Re: [squid-users] setting up WCCP with multiple routers
On Wed, 2007-07-25 at 12:57 +0200, Dalibor Dukic wrote:
> On Wed, 2007-07-25 at 08:52 +0200, Arnaud Loonstra wrote:
> > On Tue, 2007-07-24 at 22:25 +0200, Dalibor Dukic wrote:
> > > On Tue, 2007-07-24 at 15:27 +0200, Arnaud Loonstra wrote:
> > > > Hi,
> > > >
> > > > I can't seem to find any documentation about setting up squid with
> > > > WCCPv2 and multiple cisco routers. So this might be good for the
> > > > archives if someone helps me out here.
> > >
> > > What is the version of squid?
> >
> > It's the debian etch version:
> > 2.6.5-6 (squid-2.6.STABLE5)
>
> I had same problems with debian etch. Update squid or patch-it with:
> - WCCPv2 disable PMTU-discovery (Bug #1584)

I see, but is the configuration I did correct or not? Since I haven't had the chance of patching squid it'll be good to know if I did it the right way.

Rg,
Arnaud

Amarantis Onderwijsgroep is the parent organisation of the ISA schools and ROC ASA
Re: [squid-users] Firewall rule for dnsserver process on SquidNT-2.6 STABLE 13 on Windows
I am in touch with the Outpost team, Sir.

Regards

On 31/07/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On tis, 2007-07-31 at 11:06 +0530, Santosh Rani wrote:
> > Here is what I see in 'Alerts Tracker' in my Outpost Firewall Logs,
> >
> > 7/29/2007 6:28:20 PMAttempt to modify Outpost Firewall Pro files
> > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> > 7/29/2007 10:25:35 AMAttempt to modify Outpost Firewall Pro files
> > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> > 7/28/2007 1:03:47 PMAttempt to modify Outpost Firewall Pro files
> > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> >
> > Outpost thinks that Squid.exe is trying to modify it.
>
> And it's not..
>
> I guess this is a question for the firewall support...
>
> Regards
> Henrik
Re: [squid-users] setting up WCCP with multiple routers
On Wed, Aug 01, 2007, Arnaud Loonstra wrote:
> I see, But is the configuration I did correct or not? since I haven't
> had the chance of patching squid it'll be good to know if I did it the
> right way.

Meh, all of this is making me want to break apart the WCCPv2 code from Squid and have it run as a daemon, handling stuff like creating/tearing down GRE end-points and other related guff. Having people doing all of this stuff manually is starting to really irk me.

Any interest?

Adrian
[squid-users] Caching authenticated documents
Hi,

I'm working on making squid our new proxy service. The main goal of using squid is to save bandwidth between our distant sites.

I would like squid to cache authenticated documents (authorize basic auth) but to continue verifying user auth to the final server. If I add ignore-auth in squid config, the document is cached but no longer authenticated. If I make the server respond "Cache-control: public,proxy-revalidate" in headers the document is not cached. I've been playing with Cache-control parameters with no success (must-revalidate, s-maxage=0, ...).

What I would like is:
- For the first request on a document, the user sends the authorization header. The server sends the document, squid keeps it in cache.
- For the following requests on that document, the new authorization header is sent by squid to the server with an "If-Modified-Since" header to check cache validity. The server should respond "304 Not Modified" if user credentials are OK and the document is up to date in cache.

Any idea how to configure squid for that?

Rene
[squid-users] mixing ntlm and non-ntlm auth
Hi,

I'm running 2.6.STABLE6 on RHEL4.5, and I have ntlm authentication working via smb/winbind. My problem is that I have a mixed client base of windows PCs, which can do ntlm, and linux servers, which cannot. All the linux servers are on their own IP network, 192.168.0.0/24, while the windows PCs are in 192.168.0.1/24.

I would like to use ntlm auth for the windows PCs, and allow the linux machines to use the proxy without ntlm authentication. I have tried various combinations of acls, but I always end up in a position where all requests succeed without authentication, or the windows work but the linux clients fail with '407 authfail'.

My current config is:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl ntlmauth src 192.168.1.0/24
acl nonntlm src 192.168.0.0/24
acl AuthorizedUsers proxy_auth #with and without REQUIRED, no difference
http_access allow nonntlm
http_access allow AuthorizedUsers ntlmauth #have also tried 'ntlmauth AuthorizedUsers '

Is this possible? Can I configure squid to require ntlm auth for some source addresses, but not for others?

Thanks,
Gavin
Re: [squid-users] Problems with Cacheobject
Henrik Nordstrom wrote:
> On tis, 2007-07-31 at 14:29 +0200, Enrico Popp wrote:
>
>> I have a problem. In my company we use 2 different urls. I.e.
>> www.bla.org and www.bli.org. But after the urlstring the querystrings
>> are the same. Squid saved an object twice, if it is from www.bli.org and
>> www.bla.org with the same querystring. I'm sure this could be avoided.
>> My idea is to rewrite one url into another. I have read the squidGuard
>> help, but i can't find out any solution. Can squidGuard do this? Or any
>> other Idea?
>
> A two-line perl program would do just fine.
>
> #!/usr/bin/perl -p
> BEGIN {$|=1;}
> s%^http://www.bli.org%http://www.bla.org% && next
>
> Regards
> Henrik

And now can i include this into squid with url_rewrite_program /path/to/script? And if it is possible, where does this script get its input? The reason why i would do this is because i want to avoid saving the same object twice.

regards Enrico
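The same rewrite as a Squid url_rewrite_program helper in Python, added here as an example and not code from Henrik or from the Squid project. It assumes the Squid 2.6 helper line format "URL client_ip/fqdn ident method [urlgroup]", one request per line on stdin, and a reply of the rewritten URL or an empty line for no change; it matches on the whole host rather than a URL prefix, so hosts that merely start with www.bli.org are not rewritten.

```python
"""Added example (not Squid's or Henrik's code): a Squid 2.6 url_rewrite_program
helper in Python that merges www.bli.org into www.bla.org. Helper line format
assumed here: "URL client_ip/fqdn ident method [urlgroup]", one per line on
stdin; the reply is the rewritten URL, or an empty line for no change."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping of duplicate hosts to the canonical one.
ALIASES = {"www.bli.org": "www.bla.org"}


def rewrite(url):
    """Return the canonical URL, or None when the request needs no rewrite.
    The match is on the whole host, so http://www.bli.org.example/ is left
    alone, whereas a prefix regex such as ^http://www.bli.org would hit it."""
    parts = urlsplit(url)
    canonical = ALIASES.get(parts.hostname.lower() if parts.hostname else "")
    if canonical is None:
        return None
    netloc = canonical + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def handle_line(line):
    """One helper request line in, one reply line out (without the newline)."""
    fields = line.split()
    if not fields:
        return ""
    return rewrite(fields[0]) or ""


def main():
    for line in sys.stdin:            # Squid sends one request per line
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()            # unbuffered, like BEGIN {$|=1;} in the perl


if __name__ == "__main__":
    main()
```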
[squid-users] cannot block a particular website
Hi all

I want to block sites over my network, but i'm unable to do it...

1) google chat
The simple acl said that it would be blocked through acl statements, but that never helped me; finally i took the help of the hosts file and solved the problem. I edited the hosts file and made the following entry
127.0.0.1 chatenabled.mail.google.com
And now its working as i had required.

2) www.nseindia.com & online video clip sites like youtube.com and others.
I'm not finding a proper solution for blocking these particular sites...

I'm pasting my squid configuration file.
__
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 1500 Mb
cache_dir aufs /var/spool/squid 3000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
log_mime_hdrs on
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
# this is to block the sites, lets c how it works
acl go4_sites dstdom_regex -i "/etc/squid/blocked/bsite.acl"
acl go2 url_regex -i ^http://www.nseindia.com/
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl block_port port 5269
acl office port 8383
acl google_block port 5222 5223
http_access allow safe_ports
http_access allow manager localhost
http_access allow office
http_access deny manager
http_access deny go4_sites
http_access deny go2
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access deny !block_port
http_access deny !google_block
#This didn't work out as i wished to
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
#http_access allow localhost
http_access allow all
http_reply_access allow all
icp_access allow all
visible_hostname linux
httpd_accel_host linux
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
logfile_rotate 9
deny_info ERR_BLOCKED_FILES f29
deny_info ERR_BLOCKED_FILES junklist
#acl denydomain dstdomain talk.google.com
#http_access deny denydomain
error_directory /usr/share/squid/errors
coredump_dir /var/spool/squid

bsite.acl has only one name of the site ie. .nseindia.com

Please give any suggestion as i'm very desperate in doing this...

Mayuresh M Murkunde
Gujarat, India
Email: [EMAIL PROTECTED]
[squid-users] cache_peer options
Hello all,

In squid-2.6 the cache_peer directive has the option "group=name", but there is no explanation of it in the squid.conf file. Could you explain how to use this option?
Re: [squid-users] cannot block a particular website
Mayuresh M Murkunde wrote:
> Hi all
> I want to block sites over my network, but i'm unable to do it...
> 1) google chat
> The simple acl said that it would be blocked through acl statements,
> but that never helped me; finally i took the help of the hosts file and
> solved the problem. I edited the hosts file and made the following entry
> 127.0.0.1 chatenabled.mail.google.com
> And now its working as i had required.
> 2) www.nseindia.com & online video clip sites like youtube.com and others.
> I'm not finding a proper solution for blocking these particular sites...
> I'm pasting my squid configuration file.

I see your problem immediately.

Firstly - *_access are checked in sequence with first match being used.
Secondly - "deny !x" means immediately deny everything not listed in x

Between those two details you should be able to see the problem also.

Try replacing all your twisted http_access with these (in this order):

acl nseindia dstdomain .nseindia.com
acl youtube dstdomain .youtube.com

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow office
http_access deny google_block
http_access deny nseindia
http_access deny youtube
http_access allow our_networks
http_access deny all

OR if you don't like the length of the allow our_networks line you could use:

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> # this is to block the sites, lets c how it works
> acl go4_sites dstdom_regex -i "/etc/squid/blocked/bsite.acl"
> acl go2 url_regex -i ^http://www.nseindia.com/

eww, DONT use regex unless you absolutely have to have a regex expression. The above is better done with a 'dstdomain' ACL:

acl nseindia dstdomain .nseindia.com

> visible_hostname linux

This should be a FQDN ie linux.example.com

> httpd_accel_host linux
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

Hmm, squid 2.5 config. If you need transparency upgrade to 2.6, much easier and better for it.

> logfile_rotate 9
> deny_info ERR_BLOCKED_FILES f29
> deny_info ERR_BLOCKED_FILES junklist
> #acl denydomain dstdomain talk.google.com
> #http_access deny denydomain

yep another useless http_access line.

HTH
Amos
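To make the two rules in the reply above concrete (first match wins; "deny !x" denies everything outside x), here is an added Python model of Squid's http_access evaluation, not code from Squid or from anyone in the thread. It runs both the posted rule order and the reordered one over constructed sample requests; ACL names are compared case-insensitively, the cache-manager ACL is modelled as a request scheme, and the two nseindia ACLs are collapsed into one dstdomain ACL, all assumptions of the model.

```python
"""Added example (not Squid code, not from the thread): simulate Squid's
first-match http_access evaluation over this thread's ACLs. ACL names are
compared case-insensitively here, an assumption of the model."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str              # client IP address
    host: str             # destination host name
    port: int             # destination port
    method: str = "GET"
    scheme: str = "http"  # "cache_object" for cache-manager requests

def acl_src(*nets):
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)

def acl_port(*spec):  # accepts 80 or "1025-65535"
    rng = [(int(a), int(b or a)) for a, _, b in (str(s).partition("-") for s in spec)]
    return lambda r: any(lo <= r.port <= hi for lo, hi in rng)

def acl_dstdomain(*doms):  # ".x.com" matches x.com and every subdomain, as Squid does
    return lambda r: any(r.host == d.lstrip(".") or (d[0] == "." and r.host.endswith(d))
                         for d in doms)

def evaluate(rules, acls, req):
    """First http_access line whose terms all match decides ('!' negates a term).
    An undefined ACL name raises KeyError, where Squid would refuse to start.
    With no match at all Squid applies the opposite of the last line's action."""
    for i, (action, *terms) in enumerate(rules):
        if all(acls[t.lstrip("!").lower()](req) != t.startswith("!") for t in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

ACLS = {
    "manager": lambda r: r.scheme == "cache_object", "localhost": acl_src("127.0.0.1/32"),
    "ssl_ports": acl_port(443, 563), "connect": lambda r: r.method == "CONNECT",
    "safe_ports": acl_port(80, 21, 443, 563, 70, 210, "1025-65535", 280, 488, 591, 777),
    "block_port": acl_port(5269), "office": acl_port(8383), "google_block": acl_port(5222, 5223),
    "nseindia": acl_dstdomain(".nseindia.com"),  # stands in for both go4_sites and go2
    "youtube": acl_dstdomain(".youtube.com"),
    "our_networks": acl_src("192.168.1.0/24", "192.168.2.0/24"), "all": acl_src("0.0.0.0/0"),
}
POSTED = [  # the order in the original post, nseindia lines collapsed into one
    ("allow", "safe_ports"), ("allow", "manager", "localhost"), ("allow", "office"),
    ("deny", "manager"), ("deny", "nseindia"), ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "!Safe_ports"), ("deny", "!block_port"), ("deny", "!google_block"),
    ("allow", "our_networks"), ("deny", "all"), ("allow", "all"),
]
SUGGESTED = [  # the reordered list from the reply
    ("allow", "manager", "localhost"), ("deny", "manager"), ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"), ("allow", "office"), ("deny", "google_block"),
    ("deny", "nseindia"), ("deny", "youtube"), ("allow", "our_networks"), ("deny", "all"),
]
# Constructed sample requests from a client inside our_networks.
NSE = Request("192.168.1.20", "www.nseindia.com", 80)
GTALK = Request("192.168.1.20", "talk.google.com", 5222)
PLAIN = Request("192.168.1.20", "www.example.com", 8080)

def decide(rules, req):
    """Return (action, index of the deciding line) for one request."""
    return evaluate(rules, ACLS, req)
```

With the posted order every request is allowed by the first line, because 5222 and 8080 also fall inside the 1025-65535 Safe_ports range; dropping that first line instead lets "deny !block_port" reject every port except 5269.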
[squid-users] Squid performance lagging Apache
I have a test bed using siege. The test runs 23400 hits against 19 static http items. Squid, delivering all from memory, runs roughly 75% of the throughput of raw Apache or Apache proxy. The siege "client" box has plenty of ports so that TIME_WAIT is not an issue. The client and server have a direct 1Gbit ethernet wire between them. The boxes are multi-core Xeons at 2.6G with 8G ram, running Debian Etch Amd64 (2.6 kernel). The build has epoll() enabled. Single core hits roughly 80% with squid. With squid tests, a third box was running Apache to supply http content but not accessed due to caching.

Any suggestions as to what might raise the throughput of squid to approach / exceed apache2? Any recommended profiling techniques?

Note: I later configured 2 squid instances on the same box and divided the 23400 evenly between them. The throughput was constant, same as if one instance. CPU cores hovered around 37-40% during test.

Summary: plenty of ram, disk not used, extra CPU power ... seems like an issue of socket throughput ...

Thanks,
Matthew
Re: [squid-users] Squid performance lagging Apache
On Wed, Aug 01, 2007, Matthew Von Maszewski wrote:
> I have a test bed using siege. The test runs 23400 hits against 19
> static http items. Squid, delivering all from memory, runs roughly
> 75% of the throughput of raw Apache or Apache proxy. The siege
> "client" box has plenty of ports so that TIME_WAIT is not an issue.
> The client and server have a direct 1Gbit ethernet wire between them.

Can you run oprofile under Amd64 on those boxes? I'd like to know exactly where Squid's spending its time. My guess is that its spending a stupid amount of time in headersEnd() and memset() in your tests.

Adrian
Re: [squid-users] Squid performance lagging Apache
Minor note: disabling hyperthreading gained roughly 5% in squid ... apache not measured (yet).

On Aug 1, 2007, at 12:18 PM, Adrian Chadd wrote:
> On Wed, Aug 01, 2007, Matthew Von Maszewski wrote:
> > I have a test bed using siege. The test runs 23400 hits against 19
> > static http items. Squid, delivering all from memory, runs roughly
> > 75% of the throughput of raw Apache or Apache proxy. The siege
> > "client" box has plenty of ports so that TIME_WAIT is not an issue.
> > The client and server have a direct 1Gbit ethernet wire between them.
>
> Can you run oprofile under Amd64 on those boxes? I'd like to know exactly
> where Squid's spending its time. My guess is that its spending a stupid
> amount of time in headersEnd() and memset() in your tests.
>
> Adrian
[squid-users] Slow connection through proxy
Hi All,

I have a problem with my proxy and Windows clients on certain ip ranges on my network.

I've just upgraded my network from a single LDAP/Samba server running on Mandriva 2007 to a dual redundant setup with DNS, NTP and LDAP master/slave on two servers with a separate PDC and BDC pair authenticating and providing file shares. Authentication on the network for users is fast as lightning. On the old network I had a Mandriva 2007 box with Squid proxying and NTLM auth and this machine has been moved to the new setup.

Clients are spread across three IP ranges 172.20.0., 172.20.1. and 172.20.2. with the 0 range being assigned static IPs and the one and two ranges collecting an IP from DHCPD. If I connect a client to the network, it obtains an address from the DHCP server along with DNS, gateway and WINS server settings but the connection via Squid is slow e.g. 30-120 seconds to obtain a page. If I take the settings from ipconfig and enter them manually but with an IP in the 172.20.0 range, it works perfectly with pages appearing within 1-2 seconds.

nslookup returns IP's within a second on the proxy and clients and su'ing to a user account on the proxy takes a split second, suggesting that nss and pam_smb are authenticating OK. On the old network, the proxy worked fine across all three IP ranges, on the new it behaves as above.

Is there anywhere I should be looking in particular for clues to this one? I'll be out of the office until Monday but I'll check the mail as soon as I can for a reply.

Many thanks,
Julian PB
Re: [squid-users] Route domain through different gateway
On Mon, 30 Jul 2007 03:36:08 +0200 Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > For this you use tcp_outgoing_address combined with policy routing in > your OS to route the traffic to the right gateway based on the source IP > set by Squid. Does it work with follow_x_forwarded_for? I have the following setup: follow_x_forwarded_for allow localhost acl our_networks src 192.168.0.0/24 192.168.2.0/24 acl my_ip src 84.32.xx.xx http_access allow our_networks http_access allow my_ip tcp_outgoing_address 81.7.xx.xx my_ip tcp_outgoing_address 193.219.xx.xx server_persistent_connections off If my X-Forwarded-For address is 84.32.xx.xx, outgoing address is 193.219.xx.xx, while it should be 81.7.xx.xx, right? If I change 2nd tcp_outgoing_address line to tcp_outgoing_address 81.7.xx.xx then outgoing adress is 81.7.xx.xx. If I don't use follow_x_forwarded_for everything works OK. squid-2.6.STABLE13. After searching a bit, I found http://www.squid-cache.org/bugs/show_bug.cgi?id=1886. The patch in it is a bit incorrect. The corrected patch is attached and it works with my setup. Regards, Nerijusdiff -ur squid-2.6.STABLE13.orig/src/forward.c squid-2.6.STABLE13/src/forward.c --- squid-2.6.STABLE13.orig/src/forward.c 2007-04-17 12:35:17.0 +0300 +++ squid-2.6.STABLE13/src/forward.c 2007-08-02 03:05:47.0 +0300 @@ -424,7 +424,12 @@ aclCheck_t ch; memset(&ch, '\0', sizeof(aclCheck_t)); if (request) { - ch.src_addr = request->client_addr; +#if FOLLOW_X_FORWARDED_FOR + if (Config.onoff.acl_uses_indirect_client) { + ch.src_addr = request->indirect_client_addr; + } else +#endif /* FOLLOW_X_FORWARDED_FOR */ + ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; ch.my_port = request->my_port; ch.request = request; 
@@ -438,7 +443,12 @@ aclCheck_t ch; memset(&ch, '\0', sizeof(aclCheck_t)); if (request) { - ch.src_addr = request->client_addr; +#if FOLLOW_X_FORWARDED_FOR + if (Config.onoff.acl_uses_indirect_client) { + ch.src_addr = request->indirect_client_addr; + } else +#endif /* FOLLOW_X_FORWARDED_FOR */ + ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; ch.my_port = request->my_port; ch.request = request;
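Review bot: in the hunk at @@ -424,7 +424,12 @@ the `else` is left dangling in front of `#endif /* FOLLOW_X_FORWARDED_FOR */`, with `ch.src_addr = request->client_addr;` serving as its body from outside the conditional compilation. It compiles either way, but any statement later inserted between `#endif` and that assignment silently becomes the else body when the macro is on and runs unconditionally when it is off. Safer is to brace the else branch inside the `#if` and carry the plain `ch.src_addr = request->client_addr;` in an `#else` block, so each build mode has one complete if/else.

Review bot: the hunk at @@ -438,7 +443,12 @@ is a verbatim copy of the first one, including the same dangling `else`, and the context lines show both call sites filling the same `aclCheck_t` fields (`src_addr`, `my_addr`, `my_port`, `request`) from `request`. Factoring that into one small static helper (a hypothetical name such as `fwdAclCheckFromRequest(&ch, request)`) would keep the two sites in sync, which matters here since this patch exists to correct an earlier version of the same change.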
Re: [squid-users] Squid on shared server?
On 8/1/07, Daniel Bearer <[EMAIL PROTECTED]> wrote:
> Is it possible to run Squid on a virtual/shared server?

There's nothing unique about Squid which would preclude it from running on a virtual server, or as an ordinary user on a shared server.

The bare minimum necessary for Squid to run is creation and read access to a couple of static directories containing read-only configuration files and support files (error pages, icons, etc), the ability to bind a TCP port to accept connections, and the ability to open outgoing connections for DNS lookups and to fetch content. Oh, and the ability to malloc() a goodly amount of RAM :)

If you're just looking to run a proxy, you might find that Squid is overkill for your needs.

Kevin
[squid-users] Squid on shared server?
Hello,

Is it possible to run Squid on a virtual/shared server?

Thanks,
db
Re: [squid-users] Firewall rule for dnsserver process on SquidNT-2.6 STABLE 13 on Windows
Sir,

The problem is resolved with the help of Firewall Support. One question here, what if I want to have a separate dnsserver.exe like in the case of Squid 2.5 STABLE3-NT. There just by allowing the dnsserver.exe in Firewall, Squid has no problems.

Regards
Santosh Rani

> On 8/1/07, Santosh Rani <[EMAIL PROTECTED]> wrote:
> > I am in touch with the Outpost team, Sir.
> > Regards
> >
> > On 31/07/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > > On tis, 2007-07-31 at 11:06 +0530, Santosh Rani wrote:
> > > > Here is what I see in 'Alerts Tracker' in my Outpost Firewall Logs,
> > > >
> > > > 7/29/2007 6:28:20 PMAttempt to modify Outpost Firewall Pro files
> > > > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> > > > 7/29/2007 10:25:35 AMAttempt to modify Outpost Firewall Pro files
> > > > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> > > > 7/28/2007 1:03:47 PMAttempt to modify Outpost Firewall Pro files
> > > > is prevented.Application: squid, Path: D:\xz\sbin\squid.exe
> > > >
> > > > Outpost thinks that Squid.exe is trying to modify it.
> > >
> > > And it's not..
> > >
> > > I guess this is a question for the firewall support...
> > >
> > > Regards
> > > Henrik