Re: [squid-users] Regular Expression
Matus UHLAR - fantomas wrote:
> On 02.08.07 11:30, Enrico Popp wrote:
>> I have a problem with a regular expression in squidGuard. I'm using the following regex:
>> [EMAIL PROTECTED]://www.main.example.org/(.+)@http://[EMAIL PROTECTED]
> where did you get the regex?
>> Now the problem is that http://example.org contains no query string after this rewrite.
> [EMAIL PROTECTED]://www.main.example.org/@http://www.example.org/@r should work, but I'm not sure what the 'r' modifier does... something squidguard-ish?
Yes, this works fine. If I had a query string like
[EMAIL PROTECTED]://www.main.example.org/blbl/nbblbl/[EMAIL PROTECTED]://www.example.org/@r
then the URL is only http://www.example.org/ without the rest. I want only to rewrite the subdomain into the domain, and the rest of the subdomain URL should be retained. In my opinion the 'r' modifier means that the client gets a 302 - moved temporarily.
kind regards
Enrico
[squid-users] username and password in TRANSPARENT mode
Hi, I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
-- Thank you Indunil Jayasooriya
[squid-users] Squid and PPPoE - peculiar things
Has anyone experienced peculiar things with Squid and PPPoE? I have a setup where Squid is doing transparent tproxy for PPPoE and non-PPPoE users; however, the experience is that when squid is serving the cached files for PPPoE users, it's slower than a commercial product. Is it possible that this is an MTU problem? Does it make sense to change the ethernet interfaces to have a smaller MTU (matching a typical PPPoE config)? Or do I have to add an iptables rule to clamp-mss-to-pmtu? I already have httpd_accel_no_pmtu_disc off as the default value. Regards.
Re: [squid-users] username and password in TRANSPARENT mode
Hi, Indunil Jayasooriya wrote:
> I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
Please see: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-7cfff26a112769fccff8f4d507961cd27ebe5eac
Neil.
-- Neil Hillard [EMAIL PROTECTED] AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.
[squid-users] performance problem or not ?
I'm running squid (squid-2.6.STABLE6-4.el5) on an old IBM x330 server (2x 1266MHz PIII, 1GB RAM, 2 mirrored 36GB disks for OS and 20GB squid-spool), serving set-top-boxes' access to the internet. We have a feeling the proxy may be slow, but can't really pinpoint what the problem might be. Could somebody please have a look at the numbers below to see if something stands out as a potential performance problem?

Some stats from calamaris for the last 24 hours:

Proxy statistics
  Total amount: requests                                      2818623
  unique hosts/users: hosts                                      3427
  Total Bandwidth: Byte                                        15607M
  Max. Bandwidth usage: MBit/sec                                 4.42
  Proxy efficiency (HIT [kB/sec] / DIRECT [kB/sec]): factor     10.45
  Average speed increase: %                                    100.25
  TCP response time of 100% of requests: msec                     130

Cache statistics
  Total amount cached: requests                               2088373
  Request hit rate: %                                           74.09
  Bandwidth savings: Byte                                       8640M
  Bandwidth savings in Percent (Byte hit rate): %               55.36
  Average cached object size: Byte                               4338
  Average direct object size: Byte                              10004
  Average object size: Byte                                      5806

Incoming request peak
  429/second   6439/minute   238080/hour

TCP-Request duration distribution
  msec      hits    byte
  <= 10      48%     23%
  <= 100     85%     60%
  <= 1000    99%     86%

File descriptors in use by squid are normally between 50-150, with peaks of 200-1000 once a week. CPU usage is seldom above 10%, with 1-2% iowait and less than 1% system CPU.

-jf
Re: [squid-users] username and password in TRANSPARENT mode
On Mon, Aug 06, 2007, Indunil Jayasooriya wrote:
> Hi, I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
I don't know why this isn't better documented, alas. No, transparent interception doesn't function with proxy authentication. It's a shortcoming of the HTTP RFC spec. I hear rumours about commercial products supporting cookie-type hacks to do authentication but I've never seen it live. Use WPAD+proxy.pac to autodiscover proxy services for a LAN.
Adrian
Re: [squid-users] Squid and PPPoE - peculiar things
On Mon, Aug 06, 2007, Ming-Ching Tiew wrote:
> Has anyone experienced peculiar things with Squid and PPPoE? I have a setup where Squid is doing transparent tproxy for PPPoE and non-PPPoE users; however, the experience is that when squid is serving the cached files for PPPoE users, it's slower than a commercial product. Is it possible that this is an MTU problem? Does it make sense to change the ethernet interfaces to have a smaller MTU (matching a typical PPPoE config)? Or do I have to add an iptables rule to clamp-mss-to-pmtu? I already have httpd_accel_no_pmtu_disc off as the default value.
You're going to have to be slightly more detailed than that. "slower than a commercial product when serving cached files" could mean anything. Try modifying the routing table to always present a lower MTU, check what the path between the Squid and the PPPoE client looks like, do some transfer tests between a PPPoE client and the Squid server itself (eg via thttpd on the squid server); try to nail down what exactly constitutes it being "not fast".
Adrian
[squid-users] Cache authenticated content?
Hi All I've been unable to find an answer to this from Google or searching the web archives of the list, but perhaps someone here can help. Our project ingests feed data from upstream providers, and we're trying to use squid to cache that data for our various development systems, so as not to frag the feed providers with requests. Squid however seems rather reluctant to cache the content (X-Cache: MISS constantly). We presume that this is because the providers require basic authentication. There are no other cache/expiry related headers on the content. Does our diagnosis about authentication sound correct? If so, is there any way to configure squid to cache the authenticated content? Thanks in advance Tom
Re: [squid-users] performance problem or not ?
Assuming you're running with diskd/aufs rather than ufs then I think your numbers are alright. The default caching rules are quite permissive and result in less caching than what might be possible, but more correct caching. You've paid for a support contract via Redhat - I suggest talking to them about it. :)
Adrian
On Mon, Aug 06, 2007, Jan-Frode Myklebust wrote:
> I'm running squid (squid-2.6.STABLE6-4.el5) on an old IBM x330 server (2x 1266MHz PIII, 1GB RAM, 2 mirrored 36GB disks for OS and 20GB squid-spool), serving set-top-boxes' access to the internet. We have a feeling the proxy may be slow, but can't really pinpoint what the problem might be. Could somebody please have a look at the numbers below to see if something stands out as a potential performance problem?
> Some stats from calamaris for the last 24 hours:
> Proxy statistics - requests 2818623; unique hosts 3427; total bandwidth 15607M bytes; max. bandwidth usage 4.42 MBit/sec; proxy efficiency (HIT [kB/sec] / DIRECT [kB/sec]) factor 10.45; average speed increase 100.25%; TCP response time of 100% of requests 130 msec.
> Cache statistics - total cached 2088373 requests; request hit rate 74.09%; bandwidth savings 8640M bytes (byte hit rate 55.36%); average cached object size 4338 bytes; average direct object size 10004 bytes; average object size 5806 bytes.
> Incoming request peak - 429/second, 6439/minute, 238080/hour.
> TCP-Request duration distribution (msec: hits / bytes) - <= 10: 48% / 23%; <= 100: 85% / 60%; <= 1000: 99% / 86%.
> File descriptors in use by squid are normally between 50-150, with peaks of 200-1000 once a week. CPU usage is seldom above 10%, with 1-2% iowait and less than 1% system CPU.
> -jf
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
Re: [squid-users] username and password in TRANSPARENT mode
Dear Indunil, ncsa_auth is not compatible with transproxy. If transproxy works, authentication won't, and vice versa. I did try this thing on my box but failed.. Sussane Andrews http://healthtreatments.blogspot.com
Indunil Jayasooriya wrote:
> Hi, I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
Re: [squid-users] username and password in TRANSPARENT mode
Hi, Adrian Chadd wrote:
> On Mon, Aug 06, 2007, Indunil Jayasooriya wrote:
>> I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
> I don't know why this isn't better documented, alas. No, transparent interception doesn't function with proxy authentication. It's a shortcoming of the HTTP RFC spec. I hear rumours about commercial products supporting cookie-type hacks to do authentication but I've never seen it live. Use WPAD+proxy.pac to autodiscover proxy services for a LAN.
It's documented in the FAQ (hence my previous reply)! I can't see how it's a shortcoming of the protocol. If the browser isn't aware that there is a proxy then why would it (why should it) try to authenticate to one? Tell it that a proxy exists and it's more than happy to authenticate. Interception is less than ideal.
Neil.
-- Neil Hillard [EMAIL PROTECTED] AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.
Re: [squid-users] Cache authenticated content?
Hello Tom, I was working on a similar problem last week. I've read the squid sources to understand how it works exactly, and the answer is yes: if the content needs authentication it will not be cached by default. You will get a MISS each time you request the same document. If you configure squid to ignore authentication (refresh_pattern ignore-auth option), it will cache the document but users won't need to authenticate for the following requests. I guess this is not what you want. I had to configure the web server to add this new header in the authenticated replies:
Cache-Control: max-age=0, must-revalidate, public
The public keyword allows squid to store the content of the reply. The max-age=0 option forces squid to check if the stored document is up to date on the next requests. As a consequence it will also check authentication and user access. The must-revalidate keyword is here to force all caches (private and public) to check content validity on the next request (will check auth). If you can't modify the web server replies, I don't know how to do this without modifying squid source code.
Regards, René
On Mon 6 Aug 2007 11:04, Tom Dunstan wrote:
> Hi All, I've been unable to find an answer to this from Google or searching the web archives of the list, but perhaps someone here can help. Our project ingests feed data from upstream providers, and we're trying to use squid to cache that data for our various development systems, so as not to frag the feed providers with requests. Squid however seems rather reluctant to cache the content (X-Cache: MISS constantly). We presume that this is because the providers require basic authentication. There are no other cache/expiry related headers on the content. Does our diagnosis about authentication sound correct? If so, is there any way to configure squid to cache the authenticated content? Thanks in advance, Tom
[squid-users] Fwd: username and password in TRANSPARENT mode
Hi Hendrik, Could you please give a good explanation for the matter below? I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
-- Thank you Indunil Jayasooriya
Re: [squid-users] authentication ip ttl reset
Hi, Thanks for the tip, but reconfigure does not help. I will try to get some time and make a patch for it some day. Until then, service outages... :( Bye, Bgs
Adrian Chadd wrote:
> On Thu, Aug 02, 2007, Bgs wrote:
>> Is there a way to reset/clear the authentication/IP table without restarting squid? We use this feature but from time to time we would need to clear the table (or just a single user) from it, but the proxy is heavily used and we do not want to create those grace-time-long outages.
> If a squid -k reconfigure / squid -k reload doesn't do it, I'm sure it's possible to patch squid to do it via cachemgr..
> Adrian
Re: [squid-users] Fwd: username and password in TRANSPARENT mode
Hi, Indunil Jayasooriya wrote:
> Hi Hendrik, Could you please give a good explanation for the matter below? I am running squid with the ncsa_auth feature. I have configured the client browser to use the squid proxy server with its IP address and port 3128. All works fine. Then I configured SQUID in TRANSPARENT mode, and I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode? This happened in SQUID 2.5.
No matter how many times you ask, the answer will be the same. Read the FAQ at: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-7cfff26a112769fccff8f4d507961cd27ebe5eac You may also care to search the archives as this question has been asked many times before. BTW, Henrik's name does not contain a 'd'!
Neil.
-- Neil Hillard [EMAIL PROTECTED] AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.
Re: [squid-users] authentication ip ttl reset
On Mon, Aug 06, 2007, Bgs wrote:
> Hi, Thanks for the tip, but reconfigure does not help. I will try to get some time and make a patch for it some day. Until then, service outages... :(
* Would anyone like to donate to the Squid project to see this get done?
* Assuming a donation or two takes place, would anyone like a t-shirt for this? :) (I've offered T-Shirts for various other bits and pieces but no one yet has completed any of the tasks!)
Adrian
Re: [squid-users] username and password in TRANSPARENT mode
On Mon, Aug 06, 2007, Neil A. Hillard wrote: I can't see how it's a shortcoming of the protocol. If the browser isn't aware that there is a proxy then why would it (why should it) try to authenticate to one? Tell it that a proxy exists and it's more than happy to authenticate. Interception is less than ideal. Look at how a browser talks directly to an origin server when presenting (HTTP Basic) authentication credentials, and what a proxy ends up doing with those. Adrian
Re: [squid-users] username and password in TRANSPARENT mode
Adrian, Adrian Chadd wrote: On Mon, Aug 06, 2007, Neil A. Hillard wrote: I can't see how it's a shortcoming of the protocol. If the browser isn't aware that there is a proxy then why would it (why should it) try to authenticate to one? Tell it that a proxy exists and it's more than happy to authenticate. Interception is less than ideal. Look at how a browser talks directly to an origin server when presenting (HTTP Basic) authentication credentials, and what a proxy ends up doing with those. The browser knows it is talking to the origin server so will support basic auth. If you stick an intercepting proxy in the way and then use basic auth then how do you authenticate to the origin server? You have to have two headers and then tell the browser to use the proxy (and therefore the proxy auth header). Neil. -- Neil Hillard[EMAIL PROTECTED] AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.
Re: [squid-users] username and password in TRANSPARENT mode
On Mon, Aug 06, 2007, Neil A. Hillard wrote:
> The browser knows it is talking to the origin server so will support basic auth. If you stick an intercepting proxy in the way and then use basic auth then how do you authenticate to the origin server? You have to have two headers and then tell the browser to use the proxy (and therefore the proxy auth header).
Yes, but the browser doesn't know that it has to authenticate to an intermediate until it's asked via a 407. The specification doesn't cover transparently intercepted connections in this instance. (Or did it via a proxy required status? Henrik knows the HTTP nuances better than I.) In any case, the specification wasn't clear, UAs don't handle Proxy Authentication Required right when they don't have an explicit proxy set, and thus you can't pull off that potentially useful (and potentially security hazardous!) trick.
Adrian
Re: [squid-users] Regular Expression
>> [EMAIL PROTECTED]://www.main.example.org/@http://www.example.org/@r should work, but I'm not sure what the 'r' modifier does... something squidguard-ish?
> Yes, this works fine. If I had a query string like [EMAIL PROTECTED]://www.main.example.org/blbl/nbblbl/[EMAIL PROTECTED]://www.example.org/@r then the URL is only http://www.example.org/ without the rest. I want only to rewrite the subdomain into the domain, and the rest of the subdomain URL should be retained. In my opinion the 'r' modifier means that the client gets a 302 - moved temporarily.
> kind regards Enrico
Please, someone explain what the r modifier does. I've searched books and googled for it but couldn't find any reference to the r modifier for substitution.
Thanks, Manoj
[squid-users] Re: Fwd: username and password in TRANSPARENT mode
On Mon, 2007-08-06 at 15:19 +0530, Indunil Jayasooriya wrote:
> Then, I configured SQUID in TRANSPARENT mode. Then, I lost the user name and password feature. Is it NORMAL in TRANSPARENT mode?
This is a FAQ, and is also written in bold in the squid.conf comments. Why do you expect browsers to be willing to perform proxy authentication to what they think is the origin web server? To use proxy authentication the browser MUST be configured to use a proxy, one way or another. For ease of configuration look into WPAD.
Regards Henrik
Re: [squid-users] Drop semi-dead peer upon zero sized replies
On Fri, 2007-08-03 at 10:25 +1200, [EMAIL PROTECTED] wrote:
> We now provide an Authoritative Configuration Manual for each version of squid. These manuals are built daily and directly from the squid source code to provide the most up to date information on squid options.
Yes. It's an online browsable version of the information found in squid.conf.default.
> Recent releases of squid now come packaged with a copy of their Manual built during the release process.
No they don't, not yet at least. But probably should do that for the 3.0 release..
Re: [squid-users] Firewall rule for dnsserver process on SquidNT-2.6 STABLE 13 on Windows
On Thu, 2007-08-02 at 10:00 +0530, Santosh Rani wrote:
> Sir, The problem is resolved with the help of Firewall Support. One question here: what if I want to have a separate dnsserver.exe like in the case of Squid 2.5 STABLE3-NT? There, just by allowing dnsserver.exe in the Firewall, Squid has no problems.
Then you need to rebuild Squid with the --disable-internal-dns configure option. And keep in mind that this won't perform well under load.
Regards Henrik
Re: [squid-users] Caching authenticated documents
On Wed, 2007-08-01 at 10:23 +0200, René GARCIA wrote:
> If I make the server respond Cache-control: public,proxy-revalidate in headers the document is not cached.
Does the document have any cache validator? (Last-Modified/ETag) Without a cache validator there is nothing the cache can use to ask the origin server if the document has been changed, and it won't be cached unless it's considered fresh for some time (by default min 60 seconds).
Regards Henrik
Re: [squid-users] Problems with Cacheobject
On Wed, 2007-08-01 at 10:17 +0200, Enrico Popp wrote:
>> A two-line perl program would do just fine.
>>
>> #!/usr/bin/perl -p
>> BEGIN {$|=1;}                 # unbuffered stdout: Squid waits for each reply line
>> s%^http://www.bli.org%http://www.bla.org%;   # rewrite the URL at the start of each request line
>>
>> Regards Henrik
> And now can I include this into squid with url_rewrite_program /path to script ?
Yes.
> And if it is possible, where does this script get its input?
The script gets its input on standard input / stdin, from Squid.
Regards Henrik
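The squidGuard rule earlier in this digest dropped everything after the host, and the perl one-liner above only does a fixed-string substitution. Below is an added example, mine rather than the thread's or the Squid project's code, of a url_rewrite_program helper that folds www.main.example.org into www.example.org while keeping the path and query string, and that asks Squid to send the client a 302 instead of silently fetching the rewritten URL (which is what the squidGuard 'r' flag requests). It assumes Squid 2.6's helper protocol with url_rewrite_concurrency left at 0: one request per line with the URL as the first field, a reply of the new URL, "302:URL" for a redirect, or an empty line for "no change". The host names are the thread's example names and the squid.conf line would be `url_rewrite_program /usr/local/bin/fold_subdomain.py` (an assumed path).

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example, not the thread's code).

Folds a subdomain into its parent domain while keeping the rest of the
URL (path and query string), which is what the squidGuard rule in the
thread lost. Assumed Squid 2.6 helper protocol, url_rewrite_concurrency 0:
  request line : URL client_ip/fqdn ident method [key=value ...]
  reply line   : new URL, "302:URL" to make Squid redirect the client
                 (the squidGuard "r" flag), or an empty line for "no change"
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Subdomain -> replacement host. The names are the thread's example names.
HOST_MAP = {
    "www.main.example.org": "www.example.org",
}


def rewrite_url(url: str, redirect: bool = True) -> str:
    """Return the helper reply for one URL ('' when the URL is left alone)."""
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in HOST_MAP:
        return ""
    # Replace only the host: keep userinfo, port, path, query and fragment.
    new_hostport = HOST_MAP[host]
    if parts.port is not None:
        new_hostport += f":{parts.port}"
    userinfo, at, _ = parts.netloc.rpartition("@")
    new_netloc = f"{userinfo}@{new_hostport}" if at else new_hostport
    new_url = urlunsplit((parts.scheme, new_netloc, parts.path, parts.query, parts.fragment))
    return f"302:{new_url}" if redirect else new_url


def handle_line(line: str) -> str:
    """Parse one request line from Squid; the URL is the first field."""
    fields = line.split()
    return rewrite_url(fields[0]) if fields else ""


def main() -> None:
    # Squid waits for one reply line per request line; flush every reply,
    # otherwise it sits in the stdout buffer and Squid hangs on the request.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With redirect=True the client sees the 302 and its address bar changes; with redirect=False Squid fetches www.example.org transparently and the client never learns the URL was rewritten, which is also what the perl script above does.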
Re: [squid-users] cache_peer options
On Wed, 2007-08-01 at 17:02 +0530, Sekar wrote:
> In squid-2.6 the cache_peer parameter has the option group=name. But we don't have an explanation in the squid.conf file. Could you explain how to use this option?
You don't. The option doesn't exist. A leftover from development I think. Thanks for noticing this. The mention of the non-existing option has not been removed.
Regards Henrik
Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?
How about:

acl SSL_Port port 443
acl CONNECT method CONNECT
# /etc/squid/good-connect-ip-addresses is one IP address per line.
acl allowed-CONNECT dstdomain /etc/squid/good-connect-ip-addresses
# One or the other, not sure which and I haven't tested it yet.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# One or more of these three, again, I haven't tested yet.
http_access deny CONNECT !SSL_Port
http_access deny CONNECT numeric_IPs
http_access deny CONNECT numeric_IPs !allowed-CONNECT

The goal is to:
1. Prevent CONNECT to non-SSL ports.
2. Block CONNECT to IP addresses rather than FQDNs.
3. Allow a way to place exclusions to the IP blocks just in case there is a legit need.

Please feel free to correct or comment on anything I've stated above.

.vp

From: Amos Jeffries [EMAIL PROTECTED]
To: Squid squid-users@squid-cache.org

> Tim Bates wrote:
>> Can someone tell me if it's possible to block CONNECT attempts that only specify an IP address (rather than a hostname)? I can see no legitimate reason to CONNECT to an IP, and I've just caught students using this method to bypass the filters.
>> TB
>
> Try the default squid configuration of:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_Port
>
> that will deny any obviously non-https uses. Beyond that this is one of the rare cases where domain regex is useful, having an ACL that tests for numeric-only domains.
>
> NP: do note that skype uses https CONNECT to raw IP numbers. If you want skype to work handle CONNECT restrictions carefully.
>
> Amos
Re: [squid-users] Caching authenticated documents
On Mon 6 Aug 2007 15:33, Henrik Nordstrom wrote:
> On Wed, 2007-08-01 at 10:23 +0200, René GARCIA wrote:
>> If I make the server respond Cache-control: public,proxy-revalidate in headers the document is not cached.
> Does the document have any cache validator? (Last-Modified/ETag) Without a cache validator there is nothing the cache can use to ask the origin server if the document has been changed, and it won't be cached unless it's considered fresh for some time (by default min 60 seconds).
Yes, the ETag/Last-Modified are sent, but after a long search I finally understood what was going wrong. My web server is a Sun One Web Server 6.1; it sends the Cache-Control header only on HTTP/1.1 requests. Squid only sends HTTP/1.0 requests to the web server, so the Cache-Control header was never sent even if your browser sends HTTP/1.1 requests to squid. I had to force the webserver to send the Cache-Control header on each reply. Now it works fine. It makes an ugly config file for Sun One, but finally I managed to get squid to cache authenticated documents and to check user access for each request. Thank you for your reply.
Regards, René
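To make concrete what René and Henrik describe across this thread, here is an added example (not code from the thread or from Squid) that models the shared-cache rule of RFC 2616 section 14.8 and the recipe of Cache-Control: public, max-age=0, must-revalidate plus an ETag. The response is stored, but because it is stale immediately every later request becomes a conditional GET that carries the client's own Authorization header, so the origin still decides who gets the data; storing the response regardless, as refresh_pattern ignore-auth would, hands the body to anyone for the length of the heuristic freshness window. The feed URL, credentials, body and the stub origin are constructed for the demo, and the 60-second default TTL stands in for Squid's refresh_pattern minimum.

```python
"""Model of the shared-cache rule for responses to authenticated requests
(RFC 2616 section 14.8) and of the recipe from the thread:
Cache-Control: public, max-age=0, must-revalidate plus a validator (ETag).
Added example; this is not Squid code. The feed URL, credentials and
body are constructed for the demo."""
import base64

FEED_URL = "http://feed.example.invalid/items"                 # constructed
GOOD_AUTH = "Basic " + base64.b64encode(b"dev:s3cret").decode()   # constructed
BODY, ETAG = b'{"items": [1, 2, 3]}', '"v1"'                  # constructed


def parse_cache_control(value):
    """'public, max-age=0' -> {'public': None, 'max-age': '0'}"""
    out = {}
    for item in value.split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') if arg else None
    return out


def shared_cache_may_store(request_headers, response_headers):
    """RFC 2616 14.8: when the request carried Authorization, a shared cache
    may store the response only if it says s-maxage, must-revalidate or public."""
    if "Authorization" not in request_headers:
        return True
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    return any(d in cc for d in ("s-maxage", "must-revalidate", "public"))


def make_origin(cache_control=None):
    """Stub upstream feed: Basic auth required, If-None-Match honoured.
    cache_control=None reproduces the poster's provider (no cache headers)."""
    def origin(request_headers):
        if request_headers.get("Authorization") != GOOD_AUTH:
            return 401, {"WWW-Authenticate": 'Basic realm="feed"'}, b""
        if request_headers.get("If-None-Match") == ETAG:
            return 304, {"ETag": ETAG}, b""
        headers = {"ETag": ETAG}
        if cache_control:
            headers["Cache-Control"] = cache_control
        return 200, headers, BODY
    return origin


class SharedCache:
    """Minimal shared cache: one entry per URL, stale entries revalidated with
    If-None-Match, and the *client's* Authorization forwarded on every origin
    contact so the origin keeps enforcing access."""

    def __init__(self, origin, ignore_auth=False, default_ttl=60):
        self.origin, self.ignore_auth, self.default_ttl = origin, ignore_auth, default_ttl
        self.now, self.store = 0, {}   # fake clock (seconds) and url -> entry

    def _ttl(self, headers):
        cc = parse_cache_control(headers.get("Cache-Control", ""))
        return int(cc["max-age"]) if cc.get("max-age") is not None else self.default_ttl

    def get(self, url, request_headers):
        """Return (status, body, how) with how in {'HIT', 'REVALIDATED', 'MISS'}."""
        entry = self.store.get(url)
        if entry and self.now - entry["t"] < self._ttl(entry["h"]):
            # Fresh hit: the origin is never asked, so credentials go unchecked.
            return 200, entry["b"], "HIT"
        forward = dict(request_headers)
        if entry and "ETag" in entry["h"]:
            forward["If-None-Match"] = entry["h"]["ETag"]   # conditional GET
        status, headers, body = self.origin(forward)
        if status == 304 and entry:
            entry["t"] = self.now
            return 200, entry["b"], "REVALIDATED"
        if status == 200 and (self.ignore_auth or shared_cache_may_store(request_headers, headers)):
            self.store[url] = {"t": self.now, "h": headers, "b": body}
        return status, body, "MISS"
```

The three cases worth running are the provider as the poster found it (no cache headers: never stored, MISS every time), the recipe (stored, every reuse is a REVALIDATED answer and a wrong password still gets a 401), and the ignore-auth shortcut (stored, and a caller with bogus credentials gets a HIT with the body for up to the default TTL).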
Re: [squid-users] authentication ip ttl reset
I did a quick 3-4 minute skim through of the source. The solution doesn't seem to be difficult, but I may be wrong due to the haste. Would any of the more seasoned squid developers tell me if this approach would work: authenticate.c line 286: -} else if (ipdata-ip_expiretime + Config.authenticateIpTTL squid_curtime) { +} else if ( (ipdata-ip_expiretime + Config.authenticateIpTTL squid_curtime) || (auth_reset) ) { /* This IP has expired - remove from the seen list */ authenticateAuthUserRemoveIpEntry(auth_user, ipdata); + auth_reset=0; } } main.c line 812: if (do_reconfigure) { mainReconfigure(); do_reconfigure = 0; + auth_reset = 1; } else if (do_rotate) { with an int auth_reset=0 placed in the appropriate place. Adrian Chadd wrote: On Mon, Aug 06, 2007, Bgs wrote: Hi, Thanks for the tip but reconfigure does not help. I will try to get some time and make a patch for it some day. Until then, service outages... :( * Would anyone like to donate to the Squid project to see this get done? * Assuming a donation or two takes place, would anyone like a t-shirt for this? :) (I've offered T-Shirts for various other bits and pieces but noone yet has completed any of the tasks!) Adrian
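Review bot: the `auth_reset=0;` placed inside the else-if branch in authenticate.c clears the flag as soon as the first ipdata entry is removed, so one reconfigure flushes a single IP entry (for whichever user is checked first) rather than the whole authentication/IP table; if the intent is to clear everything, clear the flag only after the complete walk, or iterate over all auth_user entries and call authenticateAuthUserRemoveIpEntry for each of their ipdata entries. That branch is also only reached when the user's next request is processed, so entries are dropped lazily rather than at reconfigure time, which will not help the "clear a single user now" case from the original question. auth_reset is written in main.c after mainReconfigure() but read in authenticate.c, so it needs one definition and an extern declaration in a shared header, not just "an int auth_reset=0 placed in the appropriate place". Finally, the quoted hunk shows `ipdata-ip_expiretime` and `Config.authenticateIpTTL squid_curtime` with the `->` and `<` operators missing; that looks like archive mangling, but it should be checked against the real source before the patch is applied.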
Re: [squid-users] Problem with Sibling
Shekhar Gupta wrote: All, I have configured 4 proxy to work as sibling relation and specified the ICP port as 3130 , however when i try to do a telnet it always fails , so i think the cache performance is not getting optimized . Any clue for this ? Hi Shekhar, If your telnet to your sibling proxies on port 3128 fails, then your cache peering is not working and could possibly be setup incorrectly. Or some firewall on the other proxies might be blocking your cache peering. Are all the proxies on the same subnet? Are you getting errors regarding your siblings in your cache.log too? The best way to trouble-shoot your problem is using tcpdump. Check and see if traffic is flowing in both directions between your sibling caches on ports 3128 and 3130. Thanking you... Regards, Shekhar -- With best regards and good wishes, Yours sincerely, Tek Bahadur Limbu (TAG/TDG Group) Jwl Systems Department Worldlink Communications Pvt. Ltd. Jawalakhel, Nepal http://www.wlink.com.np
[squid-users] Timeout values
Greetings, I am looking for some recommendations on ideal timeout values for a squid cache serving up many images per second (1000+). Also, I would like client connections to automatically close after 10 seconds. Anyone happen to know where this is set within squid? Thanks
Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?
That's pretty similar to what I went with. I ended up coming across a post on this list with similar goals, and used the suggested regex from there.
TB
Vadim Pushkin wrote:
> How about:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
> # /etc/squid/good-connect-ip-addresses is one IP address per line.
> acl allowed-CONNECT dstdomain /etc/squid/good-connect-ip-addresses
> # One or the other, not sure which and I haven't tested it yet.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> # One or more of these three, again, I haven't tested yet.
> http_access deny CONNECT !SSL_Port
> http_access deny CONNECT numeric_IPs
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
> The goal is to:
> 1. Prevent CONNECT to non-SSL ports.
> 2. Block CONNECT to IP addresses rather than FQDNs.
> 3. Allow a way to place exclusions to the IP blocks just in case there is a legit need.
>
> Please feel free to correct or comment on anything I've stated above.
>
> .vp
>
> From: Amos Jeffries [EMAIL PROTECTED]
> To: Squid squid-users@squid-cache.org
>
>> Tim Bates wrote:
>>> Can someone tell me if it's possible to block CONNECT attempts that only specify an IP address (rather than a hostname)? I can see no legitimate reason to CONNECT to an IP, and I've just caught students using this method to bypass the filters.
>>> TB
>>
>> Try the default squid configuration of:
>>
>> acl SSL_Port port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_Port
>>
>> that will deny any obviously non-https uses. Beyond that this is one of the rare cases where domain regex is useful, having an ACL that tests for numeric-only domains.
>>
>> NP: do note that skype uses https CONNECT to raw IP numbers. If you want skype to work handle CONNECT restrictions carefully.
>>
>> Amos
Re: [squid-users] Timeout values
On Mon, Aug 06, 2007, Frank Ruiz wrote: Greetings, I am looking for some recommendations on ideal timeout values for a squid cache serving up many images per second (1000+). Also, I would like client connections to automatically close after 10 seconds. Anyone happen to know where this is set within squid? http://www.squid-cache.org/Versions/v2/2.6/cfgman/ - search for timeout in that list. Adrian
Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?
> How about:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
> # /etc/squid/good-connect-ip-addresses is one IP address per line.
> acl allowed-CONNECT dstdomain /etc/squid/good-connect-ip-addresses
> # One or the other, not sure which and I haven't tested it yet.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> # One or more of these three, again, I haven't tested yet.
> http_access deny CONNECT !SSL_Port
> http_access deny CONNECT numeric_IPs
> http_access deny CONNECT numeric_IPs !allowed-CONNECT

The bypass permission needs to be allow and ahead of the global deny. Like so:

http_access allow CONNECT numeric_IPs allowed-CONNECT
http_access deny CONNECT numeric_IPs

> The goal is to:
> 1. Prevent CONNECT to non-SSL ports.
> 2. Block CONNECT to IP addresses rather than FQDNs.
> 3. Allow a way to place exclusions to the IP blocks just in case there is a legit need.
>
> Please feel free to correct or comment on anything I've stated above.
>
> .vp
>
> From: Amos Jeffries [EMAIL PROTECTED]
> To: Squid squid-users@squid-cache.org
>
>> Tim Bates wrote:
>>> Can someone tell me if it's possible to block CONNECT attempts that only specify an IP address (rather than a hostname)? I can see no legitimate reason to CONNECT to an IP, and I've just caught students using this method to bypass the filters.
>>> TB
>>
>> Try the default squid configuration of:
>>
>> acl SSL_Port port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_Port
>>
>> that will deny any obviously non-https uses. Beyond that this is one of the rare cases where domain regex is useful, having an ACL that tests for numeric-only domains.
>>
>> NP: do note that skype uses https CONNECT to raw IP numbers. If you want skype to work handle CONNECT restrictions carefully.
>>
>> Amos
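Amos's suggestion of testing for numeric-only domains is easier to get right in a helper than in a regex: ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ also matches a hostname such as 123.45.67.89.example.net, and it misses IPv6 literals and the short or non-decimal forms (1.2.3, 2130706433, 0x7f.1) that inet_aton-style resolvers accept. Here is an added example, written for this page rather than taken from the thread or from Squid, of an external_acl_type helper that answers OK for hostnames and allow-listed IPs and ERR for any other literal IP. The squid.conf lines in the block's docstring and the helper path are assumptions; the allowlist file name is the one from the thread.

```python
#!/usr/bin/env python3
"""external_acl_type helper (added example, not the thread's or Squid's code).

Answers OK when a CONNECT target is a hostname or an allow-listed literal IP,
and ERR when it is any other literal IP. Assumed Squid 2.6 wiring:

    external_acl_type connect_ip_check %DST /usr/local/bin/connect_ip_check.py
    acl CONNECT method CONNECT
    acl connect_target_ok external connect_ip_check
    http_access deny CONNECT !connect_target_ok

With the "%DST" format Squid sends one line per lookup holding only the
destination host; the helper replies "OK" or "ERR" on one line.
"""
import ipaddress
import sys

ALLOWLIST_PATH = "/etc/squid/good-connect-ip-addresses"   # name from the thread


def is_literal_ip(host: str) -> bool:
    """True for IPv4/IPv6 literals (bracketed or bare) and for the short or
    non-decimal forms (1.2.3, 2130706433, 0x7f.1) that inet_aton-style
    resolvers accept; False for hostnames, even ones that start with digits."""
    host = host.strip().strip("[]").lower()
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # A valid hostname's last label is never all digits (RFC 1123) or a hex
    # number, so such a "host" can only be an odd spelling of an address.
    last = host.rsplit(".", 1)[-1]
    return last.isdigit() or (last.startswith("0x") and all(c in "0123456789abcdef" for c in last[2:]))


def load_allowlist(lines):
    """One IP or CIDR per line, '#' comments allowed -> list of ip_network."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def decide(dst: str, allowlist) -> str:
    """'OK' for hostnames and allow-listed IPs, 'ERR' for any other literal IP."""
    if not is_literal_ip(dst):
        return "OK"
    try:
        addr = ipaddress.ip_address(dst.strip().strip("[]"))
    except ValueError:
        return "ERR"   # short/hex/decimal spelling: never treat as allow-listed
    return "OK" if any(addr in net for net in allowlist) else "ERR"


def main() -> None:
    try:
        with open(ALLOWLIST_PATH) as fh:
            allowlist = load_allowlist(fh)
    except FileNotFoundError:
        allowlist = []
    # One reply per request line, flushed immediately so Squid never blocks.
    for line in sys.stdin:
        sys.stdout.write(decide(line, allowlist) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Keep the default deny for non-443 ports in front of this check; the helper only answers the "is this a raw address" question, and Amos's note about Skype applies unchanged, since its servers would have to go into the allowlist file.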
RE: [squid-users] FW: Allowing streaming media through NTLM Authentication
Hi!

I'm somehow happy I'm not alone with this problem... I'm having this problem since squid 2.6STABLE9... (ALWAYS) I've tried everything possible without success...

Let's try to get some progress on this matter, I'll dedicate some time to this soon (still this week or the next at most). If you have any progress, please post it here.

Let's be sure of the problem... try accessing these radios:

http://www.radios.com.br/emissoras/transa_prpop.htm
http://www.radios.com.br/emissoras/transa_sppop.htm

The former uses http as protocol, so it will ask for user/password, the latter uses mms as protocol, so it won't ask for user/password. As far as my small brain knows... that's mms that should be giving headaches, not the http one!

Please post back if you get the same results, I have to show my boss I'm right, I'm not alone and I DO KNOW how to configure squid. :D

I'll post here if I get it working, let's flame this discussion. I see everyone trying to get rid of streamings, but not trying to get it working without these imperfections.

Thanks,
Mauricio

Hi

Apologies if this has been discussed before but I couldn't find a solution for my exact problem in the archives.

I run Squid 2.6STABLE13 and have configured it to use NTLM authentication for all client requests. This is working properly for standard traffic but I am hitting a problem with streaming media. I'm aware that most streaming media can't handle NTLM authentication automatically and therefore when a user tries to access streaming media a login box pops up. I don't want the users being asked to authenticate so I'm trying to come up with a solution to instruct the proxy server to not authenticate the streaming media.

I've tried matching on the streaming media mime types but ran into the problem in that the mime type is in the response and not the request and it is the request that is authenticated.

Has anyone dealt with this issue before and how did you go about allowing streaming media through an authenticated proxy?
Regards,
Mathew Archibald
[squid-users] Allow origin IP address to pass through Squid proxy
Hi,

I have a child proxy server that forwards requests to the parent proxy server where the traffic goes through url filtering to block requests to sites not appropriate. The administrator at the child proxy server site has access to temporarily override the blocking while they investigate the site. The problem is that the override is performed at the parent proxy server end, and just removes the blocking from the child proxy server address, so everyone going through the child proxy server gets no filtering traffic while the override is taking place.

Is there a way to have the parent proxy server know the origin's IP address, instead of the child proxy server address, and therefore only unblock traffic for that computer?

What are the disadvantages of allowing the IP to pass through the child proxy server (seeing as the parent proxy server will remove it so it's not available to the public)?

Thanks,
Adam
Re: [squid-users] NTLM_Auth LDAP_Group help needed.
Hi Henrik,

Could you advise why the session hangs then?

thanks
Nick

On 7/29/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:

On ons, 2007-07-25 at 08:36 +1000, nick w wrote: thanks for the reply Angel. I have read on the forums that these two helpers can be used together!?

Yes. You can mix freely.
[squid-users] Squid Clustering on Windows platform
Hi there,

I am looking at setting up clustering with 2 squid servers running on Windows platform, 2003 std. I am stumped at how to implement this and would appreciate all the help I can get on this issue. Currently I have 2 Windows servers running squid but not clustered.

Any help would be great

Nick