[squid-users] Squid.conf blanks after sometimes
Dear All,

I am facing a strange problem while using Squid 2.5. I configured PCQ Linux 2007 for Squid. First, I observed last month that Squid failed to connect to websites/internet. When I checked the squid.conf file, I found it had become totally BLANK. No data was there. I restored the squid.conf file from backup. This problem appeared again two times. Every time the squid.conf file becomes blank and I have to restore it from its backup copy. I also observed some files like squid.conf.1, squid.conf.2, squid.conf.3, and squid.conf.4. This problem gets noticed every Monday, after the weekly off of my office (Saturday and Sunday).

So my queries are:

(1) Is it something to do with log rotation, which is set to every 5 days (default setting)? This problem occurs after log rotation, so far as I have observed. How do these squid.conf.1 to squid.conf.4 get created?
(2) Is it because of a hard disk media problem? I have not observed any media problem so far.
(3) Or is it a Squid-specific problem?

Please help me in this regard.
Re: [squid-users] new website: final beta
Might want to have a look at http://www.mnot.net/cgi_buffer/ which, despite its name, has a PHP one-line drop-in that might do the trick.

Mind you, I haven't looked at that code in years, and there very well may be some bugs in there, or compatibility with newer versions of PHP, but it's a starting point...

Cheers,

On 2007/05/10, at 12:02 AM, Adrian Chadd wrote:

> On Wed, May 09, 2007, Craig Skinner wrote:
>> On Wed, May 09, 2007 at 02:14:33PM +0200, Ralf Hildebrandt wrote:
>>> Nice work Adrian!
>>
>> Definitely. Struth Bruce! Nice one mate!
>>
>> Sort of quoting one of Yahweh's olde proverbs: ...squidmaster, cache thy self
>>
>> Will the final site be cache-able?
>>
>> I don't have the web skills that you do, but I found the easiest way to make php's cache-able was to lynx dump the php to a .html, and have apache serve index.html in preference to index.phtml. Naturally, all links to pages must be to the .html and not the .php:
>
> It will be. I just haven't yet added E-Tag and Expiry generation to the PHP code. I'll see what I can do.
>
> I haven't found an example of a really good dynamic site that actually sets appropriate cachability tags (and does so with minimal load to the server - there's no point in having to do the whole database query set and parse the database replies just to generate etags, for example!) so I figure this can double as that.
>
> Now, where's that spare time..
>
> Adrian

--
Mark Nottingham [EMAIL PROTECTED]
Re: [squid-users] Squid.conf blanks after sometimes
Hello ssp,

Thursday, May 10, 2007, 9:22:05 AM, you wrote:

> (1) Is it something to do with log rotation which is set on every 5 days? (defaults setting). This problem occurring after log rotation, so far I observed. How these squid.conf.1 to squid.conf.4 get created?

Show your squid.conf and squid log rotate script.

> (2) Is it because of hard disk media problem? I have not observed any media problem so far

No.

> (3) Or it is squid specific problem? Please help me in this regard.

This is hand related problem :)

--
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: [squid-users] If not authenticated don´t ask for it.
Thank you! Seems to be working fine now.

On 5/9/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:

> On Wed 2007-05-09 at 14:25 +0200, Patrik Hansson wrote:
>> Hello.
>> I've just gotten squid installed and working with NTLM and AD Groups.
>> What I want is to block some files for normal users, like .exe, .zip and so on but give admins the right to download them.
>> I made two AD groups named allowinet and admininet.
>> If a normal user is trying to download an .exe he gets presented with a login dialog. I don't want that.. I want my NOTE_FILETYPES_FILTERED displayed to the user directly.
>
> Then the last acl on the http_access deny line must not be related to logins.
>
> Example: if you have
>
>   http_access deny downloads normalusers
>
> you can simply switch the two acls
>
>   http_access deny normalusers downloads
>
> or alternatively add a dummy acl last on the line
>
>   acl denied_download_message src 0.0.0.0/0
>   http_access deny downloads normalusers denied_download_message
>
> then use this acl in deny_info to select the proper error message
>
>   deny_info ERR_BLOCKED_DOWNLOAD denied_download_message
>
> Regards
> Henrik
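
The rule from the reply above (the last acl on an http_access deny line must not be login-related, or the user gets a login dialog instead of the error page) can be checked mechanically. This is an added example, not part of the thread: the sample configuration is constructed, and the helper path, the external_acl_type name `ad_group` and the `urlpath_regex` pattern are assumptions.

```python
# Constructed sample: the three deny lines are the three variants from the
# reply; how "normalusers" is defined is an assumption (external ACL + %LOGIN).
SAMPLE_CONF = r"""
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl normalusers external ad_group allowinet
acl downloads urlpath_regex -i \.exe$ \.zip$
acl denied_download_message src 0.0.0.0/0
http_access deny downloads normalusers
http_access deny normalusers downloads
http_access deny downloads normalusers denied_download_message
deny_info ERR_BLOCKED_DOWNLOAD denied_download_message
"""

# ACL types that are evaluated against the user's credentials.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def directives(conf):
    """Yield each non-comment squid.conf line as a list of tokens."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()


def login_related_acls(conf):
    """Return the names of ACLs that need a login to be evaluated."""
    lines = list(directives(conf))
    # External helpers whose format string asks Squid for %LOGIN.
    helpers = {t[1] for t in lines
               if t[0] == "external_acl_type" and len(t) > 2 and "%LOGIN" in t[2:]}
    related = set()
    for t in lines:
        if t[0] != "acl" or len(t) < 3:
            continue
        name, kind = t[1], t[2]
        if kind in AUTH_ACL_TYPES:
            related.add(name)
        elif kind == "external" and len(t) > 3 and t[3] in helpers:
            related.add(name)
    return related


def audit_deny_lines(conf):
    """Pair each 'http_access deny' line with True if its last ACL is login-related."""
    related = login_related_acls(conf)
    report = []
    for t in directives(conf):
        if t[:2] == ["http_access", "deny"] and len(t) > 2:
            last_acl = t[-1].lstrip("!")  # a negated ACL is still login-related
            report.append((" ".join(t), last_acl in related))
    return report


if __name__ == "__main__":
    for line, reprompts in audit_deny_lines(SAMPLE_CONF):
        verdict = "login prompt" if reprompts else "error page"
        print(f"{verdict:12}  {line}")
```
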
Re: [squid-users] Squid as Acceleration Proxy in a Squid Cluster
Ok, thanks - that works and i see that a sibling becomes some request for caches.

But if i stop the local apache on a server and ask over the server the website - squid said

2007/05/10 08:10:30| Detected DEAD Parent: 127.0.0.1
2007/05/10 08:10:30| TCP connection to 127.0.0.1/80 failed

That's ok but the result is this:

The following error was encountered:
* Unable to forward this request at this time.

2007/05/10 08:10:55| Failed to select source for 'http://www.xxx.tld'
2007/05/10 08:10:55| always_direct = 0
2007/05/10 08:10:55|never_direct = 0
2007/05/10 08:10:55|timedout = 0

Thanks
Marcel

leongmzlist wrote:

> 1. your cache sibling configuration is wrong; you're not contacting any of the sibling.
> 2. use the proxy-only flag if you don't want squid to store cache hits from the siblings.
>
> try something like
>
> cache_peer sibling1 sibling 80 3130 proxy-only no-delay allow-miss name=sibling1
>
> mike
>
> At 03:02 PM 5/9/2007, Marcel Alburg wrote:
>> Hello,
>>
>> my Networks looks like
>>
>> Internet | [LB] -ha- [LB] | | +-+ | | | | [Squid + Apache] [Squid + Apache]
>>
>> All Hosts has running a webserver at 127.0.0.1:80 and a squid at the official IP Address on Port 80. The LoadBalancer ([LB]) forward the request to one of the server. The Squid checks his Cache and it the cache valid he send from cache otherwise he ask the local apache.
>>
>> We've a lot of hosts with this configuration and we've a problem, that any squid cache his own version from a webpage (n-Nodes could be n different Versions from a webpage - because the access and generationtime differs).
>>
>> My question is. It is possible to let ask the Squid the other nodes in the network if the requested page cached. And has any node a cached version - than deliver this cached version - otherwise ask the local apache.
>>
>> I tried a lot of different configs but nothing works to my contentment.
>>
>> a other problem is: If ask the squid the local page and gets an Error 404 or 500 he should ask the other Proxies for any valid cached version and deliver that version. The Webuser should not see the 500 Errors (if we had a lot of load at the server, the error 500 pages comes often).
>>
>> And i wanna stop the local apache at one node and the squid should notice that and ask the other nodes.
>>
>> One of my not working config was like this
>>
>> cache_peer 127.0.0.1 parent 80 0 originserver no-query default allow-miss
>> cache_peer 127.0.0.1 sibling 80 3130
>> cache_peer 127.0.0.1 sibling 80 3130
>> cache_peer 127.0.0.1 sibling 80 3130
>> icp_hit_stale on
>>
>> It is possible to realized that ?
>>
>> Thanks
>> Marcel
Re: [squid-users] Squid as Acceleration Proxy in a Squid Cluster
add no-query to cache_peer line ! i think this 'solve' ... On 5/10/07, Marcel Alburg [EMAIL PROTECTED] wrote: Ok, thanks - that works and i see that a sibling becomes some request for caches. But if i stop the local apache on a server and ask over the server the website - squid sad 2007/05/10 08:10:30| Detected DEAD Parent: 127.0.0.1 2007/05/10 08:10:30| TCP connection to 127.0.0.1/80 failed Thats ok but the result is this: The following error was encountered: * Unable to forward this request at this time. 2007/05/10 08:10:55| Failed to select source for 'http://www.xxx.tld' 2007/05/10 08:10:55| always_direct = 0 2007/05/10 08:10:55|never_direct = 0 2007/05/10 08:10:55|timedout = 0 Thanks Marcel leongmzlist wrote: 1. your cache sibling configuration is wrong; you're not contacting any of the sibling. 2. use the proxy-only flag if you don't want squid to store cache hits from the siblings. try something like cache_peer sibling1 sibling 80 3130 proxy-only no-delay allow-miss name=sibling1 mike At 03:02 PM 5/9/2007, Marcel Alburg wrote: Hello, my Networks looks like Internet | [LB] -ha- [LB] | | +-+ | | | | [Squid + Apache] [Squid + Apache] All Hosts has running a webserver at 127.0.0.1:80 and a squid at the official IP Adresse on Port 80. The LoadBalancer ([LB]) forward the request to on of the server. The Squid checks his Cache and it the cache valid he send from cache otherwise he ask the local apache. We've a lot of hosts with this configuration and we've a problem, that any squid cache his own version from a webpage (n-Nodes could be n different Versions from a webpage - because the access and generationtime differs). My question is. It is possible to let ask the Squid the other nodes in the network if the requested page cached. And has any node a cached version - than deliver this cached version - otherwise ask the local apache. I tried a lot of different configs but nothing works to my contentment. 
a other problem is: If ask the squid the local page and gets an Error 404 or 500 he should ask the other Proxies for any valid cached version and deliver that version. The Webuser should not see the 500 Errors (if we had a lot of load at the server, the error 500 pages comes often). And i wanna stop the local apache at one node and the squid should notice that and ask the other nodes. One of my not working config was like this cache_peer 127.0.0.1parent 80 0 originserverno-query default allow-miss cache_peer 127.0.0.1sibling 80 3130 cache_peer 127.0.0.1sibling 80 3130 cache_peer 127.0.0.1sibling 80 3130 icp_hit_stale on It is possible to realized that ? Thanks Marcel -- Sds. Alexandre J. Correa Onda Internet / OPinguim.net http://www.ondainternet.com.br http://www.opinguim.net
[squid-users] difference with java applets behaviors
Hello to all,

when upgrading from squid 2.5 STABLE12 to squid 2.6STABLE9, I've noticed some troubles when trying to access some https web sites using java applets. We are using NTLM authentication for internet access, and it seems to be the reason of the problem (user is asked to log in on a pop-up window that keeps on appearing, even if it enters correct information).

The same websites work fine on my old proxy (squid 2.5 stable9), and this proxy uses also NTLM authentication.

Do you know what could have changed in squid that explains this different behavior ?

Any workaround is of course welcome (I know that I can make a rule to allow java type browser not use NTLM, but I first want to find the reason of this change ; moreover this first workaround will not be accepted by our security team).

Thanks in advance
Re: [squid-users] Squid as Acceleration Proxy in a Squid Cluster
My cache peer lines look like this

On first server:

cache_peer 127.0.0.1 parent 80 0 originserver no-query default
cache_peer server2 sibling 80 3130 proxy-only no-delay allow-miss name=server2

On second server:

cache_peer 127.0.0.1 parent 80 0 originserver no-query default
cache_peer server1 sibling 80 3130 proxy-only no-delay allow-miss name=server1

Marcel

Alexandre Correa wrote:

> add no-query to cache_peer line ! i think this 'solve' ...
>
> On 5/10/07, Marcel Alburg [EMAIL PROTECTED] wrote:
>> Ok, thanks - that works and i see that a sibling becomes some request for caches.
>>
>> But if i stop the local apache on a server and ask over the server the website - squid said
>>
>> 2007/05/10 08:10:30| Detected DEAD Parent: 127.0.0.1
>> 2007/05/10 08:10:30| TCP connection to 127.0.0.1/80 failed
>>
>> That's ok but the result is this:
>>
>> The following error was encountered:
>> * Unable to forward this request at this time.
>>
>> 2007/05/10 08:10:55| Failed to select source for 'http://www.xxx.tld'
>> 2007/05/10 08:10:55| always_direct = 0
>> 2007/05/10 08:10:55|never_direct = 0
>> 2007/05/10 08:10:55|timedout = 0
>>
>> Thanks
>> Marcel
>>
>> leongmzlist wrote:
>>> 1. your cache sibling configuration is wrong; you're not contacting any of the sibling.
>>> 2. use the proxy-only flag if you don't want squid to store cache hits from the siblings.
>>>
>>> try something like
>>>
>>> cache_peer sibling1 sibling 80 3130 proxy-only no-delay allow-miss name=sibling1
>>>
>>> mike
>>>
>>> At 03:02 PM 5/9/2007, Marcel Alburg wrote:
>>>> Hello,
>>>>
>>>> my Networks looks like
>>>>
>>>> Internet | [LB] -ha- [LB] | | +-+ | | | | [Squid + Apache] [Squid + Apache]
>>>>
>>>> All Hosts has running a webserver at 127.0.0.1:80 and a squid at the official IP Address on Port 80. The LoadBalancer ([LB]) forward the request to one of the server. The Squid checks his Cache and it the cache valid he send from cache otherwise he ask the local apache.
>>>>
>>>> We've a lot of hosts with this configuration and we've a problem, that any squid cache his own version from a webpage (n-Nodes could be n different Versions from a webpage - because the access and generationtime differs).
>>>>
>>>> My question is. It is possible to let ask the Squid the other nodes in the network if the requested page cached. And has any node a cached version - than deliver this cached version - otherwise ask the local apache.
>>>>
>>>> I tried a lot of different configs but nothing works to my contentment.
>>>>
>>>> a other problem is: If ask the squid the local page and gets an Error 404 or 500 he should ask the other Proxies for any valid cached version and deliver that version. The Webuser should not see the 500 Errors (if we had a lot of load at the server, the error 500 pages comes often).
>>>>
>>>> And i wanna stop the local apache at one node and the squid should notice that and ask the other nodes.
>>>>
>>>> One of my not working config was like this
>>>>
>>>> cache_peer 127.0.0.1 parent 80 0 originserver no-query default allow-miss
>>>> cache_peer 127.0.0.1 sibling 80 3130
>>>> cache_peer 127.0.0.1 sibling 80 3130
>>>> cache_peer 127.0.0.1 sibling 80 3130
>>>> icp_hit_stale on
>>>>
>>>> It is possible to realized that ?
>>>>
>>>> Thanks
>>>> Marcel
Re: [squid-users] difference with java applets behaviors
On Thu, May 10, 2007, Lionel D?ruaz wrote:

> Hello to all,
>
> when upgrading from squid 2.5 STABLE12 to squid 2.6STABLE9, I've noticed some troubles when trying to access some https web sites using java applets. We are using NTLM authentication for internet access, and it seems to be the reason of the problem (user is asked to log in on a pop-up window that keeps on appearing, even if it enters correct information).
>
> The same websites work fine on my old proxy (squid 2.5 stable9), and this proxy uses also NTLM authentication.
>
> Do you know what could have changed in squid that explains this different behavior ?
>
> Any workaround is of course welcome (I know that I can make a rule to allow java type browser not use NTLM, but I first want to find the reason of this change ; moreover this first workaround will not be accepted by our security team).

Could you please provide squid debugs and packet traces? I'd like to see what the difference is with NTLM authentication..

Adrian
[squid-users] Squid Authentication + ldap/samba
Hi there

I'm trying to set up squid with authentication, but i would need it asking the user the credentials. Already set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user with some filter.

where some info :

Squid.conf
---
*external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
acl InetAccess external InetGroup 513
http_access allow InetAccess
---

*Ldap info -

ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

result :

# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...
sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...
# numResponses: 2
# numEntries: 1
--

From the prompt on Unix :

/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3
duarte 513
OK

so my question is.. whit the browser not authenticating with squid ?

Thanks in advance.
Re: [squid-users] Squid as Acceleration Proxy in a Squid Cluster
My cache peer lines look like this On first server: cache_peer 127.0.0.1parent 80 0 originserverno-query default cache_peer server2sibling 80 3130 proxy-only no-delay allow-miss name=server2 On second server: cache_peer 127.0.0.1parent 80 0 originserverno-query default cache_peer server1sibling 80 3130 proxy-only no-delay allow-miss name=server1 Marcel Alexandre Correa wrote: add no-query to cache_peer line ! i think this 'solve' ... On 5/10/07, Marcel Alburg [EMAIL PROTECTED] wrote: Ok, thanks - that works and i see that a sibling becomes some request for caches. But if i stop the local apache on a server and ask over the server the website - squid sad 2007/05/10 08:10:30| Detected DEAD Parent: 127.0.0.1 2007/05/10 08:10:30| TCP connection to 127.0.0.1/80 failed Thats ok but the result is this: The following error was encountered: * Unable to forward this request at this time. 2007/05/10 08:10:55| Failed to select source for 'http://www.domain.tld' 2007/05/10 08:10:55| always_direct = 0 2007/05/10 08:10:55|never_direct = 0 2007/05/10 08:10:55|timedout = 0 Thanks Marcel leongmzlist wrote: 1. your cache sibling configuration is wrong; you're not contacting any of the sibling. 2. use the proxy-only flag if you don't want squid to store cache hits from the siblings. try something like cache_peer sibling1 sibling 80 3130 proxy-only no-delay allow-miss name=sibling1 mike At 03:02 PM 5/9/2007, Marcel Alburg wrote: Hello, my Networks looks like Internet | [LB] -ha- [LB] | | +-+ | | | | [Squid + Apache] [Squid + Apache] All Hosts has running a webserver at 127.0.0.1:80 and a squid at the official IP Adresse on Port 80. The LoadBalancer ([LB]) forward the request to on of the server. The Squid checks his Cache and it the cache valid he send from cache otherwise he ask the local apache. 
We've a lot of hosts with this configuration and we've a problem, that any squid cache his own version from a webpage (n-Nodes could be n different Versions from a webpage - because the access and generationtime differs). My question is. It is possible to let ask the Squid the other nodes in the network if the requested page cached. And has any node a cached version - than deliver this cached version - otherwise ask the local apache. I tried a lot of different configs but nothing works to my contentment. a other problem is: If ask the squid the local page and gets an Error 404 or 500 he should ask the other Proxies for any valid cached version and deliver that version. The Webuser should not see the 500 Errors (if we had a lot of load at the server, the error 500 pages comes often). And i wanna stop the local apache at one node and the squid should notice that and ask the other nodes. One of my not working config was like this cache_peer 127.0.0.1parent 80 0 originserverno-query default allow-miss cache_peer 127.0.0.1sibling 80 3130 cache_peer 127.0.0.1sibling 80 3130 cache_peer 127.0.0.1sibling 80 3130 icp_hit_stale on It is possible to realized that ? Thanks Marcel
Re: [squid-users] Intercepting cache, CISCO + SQUID = WCCP
On Thu, May 10, 2007, Alexandre Correa wrote:

> Hello again :)
>
> I'm planning to move my new squid box to act with cisco using wccp v2 !!
>
> today my network topology:
>
> (internet) - cisco -- switch -- (eth0) gateway+squid (eth1) -- clients
>
> squid is running on gateway..
>
> the new topology is:
>
> (internet) - cisco - switch - (eth0) gateway (eth1) - clients _|(eth0) squid box
>
> Questions:
>
> 1- with wccp, squid are transparent like TPROXY ?

only if you set it up to use TPROXY and WCCP in the right configuration.

> 2- which is best, turn my gateway into a bridge and squid box receiving the link (eth0) and on eth1 linked to gateway (eth0) OR put squid like the 'new topology' ?

Stick the Squid out on the side of the router via another interface. You can stick it on the internal interface if you'd like (with the rest of your internal LAN) but just make sure you don't fill the interface to the Cisco.

Adrian
Re: [squid-users] Squid Authentication + ldap/samba
Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

> Hi there
>
> I'm trying to set up squid with authentication, but i would need it asking the user the credentials. Already set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user with some filter.
>
> where some info :
>
> Squid.conf
> ---
> *external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
> acl InetAccess external InetGroup 513
> http_access allow InetAccess
> ---
>
> *Ldap info -
>
> ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)
>
> result :
>
> # duarte, Users, pnp.com
> dn: uid=duarte,ou=Users,dc=pnp,dc=com
> objectClass: top
> objectClass: person
> ...
> sn: duarte
> givenName: duarte
> uid: duarte
> uidNumber: 1002
> gidNumber: 513
> ...
> # numResponses: 2
> # numEntries: 1
> --
>
> From the prompt on Unix :
>
> /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3
> duarte 513
> OK
>
> so my question is.. whit the browser not authenticating with squid ?
>
> Thanks in advance.

--
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: [squid-users] Squid Authentication + ldap/samba
Hi, i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?) what does the [skipped], does ? thanks Sergey A. Kobzar wrote: Hello Duarte, If you want authenticate users from LDAP only, this configuration is enough: auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com auth_param basic children 5 auth_param basic realm Squid proxy-caching web server [skipped] acl ldap_users proxy_auth REQUIRED [skipped] http_access allow ldap_users Thursday, May 10, 2007, 1:17:34 PM, you wrote: Hi there I´m trying to set up squid whit authentication, but i would need it asking the user the credencials. Allrdy set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user whit some filter. where some info : Squid.conf --- *external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3 acl InetAccess external InetGroup 513 http_access allow InetAccess --- *Ldap info - ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte) result : # duarte, Users, pnp.com dn: uid=duarte,ou=Users,dc=pnp,dc=com objectClass: top objectClass: person ... sn: duarte givenName: duarte uid: duarte uidNumber: 1002 gidNumber: 513 ... # numResponses: 2 # numEntries: 1 -- From the prompt on Unix : /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3 duarte 513 OK so my question is.. whit the browser not authenticating whit squid ? Thanks in advance.
Re[2]: [squid-users] Squid Authentication + ldap/samba
Hello Duarte, Thursday, May 10, 2007, 2:09:05 PM, you wrote: Hi, i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?) I gave you working configuration. Just forgot about -v 3 option. :) what does the [skipped], does ? Line from standard Squid's config. Show tail -f /path/to/squid.conf tail -f /path/to/slapd.conf ? thanks Sergey A. Kobzar wrote: Hello Duarte, If you want authenticate users from LDAP only, this configuration is enough: auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com auth_param basic children 5 auth_param basic realm Squid proxy-caching web server [skipped] acl ldap_users proxy_auth REQUIRED [skipped] http_access allow ldap_users Thursday, May 10, 2007, 1:17:34 PM, you wrote: Hi there I´m trying to set up squid whit authentication, but i would need it asking the user the credencials. Allrdy set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user whit some filter. where some info : Squid.conf --- *external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3 acl InetAccess external InetGroup 513 http_access allow InetAccess --- *Ldap info - ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte) result : # duarte, Users, pnp.com dn: uid=duarte,ou=Users,dc=pnp,dc=com objectClass: top objectClass: person ... sn: duarte givenName: duarte uid: duarte uidNumber: 1002 gidNumber: 513 ... # numResponses: 2 # numEntries: 1 -- From the prompt on Unix : /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3 duarte 513 OK so my question is.. whit the browser not authenticating whit squid ? Thanks in advance. -- Best regards, Sergeymailto:[EMAIL PROTECTED]
Re: [squid-users] Squid Authentication + ldap/samba
Ok, i think i´m not explaining so good. I have allready squid authentication, what i need is that the browser does not show the prompt just get the credencials whitout prompting the user, for example me user is part of a domain só thé get the user from the computer and the user would not have the need to type it, is there any way ? Sergey A. Kobzar wrote: Hello Duarte, Thursday, May 10, 2007, 2:09:05 PM, you wrote: Hi, i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?) I gave you working configuration. Just forgot about -v 3 option. :) what does the [skipped], does ? Line from standard Squid's config. Show tail -f /path/to/squid.conf tail -f /path/to/slapd.conf ? thanks Sergey A. Kobzar wrote: Hello Duarte, If you want authenticate users from LDAP only, this configuration is enough: auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com auth_param basic children 5 auth_param basic realm Squid proxy-caching web server [skipped] acl ldap_users proxy_auth REQUIRED [skipped] http_access allow ldap_users Thursday, May 10, 2007, 1:17:34 PM, you wrote: Hi there I´m trying to set up squid whit authentication, but i would need it asking the user the credencials. Allrdy set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user whit some filter. where some info : Squid.conf --- *external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3 acl InetAccess external InetGroup 513 http_access allow InetAccess --- *Ldap info - ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte) result : # duarte, Users, pnp.com dn: uid=duarte,ou=Users,dc=pnp,dc=com objectClass: top objectClass: person ... sn: duarte givenName: duarte uid: duarte uidNumber: 1002 gidNumber: 513 ... 
# numResponses: 2 # numEntries: 1 -- From the prompt on Unix : /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3 duarte 513 OK so my question is.. whit the browser not authenticating whit squid ? Thanks in advance.
Re[2]: [squid-users] Squid Authentication + ldap/samba
Hello Duarte, Many browsers have option to save username and passwd ;) Thursday, May 10, 2007, 2:30:40 PM, you wrote: Ok, i think i´m not explaining so good. I have allready squid authentication, what i need is that the browser does not show the prompt just get the credencials whitout prompting the user, for example me user is part of a domain só thé get the user from the computer and the user would not have the need to type it, is there any way ? Sergey A. Kobzar wrote: Hello Duarte, Thursday, May 10, 2007, 2:09:05 PM, you wrote: Hi, i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?) I gave you working configuration. Just forgot about -v 3 option. :) what does the [skipped], does ? Line from standard Squid's config. Show tail -f /path/to/squid.conf tail -f /path/to/slapd.conf ? thanks Sergey A. Kobzar wrote: Hello Duarte, If you want authenticate users from LDAP only, this configuration is enough: auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com auth_param basic children 5 auth_param basic realm Squid proxy-caching web server [skipped] acl ldap_users proxy_auth REQUIRED [skipped] http_access allow ldap_users Thursday, May 10, 2007, 1:17:34 PM, you wrote: Hi there I´m trying to set up squid whit authentication, but i would need it asking the user the credencials. Allrdy set up an squid_ldap_auth but a login prompt comes, every time. trying now with squid_ldap_group, but still nothing, from the Unix prompt i can authenticate a user whit some filter. 
where some info : Squid.conf --- *external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3 acl InetAccess external InetGroup 513 http_access allow InetAccess --- *Ldap info - ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte) result : # duarte, Users, pnp.com dn: uid=duarte,ou=Users,dc=pnp,dc=com objectClass: top objectClass: person ... sn: duarte givenName: duarte uid: duarte uidNumber: 1002 gidNumber: 513 ... # numResponses: 2 # numEntries: 1 -- From the prompt on Unix : /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f ((uid=%u)(gidNumber=%g)) -v 3 duarte 513 OK so my question is.. whit the browser not authenticating whit squid ? Thanks in advance. -- Best regards, Sergeymailto:[EMAIL PROTECTED]
Re: [squid-users] Squid Authentication + ldap/samba
Hi, Sergey

I know that, but for example in IE or Firefox the prompt still opens, although the password is saved. My question is if there is some way that the prompt (although the password is saved) is not shown. Anyway, thanks for the tips.

Sergey A. Kobzar wrote:

Hello Duarte,

Many browsers have an option to save username and passwd ;)

Thursday, May 10, 2007, 2:30:40 PM, you wrote:

Ok, I think I'm not explaining so well. I already have squid authentication; what I need is that the browser does not show the prompt and just gets the credentials without prompting the user. For example, my user is part of a domain, so they get the user from the computer and the user would not have the need to type it. Is there any way?

Sergey A. Kobzar wrote:

Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

Hi, what I really want is to authenticate on ldap, but the browser not to show a pop-up, is it possible? samba (maybe ntlm?)

I gave you working configuration. Just forgot about -v 3 option. :)

What does the [skipped] do?

Line from standard Squid's config. Show tail -f /path/to/squid.conf tail -f /path/to/slapd.conf ?

thanks

Sergey A. Kobzar wrote:

Hello Duarte,

If you want authenticate users from LDAP only, this configuration is enough:

    auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    [skipped]
    acl ldap_users proxy_auth REQUIRED
    [skipped]
    http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

Hi there, I'm trying to set up squid with authentication, but I would need it asking the user the credentials. Already set up a squid_ldap_auth but a login prompt comes, every time. Trying now with squid_ldap_group, but still nothing; from the Unix prompt I can authenticate a user with some filter.

Here is some info:

Squid.conf

    external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f (&(uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
    acl InetAccess external InetGroup 513
    http_access allow InetAccess

Ldap info

    ldapsearch -vLx -b dc=pnp,dc=com "(uid=duarte)"

result:

    # duarte, Users, pnp.com
    dn: uid=duarte,ou=Users,dc=pnp,dc=com
    objectClass: top
    objectClass: person
    ...
    sn: duarte
    givenName: duarte
    uid: duarte
    uidNumber: 1002
    gidNumber: 513
    ...
    # numResponses: 2
    # numEntries: 1

From the prompt on Unix:

    /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f "(&(uid=%u)(gidNumber=%g))" -v 3
    duarte 513
    OK

So my question is: why is the browser not authenticating with squid? Thanks in advance.
[squid-users] java-script-problem ???
Hello! We're having problems with the url of a financial magazine: http://www.cash-online.de/ Without proxy the sites shows rapidly...with proxy squid 2.6.5-4 the site does NOT load. Is this an squid-issue, or where may be the problem ? GreetinX Ove Starckjohann
Re: [squid-users] WCCP / no return traffic on gre interface
Wed 2007-05-09 at 15:27 -0400, Chad Harrelson wrote:

Wow. Thanks Henrik! This is the command that got it going:

    echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

I thought for sure that I had run across documentation that told me to enable rp_filter. Oh, it's working now. Now on the WCCPv2 When I try enabling version 2 I get the following error while sniffing my external interface:

    15:17:12.108896 IP 150.125.125.185 > 150.125.127.142: ICMP 150.125.125.185 protocol 47 port 34878 unreachable, length 84

Sounds like the local/remote endpoint of your GRE tunnel does not match how the router encapsulates the intercepted traffic.

(150.125.127.142 is the automatic router ID that is displayed under: sh ip wccp)

And is what you should use as router IP for WCCP (and GRE).

Regards
Henrik
Re: [squid-users] java-script-problem ???
On 5/10/07, Starckjohann, Ove [EMAIL PROTECTED] wrote:

Hello! We're having problems with the url of a financial magazine: http://www.cash-online.de/ Without proxy the sites shows rapidly...with proxy squid 2.6.5-4 the site does NOT load. Is this an squid-issue, or where may be the problem ?

Possibly the tcp window scaling issue. Take a look at this post by Henrik: http://marc.info/?l=squid-users&m=117339989811225&w=2

Chris
Re: [squid-users] Squid Authentication + ldap/samba
On 05/10/2007 08:44 AM, Duarte Lázaro wrote:

Hi, Sergey I know that, but for example in IE or Firefox the prompt still opens, although the password is saved. My question is if there is some way that the prompt (although the password is saved) is not shown.

Yes, there is. A single sign-on solution, like Kerberos, *but*, not sure about how squid will integrate that, AFAIK thru ntlm auth. Searching for Single Sign-On (also known as SSO) you will find some good information and posts on the mail list about the subject. Good luck and don't forget to add more information on this thread if you find something interesting. :-)

Kind regards,
-- 
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
AW: [squid-users] java-script-problem ???
direct hit :-)

    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

solved the issue :-) Thank you !!!

Greets
Ove Starckjohann

-----Original Message-----
From: Chris Nighswonger [mailto:[EMAIL PROTECTED]
Sent: Thursday, 10 May 2007 15:06
To: Starckjohann, Ove
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] java-script-problem ???

On 5/10/07, Starckjohann, Ove [EMAIL PROTECTED] wrote:

Hello! We're having problems with the url of a financial magazine: http://www.cash-online.de/ Without proxy the sites shows rapidly...with proxy squid 2.6.5-4 the site does NOT load. Is this an squid-issue, or where may be the problem ?

Possibly the tcp window scaling issue. Take a look at this post by Henrik: http://marc.info/?l=squid-users&m=117339989811225&w=2

Chris
Re: [squid-users] java-script-problem ???
On 5/10/07, Starckjohann, Ove [EMAIL PROTECTED] wrote:

direct hit :-)

    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

You might want to add that to your system config (not sure where off the top of my head) so that it will survive a reboot.

Chris
Re: [squid-users] new website: final beta
On Thu, May 10, 2007 at 11:46:42AM +1200, [EMAIL PROTECTED] wrote:

I don't have the web skills that you do, but I found the easiest way to make php's cache-able was to lynx dump the php to a .html, and have apache serve index.html in preference to index.phtml. Naturally, all links to pages must be to the .html and not the .php:

Whereas I have a completely alternate experience with cachability. PHP has the ability to easily prepend headers that specify cachability and duration. Alternatively apache can do that itself with VirtualHost or .htaccess configs.

Oh OK, I never even thought of using mod_expires entries in per directory .htaccess files. Good point. I did play about with PHP headers, but found it awkward when using common header templates and wanting only some pages to be dynamic. Thanks for the tip.
Re: [squid-users] WCCP / no return traffic on gre interface
Hi Henrik, thanks for your continued help. I changed the GRE tunnel end point and the wccp2_router statement to match the router id of 150.125.127.142 but now squid and the router don't negotiate. As you can see here below, there is a mismatch in the I_See_You packet IDs.

    May 10 13:12:39.011 GMT: WCCP-EVNT:S00: Here_I_Am packet from 150.125.125.185 w/bad rcv_id
    May 10 13:12:39.011 GMT: WCCP-PKT:S00: Sending I_See_You packet to 150.125.125.185 w/ rcv_id 0002
    ULAN-ISSR#sh ip wccp web
    ULAN-ISSR#sh ip wccp web-cache d
    WCCP Cache-Engine information:
        Web Cache ID: 150.125.125.185
        Protocol Version: 2.0
        State: NOT Usable
        Redirection: L2
        Packet Return: L2
        Packets Redirected:0
        Connect Time: 00:00:16
        Assignment:MASK
    ULAN-ISSR#

Here's my squid.conf:

    wccp2_router 150.125.127.142
    wccp2_version 4
    wccp2_rebuild_wait on
    wccp2_forwarding_method 2
    wccp2_return_method 2
    wccp2_service standard 0

I have also tried forwarding/return_method of 1 with the same results. Any thoughts?

Thanks again,
-- Chad

On 5/10/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:

Wed 2007-05-09 at 15:27 -0400, Chad Harrelson wrote:

Wow. Thanks Henrik! This is the command that got it going:

    echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

I thought for sure that I had run across documentation that told me to enable rp_filter. Oh, it's working now. Now on the WCCPv2 When I try enabling version 2 I get the following error while sniffing my external interface:

    15:17:12.108896 IP 150.125.125.185 > 150.125.127.142: ICMP 150.125.125.185 protocol 47 port 34878 unreachable, length 84

Sounds like the local/remote endpoint of your GRE tunnel does not match how the router encapsulates the intercepted traffic.

(150.125.127.142 is the automatic router ID that is displayed under: sh ip wccp)

And is what you should use as router IP for WCCP (and GRE).

Regards
Henrik
Re: [squid-users] java-script-problem ???
* Chris Nighswonger [EMAIL PROTECTED]:

    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

You might want to add that to your system config (not sure where off the top of my head) so that it will survive a reboot.

/etc/sysctl.conf

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                       send no mail to [EMAIL PROTECTED]
Re: [squid-users] WCCP / no return traffic on gre interface
Thu 2007-05-10 at 09:19 -0400, Chad Harrelson wrote:

Hi Henrik, thanks for your continued help. I changed the GRE tunnel end point and the wccp2_router statement to match the router id of 150.125.127.142 but now squid and the router don't negotiate. As you can see here below, there is a mismatch in the I_See_You packet IDs.

Hmm.. try using the closest interface address as wccp2_router but the router ID address as GRE endpoint..

Regards
Henrik
Re: [squid-users] tcp_outgoing_address error?
Thu 2007-05-10 at 01:07 +0100, Shadi Almosri wrote:

it seems to be using the main IP each time a request is made regardless of the rules that i have set for where the incoming request is from

Any errors in cache.log? Have you disabled serverside persistent connections?

    server_persistent_connections off

Regards
Henrik
Re: [squid-users] difference with java applets behaviors
Thu 2007-05-10 at 11:12 +0200, Lionel Déruaz wrote:

The same websites work fine on my old proxy (squid 2.5 stable9), and this proxy uses also NTLM authentication. Do you know what could have changed in squid that explain this different behavior ?

Same Samba version? The bulk of the NTLM authentication is done by Samba, Squid just acts as a relay between the client and Samba..

The only difference I can think of in Squid is that there is slight change in persistent connection management. You can try

    auth_param ntlm keep_alive off

to see if that makes any difference.

Regards
Henrik
Re: [squid-users] Squid Authentication + ldap/samba
Thu 2007-05-10 at 12:09 +0100, Duarte Lázaro wrote:

i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?)

This depends entirely on browser support and which scheme you are using.

Few if any browsers support fully saved proxy passwords when using the Basic or Digest authentication schemes. Most ask the user once before sending the password to the proxy.

Most browsers supporting NTLM authentication do this automatically on Windows stations logged on to a domain, but using NTLM requires an NTLM capable authentication backend such as Samba connected to the Windows domain; LDAP can not be used. But you can use LDAP to check group membership using squid_ldap_group even if using NTLM via Samba for authentication.

Regards
Henrik
Re: [squid-users] squid log with date ext
On 5/10/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, Is it possible to generate squid log file with date extension (like /var/log/squid/access.log-`date +%Y%m%d` format) in real time (i mean it is not generated by logrotate) ? Currently it's not possible. You can rename old files after rotating them with squid -k rotate; it's a relatively simple exercise in shell scripting. -- /kinkie
[squid-users] ACL Question
I am trying to modify my ACL to prevent a specific IP address within a range already defined in http_access and acl. Where within this do I state *not* (!) 192.168.1.200? Thank you. acl NET_ONE src 192.168.0.0/16 or http_access allow NET_ONE
Re: [squid-users] ACL Question
On 5/10/07, Vadim Pushkin [EMAIL PROTECTED] wrote:

I am trying to modify my ACL to prevent a specific IP address within a range already defined in http_access and acl. Where within this do I state *not* (!) 192.168.1.200? Thank you.

    acl NET_ONE src 192.168.0.0/16
    or
    http_access allow NET_ONE

    acl srcdeny src 192.168.1.200
    acl NET_ONE src 192.168.0.0/16
    # and then
    # the specific deny rule must be ABOVE the allow rule
    http_access deny srcdeny
    http_access allow NET_ONE

-- 
/kinkie
Re: [squid-users] ACL Question
On 5/10/07, Vadim Pushkin [EMAIL PROTECTED] wrote: I am trying to modify my ACL to prevent a specific IP address within a range already defined in http_access and acl. Where within this do I state *not* (!) 192.168.1.200? acl NET_ONE src 192.168.0.0/16 or http_access allow NET_ONE I think you will have to define a new acl such as: acl deniedips src 192.168.1.200 and then make the following entry immediately *before* 'http_access allow NET_ONE' : http_access deny deniedips Rules are processed in order of appearance in the list, first to last. Chris
Re: [squid-users] ACL Question
Thank you very much!

.vp

On 5/10/07, Vadim Pushkin [EMAIL PROTECTED] wrote:

I am trying to modify my ACL to prevent a specific IP address within a range already defined in http_access and acl. Where within this do I state *not* (!) 192.168.1.200? Thank you.

    acl NET_ONE src 192.168.0.0/16
    or
    http_access allow NET_ONE

    acl srcdeny src 192.168.1.200
    acl NET_ONE src 192.168.0.0/16
    # and then
    # the specific deny rule must be ABOVE the allow rule
    http_access deny srcdeny
    http_access allow NET_ONE

-- 
/kinkie
Re: [squid-users] WCCP / no return traffic on gre interface
I just tried using 150.125.125.186 (closest IP) as the wccp2_router address and the router ID as the GRE endpoint as you recommended but the router would not negotiate with squid. The cache server would not show up at all when doing a: sh ip wccp. So then I switched them. Router ID as the wccp2_address and closest IP as the GRE endpoint. Now I have the same problem as before where I get the mis-match on the I_See_You packets. Can you think of anything else? Like I said, this work with protocol 1. Also, the only other strange config I have is that my GRE interface is a real routable IP (150.125.125.187/29). Most of the documents I see say to use the same IP as eth0 but with a 32 bit mask. When I do this I get the protocol 47 ICMP unreachable error in tcpdump. thoughts? Thanks, -- Chad On 5/10/07, Henrik Nordstrom [EMAIL PROTECTED] wrote: tor 2007-05-10 klockan 09:19 -0400 skrev Chad Harrelson: Hi Henrik, thanks for your continued help. I changed the GRE tunnel end point and the wccp2_router statement to match the router id of 150.125.127.142 but now squid and the router don't negotiate. As you can see here below, there is a mismatch in the I_See_You packet IDs. Hmm.. try using the closest interface address as wccp2_router but the router ID address as GRE endpoint.. Regards Henrik
RE: [squid-users] Intercepting cache, CISCO + SQUID = WCCP
I just finished the set up CISCO + SQUID = WCCP and it's working great. I didn't use tproxy, I am using ufdb for content filtering. I'm running:

centos 4
squid 2.6.STABLE12 (created the rpms)
ip_gre module

If you need any help I could send you the files.

Cisco 3845 using wccpv2 with access list

---
Fernando Rodriguez

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alexandre Correa
Sent: Wednesday, 09 May 2007 11:17 p.m.
To: squid-users@squid-cache.org
Subject: [squid-users] Intercepting cache, CISCO + SQUID = WCCP

Hello again :) I'm planning to move my new squid box to act with cisco using wccp v2 !!

today my network topology: (internet) - cisco -- switch -- (eth0) gateway+squid (eth1) -- clients

squid is running on gateway..

the new topology is: (internet) - cisco - switch - (eth0) gateway (eth1) - clients _|(eth0) squid box

Questions:

1- with wccp, squid are transparent like TPROXY ?

2- which is best, turn my gateway into a bridge and squid box receiving the link (eth0) and on eth1 linked to gateway (eth0) OR put squid like the 'new topology' ?

Thanks !! Best Regards !!

-- 
Sds. Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br http://www.opinguim.net
[squid-users] how to drop a squid active request?
Hello everyone. I need a way of dropping some active request of some users every now and then. I googled and looked at the list archive, but got nothing in return (or maybe I didn't understand something). I use squid 2.5-14 on FreeBSD 6. Is there any way of doing this? Regards Isnard
Re: [squid-users] how to drop a squid active request?
Hello Isnard,

    # man (8) tcpdrop

    DESCRIPTION
    The tcpdrop command drops the TCP connection specified by the local address laddr, port lport and the foreign address faddr, port fport. Addresses and ports can be specified by name or numeric value.

I hope this will help ;)

Thursday, May 10, 2007, 10:09:26 PM, you wrote:

Hello everyone. I need a way of dropping some active request of some users every now and then. I googled and looked at the list archive, but got nothing in return (or maybe I didn't understand something). I use squid 2.5-14 on FreeBSD 6. Is there any way of doing this?

Regards
Isnard

-- 
Best regards, Sergey mailto:[EMAIL PROTECTED]
Re: [squid-users] difference with java applets behaviors
tor 2007-05-10 klockan 11:12 +0200 skrev Lionel Déruaz: The same websites work fine on my old proxy (squid 2.5 stable9), and this proxy uses also NTLM authentication. Do you know what could have changed in squid that explain this different behavior ? Same Samba version? The bulk of the NTLM authentication is done by Samba, Squid just acts as a relay between the client and Samba.. Yes, the only difference between these servers is the squid package. The only difference I can think of in Squid is that there is slight change in persistent connection management. You can try auth_param ntlm keep_alive off to see if that makes any difference. Regards Henrik Ok, i test it tomorrow and let you know. Thanks anyway
Re: [squid-users] Content compression
Fernando Rodriguez wrote: Hello, Is there any way to compress on the fly the requested data for the client in order to save bandwith, or is there any compression method that can be used with squid?? Thanks --- Fernando Rodriguez http://devel.squid-cache.org/projects.html#gzip http://devel.squid-cache.org/gzip/ The best way to get features out of development is either coding them yourself, or sponsorship. The To Do list on this one is pretty short... Chris
Re: [squid-users] WCCP / no return traffic on gre interface
Thu 2007-05-10 at 13:10 -0400, Chad Harrelson wrote:

Can you think of anything else?

Check your firewall rules on the Squid server. The message suggests that the I_SEE_YOU messages aren't reaching your Squid.

Like I said, this work with protocol 1. Also, the only other strange config I have is that my GRE interface is a real routable IP (150.125.125.187/29). Most of the documents I see say to use the same IP as eth0 but with a 32 bit mask. When I do this I get the protocol 47 ICMP unreachable error in tcpdump.

Below is assuming you are using Linux. Think you said you are, but not sure...

GRE has two sets of addresses.

a) The tunnel endpoint addresses (local & remote). These MUST match the traffic sent by the router. Also known as link addresses. Use tcpdump on the ethernet interface if you are unsure how the router encapsulates the traffic.

b) Local interface address. Doesn't really matter what it's set to, but should be set to an IP address usable on your network.

And the interface must be UP.

It's hard to see all of these using the obsolete ifconfig command, but if you use the modern ip command then everything is shown nicely.

    ip addr show wccp0
    5: [EMAIL PROTECTED]: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
        link/gre 1.2.3.4 peer 5.6.7.8
        inet 10.20.30.40/32 scope global wccp0

The device @eth0 must be the physical device where the GRE packets are being received.

The link/gre line must match the addresses used by the router on the intercepted traffic. 1.2.3.4 is the router IP (source), 5.6.7.8 is the server IP (destination).

The inet line should list an IP which is usable on your network and identifying the server. But it's not very important here as no traffic is going out via this GRE tunnel. For simplicity I recommend using the same IP as the ethernet interface matching the local GRE endpoint.

As no traffic should be routed out this WCCP GRE interface I recommend using a /32 address. The only practical difference is that if you use a full network then you automatically get a route for that network via the GRE interface..

Regards
Henrik
Re: [squid-users] Squid as Acceleration Proxy in a Squid Cluster
Thu 2007-05-10 at 10:11 +0200, Marcel Alburg wrote:

But if i stop the local apache on a server and ask over the server the website - squid said

    2007/05/10 08:10:30| Detected DEAD Parent: 127.0.0.1
    2007/05/10 08:10:30| TCP connection to 127.0.0.1/80 failed

Thats ok but the result is this:

    The following error was encountered:
    * Unable to forward this request at this time.

    2007/05/10 08:10:55| Failed to select source for 'http://www.xxx.tld'
    2007/05/10 08:10:55| always_direct = 0
    2007/05/10 08:10:55| never_direct = 0
    2007/05/10 08:10:55| timedout = 0

For this to work well you need a fallback non-ICP parent relation to the other.. siblings are only queried for the content they have already cached. You should also have a cache_peer_access rule preventing circular forwarding in case both are having problems..

Something like the following should work:

    cache_peer the_apache parent ... no-query originserver default
    cache_peer the_other_server parent ... no-query
    cache_peer the_other_server sibling ... name=other_server_sibling
    # (note: no no-query on the sibling relation, only the parent relations)
    acl from_other_server src the_other_server
    cache_peer_access the_other_server deny from_other_server
    cache_peer_access other_server_sibling deny from_other_server

The dual sibling parent relation to the other server is needed so that ICP only acts in sibling mode, but that it's still used as a parent if the preferred web server is down.

Regards
Henrik
Re: [squid-users] Content compression
Thu 2007-05-10 at 13:48 -0800, Chris Robertson wrote:

http://devel.squid-cache.org/gzip/ The best way to get features out of development is either coding them yourself, or sponsorship. The To Do list on this one is pretty short...

Well.. the To Do hasn't really been updated.. but yes.

Regards
Henrik
Re: [squid-users] Intercepting cache, CISCO + SQUID = WCCP
On Thu, May 10, 2007, Fernando Rodriguez wrote:

I just finished the set up CISCO + SQUID = WCCP and its working great I didn't use tproxy, I am using ufdb for content filtering. Im running centos 4 squid 2.6.STABLE12 (created the rpms) ip_gre module If you need any help I could send you the files Cisco 3845 Using wccpv2 whith access list

Please do! There's no such thing as too little documentation examples. Check out http://wiki.squid-cache.org/ConfigExamples/ and let me know if you'd like to add an article there documenting your setup.

Adrian
Re: [squid-users] squid log with date ext
On Thu, May 10, 2007, Kinkie wrote: On 5/10/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, Is it possible to generate squid log file with date extension (like /var/log/squid/access.log-`date +%Y%m%d` format) in real time (i mean it is not generated by logrotate) ? Currently it's not possible. You can rename old files after rotating them with squid -k rotate; it's a relatively simple exercise in shell scripting. And if someone writes it up I'd be happy to include it in the base distribution. The trick: use head -1 and tail -1 on the rotated logfile to figure out its time span, then rename the logfile to that.. Adrian
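The head/tail renaming trick described in this thread, written out as an added example (not code from the thread or from the Squid distribution). It assumes the native access.log format, whose first field is a UNIX timestamp, and the access.log.N names left by squid -k rotate; the function names epoch_of, ymd, span_name and rename_rotated are hypothetical.

```shell
#!/bin/sh
# Added example: rename logs left behind by "squid -k rotate"
# (access.log.0, access.log.1, ...) after the time span they cover,
# read from their first and last lines.
# Assumption: native log format, where field 1 is "epochseconds.millis".

# Whole epoch seconds from the first log line on stdin.
epoch_of() {
    awk '{ split($1, t, "."); print t[1]; exit }'
}

# Epoch seconds -> YYYYMMDD in the local zone (GNU/busybox date, then BSD).
ymd() {
    date -d "@$1" +%Y%m%d 2>/dev/null || date -r "$1" +%Y%m%d
}

# Print the date-span path for one rotated log without touching the file.
# Fails for empty files and for lines that do not start with a timestamp
# (for example a log written with a custom logformat).
span_name() {
    log=$1
    [ -s "$log" ] || return 1
    first=$(head -n 1 "$log" | epoch_of)
    last=$(tail -n 1 "$log" | epoch_of)
    for ts in "$first" "$last"; do
        case $ts in ''|*[!0-9]*) return 1 ;; esac
    done
    from=$(ymd "$first") || return 1
    to=$(ymd "$last") || return 1
    dir=$(dirname -- "$log")
    name=$(basename -- "$log")
    name=${name%.[0-9]*}          # drop the ".N" rotation suffix
    if [ "$from" = "$to" ]; then
        printf '%s/%s-%s\n' "$dir" "$name" "$from"
    else
        printf '%s/%s-%s-%s\n' "$dir" "$name" "$from" "$to"
    fi
}

# Rename one rotated log; never overwrite an existing file.
rename_rotated() {
    src=$1
    dst=$(span_name "$src") || {
        echo "skip $src: empty or not in native log format" >&2
        return 1
    }
    if [ -e "$dst" ]; then
        echo "skip $src: $dst already exists" >&2
        return 1
    fi
    mv -- "$src" "$dst" && printf '%s\n' "$dst"
}

# Usage: run after "squid -k rotate", e.g.
#   sh rename-squid-logs.sh /var/log/squid/access.log.[0-9]*
for f in "$@"; do
    rename_rotated "$f" || true
done
```

A log that spans several days gets both dates in its name, which keeps two rotations made on the same day from colliding as long as their spans differ.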
[squid-users] pac and dat woes
I am having problem with Firefox 1.5, FF2.XX and IE 6 and 7 and proxy autoconfiguration. After a few days of searching and trying, i am unable to use autoconfiguration for my proxy.

1. I have the following dhcpd.conf file:

    max-lease-time 28800;
    default-lease-time 14400;
    option subnet-mask 255.255.255.0;
    ddns-update-style interim;
    option WPAD code 252 = text;
    #
    # rimith.local
    subnet 192.168.1.0 netmask 255.255.225.0 {
        option WPAD "http://192.168.1.17/proxy.pac";
        option routers 192.168.1.20;
        dynamic-bootp-lease-length 10;
        ignore client-updates;
        option domain-name-servers 192.168.1.17, 200.75.200.2;
        max-lease-time 14400;
        ddns-updates off;
        default-lease-time 4000;
        range 192.168.1.126 192.168.1.239;
    }

2. the MIME type has been set on the webserver.

3. also, i have my internal dns set to point wpad.rimith.local to the server 192.168.1.17, and also i have a link for wpad.dat pointing to proxy.pac on the root of the webserver.

None of my clients are able to set the proxy automatically. But if I set the address for the pac file manually, everything works o.k. can someone shed some light on my problem? thanks!

RP
-- 
Raúl Pittí Palma, Eng.
Global Engineering and Technology S.A.
mobile (507)-6616-0194 office (507)-390-4338
Republic of Panama
www.globaltecsa.com
[squid-users] Delay pools throttle inbound, not outbound
Okay, this is strange. I have a squid 2.6.STABLE12 instance running on 32-bit Linux in web accelerator setup.

Squid conf:

    # delay pools
    delay_pools 1
    delay_class 1 3
    # allow a maximum of 200 mebibits (25 mebibytes per second) in
    # aggregate...
    delay_parameters 1 26214400/26214400 xxx/xxx xxx/xxx
    delay_initial_bucket_level 50
    delay_access 1 allow all

(I have changed xxx/xxx because this configuration is somewhat sensitive)

With this configuration, I see that _inbound_ traffic (from my webservers, to the proxy) is throttled at 200 mebibits, but _outbound_ traffic (to the Internet from the proxy) is not throttled at all. Shouldn't delay pools affect the connection between the proxy and the Internet when Squid is in web accelerator mode?

-- 
Justin Dossey
Operations, podOmatic
(415) 975-9981
Re: [squid-users] pac and dat woes
On Thu, May 10, 2007, Pitti, Raul wrote:

I am having problem with Firefox 1.5, FF2.XX and IE 6 and 7 and proxy autoconfiguration. After a few days of searching and trying, i am unable to use autoconfiguration for my proxy.

I've made WPAD work but I've not made it work with a DHCP configuration. I've done mine with DNS. Does anyone here have an example of a WPAD+DHCP configuration? If so I'd like to talk to you and document it on the Wiki.

Adrian

1. I have the following dhcpd.conf file:

    max-lease-time 28800;
    default-lease-time 14400;
    option subnet-mask 255.255.255.0;
    ddns-update-style interim;
    option WPAD code 252 = text;
    #
    # rimith.local
    subnet 192.168.1.0 netmask 255.255.225.0 {
        option WPAD "http://192.168.1.17/proxy.pac";
        option routers 192.168.1.20;
        dynamic-bootp-lease-length 10;
        ignore client-updates;
        option domain-name-servers 192.168.1.17, 200.75.200.2;
        max-lease-time 14400;
        ddns-updates off;
        default-lease-time 4000;
        range 192.168.1.126 192.168.1.239;
    }

2. the MIME type has been set on the webserver.

3. also, i have my internal dns set to point wpad.rimith.local to the server 192.168.1.17, and also i have a link for wpad.dat pointing to proxy.pac on the root of the webserver.

None of my clients are able to set the proxy automatically. But if I set the address for the pac file manually, everything works o.k. can someone shed some light on my problem? thanks!

RP
-- 
Raúl Pittí Palma, Eng.
Global Engineering and Technology S.A.
mobile (507)-6616-0194 office (507)-390-4338
Republic of Panama
www.globaltecsa.com

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
[squid-users] proxy.pac config
Hi, I wanted to ask if this is possible. Ive just installed a second squid server and was wondering if I could create somewhat a loadbalancing without using TCP-loadbalancer or HA by using a proxy.pac that is capable of detecting a busy/failed server and connect to the next available proxy server. Squid 1 Internet--+-Workstation(with proxy.pac) Squid 2 If you have any idea or experience, can you share it with me? TIA Nats
Re: [squid-users] proxy.pac config
On Fri, May 11, 2007, SSCR Internet Admin wrote:

Hi, I wanted to ask if this is possible. Ive just installed a second squid server and was wondering if I could create somewhat a loadbalancing without using TCP-loadbalancer or HA by using a proxy.pac that is capable of detecting a busy/failed server and connect to the next available proxy server. Squid 1 Internet--+-Workstation(with proxy.pac) Squid 2

There's plenty of examples of proxy.pac file based load balancing and failover. Failover is easy, just give a number of entries in a list, ie:

    return "PROXY proxy1:3128; PROXY proxy2:3128";

And to failover to direct, try:

    return "PROXY proxy1:3128; PROXY proxy2:3128; DIRECT";

let me know if this doesn't work.

Adrian
RE: [squid-users] pac and dat woes
I've made WPAD work but I've not made it work with a DHCP configuration. I've done mine with DNS. Does anyone here have an example of a WPAD+DHCP configuration? If so I'd like to talk to you and document it on the Wiki.

Here's what we use to support WPAD+DHCP:

[From dhcpd.conf, in the global section of the file]

    option option-252 code 252 = text;
    option option-252 "http://wpad.example.com/wpad.dat\n";

Note that IE6 truncates the answer it gets (by dropping the last character), which is why you need to include something like '\n'. I'm not sure whether Firefox supports DHCP for its autodiscovery.

David.
__
David Gameau
ISTS - Systems Infrastructure
University of South Australia
email: [EMAIL PROTECTED] phone: +61 8 302 3533 fax: +61 8 302 5800

Disclaimer: His brain sometimes stops working. - Chiyo, Azumange Daoih
Re: [squid-users] pac and dat woes
David Gameau wrote:

Here's what we use to support WPAD+DHCP:

[From dhcpd.conf, in the global section of the file]

    option option-252 code 252 = text;
    option option-252 "http://wpad.example.com/wpad.dat\n";

Note that IE6 truncates the answer it gets (by dropping the last character), which is why you need to include something like '\n'. I'm not sure whether Firefox supports DHCP for its autodiscovery.

The alternative for IE6 is to have a symlink with the t missing from the name. That's how I did it anyway. And AFAIK, DHCP-WPAD is really only effective for Windows running IE6/7. I'm fairly sure support for this method in other operating systems and browsers is pretty much non-existent.

TB

** This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender. **
Re: [squid-users] pac and dat woes
On Thu, May 10, 2007, Pitti, Raul wrote:

I am having problem with Firefox 1.5, FF2.XX and IE 6 and 7 and proxy autoconfiguration. After a few days of searching and trying, i am unable to use autoconfiguration for my proxy.

I've made WPAD work but I've not made it work with a DHCP configuration. I've done mine with DNS. Does anyone here have an example of a WPAD+DHCP configuration? If so I'd like to talk to you and document it on the Wiki.

grr ... top-poster.

Yes I have WPAD+DHCP going. I encountered very similar problems. There were two workarounds I had to use.

First, was discarding all the common online instructions. They only seem to work for one or the other not both Ffx and IE. DO NOT rename option 252 inside the dhcp config. Each time you need it send it explicitly by number. There is something about the way most DHCP agents do name aliasing that IE hates.

Secondly, the DNS wpad.* MUST have * equal to at least one of the 'domain' settings in resolv.conf in linux and 'default-domain' in dhcp.conf for windows (there is probably a machine domain config for windows but I don't use it).

Aside from that, each Ffx has to be set explicitly to 'Automatically Detect Network Settings'. The default is a forced DIRECT connection.

I will be back at the machines that do this in a few hours and can give you exact examples then.

Amos

1. I have the following dhcpd.conf file:

    max-lease-time 28800;
    default-lease-time 14400;
    option subnet-mask 255.255.255.0;
    ddns-update-style interim;
    option WPAD code 252 = text;
    #
    # rimith.local
    subnet 192.168.1.0 netmask 255.255.225.0 {
        option WPAD "http://192.168.1.17/proxy.pac";
        option routers 192.168.1.20;
        dynamic-bootp-lease-length 10;
        ignore client-updates;
        option domain-name-servers 192.168.1.17, 200.75.200.2;
        max-lease-time 14400;
        ddns-updates off;
        default-lease-time 4000;
        range 192.168.1.126 192.168.1.239;
    }

2. the MIME type has been set on the webserver.

3. also, i have my internal dns set to point wpad.rimith.local to the server 192.168.1.17, and also i have a link for wpad.dat pointing to proxy.pac on the root of the webserver.

None of my clients are able to set the proxy automatically. But if I set the address for the pac file manually, everything works o.k. can someone shed some light on my problem? thanks!

RP
--
Raúl Pittí Palma, Eng. Global Engineering and Technology S.A. mobile (507)-6616-0194 office (507)-390-4338 Republic of Panama www.globaltecsa.com

-- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level bandwidth-capped VPSes available in WA -
Re: [squid-users] pac and dat woes
On Fri, May 11, 2007, David Gameau wrote:

I've made WPAD work but I've not made it work with a DHCP configuration. I've done mine with DNS. Does anyone here have an example of a WPAD+DHCP configuration? If so I'd like to talk to you and document it on the Wiki.

Here's what we use to support WPAD+DHCP:

[From dhcpd.conf, in the global section of the file]

    option option-252 code 252 = text;
    option option-252 "http://wpad.example.com/wpad.dat\n";

Note that IE6 truncates the answer it gets (by dropping the last character), which is why you need to include something like '\n'. I'm not sure whether Firefox supports DHCP for its autodiscovery.

Hm! How interesting. Do you have any tech references for that IE6 WPAD behaviour?

Adrian
RE: [squid-users] proxy.pac config
Thanks Adrian it works! I could see that it shift to the other server when I manually shutdown squid. Now, this could be a harder (for a noob like me). What if I have 500 workstation, so I have to config each browser to use my new pac file, is there a way that this pac will eventually force all browser to use pac. Like blindly install pac on their browser when they go directly to port 80. Thanks

-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Friday, May 11, 2007 9:37 AM
To: SSCR Internet Admin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] proxy.pac config

On Fri, May 11, 2007, SSCR Internet Admin wrote:

Hi, I wanted to ask if this is possible. I've just installed a second squid server and was wondering if I could create somewhat a loadbalancing without using TCP-loadbalancer or HA by using a proxy.pac that is capable of detecting a busy/failed server and connect to the next available proxy server.

Squid 1 Internet--+-Workstation(with proxy.pac) Squid 2

There's plenty of examples of proxy.pac file based load balancing and failover. Failover is easy, just give a number of entries in a list, ie:

    return "PROXY proxy1:3128; PROXY proxy2:3128";

And to failover to direct, try:

    return "PROXY proxy1:3128; PROXY proxy2:3128; DIRECT";

let me know if this doesn't work.

Adrian
RE: [squid-users] pac and dat woes
-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED]

On Fri, May 11, 2007, David Gameau wrote:

I've made WPAD work but I've not made it work with a DHCP configuration. I've done mine with DNS. Does anyone here have an example of a WPAD+DHCP configuration? If so I'd like to talk to you and document it on the Wiki.

Here's what we use to support WPAD+DHCP:

[From dhcpd.conf, in the global section of the file]

    option option-252 code 252 = text;
    option option-252 "http://wpad.example.com/wpad.dat\n";

Note that IE6 truncates the answer it gets (by dropping the last character), which is why you need to include something like '\n'. I'm not sure whether Firefox supports DHCP for its autodiscovery.

Hm! How interesting. Do you have any tech references for that IE6 WPAD behaviour?

Adrian

I can't find the singular authoritative source for the problem. However, this is probably the best explanation I could find.

[from http://homepages.tesco.net/J.deBoynePollard/FGA/web-browser-auto-proxy-configuration.html]

One caveat: Microsoft's Internet Explorer version 6.01 expects the string in option 252 to be NUL-terminated. As such, it unconditionally strips off the final octet of the string before using it. Earlier versions of Microsoft's Internet Explorer do not do this. To satisfy all versions, simply explicitly include a NUL as the last octet of the string.

Regards,
David.
__
David Gameau ISTS - Systems Infrastructure University of South Australia email: [EMAIL PROTECTED] phone: +61 8 302 3533 fax: +61 8 302 5800 Disclaimer: His brain sometimes stops working. - Chiyo, Azumange Daoih
Re: [squid-users] proxy.pac config
On Fri, May 11, 2007, SSCR Internet Admin wrote:

Thanks Adrian it works! I could see that it shift to the other server when I manually shutdown squid. Now, this could be a harder (for a noob like me). What if I have 500 workstation, so I have to config each browser to use my new pac file, is there a way that this pac will eventually force all browser to use pac. Like blindly install pac on their browser when they go directly to port 80.

You can do it via WPAD DHCP or WPAD DNS (thats what WPAD is for) but it requires users' browsers to have the proxy autodetection feature ticked.

Watch this list, I have a feeling I'm going to be writing a couple of Squid Wiki articles on successfully deploying WPAD and proxy.pac files to finally demystify the mess..

Adrian
[squid-users] Bandwidth Requirements
I am looking at implementing squid for one of my clients and have a question regarding bandwidth usage. In the scenario I will have multiple locations with very few PC's approximately 2-3 machines per location. If I setup a main squid server in one of my main locations with a standard DSL connection (3.0Mbps down and 512K up) and VPN the stores into that main server, will I notice a large delay when waiting for pages to load? My second question is if I use that scenario will the internet traffic all flow under through the proxy or will it just check the URL and then use the default route which will be the local internet connect? Thanks in advance. Dustin
Re: [squid-users] proxy.pac config
well, you can be sure i'll provide a fully working example as soon as I get my config working. :-D (just to prevent others to waste as much time as myself.)

RP

Adrian Chadd wrote:

On Fri, May 11, 2007, SSCR Internet Admin wrote:

Thanks Adrian it works! I could see that it shift to the other server when I manually shutdown squid. Now, this could be a harder (for a noob like me). What if I have 500 workstation, so I have to config each browser to use my new pac file, is there a way that this pac will eventually force all browser to use pac. Like blindly install pac on their browser when they go directly to port 80.

You can do it via WPAD DHCP or WPAD DNS (thats what WPAD is for) but it requires users' browsers to have the proxy autodetection feature ticked.

Watch this list, I have a feeling I'm going to be writing a couple of Squid Wiki articles on successfully deploying WPAD and proxy.pac files to finally demystify the mess..

Adrian

--
Raúl Pittí Palma, Eng. Global Engineering and Technology S.A. mobile (507)-6616-0194 office (507)-390-4338 Republic of Panama www.globaltecsa.com
[squid-users] squidproxy.wordpress.com
I've created a Wordpress blog (which will be linked off the front page of the new site) which I and some of the other developers will include developments, announcements and general tidbits about Squid development. http://squidproxy.wordpress.com/ (squid was taken.) Thanks, Adrian
Re: [squid-users] Bandwidth Requirements
I am looking at implementing squid for one of my clients and have a question regarding bandwidth usage. In the scenario I will have multiple locations with very few PC's approximately 2-3 machines per location. If I setup a main squid server in one of my main locations with a standard DSL connection (3.0Mbps down and 512K up) and VPN the stores into that main server, will I notice a large delay when waiting for pages to load? My second question is if I use that scenario will the internet traffic all flow under through the proxy or will it just check the URL and then use the default route which will be the local internet connect? Thanks in advance. Dustin

Um, the best use of Squid is to prevent usage of slow links like your 512K up. If the clients are on the other end of it to squid then you really need a great reason to force them to use it.

On the information you have given the answers are definitely, and maybe. But some info on what you are trying to do may change that.

Amos
Re: [squid-users] proxy.pac config
On 5/10/07, Adrian Chadd [EMAIL PROTECTED] wrote:

There's plenty of examples of proxy.pac file based load balancing and failover.

It's important to keep in mind that some PAC behavior, including failover, is different for different browsers and browser versions -- this particularly applies to IE, which for example, caches everything about PAC, including failed proxies, and won't forget until the iexplore.exe process ends and is restarted.

This means that once IE has detected a failed proxy, it will automatically failover, but will not fail back, will never try a failed proxy again until you exit and restart.

Watch this list, I have a feeling I'm going to be writing a couple of Squid Wiki articles on successfully deploying WPAD and proxy.pac files to finally demystify the mess..

Tell me about it. I've been told that I should write a WPAD/APC/PAC book, but O'Reilly said that one chapter in the rock thrush book was more than enough for their needs.

Kevin

(P.S. Have you heard about the magical PAC refresh option in Microsoft's IEAK?)
Re: [squid-users] proxy.pac config
On Thu, May 10, 2007, K K wrote:

On 5/10/07, Adrian Chadd [EMAIL PROTECTED] wrote:

There's plenty of examples of proxy.pac file based load balancing and failover.

It's important to keep in mind that some PAC behavior, including failover, is different for different browsers and browser versions -- this particularly applies to IE, which for example, caches everything about PAC, including failed proxies, and won't forget until the iexplore.exe process ends and is restarted.

You can turn that cache behaviour off. I'll hunt around for the instructions to tell IE not to cache proxy.pac lookups and add it to the documentation.

(P.S. Have you heard about the magical PAC refresh option in Microsoft's IEAK?)

Nope! Please tell.

Adrian