Re: [squid-users] ACL and http_access Confusion

2007-07-09 Thread Matus UHLAR - fantomas
> > So, replace
> >
> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >
> > with
> >
> > acl numeric_IPs dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >
> > and
> >
> > will this work?
> >
> > http_access deny CONNECT numeric_IPs !allowed_IPs

On 06.07.07 11:18, [EMAIL PROTECTED] wrote:
> Um, I'm starting to get a little confused here myself after that reply.
> 
> When you are wanting to test the actual destination IP you can use the
> 'dst' type ACL (squid will do any DNS lookup needed to find it before
> testing).

note that using 'dst' acl will disable connecting to those IP's also if
they're specified by a hostname, which is probably not what 

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: [squid-users] Mrtg and squid

2007-07-09 Thread Adrian Chadd
On Tue, Jul 10, 2007, Henrik Nordstrom wrote:
> Mon 2007-07-09 at 19:30 +0800, Adrian Chadd wrote:
> 
> > Hang tight, I'm just putting the finishing touches on a basic MRTG graphing
> > template which works with Squid-2.6 and Squid-3. I'll put it online once
> > I figure out why I'm not seeing LRU expiry time information.
> 
> Do we have that exposed in the MIB these days? Probably not. There is no
> global LRU expiration any more, just a per cache_dir one.. (and only
> when using lru)

It seems to be returning 00:00 to MRTG, which is obviously invalid.
Graphing the memory LRU age would be handy though.



Adrian



Re: [squid-users] transparent tproxy: routing issue or myownproblem ?

2007-07-09 Thread Ming-Ching Tiew

From: "Henrik Nordstrom" <[EMAIL PROTECTED]>

>
>> I lost you, what do you mean by bridge-netfilter integration. Any URL ?
>
> It's a kernel option.

Did you mean

CONFIG_BRIDGE_NETFILTER=y

and all these :-

#
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m

I have plenty of those inside many kernel and modules. How do I use it
instead of TPROXY ?

>> Hmmm interesting. I do not  have this rule in my system and I am
>> able to surf the NET via the bridge/squid ( if I set up proper routing ).
>
> It will work fine until you use TPROXY to have Squid fake the source IP
> on the requests it sends..

As far as I can tell my system is already faking the source IP. But I might
be wrong. :-)

Do you mean it is a result of some of the kernel CONFIGs which I had instead
of TPROXY module ?

Regards.




[squid-users] error pages

2007-07-09 Thread James Byrne
I know that %u in an error page gives you the url the person was trying to 
visit, can you by chance get a user name at that page with another shortcut, or 
any other way. Thanks in advance for the help.


Re: [squid-users] How to permit only Skype voice traffic

2007-07-09 Thread K K

On 7/6/07, FREGONI Roberto <[EMAIL PROTECTED]> wrote:

> I'd like to permit only Skype voice traffic and deny file transfer,
> chatting and device sharing through my squid proxy. Do you know if it is
> possible to do it.


Squid isn't capable of doing what you ask -- I doubt any network
firewall or proxy is capable of reliably doing what you ask.

Skype is a closed-source application using a proprietary peer-to-peer
protocol, and goes to extremes to prevent telcos from implementing
limitations on Skype traffic at the network level.

The features Skype has implemented to keep ISPs from
blocking/degrading phone calls also makes it difficult for other
network owners to *reliably* implement even simple permit or deny of
Skype sessions, as (aside from some phone-home behavior at session
startup) their  protocol pretty much looks like any other encrypted
P2P network protocol, tunneling over TCP/443 and any other port it can
find.  Among other implications, this means any firewall hole you open
"for Skype" is going to be available for other P2P to exploit.

My recommendation is to set a policy forbidding Skype and other
peer-to-peer, and take whatever technical and social measures you can
to enforce the policy.



> Now I can only deny or permit Skype traffic at all, I'd like to use
> Skype for voip traffic without risks of free file exchanging.


If you deploy MS-Windows as a domain (AD, etc) with good control over
the local workstations, you can use the "Skype for Business" group
policy feature to control file transfer via registry hacks on the
(Windows) workstations where the client is installed:
http://www.skype.com/security/Skype-v1.5.adm

http://share.skype.com/sites/security/2007/01/deploying_skype_in_a_windows_d.html#more

Kevin


[squid-users] Re: Problem for downloading packets using yum through the Squid's authentication.

2007-07-09 Thread RW
Elvin Hernàndez wrote:

> Hi everyone.
> 
> As you know, every machine with Fedora Core 6 can use the command 'yum'
> either to update the system or install packets on line. We tried to
> install the packets related with Xen via yum and we had not success to do
> it. The company's machines go out to Internet through Squid which
> authenticate the users before allow access to internet. In a beginning we
> thought that the problem was that yum was not authenticating with proxy
> and therefore it can't download the packets from Internet, so we edited
> the file /etc/yum.conf and added the next lines:
> 
> proxy=10.200.0.48:8081
> proxy_username=ehernandez
> proxy_password=**
> 
> Once we did the previous, we tried to download the packets again and we
> obtained the next error:
> 
> Loading "installonlyn" plugin
> Options Error: Error parsing '10.200.0.48:8081': URL must be http, ftp or
> https not "10.200.0.48"

Have you tried the obvious:

proxy=http://10.200.0.48:8081



Re: [squid-users] Using the squidclient to put a file into squid cache

2007-07-09 Thread ying lcs

On 7/9/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

> Mon 2007-07-09 at 00:39 -0500, ying lcs wrote:
>
> > I am trying to use the squidclient to put a file into squid cache.
>
> You can't. You can only use squidclient to ask Squid to fetch a file to
> be placed in the cache..
>
> If this needs to be fetched from a different location than normal
> accesses then see cache_peer + cache_peer_access..



Thanks but my understanding is cache_peer + cache_peer_access can only
access/load files from caches in other squid server.

In my case, I want to put a local file to the squid cache. That is
kind of different.

I appreciate if you can give me more pointers to achieve what I want.

Thank you.




> Regards
> Henrik




Re: [squid-users] Problem for downloading packets using yum through the Squid's authentication.

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 10:05 -0700, Elvin Hernàndez wrote:

> proxy=10.200.0.48:8081
> proxy_username=ehernandez
> proxy_password=**
> 
> Once we did the previous, we tried to download the packets again and we 
> obtained the next error:
> 
> Loading "installonlyn" plugin
> Options Error: Error parsing '10.200.0.48:8081': URL must be http, ftp or 
> https not "10.200.0.48"

Try

proxy=http://10.200.0.48:8081

Regards
Henrik




Re: [squid-users] How to permit only Skype voice traffic

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 15:52 +, Vadim Pushkin wrote:
> Could you, or anyone else on this list? Provide an example on how to do this 
> for CONNECT?

Just add the port used to SSL_Ports and Safe_Ports.

Regards
Henrik




Re: [squid-users] Re: squid and multiple redirectors

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 16:32 +0100, RW wrote:
> Jeff Pang wrote:
> 
> > 2007/7/8, Dave <[EMAIL PROTECTED]>:
> >> Hello,
> >> I'm running squid 2.6 and need to run several redirectors, one for
> >> banner filtering, another for av, and a possible third for chat blocking
> >> if there is one? I read about a shell script:
> >>
> >> #!/bin/sh
> >>
> >> /path/to/redirector1 | /path/to/redirector2
> > 
> > This is bad way. Using pipe is expensive at most time.
> 
> More importantly it wouldn't work as expected, as redirectors return a blank
> line to indicate the URL is unmodified.

Posted a perl script on the list some year ago or so for chaining
redirectors using Open2().

Regards
Henrik




Re: [squid-users] Problem for downloading packets using yum through the Squid's authentication.

2007-07-09 Thread Elvin Hernàndez
Hi everyone

I could resolve the problem. I just had to do the following:

1.- In a shell I wrote the next line:

http_proxy=http://lhernandez:[EMAIL PROTECTED]:8081

2.- After that, I exported the variable:

export http_proxy

Regards

----- Original message -----
From: Isnard Jaquet <[EMAIL PROTECTED]>
To: Elvin Hernàndez <[EMAIL PROTECTED]>
Sent: Monday, 9 July 2007 14:02:45
Subject: Re: [Via RS MAX: SPAM] Re: [squid-users] Problem for downloading 
packets using yum through the Squid's authentication.


Are you sure the port number of your proxy is 8081? Telnet it and see
what happens. Post the output please.

Regards, 

Isnard


On Mon, 2007-07-09 at 11:29 -0700, Elvin Hernàndez wrote:
> I follow your advice but I got a new error:
> 
> [EMAIL PROTECTED] ~]# yum install kernel-xen xen virt-manager
> Loading "installonlyn" plugin
> Setting up Install Process
> Setting up repositories
> Could not retrieve mirrorlist 
> http://mirrors.fedoraproject.org/mirrorlist?repo=core-6&arch=i386 error was
> [Errno 4] IOError: 
> Error: Cannot find a valid baseurl for repo: core
> 
> Other idea???
> 
> Thank you
> 
> ----- Original message -----
> From: Isnard Jaquet <[EMAIL PROTECTED]>
> To: Elvin Hernàndez <[EMAIL PROTECTED]>
> Sent: Monday, 9 July 2007 12:44:14
> Subject: Re: [squid-users] Problem for downloading packets using yum through 
> the Squid's authentication.
> 
> 
> Try 
> proxy=http://10.200.0.48:8081
> 
> 
> Regards,
> 
> Isnard
> 
> 
> On Mon, 2007-07-09 at 10:05 -0700, Elvin Hernàndez wrote:
> > Hi everyone.
> > 
> > As you know, every machine with Fedora Core 6 can use the command 'yum' 
> > either to update the system or install packets on line. We tried to install 
> > the packets related with Xen via yum and we had not success to do it. The 
> > company's machines go out to Internet through Squid which authenticate the 
> > users before allow access to internet. In a beginning we thought that the 
> > problem was that yum was not authenticating with proxy and therefore it 
> > can't download the packets from Internet, so we edited the file 
> > /etc/yum.conf and added the next lines:
> > 
> > proxy=10.200.0.48:8081
> > proxy_username=ehernandez
> > proxy_password=**
> > 
> > Once we did the previous, we tried to download the packets again and we 
> > obtained the next error:
> > 
> > Loading "installonlyn" plugin
> > Options Error: Error parsing '10.200.0.48:8081': URL must be http, ftp or 
> > https not "10.200.0.48"
> > 
> > What must I do so that yum can perform correctly and it can download 
> > packets from Internet via Squid?
> > Do I need to perform any configuration on Squid so that I can download 
> > packets via 'yum'?
> > 
> > If you have some documentation or some opinion to resolve this problem I'll 
> > be grateful for it.
> > 
> > Regards.
> > 


Re: [squid-users] Mrtg and squid

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 19:30 +0800, Adrian Chadd wrote:

> Hang tight, I'm just putting the finishing touches on a basic MRTG graphing
> template which works with Squid-2.6 and Squid-3. I'll put it online once
> I figure out why I'm not seeing LRU expiry time information.

Do we have that exposed in the MIB these days? Probably not. There is no
global LRU expiration any more, just a per cache_dir one.. (and only
when using lru)

Regards
Henrik




Re: [squid-users] transparent tproxy: routing issue or my ownproblem ?

2007-07-09 Thread Henrik Nordstrom
Tue 2007-07-10 at 00:14 +0800, Ming-Ching Tiew wrote:

> I lost you, what do you mean by bridge-netfilter integration. Any URL ?

It's a kernel option.

> Hmmm interesting. I do not  have this rule in my system and I am
> able to surf the NET via the bridge/squid ( if I set up proper routing ).

It will work fine until you use TPROXY to have Squid fake the source IP
on the requests it sends..

> Now you make me wonder if I have set it up correctly. It seems to 
> me that the internet-->lan traffic is already heading into the bridge, 
> so there is no need to hijack it again. Am I missing something ?

The bridge needs to know to forward that traffic to Squid if it's a
response to the request sent by Squid..

Regards
Henrik




Re: [squid-users] Re: Squid 2.6 Stable13 with Reverse Proxy for RPC and OWA

2007-07-09 Thread Henrik Nordstrom
Anything in cache.log?

What does access.log say?

Sun 2007-07-08 at 16:02 +0530, Shekhar Gupta wrote:
> Any updates from any one ?
> 
> On 7/4/07, Shekhar Gupta <[EMAIL PROTECTED]> wrote:
> > Hi ,
> >
> > I am having following problem with squid acting as reverse proxy for
> > my OWA and RPC server .
> >
> > Both OWA and RPC is having the same hostname as of now. I am able
> > to get it worked with OWA however as shown on wiki for RPC I tried
> > with option RPC-DATA-IN and OUT, but that didn't work, every time I
> > change my outlook to new reverse proxy address it will show exchange
> > as offline.
> >
> > OWA and RPC hostname : owa-rpc.mydomain.com
> > Squid is compiled with dns disabled option .
> > https_port 443  cert=/usr/rprgate/servercrt.pem key=/usr/rprgate/serverkey.pem defaultsite=owa-rpc.mydomain.com vhost
> > cache_peer 10.112.51.93 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=owa-rpc.mydomain.com
> > extension_methods RPC_IN_DATA RPC_OUT_DATA
> > acl owaserver dstdomain owa-rpc.mydomain.com
> > cache_peer_access owa-rpc.mydomain.com allow owaserver
> > acl OWAip dst 10.112.51.93
> > http_access allow OWAip
> > http_access allow all
> > miss_access allow OWAip
> > miss_access deny all
> >
> > Please let me know where i am wrong in this , why my RPC is not
> > working where as OWA is working fine .  any clue
> >
> > Regards
> > Shekhar
> >




Re: [squid-users] Using the squidclient to put a file into squid cache

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 00:39 -0500, ying lcs wrote:

> I am trying to use the squidclient to put a file into squid cache.

You can't. You can only use squidclient to ask Squid to fetch a file to
be placed in the cache..

If this needs to be fetched from a different location than normal
accesses then see cache_peer + cache_peer_access..

Regards
Henrik




Re: [squid-users] Problem for downloading packets using yum through the Squid's authentication.

2007-07-09 Thread Elvin Hernàndez
Yes, I'm sure that the correct port to go out to internet is 8081. Here is the 
output:
 
[EMAIL PROTECTED] ~]# telnet 10.200.0.48 8081
Trying 10.200.0.48...
Connected to poseidon.insys-corp.com.mx (10.200.0.48).
Escape character is '^]'.
 
 
Connection closed by foreign host.

On the other hand, I read in a manual that in the argument 'proxy' is specified 
the url to the proxy server that yum should use.  If squid doesn't perform as a 
Web Server and  If I just can reference to Squid by IP address, I don't know 
how to point to Squid in this argument.

Regards

----- Original message -----
From: Isnard Jaquet <[EMAIL PROTECTED]>
To: Elvin Hernàndez <[EMAIL PROTECTED]>
Sent: Monday, 9 July 2007 14:02:45
Subject: Re: [Via RS MAX: SPAM] Re: [squid-users] Problem for downloading 
packets using yum through the Squid's authentication.


Are you sure the port number of your proxy is 8081? Telnet it and see
what happens. Post the output please.

Regards, 

Isnard


On Mon, 2007-07-09 at 11:29 -0700, Elvin Hernàndez wrote:
> I follow your advice but I got a new error:
> 
> [EMAIL PROTECTED] ~]# yum install kernel-xen xen virt-manager
> Loading "installonlyn" plugin
> Setting up Install Process
> Setting up repositories
> Could not retrieve mirrorlist 
> http://mirrors.fedoraproject.org/mirrorlist?repo=core-6&arch=i386 error was
> [Errno 4] IOError: 
> Error: Cannot find a valid baseurl for repo: core
> 
> Other idea???
> 
> Thank you
> 
> ----- Original message -----
> From: Isnard Jaquet <[EMAIL PROTECTED]>
> To: Elvin Hernàndez <[EMAIL PROTECTED]>
> Sent: Monday, 9 July 2007 12:44:14
> Subject: Re: [squid-users] Problem for downloading packets using yum through 
> the Squid's authentication.
> 
> 
> Try 
> proxy=http://10.200.0.48:8081
> 
> 
> Regards,
> 
> Isnard
> 
> 
> On Mon, 2007-07-09 at 10:05 -0700, Elvin Hernàndez wrote:
> > Hi everyone.
> > 
> > As you know, every machine with Fedora Core 6 can use the command 'yum' 
> > either to update the system or install packets on line. We tried to install 
> > the packets related with Xen via yum and we had not success to do it. The 
> > company's machines go out to Internet through Squid which authenticate the 
> > users before allow access to internet. In a beginning we thought that the 
> > problem was that yum was not authenticating with proxy and therefore it 
> > can't download the packets from Internet, so we edited the file 
> > /etc/yum.conf and added the next lines:
> > 
> > proxy=10.200.0.48:8081
> > proxy_username=ehernandez
> > proxy_password=**
> > 
> > Once we did the previous, we tried to download the packets again and we 
> > obtained the next error:
> > 
> > Loading "installonlyn" plugin
> > Options Error: Error parsing '10.200.0.48:8081': URL must be http, ftp or 
> > https not "10.200.0.48"
> > 
> > What must I do so that yum can perform correctly and it can download 
> > packets from Internet via Squid?
> > Do I need to perform any configuration on Squid so that I can download 
> > packets via 'yum'?
> > 
> > If you have some documentation or some opinion to resolve this problem I'll 
> > be grateful for it.
> > 
> > Regards.
> > 


Re: [squid-users] transparent tproxy: routing issue or my ownproblem ?

2007-07-09 Thread Ming-Ching Tiew
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>

>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
> -i eth0 --ip-source your.lan.network/mask \
> --ip-destination-port 80 -j redirect --redirect-target ACCEPT

If you look at the http://ebtables.sourceforge.net/examples.html#easy,
it says when re-direct on ethX, it should be DROP instead of accept,
while doing it on brX, then it should be ACCEPT. I am no ebtables
expert, correct me if I am wrong. :-)

> If you are to use TPROXY then I'd recommend using the bridge-netfilter
> integration instead of ebtables.

I lost you, what do you mean by bridge-netfilter integration. Any URL ?

> This because TPROXY needs to intercept
> the return traffic as well, not just lan->internet traffic. It's
> possible to add ebtables rules for this by doing rules inverse to the
> above.
>
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
> --ip-destination your.lan.network/mask \
> --ip-source-port 80 -j redirect --redirect-target ACCEPT
>

Hmmm interesting. I do not  have this rule in my system and I am
able to surf the NET via the bridge/squid ( if I set up proper routing ).
Now you make me wonder if I have set it up correctly. It seems to 
me that the internet-->lan traffic is already heading into the bridge, 
so there is no need to hijack it again. Am I missing something ?

Regards.








[squid-users] Re: Re: Using the squidclient to put a file into squid cache

2007-07-09 Thread RW
ying lcs wrote:

> On 7/9/07, RW <[EMAIL PROTECTED]> wrote:
>> ying lcs wrote:
>>
>> > Hi,
>> >
>> > I am trying to use the squidclient to put a file into squid cache.
>> >
>> > Like this:
>> > ./squidclient -P test.html http://www.test.com
>>
>> That command is for uploading a file to a remote server through squid.
>>
>> I'm guessing that what you trying to do is create a fake cache entry.
>> AFAIK you can't do that with squidclient. Possibly what you need is a
>> squid redirector to rewrite requests instead. There are a number of
>> these, try google.
>>
> 
> Thanks. I have looked at these squid redirector:
> http://www.squidguard.org/Doc/
> http://squirm.foote.com.au/
> 
> none of them allows me to upload a file to squid cache .

They don't but they allow squid to replace one url with another so you can
substitute your file for the one on the remote webserver.




Re: [squid-users] split access log up for different sites?

2007-07-09 Thread Anton Melser

On 09/07/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

> Mon 2007-07-09 at 19:06 +0200, Anton Melser wrote:
> > That's just perfect thanks Hendrik! Those 2.6 docs are going to be my friend!
>
> It's the exact same text as you have in squid.conf.default..


yip, and the first thing I did was grep out all the comments... alas,
I spend about 0.005% of my time configuring squid, and have got used
to programmes with reasonably accessible online docs...
It's all good though, thanks!
Cheers
Anton


Re: [squid-users] split access log up for different sites?

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 19:06 +0200, Anton Melser wrote:
> That's just perfect thanks Hendrik! Those 2.6 docs are going to be my friend!

It's the exact same text as you have in squid.conf.default..

Regards
Henrik




Re: [squid-users] Re: Using the squidclient to put a file into squid cache

2007-07-09 Thread ying lcs

On 7/9/07, RW <[EMAIL PROTECTED]> wrote:

> ying lcs wrote:
>
> > Hi,
> >
> > I am trying to use the squidclient to put a file into squid cache.
> >
> > Like this:
> > ./squidclient -P test.html http://www.test.com
>
> That command is for uploading a file to a remote server through squid.
>
> I'm guessing that what you trying to do is create a fake cache entry. AFAIK
> you can't do that with squidclient. Possibly what you need is a squid
> redirector to rewrite requests instead. There are a number of these, try
> google.



Thanks. I have looked at these squid redirector:
http://www.squidguard.org/Doc/
http://squirm.foote.com.au/

none of them allows me to upload a file to squid cache .

Can you please tell me if I am missing anything?

Thank you.









Re: [squid-users] split access log up for different sites?

2007-07-09 Thread Anton Melser

That's just perfect thanks Hendrik! Those 2.6 docs are going to be my friend!
Cheers
Anton

On 09/07/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

Fri 2007-07-06 at 08:58 +0200, Anton Melser wrote:

> Thanks for that. It's not entirely clear from the docs... So do I need
> something like:
>
> acl sitea dstdomain my.site.com
>
> logformat sitea %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log  /var/log/squid/combined.log sitea

Almost..

access_log  /var/log/squid/combined.log sitea sitea

the first is the log format, the second the acl filtering what to log
there..


> This doesn't seem possible from the docs
> (http://www.visolve.com/squid/squid30/logs.php) but the docs are for
> squid 3!

See squid.conf.default for the right documentation for your Squid
version, or
http://www.squid-cache.org/Versions/v2/2.6/cfgman/access_log.html for
the online version for 2.6.

Regards
Henrik




[squid-users] Problem for downloading packets using yum through the Squid's authentication.

2007-07-09 Thread Elvin Hernàndez
Hi everyone.

As you know, every machine with Fedora Core 6 can use the command 'yum' either 
to update the system or install packets on line. We tried to install the 
packets related with Xen via yum and we had not success to do it. The company's 
machines go out to Internet through Squid which authenticate the users before 
allow access to internet. In a beginning we thought that the problem was that 
yum was not authenticating with proxy and therefore it can't download the 
packets from Internet, so we edited the file /etc/yum.conf and added the next 
lines:

proxy=10.200.0.48:8081
proxy_username=ehernandez
proxy_password=**

Once we did the previous, we tried to download the packets again and we 
obtained the next error:

Loading "installonlyn" plugin
Options Error: Error parsing '10.200.0.48:8081': URL must be http, ftp or https 
not "10.200.0.48"

What must I do so that yum can perform correctly and it can download packets 
from Internet via Squid?
Do I need to perform any configuration on Squid so that I can download packets 
via 'yum'?

If you have some documentation or some opinion to resolve this problem I'll be 
grateful for it.

Regards.



Re: [squid-users] How to permit only Skype voice traffic

2007-07-09 Thread Vadim Pushkin
Could you, or anyone else on this list? Provide an example on how to do this 
for CONNECT?


Many thanks,

.vp




FREGONI Roberto wrote:

Hi guys,
I'd like to permit only Skype voice traffic and deny file transfer,
chatting and device sharing through my squid proxy. Do you know if it is
possible to do it.
Now I can only deny or permit Skype traffic at all, I'd like to use
Skype for voip traffic without risks of free file exchanging.
Thanks in advance
Regards
 roberto


Squid cannot yet determine the content of traffic in tunnels (CONNECT 
tunneling is used by skype). Squid can however pass most kinds of content 
via ICAP to an external content processor. You'll need one of those.


Amos





[squid-users] Re: squid and multiple redirectors

2007-07-09 Thread RW
Jeff Pang wrote:

> 2007/7/8, Dave <[EMAIL PROTECTED]>:
>> Hello,
>> I'm running squid 2.6 and need to run several redirectors, one for
>> banner filtering, another for av, and a possible third for chat blocking
>> if there is one? I read about a shell script:
>>
>> #!/bin/sh
>>
>> /path/to/redirector1 | /path/to/redirector2
> 
> This is bad way. Using pipe is expensive at most time.

More importantly it wouldn't work as expected, as redirectors return a blank
line to indicate the URL is unmodified.
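
The failure described above, next to one way of chaining the helpers instead, as an added Python example (not the Perl Open2() script mentioned elsewhere in this thread, and not code from any poster). It assumes the non-concurrent redirector protocol with a request line of the form "URL client_ip/fqdn ident method"; `banner_filter`, `chat_block` and the example.test URLs are constructed stand-ins.

```python
"""Chain Squid redirectors so a blank "unchanged" reply is not passed on.

Assumed protocol (non-concurrent helpers): one request line in, of the form
"URL client_ip/fqdn ident method", and one reply line out, where an empty
reply means "leave the URL as it is".
"""
import shlex
import subprocess
import sys


class Helper:
    """One redirector child process, queried one line at a time."""

    def __init__(self, command):
        self.proc = subprocess.Popen(
            shlex.split(command), stdin=subprocess.PIPE,
            stdout=subprocess.PIPE, text=True, bufsize=1)

    def __call__(self, request_line):
        self.proc.stdin.write(request_line + "\n")
        self.proc.stdin.flush()
        reply = self.proc.stdout.readline()
        if reply == "":
            # EOF is not the same as a blank line: the helper has died.
            # Raise so that a crashed filter is noticed, not read as "allow".
            raise RuntimeError("redirector exited: %r" % (self.proc.args,))
        return reply.rstrip("\r\n")


def naive_pipe(request_line, helpers):
    """What `redirector1 | redirector2` does: each stage only sees the
    previous stage's output, so a blank reply erases the request."""
    line = request_line
    for ask in helpers:
        line = ask(line)
    return line


def chain(request_line, helpers):
    """Ask every helper in turn, carrying the URL forward ourselves."""
    original_url, _, rest = request_line.partition(" ")
    url = original_url
    for ask in helpers:
        tokens = ask((url + " " + rest).rstrip()).split()
        if tokens:                  # non-blank reply: helper rewrote the URL
            url = tokens[0]
    # Squid itself also expects a blank line when nothing changed.
    return "" if url == original_url else url


# Constructed stand-ins for real redirectors, usable without subprocesses.
def banner_filter(line):
    url = line.split(" ", 1)[0]
    return "http://127.0.0.1/blank.gif" if "/ads/" in url else ""


def chat_block(line):
    url = line.split(" ", 1)[0]
    if url.startswith("http://chat.example.test/"):
        return "http://127.0.0.1/blocked.html"
    return ""


def main(argv):
    """Run as Squid's redirector: each argument is one helper command."""
    helpers = [Helper(cmd) for cmd in argv[1:]]
    for line in sys.stdin:
        print(chain(line.rstrip("\r\n"), helpers), flush=True)


if __name__ == "__main__":
    main(sys.argv)
```

With the plain pipe, a request the first filter leaves alone reaches the second filter as an empty line, so the second filter never sees the URL it was meant to block.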



Re: [squid-users] Creating a web admin site, suggestions?

2007-07-09 Thread Roger Morris
Elijah Alcantara wrote:
> Hi,
> 
> I've got this small project to create a php+mysql system that will
> manage a small network and setup web rules like blocking specific
> websites.
> 
> I was thinking of saving these rules to the database then if the user
> clicks on the apply button at the frontend the squid proxy will fetch
> all these rules from a text/config file that the system created from
> the database.
> 
> Is that the best solution? any comments on how I could best tackle this ?

I have squid/squidguard setup.   I have a php page that users can go to
and add blocks for their areas.  A cronjob runs and checks the database,
if the table had been modified, it creates the new access list and
updates the proxy servers.
We have multiple schools in the district, each school can determine what
extra blocks they want to have for their school.
I also have a 'global' table, so if I find a site that should be blocked
district wide, then I add the site to the global list.   When the person
logs into the admin site, they only have the ability to alter their
school file.



[squid-users] squid and extranet

2007-07-09 Thread zbigniew

Hello,

I am very new to squid and sorry if I may be asking just a very obvious
question but... I configured squid to be a proxy server and it works great.
I have one problem, though. When I try to log in to my work extranet (which
is a remote network), squid somehow disallows it. That is, a login window
to enter U and P is presented  but it won't log me in. However, when I
bypass squid and connect to the extranet, I can log in w/o a problem. What
should I be looking for? Has anyone had this problem before? 

Thank you in advance for heading me in the right direction. 

BTW - I can live with that as I defined (in browser) that extranet is an
exception and there is not proxying for it but it would be nice to get it
to work.

Warm regards,

Zbigniew Szalbot





[squid-users] Re: confirm unsubscribe from squid-users@squid-cache.org

2007-07-09 Thread Markus Krause

Quoting [EMAIL PROTECTED]:


Hi! This is the ezmlm program. I'm managing the
squid-users@squid-cache.org mailing list.

I'm working for my owner, who can be reached
at [EMAIL PROTECTED]

This is an automated response from the squid-cache.org list server
to confirm the requested action.

If you have not sent the unsubscribe request below then it is safe
to ignore the request.

To confirm that you would like

   [EMAIL PROTECTED]

removed from the squid-users mailing list, please send an empty reply
to this address:

 
[EMAIL PROTECTED]


Usually, this happens when you just hit the "reply" button.
If this does not work, simply copy the address and paste it into
the "To:" field of a new message.

I haven't checked whether your address is currently on the mailing list.
To see what address you used to subscribe, look at the messages you are
receiving from the mailing list. Each message has your address hidden
inside its return path; for example, [EMAIL PROTECTED] receives messages
with return path:   
[EMAIL PROTECTED]



--- Enclosed is a copy of the request I received.

unsubscribe





+-+
| Markus Krause, Mogli-Soft   |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL|
| by order of the |
|Computing Center of the Max-Planck-Institute of Biochemistry |
+++
| E-Mail: [EMAIL PROTECTED]  |  Tel.: 089 - 89 40 8

Re: [squid-users] Mrtg and squid

2007-07-09 Thread Angela Williams
Hi Adrian!
On Monday 09 July 2007 13:30, Adrian Chadd wrote:

> On Mon, Jul 09, 2007, Angela Williams wrote:
> > Hi All Squiders!
> > I have run many squid boxes over the years but never really worried about
> > any stats out of them other than cache manager and sarg.
> > We have just put a new box in to frontend an F5 Link controller which
> > frontends a few dsl lines.
> > I now really need to tweak this box for really good performance so have
> > tried mrtg to do this.
> > Here is the problem! I have had to change all the nice MIB names to
> > dreadful oid numbers to make it work.
>
> You haven't changed the MIB numbers;

This is the config after I changed the names to numbers!
It had been cacheServerRequests in the original config.
Result was empty graphs and tons of errors in the mrtg log!
Sorry should have mentioned that!

> > Target[cacheServerRequests]: 1.3.6.1.4.1.3495.1.3.2.1.10.0&1.3.6.1.4.1.3495.1.3.2.1.10.0:[EMAIL PROTECTED]:3401
>
> That's still a MIB number!
>
> Hang tight, I'm just putting the finishing touches on a basic MRTG graphing
> template which works with Squid-2.6 and Squid-3. I'll put it online once
> I figure out why I'm not seeing LRU expiry time information.

I'm waiting breathlessly!!

Cheers
Ang


-- 
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!


[squid-users] Re: Using the squidclient to put a file into squid cache

2007-07-09 Thread RW
ying lcs wrote:

> Hi,
> 
> I am trying to use the squidclient to put a file into squid cache.
> 
> Like this:
> ./squidclient -P test.html http://www.test.com

That command is for uploading a file to a remote server through squid.

I'm guessing that what you are trying to do is create a fake cache entry. AFAIK
you can't do that with squidclient. Possibly what you need is a squid
redirector to rewrite requests instead. There are a number of these, try
google.





Re: [squid-users] Mrtg and squid

2007-07-09 Thread Angela Williams
Hi Henrik
On Monday 09 July 2007 13:31, Henrik Nordstrom wrote:
> Fri 2007-07-06 at 15:40 +0200, Angela Williams wrote:
> > Hi All Squiders!
> >
> > Here is the problem! I have had to change all the nice MIB names to
> > dreadful oid numbers to make it work.
>
> The easier solution is to ask MRTG to load the Squid mib. Works fine, at
> least last time I used MRTG (quite many years ago..).

Still trying to get on to the mrtg list! Subscribe but nothing came back! :-(

> > These are the errors I see in my /var/log/mrtg.log file
> >
> > 2007-07-06 13:58:19 -- Started mrtg with config '/etc/squid-mrtg.conf'
> > 2007-07-06 13:58:19 -- Unknown SNMP var cacheUptime
> >  at /usr/bin/mrtg line 2149
> >
> >
> > Using snmpget with a -m and the mib file gets me the correct results but
> > it seems to me that mrtg is not using the squid mibs.
>
> Is the MIB readable by the user running mrtg?

I'm currently using root to run mrtg to resolve that possibility!
I even tried putting the mib file in /tmp perms 777 just to be sure!

I'll give this a few days and then hack your scripts!

Cheers
Ang

-- 
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!


Re: [squid-users] Need info

2007-07-09 Thread Henrik Nordstrom
Wed 2007-07-04 at 09:55 +0530, Rajanikanth H.V wrote:

> Does squid support git native port.

Only if it's HTTP, or the client is using CONNECT to establish a tunnel.

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] Mrtg and squid

2007-07-09 Thread Henrik Nordstrom
Fri 2007-07-06 at 15:40 +0200, Angela Williams wrote:
> Hi All Squiders!

> Here is the problem! I have had to change all the nice MIB names to dreadful 
> oid numbers to make it work.

The easier solution is to ask MRTG to load the Squid mib. Works fine, at
least last time I used MRTG (quite many years ago..).

> These are the errors I see in my /var/log/mrtg.log file
> 
> 2007-07-06 13:58:19 -- Started mrtg with config '/etc/squid-mrtg.conf'
> 2007-07-06 13:58:19 -- Unknown SNMP var cacheUptime
>  at /usr/bin/mrtg line 2149

> 
> Using snmpget with a -m and the mib file gets me the correct results but it 
> seems to me that mrtg is not using the squid mibs.

Is the MIB readable by the user running mrtg?

Regards
Henrik




Re: [squid-users] Mrtg and squid

2007-07-09 Thread Adrian Chadd
On Mon, Jul 09, 2007, Angela Williams wrote:
> Hi All Squiders!
> I have run many squid boxes over the years but never really worried about any 
> stats out of them other than cache manager and sarg.
> We have just put a new box in to frontend an F5 Link controller which 
> frontends a few dsl lines.
> I now really need to tweak this box for really good performance so have tried 
> mrtg to do this.
> Here is the problem! I have had to change all the nice MIB names to dreadful 
> oid numbers to make it work.

You haven't changed the MIB numbers;

> Target[cacheServerRequests]: 1.3.6.1.4.1.3495.1.3.2.1.10.0&1.3.6.1.4.1.3495.1.3.2.1.10.0:[EMAIL PROTECTED]:3401

That's still a MIB number!

Hang tight, I'm just putting the finishing touches on a basic MRTG graphing
template which works with Squid-2.6 and Squid-3. I'll put it online once
I figure out why I'm not seeing LRU expiry time information.



Adrian



Re: [squid-users] Re: transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Henrik Nordstrom
Fri 2007-07-06 at 15:08 +0800, Ming-Ching Tiew wrote:

> Sorry for taking up your bandwidth it looks like I am looking for something
> impossible at this moment.

Not impossible, but quite hard. A lot easier to make sure you have
proper routing set up on the bridge...

Regards
Henrik




Re: [squid-users] split access log up for different sites?

2007-07-09 Thread Henrik Nordstrom
Fri 2007-07-06 at 08:58 +0200, Anton Melser wrote:

> Thanks for that. It's not entirely clear from the docs... So do I need
> something like:
> 
> acl sitea dstdomain my.site.com
> 
> logformat sitea %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log  /var/log/squid/combined.log sitea

Almost..

access_log  /var/log/squid/combined.log sitea sitea

the first is the log format, the second the acl filtering what to log
there..


> This doesn't seem possible from the docs
> (http://www.visolve.com/squid/squid30/logs.php) but the docs are for
> squid 3!

See squid.conf.default for the right documentation for your Squid
version, or
http://www.squid-cache.org/Versions/v2/2.6/cfgman/access_log.html for
the online version for 2.6.

Regards
Henrik




Re: [squid-users] Automatic switching of squid to a second internet link?

2007-07-09 Thread Danish Siddiqui


Tek Bahadur Limbu wrote:
> Danish Siddiqui wrote:
>>
>> Tek Bahadur Limbu wrote:
>>> Danish Siddiqui wrote:
>>>> Hi,
>>>> I've got squid proxy server running on a CentOS 4.4 machine. This proxy
>>>> server is connected to the internet through a Sonicwall PRO3060
>>>> firewall machine.
>>>>
>>>> We have got three different ISP lines, one of which is used by squid.
>>>> All the three lines terminate at the firewall. One of these links then
>>>> goes to the squid server.
>>>> Many a times it happens that the internet link on the squid line goes
>>>> down, because of which we have to switch the squid server on to one of
>>>> the remaining ISP lines.
>>> Hi Danish Siddiqui,
>>>
>>> When the 1st ISP goes down, does that mean that you actually have to 
>>> switch the cable from your squid box to the 2nd or 3rd ISP link on 
>>> your Sonicwall machine?
>>>
>> No, the only cable that is connected to the squid box is from the 
>> Sonicwall firewall.
>>>> I was planning a setup in which an extra NIC would be attached to the
>>>> squid server. This NIC would be connected to a different ISP line, so
>>>> that when one link goes down, the squid proxy server automatically
>>>> switches on to the next line, wherein the LAN users don't get to feel
>>>> the difference while browsing. Also, when the original link gets
>>>> restored, the squid server automatically switches back on to the
>>>> original link
>>> If your Sonicwall firewall and routing policy allows you to access 
>>> all 3 ISPs lines from your Squid box, I think that you can use the 
>>> "tcp_outgoing_address" parameter to switch to either the 2nd or 3rd 
>>> ISP connection when the 1st ISP goes down.
>>>
>>> Of course, you must have a small script in Crontab to check for 
>>> internet connectivity to your 1st ISP at regular intervals, say 
>>> every 2 minutes.
>>>
>> How will the script go. Can you give me some pointers till the time I 
>> look around for it.
>
> Hi,
>
> I think a simple script such as PING should suffice. If your 1st ISP 
> goes down, can you ping your Sonicwall Firewall WAN port?
>
>
>
>>> If the 1st ISP gets internet connectivity again, then let the script 
>>> restore connectivity from the 2nd or 3rd ISP back to the 1st ISP again.
>>>
>>> But again, adding 2 extra NIC cards to your Squid box will provide 
>>> you more control and fail over. In my opinion, it will be a very 
>>> interesting option.
>>>
>> Seems interesting to me too
>>> If your Squid box is running on Linux with a kernel greater than 
>>> 2.4.20, then you can apply traffic and routing rules.
>> Its running on a CentOS 4.4 with kernel 2.6.9-42.ELsmp
>>> Please see the following link:
>>>
>>> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>>>
>>> This guys really seem to perform some kind of magic with advanced 
>>> routing and traffic control!
>>>
>
> Have you given any thoughts to implementing such a feature suggested 
> by lartc.org ?
> I think it's ideal for your case where you have 3 internet providers 
> where you can split the load among the 3 providers?
>
I tried to go through the above lartc.org link, but unfortunately I 
wasn't able to understand much.
Instead I'm going through this link to clear my basics first
http://www.hispafuentes.com/hf-doc/HOWTOs/Linux-html-HOWTOs-20021014/HOWTO/Net-HOWTO/x552.html

Danish
Thanking you...
>
>>>
>>>> My current setup requires me to deny access to the squid server till
>>>> the time it is up again.
>>> I suppose that you can't access all 3 ISPs lines from your Squid box?
>> Ill have to go according to your suggestions. But at the moment the 
>> squid box can access only 1 ISP line
>>>> Is this setup possible? And if yes, can you please tell me how or
>>>> point me to the necessary resources.
>>> I definitely think it is possible. Let's wait and get more help and 
>>> input from other experts and professionals from the Squid mailing list.
>>>
>>>
>>> Thanking you...
>>>
>>>> Thanks
>>>> Danish

Re: [squid-users] block internal proxy servers

2007-07-09 Thread Henrik Nordstrom
Thu 2007-07-05 at 23:44 -0700, apee r wrote:
> hi all. i am using squid proxy 2.6. i have both auth
> acl and ip src acl to authenticate my internal users.
> but some users are using proxy servers on internal
> machines. how to block requests coming from internal
> proxy servers.   

You need to identify these servers and block them by source IP.


Why do you want to do this?

Regards
Henrik




Re: [squid-users] Using ACL

2007-07-09 Thread Henrik Nordstrom
Mon 2007-07-09 at 09:25 +0300, Murat Ipekbayrak wrote:
> Hi,
> 
> I wonder if I can use the defined URL which is being presented by acl_name.
> 
> For example:
> 
> acl block_google url_regex -i www.google.com
> 
> How can I point to www.google.com by using block_google? Is there any 
> parameters like %s or anything else?

Use where?

Regards
Henrik




Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Henrik Nordstrom
Fri 2007-07-06 at 11:07 +0800, Ming-Ching Tiew wrote:

> I think I fixed the issue by changing the ebtables rule to :-
> 
> ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
>--ip-destination-port 80 -j redirect --redirect-target DROP

Should be

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
-i eth0 --ip-source your.lan.network/mask \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT

with eth0 being the interface connected to your LAN, and
your.lan.network/mask the IP network used on your LAN.

Do NOT redirect networks for which you do not have routing configured,
doing so will not work.

If you are to use TPROXY then I'd recommend using the bridge-netfilter
integration instead of ebtables. This because TPROXY needs to intercept
the return traffic as well, not just lan->internet traffic. It's
possible to add ebtables rules for this by doing rules inverse to the
above.

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination your.lan.network/mask \
--ip-source-port 80 -j redirect --redirect-target ACCEPT


Regards
Henrik




Re: [squid-users] Creating a web admin site, suggestions?

2007-07-09 Thread Manoj_Rajkarnikar

On Mon, 9 Jul 2007, Jeff Pang wrote:

> 2007/7/9, Elijah Alcantara <[EMAIL PROTECTED]>:
>
>> I was thinking of saving these rules to the database then if the user
>> clicks on the apply button at the frontend the squid proxy will fetch
>> all these rules from a text/config file that the system created from
>> the database.

you could read the config file itself into a BIG text box where you can 
modify whatever, and then when pressed "save" button will write the data 
of the text box back to the config file. just a suggestion. DO NOT forget 
to make backup of config file before the webpage writes back the data.

> The only thing I can think is that you may run webserver with root
> since you need to modify squid.conf and execute 'squid -k reconfigure'

You should not run apache as root effective user. just set permission on 
squid.conf to be writeable by effective user of webserver and setuid on 
squid binary and use a wrapper to run squid reconfigure. that should do.

> command.btw,parsing and redefining squid.conf by php is not easy,is
> it?Maybe perl is better choice.
>
> good luck.

--


Re: [squid-users] Creating a web admin site, suggestions?

2007-07-09 Thread Amos Jeffries

Jeff Pang wrote:
> 2007/7/9, Elijah Alcantara <[EMAIL PROTECTED]>:
>
>> I was thinking of saving these rules to the database then if the user
>> clicks on the apply button at the frontend the squid proxy will fetch
>> all these rules from a text/config file that the system created from
>> the database.
>
> The only thing I can think is that you may run webserver with root
> since you need to modify squid.conf and execute 'squid -k reconfigure'
> command.btw,parsing and redefining squid.conf by php is not easy,is
> it?Maybe perl is better choice.
>
> good luck.


I find it quite easy ;-) PHP is after all just a better version of Perl...

Read squid.conf into a variable, explode on '\n'. Then loop and 
explode again on ' '. Finally process as needed. By that I mean insert 
into your DB using the ACL names as cross-linked keys and line# for 
*_access keys.


To dump the results back simply loop over your tables doing a DB lookup, 
use CATSTR() in SQL and ORDER BY the particular key in use for each table.


Done. Also, there's no need to run either squid or webserver as root. You 
can simply:


 make the user: of the particular .php page doing fopen() on squid.conf 
the same cache_effective_user as set in squid, that will allow 
Read-Write access to squid.conf without changing its ownership.


 the PHP.ini safe_mode_exec_dir directory needs to include a symlink to 
the squid binary if PHP is run in safe mode for the exec("squid -k 
reconfigure") call.
Or you could maybe just chown("squid.conf") from PHP between fclose() 
and exec().


Amos


Re: [squid-users] Need compilation options for dansguardian

2007-07-09 Thread Henrik Nordstrom
Sun 2007-07-08 at 12:25 +0545, Tek Bahadur Limbu wrote:

> I am thinking of installation Dansguardian in front of one of my Squid box. I 
> need some optimal  configure compilation options for Dansguardian. It is for 
> a FreeBSD-6.2 box.

There is no special Squid compilation options for using Dansguardian.

Dansguardian help is perhaps better asked on the Dansguardian mailing
list..

http://dansguardian.org/?page=mailinglist

Regards
Henrik




Re: [squid-users] squid in accelerator mode: invalidation of site contents

2007-07-09 Thread Amos Jeffries

Kinkie wrote:
> On 7/2/07, martin sarsale <[EMAIL PROTECTED]> wrote:
>> Dear all:
>> We're developing the new version of our CMS and we would like to use
>> squid in accelerator mode to speed up our service.
>>
>> From the application side, we know exactly when the data changed and we
>> would like to invalidate all cached data for that site. Is this
>> possible? maybe using squidclient or something.
>>
>> We can't do this purging url by url since it doesn't makes much sense
>> (and we don't have the url list!). We want to wipe out every cached
>> object for mysite.com.
>
> You can't do that on the squid side either, since squid doesn't index
> objects by URL but by hash. The only way is to PURGE the relevant
> object.
>
> You can reduce quite a lot the window of staleness by specifying in
> every response the HTTP header:
>
> Cache-Control: s-maxage=XXX, public, proxy-revalidate
>
> (reference taken from: http://www.mnot.net/cache_docs/)
> by choosing the right XXX value (the time in seconds before the object
> expires) you'll be able to find the right balance between higher load
> on the backend (smaller values of XXX) and higher chance of serving
> stale content (higher values of XXX)



Just be careful you leave empty the Expires: header. It can prevent IMS 
requests from refreshing the content.


Amos


Re: [squid-users] How to permit only Skype voice traffic

2007-07-09 Thread Amos Jeffries

FREGONI Roberto wrote:
> Hi guys,
> I'd like to permit only Skype voice traffic and deny file transfer,
> chatting and device sharing through my squid proxy. Do you know if it is
> possible to do it.
> Now I can only deny or permit Skype traffic at all, I'd like to use
> Skype for voip traffic without risks of free file exchanging.
> Thanks in advance
> Regards
>
> roberto


Squid cannot yet determine the content of traffic in tunnels (CONNECT 
tunneling is used by skype). Squid can however pass most kinds of 
content via ICAP to an external content processor. You'll need one of those.


Amos


[squid-users] Mrtg and squid

2007-07-09 Thread Angela Williams
Hi All Squiders!
I have run many squid boxes over the years but never really worried about any 
stats out of them other than cache manager and sarg.
We have just put a new box in to frontend an F5 Link controller which 
frontends a few dsl lines.
I now really need to tweak this box for really good performance so have tried 
mrtg to do this.
Here is the problem! I have had to change all the nice MIB names to dreadful 
oid numbers to make it work.

Here is the config.
Gentoo linux with squid 2.6.STABLE12 and mrtg 2.15.1
The relevant lines from squid.conf are

acl snmppublic snmp_community public
snmp_port 3401  # Gentoo must specify this
snmp_access allow snmppublic all

The rest are all commented out to use defaults

My mrtg config file looks like this
# 
# Global Configuration
# 
RunAsDaemon: yes
EnableIPv6: no
Options[_]: bits,growright
WorkDir: /var/www/squid
IconDir: /images/
LoadMIBs: /opt/mrtg/squid/squid.mib

# #
# Common stuff
# #
PageTop[^]: Squid3 Squid Traffic Stats
PageTop[$]: Contact Angela Williams if you have any questions

PageFoot[^]: Page managed by mailto:[EMAIL PROTECTED]">Angela 
Williams

# #
# Configuration for each Target you want to monitor
# #
Target[cacheServerRequests]: 1.3.6.1.4.1.3495.1.3.2.1.10.0&1.3.6.1.4.1.3495.1.3.2.1.10.0:[EMAIL PROTECTED]:3401
MaxBytes[cacheServerRequests]: 1000
Title[cacheServerRequests]: Server Requests @ squid3
Options[cacheServerRequests]: growright, nopercent
PageTop[cacheServerRequests]: Server Requests @ squid3
YLegend[cacheServerRequests]: requests/sec
ShortLegend[cacheServerRequests]: req/s
LegendI[cacheServerRequests]: Requests 
LegendO[cacheServerRequests]:
Legend1[cacheServerRequests]: Requests
Legend2[cacheServerRequests]:

These are the errors I see in my /var/log/mrtg.log file

2007-07-06 13:58:19 -- Started mrtg with config '/etc/squid-mrtg.conf'
2007-07-06 13:58:19 -- Unknown SNMP var cacheUptime
 at /usr/bin/mrtg line 2149
2007-07-06 13:58:19 -- Unknown SNMP var cacheSoftware
 at /usr/bin/mrtg line 2149
2007-07-06 13:58:19 -- Unknown SNMP var cacheVersionId
 at /usr/bin/mrtg line 2149
2007-07-06 13:58:19 -- Use of uninitialized value in concatenation (.) or 
string at /usr/bin/mrtg line 2165.
2007-07-06 13:58:19 -- Use of uninitialized value in concatenation (.) or 
string at /usr/bin/mrtg line 2165.

Repeated every 5 mins!

Using snmpget with a -m and the mib file gets me the correct results but it 
seems to me that mrtg is not using the squid mibs. I have always tried to 
avoid snmp until now! New learning curve again!

I could have a go at Henrik Nordstrom's rrdtool stuff but that is another 
learning curve!

I will post this to the mrtg list once I get subscribed!

Cheers
Ang

-- 
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!



AW: [squid-users] ACL URL question

2007-07-09 Thread Markus.Rietzler
try 

acl blockID url_regex -i ^http://www.xpto.com/\?id=000

the ? has a special meaning in regex, so you have to demask it...

markus


>-Original Message-
>From: Emilio Casbas [mailto:[EMAIL PROTECTED] 
>Sent: Thursday, 5 July 2007 16:27
>To: "Rui Dias | Expoarade - Animação,E.M."
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] ACL URL question
>
>Rui Dias | Expoarade - Animação,E.M. wrote:
>> Hello Everyone,
>> I need to block a site like http://www.xpto.com/?id=000 
>> When i try to block the full address with the ?id=000 the 
>rule don't work,
>> but if I block only www.xpto.com .. I can block the website ..
>> The problem is that I don't want to block the whole website 
>only the link
>> like at top.
>> Anyone?
>> Thanks
>> Rui
>>   
>> 
>> 
>
>acl xpto dstdomain http://www.xpto.com
>acl blockID url_regex -i ^http://www.xpto.com/?id=000
>
>http_access deny blockID
>http_access allow xpto
>
>Take a look:
>http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-57610c67cac987182f6055118dd6d29e1ccd4445
>
>
>Emilio C.
>


RE: [squid-users] Squid ACL

2007-07-09 Thread Mark Barlow
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 06 July 2007 00:22
>To: Christian Vallant
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid ACL
>
>> Hello,
>>
>> i need to solve following problem.
>> I have an ldap-server, which i use to authenticate the user.
>> If the user is in the group, he has access to the group A. If the
>> authentications fails, he has access to the group B.
>>
>> Can anyone tell me, how i can solve this problem.
>>
>> I have already have an authentication, but the problem is, that if the
>> user tries to authenticate, but he has no rights, the
>> authentication-window
>> comes again and again. But the user has to be in the group
>> to_domains_without_auth and the other domains should be blocked.
>>
>> So, the relevant code looks like:
>>
>> auth_param basic program /etc/squid/ldapauth.pl
>> acl for_inetusers proxy_auth REQUIRED
>>
>> acl to_domains_without_auth dstdomain
>> "/var/ipcop/proxy/advanced/acls/dst_noauth
>>  .acl"
>>
>>
>> Can anyone help me?
>>
>
>Check the order of http_access * lines in your squid.conf.
>They are processed in order, and for_inetusers needs to be preceded by
>any ACL that allow people through without Auth.
>
>For example:
>
>http_access allow anybody_without_auth
>http_access allow for_inetusers
>http_access deny all
>
>Amos

Remember for rules to work effectively, at least one of them has to be true.
I suspect this is why your authentication window keeps popping up. For
example if someone isn't in the inetusers group, the result of the line
http_access allow for_inetusers will be false and it will move on to the
next line.  You need the users to match a deny rule to stop the request
being processed and output a squid error page to the user.  The deny all
rule should suffice.

Hope this makes sense.
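
The rule-ordering point from this thread, as an added example that is not part of any poster's message: a simplified model of `http_access` evaluation (first matching line wins, ACLs on a line are ANDed, a `proxy_auth` ACL without valid credentials produces an authentication challenge). The domain list, the user name and the function names are constructed for the illustration, and the model covers only the three ACLs used here.

```python
ALLOW, DENY, CHALLENGE = "allow", "deny", "challenge (407)"

# Constructed stand-ins for the thread's ACL contents.
NOAUTH_DOMAINS = [".updates.example.org", "intranet.example.com"]
VALID_USERS = {"alice"}


def dstdomain(host, patterns):
    """dstdomain semantics: a leading dot also matches subdomains."""
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_matches(name, req):
    """Return True, False or CHALLENGE for one ACL name."""
    if name == "all":
        return True
    if name == "to_domains_without_auth":
        return dstdomain(req["host"], NOAUTH_DOMAINS)
    if name == "for_inetusers":  # acl for_inetusers proxy_auth REQUIRED
        return True if req.get("user") in VALID_USERS else CHALLENGE
    raise KeyError("unknown acl: " + name)


def parse_http_access(conf):
    """Extract (action, [acl, ...]) from the http_access lines of a config."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules


def decide(conf, req):
    """Walk the rules in file order and return the first decision reached."""
    rules = parse_http_access(conf)
    if not rules:
        raise ValueError("no http_access lines")
    for action, acls in rules:
        for name in acls:
            negate = name.startswith("!")
            result = acl_matches(name.lstrip("!"), req)
            if result == CHALLENGE:
                return CHALLENGE      # client is asked for credentials
            if result == negate:
                break                 # one ACL failed: try the next line
        else:
            return action             # every ACL on the line matched
    # No line matched: the default is the opposite of the last line.
    return DENY if rules[-1][0] == "allow" else ALLOW


AUTH_FIRST = """
http_access allow for_inetusers
http_access allow to_domains_without_auth
http_access deny all
"""

NOAUTH_FIRST = """
http_access allow to_domains_without_auth
http_access allow for_inetusers
http_access deny all
"""

if __name__ == "__main__":
    anon = {"host": "www.updates.example.org", "user": None}
    for label, conf in (("auth first", AUTH_FIRST), ("no-auth first", NOAUTH_FIRST)):
        print(label, "->", decide(conf, anon))
```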




[squid-users] How to permit only Skype voice traffic

2007-07-09 Thread FREGONI Roberto
Hi guys,
I'd like to permit only Skype voice traffic and deny file transfer,
chatting and device sharing through my squid proxy. Do you know if it is
possible to do it.
Now I can only deny or permit Skype traffic at all, I'd like to use
Skype for voip traffic without risks of free file exchanging.
Thanks in advance
Regards
 
roberto 
 


 

 


Re: [squid-users] Creating a web admin site, suggestions?

2007-07-09 Thread Jeff Pang

2007/7/9, Elijah Alcantara <[EMAIL PROTECTED]>:

> I was thinking of saving these rules to the database then if the user
> clicks on the apply button at the frontend the squid proxy will fetch
> all these rules from a text/config file that the system created from
> the database.

The only thing I can think is that you may run webserver with root
since you need to modify squid.conf and execute 'squid -k reconfigure'
command. btw, parsing and redefining squid.conf by php is not easy, is
it? Maybe perl is better choice.

good luck.


Re: [squid-users] Re: *** VIRUS *** [squid-users] Server Report

2007-07-09 Thread Henrik Nordstrom
On Thu 2007-07-05 at 13:19 +0545, Manoj_Rajkarnikar wrote:
> On Tue, 1 Jan 2002, [EMAIL PROTECTED] wrote:
> 
> > WARNING: This e-mail has been altered by MIMEDefang.  Following this
> > paragraph are indications of the actual changes made.  For more
> > information about your site's MIMEDefang policy, contact
> > Vianet System Administrator <[EMAIL PROTECTED]>.  For more information 
> > about MIMEDefang, see:
> >
> >http://www.roaringpenguin.com/mimedefang/enduser.php3
> >
> > Dropped document.scr (application/octet-stream) containing virus 
> > Worm.SCO.A-1.
> >
> 
> Please do something about it. found worm in a message...


Now the filters have been hardened a bit further, with the side effect
that most non-text attachments will get rejected, at least until there
is a proper virus scanner running..


And no, I didn't send that virus.

Received: from squid-cache.org (ppp-124.120.133.107.revip2.asianet.co.th 
[124.120.133.107])
by squid-cache.org (8.14.0/8.13.6) with ESMTP id l642GdEo067087
for ; Tue, 3 Jul 2007 20:16:42 -0600 (MDT)
(envelope-from [EMAIL PROTECTED])

Regards
Henrik




[squid-users] Just a test, please ignore

2007-07-09 Thread Henrik Nordstrom
This is just a test of the mail server. Please ignore.

Regards
Henrik


[squid-users] Question Regarding Squid Parent SSL

2007-07-09 Thread Christian Keil

Hello,

I was trying to get my Local Lan Squid Proxy to connect through SSL to
my dedicated Server on the internet.

I have set it up as parent proxy in my squid.conf on my lan by adding :

cache_peer externalserverip parent 8080 3130 default ssl
sslcert=/etc/ssl/squid.crt sslkey=/etc/ssl/squid.key sslversion=1
I created the squid.crt & squid.key by myself.

on the external machine I have added:

https_port 8080 cert=/etc/ssl/squid.pem version=1

I have double checked that the squid user is able to read
squid.crt/squid.key & squid.pem

My logfiles show the following:

Local-Net:
1183806725.866 76 10.224.208.81 TCP_MISS/503 1658 GET http://www.google.de/ - NONE/- text/html
1183806728.094   1420 10.224.208.81 TCP_MISS/503 1475 GET http://www.google.de/ - ANY_PARENT/externalserverip text/html
1183806751.594  0 10.224.208.81 TCP_MISS/503 1658 GET http://www.google.de/ - NONE/- text/html
1183806753.553   1245 10.224.208.81 TCP_MISS/503 1475 GET http://www.google.de/ - ANY_PARENT/externalserverip text/html
1183806754.371  0 10.224.208.81 TCP_MISS/503 1658 GET http://www.google.de/ - NONE/- text/html
1183806756.203   1389 10.224.208.81 TCP_MISS/503 1475 GET http://www.google.de/ - ANY_PARENT/externalserverip text/html

Remote-Squid:
1183813893.412  0 homeip UDP_MISS/000 42 ICP_QUERY http://www.google.de/ - NONE/- -
1183813895.432  0 homeip UDP_MISS/000 205 ICP_QUERY http://sb.google.com/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.4&version=goog-white-domain:1:23,goog-white-url:1:371,goog-black-url:1:12236,goog-black-enchash:1:28736 - NONE/- -
1183813917.852  0 homeip UDP_MISS/000 42 ICP_QUERY http://www.google.de/ - NONE/- -
1183813918.852  0 homeip UDP_MISS/000 42 ICP_QUERY http://www.google.de/ - NONE/- -
1183813921.252  0 homeip UDP_MISS/000 42 ICP_QUERY http://www.google.de/ - NONE/- -
1183813926.912  0 homeip UDP_MISS/000 44 ICP_QUERY http://ocsp.thawte.com/ - NONE/- -

The Browser shows the following error :



While trying to retrieve the URL: http://www.google.de/

The following error was encountered:
Connection to parentproxyip Failed

The system returned: (71) Protocol error


The remote host or network may be down. Please try the request again.

Your cache administrator is root

 Generated Sat, 07 Jul 2007 11:12:36 GMT by hera.localnet.corp
(squid/2.6.STABLE13)

Thanks for any help.

Kind Regards

Christian Keil


Re: [squid-users] porn filtering, blacklists, and squid log file analysis

2007-07-09 Thread Adrian Chadd
Look at urlblacklist.com; and don't be afraid to pay their monthly subscription
amount. It feeds right into dansguardian.


Adrian

On Sun, Jul 08, 2007, Dave wrote:
> Hello,
>I'm trying to implement porn filtering. I'm trying a variety of setups 
> to see which will give me the best results. First i'm using squid (2.6 port 
> on FreeBSD), as a transparent proxy in all setups. Setup1 is using 
> squidGuard, and the Mesd blacklist. When i dropped in mesd to the picture 
> the situation improved, a lot of previously accessible sites were now 
> blocked. My volunteer has a test machine for this and was able to google 
> and to either pull up images, nothing with pornographic-like names, but 
> that kind of images, and sites that weren't on the list. I update the 
> blacklist every night, but i need to write a script that goes through the 
> access.log, finds machine accesses and where they go, and then sets up a 
> list of sites. It then goes through said list, eliminating all duplicate 
> entries, and sees which domains still work, those that do are automatically 
> added to a custom squidguard blacklist and squidguard is reconfigured, 
> squid reloaded.
>After that explanation i use grep on the access.log to find only the 
> accesses from the machine i want my test box, put that in another file. I 
> then use cut to take out i think it's field 10 or 11 it's the url of the 
> page, drop that in another file. The problem is i have a file containing 
> 9500 entries, manually going through this isn't an option. If anyone can 
> help with this i can put the file somewhere where it can be downloaded.
>On the subject of blacklists aside from the mesd list, is there 
> anymore lists for squid/squidguard, that are free or free for noncommercial 
> purposes?
>My second setup involves dansguardian. My issue with this is first the 
> last time i tried this yes it worked though i never stress-tested this to 
> the extent i'm going for now, and second it seemed to slow the internet 
> down very noticeably to the point where everyone was telling me. I've got 
> squid as a transparent proxy using pf and i'd like to keep that 
> arrangement, last time i had to change this if there's an alternative i'm 
> open to suggestions.
> Thanks.
> Dave.



Re: [squid-users] Re: *** VIRUS *** [squid-users] Server Report

2007-07-09 Thread Adrian Chadd
On Fri, Jul 06, 2007, Manoj_Rajkarnikar wrote:
> On Fri, 6 Jul 2007, Henrik Nordstrom wrote:
> 
> >On Thu 2007-07-05 at 13:19 +0545, Manoj_Rajkarnikar wrote:
> >>On Tue, 1 Jan 2002, [EMAIL PROTECTED] wrote:
> >>
> >>Please do something about it. found worm in a message...
> >
> >
> >Now the filters have been hardened a bit further, with the side effect
> >that most non-text attachments will get rejected, at least until there
> >is a proper virus scanner running..
> 
> Thanks. Sure hope no other virus makes through to the list.

That didn't quite work - it deferred all mail. I've taken it out from
the mail configuration for the time being.

Henrik, check the maillog for "Syntax", you'll see what happened..

It's going to take a couple of hours at least to drain all the posts out
of the queue.



Adrian



[squid-users] Fwd: squid question

2007-07-09 Thread James Byrne
Can I get a user name in an error page? For example, I know %u gets the
url the person requested, but are there any other ones that I can use?



Thanks in advance for any help.



Re: [squid-users] Squid performance in the tank.

2007-07-09 Thread Tek Bahadur Limbu
On Thu, 5 Jul 2007 15:44:36 -0400
"Jeff Honey" <[EMAIL PROTECTED]> wrote:

> 
> I don't know that I've ever had occasion to ask the squid group anything 
> before but this one thing has me stumped. We just moved our infrastructure 
> from one facility to another and our squid servers' performance has really 
> gone down the tubes. Request processes have slowed to a crawl. Admittedly, we 
> have made some changes to the routing of external requests (as we are no 
> longer in a flat network) but all the systems in that same IP network have no 
> trouble at all getting to the outside world.
> 
> When squid receives a page request, it just seems to sit on it for a few 
> seconds before doing anything with it and the end user doesn't see any 
> activity from squid for a minute or longer. This was a perfectly functioning 
> squid setup prior to our move. The only thing that has changed is the path it 
> takes to get to the Internet. How should I go about finding out if it is 
> squid with the problem or if it just something boneheaded I've done somewhere 
> else?

Hi Jeff,

I agree with Adrian regarding upgrading from your  Squid-2.5 to the current 
version of 2.6.13. You will appreciate the drop in CPU load among other things.

Since your Squid box was working fine yesterday, upgrading will probably not 
solve your problems however.

I suppose you are not running Squid in transparent mode? 

DNS could also be the culprit as Adrian had mentioned. How fast can your Squid 
box resolve DNS queries? 

Since the only thing that has changed is an additional router between Squid and
the Internet, I would first run a tcpdump between your Squid box and your
router to make sure the firewalls are doing their jobs fine.

Doesn't access.log and cache.log complain about anything?

Thanking you... 

> 
> 
> Squid Cache: Version 2.5.STABLE1-20030206
> configure options:  --prefix=/usr/local/squid25 --enable-dlmalloc 
> --enable-ssl --enable-openssl --enable-useragent-log --enable-snmp 
> --enable-kill-parent-hack --enable-time-hack --enable-delay-pools 
> --enable-referer-log --enable-underscores '--enable-auth=basic digest ntlm'
> 


> 
> 
> ¤¤¤
> ¤ Jeff Honey, Network Administrator
> ¤ PS America, Inc.
> ¤ 4426 N. Orange Blossom Trl
> ¤ Orlando, FL  32804
> ¤ 407-521-1011 voice
> ¤ 407-521-1007 fax
> ¤¤¤ 
> 
> 


-- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


[squid-users] Re: transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Ming-Ching Tiew

From: "Ming-Ching Tiew" <[EMAIL PROTECTED]>
>
> It seems then to me that the http reply ( source port 80 ) has also be
> directed ***INTO*** the Bridge/Squid S. Why is that so ? Why didn't the
> Bridge/Squid forward the reply packet to the other side of the
> interface ?
>
> I am looking for something more transparent. Any insight is much
> appreciated.
>

Sorry for taking up your bandwidth it looks like I am looking for something
impossible at this moment.

The http reply has to go back **INTO** the Bridge/Squid box, so that it can make
a cache copy, as such the http reply to the http request will have to ROUTE out
from the bridge/squid box ( versus  BRIDGE ).

Unless some enhancement is made to do some kind of "connection tracking",
and thus reply the packet back to the mac address of the original requests.

Regards.





[squid-users] Creating a web admin site, suggestions?

2007-07-09 Thread Elijah Alcantara

Hi,

I've got this small project to create a php+mysql system that will
manage a small network and setup web rules like blocking specific
websites.

I was thinking of saving these rules to the database then if the user
clicks on the apply button at the frontend the squid proxy will fetch
all these rules from a text/config file that the system created from
the database.

Is that the best solution? any comments on how I could best tackle this ?


Regards,
Elijah

--
Elijah O. Alcantara
http://elijah.pinoguin.com
Web/Typo3 Developer, Sys/Net Administrator & Support
PHP Development ApS
http://phpdev.dk


Re: [squid-users] split access log up for different sites?

2007-07-09 Thread Anton Melser

On 06/07/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:

> On Thu, Jul 05, 2007, Anton Melser wrote:
> > Hi,
> > I had a look but couldn't see any way to split up a log for different
> > sites being reverse proxied. Is this possible?
>
> Squid-2.6 introduced the ability to use ACLs and multiple access log
> lines to determine which log gets which requests.


Thanks for that. It's not entirely clear from the docs... So do I need
something like:

acl sitea dstdomain my.site.com

logformat sitea %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log  /var/log/squid/combined.log sitea

This doesn't seem possible from the docs
(http://www.visolve.com/squid/squid30/logs.php) but the docs are for
squid 3!
Thanks
Anton


Re: [squid-users] squid and multiple redirectors

2007-07-09 Thread Jeff Pang

2007/7/8, Dave <[EMAIL PROTECTED]>:

> Hello,
> I'm running squid 2.6 and need to run several redirectors, one for
> banner filtering, another for av, and a possible third for chat blocking if
> there is one? I read about a shell script:
>
> #!/bin/sh
>
> /path/to/redirector1 | /path/to/redirector2

This is a bad way. Using a pipe is expensive most of the time. You can do all
the things in a perl script. If you have problems with perl
programming, many guys can help you (including me).

> For the setting of
> url_rewrite_children suggested value is 5, multiple redirectors wouldn't i
> have to take that up to say 15 or so?

Some of our squid hosts are also running redirectors; they run 64 children
or more and didn't see bad things happen. So I think this number is based
on the request queue on squid; if this queue is too large, you can see
the warnings in cache.log and you need to increase the number of redirector
children.

Good luck.
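
The single-helper approach suggested in this reply, as an added example that is not from the thread: one url_rewrite_program that runs a banner check and a chat check in order. It is written in Python rather than the Perl suggested, assumes Squid's one-line-per-request helper interface without url_rewrite_concurrency, and every host name and block URL in it is hypothetical.

```python
"""One Squid url_rewrite_program that runs several checks in a single process."""
import sys
from urllib.parse import urlsplit

# Constructed example data; the host names and block URLs are hypothetical.
BANNER_HOSTS = {"ads.example.com"}
CHAT_HOSTS = {"chat.example.net"}
BLANK_IMAGE = "http://proxy.example.lan/blank.gif"
BLOCK_PAGE = "http://proxy.example.lan/blocked.html"


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def banner_check(host, client, user):
    return BLANK_IMAGE if host_matches(host, BANNER_HOSTS) else None


def chat_check(host, client, user):
    return BLOCK_PAGE if host_matches(host, CHAT_HOSTS) else None


# Order matters: the first check that returns a URL wins, so a banner that is
# replaced here never reaches the later checks.
CHECKS = [banner_check, chat_check]


def rewrite(line):
    """Map one helper request line to the reply line (without newline).

    Request: URL client_ip/fqdn user method ...; reply: a replacement URL,
    or an empty string to leave the request unchanged.
    """
    fields = line.split()
    if len(fields) < 4 or fields[3] == "CONNECT":
        return ""                   # malformed line, or a tunnel: pass through
    url, client, user = fields[0], fields[1].split("/")[0], fields[2]
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:              # malformed URL
        return ""
    for check in CHECKS:
        replacement = check(host, client, user)
        if replacement:
            return replacement
    return ""


def main():
    # Exactly one reply per request, flushed at once: Squid waits for each answer.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

In the piped script, the second program sees only what the first one prints (a URL or an empty line) and not Squid's original request line; running the checks in one process avoids that.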


Re: [squid-users] how can I add an object to squid cache

2007-07-09 Thread Jeff Pang

First you should make sure whether that object is cacheable by
squid. Squid won't cache some objects, depending on the configuration file.
If it's cacheable, you just run squidclient to request that object
once, then squid will cache it.

2007/7/7, ying lcs <[EMAIL PROTECTED]>:

> Hi,
>
> From this documentation of squidclient, it mentions it can purge an
> object to squid cache
>
> http://www.penguin-soft.com/penguin/man/1/squidclient.html
>
> Can you please tell me how can I add an object to squid cache?
>
> Thank you.



[squid-users] block internal proxy servers

2007-07-09 Thread apee r
hi all. i am using squid proxy 2.6. i have both auth
acl and ip src acl to authenticate my internal users.
but some users are using proxy servers on internal
machines. how to block requests coming from internal
proxy servers.   

apee stevie
[EMAIL PROTECTED]



   



[squid-users] Re: Squid 2.6 Stable13 with Reverse Proxy for RPC and OWA

2007-07-09 Thread Shekhar Gupta

Any updates from any one ?

On 7/4/07, Shekhar Gupta <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I am having the following problem with squid acting as reverse proxy for
> my OWA and RPC server.
>
> Both OWA and RPC are having the same hostname as of now. I am able
> to get it working with OWA, however as shown on the wiki for RPC I tried
> with option RPC-DATA-IN and OUT, but that didn't work; every time I
> change my outlook to the new reverse proxy address it will show exchange
> as offline.
>
> OWA and RPC hostname : owa-rpc.mydomain.com
> Squid is compiled with dns disabled option .
> https_port 443 cert=/usr/rprgate/servercrt.pem key=/usr/rprgate/serverkey.pem defaultsite=owa-rpc.mydomain.com vhost
> cache_peer 10.112.51.93 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=owa-rpc.mydomain.com
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> acl owaserver dstdomain owa-rpc.mydomain.com
> cache_peer_access owa-rpc.mydomain.com allow owaserver
> acl OWAip dst 10.112.51.93
> http_access allow OWAip
> http_access allow all
> miss_access allow OWAip
> miss_access deny all
>
> Please let me know where I am wrong in this, why my RPC is not
> working whereas OWA is working fine. Any clue?
>
> Regards
> Shekhar



Re: [squid-users] squid in accelerator mode: invalidation of site contents

2007-07-09 Thread Kinkie

On 7/2/07, martin sarsale <[EMAIL PROTECTED]> wrote:

> Dear all:
> We're developing the new version of our CMS and we would like to use
> squid in accelerator mode to speed up our service.
>
> From the application side, we know exactly when the data changed and we
> would like to invalidate all cached data for that site. Is this
> possible? maybe using squidclient or something.
>
> We can't do this purging url by url since it doesn't make much sense
> (and we don't have the url list!). We want to wipe out every cached
> object for mysite.com.


You can't do that on the squid side either, since squid doesn't index
objects by URL but by hash. The only way is to PURGE the relevant
object.

You can reduce quite a lot the window of staleness by specifying in
every response the HTTP header:

Cache-Control: s-maxage=XXX, public, proxy-revalidate

(reference taken from: http://www.mnot.net/cache_docs/)
by choosing the right XXX value (the time in seconds before the object
expires) you'll be able to find the right balance between higher load
on the backend (smaller values of XXX) and higher chance of serving
stale content (higher values of XXX)


--
   /kinkie


[squid-users] phishtank filtering

2007-07-09 Thread Adrian Chadd
I've knocked up a phishtank plugin for the later versions of Squid
(2.6.STABLE13; latest Squid-3 snapshot) which integrates lookups to
the phishtank database (from www.phishtank.com.)

I plan on extending it to include the Google Safebrowsing database
and whatever other URL-based filtering schemes I can get my grubby
hands on over the next couple weeks.

I'd like a show of hands to see what kind of interest y'all have out
there for this kind of thing. I'd like to offer this (and other
bits of software) as "donateware" - you donate to Squid, you get
the current version. It all depends on how much interest there is.

If you're a Squid product vendor and think you'll be interested in
offering phishing website filtering in your product (and face it, who
-wouldn't- want to run it if it's acting as a forward cache for
an organisation? Seriously..) then please let me know.

There's an article and screenshot here:

http://squidproxy.wordpress.com/2007/07/08/squid-and-phishy-filtering-phishtankcom/

Let me know what y'all think.




Adrian



[squid-users] porn filtering, blacklists, and squid log file analysis

2007-07-09 Thread Dave

Hello,
   I'm trying to implement porn filtering. I'm trying a variety of setups 
to see which will give me the best results. First i'm using squid (2.6 port 
on FreeBSD), as a transparent proxy in all setups. Setup1 is using 
squidGuard, and the Mesd blacklist. When i dropped in mesd to the picture 
the situation improved, a lot of previously accessible sites were now 
blocked. My volunteer has a test machine for this and was able to google and 
to either pull up images, nothing with pornographic-like names, but that 
kind of images, and sites that weren't on the list. I update the blacklist 
every night, but i need to write a script that goes through the access.log, 
finds machine accesses and where they go, and then sets up a list of sites. 
It then goes through said list, eliminating all duplicate entries, and sees 
which domains still work, those that do are automatically added to a custom 
squidguard blacklist and squidguard is reconfigured, squid reloaded.
   After that explanation i use grep on the access.log to find only the 
accesses from the machine i want my test box, put that in another file. I 
then use cut to take out i think it's field 10 or 11 it's the url of the 
page, drop that in another file. The problem is i have a file containing 
9500 entries, manually going through this isn't an option. If anyone can 
help with this i can put the file somewhere where it can be downloaded.
   On the subject of blacklists aside from the mesd list, is there 
anymore lists for squid/squidguard, that are free or free for noncommercial 
purposes?
   My second setup involves dansguardian. My issue with this is first the 
last time i tried this yes it worked though i never stress-tested this to 
the extent i'm going for now, and second it seemed to slow the internet down 
very noticeably to the point where everyone was telling me. I've got squid 
as a transparent proxy using pf and i'd like to keep that arrangement, last 
time i had to change this if there's an alternative i'm open to suggestions.

Thanks.
Dave.
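
The log-processing step described in this post, as an added example that is not part of the original message: it reads Squid native-format access.log lines, keeps one client's requests, reduces them to unique destination hosts and drops hosts an existing domain list already covers. The sample log lines, addresses and domain names are constructed, and the parent-domain matching is an assumption about how the blacklist is applied.

```python
"""List the sites one client visited, from a Squid native-format access.log."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1183806725.866     76 10.0.0.81 TCP_MISS/200 1658 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1183806726.100     12 10.0.0.81 TCP_HIT/200 900 GET http://WWW.Example.com/logo.png - NONE/- image/png
1183806727.300    210 10.0.0.81 TCP_MISS/200 5120 GET http://img.example.net/a.jpg - DIRECT/192.0.2.20 image/jpeg
1183806728.094   1420 10.0.0.99 TCP_MISS/200 1475 GET http://other.example.org/ - DIRECT/192.0.2.30 text/html
1183806729.500    640 10.0.0.81 TCP_MISS/200 3200 CONNECT secure.example.org:443 - DIRECT/192.0.2.40 -
1183806730.000      0 10.0.0.81 TCP_DENIED/403 1400 GET http://blocked.example.com/ - NONE/- text/html
1183806731.000      0 10.0.0.81 NONE/400 1500 GET error:invalid-request - NONE/- text/html
"""


def request_host(method, url):
    """Return the lower-cased destination host of one logged request, or ''."""
    if method == "CONNECT":
        # CONNECT is logged as host:port with no scheme.
        host = url.rsplit(":", 1)[0]
    else:
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:          # malformed URL in the log
            host = ""
    return host.lower().rstrip(".")


def hosts_for_client(lines, client_ip):
    """Count requests per destination host for one client address."""
    counts = Counter()
    for line in lines:
        fields = line.split()       # split() copes with the padded columns
        if len(fields) < 7:
            continue                # truncated or blank line
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if client != client_ip or result.startswith("TCP_DENIED"):
            continue                # other machine, or request already blocked
        host = request_host(method, url)
        if host:
            counts[host] += 1
    return counts


def is_listed(host, listed_domains):
    """True if host or any parent domain is in the list (assumed matching rule)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in listed_domains for i in range(len(labels)))


def blacklist_candidates(counts, listed_domains):
    """Hosts seen in the log that the current blacklist does not cover."""
    return sorted(h for h in counts if not is_listed(h, listed_domains))


if __name__ == "__main__":
    seen = hosts_for_client(SAMPLE_LOG.splitlines(), "10.0.0.81")
    for host in blacklist_candidates(seen, {"example.net"}):
        print(seen[host], host)
```

Splitting on runs of whitespace keeps the URL at a fixed position, which a single-space `cut` does not, because the elapsed-time column is padded.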



Re: [squid-users] Re: *** VIRUS *** [squid-users] Server Report

2007-07-09 Thread Manoj_Rajkarnikar

On Fri, 6 Jul 2007, Henrik Nordstrom wrote:

> On Thu 2007-07-05 at 13:19 +0545, Manoj_Rajkarnikar wrote:
>> On Tue, 1 Jan 2002, [EMAIL PROTECTED] wrote:
>>
>> Please do something about it. found worm in a message...
>
> Now the filters have been hardened a bit further, with the side effect
> that most non-text attachments will get rejected, at least until there
> is a proper virus scanner running..

Thanks. Sure hope no other virus makes through to the list.

> And no, I didn't send that virus.

I agree.

> Received: from squid-cache.org (ppp-124.120.133.107.revip2.asianet.co.th
> [124.120.133.107])
>    by squid-cache.org (8.14.0/8.13.6) with ESMTP id l642GdEo067087
>    for ; Tue, 3 Jul 2007 20:16:42 -0600 (MDT)
>    (envelope-from [EMAIL PROTECTED])
>
> Regards
> Henrik


Manoj
--


[squid-users] Using ACL

2007-07-09 Thread Murat Ipekbayrak

Hi,

I wonder if I can use the defined URL which is being presented by acl_name.

For example:

acl block_google url_regex -i www.google.com

How can I point to www.google.com by using block_google? Is there any 
parameters like %s or anything else?


Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Ming-Ching Tiew
> I think I fixed the issue by changing the ebtables rule to :-
>
> ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
>--ip-destination-port 80 -j redirect --redirect-target DROP
>
> Note that subtle changes. With that I don't need to add routes and other
> shits.
> I would appreciate feedback from others to see if this is a better rule than
> the original one.
>

Sorry false alarm. The new rule bypasses all traffic from squid, that's why
it is working. Back to square ones. Need to work harder on it.

:-(



[squid-users] squid and multiple redirectors

2007-07-09 Thread Dave

Hello,
   I'm running squid 2.6 and need to run several redirectors, one for 
banner filtering, another for av, and a possible third for chat blocking if 
there is one? I read about a shell script:


#!/bin/sh

/path/to/redirector1 | /path/to/redirector2

etc. And use that script as your redirector in squid.conf. Would this work? 
I was thinking bannerfiltering first, there's no need to run av on banners 
since i won't be viewing them anyway. For the setting of 
url_rewrite_children suggested value is 5, multiple redirectors wouldn't i 
have to take that up to say 15 or so?

Thanks.
Dave.