[squid-users] Need configuration advise
Hi

I would like to use Squid servers in my network for a couple of reasons but I am having trouble making it all work together. I have a central site with a webserver that needs acceleration, and I have about 1000 external sites each with 10-50 clients that need a local cache to save bandwidth. The clients on my local sites are not web users, but an automated client that downloads files based on rules.

My first goal is to set up the central HTTP Accelerator (reverse proxy) to help out my webserver. The content is protected using Basic Authentication. I have set up the accelerator using the following configuration (Squid 2.6 Stable 10):

http_port 80 accel defaultsite=centralsquid.foo.bar
cache_peer webserver.foo.bar parent 80 0 no-query originserver login=PASS
url_rewrite_host_header off
collapsed_forwarding on
acl port80 port 80
http_access allow port80

This seems to work just fine.

My second goal is to set up the proxy-cache at the local sites. My idea was to configure this as a reverse proxy for the central accelerator. So what I did was to configure this server much the same way as the central accelerator, only I point the local squid at the central squid:

http_port 80 accel defaultsite=localsquid001.foo.bar
cache_peer centralsquid.foo.bar parent 80 0 no-query originserver login=PASS
url_rewrite_host_header off
collapsed_forwarding on
acl port80 port 80
http_access allow port80

This does not work, and I am stuck. Any help would be greatly appreciated! Is it possible to pull this off?

Regards
Roland Rabben
Re: [squid-users] tcp_outgoing_address not working
Upgraded to latest squid, same result. Squid still uses the wrong outgoing address whatever I set with tcp_outgoing_address :( Any ideas?

Bgs wrote:
> Hi all,
>
> For some reason tcp_outgoing_address is not working for me, even though the setup is simple and looks just like the zillion example configs I found around the net.
>
> Setup: Linux box with 2.5.STABLE13 and several outside IPs (single connection):
>
> 2: eth1: BROADCAST,MULTICAST,UP,1 mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:05:5d:64:89:a0 brd ff:ff:ff:ff:ff:ff
>     inet 1.2.3.146/28 brd 1.2.3.159 scope global eth1
>     inet 1.2.3.147/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.148/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.149/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.150/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.151/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.152/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.153/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.154/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.155/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.156/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.157/28 brd 1.2.3.159 scope global secondary eth1
>     inet 1.2.3.158/28 brd 1.2.3.159 scope global secondary eth1
>
> We used to NAT different internal IPs to different outside IPs, I want the same result with squid.
>
> Here is the relevant portion of my squid.conf:
>
> acl src_1 src 10.0.0.105
> acl src_2 src 10.0.0.106
> acl src_3 src 10.0.0.107
> acl src_4 src 10.0.0.108
> acl src_5 src 10.0.0.109
> acl src_6 src 10.0.0.110
> acl src_7 src 10.0.0.111
> acl src_8 src 10.0.0.112
> acl src_9 src 10.0.0.113
> acl src_10 src 10.0.0.114
> acl src_11 src 10.0.0.115
> acl src_bgstest src 10.0.0.136
>
> tcp_outgoing_address 1.2.3.147 src_1
> tcp_outgoing_address 1.2.3.148 src_2
> tcp_outgoing_address 1.2.3.149 src_3
> tcp_outgoing_address 1.2.3.150 src_4
> tcp_outgoing_address 1.2.3.151 src_5
> tcp_outgoing_address 1.2.3.152 src_6
> tcp_outgoing_address 1.2.3.153 src_7
> tcp_outgoing_address 1.2.3.154 src_8
> tcp_outgoing_address 1.2.3.155 src_9
> tcp_outgoing_address 1.2.3.156 src_10
> tcp_outgoing_address 1.2.3.157 src_bgstest
> tcp_outgoing_address 1.2.3.146
>
> Whatever IP I use, the source IP will be 1.2.3.146. The funny part comes now: I changed the last (default) rule to .148 and squid still uses the .146 address.
>
> Do you have any ideas why squid is sticking to the default system IP and not using any IP given in tcp_outgoing_address?
>
> Thanks
> Bgs
[squid-users] Problem with squid and shorewall
Dear all,

I'm setting up a firewall and proxy using Shorewall and squid on a Kubuntu server. I followed the instructions for the two-interface shorewall configuration and: http://www.shorewall.net/Shorewall_Squid_Usage.html

Both shorewall and squid work fine when I use them separately (squid works fine when I configure my web browser to use the proxy on port 3128, with shorewall configured to accept requests from the local network on port 3128). Then I tried to set up shorewall to redirect all www requests to port 3128, but in this case, when I try to navigate on the internet, squid replies in my browser with the message that it is not possible to forward this request at this time.

Squid is configured with:

http_port 3128 transparent
…
acl my_networks src 10.10.10.0/24
http_access allow mynetwoks
….

In the 'rules' file of the shorewall configuration I inserted the following lines (where loc is the local net zone 10.10.10.0/24 and net represents the Internet zone):

REDIRECT loc 3128 tcp www -
ACCEPT $FW net tcp www

Can someone help me?

Thanks in advance,
GV
Re: [squid-users] maximum netowrk interfaces
[EMAIL PROTECTED] said in the last message:
> While this is not strictly a squid question, does anyone know the maximum number of virtual interfaces that can be created on a Linux box? I've got a proposal being shoved at me to create a virtual interface per section here at work and have individual squids listening to those interfaces (don't get me started on how bad that idea is).

as much as the computer supports

squid will listen on all of them unless you configure expl. in squid.conf

multi-instance squid is a good idea but I am not sure if it is useful having an instance bound to an interface

João
...
Datacenter Matik http://datacenter.matik.com.br
E-Mail and Data Hosting Service for Professionals.
Re: [squid-users] Timeouts/browser hang with autodetect proxy
Brian Riffle said in the last message:
> I am having an issue with timeouts using squid with both IE and Firefox when using auto detect proxy
>
> When I am autodetecting the proxy server, if I type in an invalid domain name (like google.comm, or googlec.om, etc) it will take upwards of 20 seconds to timeout, and give me the squid error page that the domain does not exist. During this time, the browser completely locks up, and is unusable.
>
> However, during my troubleshooting, I have noticed that if I manually set the proxy settings in the browsers (with the same rules and exceptions as the proxy.pac and wpad.dat files, the timeout does not happen. The

are you sure your DNS or mime settings are correct so the auto-detection will not fail?

João
...
Datacenter Matik http://datacenter.matik.com.br
E-Mail and Data Hosting Service for Professionals.
[squid-users] www.linux.org
Could someone tell me why I, being in Hong Kong using I-Cable as ISP, could never fully load this website, even with Squid? Is it a site design issue? Or is it something else?

-- .~.http://changmw.homeip.net / v \ May the Force and Farce be with you! Linux 2.6.20.2 /( _ )\ (Ubuntu 6.10) 20:35:01 up 2 days 5:07 ^ ^0 users load average: 1.02 1.01 1.00 news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
[squid-users] Squid Java problem
Hi all, We are using squid proxy which is integrated with AD on our network without much problems and everything seems to be working fine except when site makes the use of Java. One of our teams is accessing site which is making use of Java. As soon as the site loads it starts prompting for username and password and never goes away even though we enter the correct userid and password and we have to kill the browser process. We are making the use of latest JVM. My question is what is the solution to this problem? Thanks in advance.
[squid-users] Question on 302 problem
Folks,

I have used the procedure for 302 redirecting that the FAQ defines. However, I get this:

2007/03/09 12:38:24| helperHandleRead: unexpected reply on channel 302 from url_rewriter #2 '302:www.rachalan.f2s.com'
2007/03/09 12:38:32| helperHandleRead: unexpected reply on channel 302 from url_rewriter #3 '302:www.rachalan.f2s.com'
2007/03/09 12:38:33| helperHandleRead: unexpected reply on channel 302 from url_rewriter #4 '302:www.rachalan.f2s.com'
2007/03/09 12:38:34| helperHandleRead: unexpected reply on channel 302 from url_rewriter #5 '302:www.rachalan.f2s.com'

In the cache.log file. Any ideas what the problem is? Have I forgotten to change something in squid.conf?

TIA
Alan
Re: [squid-users] Squid Java problem
On Mon, Mar 12, 2007, Tornado wrote: Hi all, We are using squid proxy which is integrated with AD on our network without much problems and everything seems to be working fine except when site makes the use of Java. One of our teams is accessing site which is making use of Java. As soon as the site loads it starts prompting for username and password and never goes away even though we enter the correct userid and password and we have to kill the browser process. We are making the use of latest JVM. My question is what is the solution to this problem? Could you please take a traffic dump using wireshark of the exchange between the java program/browser and the proxy server? It might shine some further light on the issue. Thanks, Adrian
Re: [squid-users] ntlm issue with 2.6.STABLE9-20070220
Sorry for posting again, but I am facing a wall with this issue. Any clue will be welcome! Thanks again in advance

hello,

I've recently made an upgrade from Squid 2.5.STABLE12 to squid 2.6.STABLE9-20070220. These servers use samba 3.0.22 (winbind) to authenticate squid users that are allowed to access the internet. Everything was working fine up to now, except that since the upgrade I am facing some performance issues: the squid cpu usage on the server is high, and the cache.log is full of the following message:

[2007/03/05 10:00:37, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
got NTLMSSP command 3, expected 1

Does anyone get the same problem?

Thanks in advance,
Lionel
Re: [squid-users] Question on 302 problem
On Mon 2007-03-12 at 14:59 +0100, WRIGHT Alan wrote:
> 2007/03/09 12:38:34| helperHandleRead: unexpected reply on channel 302 from url_rewriter #5 '302:www.rachalan.f2s.com'
>
> In the cache.log file. Any ideas what the problem is?

Looks like you have set url_rewrite_concurrency with a helper not supporting this modified helper protocol.

Regards
Henrik
Re: [squid-users] Squid Java problem
we have same issue with yahoo beta todays... On 3/12/07, Adrian Chadd [EMAIL PROTECTED] wrote: On Mon, Mar 12, 2007, Tornado wrote: Hi all, We are using squid proxy which is integrated with AD on our network without much problems and everything seems to be working fine except when site makes the use of Java. One of our teams is accessing site which is making use of Java. As soon as the site loads it starts prompting for username and password and never goes away even though we enter the correct userid and password and we have to kill the browser process. We are making the use of latest JVM. My question is what is the solution to this problem? Could you please take a traffic dump using wireshark of the exchange between the java program/browser and the proxy server? It might shine some further light on the issue. Thanks, Adrian -- Best Regards NIMA SADEGHIAN
Re: [squid-users] Timeouts/browser hang with autodetect proxy
mostly same detected issues are because of dns settings in squid.conf (if just clients are slow) or squid box. is there any wrong with delay pools?

On 3/12/07, Michel Santos [EMAIL PROTECTED] wrote:
> Brian Riffle said in the last message:
>> I am having an issue with timeouts using squid with both IE and Firefox when using auto detect proxy
>>
>> When I am autodetecting the proxy server, if I type in an invalid domain name (like google.comm, or googlec.om, etc) it will take upwards of 20 seconds to timeout, and give me the squid error page that the domain does not exist. During this time, the browser completely locks up, and is unusable.
>>
>> However, during my troubleshooting, I have noticed that if I manually set the proxy settings in the browsers (with the same rules and exceptions as the proxy.pac and wpad.dat files, the timeout does not happen. The
>
> are you sure your DNS or mime settings are correct so the auto-detection will not fail?
>
> João
> ...
> Datacenter Matik http://datacenter.matik.com.br
> E-Mail and Data Hosting Service for Professionals.

--
Best Regards
NIMA SADEGHIAN
[squid-users] squid cache ip problem
I am using squid only for cache and I don't want the users to be seen as the cache server ip but with the ip that they have. This is my config:

http_port ip:8080
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB
cache_dir ufs /var/spool/squid 285696 32 215
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl clientd myip xxx.x.x.x/21
http_access allow all clients
http_access allow all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
forwarded_for on

and that's all
[squid-users] Disable Subdomain from being put through the Accelerator
By default, we have *.battlestarwiki.org gone through squid. However, we like to remove blog.battlestarwiki.org from being stored in squid. How can this be done... --- Shane
Re: [squid-users] Disable Subdomain from being put through the Accelerator
Shane A. Froebel wrote:
> By default, we have *.battlestarwiki.org gone through squid. However, we like to remove blog.battlestarwiki.org from being stored in squid. How can this be done...
>
> --- Shane

Seems you can use the cache deny command in the squid.conf, something like:

acl blog url_regex blog.battlestarwiki.org
cache deny blog

Hope this helps.

--
Jérémy Lardon
Laboratoire DIOM, équipe SATIn - Doctorant
04 77 48 50 34
[squid-users] squid 2.6STABLE10 bug ?!
my squid is crashing after upgrade from 2.6stable5 to 2.6stable10

2007/03/12 13:01:28| assertion failed: client_side.c:4164: buf != NULL || !conn->body.request

-- log

2007/03/12 12:55:27| httpReadReply: Excess data from GET http://vagalume.uol.com.br/js/suggest-encrypted.js;
2007/03/12 12:55:31| httpReadReply: Excess data from GET http://vagalume.uol.com.br/includes/menu.xml;
2007/03/12 12:55:41| httpReadReply: Excess data from GET http://vagalume.uol.com.br/js/enquete_include.js;
2007/03/12 12:57:06| httpReadReply: Excess data from GET http://vagalume.uol.com.br/css/pop.css;
2007/03/12 12:57:08| httpReadReply: Excess data from GET http://vagalume.uol.com.br/css/indique.css;
2007/03/12 12:58:23| httpReadReply: Excess data from GET http://infotempo.uol.com.br/css/home_uol.css;
2007/03/12 12:58:23| httpReadReply: Excess data from GET http://infotempo.uol.com.br/taguol.htm;
2007/03/12 12:58:32| httpReadReply: Excess data from GET http://infotempo.uol.com.br/js/dblive.js;
2007/03/12 13:00:29| Short response on port 57806. Expecting 94457803 octets more
2007/03/12 13:01:27| httpReadReply: Request not yet fully sent POST http://x3.uploaded.to/Download.php?id=20f829178c74d983b3f515cc1327d7a8;
2007/03/12 13:01:28| assertion failed: client_side.c:4164: buf != NULL || !conn->body.request
2007/03/12 13:02:39| Starting Squid Cache version 2.6.STABLE10 for x86_64-redhat-linux-gnu...
2007/03/12 13:02:39| Process ID 12210
2007/03/12 13:02:39| With 4096 file descriptors available
2007/03/12 13:02:39| Using epoll for the IO loop
2007/03/12 13:02:39| DNS Socket created at 0.0.0.0, port 41211, FD 6
2007/03/12 13:02:39| Adding nameserver 200.243.251.130 from squid.conf
2007/03/12 13:02:39| Adding nameserver 200.243.251.131 from squid.conf
2007/03/12 13:02:39| helperOpenServers: Starting 5 'squidGuard' processes
2007/03/12 13:02:39| Unlinkd pipe opened on FD 15
2007/03/12 13:02:39| Swap maxSize 60817408 KB, estimated 4678262 objects
2007/03/12 13:02:39| Target number of buckets: 233913
2007/03/12 13:02:39| Using 262144 Store buckets
2007/03/12 13:02:39| Max Mem size: 262144 KB
2007/03/12 13:02:39| Max Swap size: 60817408 KB
2007/03/12 13:02:39| Store logging disabled
2007/03/12 13:02:39| Rebuilding storage in /var/spool/squid1 (DIRTY)
2007/03/12 13:02:39| Rebuilding storage in /var/spool/squid2 (DIRTY)
2007/03/12 13:02:39| Using Round Robin store dir selection
2007/03/12 13:02:39| Set Current Directory to /var/log/squid
2007/03/12 13:02:39| Loaded Icons.

gdb dbug:

GNU gdb Red Hat Linux (6.1post-1.20040607.43.0.1rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu...(no debugging symbols found)...Using host libthread_db library /lib64/tls/libthread_db.so.1.

Core was generated by `(squid) -D -s'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib/libsafe.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libsafe.so.2
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Re: [squid-users] squid 2.6STABLE10 bug ?!
Hi,

At 18.00 12/03/2007, Alexandre Correa wrote:
> my squid is crashing after upgrade from 2.6stable5 to 2.6stable10
>
> 2007/03/12 13:01:28| assertion failed: client_side.c:4164: buf != NULL || !conn->body.request

Probably this: http://www.squid-cache.org/bugs/show_bug.cgi?id=1915

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
[squid-users] 127.0.0.1 is their IP...
Just recompiled squid, like so... ./configure --enable-follow-x-forwarded-for --enable-useragent-log --enable-referer-log --quiet added to squid.conf: forwarded_for on Had someone post something on the site IP came back to being 127.0.0.1
Re: [squid-users] Squid Java problem
On 3/12/07, Tornado [EMAIL PROTECTED] wrote: Hi all, We are using squid proxy which is integrated with AD on our network without much problems and everything seems to be working fine except when site makes the use of Java. Are you using ntlm? Chris
[squid-users] squid is taking over my system!
Squid users,

I am running Ubuntu Edgy 6.10 for AMD64 which is Kernel 2.6.17. I have squid 2.6.STABLE9 that I installed from source. This is not a production server yet, so it was just kind of sitting there for the past few days. Today when I turned on the screen I saw messages similar to the following:

(numbers) Out of memory: Kill process XXX (apache2) score XX and children.
(numbers) Out of Memory: Killed process XXX (apache2).
(...)
(numbers) Out of memory: Kill process XXX (squid) score XX and children.
(numbers) Out of Memory: Killed process XXX (squid).

I don't know too many linux commands, but I looked on google and found the free command. My computer has 1 GB of RAM and I only had 10 MB free, but I had about 75% of my swap space left. (I have about 3 GB of swap). I did /etc/init.d/squid stop which replied [ok] but then when I look in top I see that I still only have 10 MB free memory, and most of the pid's on the list belong to squid.

Why are 30,000 squid processes running after I type squid stop? According to ps aux, /usr/sbin/squid -D -sYC has 9486 entries (AFTER I typed squid stop.) On our production server we have 512 MB of RAM and squid 2.4.STABLE7 and this has never happened. What can I do?

Note that during the last 5 days this computer was unplugged from the network so its cache cannot be full!
Re: [squid-users] squid cache ip problem
On Mon 2007-03-12 at 17:41 +0200, [EMAIL PROTECTED] wrote:
> i am using squid only for cache and i don't want the users to be seen as the cache server ip but with the ip that they have.

See Linux TPROXY. Has quite strict network requirements and requires Squid to run either on the router/gateway, or transparent interception. The reason is that all port 80 traffic (requests and responses) must be redirected to the proxy server.

Regards
Henrik
Re: [squid-users] maximum netowrk interfaces
[EMAIL PROTECTED] wrote:
> While this is not strictly a squid question, does anyone know the maximum number of virtual interfaces that can be created on a Linux box? I've got a proposal being shoved at me to create a virtual interface per section here at work and have individual squids listening to those interfaces (don't get me started on how bad that idea is).

I just tested on debian with stock kernel 2.6.18:

T=0; while [ $T -lt 255 ]; do echo $T; ifconfig eth0:${T} \
192.168.${T}.1 netmask 255.255.255.0 up; T=`expr $T + 1` ; done

and set up 255 virtual interfaces with no problem.

Somewhat related, I haven't been able to create more than 7 GRE tunnels (in case you're using WCCP).

--
A: Because it destroys the flow of conversation.
Q: Why is top posting dumb?
--
Juan Nicolás Ruiz | Corporación Parque Tecnológico de Mérida
| Centro de Cálculo Cientifico ULA
[EMAIL PROTECTED] | Avenida 4, Edif. Gral Masini, Ofic. B-32
+58-(0)274-252-4192 | Mérida - Edo. Mérida. Venezuela
Re: [squid-users] Another HTTP 1.1 Question
On 3/11/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On Sun 2007-03-11 at 16:38 +0800, Adrian Chadd wrote:
>> If someone would like a fun weekend project - write something to sniff out these broken connections and insert temporary ip routes for it.
>
> Another idea would be a test tool to see why a site is broken.. Known issues:
>
> - ECN
> - Window Scaling
> - Forgetting Vary
> - Mixing up ETag (same ETag on multiple incompatible entities)
> - Various malformed responses
>   * Double content length
>   * Malformed headers
>   * Repeated single-value headers

If I knew more about the structure of these items I'd give it a whirl. As it is, I just have come up to the bottom level of understanding tcp window scaling.

FWIW, I complained to the ncsecu and got a call from their IT dept today. It seems that using the words firewall, bank, and broken in the same sentence caused a stir. Apparently they did an OS upgrade on their Symantec (?) firewall recently. I'm not the only one complaining. We'll see if Symantec fixes it.

Thanks for the help again, Henrik. I would have been lost on this one without it.

Chris
Re: [squid-users] maximum netowrk interfaces
On Mon 2007-03-12 at 18:49 -0400, Nicolás Ruiz wrote:
> I just tested on debian with stock kernel 2.6.18:
>
> T=0; while [ $T -lt 255 ]; do echo $T; ifconfig eth0:${T} \
> 192.168.${T}.1 netmask 255.255.255.0 up; T=`expr $T + 1` ; done
>
> and set up 255 virtual interfaces with no problem.

Sidenote: The above does not create virtual interfaces, just labelled IP addresses on the eth0 interface.

> Somewhat related, I haven't been able to create more than 7 GRE tunnels (in case you're using WCCP).

No apparent problem here.. Just created a couple of thousand wccpX gre interfaces (all unused as I have no WCCP capable router). Linux-2.6.19 Fedora Core 6.

ip tunnel add wccpX mode gre device eth0 remote X.X.X.X

Regards
Henrik
[squid-users] About a squid manager system
Hi all,

Our company has a lot (100) of squid boxes, and several engineers log in to the boxes and edit squid.conf when adding a domain acl or modifying something else.

The problem is that we modify the configuration file frequently, adding to or modifying squid.conf, so the work is very tiring.

So we want to develop a central squid manager system with a web interface to manage the squid configuration (squid.conf).

Now I have met a difficulty: how to split squid.conf for storage (in a database) and reassemble the configuration file. Some directives are sequence dependent...

Could you give me a hint? Or some GNU tools to parse and generate the configuration file?

Any hint appreciated...

--
Best regards
Felix New
Re: [squid-users] Another HTTP 1.1 Question
On Mon 2007-03-12 at 19:44 -0400, Chris Nighswonger wrote:
> - ECN
> - Window Scaling
> - Forgetting Vary
> - Mixing up ETag (same ETag on multiple incompatible entities)
> - Various malformed responses
>   * Double content length
>   * Malformed headers
>   * Repeated single-value headers
>
> If I knew more about the structure of these items I'd give it a whirl.

The first two are TCP/IP related. Detection is done by trying to communicate with the server both with and without the feature enabled.

The rest is HTTP protocol:

Forgetting Vary: Many servers forget to emit a Vary: accept-encoding header in gzip:ed responses. Tested by sending requests with and without Accept-Encoding: gzip and comparing the results. If Content-Encoding of the responses differs but Accept-Encoding isn't mentioned in Vary then the server is broken. Badly broken if the Vary is missing on the gzip:ed variant. Note: always responding with gzip is ok, even without Vary.

Mixing up ETag: Effectively the same test as above, but comparing the ETag header of the responses. If Content-Encoding differs but ETag is the same the server is broken.

Double content length: Server response has more than one content-length header. Critical if the value differs.

Malformed headers: Server response contains various crap mixed with the response headers. Have seen for example various system error messages etc.. (i.e. Failed to open ). A well formed HTTP header follows the pattern ^[A-Za-z][-A-Za-z0-9]*:.* and anything in the headers not matching this is malformed. Technically a few more characters are allowed in the header name, but all known headers follow this pattern.

Repeated single-value headers: The exact same test as for content-length, but for other less critical HTTP headers specified as single-valued not allowing more than one value. I.e. Content-Type, Content-Encoding, ETag, Date, etc.

Regards
Henrik
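The HTTP-level checks described in the message above, as an added Python example that is not part of the original thread or of Squid. The two response heads are constructed sample data, the function names and finding labels are illustrative, and folded continuation lines are treated as part of the previous header rather than as malformed.

```python
import re

# Pattern for a well-formed header line, as given in the message above.
HEADER_RE = re.compile(r"^[A-Za-z][-A-Za-z0-9]*:.*")
# Single-valued headers named in the message (Content-Length is checked separately).
SINGLE_VALUED = ("content-type", "content-encoding", "etag", "date")

def parse_headers(raw):
    """Split a raw response head into ({name: [values]}, [malformed lines])."""
    fields, malformed, last = {}, [], None
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if line == "":
            break  # blank line ends the header block
        if line[0] in " \t" and last is not None:
            fields[last][-1] += " " + line.strip()  # folded continuation line
        elif HEADER_RE.match(line):
            name, value = line.split(":", 1)
            last = name.lower()
            fields.setdefault(last, []).append(value.strip())
        else:
            malformed.append(line)
            last = None
    return fields, malformed

def check_response(raw):
    """Findings for a single response: malformed lines and repeated headers."""
    fields, malformed = parse_headers(raw)
    findings = [("malformed-header", line) for line in malformed]
    lengths = fields.get("content-length", [])
    if len(lengths) > 1:
        # Critical when the values differ: the body length is then ambiguous.
        severity = "critical" if len(set(lengths)) > 1 else "warning"
        findings.append(("double-content-length", severity))
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(("repeated-single-value", name))
    return findings

def varies_on_encoding(fields):
    tokens = [t.strip().lower() for v in fields.get("vary", []) for t in v.split(",")]
    return "accept-encoding" in tokens or "*" in tokens

def compare_variants(identity_raw, gzip_raw):
    """Compare replies for one URL requested without and with Accept-Encoding: gzip."""
    plain, _ = parse_headers(identity_raw)
    gz, _ = parse_headers(gzip_raw)
    if plain.get("content-encoding") == gz.get("content-encoding"):
        return []  # same encoding both times (e.g. always gzip): fine without Vary
    findings = []
    if not varies_on_encoding(gz):
        findings.append(("missing-vary", "gzip variant (badly broken)"))
    if not varies_on_encoding(plain):
        findings.append(("missing-vary", "identity variant"))
    etag = plain.get("etag")
    if etag and etag == gz.get("etag"):
        findings.append(("shared-etag", etag[0]))
    return findings

# Constructed sample response heads (not captured from a real server).
IDENTITY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 12 Mar 2007 12:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    'ETag: "abc123"\r\n'
    "Content-Length: 5120\r\n"
    "\r\n"
)
GZIPPED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 12 Mar 2007 12:00:01 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Encoding: gzip\r\n"
    'ETag: "abc123"\r\n'
    "Failed to open /tmp/session\r\n"
    "Content-Length: 1310\r\n"
    "Content-Length: 5120\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in check_response(GZIPPED) + compare_variants(IDENTITY, GZIPPED):
        print(finding)
```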
Re: [squid-users] Another HTTP 1.1 Question
On Tue, Mar 13, 2007, Henrik Nordstrom wrote: The first two is TCP/IP related. Detection is done by trying to communicate with the server both with and without the feature enabled. Are ECN/Window Scaling options which can be fiddled via syscalls per socket FD? If they are then we could sneak them into the retry forwarding logic and cache if/when they work. Adrian
Re: [squid-users] Squid Java problem
Yes we are. Are there any known issues with NTLM and java? Quoting Chris Nighswonger [EMAIL PROTECTED]: On 3/12/07, Tornado [EMAIL PROTECTED] wrote: Hi all, We are using squid proxy which is integrated with AD on our network without much problems and everything seems to be working fine except when site makes the use of Java. Are you using ntlm? Chris
Re: [squid-users] About a squid manager system
Felix New wrote:
> Could you give me a hint? or some GNU tools to parse and generate configure file?

It sounds to me like you could benefit from using revision control software to manage the configuration files. The tool that springs to mind is Subversion (see http://subversion.tigris.org ). Subversion has a mechanism called hooks that allow you to perform arbitrary actions when a file is changed.

Regards

--
Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam anti-virus
Consultant | e: [EMAIL PROTECTED] | filtering. Inoculate
antibodymx.net | m: +447896578023 | your mail system.