Re: [squid-users] access.log with no data...
Felipe wrote:
> Hello...
>
> I'm using Squid in a corporative system. But, I've restarted the squid two days ago, and now, the access.log file is created with its size equal to zero bytes. And the squid never writes any data on it.
>
> Just my access.log stays always clean, without any data or registry of access.
>
> What can it be? How can I solve this?

Hi Felipe,

Have you tried restarting Squid again? What does your cache.log say?

Do you have something like the following in your squid.conf?

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_effective_user squid
cache_effective_group squid

Also is your /var/log/squid directory writable by the user squid or whatever user you are using as your cache_effective_user/group?

Thanking you...

> Thank you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
Re: [squid-users] Detecting and blocking child proxy servers
On Wednesday 25 July 2007 14:42, Tek Bahadur Limbu wrote:
> Juraj Sakala wrote:
> > On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
> >> Is this possible? In other words, I want my proxy servers to detect
> >> squid or other proxy servers which are being used or operated by others
> >> besides me.
> >
> > Maybe it is possible:
> > - if you know your network you can use header x_forwarded_for to detect
> >   unknown networks.
> > - if you want to allow only your proxy servers use http_access directive
> >   with acl which contains only your proxies
> > - try something like this:
> >   acl myproxy req_header Via MyProxy
> >   http_access allow myproxy
> >   http_access deny all
> > - use authentication
>
> Hi Juraj,
>
> Thanks for sharing your tips.
>
> Suppose I have the following:
>
> acl myproxy req_header Via 192.168.100.0/24
> http_access allow myproxy
> http_access deny all

It was only a tip. I am not sure, but I think squid puts in this header its visible hostname and port in format 1.1 :. So if someone uses Squid in default configuration you can block it easily. But it is true that headers are easily spoofable.

> Now if I use this, my normal clients (192.168.101.0/24) won't be able to
> access my proxy server right?

There is a question whether a normal client sends a Via header in the request; I am sure that it does not. So we need an acl that permits requests from our proxies with correct Via header or clients with no header and denies all other requests. It will be hard, maybe external acl will be useful.
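Added example, not part of the thread and not Squid project code: one way to write the external ACL suggested above, accepting requests with no Via header or with a Via that names only our own proxies, and refusing everything else. The trusted host names, the helper path and the ACL names are assumptions, and, as noted in the thread, this only catches child proxies that announce themselves, since the header is easy to strip or spoof.

```python
#!/usr/bin/env python3
"""Via-header check written as a Squid external ACL helper (illustrative).

Hypothetical squid.conf wiring (ACL names and helper path are assumptions):
    external_acl_type via_check %{Via} /usr/local/bin/via_check.py
    acl via_ok external via_check
    http_access deny !via_ok
"""
import re
import sys
from urllib.parse import unquote

# Assumption: the host names our own child proxies announce in Via
# (their visible_hostname). Replace with the real ones.
TRUSTED_VIA_HOSTS = {"proxy1.example.net", "proxy2.example.net"}

# Via comments such as "(squid/2.6.STABLE5)" carry no routing information.
_COMMENT = re.compile(r"\([^)]*\)")


def via_hosts(via_value):
    """Return the received-by host of every hop; None marks a malformed hop."""
    hosts = []
    for hop in _COMMENT.sub("", via_value).split(","):
        parts = hop.split()
        if not parts:
            continue                      # empty list element, e.g. trailing comma
        if len(parts) < 2:
            hosts.append(None)            # protocol version without received-by
            continue
        # received-by is "host[:port]" or a pseudonym; keep the host part only
        hosts.append(parts[1].split(":", 1)[0].lower())
    return hosts


def decide(via_value):
    """OK for direct clients and for our own proxies, ERR for any other proxy."""
    value = via_value.strip()
    if value in ("", "-"):                # "-" is treated here as "header absent"
        return "OK"
    hosts = via_hosts(value)
    if hosts and all(h in TRUSTED_VIA_HOSTS for h in hosts):
        return "OK"
    return "ERR"                          # unknown or malformed hop in the chain


def decode_field(line):
    """Undo the quoting of the helper input line.

    Assumption: the field arrives either double-quoted with backslash
    escapes or URL-escaped, depending on the Squid version in use.
    """
    field = line.strip()
    if len(field) >= 2 and field[0] == field[-1] == '"':
        field = field[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return unquote(field)


def main():
    # One request per input line, one OK/ERR answer per output line.
    for line in sys.stdin:
        sys.stdout.write(decide(decode_field(line)) + "\n")
        sys.stdout.flush()                # Squid waits for each answer


if __name__ == "__main__":
    main()
```

A request that passed through an unknown proxy and then one of ours is still refused, because every hop in the chain has to be trusted.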
[squid-users] Proxy-Authenticate and WWW-Authenticate
Hello!

Is it correct to say that a response can only have one authenticate in the headers? That a request containing a WWW-Authenticate cannot have a Proxy-Authenticate as well?

If I have a site which requires authentication with a given scheme, am I right to assume that the only way an authenticating proxy between the site and the user can use authentication is if the authentication tokens sent by the user are the same for the proxy and the site? Is basic authentication the only auth system that can be chained in this way?

Lastly, assuming a proxy with no auth, is it now possible to have a WWW-Authenticate using the NTLM scheme pass through a squid proxy? In the past I believe the answer is no, but I want to be sure nothing has changed since.

Thanks for the help in this,
Matt Smith
[squid-users] HTTPS 8443 problem
Hi there,

I have a slight problem whereby I am getting a "403: Access Forbidden" type message when I try to browse a site which utilizes port 8443.

I have gone through my squid.conf several times and everything looks fine to me.

# TAG: acl
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost dst 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl SSL_ports port 443 563 1443 1494 8443 8080 1 28443
acl Safe_ports port 20 # ftp data connection
acl Safe_ports port 21 # ftp control connection
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http Delegated Admin
acl Safe_ports port 87 # alt http lct crap
acl Safe_ports port 88 # alt http
acl Safe_ports port 119 # news
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 888 # filemaker
acl Safe_ports port 8443# extra https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED

# TAG: http_access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_access allow password

Any help would be appreciated.

thanks
Nick
[squid-users] forward and reverse proxy - the difference
Believe it or not, I have a problem understanding the basics. What's the difference between forward and reverse proxy?

When I read the article,
http://jayant7k.blogspot.com/2006/10/reverse-proxy-using-squid.html

When I read paragraphs 3, 4 & 5, I think what is said about reverse proxy is equally applicable to forward proxy. Is there a simpler way to explain the difference between the two?

But of course, for forward proxy, I would not need to configure cache_peer. So why is there a need for the 'vhost' and 'vport' directives?

Regards.
Re: [squid-users] per-acl error messages not working
As far as I know, the error msg should be put below, after all rules ...
[squid-users] access.log with no data...
Hello...

I'm using Squid in a corporative system. But, I've restarted the squid two days ago, and now, the access.log file is created with its size equal to zero bytes. And the squid never writes any data on it.

Just my access.log stays always clean, without any data or registry of access.

What can it be? How can I solve this?

Thank you...
[squid-users] Squid 2.x maximum_object_size related to memory usage
Is Squid 2.6 too going to eat up to maximum_object_size of memory while retrieving a new object, before it decides whether to write it to disk?

I'm considering increasing this value, so it never hurts to ask.

Thank you.

From http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ.html#toc8.1

Squid-1.1 also uses a lot of memory to store in-transit objects. This version stores incoming objects only in memory, until the transfer is complete. At that point it decides whether or not to store the object on disk. This means that when users download large files, your memory usage will increase significantly.
[squid-users] intermittent ERR_CANNOT_FORWARD
Hi,

I'm running Squid 2.6 STABLE12 as a reverse proxy. It is configured to select one of two origin servers based on the request URL like this:

cache_peer 10.1.64.104 parent 8102 0 originserver no-query round-robin
cache_peer 10.1.64.106 parent 8105 0 originserver no-query round-robin
# always_direct = default
never_direct allow all
acl api_url urlpath_regex ^/api/*
cache_peer_access 10.1.64.104 allow api_url
cache_peer_access 10.1.64.104 deny all
cache_peer_access 10.1.64.106 allow !api_url
cache_peer_access 10.1.64.106 deny all

Currently only URLs that *do* match the api_url acl are ever sent to Squid.

After a power outage yesterday I started seeing "X-Squid-Error: ERR_CANNOT_FORWARD 11" in the response headers of some but not all such requests. I had no difficulty connecting directly to the origin server at 10.1.64.104:8102. The errors went away as soon as I restarted Squid.

This raises the following questions:

1) Is it inappropriate to use the 'round-robin' option in this way, since only one origin server peer will match the cache_peer_access rules for a given URL?

2) Why did some requests succeed and some fail? Is there a health test that blocks the opening of new connections but allows existing persistent connections to be reused?

Does anyone have insight on these?

Thanks,
Ben
[squid-users] per-acl error messages not working
Hi,

I'm obviously doing something wrong with my ACLs, and would appreciate any advice.

We require authentication via radius, and we only allow each user to be logged on from one workstation at a time. Anyone logged on to a server can access the Internet from multiple machines (i.e., for maintenance periods where one admin might be running updates on several boxes simultaneously).

If a user logs in from too many machines, or if he enters a wrong password, he gets the error message in ERR_NO_SHARING.

I would expect a user who signs on too often to get ERR_NO_SHARING and a user who fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED. Instead, all users get ERR_NO_SHARING.

I would like to give the users a useful error message, but obviously I am missing something. The ACL portion of my squid.conf follows.

Thanks for any suggestions,
==ml

--
error_directory /etc/squid/errors

auth_param basic program /usr/local/squid/libexec/squid_radius_auth_new -f /etc/squid/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm 'Web'
#confirm our login is still good via Radius at this interval;
#this is not the time between password query popups at user's browser!
authenticate_ttl 15 minutes

acl all src 0.0.0.0/0.0.0.0 # all sources
acl manager proto cache_object # internal cache manager
acl localhost src 127.0.0.1/255.255.255.255 # This computer's loopback source
acl to_localhost dst 127.0.0.0/8 # This computer's loopback destinations
acl PURGE method PURGE
acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp
acl Safe_ports port 21 # ftp-data
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl radius_auth proxy_auth REQUIRED
acl no_auth_src src "/etc/squid/noauth_src.list"
acl no_auth_dst dst "/etc/squid/noauth_dst.list"
acl no_auth_hostdst dstdomain "/etc/squid/noauth_hostdst"

#Don't share password
authenticate_ip_ttl 60 seconds
acl noPwSharing max_user_ip 1
deny_info ERR_NO_SHARING noPwSharing

#allow server networks more leeway for administration
acl serverPwSharing max_user_ip 5
deny_info ERR_NO_SHARING serverPwSharing

#Our internal networks; one for source, one for dest
acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl our_servers dst 10.0.0.0/8 127.0.0.0/8
acl server_network src 10.184.1.0/24
acl our_domains dstdomain internal.com
acl CONNECT method CONNECT # Http Connect method

#Only the local machine can see cache manager
http_access allow manager localhost
http_access deny manager
#management acl
http_access allow PURGE localhost
http_access deny PURGE
#block connections to unsafe ports
http_access deny !Safe_ports
#Allow everyone through to some sites without auth
http_access allow no_auth_dst
http_access allow no_auth_src
http_access allow no_auth_hostdst
#Everyone can access internal servers
always_direct allow our_domains
#servers can have one user connect multiple times
http_access allow server_network radius_auth
#clients may only log in from one IP at a time.
http_access deny noPwSharing
#Clients must auth to radius to leave our network
http_access allow our_networks radius_auth
#everyone else is denied access
http_access deny all
#everyone can reply
http_reply_access allow all
#nobody may use this as a peer proxy
icp_access deny all

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Coming Soon: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
Re: [squid-users] log rotation
Hello,

On Wed, 25 Jul 2007 18:50:27 +0545, Tek Bahadur Limbu <[EMAIL PROTECTED]> wrote:
> Zbigniew Szalbot wrote:
>> Hello,
>>
>> I have looked at wiki but cannot find information about log rotation
>> (access & store logs).
>>
>> How can I do this? Or is it simply a matter of defining log rotation in
>> newsyslog.conf (I am on a FreeBSD system)?
>
> Hi Zbigniew,
>
> Go to:
>
> (1.) cd /usr/ports/sysutils/logrotate
>
> (2.) make install clean
>
> (3.) cd /usr/local/etc
>
> (4.) vi /usr/local/etc/logrotate.conf
>
> Put the following in logrotate.conf

Thank you very much indeed! But I managed in a (I think) simpler way by adding

/usr/local/squid/logs/access.log squid:squid 644 7 * @T00 J /usr/local/squid/logs/squid.pid 30

to newsyslog.conf. But I appreciate such a thorough description!

Warm regards,

Zbigniew Szalbot

>
> # Start of logrotate.conf ###
>
> # rotate log files weekly
> #weekly
> daily
>
> # keep 4 weeks worth of backlogs
> rotate 7
>
> # send errors to root
> #errors root
>
> # create new (empty) log files after rotating old ones
> create
>
> # uncomment this if you want your log files compressed
> compress
>
> # RPM packages drop log rotation information into this directory
> include /usr/local/etc/logrotate.d
>
> /var/log/lastlog {
> monthly
> rotate 12
> }
>
> End of logrotate.conf ##
>
> (5.) mkdir -p /usr/local/etc/logrotate.d/
>
> (6.) cd /usr/local/etc/logrotate.d/
>
> (7.) vi /usr/local/etc/logrotate.d/squid
>
> Put the following:
>
> ###Start of squid#
>
> /var/log/squid/access.log {
> daily
> rotate 90
> copytruncate
> compress
> notifempty
> missingok
> }
> /var/log/squid/cache.log {
> daily
> rotate 7
> copytruncate
> compress
> notifempty
> missingok
> }
>
>
> (8.) /usr/local/sbin/logrotate -d /usr/local/etc/logrotate.conf
>
> (9.) /usr/local/sbin/logrotate -f /usr/local/etc/logrotate.conf
>
> If some errors are reported, it's normal, just create or touch the
> relevant files or directories.
>
> (10.) vi /etc/crontab
>
> Put the following:
>
> 0 1 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1
>
>
> (11.) If all works well, you are good to go!!!
>
>
> Of course, the other simple way of doing this is to run:
>
> squid -k rotate
>
> from /etc/crontab
>
> 0 1 * * * root squid -k rotate
>
> Thanking you...
>
>
>>
>> Thank you!
>>
>
>
> --
>
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
>
> (TAG/TDG Group)
> Jwl Systems Department
>
> Worldlink Communications Pvt. Ltd.
>
> Jawalakhel, Nepal
>
> http://www.wlink.com.np

--
Zbigniew Szalbot
Re: [squid-users] log rotation
Zbigniew Szalbot wrote:
> Hello,
>
> I have looked at wiki but cannot find information about log rotation (access & store logs).
>
> How can I do this? Or is it simply a matter of defining log rotation in newsyslog.conf (I am on a FreeBSD system)?

Hi Zbigniew,

Go to:

(1.) cd /usr/ports/sysutils/logrotate

(2.) make install clean

(3.) cd /usr/local/etc

(4.) vi /usr/local/etc/logrotate.conf

Put the following in logrotate.conf

# Start of logrotate.conf ###

# rotate log files weekly
#weekly
daily

# keep 4 weeks worth of backlogs
rotate 7

# send errors to root
#errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# RPM packages drop log rotation information into this directory
include /usr/local/etc/logrotate.d

/var/log/lastlog {
monthly
rotate 12
}

End of logrotate.conf ##

(5.) mkdir -p /usr/local/etc/logrotate.d/

(6.) cd /usr/local/etc/logrotate.d/

(7.) vi /usr/local/etc/logrotate.d/squid

Put the following:

###Start of squid#

/var/log/squid/access.log {
daily
rotate 90
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
daily
rotate 7
copytruncate
compress
notifempty
missingok
}

(8.) /usr/local/sbin/logrotate -d /usr/local/etc/logrotate.conf

(9.) /usr/local/sbin/logrotate -f /usr/local/etc/logrotate.conf

If some errors are reported, it's normal, just create or touch the relevant files or directories.

(10.) vi /etc/crontab

Put the following:

0 1 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1

(11.) If all works well, you are good to go!!!

Of course, the other simple way of doing this is to run:

squid -k rotate

from /etc/crontab

0 1 * * * root squid -k rotate

Thanking you...

> Thank you!

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
Re: [squid-users] Detecting and blocking child proxy servers
Juraj Sakala wrote:
> On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
>> Is this possible? In other words, I want my proxy servers to detect squid or other proxy servers which are being used or operated by others besides me.
>
> Maybe it is possible:
> - if you know your network you can use header x_forwarded_for to detect unknown networks.
> - if you want to allow only your proxy servers use http_access directive with acl which contains only your proxies
> - try something like this:
>   acl myproxy req_header Via MyProxy
>   http_access allow myproxy
>   http_access deny all
> - use authentication

Hi Juraj,

Thanks for sharing your tips.

Suppose I have the following:

acl myproxy req_header Via 192.168.100.0/24
http_access allow myproxy
http_access deny all

Now if I use this, my normal clients (192.168.101.0/24) won't be able to access my proxy server right?

What I really want to achieve is to allow normal clients to access my proxy server transparently. But I want to stop my clients who are operating their own proxy servers to use my proxy server as either a parent or sibling.

Can you brief me the correct syntax regarding achieving this?

Any help will be highly appreciated. I am also using google:)

Thanking you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
[squid-users] Deny download a file bigger than 2.1 Mb, allow only from a specific domain.
Is it possible to configure squid in such a way so that it Deny download files that are bigger than 2.1 Mb but allow only from a specific site/domain, for example .symantec.com ?

waiting for a reply, 10x in advance.

my settings:

reply_body_max_size 210 allow all
Re: [squid-users] SHOULD I NEED TO RECOMPILE THE KERNEL
Indunil Jayasooriya wrote:
> > Hi Indunil,
> >
> > I don't think that you need to recompile your kernel. Which Squid version are you using?
>
> squid-2.5.STABLE1-3.9
>
> > Please post your squid.conf. Saying that Squid is SLOWER could mean a lot of things. It's very vague and an exact answer is not possible.
>
> these are rules in my squid.conf
>
> cache_mem 32 MB
> cache_dir ufs /var/spool/squid 100 16 256
> auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl maxip max_user_ip -s 1
> acl ncsa_users proxy_auth REQUIRED
> acl CSB_AUTH_CRIB proxy_auth uddikah sudathf newtonf nilankab warunaa sandunm
> acl CSB_AUTH_BANK proxy_auth chamikarab
> acl CSB_AUTH_SEY proxy_auth manjulan sriyanim apsaraa rohang gehanp
> acl CSB_AUTH_AUD proxy_auth mahesht thivankat
> acl DOMAINS_SEY dstdomain .eseylan.com .cbsl.lk .eseylanet.com
> acl DOMAINS dstdomain .crib.lk .cbsl.lk
> acl DOMAINS_CSB dstdomain .nsb.lk .peoplesbank.lk .nationstrust.com .hnb.lk .mbslbank.com .sampath.lk .hsbc.lk .combank.net .eseylan.com .bankofceylon.net
> acl DOMAINS_AUD dstdomain .cbsl.lk .nsb.lk .peoplesbank.lk .nationstrust.com .hnb.net .mbslbank.com .sampath.lk .hsbc.lk .combank.net .bankofceylon.net .icasrilanka.com .centralbanklanka.org .auditnet.org .bankaudit.net .balancescorecard.org .netbankaudit.com .isaca.org .accaglobal.com .certifiedinternalauditor.org .bba.org.uk .accountingweb.co.uk .cima.org.uk .iasc.org.uk .icaew.co.uk .kpmg.co.uk .yahoo.com .auditserve.com .managementhelp.org .lankae.com .ceylicosavings.lk .cim.co.uk .amazon.com .ceylincosavings.lk .eseylan.com .eseylanet.com .dfccbank.com .unionb.com .standardchartered.com/lk .icicibank.com .pabcbank.com
> #http_access deny maxip
> http_access deny CSB_AUTH_SEY !DOMAINS_SEY
> http_access deny CSB_AUTH_CRIB !DOMAINS
> http_access deny CSB_AUTH_BANK !DOMAINS_CSB
> http_access deny CSB_AUTH_AUD !DOMAINS_AUD
> http_access allow ncsa_users
>
> > Also posting your iptables firewall could help. Are you running Squid in transparent mode? How many users are you serving?
>
> No firewall is running on that box. No transparent mode as well. Just running as usual. Clients are configured to use squid proxy server with ip address and port 3128 in their Internet Explorer and Firefox.
>
> But there is a firewall running in front of that squid box.
>
> about 27 users are using squid.
>
> > Can you post the info from squidclient mgr:info ?
>
> pls see below
>
> [EMAIL PROTECTED] root]# squidclient mgr:info
> HTTP/1.0 200 OK
> Server: squid/2.5.STABLE1
> Mime-Version: 1.0
> Date: Wed, 25 Jul 2007 10:01:36 GMT
> Content-Type: text/plain
> Expires: Wed, 25 Jul 2007 10:01:36 GMT
> Last-Modified: Wed, 25 Jul 2007 10:01:36 GMT
> X-Cache: MISS from csbsl.com
> Proxy-Connection: close
>
> Squid Object Cache: Version 2.5.STABLE1
> Start Time: Wed, 25 Jul 2007 07:47:47 GMT
> Current Time: Wed, 25 Jul 2007 10:01:36 GMT
> Connection information for squid:
>   Number of clients accessing cache: 20
>   Number of HTTP requests received: 768
>   Number of ICP messages received: 0
>   Number of ICP messages sent: 0
>   Number of queued ICP replies: 0
>   Request failure ratio: 0.00%
>   Average HTTP requests per minute since start: 5.7
>   Average ICP messages per minute since start: 0.0
>   Select loop called: 28597 times, 280.740 ms avg
> Cache information for squid:
>   Request Hit Ratios: 5min: 0.0%, 60min: 4.0%
>   Byte Hit Ratios: 5min: 13.3%, 60min: 5.2%
>   Request Memory Hit Ratios: 5min: 0.0%, 60min: 10.0%
>   Request Disk Hit Ratios: 5min: 0.0%, 60min: 90.0%
>   Storage Swap size: 18420 KB
>   Storage Mem size: 796 KB
>   Mean Object Size: 12.38 KB
>   Requests given to unlinkd: 5
> Median Service Times (seconds)  5 min    60 min:
>   HTTP Requests (All): 0.0 4.07741
>   Cache Misses: 0.0 18.48929

Given this very high time, I would try to access the internet directly, i.e. with no proxy configured on the client. If your internet access is slow, squid can't do much.

>   Cache Hits: 0.0 0.01235

As you can see, cache hits are served very fast. Therefore the server is not your primary bottleneck (IMHO).

>   Near Hits: 0.0 0.0
>   Not-Modified Replies: 0.0 0.0
>   DNS Lookups: 0.0 2.45286

You also have a very high dns lookup time. This certainly increases the latency perceived by users.

>   ICP Queries: 0.0 0.0
> Resource usage for squid:
>   UP Time: 8028.333 seconds
>   CPU Time: 1.160 seconds
>   CPU Usage: 0.01%
>   CPU Usage, 5 minute avg: 0.00%
>   CPU Usage, 60 minute avg: 0.01%
>   Maximum Resident Size: 0 KB
>   Page faults with physical i/o: 501
> Memory usage for squid via mallinfo():
>   Total space in arena: 3632 KB
>   Ordi
Re: [squid-users] Detecting and blocking child proxy servers
On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
> Is this possible? In other words, I want my proxy servers to detect
> squid or other proxy servers which are being used or operated by others
> besides me.

Maybe it is possible:
- if you know your network you can use header x_forwarded_for to detect unknown networks.
- if you want to allow only your proxy servers use http_access directive with acl which contains only your proxies
- try something like this:
  acl myproxy req_header Via MyProxy
  http_access allow myproxy
  http_access deny all
- use authentication
Re: [squid-users] setting up WCCP with multiple routers
On Wed, 2007-07-25 at 08:52 +0200, Arnaud Loonstra wrote:
> On Tue, 2007-07-24 at 22:25 +0200, Dalibor Dukic wrote:
> > On Tue, 2007-07-24 at 15:27 +0200, Arnaud Loonstra wrote:
> > > Hi,
> > >
> > > I can't seem to find any documentation about setting up squid with
> > > WCCPv2 and multiple cisco routers. So this might be good for the
> > > archives if someone helps me out here.
> >
> > What is the version of squid?
>
> It's the debian etch version:
> 2.6.5-6 (squid-2.6.STABLE5)
>

I had the same problems with debian etch. Update squid or patch it with:
- WCCPv2 disable PMTU-discovery (Bug #1584)
Re: [squid-users] SHOULD I NEED TO RECOMPILE THE KERNEL
> Hi Indunil,
>
> I don't think that you need to recompile your kernel. Which Squid version are you using?

squid-2.5.STABLE1-3.9

> Please post your squid.conf. Saying that Squid is SLOWER could mean a lot of things. It's very vague and an exact answer is not possible.

these are rules in my squid.conf

cache_mem 32 MB
cache_dir ufs /var/spool/squid 100 16 256
auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl maxip max_user_ip -s 1
acl ncsa_users proxy_auth REQUIRED
acl CSB_AUTH_CRIB proxy_auth uddikah sudathf newtonf nilankab warunaa sandunm
acl CSB_AUTH_BANK proxy_auth chamikarab
acl CSB_AUTH_SEY proxy_auth manjulan sriyanim apsaraa rohang gehanp
acl CSB_AUTH_AUD proxy_auth mahesht thivankat
acl DOMAINS_SEY dstdomain .eseylan.com .cbsl.lk .eseylanet.com
acl DOMAINS dstdomain .crib.lk .cbsl.lk
acl DOMAINS_CSB dstdomain .nsb.lk .peoplesbank.lk .nationstrust.com .hnb.lk .mbslbank.com .sampath.lk .hsbc.lk .combank.net .eseylan.com .bankofceylon.net
acl DOMAINS_AUD dstdomain .cbsl.lk .nsb.lk .peoplesbank.lk .nationstrust.com .hnb.net .mbslbank.com .sampath.lk .hsbc.lk .combank.net .bankofceylon.net .icasrilanka.com .centralbanklanka.org .auditnet.org .bankaudit.net .balancescorecard.org .netbankaudit.com .isaca.org .accaglobal.com .certifiedinternalauditor.org .bba.org.uk .accountingweb.co.uk .cima.org.uk .iasc.org.uk .icaew.co.uk .kpmg.co.uk .yahoo.com .auditserve.com .managementhelp.org .lankae.com .ceylicosavings.lk .cim.co.uk .amazon.com .ceylincosavings.lk .eseylan.com .eseylanet.com .dfccbank.com .unionb.com .standardchartered.com/lk .icicibank.com .pabcbank.com
#http_access deny maxip
http_access deny CSB_AUTH_SEY !DOMAINS_SEY
http_access deny CSB_AUTH_CRIB !DOMAINS
http_access deny CSB_AUTH_BANK !DOMAINS_CSB
http_access deny CSB_AUTH_AUD !DOMAINS_AUD
http_access allow ncsa_users

> Also posting your iptables firewall could help. Are you running Squid in transparent mode? How many users are you serving?

No firewall is running on that box. No transparent mode as well. Just running as usual. Clients are configured to use squid proxy server with ip address and port 3128 in their Internet Explorer and Firefox.

But there is a firewall running in front of that squid box.

about 27 users are using squid.

> Can you post the info from squidclient mgr:info ?

pls see below

[EMAIL PROTECTED] root]# squidclient mgr:info
HTTP/1.0 200 OK
Server: squid/2.5.STABLE1
Mime-Version: 1.0
Date: Wed, 25 Jul 2007 10:01:36 GMT
Content-Type: text/plain
Expires: Wed, 25 Jul 2007 10:01:36 GMT
Last-Modified: Wed, 25 Jul 2007 10:01:36 GMT
X-Cache: MISS from csbsl.com
Proxy-Connection: close

Squid Object Cache: Version 2.5.STABLE1
Start Time: Wed, 25 Jul 2007 07:47:47 GMT
Current Time: Wed, 25 Jul 2007 10:01:36 GMT
Connection information for squid:
  Number of clients accessing cache: 20
  Number of HTTP requests received: 768
  Number of ICP messages received: 0
  Number of ICP messages sent: 0
  Number of queued ICP replies: 0
  Request failure ratio: 0.00%
  Average HTTP requests per minute since start: 5.7
  Average ICP messages per minute since start: 0.0
  Select loop called: 28597 times, 280.740 ms avg
Cache information for squid:
  Request Hit Ratios: 5min: 0.0%, 60min: 4.0%
  Byte Hit Ratios: 5min: 13.3%, 60min: 5.2%
  Request Memory Hit Ratios: 5min: 0.0%, 60min: 10.0%
  Request Disk Hit Ratios: 5min: 0.0%, 60min: 90.0%
  Storage Swap size: 18420 KB
  Storage Mem size: 796 KB
  Mean Object Size: 12.38 KB
  Requests given to unlinkd: 5
Median Service Times (seconds)  5 min    60 min:
  HTTP Requests (All): 0.0 4.07741
  Cache Misses: 0.0 18.48929
  Cache Hits: 0.0 0.01235
  Near Hits: 0.0 0.0
  Not-Modified Replies: 0.0 0.0
  DNS Lookups: 0.0 2.45286
  ICP Queries: 0.0 0.0
Resource usage for squid:
  UP Time: 8028.333 seconds
  CPU Time: 1.160 seconds
  CPU Usage: 0.01%
  CPU Usage, 5 minute avg: 0.00%
  CPU Usage, 60 minute avg: 0.01%
  Maximum Resident Size: 0 KB
  Page faults with physical i/o: 501
Memory usage for squid via mallinfo():
  Total space in arena: 3632 KB
  Ordinary blocks: 3461 KB 51 blks
  Small blocks: 0 KB 0 blks
  Holding blocks: 200 KB 1 blks
  Free Small blocks: 0 KB
  Free Ordinary blocks: 171 KB
  Total in use: 3661 KB 96%
  Total free: 171 KB 4%
  Total size: 3832 KB
Memory accounted for:
  Total accounted: 1396 KB
  memPoolAlloc
Re: [squid-users] SHOULD I NEED TO RECOMPILE THE KERNEL
Indunil Jayasooriya wrote:
> Hi,
>
> I am still running Redhat 9 box with sendmail and squid. It is quite slow. It has only 128 MB RAM. So I upgraded it to 512 MB RAM. Now, It is running with 512 MB RAM. But, It is still slow. No progress has been achieved. Some users say it is slower than before. Actually, I also have noticed it is NOW SLOWER than before.
>
> WHY IS THAT?
>
> SHOULD I NEED TO RECOMPILE THE KERNEL as I installed a new 512 MB RAM ?
>
> help needed?

Hi Indunil,

I don't think that you need to recompile your kernel. Which Squid version are you using?

Please post your squid.conf. Saying that Squid is SLOWER could mean a lot of things. It's very vague and an exact answer is not possible.

Also posting your iptables firewall could help. Are you running Squid in transparent mode? How many users are you serving?

Can you post the info from squidclient mgr:info ?

Thanking you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
[squid-users] problem with transparent proxy
Greetings all,

I deployed a transparent proxy for the LAN using squid, everything is fine, but I found some of the sites will be blank (firefox) if you visit them through the proxy (HTTP/1.1 302 Object Moved instead of HTTP/1.1 200). But if I set:

forwarded_for off

it renders ok then, seems that this happens only on some MS IIS based sites. Could somebody explain to me why? rules against proxy?

Cheers,
Deephay
Re: [squid-users] log rotation
Yo!

On Wednesday 25 July 2007 10:20, Zbigniew Szalbot wrote:
> Hello,
>
> I have looked at wiki but cannot find information about log rotation
> (access & store logs).
>
> How can I do this? Or is it simply a matter of defining log rotation in
> newsyslog.conf (I am on a FreeBSD system)?

squid -k rotate

will tell squid to rotate its own logs!
Look in the well documented squid.conf.example file for this tag

logfile_rotate

and all will come clear.

You do not normally need the store log so set it to none in squid.conf.
Access and Cache logs are normally all you need!

Cheers
Ang

--
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED] Gauteng South Africa

Smile!! Jesus Loves You!!
[squid-users] log rotation
Hello,

I have looked at wiki but cannot find information about log rotation (access & store logs).

How can I do this? Or is it simply a matter of defining log rotation in newsyslog.conf (I am on a FreeBSD system)?

Thank you!

--
Zbigniew Szalbot
[squid-users] SHOULD I NEED TO RECOMPILE THE KERNEL
Hi,

I am still running Redhat 9 box with sendmail and squid. It is quite slow. It has only 128 MB RAM. So I upgraded it to 512 MB RAM. Now, It is running with 512 MB RAM. But, It is still slow. No progress has been achieved. Some users say it is slower than before. Actually, I also have noticed it is NOW SLOWER than before.

WHY IS THAT?

SHOULD I NEED TO RECOMPILE THE KERNEL as I installed a new 512 MB RAM ?

help needed?

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Help needed for squid with LDAP
Jagdeep Shrivastav wrote:
> Hi,
>
> Thanks for your prompt reply.
> I went through the url to complete the configuration, when I execute the command
>
> /usr/lib/squid/squid_ldap_auth -b "dc=my,dc=domain" ldapserver
> or
> /usr/lib/squid/squid_ldap_auth -b "dc=my,dc=domain" -h IPofLDAPServer
>
> and after providing the credentials I get the following error message
>
> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
> ERR Success.
>
> Can you please tell me where I am going wrong. It will be of great help if you can tell me the checklist for configuring the Squid with LDAP
>
> Thanks-
> Jagdeep

Try something like:

/usr/lib/squid/ldap_auth -R -b "dc=my,dc=domain" -D "cn=Administrator,cn=Users,dc=my,dc=domain" -w "Administrator's_Password" -f sAMAccountName=%s -h IPofLDAPServer

Regards,
D.Radel.
Re: [squid-users] Re: squid & ftp
So is there anything to be done on squid?

thanks for your help.

----- Original Message -----
From: RW <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Sent: Wednesday, July 25, 2007 4:42:27 AM
Subject: [squid-users] Re: squid & ftp

On Tue, 24 Jul 2007 15:22:22 +0200 Angela Williams <[EMAIL PROTECTED]> wrote:

> Hi!
> On Tuesday 24 July 2007 11:58, Nadeem Semaan wrote:
> > While trying to open ftp sites with IE, I usually get an error, when
> > opening the same site with firefox, I get prompted for credentials.
> > Is there anything that has to be done on Squid to have IE prompt for
> > passwords as well (probably TAG: ftp_user), or is this browser
> > specific. I mean is it the way that squid handles the requests?
>
> Good reason to trash Internot Exploder!
> In the Internet Options window choose the Advanced tab and make
> certain Use Passive FTP is checked!

Except that it's going through squid over an http connection so the client need not make a distinction between passive and active ftp.
Re: [squid-users] setting up WCCP with multiple routers
On Wed, Jul 25, 2007, Arnaud Loonstra wrote:
> On Tue, 2007-07-24 at 22:25 +0200, Dalibor Dukic wrote:
> > On Tue, 2007-07-24 at 15:27 +0200, Arnaud Loonstra wrote:
> > > Hi,
> > >
> > > I can't seem to find any documentation about setting up squid with
> > > WCCPv2 and multiple cisco routers. So this might be good for the
> > > archives if someone helps me out here.
> >
> > What is the version of squid?
>
> It's the debian etch version:
> 2.6.5-6 (squid-2.6.STABLE5)

Upgrade to the latest version of Squid-2.6 (stable14?) in case there's been any WCCPv2 fixes under Linux. I seem to recall one or two which Henrik solved in early 2.6's that related to multiple router support.

Adrian