Re: [squid-users] ignoring no-cache-requests?
Thanks, that did it!

Regards and Happy New Year
-stefan-

On Wed, 2006-12-27 at 19:31 +0100, Henrik Nordstrom wrote:
> Mon 2006-12-25 at 13:51 +0100, Stefan Palme wrote:
>
> > Is there a way to force squid to ignore all Pragma: no-cache and similar directives, so that squid *always* returns cached content, when it is available?
>
> refresh_pattern ... ignore-reload
>
> Regards
> Henrik

--
Dipl. Inf. (FH) Stefan Palme
email: [EMAIL PROTECTED]
www: http://hbci4java.kapott.org
icq: 36376278
phon: +49 341 3910484
fax: +49 1212 517956219
mobil: +49 178 3227887
key fingerprint: 1BA7 D217 36A1 534C A5AD F18A E2D1 488A E904 F9EC

[squid-users] Reverse Proxy and Apache logging
Hello and Happy New Year!

I have one question which I need some clues about.

I am running Squid-2.6 in accelerator mode. The site being accelerated is being served by apache which is residing on the same box as Squid. Squid is listening on the public IP of the box while Apache listens on the loopback interface (127.0.0.1).

Now, for the purpose of getting access statistics for the websites being accelerated

My Squid config for acceleration is as follows:

    # Since apache is on the same host, we make apache bind to 127.0.0.1 and
    # Squid listens on the public IP
    http_port a.b.c.d:80 defaultsite=www.domain.tld vhost
    cache_peer 127.0.0.1 parent 80 0 no-query originserver

Now, when I check the Apache logs, there are no details of the actual hosts accessing the website:

    127.0.0.1 - - [02/Jan/2007:13:08:53 +0300] POST /searchmyresults.php HTTP/1.0 302 18844
    127.0.0.1 - - [02/Jan/2007:13:08:52 +0300] GET /kcperesults.php HTTP/1.0 200 33729
    127.0.0.1 - - [02/Jan/2007:13:08:52 +0300] GET /kcperesults.php?start=21 HTTP/1.0 200 33789
    127.0.0.1 - - [02/Jan/2007:13:08:54 +0300] GET /kcpe2006res.php?id=1477429cenno=603030 HTTP/1.0 200 19026
    127.0.0.1 - - [02/Jan/2007:13:08:53 +0300] GET /kcperesults.php HTTP/1.0 200 33714
    127.0.0.1 - - [02/Jan/2007:13:08:55 +0300] POST /juan1.php HTTP/1.0 302 -
    127.0.0.1 - - [02/Jan/2007:13:08:55 +0300] GET /kcpe2006res.php?id=1917448cenno=401116 HTTP/1.0 200 19026
    127.0.0.1 - - [02/Jan/2007:13:08:55 +0300] GET /searchmyresults.php HTTP/1.0 200 18844
    127.0.0.1 - - [02/Jan/2007:13:08:56 +0300] GET /kcpe.php HTTP/1.0 200 18083
    127.0.0.1 - - [02/Jan/2007:13:08:56 +0300] GET / HTTP/1.0 200 20460

Is there something that I need to put in squid.conf so that it can forward to apache the actual details (IP, name) of the connecting host for logging? I'd like to be able to generate access stats for the websites using apache logs.

Thank you in advance..

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Honk if you hate bumper stickers that say Honk if ...

Re: [squid-users] Reverse Proxy and Apache logging
On Tue, Jan 02, 2007, Odhiambo WASHINGTON wrote:

> Is there something that I need to put in squid.conf so that it can forward to apache the actual details (IP, name) of the connecting host for logging? I'd like to be able to generate access stats for the websites using apache logs.

It will be; Squid will be setting X-Forwarded-For with the details of the origin host. I believe there's a way to log the contents of that particular header in apache.log but I don't have it on hand at the moment.

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -

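
Added example, not part of the thread and not Squid or Apache project code: once Apache logs the X-Forwarded-For request header (via mod_log_config's `%{X-Forwarded-For}i`), this is one way to pick the client address out of each line for statistics. The log format, the name `squidfwd`, the function name and the sample lines are assumptions made here; the point is that the header is believed only when the connection came from the local Squid, and only its right-most entry is used.

```python
import ipaddress
import re

# Assumed Apache LogFormat (an assumption, not given in the thread):
#   LogFormat "%h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" squidfwd
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \S+ \S+ \[[^\]]+\] '
    r'"[^"]*" \d{3} \S+$'
)

# Only the Squid accelerator on the same box may vouch for a client address.
TRUSTED_PROXIES = {"127.0.0.1"}


def client_address(line):
    """Return the address a request should be attributed to, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    if m["peer"] not in TRUSTED_PROXIES:
        # Did not arrive via Squid, so the header is client-controlled.
        return m["peer"]
    # Squid appends the address it saw, so only the right-most entry is
    # trustworthy; anything to its left was supplied by the client.
    last = m["xff"].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return m["peer"]  # header absent ("-") or malformed


# Constructed sample lines (addresses from the documentation ranges).
SAMPLE = [
    '127.0.0.1 "203.0.113.7" - - [02/Jan/2007:13:08:53 +0300] "GET /kcpe.php HTTP/1.0" 200 18083',
    '127.0.0.1 "10.0.0.1, 198.51.100.23" - - [02/Jan/2007:13:08:54 +0300] "GET / HTTP/1.0" 200 20460',
    '127.0.0.1 "-" - - [02/Jan/2007:13:08:55 +0300] "POST /juan1.php HTTP/1.0" 302 -',
    '192.0.2.50 "127.0.0.1" - - [02/Jan/2007:13:08:56 +0300] "GET / HTTP/1.0" 200 20460',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(client_address(line), "<-", line)
```
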
Re: [squid-users] generic kerberos support in 2.6?
Hi Henrik and Brian, and happy new year to the squid mailing list !

> > Hrm. Firefox seems to disagree, at least in its implementation. Squid sends Negotiate as the authentication mechanism and Firefox responds with Kerberos.
>
> The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows", which specifies Kerberos within GSS-API as applied by SPNEGO..
>
> Quote: The Negotiate auth-scheme calls for the use of SPNEGO GSSAPI tokens that the specific mechanism type specifies.
>
> Relevant RFCs:
>
> RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows (Negotiate)
> RFC4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)
> RFC2743 Generic Security Service Application Program Interface Version 2, Update 1. (GSS-API)
>
> Now I am not an expert on how this translates to wire format so I leave it to you to read and consider if what your Firefox does is sufficient to meet the specifications or not..

I have been looking for the same setup as you are (transparent authentication proxy in a full linux environment, ie linux/firefox + linux/heimdal kerberos + linux/squid) for some time already, and I asked the same question a few months ago with the same answer (need of a helper). So I have read this thread with much interest, and think I may add a few bits of information here.

You have mentioned in a previous post that your firefox was doing native KRB5 nego instead of SPNEGO/KRB5. It may go back to the original implementation that can be found at http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html : "Since we don't have any SPNEGO implementation we are using directly Kerberos implementation of GSS API." I don't know if spnego has been added since then.

The interesting bit is that the same people have developed an apache authentication module corresponding to the mozilla negotiation implementation (http://modauthkerb.sourceforge.net/index.html). Please correct me if I'm wrong, but an apache auth module and a squid auth helper should be quite similar, shouldn't it?

Current maintainer of the apache kerberos auth module is Daniel Kouril, who is working/studying in a Czech university. He is working on the myproxy project, whose goal is to ease the authentication/authorization management using certificates, especially in grid computing environment. I'll drop him an email to see if he is interested to collaborate with the squid community.

Cheers,
Denis

> Regards
> Henrik

--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr

Re: [squid-users] generic kerberos support in 2.6?
Hi again,

> I have been looking for the same setup as you are (transparent authentication proxy in a full linux environment, ie linux/firefox + linux/heimdal kerberos + linux/squid) for some time already, and I asked the same question a few months ago with the same answer (need of a helper). So I have read this thread with much interest, and think I may add a few bits of information here.
>
> You have mentioned in a previous post that your firefox was doing native KRB5 nego instead of SPNEGO/KRB5. It may go back to the original implementation that can be found at http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html : "Since we don't have any SPNEGO implementation we are using directly Kerberos implementation of GSS API." I don't know if spnego has been added since then.

I answer to my own question here. According to the tutorial http://www.grolmsnet.de/kerbtut/ (Using mod_auth_kerb and Windows 2000/2003 as KDC), mod_auth_kerb can serve IE clients. So I guess it must be able to handle SPNEGO.

Cheers,
Denis

> The interesting bit is that the same people have developed an apache authentication module corresponding to the mozilla negotiation implementation (http://modauthkerb.sourceforge.net/index.html). Please correct me if I'm wrong, but an apache auth module and a squid auth helper should be quite similar, shouldn't it?
>
> Current maintainer of the apache kerberos auth module is Daniel Kouril, who is working/studying in a Czech university. He is working on the myproxy project, whose goal is to ease the authentication/authorization management using certificates, especially in grid computing environment. I'll drop him an email to see if he is interested to collaborate with the squid community.
>
> Cheers,
> Denis
>
> > Regards
> > Henrik

--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr

[squid-users] Squid 2.6 Simple Reverse Proxy Question
Hello,

I am running squid-2.6STABLE6 as a reverse proxy. I have two hosts that I want reverse proxied: foo1.bar1.com and foo2.bar2.com

I've set up my squid.conf as follows:

    http_port 80 vhost
    http_access allow all
    cache_peer foo1.bar1.com parent 80 0 no-query originserver
    cache_peer foo2.bar2.com parent 80 0 no-query originserver
    acl server1 dstdomain .foo1.bar1.com
    acl server2 dstdomain .foo2.bar2.com
    cache_peer_access foo1.bar1.com allow server1
    cache_peer_access foo1.bar1.com deny all
    cache_peer_access foo2.bar2.com allow server2
    cache_peer_access foo2.bar2.com deny all

The problem I'm having is that when I access foo2.bar2.com through the proxy, I'm handed out the webpage for foo1.bar1.com. What am I missing?

Thanks,
J.

RE: [squid-users] Yet Another Can't Open Website
Thanks again Henrik, having a problem applying the patch though. Copied and pasted the patch into squid 2.6 source dir as squid-http11.patch. CD to source dir and issued the command:

    patch -pl ./squid-http11.patch

Got the following:

    patch: strip count l is not a number

Tried a few odds and ends to get it to run but no luck. Any advice?

Thanks,
Dave Rhodes

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 29, 2006 11:42 PM
To: Dave Rhodes
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Yet Another Can't Open Website

Fri 2006-12-29 at 10:06 -0500, Dave Rhodes wrote:

> Thanks Henrik, but no joy when the suggested code is added to the conf file. I agree that the site is broken but since I am sure there will be others, I need a workaround. Anything else you can think of?

Indeed.. site seems quite broken wrt http/1.0 clients..

You can try the patch found at http://www.henriknordstrom.net/code/squid-http11.patch

it's designed for a different purpose, but may solve your problem as well. The patch is a first step towards making Squid-2.x HTTP/1.1.

Regards
Henrik

RE: [squid-users] Yet Another Can't Open Website
Henrik,

Please ignore my previous message, Typed Pee-ELL instead of Pee-One (I really do know better - that's what hurts!). The patch has been applied. Can't install and test until later today though. I'll let you know how it goes.

Thanks,
Dave Rhodes

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 29, 2006 11:42 PM
To: Dave Rhodes
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Yet Another Can't Open Website

Fri 2006-12-29 at 10:06 -0500, Dave Rhodes wrote:

> Thanks Henrik, but no joy when the suggested code is added to the conf file. I agree that the site is broken but since I am sure there will be others, I need a workaround. Anything else you can think of?

Indeed.. site seems quite broken wrt http/1.0 clients..

You can try the patch found at http://www.henriknordstrom.net/code/squid-http11.patch

it's designed for a different purpose, but may solve your problem as well. The patch is a first step towards making Squid-2.x HTTP/1.1.

Regards
Henrik

RE: [squid-users] Yet Another Can't Open Website
Happy New Year Henrik!

There is joy in the world, the site works! So far, nothing seems broken by the patch either. Very nice, thank you!

Dave

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 29, 2006 11:42 PM
To: Dave Rhodes
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Yet Another Can't Open Website

Fri 2006-12-29 at 10:06 -0500, Dave Rhodes wrote:

> Thanks Henrik, but no joy when the suggested code is added to the conf file. I agree that the site is broken but since I am sure there will be others, I need a workaround. Anything else you can think of?

Indeed.. site seems quite broken wrt http/1.0 clients..

You can try the patch found at http://www.henriknordstrom.net/code/squid-http11.patch

it's designed for a different purpose, but may solve your problem as well. The patch is a first step towards making Squid-2.x HTTP/1.1.

Regards
Henrik

[squid-users] how to use neighbor_type_domain ?
hello,

i configure my squid to make sibling with my other squid. my first squid have ip address 202.xx.112.36 and the second is 202.xx.123.6

my computer is connected to first squid (202.xx.112.36)

the configuration in first squid is

    cache_peer 202.xx.123.6 sibling 3128 3130
    neighbor_type_domain 202.xx.123.6 parent .myipaddress.com

the second squid is

    cache_peer 202.xx.112.36 sibling 3128 3130

when i browsing from my computer via first squid to www.myipaddress.com, why the site detect my first squid ip (202.xx.112.36), not the second ip (202.xx.123.36) ?

How to make the site is detect from 202.xx.123.36

both squid use same version, squid 2.6.6

Thanks,
regards,
adi