproxy ip=192.168.1.3,0x1c9f5bcb,port=0 ERROR ASSIGN
2006/11/04 02:25:15| tproxy ip=192.168.1.2,0x1c9f5bcb,port=0 ERROR ASSIGN

and if I'm using a specific ip address, the error messages are as below and no one can access websites.

2006/11/04 01:05:46| commBind: Cannot bind socket FD 16 to 192.168.1.3:0: (99) Cannot assign requested address
2006/11/04 01:05:46| commBind: Cannot bind socket FD 16 to 192.168.1.2:0: (99) Cannot assign requested address
2006/11/04 01:05:46| commBind: Cannot bind socket FD 16 to 192.168.1.3:0: (99) Cannot assign requested address

Any help would be great. Thanks.

rgds,
Zul

--- Henrik Nordstrom [EMAIL PROTECTED] wrote:
> Fri 2006-11-03 at 01:13 -0800, zulkarnain wrote:
> > http_port 3128 tproxy transparent
>
> Ok.
>
> > ---iptables rule
> > iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>
> Also looks fine.
>
> No idea what goes wrong. Should work from what I can tell, but I don't have an environment where I can test tproxy.
>
> Regards
> Henrik

[squid-users] Blocking sites with squd and squidguard
Hi all,

is it possible to block web sites using squidguard and ACL's from squid.conf ??? Or do I have to use just one method ???

Because I use the redirect_program /usr/bin/squidGuard tag perfectly but if I built an ACL into the squid.conf like this:

acl web_xxx dstdomain .gemidos.com.ar

and then:

http_access deny web_xxx

I can enter to www.gemidos.com.ar without any restriction, the ACL does not work.

Can you help me ???

Thanks a lot,
alejandro

Re: [squid-users] Blocking sites with squd and squidguard
On 03.11.06 18:12, Alejandro wrote:
> Hi all, is it possible to block web sites using squidguard and ACL's from squid.conf ??? Or do I have to use just one method ???

you can do both.

> Because I use the redirect_program /usr/bin/squidGuard tag perfectly but if I built an ACL into the squid.conf like this:
>
> acl web_xxx dstdomain .gemidos.com.ar
>
> and then:
>
> http_access deny web_xxx
>
> I can enter to www.gemidos.com.ar without any restriction, the ACL does not work.

it depends on other rules...

you don't have to use squidguard just because of this problem, however using it is more efficient in some cases.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller

[squid-users] Re: Anyone have sibling caches working on a reverse proxy?
bump

On 10/28/06, Edward Rosinzonsky [EMAIL PROTECTED] wrote:
> Does anyone have sibling caches working on a reverse proxy (accelerating a server), in 2.6? If so, can you please send me your configuration file.
>
> Thanks.

Re: [squid-users] Problem with TCP_MEM_HITs
Santiago del Castillo wrote:
> Hi, sorry, when I said maximum_object_size I wanted to say maximum_object_size_in_memory :P.
>
> Right now (I don't know how) it's working. Here is some info:
>
> Cache information for squid:
>     Request Hit Ratios:        5min: 92.0%, 60min: 92.3%
>     Byte Hit Ratios:           5min: 35.5%, 60min: 34.7%
>     Request Memory Hit Ratios: 5min: 61.6%, 60min: 60.2%
>     Request Disk Hit Ratios:   5min: 0.5%, 60min: 0.4%
>
> Memory usage for squid via mallinfo():
>     Total space in arena:  79176 KB
>     Ordinary blocks:       71934 KB   9224 blks
>     Small blocks:              0 KB      0 blks
>     Holding blocks:          432 KB      2 blks
>     Free Small blocks:         0 KB
>     Free Ordinary blocks:   7241 KB
>     Total in use:          72366 KB 91%
>     Total free:             7241 KB 9%
>     Total size:            79608 KB
>
> It's very VERY good compared with what I was getting before. My box is a P4 3.0 with 4 GB RAM under FedoraCore 5.
>
> Cheers and thanks,
> Santiago del Castillo

For what it's worth (and last I read), Squid only stores fetched-from-the-source objects in memory. Once an object has been flushed to disk (like on shutdown) it will not pull subsequent CACHE_HITS into the memory cache. Hence the suggestion of letting the OS use the majority of memory for disk caching.

Chris

Re: [squid-users] delay pools problem
Fri 2006-11-03 at 21:32 +, Rui Silva wrote:
> so my configuration was right??

I think so, but I have not verified fully as I don't trust the delay pools of the old Squid-2.6.STABLE1 version you were using at all.

Any release earlier than 2.6.STABLE5 will behave oddly in delay pools in most configurations. And releases earlier than 2.6.STABLE3 will often give a lot more bandwidth than intended, often ignoring the delay pool settings completely.

Regards
Henrik

Re: [squid-users] delay pools problem
Fri 2006-11-03 at 23:30 +, Rui Silva wrote:
> and are you sure that in 2.6S5 all these problems are solved. I've checked the diff, and they didn't say anything about that.

Yes.

http://www.squid-cache.org/Versions/v2/2.6/ChangeLog.txt

In 2.6.STABLE1 to 4 and to some extent earlier releases delay pools are unevenly distributed to the waiting clients. This was fixed in 2.6.STABLE5.

In 2.6.STABLE1 & 2 delay pools is quite broken, often resulting in unlimited bandwidth. This was fixed in STABLE3.

In 2.5.STABLE12 and earlier squid -k reconfigure is broken, doubling the restore rate on each squid -k reconfigure. This was fixed in 2.5.STABLE13.

> Have you tested it?

Yes, as part of writing the fixes.

Regards
Henrik

Re: [squid-users] Re: cache_peer problenms in accelerator mode
ok, I solved my problem. I had the following line in my conf file:

hierarchy_stoplist cgi-bin ?

And since all of my queries have a ? in them, no icp requests were sent. Removing the line solved the problem.

Thanks.

On 10/28/06, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> Fri 2006-10-27 at 21:39 -0700, Edward Rosinzonsky wrote:
> > unfortunately I still haven't been able to get sibling caches to work. However I occasionally see the following line in access.log:
> >
> > 1162009609.788 0 192.168.1.136 TCP_MISS/200 299 GET internal://rele132.relevad.lan/squid-internal-dynamic/netdb - NONE/- -
> >
> > what does that mean exactly?
>
> netdb exchanges between the proxies.
>
> Regards
> Henrik

[squid-users] multicast peers: Does squid join the multicast group?
Hi,

I'm trying to configure multicast peers, but it doesn't look like the group is being joined. When I configure it with the all-hosts group like so:

cache_peer 224.0.0.1 multicast 80 3130 ttl=4

The icp queries are received and everything works. However when I use a different multicast group, like 224.9.9.9 or 239.0.0.2, the peers do not receive icp queries. Also, when I do cat /proc/net/igmp, I see the 224.0.0.1 group but not the others.

Any help would be very appreciated.

Thanks.

Re: [squid-users] multicast peers: Does squid join the multicast group?
Could you please put this into the Squid Bugzilla so we can track this as a bug?

Thanks,
Adrian

On Fri, Nov 03, 2006, Edward Rosinzonsky wrote:
> Hi,
>
> I'm trying to configure multicast peers, but it doesn't look like the group is being joined. When I configure it with the all-hosts group like so:
>
> cache_peer 224.0.0.1 multicast 80 3130 ttl=4
>
> The icp queries are received and everything works. However when I use a different multicast group, like 224.9.9.9 or 239.0.0.2, the peers do not receive icp queries. Also, when I do cat /proc/net/igmp, I see the 224.0.0.1 group but not the others.
>
> Any help would be very appreciated.
>
> Thanks.