Re: [squid-users] Problem with http/1.1 302 - https://webmail.skynet.be

2007-09-05 Thread Matus UHLAR - fantomas
  On 03.09.07 19:23, Martijn Moret wrote:
  The last days I'm experiencing problems logging in
  https://webmail.skynet.be through squid.
  Logging in over a direct line is no problem.
  The browser makes no difference, tried with Firefox 2, IE6 and 7.
 
  Here's the log from the squid server:
  1188840174.379    171 192.168.x.y TCP_MISS/302 18577 GET
  http://webmail.skynet.be/page.html? - DIRECT/195.238.5.214 text/html
  1188840175.024   1625 192.168.x.y TCP_MISS/200 45394 CONNECT
  webmail.skynet.be:443 - DIRECT/195.238.5.214 -

  seems that webmail.skynet.be redirected user to https version.
  What is the problem?

On 04.09.07 14:12, Martijn Moret wrote:
 The problem is when logging in, the redirection to the mail page does not
 come up, instead it says username/password invalid.

Is it the squid or the remote web server?

Logs you've posted say that there was one successful GET and one
successful CONNECT request. Are there any other logs from 192.168.x.y?

 When logging in bypassing the proxy all works well, so account/password is
 correct.

I tried using our squid proxy without problem. However I don't use proxy for
SSL connections...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The box said 'Requires Windows 95 or better', so I bought a Macintosh.
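
Reading the two quoted entries field by field, as an added example (not code from the thread or from the Squid project): the script parses Squid's native access.log layout and pairs a 3xx answer on plain HTTP with the CONNECT tunnel the same client then opens to the same host. The sample lines are constructed from the entries in the thread, with a made-up client address and a hypothetical third line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout, modelled on the two
# entries quoted in the thread. The client addresses and the third line are
# made up for illustration.
SAMPLE_LOG = """\
1188840174.379    171 192.168.0.10 TCP_MISS/302 18577 GET http://webmail.skynet.be/page.html? - DIRECT/195.238.5.214 text/html
1188840175.024   1625 192.168.0.10 TCP_MISS/200 45394 CONNECT webmail.skynet.be:443 - DIRECT/195.238.5.214 -
1188840176.500     40 192.168.0.11 TCP_HIT/200 2048 GET http://example.test/logo.png - NONE/- image/png
"""

# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Return one access.log entry as a dict, or None if the line is malformed."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    entry = match.groupdict()
    entry["ts"] = float(entry["ts"])
    for key in ("elapsed", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry


def request_host(entry):
    """Host the request was for. CONNECT logs 'host:port' instead of a URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["url"]).hostname or "").lower()


def find_https_handoffs(lines, window=5.0):
    """Pair a 3xx reply on plain HTTP with the CONNECT that follows it.

    Returns tuples (client, host, redirect_status, connect_status, tunnel_bytes)
    for each client that was redirected and opened a tunnel to the same host
    within `window` seconds.
    """
    pending = {}   # (client, host) -> the redirect entry still waiting for a CONNECT
    handoffs = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["client"], request_host(entry))
        if entry["method"] != "CONNECT":
            if 300 <= entry["status"] < 400:
                pending[key] = entry
            continue
        redirect = pending.pop(key, None)
        if redirect is not None and entry["ts"] - redirect["ts"] <= window:
            handoffs.append(
                (entry["client"], key[1], redirect["status"],
                 entry["status"], entry["bytes"])
            )
    return handoffs


if __name__ == "__main__":
    for client, host, r_status, c_status, size in find_https_handoffs(
            SAMPLE_LOG.splitlines()):
        print(f"{client}: HTTP {r_status} from {host}, then CONNECT "
              f"{c_status} ({size} bytes through the tunnel)")
```

For CONNECT, the logged 200 only records that the tunnel was set up; what the web server answered inside the TLS session, including a rejected login, never appears in access.log.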


Re: [squid-users] Problem with http/1.1 302 - https://webmail.skynet.be

2007-09-05 Thread Adrian Chadd
On Wed, Sep 05, 2007, Martijn Moret wrote:

 Anyone?
 this is really important to me...
 
 Thanks in advance.
 Martijn

I'll help you diagnose it if there's a donation made to the Squid project
via Paypal.

(Begin by sending me some valid login details privately..)




Adrian



Re: [squid-users] squid -k rotate does nothing

2007-09-05 Thread Matus UHLAR - fantomas
On 04.09.07 08:30, Wet Mogwai wrote:
 My squid machine stopped rotating logs recently. The last time rotate worked
 was the day before I copied the access.log to my laptop for the first time.
 The only changes made to the configuration that day were the good.hosts ,
 bad.hosts, good.ip, and bad.ip files. After making the new files for the
 ACLs, I ran squid -k reload.

did you check cache log file for config errors?

 I tried setting the logfile_rotate option in squid.conf in case it was
 ignoring the default. I have checked ownership and permissions. Everything
 seems right. It is still writing to the log, so it is getting to be quite
 large. I could write my own rotate script, but I'd rather get the existing
 function working.

how is logfile_rotate currently set?

 This has been working properly for at least a year and a half. What could
 have caused squid to quit rotating?
 
 I am running Squid Cache: Version 2.5.STABLE14 on FreeBSD 6.1-RELEASE-p8
 (SQUID_KERNEL). Logrotate is in the ports tree, but it is not installed.

2.5? Upgrade to 2.6 asap
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: [squid-users] Problem with http/1.1 302 - https://webmail.skynet.be

2007-09-05 Thread Martijn Moret
  On 03.09.07 19:23, Martijn Moret wrote:
  The last days I'm experiencing problems logging in
  https://webmail.skynet.be through squid.
  Logging in over a direct line is no problem.
  The browser makes no difference, tried with Firefox 2, IE6 and 7.
 
  Here's the log from the squid server:
  1188840174.379    171 192.168.x.y TCP_MISS/302 18577 GET
  http://webmail.skynet.be/page.html? - DIRECT/195.238.5.214 text/html
  1188840175.024   1625 192.168.x.y TCP_MISS/200 45394 CONNECT
  webmail.skynet.be:443 - DIRECT/195.238.5.214 -

  seems that webmail.skynet.be redirected user to https version.
  What is the problem?

 On 04.09.07 14:12, Martijn Moret wrote:
 The problem is when logging in, the redirection to the mail page does not
 come up, instead it says username/password invalid.

 Is it the squid or the remote web server?

 Logs you've posted say that there was one successful GET and one
 successful CONNECT request. Are there any other logs from 192.168.x.y?

 When logging in bypassing the proxy all works well, so account/password is
 correct.

 I tried using our squid proxy without problem. However I don't use proxy for
 SSL connections...

 --
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 The box said 'Requires Windows 95 or better', so I bought a Macintosh.

The webserver says username/password invalid. We use the proxy for http
and SSL. There are no other log entries (except for some images).
I think the credentials for the webmail are not correctly transferred in
the redirection.
If someone can explain that this is a problem at Skynet then that's also
very welcome.

Regards
Martijn



[squid-users] Not our Vary marker object

2007-09-05 Thread ****Ronny****
Hi, I tried to search the list for this but no help. What causes this? Does
it affect any performance?

2007/09/05 10:29:07| storeLocateVary: Not our vary marker object,
Squid Cache: Version 2.6.STABLE13
configure options: '--prefix=/usr/local/squid' '--enable-async-io' 
'--enable-snmp' '--enable-poll' 'CFLAGS=-DNUMTHREADS=30'

On Fedora Core 6
Could someone kindly advise.
Regards
Ronny

--
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
If I have seen further it is by standing on the shoulders of giants.
--Isaac Newton 
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*






[squid-users] Re: Akamai-like CDN using squid and a DNS trick

2007-09-05 Thread Oliver Schoett

Vicente Aguilar wrote:
Long story short: all the users of a particular ISP had problems 
accessing our pages because of a routing problem between that ISP and 
ours. We ended up installing a squid reverse-proxy on that ISP's 
datacenter, and redirecting all its users there by returning a 
different DNS response depending on the client's IP address. This 
method could be extended to use as many ISPs/proxies as needed, 
creating a homegrown, Akamai-like CDN.


Looks like a nice solution, and we might try something like that to 
reach Chinese users.


Did you notice any ill effects of Bug 7 
(http://www.squid-cache.org/bugs/show_bug.cgi?id=7)? This bug makes 
Squid deliver resources with expiration times in the past, thus causing 
the clients to revalidate the resources every time they are used.


Regards,

Oliver Schoett



Re: [squid-users] SOLVED - Problem with http/1.1 302 - https://webmail.skynet.be

2007-09-05 Thread Martijn Moret
 On Wed, Sep 05, 2007, Martijn Moret wrote:

 You can use the following user details:
 user: pinosimone
 pass: pino2010

 I've logged in fine, there's two messages there. I've got Squid manually
 configured in my browser.

 Squid version from squid -v:
 Squid Cache: Version 2.6.STABLE14-CVS

 So hm, why isn't it working for you? What do you see during login?

 I donated $10 to the paypal squid account.

 :) thanks.

 Adrian

It looks like skynet has changed their redirection, all is working fine now.

Regards
Martijn




Re: [squid-users] squid to N2H2/Bess performance problem

2007-09-05 Thread Adrian Chadd
On Mon, Sep 03, 2007, [EMAIL PROTECTED] wrote:
 We have been using squid for a number of years (since about 1999) at the
 East Granby, CT, USA school system.  We use IE and have IE configured to
 point to squid at port 3128.  Recently, the state (CT) started to provide
 a filtering system for optional use by school districts within the state. 
  This filtering is performed by the Bess product at the state data center.
  When filtering is enabled, most web sites perform well.  However, certain
 web sites (e.g. http://nces.ed.gov/nceskids) perform miserably.  It takes
 about five minutes to load the page, whereas without filtering, the page
 loads almost instantaneously.  Also, if I bypass squid for a PC, but pass
 through the filtering system, the page loads almost instantaneously.
 
 Can someone suggest an approach to debugging this problem?

I'd start by setting up a test proxy that only you use, and see if using
that proxy has the same issue.

If it does, then you can easily debug/traffic snoop stuff to see exactly
where the delays are.

If it doesn't then you need to try and see what's different (besides the
obvious one, which is one has more clients than the other.. :)




Adrian



Re: [squid-users] squid -k rotate does nothing

2007-09-05 Thread ****Ronny****
Putting that aside, when are the rotations set; daily, weekly or
something. You might have set them to weekly and it's just 3 days now. It
happened to me :-)

Ronny

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
If I have seen further it is by standing on the shoulders of giants.
--Isaac Newton 
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*






Wet Mogwai wrote:
I checked the path. It is correct. 


I like the idea of upgrading, but this is an important production machine
with no backup. If I can convince them to get another machine, I'll make
this one a backup and upgrading won't bother me as much.

I'll try the newsyslog.conf after everyone goes home today.
  


Re: [squid-users] Block all Web Proxies with squid.

2007-09-05 Thread dhottinger

Quoting Tim Bates [EMAIL PROTECTED]:


[EMAIL PROTECTED] wrote:
I'm sort of curious how you route your traffic?  I'm using iptables
and reroute all port 80 traffic to my proxy on port 8080.  Port 443
 traffic goes straight to website, because you can't cache encrypted
 traffic.  Or am I totally wrong about this?

You can't cache it, but you can apply rules to it, thus restricting
it's use for avoiding your proxy rules.

I'm fairly sure that you can't do a transparent redirection though.
Open to correct, but I think redirection breaks HTTPS.

TB



That is what I was thinking.  I am running a transparent proxy.


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools



Re: [squid-users] Block all Web Proxies with squid.

2007-09-05 Thread dhottinger

Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]:


Hi,


 Well if you want to block proxy you can get the list from

 www.proxy.org.

But this list is paid. Is there any free list, or can someone send an
attached text file of the list? Even I face the same issue. Maybe we
can make it work with SquidGuard.


 I visited the site. English is not my native language, so I may have
missed something, but I didn't understand the list is paid for final
users searching proxy access. I tried to get
http://proxy.org/cgi_proxies.shtml using wget and I got a 403 error,
so I tried -UMozilla, and it worked.

 I don't know if they will, anytime, block accesses coming from
the same IP and doing nothing but loading main page. I did some egrep
and awk in the file ( gotten by wget ) and I got a list of domains (
more than 4000 ), ready to use in a dstdom Squid ACL. I think it can
be considered as a misuse of their service, because they use banners
in the sites. So, I think it must be discussed to analyse the ethics.
( Maybe I am paranoid :-) ).

 Surfing in the site, I found a list of TOR servers, in text
format ( wget needs -U ), to use in a .htaccess file. Again, some
egrep and awk generated a list ready to use in a dst Squid ACL.

 Well, it is a little boring, but, we always can enter the site,
save source page code, process it and use it with Squid, but, again,
how about ethics?

 I am really interested about blocking anonymous proxies, but I
have already seen that it is a hard job. :-(

 Thank you for your attention.

Regards,

Freitas

There are some people doing work on blacklists at bleeding-edge.  They
write sig files for snort.  You might check out their site.  I've used
their blacklists before.  They stay pretty up-to-date.  Or were.



--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools



[squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread shijjawi
Hello all,

I have SQUID 2.5 server implemented on SUSE linux enterprise 10.
No access lists are there, the http traffic has no problems.

I could not access any webmail! I have edited the squid.conf file to build 
time based ACL and it worked, but even before I did that, webmails were 
not accessible!

Is it a common issue? Please advise.

regards,
Simsam.




Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread Tek Bahadur Limbu

Hi Simsam,

On Wed, 5 Sep 2007 15:12:58 +0400
[EMAIL PROTECTED] wrote:

 Hello all,
 
 I have SQUID 2.5 server implemented on SUSE linux enterprise 10.
 No access lists are there, the http traffic has no problems.
 
 I could not access any webmail! I have edited the squid.conf file to build 
 time based ACL and it worked, but even before I did that, webmails were 
 not accessible!

Which webmails are you indicating? Hotmail, Yahoo, etc? Most of them use HTTPS. 
What's your ACL for SSL_ports?

Are you running Squid in transparent mode? Also are you filtering traffic with 
some kind of firewall? Do you have a parent cache or a firewall in front of 
your squid box?

What error message does your Squid cache give you when you try to access 
webmails? What does cache.log and access.log say?

Try accessing webmails such as myway.com with and without secure mode and check 
if you can access its webmail with HTTP and HTTPS.

 
 Is it a common issue? Please advise.

It's not a common issue. I can't imagine what thousands of clients will say if 
they can't access the webmail service of Hotmail and Yahoo! And there are 
thousands of other webmail sites.

I would also recommend you to upgrade to the latest version of Squid which is 
2.6.STABLE14 currently.

You can find the source package from the link below:

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14.tar.gz

Hope it helps.


Thanking you...


 
 regards,
 Simsam.
 
 
 


-- 

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator 

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal
http://wlink.com.np/



Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread shijjawi
Hello Tek,

Thank you for your help, actually I meant private webmails like my 
company's one that has the central exchange server in the head office 
taking in consideration that my network is not a subnet from their 
network, hotmail is running normally, Yahoo, Gmail  etc.

I am still beginner in this field but I could tell you that the proxy 
itself is acting as a firewall, no specific protocol filtration  and here 
is the acl for the SSL port:

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports

The machine hosting the squid is directly connected to the router, as I 
mentioned before it is the firewall also and no ACL are there!
No it is not running in the transparent mode!

Before deploying the SQUID, this webmail was normally opening.

When trying to access a specific webmail like 
http://mailhost.ccc.com.om/mail it is giving the following:

Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet. 
The website is encountering problems. 
There might be a typing error in the address. 
 
What you can try: 
Check your Internet connection. Try visiting another website to make sure 
you are connected. 
Retype the address. 
Go back to the previous page 
..


Let me upgrade it then I will feed you back.

thank you so much.


regards,
Simsam HIJJAWI








Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread Peter Albrecht
Hi Simsam,

 I am still beginner in this field but I could tell you that the proxy 
 itself is acting as a firewall, no specific protocol filtration  and here 
 is the acl for the SSL port:
 
 acl SSL_ports port 443 563
 http_access deny CONNECT !SSL_ports
 
 acl Safe_ports port 443 563 # https, snews
 http_access deny !Safe_ports

Is this your only http_access rule? That would mean you only allow https 
connections and no http connections.

 The machine hosting the squid is directly connected to the router, as I 
 mentioned before it is the firewall also and no ACL are there!
 No it is not running in the transparent mode!
 
 Before deploying the SQUID, this webmail was normally opening.
 
 When trying to access a specific webmail like 
 http://mailhost.ccc.com.om/mail it is giving the following:

If you only allow https as mentioned above, that will always be denied. Do 
http connections to other servers work?

 Internet Explorer cannot display the webpage
 Most likely causes:
 You are not connected to the Internet. 
 The website is encountering problems. 
 There might be a typing error in the address. 

This does not look like a Squid message denying access ... Please send all 
your ACL and http_access rules from squid.conf so that we can have a look.

Regards,

Peter

-- 
Peter Albrecht, Novell Training Services
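
Peter's reading of the Safe_ports rule can be checked with a small model of how Squid walks http_access lines (first match wins). This is an added example, not code from the thread or from Squid: the `acl CONNECT method CONNECT` line and the widened port list are assumptions based on Squid's stock configuration, and the model covers only port and method ACLs.

```python
# The fragment posted in the thread, plus the stock definition of the CONNECT
# ACL it relies on (assumed here; the posted fragment does not show it).
POSTED = """
acl CONNECT method CONNECT
acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports
"""

# Same rules with port 80 added to Safe_ports (constructed for comparison).
WIDENED = POSTED.replace("port 443 563 # https, snews",
                         "port 80 443 563 # http, https, snews")


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules in file order."""
    acls = {}    # name -> (type, [values]); repeated acl lines accumulate
    rules = []   # (action, [(negated, acl_name), ...])
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acls, name, method, port):
    kind, values = acls[name]
    if kind == "method":
        return method in values
    if kind == "port":
        for value in values:            # single port or "low-high" range
            low, _, high = value.partition("-")
            if int(low) <= port <= int(high or low):
                return True
        return False
    raise ValueError(f"ACL type {kind!r} is outside this model")


def decide(config_text, method, port):
    """Return 'allow' or 'deny' for one request, as http_access would."""
    acls, rules = parse_config(config_text)
    if not rules:
        raise ValueError("model needs at least one http_access line")
    for action, terms in rules:
        # Every ACL on the line must match (after '!' negation) for it to fire.
        if all(acl_matches(acls, name, method, port) != negated
               for negated, name in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for label, config in (("posted", POSTED), ("widened", WIDENED)):
        for method, port in (("GET", 80), ("CONNECT", 443), ("CONNECT", 8443)):
            print(f"{label:8} {method:8} port {port:<5} -> "
                  f"{decide(config, method, port)}")
```

With only the posted lines, a request that matches neither rule is allowed, because the last http_access line is a deny; a production rule set normally ends with an explicit final line instead of relying on that implicit default.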


Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread shijjawi
Hi Peter, 

No, this is only the https rule, I wrote it down to illustrate that the 
https ports are open.
All http traffic are opened.

Could you please give me the commands needed to install SQUID 2.6 
according to Tek's advice.
I got the file from the site, I have some worries as the upgrade might 
affect the current setup!



Thank you,
Simsam









[squid-users] WCCPv2 - L2 + 3550 cisco switch

2007-09-05 Thread Horacio Herrera Gonzalez
Hi all,

Thanks to everyone who supports the great Squid! The Wiki and this
mail-list have been very useful to me, but this time I'm stuck and I
can't find any previous example to take off from there, so I was
hoping for you guys feeling generous today and give me a clue or
two... :)

I want to do transparent redirection using a 3550 cisco switch, but it
doesn't redirect any packet at all.

My setup is like this:

  - Squid2.6stable14 on Ubuntu server 7.04 and a switch which has an
up-to-date IP services IOS image.

  - The clients, the Squid, and the internet access are each one on
separated switch virtual interfaces (SVI).

  - Although they aren't directly connected, there are no firewalls or
any L3 hops between Squid and the switch.

The docs say I have to use L2 redirection instead of GRE, but the
switch doesn't even want to acknowledge the Squid-box (NOT usable, it
says) when my WCCP configuration is like this:

  wccp2_forwarding_method 2
  wccp2_return_method 2
  wccp2_assignment_method 2

And the cache.log file shows this:

  fatal error - A WCCP router has specified a different assignment
method 1, expected 2

Changing the Assignment method to 1 didn't have any effect, so I
changed the Return method too, like this:

  wccp2_forwarding_method 2
  wccp2_return_method 1
  wccp2_assignment_method 1

After that, everything looked as if it were going to work:

  - No related errors inside cache.log.

  - The switch reported the following:

    WCCP Client ID:          10.10.2.2
    Protocol Version:        2.0
    State:                   Usable
    Redirection:             L2
    Packet Return:           GRE
    Assignment:              HASH
    Initial Hash Info:
    Assigned Hash Info:
    Hash Allotment:          256 (100.00%)
    Packets s/w Redirected:  0
    Connect Time:            00:08:11
    Bypassed Packets
      Process:               0
      CEF:                   0

  - And even the GRE tunnel seems to be up:

    Proto  Recv-Q  Send-Q  Local Address    Foreign Address  State
    udp    0       0       10.10.2.2:2048   10.10.2.1:2048   ESTABLISHED


BUT the clients are still able to browse internet directly, and the
access.log file shows no activity.
Mystery ~ ~ ~

If someone has any clues, please send a message...

Thanks,
Horacio.


P.S. Other relevant configuration:

+ Switch related:

  ip wccp web-cache

  interface Vlan6
    description Clients
    ip wccp web-cache redirect in


+ Squid related:

  http_port 8081 transparent


+ Iptables rules:

  # for L2 redirection
  iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.10.2.2/32 -j ACCEPT
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8081

  # for GRE redirection*
  iptables -t nat -A PREROUTING -i gre0 -p tcp -j REDIRECT --to-ports 8081

  * - I know, normally used from-router-2-squid way. In this case,
not used for forwarding, but may be needed for return method? help
here!


+ GRE tunnel ** (/etc/network/interfaces):

  auto  gre0
  iface gre0 inet static
      address 172.16.1.1
      netmask 255.255.255.252
      broadcast 172.16.1.3

  ** - for GRE redirection to work, the IP address its not relevant,
found out at some place and proved with a router but not so sure in
this setup... help!

  # ip tunnel
  gre0: gre/ip  remote any  local any  ttl inherit  nopmtudis


[squid-users] Allow Referrer

2007-09-05 Thread Frank Ruiz
Greetings Squidlings ;0),

I need to retain the referrer in the http header of an incoming client request.

client (with referrer in http request) - squid - 3rd party

The 3rd party needs to see the referrer portion of the http header.

Does this require anything special?

Thank you


Re: [squid-users] Squid 3.0-PRE7 won't build with snmp

2007-09-05 Thread Guido Serassio

Hi,

At 02.12 05/09/2007, Nicole wrote:


 Squid 3.0-PRE7 seems to not build if you have --enable-snmp.
 Server was FreeBSD-6.2 amd64

 When --disable-snmp was specified it built ok. Which seems to be opposite
perhaps from a bug I noticed, #2071


It should be a dependency problem in Makefile: running make clean 
before the build should fix the problem.


See my comment to the bug #2071: 
http://www.squid-cache.org/bugs/show_bug.cgi?id=2071.


Regards

Guido Serassio



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Re: Akamai-like CDN using squid and a DNS trick

2007-09-05 Thread Neil Harkins
On 9/5/07, Oliver Schoett [EMAIL PROTECTED] wrote:
 Did you notice any ill effects of Bug 7
 (http://www.squid-cache.org/bugs/show_bug.cgi?id=7)? This bug makes
 Squid deliver resources with expiration times in the past, thus causing
 the clients to revalidate the resources every time they are used.

Ugh, first I've heard of this bug. So, in an httpd-accel setup,
we're wasting more bandwidth than if we didn't use squid at all!?

Can anything be done in the config to mitigate?
Is the STALE state always refreshed by an IMS request?
Is there a way to force a purge/re-get instead of an IMS?
i.e. It'd be nice if lm-factor  percent generated an IMS,
but age max resulted in a purge and re-GET...

If not, perhaps I'll write a tool to tail the log for the hottest objects,
look at the headers on disk, and issue PURGE requests. Yuck.

-neil


Re: [squid-users] Squid 3.0-PRE7 won't build with snmp

2007-09-05 Thread Nicole

On 05-Sep-07 My Secret NSA Wiretap Overheard Guido Serassio Saying  :
 Hi,
 
 At 02.12 05/09/2007, Nicole wrote:
 
  Squid 3.0-PRE7 seems to not build if you have --enable-snmp.
  Server was FreeBSD-6.2 amd64

  When --disable-snmp was specified it built ok. Which seems to be opposite
perhaps from a bug I noticed, #2071
 
 It should be a dependency problem in Makefile: running make clean 
 before the build should fix the problem.
 
 See my comment to the bug #2071: 
 http://www.squid-cache.org/bugs/show_bug.cgi?id=2071.
 
 Regards
 
 Guido Serassio
 
 

 Hi
 Yes I tried that. Sadly the build still fails.

 In fact I was also surprised that snmp was enabled by
default and that I had to use --disable-snmp to get it to build.


 Also I found that even in my little test of telling my browser to use port
3120 for a proxy at home (with it on a server at home) that it would easily
become slow or fail to load images. I had to reinstall 2.6-15.


 If you would like any more information that may help, please let me know.


 Nicole



--
 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
  -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
 The term daemons is a Judeo-Christian pejorative.
 Such processes will now be known as spiritual guides
  - Politicaly Correct UNIX Page





Re: [squid-users] Squid 3.0-PRE7 won't build with snmp

2007-09-05 Thread Guido Serassio

Hi,

At 21.37 05/09/2007, Nicole wrote:


On 05-Sep-07 My Secret NSA Wiretap Overheard Guido Serassio Saying  :
 Hi,

 At 02.12 05/09/2007, Nicole wrote:

  Squid 3.0-PRE7 seems to not build if you have --enable-snmp.
  Server was FreeBSD-6.2 amd64

  When --disable-snmp was specified it built ok. Which seems to be opposite
perhaps from a bug I noticed, #2071

 It should be a dependency problem in Makefile: running make clean
 before the build should fix the problem.

 See my comment to the bug #2071:
 http://www.squid-cache.org/bugs/show_bug.cgi?id=2071.

 Regards

 Guido Serassio



 Hi
 Yes I tried that. Sadly the build still fails.

 In fact I was also surprised that snmp was enabled by
default and that I had to use --disable-snmp to get it to build.


I have done the following test:

- configure --enable-snmp
- make (OK)
- configure --disable-snmp (but also configure only should be the same)
- make (FAILED, because the files are not compiled again)
- removed manually the .o files
- make (OK)

Please check if make clean really removes the .o files.
I will run some more build tests.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread Tek Bahadur Limbu

Hi Simsam,

[EMAIL PROTECTED] wrote:
Hi Peter, 

No, this is only the https rule, I wrote it down to illustrate that the 
https ports are open.

All http traffic are opened.

Could you please give me the commands needed to install SQUID 2.6 
according to Tek's advice.
I got the file from the site, I have some worries as the upgrade might 
affect the current setup!


Did you install Squid-2.5 with SUSE's package management tool or did you 
install it from source?


Whichever method you had used, you can just keep the old Squid binary 
and its configuration files just in case something goes wrong with the 
Squid-2.6 installation!


The following installation steps might help:


(1.)  tar zxvf squid-2.6.STABLE14.tar.gz

(2.)  cd squid-2.6.STABLE14/

(3.)  ./configure  --bindir=/usr/local/sbin \
        --sysconfdir=/usr/local/etc/squid \
        --datadir=/usr/local/etc/squid \
        --libexecdir=/usr/local/libexec/squid \
        --localstatedir=/usr/local/squid \
        --enable-removal-policies=heap,lru \
        --enable-storeio=diskd,aufs,coss,ufs,null \
        --enable-snmp \
        --enable-epoll \
        --with-large-files \
        --prefix=/usr/local \
        --disable-ident-lookups \
        --enable-underscores \
        --disable-http-violations \
        --enable-delay-pools \
        --with-maxfd=8192


(4.)  make all

(5.)  make install

(6.)  vi /usr/local/etc/squid/squid.conf

(7.)  /usr/local/sbin/squid -z

(8.)  /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf


Note: Your compilation parameters may differ. Please adjust accordingly 
to your demands and needs.


If your SUSE Linux box has installed and updated all the required 
development tools, then the installation should be a breeze!


Remember to read the default squid.conf which comes with the new 
installation.


Also check this out:

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14-RELEASENOTES.html


Happy Squid proxying with Squid-2.6STABLE14 !!!


Thanking you...







Thank you,
Simsam





Peter Albrecht [EMAIL PROTECTED] 
09/05/2007 05:58 PM


To
squid-users@squid-cache.org
cc

Subject
Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12






Hi Simsam,

I am still a beginner in this field but I could tell you that the proxy 
itself is acting as a firewall, no specific protocol filtration, and here 
is the acl for the SSL port:

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports


Is this your only http_access rule? That would mean you only allow https 
connections and no http connections.


The machine hosting the squid is directly connected to the router, as I 
mentioned before it is the firewall also and no ACL are there!

No it is not running in the transparent mode!

Before deploying the SQUID, this webmail was normally opening.

When trying to access a specific webmail like 
http://mailhost.ccc.com.om/mail it is giving the following:


If you only allow https as mentioned above, that will always be denied. Do 
http connections to other servers work?


Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet. 
The website is encountering problems. 
There might be a typing error in the address. 


This does not look like a Squid message denying access ... Please send all 
your ACL and http_access rules from squid.conf so that we can have a look.

Regards,

Peter




--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread Manoj_Rajkarnikar

On Thu, 6 Sep 2007, Tek Bahadur Limbu wrote:


Hi Simsam,

[EMAIL PROTECTED] wrote:
Hi Peter, 
No, this is only the https rule, I wrote it down to illustrate that the 
https ports are open.

All http traffic is open.

Could you please give me the commands needed to install SQUID 2.6 according 
to tek's advice.
I got the file from the site, I have some worries as the upgrade might 
affect the current setup!


Did you install Squid-2.5 with SUSE's package management tool or did you 
install it from source?


Whichever method you had used, you can just keep the old Squid binary and 
its configuration files just in case something goes wrong with the Squid-2.6 
installation!


The following installation steps might help:


(1.)  tar zxvf squid-2.6.STABLE14.tar.gz

(2.)  cd squid-2.6.STABLE14/

(3.)  ./configure  --bindir=/usr/local/sbin \


I'd rather do it as :

./configure --prefix=/usr/local/squid26

so that it puts all the squid 2.6 related files in a single directory. For 
easier access to config files, binary and logs, I'd create symlinks 
to my fav path. Just a point to share.




--sysconfdir=/usr/local/etc/squid \
--datadir=/usr/local/etc/squid \
--libexecdir=/usr/local/libexec/squid \
--localstatedir=/usr/local/squid \
--enable-removal-policies=heap,lru \
--enable-storeio=diskd,aufs,coss,ufs,null \
--enable-snmp \
--enable-epoll \
--with-large-files \
--prefix=/usr/local \
--disable-ident-lookups  \
--enable-underscores \
--with-large-files \
--disable-http-violations \
--enable-delay-pools \
--with-maxfd=8192


(4.)  make all

(5.)  make install

(6.)  vi /usr/local/etc/squid/squid.conf

(7.)  /usr/local/sbin/squid -z

(8.)  /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf


Note: Your compilation parameters may differ. Please adjust accordingly to 
your demands and needs.


If your SUSE Linux box has installed and updated all the required development 
tools, then the installation should be a breeze!


Remember to read the default squid.conf which comes with the new 
installation.


Also check this out:

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14-RELEASENOTES.html


Happy Squid proxying with Squid-2.6STABLE14 !!!


Thanking you...







Thank you,
Simsam





Peter Albrecht [EMAIL PROTECTED] 09/05/2007 05:58 PM

To
squid-users@squid-cache.org
cc

Subject
Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12






Hi Simsam,

I am still a beginner in this field but I could tell you that the proxy 
itself is acting as a firewall, no specific protocol filtration, and here 
is the acl for the SSL port:

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports


Is this your only http_access rule? That would mean you only allow https 
connections and no http connections.


The machine hosting the squid is directly connected to the router, as I 
mentioned before it is the firewall also and no ACL are there!

No it is not running in the transparent mode!

Before deploying the SQUID, this webmail was normally opening.

When trying to access a specific webmail like 
http://mailhost.ccc.com.om/mail it is giving the following:


If you only allow https as mentioned above, that will always be denied. Do 
http connections to other servers work?



Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet. The website is encountering 
problems. There might be a typing error in the address. 


This does not look like a Squid message denying access ... Please send all 
your ACL and http_access rules from squid.conf so that we can have a look.


Regards,

Peter







--


[squid-users] Squid + Dansguradian anomaly

2007-09-05 Thread Michael Gichoga
I have a working combo of Dansguardian plus squid. This works great but  
I just found out that it's blocking all sites that you type in via ip.  
e.g. you can type google.com and get out but if you type in the ip of  
google dansguardian blocks it. I have the option in dansguardian.conf  
(reverseaddresslookups = off). Does anyone have any ideas?









[squid-users] Clients dial a connection on a server using squid

2007-09-05 Thread squid inbox
Hello,

I have dialup PPPoE connection on my server.
Squid 2.6 is installed on Windows XP SP2

What I want to do is to let my clients dial a
connection on my server automatically. Meaning, they
just need to request the page, and squid will dial the
connection.

The following is not very important:
If remote dialing (the question above) is possible,
how to do a hang up of the connection.

Thank you




Re: [squid-users] TCP_DENIED:NONE and Forwarding loop

2007-09-05 Thread Paul Bertain

Hi Tek and Adrian,

I appreciate the suggestions.  We have resolved our issue, which was  
related to our custom-built Squid parent that was expecting ICP  
connections only from the configured IP address of the Squid  
(192.168.1.81).  Squid is running on a host system with the IP  
192.168.1.17 so we were using the following http_port command:


http_port 192.168.1.81:80

to force Squid to listen on a specified IP address on port 80 for any  
connections.  We tried to use the following command to get Squid to  
make ICP connections from that same IP address:


icp_port 192.168.1.81:3130

but when Squid was trying to initiate an ICP to the Squid parent, it  
was using the host system IP (192.168.1.17) instead of the icp_port  
IP (192.168.1.81).


Based on that, is there a way to force Squid to initiate ICP  
connections from a specific IP rather than the default/host IP address?


Thanks again,
Paul

On Sep 4, 2007, at 2:30 AM, Tek Bahadur Limbu wrote:


Hi Paul,

Paul Bertain wrote:

Hi All,
I am having a problem with our Squid hierarchy.  I am getting  
TCP_DENIED in the access.log and the cache.log shows a forwarding  
loop detected.  Here is the access.log entry:
192.168.1.81 - - [03/Sep/2007:14:01:06 -0500] GET http://web.example.com/customers/mba HTTP/1.0 403 1469 TCP_DENIED:NONE
208.106.5.39 - - [03/Sep/2007:14:01:06 -0500] GET http://web.example.com/customers/mba HTTP/1.1 403 1570 TCP_MISS:DIRECT

And here is the cache.log entries:
2007/09/03 13:58:50| parseHttpRequest: NF getsockopt 
(SO_ORIGINAL_DST) failed: (92) Protocol not available
2007/09/03 14:00:20| parseHttpRequest: NF getsockopt 
(SO_ORIGINAL_DST) failed: (92) Protocol not available

2007/09/03 14:01:06| WARNING: Forwarding loop detected for:
Client: 192.168.1.81 http_port: 192.168.1 1.81:80
GET http://web.example.com/customers/mba HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en)  
AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3

Host: web.accelerint.com
Via: 1.1 squid-1.example .com:80 (squid/2.5.STABLE14)
X-Forwarded-For: 208.106.5.39
Cache-Control: max-age=259200
Connection: keep-alive
I think our Squid parent is not responding so Squid goes direct to  
source.  Is there a way to ensure that Squid will not go to origin  
even if the parent does not respond?  We do DNS load-balancing so  
when the Squid tries to go direct to source, I think that is where  
our loop begins.


Are you running Squid in transparent mode?

Can you show us the output of:  squid  -v


You can try to use the following directive:

prefer_direct off

In my opinion, this situation usually occurs if your parent squid  
cache has some kind of a relationship (possibly sibling) parameter  
to your squid cache in its squid.conf.


Posting your squid.conf might help.


Thanking you...




Thanks,
Paul



--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np




Re: [squid-users] header_access not work on squid-2.6STABLE15

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 13:48 +0200, Henrik Nordstrom wrote:
 On mån, 2007-09-03 at 20:05 -0700, zulkarnain wrote:
 
  Hi Henrik,
  
  Thanks for your reply. I think squid.conf for
  squid-2.6stable15 should be reorganized to avoid this
  problem.  On squid-2.6Stable14, header_access define
  after access control (acl).
 
 Agreed.

And fixed in 2.6.STABLE16.

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] Safari SSL issues constantly having to re authenticate.

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 14:13 +1000, Daniel Appleby wrote:
 Hi,
 
 I am having some issues where users using safari are constantly prompted 
 to authenticate again and again when visiting an https website.
 
 The logs show the following:
 
 1188864244.292561 128.184.148.13 TCP_MISS/200 1779 CONNECT 
 phobos.apple.com:443 macupd DIRECT/17.250.236.65 -
 1188864244.325 28 128.184.148.13 TCP_DENIED/407 21666 CONNECT 
 phobos.apple.com:443 - NONE/- text/html

Enable log_mime_hdrs (inspect the traffic with wireshark) and verify
that the helper sends the login credentials properly. If not file a
support request with Apple...

I strongly suspect that the browser forgets to cache the credentials
between https requests, sending the CONNECTs which result in 407 without
any user credentials..

Regards
Henrik




Re: [squid-users] assertion failed: client_side.c:4175

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 18:49 +0545, Tek Bahadur Limbu wrote:
 Adrian Chadd wrote:
  On Tue, Sep 04, 2007, Tek Bahadur Limbu wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hi All,
 
  I recently upgraded from Squid-2.6.STABLE12 to Squid-2.6.STABLE15 on a 
  FreeBSD-6.1 amd64 machine. I am using the Diskd storage system.
  
  The title says it all:
  
  http://squidproxy.wordpress.com/2007/09/03/dont-upgrade-to-squid-26stable15-skip-straight-to-squid-26stable16/
  
  :)
  
 
 Hi Adrian,
 
 Thanks for the correction. I guess I should downgrade to squid-2.6.STABLE14.

2.6.STABLE16 is out.

Also there has been a patch available for this problem the whole week..
http://www.squid-cache.org/Versions/v2/2.6/changesets/11635.patch

Regards
Henrik




Re: [squid-users] Delay Pools, external acl, single sign-on

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 15:31 +0200, Martin Perner wrote:

 The problem is that the script for the single sign-on didn't seem to set 
 the %LOGIN variable.

Correct, as authentication has not been used. 

%EXT_USER is the external_acl_type format tag to use for referencing the
username returned by an external acl helper.

Regards
Henrik




Re: [squid-users] Block all Web Proxies with squid.

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 11:15 +1000, Tim Bates wrote:

 I'm fairly sure that you can't do a transparent redirection though. Open 
 to correct, but I think redirection breaks HTTPS.

Technically it's possible to implement, but it would not add very much
as only the destination IP address will be available to the proxy, not
the requested hostname... so you can just as well filter https at the
router level..

Regards
Henrik




Re: [squid-users] Block all Web Proxies with squid.

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 22:15 -0300, [EMAIL PROTECTED] wrote:

  Well, it is a little boring, but, we always can enter the site,
 save source page code, process it an use it with Squid, but, again,
 how about ethics?

Good question. Their terms of use explicitly says

You may not utilize any automatic or manual process to harvest
information from the Site.

but the legal status of this varies depending on in which country you
are.

Regards
Henrik




Re: [squid-users] squid -k rotate does nothing

2007-09-05 Thread Henrik Nordstrom
On tis, 2007-09-04 at 08:30 -0700, Wet Mogwai wrote:
 My squid machine stopped rotating logs recently. The last time rotate worked
 was the day before I copied the access.log to my laptop for the first time.
 The only changes made to the configuration that day were the good.hosts ,
 bad.hosts, good.ip, and bad.ip files. After making the new files for the
 ACLs, I ran squid -k reload.

Check that the pid file exists, and has the right pid number in it...

Also check cache.log for any errors..
Regards
Henrik




Re: [squid-users] how do i set unic WEB URL for all cliens

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 09:53 +0700, nandika rupasinghe wrote:
 Hi dear all,
 
 I want to set a unique (single, ex: www.ugc.ac.lk) URL for all clients who are using 
 squid proxy for internet browsing.

Not sure I understand what it is you want to do. Can you explain in
other words?

Regards
Henrik




Re: [squid-users] Not our Vary marker object

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 10:51 +0300, Ronny wrote:
 Hi tried to search the list for this but no help.What causes this does 
 it affect any performance
 2007/09/05 10:29:07| storeLocateVary: Not our vary marker object,

It's a harmless warning.

There is a bug report open for this, but not sure when it will get
fixed.. (not a high priority item, as everything works)

Regards
Henrik




Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 17:19 +0400, [EMAIL PROTECTED] wrote:

 Thank you for your help, actually I meant private webmails like my 
 company's one that has the central exchange server in the head office 
 taking in consideration that my network is not a subnet from their 
 network, hotmail is running normally, Yahoo, Gmail  etc.

Exchange.. then probably NTLM authentication is used on the server.

Try upgrading to Squid-2.6. It has the needed protocol workarounds to be
able to deal with the protocol violations introduced by Microsoft in
their NTLM/Negotiate authentication schemes of things...

Regards
Henrik




Re: [squid-users] WCCPv2 - L2 + 3550 cisco switch

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 12:06 -0500, Horacio Herrera Gonzalez wrote:

   - The switch reported the following:
 
 WCCP Client ID:  10.10.2.2
 Protocol Version:2.0
 State:   Usable
 Redirection: L2
 Packet Return:   GRE
 Assignment:  HASH
 Initial Hash Info:   
  
 Assigned Hash Info:  
  
 Hash Allotment:  256 (100.00%)
 Packets s/w Redirected:  0
 Connect Time:00:08:11
 Bypassed Packets
   Process:   0
   CEF:   0

Looks fine. Only catch there is if WCCP is enabled on the right
interface of the router, or if you have acls on the router bypassing
WCCP redirection..

 
   - And even the GRE tunnel seems to be up:
 
 Proto  Recv-Q  Send-Q  Local Address   Foreign Address  State
 udp 0   0 10.10.2.2:2048   10.10.2.1:2048   ESTABLISHED

That's not GRE. That's the WCCP UDP channel used for registering the
cache with the WCCP router..


 BUT the clients are still able to browse internet directly, and the
 access.log file shows no activity.
 Mystery ~ ~ ~

Are there packets seen on the GRE tunnel?

netstat -Igre0

Regards
Henrik




Re: [squid-users] Allow Referrer

2007-09-05 Thread Henrik Nordstrom
On ons, 2007-09-05 at 11:03 -0700, Frank Ruiz wrote:

 I need to retain the referrer in the http header of an incoming client 
 request.
 
 client (with referrer in http request) - squid - 3rd party
 
 The 3rd party needs to see the referrer portion of the http header.
 
 Does this require anything special?

No, all headers are forwarded unless you make special action not to...

Regards
Henrik




Re: [squid-users] header_access not work on squid-2.6STABLE15

2007-09-05 Thread zulkarnain
--- Henrik Nordstrom [EMAIL PROTECTED]
wrote:
 
 And fixed in 2.6.STABLE16.
 

Thanks Henrik!




Re: [squid-users] WCCPv2 - L2 + 3550 cisco switch

2007-09-05 Thread Adrian Chadd
On Wed, Sep 05, 2007, Horacio Herrera Gonzalez wrote:

 Thanks to everyone who supports the great Squid! The Wiki and this
 mail-list have been very useful to me, but this time I'm stuck and I
 can't find any previous example to take off from there, so I was
 hoping for you guys feeling generous today and give me a clue or
 two... :)

Thanks!

 I want to do transparent redirection using a 3550 cisco switch, but it
 doesn't redirect any packet at all.

It should do. I had it working when I had a loaner Cisco 3550..

   wccp2_forwarding_method 2
   wccp2_return_method 2
   wccp2_assignment_method 2
 
 And the cache.log file shows this:
 
   fatal error - A WCCP router has specified a different assignment
 method 1, expected 2
 
 Changing the Assignment method to 1 didn't have any effect, so I
 changed the Return method too, like this:
 
   wccp2_forwarding_method 2
   wccp2_return_method 1
   wccp2_assignment_method 1

It needs to be a little friendlier, I agree. The Cisco 3550:

* does hash assignment (like a software router);
* does L2 forwarding (like a switch)
* and I think does GRE redirect (which squid doesn't do atm.)

 After that, everything looked like if it were going to work:
 
   - No related errors inside cache.log.
 
   - The switch reported the following:
 
 WCCP Client ID:  10.10.2.2
 Protocol Version:2.0
 State:   Usable
 Redirection: L2
 Packet Return:   GRE
 Assignment:  HASH
 Initial Hash Info:   
  
 Assigned Hash Info:  
  
 Hash Allotment:  256 (100.00%)
 Packets s/w Redirected:  0
 Connect Time:00:08:11
 Bypassed Packets
   Process:   0
   CEF:   0
 
   - And even the GRE tunnel seems to be up:
 
 Proto  Recv-Q  Send-Q  Local Address   Foreign Address  State
 udp 0   0 10.10.2.2:2048   10.10.2.1:2048   ESTABLISHED

Yup.

 P.D. Other relevant configuration:
 
 + Switch related:
 
   ip wccp web-cache
 
   interface Vlan6
 description Clients
 ip wccp web-cache redirect in

Does vlan6 have an IP address configured? WCCPv2 on a 3550 only works if the
clients are routed through it. It won't work if it's being a switch. Clients
need to have vlan6 set as a default gateway.





Adrian



[squid-users] User Authentication Begins Failing

2007-09-05 Thread DiGeronimo,Sergio \(IT Solutions CA\)
I've been having an intermittent problem with user authentication over the
last couple of months.  For reasons I've yet to understand, users will all
of a sudden not be able to authenticate (we're using ncsa_auth) to Squid
despite providing valid credentials (confirmed with debug_options ALL,1
29,9) ; Squid will repeatedly prompt the user for authentication and
ultimately deny access due to authentication failure. 
 
Basically, we have users directed to one of two proxies (Solaris 8,
Squid-2.5.STABLE10) via a proxy auto configuration file.  We ftp out a
password file (about 75K) to both proxies which overwrites the active
password file used by Squid.  
 
The problem appears to occur against each proxy simultaneously and so we had
suspected a problem with the fact that we're overwriting the active password
file (although we confirmed it is being ftp'ed out intact) but we've not been
able to establish any correlation.  Also, tried increasing auth_param basic
children but to no avail.
 
Ultimately, the symptoms 'go away' after a few minutes or alternatively
we're able to stabilize things by bouncing squid issuing a 'squid -k
reconfigure' ; interestingly after doing this we observe several 'Clearing
cache ACL results for user: username' entries in cache.log where
username matches the account name of a user actively experiencing the
problem.
 
Would appreciate any insights?  Thank-you.
 
 
Regards,
 
Sergio Di Geronimo
SIEMENS
Siemens IT Solutions and Services


Re: [squid-users] User Authentication Begins Failing

2007-09-05 Thread Adrian Chadd
I've seen a race condition here. The NCSA helper only reopens the file when
it sees the modification time change. If the overwrite procedure doesn't create
a temp file and move the full new file over the old one, squid might pick up
on a partially-uploaded file and not bother to re-read the file until its
modification time changes again.

I solved it by an scp followed by a rename.

See if that fixes it for you.



Adrian

On Wed, Sep 05, 2007, DiGeronimo,Sergio (IT Solutions CA) wrote:
 I've been having an intermittent problem with user authentication over the
 last couple of months.  For reasons I've yet to understand, users will all
 of a sudden not be able to authenticate (we're using ncsa_auth) to Squid
 despite providing valid credentials (confirmed with debug_options ALL,1
 29,9) ; Squid will repeatedly prompt the user for authentication and
 ultimately deny access due to authentication failure. 
  
 Basically, we have users directed to one of two proxies (Solaris 8,
 Squid-2.5.STABLE10) via a proxy auto configuration file.  We ftp out a
 password file (about 75K) to both proxies which overwrites the active
 password file used by Squid.  
  
 The problem appears to occur against each proxy simultaneously and so we had
 suspected a problem with the fact that we're overwriting the active password
 file (although we confirmed it is being ftp'ed out intact) but we've not been
 able to establish any correlation.  Also, tried increasing auth_param basic
 children but to no avail.
  
 Ultimately, the symptoms 'go away' after a few minutes or alternatively
 we're able to stabilize things by bouncing squid issuing a 'squid -k
 reconfigure' ; interestingly after doing this we observe several 'Clearing
 cache ACL results for user: username' entries in cache.log where
 username matches the account name of a user actively experiencing the
 problem.
  
 Would appreciate any insights?  Thank-you.
  
  
 Regards,
  
 Sergio Di Geronimo
 SIEMENS
 Siemens IT Solutions and Services

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
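
The upload-then-rename approach described in the message above, as an added example that is not part of the original thread: the new password file is staged next to the live one and swapped in with a single rename, so the helper never sees a partial file. The function name, the 640 mode and the assumption that a complete file ends with a newline are illustrative choices, not something the posters specified.

```shell
#!/bin/sh
# Added example: replace an ncsa_auth password file without exposing a
# partially written copy. Function name and paths are hypothetical.

# install_passwd SRC DEST
#   SRC  - the freshly delivered copy (what scp/ftp just wrote)
#   DEST - the live file the ncsa_auth helper reads
# Returns 0 on success, 1 if SRC is missing or empty, 2 if SRC looks
# truncated or malformed, 3 if staging or the rename failed.
# DEST is left untouched on every failure path.
install_passwd() {
    src=$1
    dest=$2
    [ -s "$src" ] || return 1

    # Assumption: the generator ends the file with a newline, so a missing
    # final newline means the transfer was cut short. $(...) strips a
    # trailing newline, so a non-empty result means the last byte is not one.
    [ -z "$(tail -c 1 "$src")" ] || return 2

    # Every non-empty line must have the shape "user:hash". This catches a
    # line with no hash field; it does not prove a hash is complete.
    if grep -v '^$' "$src" | grep -qv '^[^:][^:]*:..*$'; then
        return 2
    fi

    # Stage in DEST's own directory so the final mv is a rename on one
    # filesystem, replacing DEST in a single step.
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.passwd.XXXXXX") || return 3
    # 640 is an assumed mode; the helper's user must be able to read it.
    if ! cp "$src" "$tmp" || ! chmod 640 "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    # Only swap in a staged copy that is byte-identical to the source.
    if ! cmp -s "$src" "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    if ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 3
    fi
    return 0
}
```

Because the rename gives the live path a new file with a new modification time only once the content is complete, the helper's mtime check picks up the whole file or the old one, never something in between.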


[squid-users] header_access with 2.6stable12

2007-09-05 Thread squid inbox
will the following work correctly with 2.6stable12:

header_access Via deny all
header_access X-Forwarded-For deny all

to completely not sending Via and X-Forwarded-For to
the parent servers.




[squid-users] To block perticuler IP for interner access

2007-09-05 Thread nandika rupasinghe
Dear all

I want to block a particular IP for internet browsing on squid proxy. Can you 
help me with the necessary steps.

warm regards

Nandika 



[squid-users] donations

2007-09-05 Thread Adrian Chadd

Thank you to everyone who has donated via Paypal or bought some squid merchandise
from the cafepress shop.

http://www.squid-cache.org/Support/thankyou.dyn

If you'd like to donate, even if it's just $10 or $20, then please do.
The project has only received $500 odd thus far; I shudder to think at
how much better Squid would be if users just started donating $10 or
so every few months.

(read: it'd get a lot better.)




Adrian