Re: [squid-users] How to run squid with root capability?
--- "L.TK" <[EMAIL PROTECTED]> wrote:
> comment these lines below in src/main.c
>
>     if (geteuid() == 0) {
>         debug(0, 0) ("Squid is not safe to run as root! If you must\n");
>         debug(0, 0) ("start Squid as root, then you must configure\n");
>         debug(0, 0) ("it to run as a non-priveledged user with the\n");
>         debug(0, 0) ("'cache_effective_user' option in the config file.\n");
>         fatal("Don't run Squid as root, set 'cache_effective_user'!");
>     }
>
> recompile squid and there you go

unable to compile this, here is the error;

main.c:490:17: error: missing binary operator before token "("
main.c:490:1: error: unterminated #if
main.c: In function 'setEffectiveUser':
main.c:486: error: expected declaration or statement at end of input
make[3]: *** [main.o] Error 1
make[3]: *** Waiting for unfinished jobs
Re: [squid-users] can any transparent mode handle SSL and FTP for access control
Tue 2006-12-12 at 08:13 +0800, Adrian Chadd wrote:
> Apparently the old cisco cache engines implemented -something- to do with
> transparent FTP proxying but I've been concentrated on the web cache service
> stuff.

Most clients do not verify the server identity on the data channel, so you only need to intercept port 21, then run the data channel as if they connected directly to you. But some clients do verify the data channel to actually be from/to the requested server...

Regards
Henrik
Re: [squid-users] generic kerberos support in 2.6?
On Tue, 2006-12-12 at 05:29 +0100, Henrik Nordstrom wrote:
> In theory it may be possible to use Samba ntlm_auth without an ADS
> setup.

Yeah, I had wondered too if ntlm_auth could be used with Samba configured to use either PAM locally, which would use kerberos or if Samba had any direct kerberos support in it (doubtful). Doesn't ntlm_auth with spnego need samba >-4 though?

> But I don't know if it will work or how one configures Samba for
> such setups.

Indeed. Certainly if one has Samba already configured and in use, it would hopefully not be much more, but to install and configure Samba just for squid is a bit much -- I suppose if one really wants SSO though.

But my suggestion of using ntlm_auth was not so much in its binary form but as a source of SPNEGO handling. IIUC, ntlm_auth takes the SPNEGO blob from the client via squid and unpacks it and does the NTLM auth with the MS Goop(tm) doesn't it?

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Re: [squid-users] generic kerberos support in 2.6?
Mon 2006-12-11 at 18:54 -0500, Brian J. Murrell wrote:
> Wouldn't an existing helper, like the ntlm_auth helper in Samba be of
> use? Does it not take the SPNEGO data from the browser and hand it off
> to some MS Goop(tm) for an authentication response? That would at least
> take care of the SPNEGO stuff, no?

In theory it may be possible to use Samba ntlm_auth without an ADS setup. But I don't know if it will work or how one configures Samba for such setups.

Regards
Henrik
Re: [squid-users] can any transparent mode handle SSL and FTP for access control
On Tue, Dec 12, 2006, Adrian Chadd wrote:
> The second part, as Henrik replied, is in the case of a parent proxy.
> In this case it's not going to be end-to-end transparent anyway so you might
> be able to get away with Squid issuing a CONNECT to the upstream proxy and
> handing back the unencrypted data.

handing back the encrypted data.

(Adrian shouldn't be posting to squid-users before having morning coffee.)
Re: [squid-users] can any transparent mode handle SSL and FTP for access control
On Mon, Dec 11, 2006, Shaun Skillin (home) wrote:
> Thanks Adrian, I understand. Could you expand at on "hacking up squid"?
> I have an immediate need for access control of all web requests,
> including SSL. I know that if I set it in the browser, squid handles

I'd implement in two parts - the first part, for the transparent, non parent case, is to use a TCP tunnel between client and server. tproxy will ensure that the client thinks it's talking direct to server and server talks directly to client. There might be other stuff you can do for ACL matching on the SSL stream before things get nastily encrypted (eg match on the negotiation phase) but I haven't looked into it in that much depth.

The second part, as Henrik replied, is in the case of a parent proxy. In this case it's not going to be end-to-end transparent anyway so you might be able to get away with Squid issuing a CONNECT to the upstream proxy and handing back the unencrypted data.

In both cases you'll only be able to build ACLs that use src/destination IP (and stuff like time, etc.)

> all connections, including web, ssl, and ftp without a problem. So my
> real question is, if squid can (obviously) handle this traffic, can it
> be done in a transparent way instead of having to modify the browser. I
> think I need more education on how the packets are presented to squid in
> transparent vs. browser-based mode - browser-based sends everything via
> 3128, so squid gets it on port 3128 - couldn't I just do another NAT
> using iptables for this, and point 443 and 21 to 3128 as well as the
> current 80?

I've thought about transparently proxying FTP but it would require a little bit of hackery to do it with WCCPv2 without breaking clients.

test-2(config)#wccp ?
  custom-web-cache  Custom web caching service
  dns               Caching Domain Name Service
  flow-redirect     Redirect moved flows
  ftp               Transparent FTP proxy caching service

Apparently the old cisco cache engines implemented -something- to do with transparent FTP proxying but I've been concentrated on the web cache service stuff.

I'd be happy to do the feasibility work required but I can't say if/when I'm going to get a chance to implement this. Of course, if someone wanted to hire myself or Henrik to implement it in a short period of time I'm sure one of us could take care of it pretty quickly. It'd definitely help me finish off my WCCPv2 test lab as mask assignment-capable switch routers aren't cheap and I doubt anyone's going to donate one.. :)

Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Re: [squid-users] generic kerberos support in 2.6?
On Mon, 2006-12-11 at 00:11 +0100, Henrik Nordstrom wrote:
> What is missing is the helper...

Indeed. I think that is basically what I summarized in my followup e-mail. Pity.

> None of the squid developers knows Kerberos APIs or Microsoft SPNEGO
> packet format to write such helper, but we would be happy to guide
> anyone knowing the Kerberos and SPNEGO side of things how to interface
> with Squid.

Wouldn't an existing helper, like the ntlm_auth helper in Samba be of use? Does it not take the SPNEGO data from the browser and hand it off to some MS Goop(tm) for an authentication response? That would at least take care of the SPNEGO stuff, no?

> It's not a difficult thing at all if you have a SPNEGO
> authentication backend.

Indeed. Ten+ years ago and I'd be coding this up. Unfortunately so many other constraints on my time limit my hacking time these days. 'Tis a pity that this is the only piece missing. Much appreciate your input on answering this though.

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Re: [squid-users] AOL's webmail and logging in
On 12/12/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> No ideas at the moment, save for getting packet level traffic captures of
> both sessions and staring at them to see if anything obvious sticks out..

Thanks Henrik. I'll run a few tcpdump sessions and see what I can come up with.

> Btw, is this a transparent interception setup, or is the browser
> configured to use the proxy? If transparent interception try configuring
> the browser to use the proxy.

The browsers are configured to explicitly use the proxy. We do not do transparent proxying since it does not play nicely with integrated AD authentication schemes.

Regards,
--
Scott Jarkoff
Re: [squid-users] AOL's webmail and logging in
Tue 2006-12-12 at 07:43 +0900, Scott Jarkoff wrote:
> I have not enabled any of the anonymization features and make no use
> of any header_access directives. Do you have any other ideas as to why
> this might be happening or areas that you can point me towards?

No ideas at the moment, save for getting packet level traffic captures of both sessions and staring at them to see if anything obvious sticks out..

Btw, is this a transparent interception setup, or is the browser configured to use the proxy? If transparent interception try configuring the browser to use the proxy.

Regards
Henrik
RE: [squid-users] can any transparent mode handle SSL and FTP for access control
Mon 2006-12-11 at 13:26 -0700, Shaun Skillin (home) wrote:
> think I need more education on how the packets are presented to squid in
> transparent vs. browser-based mode

Squid does not look at packets. Squid looks at HTTP messages on top of TCP connections.

As HTTP is also using HTTP messages (it's the HTTP protocol) having port 80 (http) redirected to Squid kind of works. But Squid needs to be aware that this is done as the HTTP request format differs slightly for proxy vs origin server requests, and may also need correct interception support for the interception method used to find the intended destination as it's not always indicated in the supposedly direct connection to the server.

FTP is not HTTP, but an HTTP client configured to use an HTTP proxy for FTP forwards the requested ftp:// URL in an HTTP proxy request to the proxy, just as if it was a request for an http:// URL. Same thing for gopher etc..

SSL/https is different. As browsers behind a HTTP proxy also need to be able to access encrypted https content the HTTP protocol has a special proxy method for SSL connections, the CONNECT method. This method allows the browser to request the proxy to make a "direct" connection to the requested server with the proxy only acting as a dumb communication relay shuffling data between the two. When the method has completed the browser is given a full duplex TCP connection to the requested server:port and the proxy looks no further at the data exchanged (only shuffles it). You could say it's an escape hatch for HTTP clients out from a network where direct connections are not allowed.

Regards
Henrik
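The request forms described in the message above, as an added example that is not part of the original post and is not Squid code: a small classifier that shows which fields an access rule can match on when a request arrives in proxy form, as a CONNECT, or in origin-server form on an intercepted port 80 connection. The function names, the sample requests and the host names in them are constructed for illustration.

```python
"""Added illustration (not Squid code): what a proxy sees in each request form."""
from urllib.parse import urlsplit

# Default ports for the URL schemes mentioned in the post.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def _split_hostport(value, default_port):
    """Split 'host:port'; fall back to default_port when no numeric port is given."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), default_port


def classify_request(raw):
    """Return the request form and the fields an access rule could match on."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # e.g. a TLS handshake NATed straight to the proxy port: no HTTP message
        raise ValueError("not an HTTP request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # Tunnel request: the proxy learns host and port, never a path.
        host, port = _split_hostport(target, None)
        if port is None:
            raise ValueError("CONNECT target must be host:port")
        return {"form": "connect", "scheme": None, "host": host,
                "port": port, "path": None}

    if "://" in target:
        # Proxy form: the full URL (http://, ftp://, gopher://) is in the request line.
        url = urlsplit(target)
        scheme = url.scheme.lower()
        return {"form": "proxy", "scheme": scheme, "host": url.hostname,
                "port": url.port or DEFAULT_PORTS.get(scheme),
                "path": url.path or "/"}

    if target.startswith("/"):
        # Origin-server form, as seen on an intercepted connection. The host is
        # only known from the Host header; without one the destination has to
        # come from the interception layer.
        host, port = (None, None)
        if "host" in headers:
            host, port = _split_hostport(headers["host"], 80)
        return {"form": "origin", "scheme": "http", "host": host,
                "port": port, "path": target}

    raise ValueError("unrecognised request target")


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "browser -> proxy, http": b"GET http://www.example.com/index.html HTTP/1.0\r\n\r\n",
    "browser -> proxy, ftp": b"GET ftp://ftp.example.org/pub/README HTTP/1.0\r\n\r\n",
    "browser -> proxy, https": b"CONNECT mail.example.net:443 HTTP/1.0\r\n\r\n",
    "intercepted port 80": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "intercepted, no Host": b"GET /index.html HTTP/1.0\r\n\r\n",
}
# First bytes of a TLS handshake record, as would arrive if port 443 were
# simply redirected to the proxy port (constructed).
TLS_HANDSHAKE_PREFIX = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_request(raw))
    try:
        classify_request(TLS_HANDSHAKE_PREFIX)
    except ValueError as exc:
        print("redirected port 443 ->", exc)
```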
Re: [squid-users] AOL's webmail and logging in
On 12/10/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> Have you perhaps enabled any of the anonymization features, possibly
> stripping cookies? See if you have any header_access directives in your
> squid.conf. Default is none, applying no anonymization.

I have not enabled any of the anonymization features and make no use of any header_access directives. Do you have any other ideas as to why this might be happening or areas that you can point me towards?

Regards,
--
Scott Jarkoff
Re: [squid-users] can any transparent mode handle SSL and FTP for access control
Mon 2006-12-11 at 08:11 -0700, Shaun Skillin (home) wrote:
> I've been doing way too much reading, and so far not a "yes" answer, but
> thought I'd ask the list anyway...

It's a maybe..

FTP can be transparently intercepted by a FTP proxy capable of operating in that mode. See for example frox which also interoperates with Squid for caching. Squid is not an FTP proxy. Squid is an HTTP proxy capable of acting as an HTTP->FTP gateway for HTTP clients.

SSL is trickier as everything including the requested hostname is encrypted when not configured to use a proxy. When configured to use a proxy the hostname is revealed to the proxy in a CONNECT request. Adding support for intercepting SSL connections, transforming them into "anonymous" CONNECT ip:port request isn't a very difficult thing to do, but none of the Squid developers have considered this important as the usability of such function is very limited compared to have the browser configured to use the proxy.

Regards
Henrik
Re: [squid-users] How to run squid with root capability?
Mon 2006-12-11 at 04:17 -0800, zulkarnain wrote:
> How to started squid as root?

If starting Squid manually either log in as root, or su to root before starting Squid..

If Squid is started from init scripts then it is started as root.

Regards
Henrik
Re: [squid-users] Squid cannot start because it "can't open 'on' for writing..."
Mon 2006-12-11 at 17:53 +0100, Marcello Romani wrote:
> The only changes I have made to squid.conf is the addition of a few
> domains in a couple of ACLs. (I have posted my squid.conf in this thread).

I haven't seen your squid.conf posted and neither can it be found in the archives, only cache.log output showing the abort..

Note: we need the exact squid.conf from the time you had the problem, so getting it now after you somehow managed to get rid of the problem is probably useless..

Regards
Henrik
RE: [squid-users] can any transparent mode handle SSL and FTP for access control
Thanks Adrian, I understand. Could you expand at on "hacking up squid"? I have an immediate need for access control of all web requests, including SSL. I know that if I set it in the browser, squid handles all connections, including web, ssl, and ftp without a problem. So my real question is, if squid can (obviously) handle this traffic, can it be done in a transparent way instead of having to modify the browser. I think I need more education on how the packets are presented to squid in transparent vs. browser-based mode - browser-based sends everything via 3128, so squid gets it on port 3128 - couldn't I just do another NAT using iptables for this, and point 443 and 21 to 3128 as well as the current 80?

Thanks again,
Shaun

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Monday, December 11, 2006 8:17 AM
To: Shaun Skillin (home)
Cc: Squid Users
Subject: Re: [squid-users] can any transparent mode handle SSL and FTP for access control

On Mon, Dec 11, 2006, Shaun Skillin (home) wrote:
> I have squid working fine for HTTP traffic using WCCPv2, and have used
> it with policy routing without issue. I know that squid can't cache SSL
> connections, but is there a way (in a transparent mode, not configuring
> each browser) to use squid for access control of SSL and FTP
> connections?

I've got some ideas for doing SSL access control (based on just source/destination IPs for the time being) for WCCPv2-intercepted SSL in client-ip-spoofing modes (eg with TPROXY.) But it first requires a better WCCPv2 implementation, so I'm working on that in my spare time.

So, the answer atm is "not without hacking up Squid"..

Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Re: [squid-users] tproxy performance overhead ?
Adrian asked me to put this information in a wiki. I will do it this week and notify in the list.

Regards
Edinilson
-
ATINET-Professional Web Hosting
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br

- Original Message -
From: "zulkarnain" <[EMAIL PROTECTED]>
To: "Edinilson J. Santos"
Cc:
Sent: Monday, December 11, 2006 11:50 AM
Subject: Re: [squid-users] tproxy performance overhead ?

--- "Edinilson J. Santos" wrote:
> Here we use static routes and this machine is the
> border/default gateway for
> the all net.

This means your linux box is running as squid+tproxy and gateway? Would you please draw the diagram and share your configuration? I'm having trouble implementing squid with tproxy. Thanks!

regards,
Zul
Re: [squid-users] Squid cannot start because it "can't open 'on' for writing..."
[EMAIL PROTECTED] wrote:
> Quoting Marcello Romani <[EMAIL PROTECTED]>:
>> [EMAIL PROTECTED] wrote:
>>> Quoting Marcello Romani <[EMAIL PROTECTED]>:
>>>> Hi,
>>>> I'm having a strange problem with squid. When I stop and restart the program, it fails to start; cache.log says it can't open "on" for writing, and suggests to check that the parent directory be writable by the user "squid".
>>>> I don't think this is a file permission issue, because even changing 777 permission to the entire /var/cache dir doesn't solve the problem. I also tried lsof to check for locks on that file, but didn't find anything.
>>>> Yesterday I solved the problem by deleting the entire cache directory and upgrading squid (now I'm running 2.6.STABLE4).
>>>> Googling around with strings from the message in the cache.log didn't give much help, which makes me think I'm nearly the only one having this issue.
>>>> The relevant lines from cache.log are:
>>>>
>>>> - 8<
>>>> Squid Cache (Version 2.6.STABLE3): Terminated abnormally.
>>>> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
>>>> Maximum Resident Size: 0 KB
>>>> Page faults with physical i/o: 0
>>>> 2006/12/06 13:43:13| Starting Squid Cache version 2.6.STABLE3 for i686-pc-linux-gnu...
>>>> 2006/12/06 13:43:13| Process ID 15637
>>>> 2006/12/06 13:43:13| With 1024 file descriptors available
>>>> 2006/12/06 13:43:13| Using epoll for the IO loop
>>>> 2006/12/06 13:43:13| Performing DNS Tests...
>>>> 2006/12/06 13:43:13| Successful DNS name lookup tests...
>>>> 2006/12/06 13:43:13| DNS Socket created at 0.0.0.0, port 33030, FD 5
>>>> 2006/12/06 13:43:13| Adding nameserver 192.9.200.200 from /etc/resolv.conf
>>>> 2006/12/06 13:43:13| Adding nameserver 151.99.125.1 from /etc/resolv.conf
>>>> 2006/12/06 13:43:13| Adding nameserver 151.99.125.2 from /etc/resolv.conf
>>>> 2006/12/06 13:43:13| Adding nameserver 151.99.125.3 from /etc/resolv.conf
>>>> 2006/12/06 13:43:13| Adding nameserver 212.216.172.222 from /etc/resolv.conf
>>>> 2006/12/06 13:43:13| Adding nameserver 212.216.112.112 from /etc/resolv.conf
>>>> FATAL: Cannot open 'on' for writing.
>>>> The parent directory must be writeable by the
>>>> user 'squid', which is the cache_effective_user
>>>> set in squid.conf.
>>>> Squid Cache (Version 2.6.STABLE3): Terminated abnormally.
>>>> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
>>>> Maximum Resident Size: 0 KB
>>>> Page faults with physical i/o: 0
>>>> - >8 ---
>>>>
>>>> Thanks in advance.
>>>> --
>>>> Marcello Romani
>>>> IT Manager
>>>> Ottotecnica s.r.l.
>>>> http://www.ottotecnica.com
>>>
>>> Does your squid user own the cache directory. Or it sounds like you may
>>
>> Squid doesn't own the cache dir, but even trying to chown -R squid:squid /var/cache and chmod -R 777 /var/cache doesn't help...
>>
>>> have an error in your .conf file. FATAL: Cannot open 'on' for writing, sounds like it is looking for a directory named 'on'. Don't suppose you
>>
>> In fact there's a file named 'on' in the cache directory.
>>
>>> made any changes to squid prior to this?
>>
>> If you mean changes to the squid source code, no I didn't. Just changes to squid.conf.
>>
>>> --
>>> Dwayne Hottinger
>>> Network Administrator
>>> Harrisonburg City Public Schools
>>
>> Thanks
>> --
>> Marcello Romani
>> IT Manager
>> Ottotecnica s.r.l.
>> http://www.ottotecnica.com
>
> Try starting squid with the -z option after you chown the cache directory to squid. I would also check your squid.conf for any changes you may have made. Sounds like you may have an error in your squid.conf that has it writing to a directory named 'on'. If you have a file in your squid cache dir named 'on' delete it then start squid -z. But I'm betting on an error in your squid.conf. I usually make a backup copy of

When I spotted this problem, I also noticed that gentoo had an updated version of squid. Therefore I removed the old squid cache directory and upgraded the squid package. After this operation, everything is working fine. What I'm trying to do here is understand why that strange error appeared, since the old installation has been running fine for months. I don't want to re-install squid next time a service restart is needed!

> my .conf files with cp before I edit them. That way, when I mess it up, I can quickly cp the good copy and start squid. Please include the

The only changes I have made to squid.conf is the addition of a few domains in a couple of ACLs. (I have posted my squid.conf in this thread).

> squid mailing list in the email, so all can benefit from your experience. ;-]

Sorry, I just hit the "Reply" button, and the mailing list was in the "CC" field instead of the "To" one.

> ddh
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools

--
Marcello Romani
IT Manager
Ottotecnica s.r.l.
http://www.ottotecnica.com
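One way to act on the suggestion in this thread that a squid.conf line is making Squid open a file literally named 'on', as an added example that is not from the thread and is not Squid code: a checker that flags file-path directives whose value is not an absolute path. The directive list is an assumption (a subset of Squid 2.x directives that take a file name), and the sample configuration is constructed; the thread never shows the configuration that caused the error.

```python
"""Added illustration: flag squid.conf file-path directives whose value is not a path."""

# Assumption: a subset of Squid 2.x directives whose first argument is a file name.
PATH_DIRECTIVES = {
    "access_log",
    "cache_log",
    "cache_store_log",
    "pid_filename",
    "useragent_log",
    "referer_log",
}


def find_suspect_paths(conf_text):
    """Return (line number, directive, value) for values that are not absolute paths.

    A value such as 'on' is taken as a file name, and a relative file name is
    resolved against the working directory of the process, which is how a file
    called 'on' can end up being created or failing to open.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        tokens = line.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 2 or tokens[0] not in PATH_DIRECTIVES:
            continue
        directive, value = tokens[0], tokens[1]
        if value == "none" or value.startswith("/"):
            continue  # explicit "no file" or an absolute path: fine
        findings.append((lineno, directive, value))
    return findings


# Constructed sample configuration (not the poster's squid.conf).
SAMPLE_CONF = """\
http_port 3128
cache_effective_user squid
acl blocked dstdomain .example.com .example.net   # a few domains added
cache_store_log on            # meant as a switch, read as a file name
access_log /var/log/squid/access.log squid
pid_filename none
"""

if __name__ == "__main__":
    for lineno, directive, value in find_suspect_paths(SAMPLE_CONF):
        print("line %d: %s is given '%s', which is not an absolute path"
              % (lineno, directive, value))
```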
Re: [squid-users] can any transparent mode handle SSL and FTP for access control
On Mon, Dec 11, 2006, Shaun Skillin (home) wrote:
> I have squid working fine for HTTP traffic using WCCPv2, and have used
> it with policy routing without issue. I know that squid can't cache SSL
> connections, but is there a way (in a transparent mode, not configuring
> each browser) to use squid for access control of SSL and FTP
> connections?

I've got some ideas for doing SSL access control (based on just source/destination IPs for the time being) for WCCPv2-intercepted SSL in client-ip-spoofing modes (eg with TPROXY.) But it first requires a better WCCPv2 implementation, so I'm working on that in my spare time.

So, the answer atm is "not without hacking up Squid"..

Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
[squid-users] can any transparent mode handle SSL and FTP for access control
Hi there, I've been doing way too much reading, and so far not a "yes" answer, but thought I'd ask the list anyway... I have squid working fine for HTTP traffic using WCCPv2, and have used it with policy routing without issue. I know that squid can't cache SSL connections, but is there a way (in a transparent mode, not configuring each browser) to use squid for access control of SSL and FTP connections? Shaun
Re: [squid-users] How to run squid with root capability?
zulkarnain wrote:
> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
>
>> You should not. cache_effective_user should not be
>> root, not even while
>> using tproxy. But Squid needs to be started as root
>> when using tproxy.
>
> How to started squid as root?
>
> regards,
> Zul

comment these lines below in src/main.c

    if (geteuid() == 0) {
        debug(0, 0) ("Squid is not safe to run as root! If you must\n");
        debug(0, 0) ("start Squid as root, then you must configure\n");
        debug(0, 0) ("it to run as a non-priveledged user with the\n");
        debug(0, 0) ("'cache_effective_user' option in the config file.\n");
        fatal("Don't run Squid as root, set 'cache_effective_user'!");
    }

recompile squid and there you go
Re: [squid-users] Weird Counter behavior
Mon 2006-12-11 at 10:58 -0300, Pablo García wrote:
> Exactly, I'm using those directives, I didn't think they would affect
> the snmp counters or the cachemgr counters also

log_access allow|deny acl acl...

This option allows you to control which requests get logged to access.log (see access_log directive). Requests denied for logging will also not be accounted for in performance counters.

An alternative is to use the access_log directive sending the requests to the "none" log..

access_log <filepath> [<logformat name> [acl acl ...]]

To disable logging of a request use the filepath "none", in which case a logformat name should not be specified.

Regards
Henrik
Re: [squid-users] Weird Counter behavior
Exactly, I'm using those directives, I didn't think they would affect the snmp counters or the cachemgr counters also. I'm not really using them right now, since I disabled logging by access_log none. This solved my problem, but is this the right behavior?

Regards,
Pablo

On 12/7/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> Wed 2006-12-06 at 19:49 -0300, Pablo García wrote:
>> Hi, I have a Load balancer distributing request across servers, the
>> statistics of the LB shows that my squid server is serving ~400 req/s,
>> an mrtg polling snmp info against the squid is showing ~30 req/s and
>> the squidclient mgr:5min counter shows 0 req/s. I made a capture on
>> the interface it makes the requests and found that http req/s is
>> according the stats from the LB.
>> Any ideas of what might be happening ?
>
> Never seen anything like it. The request counters is pretty stable.
>
> Only cause I can think of is if you deny logging by using the log_access
> directive.
>
> Regards
> Henrik
Re: [squid-users] Squid freebsd error signal 4
On 07.12.06 11:25, Erick Dantas Rotole wrote:
> I have 2 squids working together using freebsd carp and round robin to
> balance the load. When server 1 gets all the load I have no problem, but
> when server 2 gets all the load squid stops with signal 4. Server 1 has
> 2 processor and server 2 has 1 processor. Can this error be caused due
> to high load???

I have squid-2.6 on FreeBSD-4.11 and I have no problems with it. Which sub-version of squid, FreeBSD and what cache_dir types do you use?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: [squid-users] tproxy performance overhead ?
--- "Edinilson J. Santos" wrote:
> Here we use static routes and this machine is the
> border/default gateway for
> the all net.

This means your linux box is running as squid+tproxy and gateway? Would you please draw the diagram and share your configuration? I'm having trouble implementing squid with tproxy. Thanks!

regards,
Zul
Re: [squid-users] tproxy performance overhead ?
> one more question, do you run squid+tproxy with wccp

-No

> router or linux router?

-No

Here we use static routes and this machine is the border/default gateway for the all net.

Regards
Edinilson
Re: [squid-users] tproxy performance overhead ?
--- "Edinilson J. Santos" wrote:
> I'm using squid's default:
> # cache_effective_user nobody
>
> cache_effective_group
> # none
>
> Regards
>
> Edinilson

one more question, do you run squid+tproxy with wccp router or linux router? if with linux router, do you run it on separate or the same machine with squid+tproxy? Thank you!

regards,
Zul
Re: [squid-users] How to run squid with root capability?
--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> You should not. cache_effective_user should not be
> root, not even while
> using tproxy. But Squid needs to be started as root
> when using tproxy.

How to started squid as root?

regards,
Zul
Re: [squid-users] tproxy performance overhead ?
I'm using squid's default:

# cache_effective_user nobody

cache_effective_group
# none

Regards
Edinilson
-
ATINET-Professional Web Hosting
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br

- Original Message -
From: "zulkarnain" <[EMAIL PROTECTED]>
To: "Edinilson J. Santos"
Cc:
Sent: Monday, December 11, 2006 12:32 AM
Subject: Re: [squid-users] tproxy performance overhead ?

Edinilson, what is your setting for cache_effective_user and cache_effective_group?

regards,
Zul

--- "Edinilson J. Santos" wrote:
> I'm using tproxy with the following configuration
> (without problems):
>
> Dual Xeon 2.4 Ghz, 4gb RAM, 2 SCSI 72gb 160mb/s
> Debian with Kernel 2.6.18 + tproxy for this kernel
> Squid 2.6 Stable 5 compiled with the following
> options:
> Squid Cache: Version 2.6.STABLE5
> configure options: '--prefix=/usr/local/squid'
> '--enable-storeio=coss,ufs,aufs'
> '--enable-removal-policies=lru,heap'
> '--enable-snmp'
> '--enable-default-err-language=Portuguese'
> '--enable-linux-netfilter'
> '--disable-hostname-checks'
> '--enable-underscores' '--enable-epoll'
> '--enable-linux-tproxy'
> '--enable-follow-x-forwarded-for'
> '--enable-coss-aio-ops'
> '--with-large-files'
>
> Edinilson
> -
> ATINET-Professional Web Hosting
> Tel Voz: (0xx11) 4412-0876
> http://www.atinet.com.br
Re: [squid-users] Squid as interception proxy with pf
Thanks to you for all information... and I'm so sorry, I've made a little error: you can only enable one transparent mode in squid... and you must not forget to change access on /dev/pf device. After it looks ok.

Ghislain

On 9 Dec 06 at 07:49, Agung T. Apriyanto wrote:
> --- Ghislain Garçon <[EMAIL PROTECTED]> wrote:
>> PF is really filtering and not only squid : yes I have build pf
>> integration with my freebsd kernel.
>> If I look in squid's sources, there is a problem with these
>> declarations. I don't know how to test IPNAT_NAME or IPL_NAT
>>
>> #ifdef IPNAT_NAME
>>     natfd = open(IPNAT_NAME, O_RDONLY, 0);
>> #else
>>     natfd = open(IPL_NAT, O_RDONLY, 0);
>> #endif
>>
>> I looked in kernel sources... and it looks like the lines above open
>> a device created by ipfilter... but pf doesn't need ipfilter in order
>> to work.
>>
>> Regards,
>> Ghislain
>
> seems that somehow your squid was looking for IPF ?
> but you said earlier that you've enabled pf-transparent while compiling squid ?
> it should looking for /dev/pf if you enable-pf-transparent
> btw was the problem same for 3.0 and 2.6S5 ? because you also said that you've tried both version in earlier email
Re: [squid-users] How to run squid with root capability?
Sun 2006-12-10 at 19:57 -0800, zulkarnain wrote:
> would you please be more detail? I don't know how to
> run squid as root accept by changing
> cache_effective_user and cache_effective_group to
> "root". But with this setting, squid will crash after
> started.

You should not. cache_effective_user should not be root, not even while using tproxy. But Squid needs to be started as root when using tproxy.

Regards
Henrik