Re: [squid-users] Redirector not getting the Port number in the URL.
> > I actually missed to mention that we are using squid in a reverse proxy
> > mode. I get the port numbers when the squid is configured for direct proxy
> > but when it is configured for reverse proxy, the port number is not coming
> > to the redirector program even if the port is other than 80.
>
> What does your http_port line look like?

Thanks Hendrik, I got the clue, the "vport" parameter fixed the issue. I had "http_port 9000" before and now I have changed it to "http_port 9000 vport".

Thanks
-logu
[squid-users] HTCP Questions
Everyone,

I'm in the process of upgrading some squid servers from an early 2.5 release to 2.6. Right now we have a relatively simple setup, with squids on two different boxes that act as siblings; in the future we will probably be maintaining this sort of flat hierarchy if additional squids are added. The squids currently communicate with each other using ICP.

Are there any compelling reasons to use HTCP rather than ICP? My limited understanding of the subject is that as it stands ICP and HTCP are roughly equivalent, but that the HTCP implementation in Squid 3.0 will be improved and that might make HTCP more compelling at that time. Is this correct? For a simple flat hierarchy with sibling squids will moving to HTCP provide any tangible benefits? Are there any risks in migrating to HTCP?

-- 
Evan Klitzke <[EMAIL PROTECTED]>
RE: [squid-users] Squid + WPAD issues
Hi Terry

isInNet refers to the network that the Host is on, so where you have

    (isInNet(host,"192.168.0.0","255.255.0.0")) return "PROXY 192.168.10.14:3128";

if they are GOING to a www host that is at 192.168.1.1 then it will use the proxy 192.168.10.14:3128. This option does not refer to the client's options.

You could try using a DHCP option for each Subnet which allows you to specify the proxy.pac -> symlink to wpad.dat file to use.

Add option 252 to Predefined options

Detect proxy server using DHCPINFORM (Option2)

DHCP server can send DHCPINFORM message and then client can get javascript URL. DHCP server should be supported using DHCPINFORM. Windows 2000 Server/Windows .NET Server support it.

Open DHCP Window, right click the host name and select "Set Predefined Options..."

Click "Add" button at "Predefined Option and Values" window. And then type as below. You can give any name, but data type and Code should be "String" and "252"

Add "AUTO-PROXY-CONFIG" to each scope options and the value should point your proxy.pac file (make link to wpad.dat or copy same file to proxy.pac)

http://www.grape-info.com/doc/win2000srv/internet-gw/wpad/

Hope this helps

Thanks
Andrew Loughnan
Computer Services Manager
compassion innovation integrity
St Joseph's College Geelong
135 Aphrasia Street Newtown Vic 3220
T +61 3 5226 8165, F +61 3 5221 6983, E [EMAIL PROTECTED]
www.sjc.vic.edu.au

-----Original Message-----
From: Terry Dobbs [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 6 June 2007 1:40 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid + WPAD issues

Hi All,

We have been using a proxy server with a WPAD.dat file for a year or two. Now, we have setup another squid server in a remote site. I need to configure the WPAD.dat file in a way where if you are on subnet A use Proxy Server A and if you are on subnet B use proxy server B. For the life of me, I cannot get this to work.

For example, I am using what is seen below, and it seems the only line that works is the "else" statement so everyone is using the same server?

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host))
            return "DIRECT";
        else if (isInNet(host,"192.168.0.0","255.255.0.0"))
            return "PROXY 192.168.10.14:3128";
        else if (isInNet(host,"192.150.170.0","255.255.255.0"))
            return "PROXY 192.150.170.120:3128";
        else
            return "PROXY 192.150.170.120:3128";
    }

Any help would be GREATLY appreciated!! All machines run IE 6 or 7 and are on Win2K/WinXP.

Thanks
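The reply above explains that isInNet(host, ...) tests the destination host, not the client. As an added example (not code from the thread), the PAC below selects the proxy from the client's own address with the standard PAC function myIpAddress(), with the posted function kept beside it for comparison. The shims for isInNet, isPlainHostName and myIpAddress, the names pacAsPosted and proxyFor, and the client addresses are assumptions so the file runs under Node outside a browser.

```javascript
// Added example: choose the proxy from the CLIENT's subnet in wpad.dat.
// In a browser, isInNet(), isPlainHostName() and myIpAddress() are built in.
// The shims below are assumptions that let the same logic run under Node.

function ipToInt(ip) {
  // Accept dotted-quad IPv4 literals only; anything else yields null.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  var p = ip.split(".").map(Number);
  if (p.some(function (octet) { return octet > 255; })) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function isInNet(addr, net, mask) {
  // Shim: a real PAC engine resolves host names through DNS first.
  // This one does not, so a name simply fails to match.
  var a = ipToInt(addr), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

var simulatedClientIp = "127.0.0.1"; // constructed value, set by proxyFor()
function myIpAddress() {
  return simulatedClientIp;
}

// The function as posted: every test is against the destination "host",
// so the subnet the client sits on never influences the result.
function pacAsPosted(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  else if (isInNet(host, "192.168.0.0", "255.255.0.0"))
    return "PROXY 192.168.10.14:3128";
  else if (isInNet(host, "192.150.170.0", "255.255.255.0"))
    return "PROXY 192.150.170.120:3128";
  else return "PROXY 192.150.170.120:3128";
}

// Client-subnet version: same networks and proxies as the posted file,
// but the address tested is the client's own.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  var me = myIpAddress();
  if (isInNet(me, "192.168.0.0", "255.255.0.0"))
    return "PROXY 192.168.10.14:3128";
  if (isInNet(me, "192.150.170.0", "255.255.255.0"))
    return "PROXY 192.150.170.120:3128";
  return "PROXY 192.150.170.120:3128"; // fallback kept from the posted file
}

// Hypothetical helper: evaluate a PAC function as if run on a given client.
function proxyFor(pac, clientIp, url, host) {
  simulatedClientIp = clientIp;
  return pac(url, host);
}

// Constructed sample clients, one per subnet from the thread.
["192.168.20.7", "192.150.170.33"].forEach(function (client) {
  console.log(client,
    "| as posted:", proxyFor(pacAsPosted, client, "http://www.example.com/", "www.example.com"),
    "| by client subnet:", proxyFor(FindProxyForURL, client, "http://www.example.com/", "www.example.com"));
});
```

On hosts with several interfaces (VPN adapters, for instance) myIpAddress() may return an address other than the one on the office LAN, so check what it returns on a sample client from each site before deploying the file.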
[squid-users] authentication and user based filtering
Guys,

I'm looking for an open source solution to this problem...

1. Using Squid as a proxy (works fine)
2. Authenticate users off Novell e-directory (works fine)
3. filter content using blacklists (works fine)
4. filter content based on user access - a field in LDAP (no idea how to get this to work)

What I need is that Joe Manager is in group 'god' so he gets access to everything. While Mary Engineer is in group 'technical' and 'news' so she only gets access to sites that are the technical and news whitelists, BUT if the site is in the blacklists it gets blocked regardless of group.

I'm stuck on how to get a filter solution that will query LDAP to get the groups for the users and then filter on that. Or is this something that should be done by Squid. I'm open to suggestions.

Bill Holder
Senior IT Engineer
INFORMATION MANAGEMENT DIVISION | Queensland Transport
B1, 477 Boundary Street, Spring Hill QLD 4000
P: 07 3834 5922 F: 07 3834 2911 E: [EMAIL PROTECTED]
Re: [squid-users] Problem with Sibling squids
Nothing :(

I'm using version 2.5.STABLE14

I've checked cache.log, nothing appears :( nothing comes into my mind! I used tethereal to see if the switch or some kind of firewall were filtering packets, but it's not the case :(, packets stop being sent by squids :(

I'm about to start crying! :(

On 6/5/07, Juraj Sakala <[EMAIL PROTECTED]> wrote:
> > Added that line and didn't help :(.
> >
> > This is what happens:
> >
> > 1) Squids were configured without sibling.
> > 2) Configured sibling on each squid as showed before (4 cache_peer
> > lines per squid, total 5 squids).
> > 3) Reloaded (not restarted) squid. Sibling started working After a
> > while (~20 secs). Stopped working.
> > 4) Changed some settings (disable siblings, reloaded, enabled
> > siblings, reloaded) and no ICP requests were sent.
> > 5) Restarted Squid and sibling started working again for ~20 secs again.
> >
> > So every change I make I have to restart squid :(
> >
> > About if I see SIBLING_HITs on my access.log, yes, for those 20 secs
> > sibling works. I see SIBLING_HITs :(
>
> It is strange problem. I use ICP without problems. Which version of squid do
> you use?
> Do you have checked cache.log?
>
> This is part of my working config, perhaps it will be helpful for you:
>
> Proxy1:
> icp_port 3130
> icp_hit_stale off
> cache_peer proxy2 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
> log_icp_queries off
> icp_query_timeout 500
> http_access allow Proxy2
> icp_access allow Proxy2
> visible_hostname Proxy1
>
> Proxy2:
> icp_port 3130
> icp_hit_stale off
> cache_peer proxy1 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
> log_icp_queries off
> icp_query_timeout 500
> http_access allow Proxy1
> icp_access allow Proxy1
> visible_hostname Proxy2
>

Sunil, i'm glad it helped you :)

On 6/5/07, Sunil K.P. <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> Thanks a lot.
> I was having problems with the sibling hits and it got solved.
>
> Regards
> Sunil

Cheers!
Santiago
[squid-users] Recommendation for ftp proxy software?
Greetings, I am wondering if anyone has a suggestion for a linux based FTP proxy with the same sort of NTLM auth capability as Squid? I need to set up something to proxy requests from Explorer as well as from FTP client programs.
[squid-users] squid config question
> I am just getting started with 2.6 S13 and was looking to run it
> against my mediawiki server as an Http Accelerator. Right now it's on
> the same box and I plan to move it here shortly. But first I just want
> to make sure I have it working correctly. Can anyone give a look at
> the below config and tell me if I have it right?
>
> http_port [IPADDRESS]:80 accel defaultsite=127.0.0.1
> cache_peer 127.0.0.1 parent 80 0 no-query originserver login=PASS
> acl WIKIip dst [IPADDRESS]
> acl WIKI dstdomain [HOSTNAME AND DOMAIN]
> acl all src 0/0
> http_access allow all
> visible_hostname [HOSTNAME AND DOMAIN]
> cache_peer_access [HOSTNAME AND DOMAIN] allow all
>
> I keep seeing
>
> 2007/06/05 02:14:26| squid.conf, line 8: No cache_peer '[HOSTNAME AND DOMAIN]'
>
> in the logs as well as
>
> 1181018880.588 RELEASE -1 EDA21F66F576C00321CD3282489FBD30 200 1181018878-1 1181018878 text/html 7335/7335 GET [WIKI URI]/index.php/Special:Recentchanges
> 1181018880.700 RELEASE -1 478A4353B1F718D5D89D8AB6FD56A98E 304 1181018880-1-1 unknown -1/0 GET [WIKI URI]/skins/common/commonPrint.css
> 1181018880.789 RELEASE -1 572ADF9D17F262131CCEA7236F3D553F 304 1181018880-1-1 unknown -1/0 GET [WIKI URI]/skins/fiwiki/main.css?
>
> Should "RELEASE" be there in the logs for everything but images?
> Anyone have a sample squid.conf and a LocalSetting.php from mediawiki
> that they would be willing to share?
> Thanks again,
> Seth
[squid-users] [OT] about "Free software only dies when the last copy of the source code is erased"
I wrote something to explain what I mean to say when I said "I can't implement this if the project is dead"

http://lucas-coudures.blogspot.com/2007/06/cuando-muere-un-proyecto-de-software.html

I am sorry because I can't explain very well in English so I wrote this in Spanish. Does someone in this mailing list speak Spanish??

-- 
Lucas Coudures
Registered Linux User #442566
Blog: http://lucas-coudures.blogspot.com/
Jabber: [EMAIL PROTECTED]
-
This message contains no viruses, because all of its content was generated under Linux.

Dead is a matter of definition. Free software only dies when the last copy of the source code is erased.
[squid-users] a bug in the new squid package (CentOS 4.5) ?
Hello,

I think I found a bug in the new squid package squid-2.5.STABLE14-1.4E that replaces squid-2.5.STABLE6-3.4E.12 (in the last CentOS 4.5 update).

I'm using squid as reverse proxy with a redirector. The new version broke the redirector new links.

For example this URL: http://www.domain.com/
Should be redirected to this URL: http://www.redirect-domain.com/

When trying to load http://www.domain.com/ squid gives this error message:

    The requested URL could not be retrieved

    While trying to retrieve the URL: http://www.redirect-domain.com/

    The following error was encountered:

    Unable to determine IP address from host name for templeoflight.wikis.diburim.co.il

    The dnsserver returned:

    Name Error: The domain name does not exist.

    This means that:

    The cache was not able to resolve the hostname presented in the URL.
    Check if the address is correct.

    Your cache administrator is root.

    Generated Sat, 19 May 2007 14:15:07 GMT by ns1.wike-site.com (squid/2.5.STABLE14)

www.redirect-domain.com is alive and define fine squid dns resolvers.

Uninstalling the new package and reinstalling the old package solves the problem.

Gonen

-- 
If you can't read my mail, try changing encoding to UTF-8.
Gonen.
RE: FW: [squid-users] Cert issue on reserve proxy
When I log in as root I get access denied on writing cache due to the user account owning the directory, set it back to nobody?

    cache_peer parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER Login=PASS

We also have sslproxy set to no verify but not sure if that matters.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 05, 2007 10:43 AM
To: Jason Hitt
Cc: squid-users@squid-cache.org
Subject: Re: FW: [squid-users] Cert issue on reserve proxy

On Tue 2007-06-05 at 10:11 -0500, Jason Hitt wrote:
> After logging in as the effective user and setting the cache and log ownership to this account when I launch squid I get this:
>
> commBind: Cannot bind socket FD 12 to *:443: (13) Permission denied
> FATAL: Cannot open HTTP Port

You should start Squid as root, with cache_effective_user set to the user you want Squid to run as.

> CONNECTED(0004)
> depth=0 /CN=
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /CN=
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=
>    i:/CN=

Looks good.

What does your cache_peer line look like?

With self-signed certificates you need to either disable peer certificate validation, or use the peer certificate as a CA.

Regards
Henrik
Re: FW: [squid-users] Cert issue on reserve proxy
On Tue 2007-06-05 at 10:11 -0500, Jason Hitt wrote:
> After logging in as the effective user and setting the cache and log
> ownership to this account when I launch squid I get this:
>
> commBind: Cannot bind socket FD 12 to *:443: (13) Permission denied
> FATAL: Cannot open HTTP Port

You should start Squid as root, with cache_effective_user set to the user you want Squid to run as.

> CONNECTED(0004)
> depth=0 /CN=
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /CN=
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=
>    i:/CN=

Looks good.

What does your cache_peer line look like?

With self-signed certificates you need to either disable peer certificate validation, or use the peer certificate as a CA.

Regards
Henrik
[squid-users] Squid + WPAD issues
Hi All,

We have been using a proxy server with a WPAD.dat file for a year or two. Now, we have setup another squid server in a remote site. I need to configure the WPAD.dat file in a way where if you are on subnet A use Proxy Server A and if you are on subnet B use proxy server B. For the life of me, I cannot get this to work.

For example, I am using what is seen below, and it seems the only line that works is the "else" statement so everyone is using the same server?

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host))
            return "DIRECT";
        else if (isInNet(host,"192.168.0.0","255.255.0.0"))
            return "PROXY 192.168.10.14:3128";
        else if (isInNet(host,"192.150.170.0","255.255.255.0"))
            return "PROXY 192.150.170.120:3128";
        else
            return "PROXY 192.150.170.120:3128";
    }

Any help would be GREATLY appreciated!! All machines run IE 6 or 7 and are on Win2K/WinXP.

Thanks
Re: [squid-users] Problem with Sibling squids
Greetings,

Thanks a lot.
I was having problems with the sibling hits and it got solved.

Regards
Sunil

----- Original Message -----
From: "Juraj Sakala" <[EMAIL PROTECTED]>
To: "Santiago Del Castillo" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, June 05, 2007 2:21 PM
Subject: Re: [squid-users] Problem with Sibling squids

> Added that line and didn't help :(.
>
> This is what happens:
>
> 1) Squids were configured without sibling.
> 2) Configured sibling on each squid as showed before (4 cache_peer
> lines per squid, total 5 squids).
> 3) Reloaded (not restarted) squid. Sibling started working After a
> while (~20 secs). Stopped working.
> 4) Changed some settings (disable siblings, reloaded, enabled
> siblings, reloaded) and no ICP requests were sent.
> 5) Restarted Squid and sibling started working again for ~20 secs again.
>
> So every change I make I have to restart squid :(
>
> About if I see SIBLING_HITs on my access.log, yes, for those 20 secs
> sibling works. I see SIBLING_HITs :(

It is strange problem. I use ICP without problems. Which version of squid do you use?
Do you have checked cache.log?

This is part of my working config, perhaps it will be helpful for you:

Proxy1:
icp_port 3130
icp_hit_stale off
cache_peer proxy2 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
log_icp_queries off
icp_query_timeout 500
http_access allow Proxy2
icp_access allow Proxy2
visible_hostname Proxy1

Proxy2:
icp_port 3130
icp_hit_stale off
cache_peer proxy1 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
log_icp_queries off
icp_query_timeout 500
http_access allow Proxy1
icp_access allow Proxy1
visible_hostname Proxy2
Re: [squid-users] Information Banner/Pop-up
On Tue 2007-06-05 at 13:51 +0200, Paolo Biancolli wrote:
> I have a requirement to display a notice to all users before they start
> using the internet in my organisation. It is to direct them to a URL
> stating the conditions of use etc.

The session helper in 2.6 is intended for this exactly, allowing the first request of each "session" to be redirected to a policy page or similar.

Regards
Henrik
Re: [squid-users] delay pools and acls
Henrik Nordstrom wrote:
> On Tue 2007-06-05 at 07:40 +0700, Arianto C Nugroho wrote:
> > Quoting McDouglas <[EMAIL PROTECTED]>:
> > > Hi!
> > > Is it possible to assign delay pools to acls instead of domain names?
> > > I use an external acl to verify if a given user belongs to a given
> > > windows group (using wbinfo_group) and I'd like to limit his bandwidth
> > > depending on group membership (teachers can use 1 mbit, students only
> > > 250kbit)
> > > Thanks
> >
> > AFAIK, delay pool is assigned to a group of acl ..
>
> It should work, provided the group acl is also evaluated in http_access.
>
> Squid can not wait for lookups to external helpers to complete in
> delay_access, so the results of any acls used there must be immediately
> available without querying some other process or already known.
>
> Regards
> Henrik

Thanks, I missed the http_access lines, after that everything worked perfectly with wbinfo_group.
FW: [squid-users] Cert issue on reserve proxy
After logging in as the effective user and setting the cache and log ownership to this account when I launch squid I get this:

commBind: Cannot bind socket FD 12 to *:443: (13) Permission denied
FATAL: Cannot open HTTP Port

-----Original Message-----
From: Jason Hitt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 05, 2007 9:56 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Cert issue on reserve proxy

I was running squid as nobody:nogroup but made a user for squid and added it to cache_effective_user, logged in as the user and ran the openssl command. Got what's below. Why does it say protocol is TLS, shouldn't it be sslv3?

CONNECTED(0004)
depth=0 /CN=
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=
verify return:1
---
Certificate chain
 0 s:/CN=
   i:/CN=
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=
issuer=/CN=
---
No client certificate CA names sent
---
SSL handshake has read 659 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 7E1BFBDFFEC0CE1EA79B9A990AEDB5D92D7F3F6A0E213610D3EDC49E
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Start Time: 1181055015
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, June 04, 2007 4:37 PM
To: Jason Hitt
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Cert issue on reserve proxy

On Mon 2007-06-04 at 11:20 -0500, Jason Hitt wrote:
> When I added it to cache_effective_user as you mentioned it states there's no
> account named "openssl". I made one just to see if that's what you meant and
> gave the openssl account ownership of the logs and caches as needed but I get
> an abort trap. I'm stumped. About to do a port mirror and wireshark the ssl
> exchange.

I want you to run the openssl s_client command as the cache_effective_user on your Squid server, whatever that is on your server, not as root.

I do not want you to change the cache_effective_user in squid.conf at all. Just to run the openssl command as the user cache_effective_user is set to run Squid under..

Regards
Henrik
RE: [squid-users] Cert issue on reserve proxy
I was running squid as nobody:nogroup but made a user for squid and added it to cache_effective_user, logged in as the user and ran the openssl command. Got what's below. Why does it say protocol is TLS, shouldn't it be sslv3?

CONNECTED(0004)
depth=0 /CN=
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=
verify return:1
---
Certificate chain
 0 s:/CN=
   i:/CN=
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=
issuer=/CN=
---
No client certificate CA names sent
---
SSL handshake has read 659 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 7E1BFBDFFEC0CE1EA79B9A990AEDB5D92D7F3F6A0E213610D3EDC49E
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Start Time: 1181055015
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, June 04, 2007 4:37 PM
To: Jason Hitt
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Cert issue on reserve proxy

On Mon 2007-06-04 at 11:20 -0500, Jason Hitt wrote:
> When I added it to cache_effective_user as you mentioned it states there's no
> account named "openssl". I made one just to see if that's what you meant and
> gave the openssl account ownership of the logs and caches as needed but I get
> an abort trap. I'm stumped. About to do a port mirror and wireshark the ssl
> exchange.

I want you to run the openssl s_client command as the cache_effective_user on your Squid server, whatever that is on your server, not as root.

I do not want you to change the cache_effective_user in squid.conf at all. Just to run the openssl command as the user cache_effective_user is set to run Squid under..

Regards
Henrik
Re: [squid-users] log user activity
On 6/5/07, Kamal Paryani <[EMAIL PROTECTED]> wrote:
> in squid can we log all user web based activity - like can we have a
> keylogger kind of a output of whatever activity they have done on the
> web

Squid, like any other web proxy, will log the basic details of each HTTP conversation, but not the contents of a POST. Additionally, there is no ability to peer into TLS (HTTPS) conversations over CONNECT.

> for e.g. if they use gmail to send mail or chat can we log all the
> matter they type like in a keylogger

Sorry, no, what you ask for is not possible with *any* web proxy, and is likely to be illegal (and is always unethical, IMHO)

Kevin
[squid-users] log user activity
hi

in squid can we log all user web based activity - like can we have a keylogger kind of a output of whatever activity they have done on the web

for e.g. if they use gmail to send mail or chat can we log all the matter they type like in a keylogger

regards
kamal
Re: [squid-users] Problem with Sibling squids
> Added that line and didn't help :(.
>
> This is what happens:
>
> 1) Squids were configured without sibling.
> 2) Configured sibling on each squid as showed before (4 cache_peer
> lines per squid, total 5 squids).
> 3) Reloaded (not restarted) squid. Sibling started working After a
> while (~20 secs). Stopped working.
> 4) Changed some settings (disable siblings, reloaded, enabled
> siblings, reloaded) and no ICP requests were sent.
> 5) Restarted Squid and sibling started working again for ~20 secs again.
>
> So every change I make I have to restart squid :(
>
> About if I see SIBLING_HITs on my access.log, yes, for those 20 secs
> sibling works. I see SIBLING_HITs :(

It is strange problem. I use ICP without problems. Which version of squid do you use?
Do you have checked cache.log?

This is part of my working config, perhaps it will be helpful for you:

Proxy1:
icp_port 3130
icp_hit_stale off
cache_peer proxy2 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
log_icp_queries off
icp_query_timeout 500
http_access allow Proxy2
icp_access allow Proxy2
visible_hostname Proxy1

Proxy2:
icp_port 3130
icp_hit_stale off
cache_peer proxy1 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
log_icp_queries off
icp_query_timeout 500
http_access allow Proxy1
icp_access allow Proxy1
visible_hostname Proxy2
Re: [squid-users] Problem with Sibling squids
Hi Kevin,

I want to try both. Cache Digest and no-digest, because I want to run two benchmarks. Cache-Digests it's very very useful if you have mid/high latency between squids. Since my latency it's <1 ms, ICP isn't a big problem for me. I can afford an ICP request per every HTTP request. But of course I won't discard using Cache Digest to see what is better in my case.

Thanks a lot!
Santiago

On 6/5/07, K K <[EMAIL PROTECTED]> wrote:
> You might consider enabling Cache Digests (see
> http://wiki.squid-cache.org/SquidFaq/CacheDigests).
>
> If squid is compiled with --enable-cache-digests, you can configure
> peers to periodically share a hashed summary of cached objects instead
> of using ICP to check as requests come in.
>
> Checking the local RAM digests for several peers is (nearly always)
> more efficient than sending out ICP requests to the same number of
> peers and then waiting for responses from all peers. Drawbacks are
> the overhead to build and transfer digests every X minutes, and also
> you miss out on hits that would have been successful with ICP,
> particularly the extremely efficient UDP_HIT_OBJ type :)
>
> Kevin
>
Re: [squid-users] Problem with Sibling squids
Hi juraj,

Added that line and didn't help :(.

This is what happens:

1) Squids were configured without sibling.
2) Configured sibling on each squid as showed before (4 cache_peer lines per squid, total 5 squids).
3) Reloaded (not restarted) squid. Sibling started working After a while (~20 secs). Stopped working.
4) Changed some settings (disable siblings, reloaded, enabled siblings, reloaded) and no ICP requests were sent.
5) Restarted Squid and sibling started working again for ~20 secs again.

So every change I make I have to restart squid :(

About if I see SIBLING_HITs on my access.log, yes, for those 20 secs sibling works. I see SIBLING_HITs :(

Thank you!
Santiago

On 6/5/07, Juraj Sakala <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > Here's my config:
> >
> > acl RedPlaid src 208.XX.XX.0/255.255.255.0
> > acl squid1 src 208.74.XX.XX
> > acl squid2 src 208.74.XX.XX
> > acl squid3 src 208.74.XX.XX
> > acl squid4 src 208.74.XX.XX
> > acl squid5 src 208.74.XX.XX
> > acl AllowedSites dstdomain "/etc/squid/allowed_sites"
> > acl DeniedSites url_regex "/etc/squid/denied_sites"
> >
> > http_access allow AllowedSites !DeniedSites
> > http_access allow localhost
> Try this:
> http_access allow RedPlaid
> I think this was problem
>
> > http_access deny all
> >
> > icp_access allow RedPlaid
> > icp_access deny all
> >
> > miss_access deny squid1 squid2 squid3 squid4
> > miss_access allow all
> >
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_single_host off
> >
> > httpd_accel_with_proxy on
> >
> > httpd_accel_uses_host_header on
> >
> > log_icp_queries on
> > icp_hit_stale on
> >
> > cache_peer 208.74.XX.XX sibling 80 3130 proxy-only no-digest allow-miss
> > cache_peer 208.74.XX.XX sibling 80 3130 proxy-only no-digest allow-miss
> > cache_peer 208.74.XX.XX sibling 80 3130 proxy-only no-digest allow-miss
> > cache_peer 208.74.XX.XX sibling 80 3130 proxy-only no-digest allow-miss
> Do you see something like this in access.log?:
> 1181021372.535545 x.x.x.x TCP_MISS/200 6784 GET http://www.google.sk/images/nav_logo3.png - SIBLING_HIT/someproxy image/png
>
> Regards
> Juraj
>
Re: [squid-users] Redirector not getting the Port number in the URL.
On Tue 2007-06-05 at 17:20 +0530, Logu wrote:
> Thanks Hendrik for the details,
> I actually missed to mention that we are using squid in a reverse proxy
> mode. I get the port numbers when the squid is configured for direct proxy
> but when it is configured for reverse proxy, the port number is not coming
> to the redirector program even if the port is other than 80.

What does your http_port line look like?

Regards
Henrik
Re: [squid-users] Redirector not getting the Port number in the URL.
> > The port number in the requested url is not available for the url rewrite
> > (redirector) program, is it an expected behaviour.?
>
> It is there. But the URL sent to url rewriters is slightly normalized so
> if the port is the default for the requested scheme then it's not sent.
> All hostnames sent to the url rewriter are also lower-case.
>
> What this means is that if you request
>
> http://WWW.ExAmPlE.cOm:80/path
>
> then
>
> http://www.example.com/path
>
> is sent to the URL rewriter, but if you request
>
> http://WWW.ExAmPlE.cOm:81/path
>
> then
>
> http://www.example.com:81/path
>
> is sent.

Thanks Hendrik for the details,

I actually missed to mention that we are using squid in a reverse proxy mode. I get the port numbers when the squid is configured for direct proxy but when it is configured for reverse proxy, the port number is not coming to the redirector program even if the port is other than 80.

-Logu
[squid-users] Information Banner/Pop-up
Hi All,

I have a requirement to display a notice to all users before they start using the internet in my organisation. It is to direct them to a URL stating the conditions of use etc.

We are using squid 2.5 stable 14 with NTLM authentication and I see that with this method one cannot insert a note in the auth box as you can with basic auth (auth_param basic realm).

Is it possible to activate a pop-up or info box where I can display to users the required info?

Many thanks
Paolo Biancolli
Re: [squid-users] Missing "/var/log/squid/access.log"
Henrik Nordstrom wrote:
> On Tue 2007-06-05 at 16:09 +1200, D & E Radel wrote:
> > Henrik Nordstrom wrote:
> > > On Tue 2007-06-05 at 14:48 +1200, D & E Radel wrote:
> > > > Hi there,
> > > >
> > > > After upgrading from squid 2.5 to 2.6 (Debian oldstable to Debian
> > > > stable), everything now seems to work except SARG.
> > > >
> > > > SARG now complains about a missing: /var/log/squid/access.log
> > > >
> > > > Is there a change in the squid.conf that requires me to specify this
> > > > somewhere?
> > >
> > > Yes. You need an access_log line in squid.conf telling Squid where to
> > > log, or it won't log..
> > >
> > > Regards
> > > Henrik
> >
> > Thanks for that.
> > Where can I find info on how to generate the access log? Or where can I
> > download a generic squid.conf for 2.6? I couldn't see one in the stable
> > tarball that I just downloaded.
>
> The generic squid.conf is installed as squid.conf.default when you
> install Squid.
>
> The access_log directive is the new 2.6 name for what was the
> cache_access_log directive in 2.5..
>
> You do not need to generate the access log, but you need to tell Squid
> that it should make one..
>
> Regards
> Henrik

Thanks Henrik. :-)
[squid-users] HTTPS through VPN
I have squid running and I want people on VPN tunnel to be able to use squid. It all works fine apart from https websites time out. If I am on the same subnet it works fine but as soon as I am on a different subnet connecting through VPN it no longer can handle requests. I went through the logs and I can see the https connect from the right ip address but it doesn't do anything else. How can I fix this?

Jonathan Bastin
Re: [squid-users] squid_radius_auth accepts any credentials!
On Tue 2007-06-05 at 08:53 +0100, Neil A. Hillard wrote:
> I'll post here and let everyone know whether it's OK now. I'll compare the sources but can you summarise what needed resolving?

It was a year ago so memory is a little dim, but looking at the diffs the specific change is these two:

} + +if (auth->id != request_id) { + /* Duplicate response of an earlier query, ignore */ + return -1; +} + /* Verify the reply digest */ [...] if (memcmp(reply_digest, calc_digest, AUTH_VECTOR_LEN) != 0) { fprintf(stderr, "Warning: Received invalid reply digest from server\n"); + return -1; }

Regards
Henrik
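Review bot: In the first hunk, the duplicate-response branch (auth->id != request_id) returns -1, the same value the second hunk returns for a bad reply digest, although its comment says the packet should be ignored. If the caller treats -1 as a failed login, a single stale or unsolicited reply is enough to reject a valid user. Consider a distinct return value so the caller can keep waiting, up to its timeout, for the reply that matches request_id.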
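Review bot: In the second hunk, the comparison "memcmp(reply_digest, calc_digest, AUTH_VECTOR_LEN) != 0" stops at the first differing byte, so it is not a constant-time check of the reply digest; a loop that ORs together the XOR of all AUTH_VECTOR_LEN bytes avoids revealing how much of a forged digest matched. The added "return -1" is what turns the check from a warning into a rejection, so the message text should say the reply was rejected rather than "Warning", and it would be easier to investigate if it included the sender's address and the request id.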
Re: [squid-users] squid no space left on device
> Probably you are running out of inodes. Try to create the squid swap file system with more inodes than the default.

Yes, it seems that I was running out of inodes. Thanks for your and Martin's reply. It is now more or less solved.

- Rainhard
Re: [squid-users] copy paste from yahoo mail asks password
hi

the copy paste from yahoo problem occurs only when I copy from yahoo and paste into Word 2003. If I paste into Notepad or any other app, or even an older version of Word, then it does not ask for authentication. Only with yahoo and Word 2003.

regards

On 5/30/07, Pablo Fernandes Yahoo <[EMAIL PROTECTED]> wrote:

When you are using authentication and a user has no permission to access something, it resends the authentication prompt again. Even if the proxy is in the middle of loading a web site, it resends the authentication prompt instead of giving a "permission denied" message.

Hey, try to check in your access.log logs while the user is trying to access the webmail. You will probably see something being denied. Tell us the results.

Regards
Pablo Fernandes

-----Original Message-----
From: Kamal Paryani [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 30 May 2007 17:44
To: Pablo Fernandes Yahoo; squid-users@squid-cache.org
Subject: Re: [squid-users] copy paste from yahoo mail asks password

hi pablo

I understand what you are saying, but the user who is doing this has got no restrictions to any website; he is part of s_users (if you check in my squid.conf). I think what you are saying is correct, but I don't know why it happens only with yahoo and not with gmail.

regards

On 5/30/07, Pablo Fernandes Yahoo <[EMAIL PROTECTED]> wrote:
> Hi Kamal,
>
> I'm not sure if I understood you well (explain a bit better).
>
> But anyway, for an initial test, try to allow all for a user and then access the same way you are trying now and having problems. Report to us. Just checking if there is something wrong with your allowed domains.
>
> I had similar problems with another web site. The problem was that, for the authentication, the web site tried to access another URL that isn't allowed for the user, so we could never get authenticated. After I allowed this new domain, that worked fine.
>
> Maybe that's your problem.
>
> regards
>
> Pablo Fernandes
>
> -----Original Message-----
> From: Kamal Paryani [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 30 May 2007 15:18
> To: squid-users@squid-cache.org
> Subject: [squid-users] copy paste from yahoo mail asks password
>
> hi
> I am using squid 2.6 stable 13
>
> I am using basic authentication
>
> when a user does a copy paste from yahoo mail to word
> the browser asks for the password again before allowing the paste
>
> my squid.conf lines which I changed are as follows
>
> # Squid normally listens to port 3128
> http_port 192.168.1.200:3128
>
> auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
>
> acl bo_users proxy_auth "/usr/local/squid/etc/bo_users"
> acl fo_users proxy_auth "/usr/local/squid/etc/fo_users"
> acl tpi_users proxy_auth "/usr/local/squid/etc/tpi_users"
> acl s_users proxy_auth "/usr/local/squid/etc/s_users"
> acl bo_sites dstdomain "/usr/local/squid/etc/bo_sites"
> acl fo_sites dstdomain "/usr/local/squid/etc/fo_sites"
> acl tpi_sites dstdomain "/usr/local/squid/etc/tpi_sites"
> http_access allow bo_sites bo_users
> http_access allow fo_sites fo_users
> http_access allow tpi_sites tpi_users
> http_access allow s_users
> http_access deny all
>
> acl our_networks src 192.168.1.0/24 192.168.2.0/24
> http_access allow our_networks
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> rest everything is at default
> regards
> kamal
Re: [squid-users] Missing "/var/log/squid/access.log"
On Tue 2007-06-05 at 16:09 +1200, D & E Radel wrote:
> Henrik Nordstrom wrote:
> > On Tue 2007-06-05 at 14:48 +1200, D & E Radel wrote:
> >> Hi there,
> >>
> >> After upgrading from squid 2.5 to 2.6 (Debian oldstable to Debian stable), everything now seems to work except SARG. SARG now complains about a missing:
> >> /var/log/squid/access.log
> >>
> >> Is there a change in the squid.conf that requires me to specify this somewhere?
> >
> > Yes. You need an access_log line in squid.conf telling Squid where to log, or it won't log.
> >
> > Regards
> > Henrik
>
> Thanks for that. Where can I find info on how to generate the access log? Or where can I download a generic squid.conf for 2.6? I couldn't see one in the stable tarball that I just downloaded.

The generic squid.conf is installed as squid.conf.default when you install Squid.

The access_log directive is the new 2.6 name for what was the cache_access_log directive in 2.5.

You do not need to generate the access log, but you need to tell Squid that it should make one.

Regards
Henrik
Re: [squid-users] squid_radius_auth accepts any credentials!
Henrik,

>> I'm currently using squid 2.5 stable 6 (I know it's old but it works and isn't the root of the problem!). Am using squid_radius_auth against our RADIUS server.
>
> Which version of squid_radius_auth?

Many thanks for the reply. The one detail I knew I had to state I forgot! I was originally running 1.06 and upgraded to 1.08 when the problem was identified. I originally thought it had resolved the problem but later found out that it was still there!

> Looks like the version of squid_radius_auth you have is broken. Which version is it, and from where did you get it?

I obtained both 1.06 and 1.08 from http://www.squid-cache.org/contrib/squid_radius_auth.

> Hmm.. looking at my partially maintained copy.. looks like I may have fixed this exact issue quite some time ago (a year to be exact) but never published a new copy. Oh well. Version 1.09 now published as http://www.squid-cache.org/contrib/squid_radius_auth/, please give it a try.

I'll download it now and get a change in to put it live. I'll post here and let everyone know whether it's OK now. I'll compare the sources but can you summarise what needed resolving?

Many thanks,

Neil.

--
Neil Hillard [EMAIL PROTECTED]
AgustaWestland http://www.whl.co.uk/