Re: [squid-users] optimizing squid and FreeBSD
On Mon 2007-03-19 at 21:53 -0800, Chris Robertson wrote:

> For what it's worth, the 30 requests/second suggestion is straight from the most active developer on the Squid-users mailing list: http://www.squid-cache.org/mail-archive/squid-users/200701/0433.html (see close to the bottom of that message).

Just a small clarification. That rule applies to forward proxies only where the memory hit ratio is fairly small. For reverse proxies where most active content fits in memory there isn't much load on the disks and ufs pans out quite well.

> Obviously a number of people are experiencing great success using COSS.

True. But not yet quite ready to lift the experimental flag.

Regards
Henrik
Re: [squid-users] FTP access through squid
On 19.03.07 16:20, Michael St. Laurent wrote:

> Can squid be configured to proxy FTP requests that originate from My Network Places on Windows boxes?

It's Windows that has to be configured to proxy FTP requests through squid. I doubt that Windows Explorer can do that.

There is 'frox' - an intercepting FTP proxy which can be configured to use squid.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Re: [squid-users] FTP access through squid
Michael St. Laurent wrote:

> Can squid be configured to proxy FTP requests that originate from My Network Places on Windows boxes?

http://wiki.squid-cache.org/SquidFaq/InnerWorkings#head-cc52368a9a961fcf8f7f5a4df2e8ff0da8becb16

--
Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam anti-virus
Consultant       | e: [EMAIL PROTECTED]       | filtering. Inoculate
antibodymx.net   | m: +447896578023           | your mail system.
[squid-users] squid problem
Hi,

I am using squid 2.6.STABLE5 on Red Hat 9 on 3128 port. This works perfectly fine for all the PCs in the same network segment (say 192.168.10.xxx).

Now we have added a different LAN segment and I want to provide Internet access to these users (say 192.168.50.xxx). Please let me know what needs to be done to achieve the same.

Thanks in advance.

Prasad Deshpande
Pune, India.
Re: [squid-users] squid problem
On Tue 2007-03-20 at 16:31 +0530, Prasad Deshpande wrote:

> Hi, I am using squid 2.6.STABLE5 on Red Hat 9 on 3128 port. This works perfectly fine for all the PCs in the same network segment (say 192.168.10.xxx). Now we have added a different LAN segment and I want to provide Internet access to these users (say 192.168.50.xxx). Please let me know what needs to be done to achieve the same.

And where is the problem? As long as your network and routing is set up properly Squid will be happy.
Re: [squid-users] ntlm issue with 2.6.STABLE9-20070220
On Tue 2007-03-06 at 15:06 +0100, Lionel Déruaz wrote:

> Everything was working fine up to now except that since the upgrade, I am facing some performance issue: the squid usage cpu on the server is high, and the cache.log is full of the following message:
>
> [2007/03/05 10:00:37, 1] libsmb/ntlmssp.c:ntlmssp_update(259) got NTLMSSP command 3, expected 1

This indicates ntlm_auth got NTLM messages out-of-sequence. Have seen reports of Firefox occasionally doing this, continuing the NTLM handshake even if it reopens the connection. But no report besides yours of it being very frequent.

It's relatively easy to diagnose from an ethereal/wireshark trace + access.log and cache.log from the same time period. cache.log tells the time stamp, access.log possible request candidates at that time (TCP_DENIED), and the ethereal/wireshark network trace to inspect what was really going on.

Regards
Henrik
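Added example, not part of the thread and not Squid or Samba code: one way to do the cache.log / access.log correlation described in the reply above, so that the network trace only has to be inspected around a few requests. It assumes the native access.log format and that cache.log timestamps are local time; the `utc_offset_hours` parameter, the function names and the access.log sample lines are constructed for the illustration.

```python
import calendar
import re
import time

# Samba debug header, e.g. "[2007/03/05 10:00:37, 1] libsmb/ntlmssp.c:..."
HEADER = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
OUT_OF_SEQ = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")

# Constructed sample input. The cache.log entry is the one quoted in the
# thread; the access.log lines are invented for the demonstration.
CACHE_LOG = """\
[2007/03/05 10:00:37, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
"""
ACCESS_LOG = """\
1173088836.900     85 192.168.10.33 TCP_MISS/200 5120 GET http://www.example.org/a.css alice DIRECT/192.0.2.10 text/css
1173088837.412      3 192.168.10.21 TCP_DENIED/407 1742 GET http://www.example.com/ - NONE/- text/html
1173088990.005      2 192.168.10.21 TCP_DENIED/407 1742 GET http://www.example.com/ - NONE/- text/html
"""


def out_of_sequence_events(cache_log, utc_offset_hours=0):
    """Return (epoch, got, expected) for every out-of-sequence NTLM message.

    The helper logs local time with one-second resolution; utc_offset_hours
    (hours east of UTC, an assumption the caller supplies) converts it to
    the epoch seconds used by access.log.
    """
    events = []
    stamp = None
    for line in cache_log.splitlines():
        header = HEADER.search(line)
        if header:
            local = calendar.timegm(
                time.strptime(header.group(1), "%Y/%m/%d %H:%M:%S"))
            stamp = local - int(utc_offset_hours * 3600)
        # The message may follow on the next line or share the header line.
        message = OUT_OF_SEQ.search(line)
        if message and stamp is not None:
            events.append((stamp, int(message.group(1)), int(message.group(2))))
    return events


def denied_requests(access_log):
    """Yield (epoch, client, method, url) for TCP_DENIED entries."""
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[3].startswith("TCP_DENIED/"):
            continue
        yield float(fields[0]), fields[2], fields[5], fields[6]


def correlate(cache_log, access_log, utc_offset_hours=0, window=1.0):
    """Pair each NTLM sequence error with denied requests within +/- window s."""
    denied = list(denied_requests(access_log))
    report = []
    for stamp, got, expected in out_of_sequence_events(cache_log, utc_offset_hours):
        near = [(client, method, url)
                for ts, client, method, url in denied
                if abs(ts - stamp) <= window]
        report.append({"epoch": stamp, "got": got, "expected": expected,
                       "candidates": near})
    return report


if __name__ == "__main__":
    for event in correlate(CACHE_LOG, ACCESS_LOG):
        print(event)
```

The client addresses in `candidates` are the ones worth filtering on in the ethereal/wireshark capture for the same second.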
Re: [squid-users] Error Negotiating SSL Connection error
On Fri 2007-03-09 at 07:37 -0500, [EMAIL PROTECTED] wrote:

> 2007/02/15 08:29:04 | fwdNegotiateSSL: Error negotiating SSL connection on FD 23: error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type (1/-1/0)
> 2007/02/15 08:29:04 | TCP connection to 192.168.0.20/443 failed

This is an error in opening the SSL connection to the web server, squid-webserver.

> cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl name=opaccess.companyname.com

I think the best thing to do here is to inspect the traffic with ssldump. You may need the certificate key of the web server to make sense of the exchanged data.

> The numbers after FD (e.g. 23) changes to different numbers as the errors repeat themselves.

It's normal that the FD number changes when seeing this error. But you should not get the error.

Regards
Henrik
Re: [squid-users] ssl reverse proxy self signed cert
On Fri 2007-03-09 at 15:59 +0100, Peter Meier wrote:

> Hi
>
> maybe i understood something wrong but I'm trying to do the following setup with squid 2.6.STABLE7 and couldn't find anything related to my errors and problems:
>
> wished setup:
> client --ssl (cacert signed)-- squid (reverse) --ssl (selfsigned)-- apache

When using self-signed certificates you need to either add the certificate as a CA for the cache_peer, or tell Squid to not verify the certificate of the peer at all.

> well for me it is clear that squid cannot verify the cert as it is self signed. however i'd like to tell squid that it should accept this cert, not try to verify it or whatever to be possible to use it. But I couldn't find such an option for the https_port option.

It's the cache_peer option you need to look at.

Regards
Henrik
Re: [squid-users] 127.0.0.1 is their IP...
On Mon 2007-03-12 at 13:56 -0400, Shane A. Froebel wrote:

> Just recompiled squid, like so...
>
> ./configure --enable-follow-x-forwarded-for --enable-useragent-log --enable-referer-log --quiet
>
> added to squid.conf:
>
> forwarded_for on
>
> Had someone post something on the site IP came back to being 127.0.0.1

IP came back where?

forwarded_for makes Squid insert the original IP in the X-Forwarded-For header. Requires the receiving server to know how to read this header.

Regards
Henrik
Re: [squid-users] periodic user re-authentication via Radius
On Wed 2007-03-14 at 15:37 -0400, Michael W. Lucas wrote:

> Hi,
>
> We have a need to force users to re-authenticate to the Web periodically. Squid doesn't support this, because of how the browser caches credentials. So I'm having our external Radius auth helper handle this for us. As this seems to be a FAQ, I'm sharing the script here.

You can do something similar with the session external acl helper, periodically denying access. To do this use the helper in the automatic mode, and have a relatively small session timeout smaller than the ttl specified in external_acl_type.

But be warned that some browsers automatically retry the cached credentials a couple of times before asking the user to authenticate again. Also, in most browsers it's sufficient to just cancel the login box and try again.

Regards
Henrik
[squid-users] Error creating mutexCan't init shared memory.freebsd 4.9/6.0 + squid2.5st14/2.6st11 + icap + clamav
freebsd 4.9/6.0 + squid2.5st14/2.6st10 + icap + clamav

result: Error creating mutexCan't init shared memory.Fatal error, exiting!

# ./c-icap -d 10 -D
Enabling parameter -D
Setting parameter :PidFile=/var/run/c-icap.pid
Setting parameter :Timeout=300
Setting parameter :KeepAliveTimeout=600
Setting parameter :StartServers=3
Setting parameter :MaxServers=10
Setting parameter :MinSpareThreads=10
Setting parameter :MaxSpareThreads=20
Setting parameter :ThreadsPerChild=10
Setting parameter :Port=1344
Setting parameter :User=squid
Setting parameter :Group=squid
Setting parameter :TmpDir=/var/tmp
Setting parameter :MaxMemObject=131072
Setting parameter :ServerLog=/var/log/c_icap/server.log
Setting parameter :AccessLog=/var/log/c_icap/access.log
Setting parameter :ModulesDir=/usr/local/lib/c_icap
Loading service :logger path sys_logger.so
Registering conf table:sys_logger
Going to search variable Prefix in table sys_logger
Setting parameter :Prefix=C-ICAP:
Going to search variable Facility in table sys_logger
Setting parameter :Logger=file_logger
ACL spec name:localsquid_respmod username:- service:- type:4 port:0 src_ip:10.0.2.12 src_netmask:255.255.255.255 server_ip:0.0.0.0
ACL spec name:localsquid username:- service:- type:0 port:0 src_ip:10.0.2.12 src_netmask:255.255.255.255 server_ip:0.0.0.0
ACL spec name:externalnet username:- service:- type:0 port:0 src_ip:0.0.0.0 src_netmask:0.0.0.0 server_ip:0.0.0.0
ACL entry localsquid_respmod 1 added
ACL entry localsquid 1 added
ACL entry externalnet -1 added
Setting parameter :ServicesDir=/usr/local/lib/c_icap
Loading service :echo_module path srv_echo.so
Found handler C_handler for service with extension:.so
Initialization of echo module..
Loading service :url_check_module path srv_url_check.so
Found handler C_handler for service with extension:.so
Initialization of url_check module..
Loading service :antivirus_module path srv_clamav.so
Found handler C_handler for service with extension:.so
Going to initialize srvclamav
Registering conf table:srv_clamav
Going to search variable ScanFileTypes in table srv_clamav
Iam going to scan data for simple scanning of type:,GIF,JPEG,MSOFFICE,TEXT,DATA,EXECUTABLE,ARCHIVE
Going to search variable SendPercentData in table srv_clamav
Setting parameter :SendPercentData=5
Going to search variable StartSendPercentDataAfter in table srv_clamav
Setting parameter :StartSendPercentDataAfter=2097152
Going to search variable MaxObjectSize in table srv_clamav
Setting parameter :MaxObjectSize=5242880
Going to search variable ClamAvTmpDir in table srv_clamav
Setting parameter :ClamAvTmpDir=/usr/local/squid/tmp
Going to search variable ClamAvMaxFilesInArchive in table srv_clamav
Setting parameter :ClamAvMaxFilesInArchive=0
Going to search variable ClamAvMaxFileSizeInArchive in table srv_clamav
Setting parameter :ClamAvMaxFileSizeInArchive=104857600
Going to search variable ClamAvMaxRecLevel in table srv_clamav
Setting parameter :ClamAvMaxRecLevel=5
My hostname is:proxy.aromata.ru
Error creating mutexCan't init shared memory.Fatal error, exiting!

Log icap:
Wed Mar 14 15:45:15 2007, general, Error creating mutexWed Mar 14 15:45:15 2007, general, can't get shared memory!Wed Mar 14

P.S.
# cat GENERIC | grep mem
options SYSVSHM # SYSV-style shared memory

Help

Best regards,
Maxim A. Socolov
Klas company
tel. +7 495 916-5220
fax. +7 495 916-5221
www.aromata.ru
Re: [squid-users] tcp_outgoing_address not working
Bingo!

Someone messed with the SNAT rules (we have a lot of them) and there was one with just the output device but no source IP that applied to the local traffic as well. :(

Noob error that I missed that rule :/

Thanks :)

Henrik Nordstrom wrote:

> On Thu 2007-03-01 at 18:37 +0100, Bgs wrote:
>
>> Do you have any ideas why is squid sticking to the default system IP and not use any IP given in tcp_outgoing_address?
>
> Do you perhaps have any NAT masquerade rules messing things up?
>
> Regards
> Henrik
[squid-users] squid, blacklists ,squidguard doesnt work
Hi

I installed squid 2.5.STABLE6 on Centos 4.4. I have a blacklist file, size more than 4 Megabytes.

acl in squid.conf look like

acl porn url_regex -i /etc/squid/porn
http_access deny porn

When I started squid:

/etc/init.d/squid start
Stopping squid: ..
Starting squid:[FAILED]

I get this error in /var/log/messages

Mar 20 15:25:33 lnx squid[21380]: Squid Parent: child process 21382 exited withstatus 0
Mar 20 15:26:40 lnx squid[21709]: fork failed: (12) Cannot allocate memory
Mar 20 15:26:40 lnx squid[21709]: Squid Parent: child process -1 started
Mar 20 15:26:40 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
Mar 20 15:26:43 lnx squid[21709]: Squid Parent: child process -1 started
Mar 20 15:26:43 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
Mar 20 15:26:46 lnx squid[21709]: Squid Parent: child process -1 started
Mar 20 15:26:46 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
Mar 20 15:26:49 lnx squid[21709]: Squid Parent: child process -1 started
Mar 20 15:26:49 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
Mar 20 15:26:52 lnx squid[21709]: Squid Parent: child process -1 started
Mar 20 15:26:52 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68

When I removed porn file or porn file 1 MB then squid work fine
Re: [squid-users] optimizing squid and FreeBSD
On Tue, 20 Mar 2007 00:37:53 -0300 (BRT) Michel Santos [EMAIL PROTECTED] wrote:

>> You can add kern.maxfilesperproc=8192 in /etc/sysctl.conf to increase your squid file descriptors to 8192. You may also have to change your kern.maxfiles parameter to say about 8192 or 16384.
>
> all this suggestions are kind of high, hardly you get over 2000 open files unless you have a heavy loaded server, this starts somewhere over 6-10mb/s sustained http throughput when you may need more open files

Hi Michel,

My proxy servers do handle high active connections during peak hours. Currently one of it is using about 4600 file descriptors. As Chris pointed out it might be due to high latency because our bandwidth comes through satellite and my proxy server is utilizing 8 mbps traffic currently.

> when you use coss you do not get even close to half of it

I am using COSS and it works flawlessly at present.

> on FBSD you ever should query your system as with sysctl kern.openfiles to see what is going on and then when *really* coming to the limit you might like to raise it a little and otherwise not

kern.openfiles shows 4318.

>> Well if your proxy serves less than 30 requests per second, then ufs storage is fine. However if your demands are above 30 requests per second, then either diskd and aufs will be good. However you may need to tweak your kernel to implement diskd for FreeBSD.
>
> you say it so easy as if were that easy, firstable what your machine supports and needs is relative to the machine's processing power. There is no such 30 req/sec limit or switch-over-rule ...

I admit there is no such rule but I am using it as a base for measurement and comparison. Obviously, req/sec is an easier and a better unit than say open_files/sec.

> but I agree, on FreeBSD you might consider diskd but the difference is small and depends on the machine and the throughgoing http-traffic and if your HD can really take the load (or better: answer the requests in time)
>
> so my opinion here is using ufs is good and stable and fits high load for whom is not a specialist in system fine tuning, if you are knowing nasty kernel stuff *and* have really nasty hardware and like to get the most out of it then you should go diskd - but - better having a perfect UPS and a server which never crashes, you may lose your cache content, anyway it's a long way to get this 5-10% more (in comparison to ufs)

Well I am saying this based on our proxy servers using ufs, diskd, aufs and coss. Usually median service time indicates the browsing speed and after a lot of data collection, miss median service time's value has predicted our overall bandwidth utilization quite accurately and also the browsing speed. Our proxy servers using COSS usually gives the less amount of miss median service time.

I have read articles and posts regarding ufs and they do suggest that ufs usually peaks out at 30-40 requests per second. However I have not really performed rigorous tests and benchmarks regarding ufs so I could be a little biased here.

> aufs? hands off

A lot of people including myself are using aufs. However we are not using it extensively.

>> Try using these in your kernel config file:
>>
>> options MSGMNB=8192 # max # of bytes in a queue
>> options MSGMNI=40 # number of message queue identifiers
>> options MSGSEG=512 # number of message segments per queue
>> options MSGSSZ=64 # size of a message segment
>> options MSGTQL=2048 # max messages in system
>> options SHMSEG=16
>> options SHMMNI=32
>> options SHMMAX=2097152
>> options SHMALL=4096
>
> this values might be kind of unreasonable but probably does not influence anything depending on your load, so you may not see if it is or not is unless you monitor SHM and MSG on your system. So I believe when you can live with SHMSEG=16 you do not need to set anything at all, it is lower than FreeBSD's default

These compiled values are working for my servers up till now. Well I once had a problem regarding diskd without the above compilation options. But that was long ago and you may be right that I won't see any difference with or without it.

> btw setting SHMMAX is old stuff, you should set SHMMAXPGS which adjust automatically SHMMAX considering the other tweaked SHM values, if you do it your way you may find undesired behaviour
>
> anyway ipc.* are tunables so you do *not* need to compile them into your kernel

I will test it in near future just by tweaking the tunables.

> if you want to tune diskd read first a lot of postgres sql tuning matter which are the only lonly guys which seem ever having worked serious (except me of course ;) ) with this IPC stuff on FreeBSD. What you find on squid's website regarding FreeBSD makes diskd work on old versions but not tuned.

I will read about them in the future.:) And thanks for your
Re: [squid-users] squid, blacklists ,squidguard doesnt work
[EMAIL PROTECTED] wrote:

> When I removed porn file or porn file 1 MB then squid work fine

As each child will need to read that file, you're looking at a significant memory overhead. Either install more memory in the server, or keep the file down to a reasonable size.

--
Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam anti-virus
Consultant       | e: [EMAIL PROTECTED]       | filtering. Inoculate
antibodymx.net   | m: +447896578023           | your mail system.
[squid-users] Squid+Open Portal+Ad replacement
Hi,

Does anyone have experience they can relate to me offline (I'll summarize if requested) to accomplish the following:

User already has an IP dedicated to them (so anything that uses DHCP is out for now). They start up a browser and no matter what site they try at first, it redirects them to our Splash Page. It's open, so we just want them to click Connect or something to allow them through. Then, once that process has been completed, they can surf the net normally...

Except all ads from the big companies are replaced with locally injected ads. More looking for the banner ads to be replaced.

Thanks,
Tuc/TBOH
[squid-users] RE: Authentification in transparent mode
Hi mailing list,

According to the squid FAQ, the authentification is not possible in transparent mode because of browser security feature. Indeed, this last is not expecting the proxy.

Nevertheless, is there someone who knows a bypass method? Deactivate this browser feature or something else?

Thank you in advance of yours responses.

Eric ANDRE
Securalis | 10, rue Ballu | 75009 Paris
Tel +33.(0)1.53.43.06.06 | support 0 820 820 848
Fax +33.(0)1.53.01.29.44
[EMAIL PROTECTED] | www.securalis.com
[squid-users] squid PURGE expense?
Hey all,

I was wondering if anyone could tell me how expensive a PURGE operation would be in squid.

Are there any locks or re-indexing that occurs on purge?

Would a certain amount of purges per second hurt performance (more than the same amount of requests, for example)?

Thanks

--
Dan Thomson
Systems Engineer
Peer1 Network
1000 555 West Hastings
Vancouver, BC V6B 4N5
866-683-7747
http://www.peer1.com
Re: [squid-users] RE: Authentification in transparent mode
Eric ANDRE - SECURALIS wrote:

> Hi mailing list,
>
> According to the squid FAQ, the authentification is not possible in transparent mode because of browser security feature. Indeed, this last is not expecting the proxy.
>
> Nevertheless, is there someone who knows a bypass method? Deactivate this browser feature or something else?

It's not so much of a feature as reality.

http://www.squid-cache.org/mail-archive/squid-users/200506/0638.html

That said, there are two possibilities listed in the mailing list archives: IP-based out of band authentication (the helper keeps a list of IPs that have passed the authentication procedure, and redirects non-authenticated IPs to said procedure) and cookie-based authentication (which carries the problem of getting the browser to submit the cookie for every web request, and filtering that cookie from the rest of the world).

From what I understand, Squid 2.6 has a session helper that might be used to help implement the IP-based authentication. See the man page in the Squid source for usage.

The cookie-auth method is proposed at http://www.squid-cache.org/mail-archive/squid-dev/200506/0034.html, questioned at http://www.squid-cache.org/mail-archive/squid-dev/200506/0035.html and fleshed out some more at http://www.squid-cache.org/mail-archive/squid-dev/200506/0039.html.

> Thank you in advance of yours responses.
>
> Eric ANDRE

Chris
Re: [squid-users] Re: Download time issue: Squid 2.6
Thomas-Martin Seck wrote:

> FYI; the Squid FreeBSD port has already been updated to STABLE11.
>
> - Forwarded message from Thomas-Martin Seck [EMAIL PROTECTED] -
>
> [...]
>
> Yes, the FreeBSD port provides patches to enable ICAP client support, due to popular demand. ICAP support is not enabled by default, though.
>
> The ICAP client patch does or rather did remove that line. It's a bit difficult to tell because the ICAP code and the patch look like they are now developed against Squid-2-HEAD sources which seem to have diverged a bit from Squid-2.6, especially in client_side.c. The problem I am facing is that the patch used to touch clientReadRequest() but now touches clientTryParseRequest() instead (which is only present in Squid-2-HEAD it seems).
>
> I have updated the ICAP patchset I provide for FreeBSD to not remove the commSetTimeout() call in client_side.c:clientReadRequest(). The updated patch will be available in the FreeBSD ports collection alongside with Squid-2.6.STABLE11. I have just submitted the update request, so it should be available within the next few days.
>
> - End forwarded message -

I'm using the FreeBSD squid port with ICAP support and I have it configured to pass all HTTP requests through my icap server. It was working well with the squid 2.6.9 port, but I wanted to take advantage of the better support for broken HTTP/1.1 servers so I have updated to the 2.6.11 port. However, squid is frequently dumping core with the following traceback:

opteron6:/usr/ports/www/squid/work/squid-2.6.STABLE11/src (502) gdb squid ~/squid.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...
warning: exec file is newer than core file.
Core was generated by `squid'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x0008009e72dc in _nsyylhs () from /lib/libc.so.6
(gdb) where
#0 0x0008009e72dc in _nsyylhs () from /lib/libc.so.6
#1 0x0008009e616d in _nsyyrindex () from /lib/libc.so.6
#2 0x7fffe4f0 in ?? ()
#3 0xffdfe510 in ?? ()
#4 0x in ?? ()
#5 0x in ?? ()
#6 0x in ?? ()
#7 0x004b2198 in __func__.0 ()
#8 0x in ?? ()
#9 0x0046cf5e in fatal_dump ( message=0x7fffe63c ß, 'ÿ' repeats 15 times) at tools.c:450
#10 0x0048a5e6 in xstrdup ()
#11 0x00463e93 in new_MemObject ( url=0xcd0080 http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml;, log_url=0x0) at store.c:122
#12 0x00463f9b in new_StoreEntry (mem_obj_flag=1, url=0xcd0080 http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml;, log_url=0x0) at store.c:136
#13 0x00464fbb in storeCreateEntry ( url=0xcd0080 http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml;, log_url=0x0, flags= {range = 0, nocache = 0, ims = 0, auth = 0, cachable = 1, hierarchical = 1, loopdetect = 0, proxy_keepalive = 0, proxying = 0, refresh = 0, redirected = 0, need_validation = 0, nocache_hack = 0, accelerated = 0, transparent = 0, inter---Type return to continue, or q return to quit--- nal = 0, body_sent = 0, reset_tcp = 0, must_keepalive = 0, connection_auth = 0, connection_proxy_auth = 0, no_connection_auth = 0, pinned = 0, auth_sent = 0, collapsed = 0, cache_validation = 0}, method=1) at store.c:1065
#14 0x00418704 in clientCreateStoreEntry (h=0xcd1018, m=1, flags= {range = 0, nocache = 0, ims = 0, auth = 0, cachable = 1, hierarchical = 1, loopdetect = 0, proxy_keepalive = 0, proxying = 0, refresh = 0, redirected = 0, need_validation = 0, nocache_hack = 0, accelerated = 0, transparent = 0, internal = 0, body_sent = 0, reset_tcp = 0, must_keepalive = 0, connection_auth = 0, connection_proxy_auth = 0, no_connection_auth = 0, pinned = 0, auth_sent = 0, collapsed = 0, cache_validation = 0}) at client_side.c:399
#15 0x0041b2b6 in clientProcessMiss (http=0xcd1018) at client_side.c:3470
#16 0x0041fa58 in clientProcessRequest (http=0xcd1018) at client_side.c:3400
#17 0x0044811f in icapReqModReadHttpHdrs (fd=12, data=0x6) at icap_reqmod.c:203
#18 0x0042592f in comm_select (msec=0) at comm_generic.c:264
#19 0x00452428 in main (argc=0, argv=0x0) at main.c:846
(gdb) quit

I see in store_log.c's storeLog()
[squid-users] squid clamav
hi

this may not be the right place for this ... i needed to download squidclamav.. and all the searches i do lead me to the site http://www.jackal-net.at/

it was working about 4 days ago wen i tried. and suddenly now it has stopped working.. it sez operation timed out wen connecting...

... has any one recently visited the site for the squidclamav download... or anyone knows wat is wrong with that site... or an alternative link for downloading squidclamav...

thanks..

--
Siddhesh
Re: [squid-users] Re: Download time issue: Squid 2.6
* Guy Helmer ([EMAIL PROTECTED]):

> I'm using the FreeBSD squid port with ICAP support and I have it configured to pass all HTTP requests through my icap server. It was working well with the squid 2.6.9 port, but I wanted to take advantage of the better support for broken HTTP/1.1 servers so I have updated to the 2.6.11 port. However, squid is frequently dumping core with the following traceback:
>
> ...
>
> I see in store_log.c's storeLog() method there is special handling for a NULL log_url but there isn't similar handling for the NULL log_url in client_site.c's clientCreateStoreEntry() method before it calls storeCreateEntry(). I'm new to this code base so I'm not sure whether it's my ICAP daemon that is causing a problem or if this is truly a problem in squid. Any ideas?

I'll see whether I need to adapt the ICAP patch further (i.e. I screwed the merge from Squid-2-HEAD to Squid-2.6). It's possible, however, that the ICAP client is buggy in this respect. I just learned that its use is not encouraged on Squid-2 by the developers.
[squid-users] Certain Sites Wont Load
I am running Squid2.6STABLE9 and having trouble with certain sites coming up. Pages at news.yahoo.com will not come up anymore. Most other sites seem to work fine. I see nothing in log files. Any ideas? Matt
Re: [squid-users] squid, blacklists ,squidguard doesnt work
On Tue 2007-03-20 at 16:31 +0200, [EMAIL PROTECTED] wrote:

> Hi
>
> I installed squid 2.5.STABLE6 on Centos 4.4. I have a blacklist file, size more than 4 Megabytes.
>
> acl in squid.conf look like
>
> acl porn url_regex -i /etc/squid/porn

Uhm... 4 Megabytes of regex expressions? Are you really really sure that's what you have?

I suspect you are abusing the wrong acl type here... quite likely a lot of that blacklist should go into a dstdomain acl.

What does the content of this blacklist look like?

Regards
Henrik
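Added example, not part of the thread and not Squid code: a sketch of the split suggested in the reply above, moving entries that are plain host names into a dstdomain list and leaving only real patterns for url_regex. The sample entries, ACL names and file paths are constructed; note that dstdomain matches the request host only, while the same string in url_regex matched anywhere in the URL.

```python
import re

# A plain host name, optionally with a leading dot, and no regex syntax.
HOSTNAME = re.compile(
    r"^\.?(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed sample of a mixed blacklist file.
SAMPLE = [
    "# constructed sample blacklist",
    "example.com",
    "www.example.com",        # already covered by example.com
    ".Ads.Example.NET",
    "",
    "adult[0-9]+\\.",         # a real regular expression
    "/banners?/",             # a path pattern, not a host
    "example.com",            # duplicate
]


def classify(entry):
    """Return 'dstdomain', 'url_regex', or None for blanks and comments."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    return "dstdomain" if HOSTNAME.match(entry) else "url_regex"


def split_blacklist(lines):
    """Split blacklist lines into (dstdomain entries, url_regex entries)."""
    hosts, regexes = set(), []
    for raw in lines:
        entry = raw.strip()
        kind = classify(entry)
        if kind == "dstdomain":
            hosts.add(entry.lower().lstrip("."))
        elif kind == "url_regex" and entry not in regexes:
            regexes.append(entry)

    # Drop hosts already covered by a listed parent domain. Parents have
    # fewer labels, so visiting the shortest names first is sufficient.
    kept = set()
    for host in sorted(hosts, key=lambda h: h.count(".")):
        labels = host.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & kept:
            kept.add(host)

    # A leading dot makes the entry match the domain and its subdomains.
    return sorted("." + h for h in kept), regexes


def render_squid_conf(name, domain_file, regex_file):
    """squid.conf lines for the two lists (file paths are assumptions)."""
    return "\n".join([
        f'acl {name}_domains dstdomain "{domain_file}"',
        f'acl {name}_regex url_regex -i "{regex_file}"',
        f"http_access deny {name}_domains",
        f"http_access deny {name}_regex",
    ])


if __name__ == "__main__":
    domains, regexes = split_blacklist(SAMPLE)
    print("dstdomain:", domains)
    print("url_regex:", regexes)
    print(render_squid_conf("porn", "/etc/squid/porn.domains",
                            "/etc/squid/porn.regex"))
```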
Re: [squid-users] optimizing squid and FreeBSD
On Tue 2007-03-20 at 20:13 +0545, Tek Bahadur Limbu wrote:

> I admit there is no such rule but I am using it as a base for measurement and comparison. Obviously, req/sec is an easier and a better unit than say open_files/sec.

What you want to monitor is the number of seeks/s, and if not that the amount of time something is waiting for i/o. The first isn't very easily collected in most OS:es, but the latter is usually available via sar, iostat etc.

The big difference between ufs and aufs (and also diskd) is that with aufs Squid does not wait while there is disk i/o, continuing network operations as the disk i/o takes place. With ufs each millisecond spent in iowait means network activity was paused.

> I have read articles and posts regarding ufs and they do suggest that ufs usually peaks out at 30-40 requests per second. However I have not really performed rigorous tests and benchmarks regarding ufs so I could be a little biased here.

The limit is caused by the seek time limitation of the disks, and this has not improved significantly over the years. However, throwing a lot of memory at it helps the situation, and the average amount of memory per Squid server has increased significantly so it is not unlikely the numbers may have improved a bit.

> These compiled values are working for my servers up till now. Well I once had a problem regarding diskd without the above compilation options. But that was long ago and you may be right that I won't see any difference with or without it.

On FreeBSD and many other OS:es diskd requires OS tuning. The requirements are documented in the FAQ. These are the minimum requirements.

>> if you want to tune diskd read first a lot of postgres sql tuning matter which are the only lonly guys which seem ever having worked serious (except me of course ;) ) with this IPC stuff on FreeBSD. What you find on squid's website regarding FreeBSD makes diskd work on old versions but not tuned.

Would be great if someone with insight in FreeBSD shm ipc configuration would update the wiki with more current information.

Regards
Henrik
Re: [squid-users] Squid+Open Portal+Ad replacement
On Tue 2007-03-20 at 12:30 -0400, Tuc at T-B-O-H.NET wrote:

> User already has an IP dedicated to them (so anything that uses DHCP is out for now). They start up a browser and no matter what site they try at first, it redirects them to our Splash Page. It's open, so we just want them to click Connect or something to allow them through. Then, once that process has been completed, they can surf the net normally...

The above can be accomplished with the help of the session acl helper in its active mode, combined with an internal web server for serving the splash page and redirecting the user back to the requested URL when clicking on Connect.

> Except all ads from the big companies are replaced with locally injected ads. More looking for the banner ads to be replaced.

That's a separate question. Not exactly a job for Squid but more one of the ad busting proxies in combination with Squid. You need to not only replace the images but also rewrite the HTML and Javascript content on the fly.

Also be warned that such rewriting is generally not allowed. Web sites are protected by copyright, plus terms of use also placing restrictions. So you better run this question with your lawyer before putting it to serious use.

Regards
Henrik
Re: [squid-users] RE: Authentification in transparent mode
Tue 2007-03-20 at 17:41 +, Eric ANDRE - SECURALIS wrote: Hi mailing list, According to the squid FAQ, the authentication is not possible in transparent mode because of browser security feature. Indeed, this last is not expecting the proxy. Nevertheless, is there someone who knows a bypass method? Deactivate this browser feature or something else? The workaround is extremely simple. Make the browser understand it's using a proxy. How: * Auto discovery of the proxy (WPAD) * Manual configuration when auto discovery does not work, preferably to a PAC file (also used by WPAD). Regards Henrik
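As an added illustration of the PAC approach named in the reply above (not part of the original message): a minimal proxy auto-config file that sends web traffic to an explicitly configured Squid, so the browser knows a proxy is in use. The proxy name `proxy.example.internal`, port 3128 and the local subnets are assumed values.

```javascript
// Constructed example PAC file, served as wpad.dat (WPAD) or proxy.pac.
// Assumed values, not from the thread: proxy name/port and the LAN ranges.
var PROXY = "PROXY proxy.example.internal:3128";
var LOCAL_NETS = [["192.168.10.0", 24], ["192.168.50.0", 24]];

// Dotted-quad literal -> unsigned 32-bit integer, or null for anything else.
// Pure string parsing: no DNS lookup, so evaluating the PAC never blocks.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside base/bits (arithmetic avoids signed 32-bit ops).
function inSubnet(ip, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
}

// Hosts that must not go through the proxy: plain names, loopback, own LANs.
function isLocal(host) {
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  if (inSubnet(ip, "127.0.0.0", 8)) return true;
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (inSubnet(ip, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocal(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // Explicit proxy for web traffic: the browser knows about Squid and can
  // answer its proxy authentication challenge instead of rejecting it.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") return PROXY;
  return "DIRECT";
}
```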
Re: [squid-users] squid PURGE expense?
Tue 2007-03-20 at 10:49 -0700, Dan Thomson wrote: Hey all, I was wondering if anyone could tell me how expensive a PURGE operation would be in squid. Fairly light at the moment, much less than a GET cache hit. Are there any locks or re-indexing that occurs on purge? No. Would a certain amount of purges per second hurt performance (more than the same amount of requests, for example)? Not more than the same amount of requests.. Regards Henrik
Re: [squid-users] Certain Sites Wont Load
Tue 2007-03-20 at 14:56 -0500, Matt wrote: I am running Squid2.6STABLE9 and having trouble with certain sites coming up. Pages at news.yahoo.com will not come up anymore. Most other sites seem to work fine. I see nothing in log files. Any ideas? Have you tried the operating system dependent weirdnesses section in the FAQ? Linux: http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-699d810035c099c8b4bff21e12bb365438a21027 Solaris: http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-742ae66a1347811b7a3ee278657c1a462548ad4e FreeBSD: http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-69c86c56c716d46d55faa98751964f442e0bb92d Regards Henrik
Re: [squid-users] Re: Download time issue: Squid 2.6
Thomas-Martin Seck wrote: * Guy Helmer ([EMAIL PROTECTED]): I'm using the FreeBSD squid port with ICAP support and I have it configured to pass all HTTP requests through my icap server. It was working well with the squid 2.6.9 port, but I wanted to take advantage of the better support for broken HTTP/1.1 servers so I have updated to the 2.6.11 port. However, squid is frequently dumping core with the following traceback: ... I'll see whether I need to adapt the ICAP patch further (i.e. I screwed the merge from Squid-2-HEAD to Squid-2.6). It's possible, however, that the ICAP client is buggy in this respect. I just learned that its use is not encouraged on Squid-2 by the developers. Thanks for looking into it. What's Squid-3's status? Is anyone using it under load, or is it undependable? Guy -- Guy Helmer, Ph.D. Chief System Architect Palisade Systems, Inc.
Re: [squid-users] Certain Sites Wont Load
Have you tried the operating system dependent weirdnesses section in the FAQ? Did the: echo 0 > /proc/sys/net/ipv4/tcp_ecn Did not help. Rebooted the Linux CentOS 4.4 box running Squid and the problem went away. Any ideas? This is a transparent cache with a router DST-NAT'ing all port 80 traffic to it. Has been working fine for months. Have a 2nd identical setup that has not exhibited this problem. One odd thing about this server. It's an AMD64 dual core although not running 64 bit OS. The clock drifts severely. I do a ntp update every hour to compensate but it seems to drift about 20 minutes by that time. Could that cause it? The other setup with different motherboard but still AMD64 does not drift. I see this in logs once in a while. STALE: Entry's timestamp greater than check time. Clock going backwards? Not sure if this could cause anything? Thanks. Matt
Re: [squid-users] optimizing squid and FreeBSD
Chris Robertson said in the last message: all these suggestions are kind of high, hardly you get over 2000 open files unless you have a heavy loaded server, this starts somewhere over 6-10mb/s sustained http throughput when you may need more open files High bandwidth, high latency connections (satellite links) also eat file descriptors quite quickly. Yes I really haven't considered this in my statement as also not slow disk system or slow disks themselves Suggested settings are always welcome, but the most general advice is available from http://wiki.squid-cache.org/BestOsForSquid. Note there are not much in the way of OS tuning tips. Unless you are really pushing the boundaries of what Squid is capable of, they just won't buy you much. hum, may be on low traffic machines but there are certain priorities I guess, first of all good hardware comes first and not only disks but also network cards and memory. Bad cheap nics can do really terrible performance downgrading as well steal important cpu times. After getting the hardware straight you can get really great improvements by tweaking values for a cache server. Since we talk FreeBSD here you might get easy 20% or more overall performance benefit in comparison to a stock OS and especially on SMP machines. Michel ... Datacenter Matik http://datacenter.matik.com.br E-Mail and Data Hosting Service for Professionals.
Re: [squid-users] Certain Sites Wont Load
Tue 2007-03-20 at 17:40 -0500, Matt wrote: STALE: Entry's timestamp greater than check time. Clock going backwards? Which Squid version? Regards Henrik
Re: [squid-users] optimizing squid and FreeBSD
Henrik Nordstrom said in the last message: Tue 2007-03-20 at 20:13 +0545, Tek Bahadur Limbu wrote: I admit there is no such rule but I am using it as a base for measurement and comparison. Obviously, req/sec is an easier and a better unit than say open_files/sec. What you want to monitor is the number of seeks/s, and if not that the amount of time something is waiting for i/o. good point The first isn't very easily collected in most os:es, but the latter is usually available via sar, iostat etc. I believe neither one is an effective method for measuring cache performance. What the deal is with caching is less bandwidth consumption. Speeding up network access is not so much the point anymore since we all have large bandwidth everywhere. So then what does it matter getting 1000 requests satisfied if each of them is 1k? I do compare the incoming http traffic to the outgoing. Higher the difference better my cache performance right. The big difference between ufs and aufs (and also diskd) is that with aufs Squid does not wait while there is disk i/o, continuing network operations as the disk i/o takes place. With ufs each millisecond spent in iowait means network activity was paused.. that is certainly an interesting point. IO Bound I guess can be fought by faster and cpu independent disks and subsystem (scsi) and then using polling on for example em (intel pro) nics which seem to produce less interrupts. Also setting vfs.write_behind and vfs.vmiodirenable may give important improvement on some hardware together with vfs.read_max. I do not know why net.isr.direct is not on by default but at least on SMP it is what you want. This probably still does not work well on older versions than 6.2 All this does not cut ufs's bottleneck but helps a lot. So sure diskd is the preferred cache_dir on FreeBSD. But again, not on low traffic machines where I can not find any difference. 
IMO so long as your machine does not handle more than 2mb/s it does not matter what you do FreeBSD does it well either way - supposed you have good hardware. Michel ... Datacenter Matik http://datacenter.matik.com.br E-Mail and Data Hosting Service for Professionals.
Re: [squid-users] optimizing squid and FreeBSD
Tue 2007-03-20 at 21:09 -0300, Michel Santos wrote: I do compare the incoming http traffic to the outgoing. Higher the difference better my cache performance right. The better hit ratio you have. But tells nothing about the performance. An overloaded disk can be significantly slower than a fast Internet connection. that is certainly an interesting point. IO Bound I guess can be fought by faster and cpu independent disks and subsystem (scsi) and then using polling on for example em (intel pro) nics which seem to produce less interrupts. None of these helps in speeding up the rotation and seek time of a disk.. It's physical limitations of things moving around. Also setting vfs.write_behind and vfs.vmiodirenable may give important improvement on some hardware together with vfs.read_max. Not familiar with FreeBSD terminology. All this does not cut ufs's bottleneck but helps a lot. So sure diskd is the preferred cache_dir on FreeBSD. I would say aufs is the preferred cache_dir on FreeBSD, Linux and Solaris these days. aufs requires POSIX kernel threads, which are available even on FreeBSD these days. But again, not on low traffic machines where I can not find any difference. IMO so long as your machine does not handle more than 2mb/s it does not matter what you do FreeBSD does it well either way - supposed you have good hardware. With only 2mb/s you are unlikely to reach even 30 req/s, so yes.. and this not even needing good hardware just not too crappy hardware. Regards Henrik
Re: [squid-users] Certain Sites Wont Load
2.6STABLE9 Matt STALE: Entry's timestamp greater than check time. Clock going backwards? Which Squid version? Regards Henrik
Re: [squid-users] Certain Sites Wont Load
Tue 2007-03-20 at 21:32 -0500, Matt wrote: STALE: Entry's timestamp greater than check time. Clock going backwards? 2.6STABLE9 Then your clock is probably doing that... Squid won't be very happy with clocks going back in time.. But probably not the cause of your problems. Regards Henrik