[squid-users] Cache Proxy Configuration to let through SSL
Hi all.

I searched for 2 days of work now and I cannot figure it out. Sorry if it is nonetheless in the FAQ or obvious.

I set up an Ubuntu 6.10 Server and installed Squid and Dansguardian. These two work fine together and http-Traffic is no Problem. Because I want it to protect my Network, I closed as many Ports as possible and configured Squid in a way (I hope so) to just allow Http Traffic and Https Traffic. Caching the http Traffic works fine.

But I cannot figure out how to tell squid to just let through the Https-Traffic. I don't need squid to touch the Data, recrypt it or anything else, as many others wanted squid to. Surfing normally on http and https Sites with a Proxy and content filter (obviously not for https) would be great.

Is this possible?
Which Port is to be given to the Browser?
How do I open the required Port at my Server?
I don't run any other stuff at the server, can I take any (useless) Stuff out of the .conf?

Here's my squid.conf:

# WELCOME TO SQUID 2.6.STABLE1
#
http_port 3128
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
cache_dir ufs /media/hdd1/squidcache
emulate_httpd_log on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
#Recommended minimum configuration:
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow CONNECT SSL_ports
http_access allow Safe_ports
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname localhost
coredump_dir /var/spool/squid

Thanks for any help!

Kind Regards,
Felix Unterpaintner
[squid-users] squid accelerating port 8080 but want to mask :8080 ???
i have squid accelerating resin applications on port :8080, squid runs on :80...

every url i view has :8080 after i can squid mask the port???

thanks!

Oli
Re: [squid-users] Banner page for certain users in squid
Adrian Chadd wrote:
> On Wed, Sep 19, 2007, Umesh Bodalina wrote:
> > Hi all
> > I am running Squid Cache: Version 2.5.STABLE14 on FC5
> > I run SARG against my access.log every day to get a list of top 30
> > users, and would like to know if there is a way of redirecting these top
> > 30 users to a notice page upon first login in squid, where they are
> > notified of their high usage? After which they can continue surfing of
> > course.
>
> I'm sure people have done it in the past. I've not done it. Henrik?

I do it here. Requires some external helper and fancy use of deny_info.
I'm sure I've outlined the exact process in several different ways recently.

PS. It's much easier in 2.6/3.0 so time to upgrade.

Amos
[squid-users] SquidNT - Compressing rotated logs
Since I'm running SquidNT there's no native log rotation method. I'm writing a batch file to handle this, but I would like to zip up the archive copies of the log to save space, seeing as how store.log and access.log are 500MB+ each in less than a week. Thing is, I want to run this from the command line, preferably without relying on any 3rd party solutions.

I looked at compress.exe in the Windows 2003 Resource Kit, but I'd rather take advantage of the built in ZIP folders if possible... plus I couldn't figure out in three minutes how to uncompress them, and I don't want to rely on people remembering to compress them again after.

Anyone know of a built in method I can use to do this?

Paul Cocker
IT Systems Administrator
IT Security Officer
01628 81(6647)
TNT Post (Doordrop Media) Ltd.
1 Globeside Business Park
Fieldhouse Lane
Marlow
Bucks
SL7 1HY

TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709) and TNT Post South West Ltd (05983401). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
Many thanks, I guess I'll move us to STABLE 16. I'm tempted to copy the .conf, but I note the changelog talks about a .conf re-ordering, so I guess it'll be best to just copy my custom lines over.

Paul Cocker

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 19 September 2007 11:44
To: Paul Cocker
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM

On ons, 2007-09-19 at 09:35 +0100, Paul Cocker wrote:
> Apologies for the duplicate, I received a "failed delivery" message.
>
> What classifies as a "messenger" under squid then?

The key part there is the use of NTLM. In this case "messenger" is nothing special, just another non-browser application using the CONNECT method to open TCP tunnels via the Squid HTTP proxy.

Regards
Henrik
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
On tor, 2007-09-20 at 12:33 +0100, Paul Cocker wrote:
> Many thanks, I guess I'll move us to STABLE 16. I'm tempted to copy the
> .conf, but I note the changelog talks about a .conf re-ordering, so I
> guess it'll be best to just copy my custom lines over.

You can reuse your old configuration just fine. The reordering is just to make sure the order the directives are listed matches the order they depend on each other so you don't have to move things around to make them work..

Note: Once you have a working configuration it's recommended you clean it from all the documentation. Much easier to maintain that way, and you'll always have current documentation in squid.conf.default.

egrep -v "^#|^$" squid.conf >squid.conf.clean
edit squid.conf.clean adding your own comments explaining why things are set up the way they are
mv squid.conf.clean squid.conf

Regards
Henrik
Re: [squid-users] SquidNT - Compressing rotated logs
Paul Cocker wrote:
> Since I'm running SquidNT there's no native log rotation method. I'm
> writing a batch file to handle this, but I would like to zip up the
> archive copies of the log to save space, seeing as how store.log and
> access.log are 500MB+ each in less than a week. Thing is, I want to
> run this from the command line, preferably without relying on any 3rd
> party solutions.
>
> I looked at compress.exe in the Windows 2003 Resource Kit, but I'd
> rather take advantage of the built in ZIP folders if possible... plus
> I couldn't figure out in three minutes how to uncompress them, and I
> don't want to rely on people remembering to compress them again after.
>
> Anyone know of a built in method I can use to do this?

Last time I scripted compression in Win32 the 'compressed folders' just used the zip algorithm so any standard .zip utility would make a file windows can show as a 'compressed folder'. To get the folder icon all you have to do is zip a whole directory rather than a single file.

Amos
RE: [squid-users] SquidNT - Compressing rotated logs
Yes, but this then requires a 3rd party utility to create the ZIP, and I was looking first for a "Windows only" method. "Compressed folder" is just how Windows refers to a ZIP archive, be it of a file or a folder or anything.

Paul Cocker

-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: 20 September 2007 13:03
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SquidNT - Compressing rotated logs

Paul Cocker wrote:
> Since I'm running SquidNT there's no native log rotation method. I'm
> writing a batch file to handle this, but I would like to zip up the
> archive copies of the log to save space, seeing as how store.log and
> access.log are 500MB+ each in less than a week. Thing is, I want to
> run this from the command line, preferably without relying on any 3rd
> party solutions.
>
> I looked at compress.exe in the Windows 2003 Resource Kit, but I'd
> rather take advantage of the built in ZIP folders if possible... plus
> I couldn't figure out in three minutes how to uncompress them, and I
> don't want to rely on people remembering to compress them again after.
>
> Anyone know of a built in method I can use to do this?
>

Last time I scripted compression in Win32 the 'compressed folders' just used the zip algorithm so any standard .zip utility would make a file windows can show as a 'compressed folder'. To get the folder icon all you have to do is zip a whole directory rather than a single file.

Amos
[squid-users] maximum size of cache_mem
Hi all,

I've squid running with 4GB of cache_mem, seemed my squid unable to use 4GB of cache_mem. I would like to know is there any tools to analyze cache_mem utilization?

My system is: Fedora 7 64bit and squid-2.6S13

Thanks,
Zul
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
Initially I did it that way, being used to the BSDs working in the same fashion, but I changed it back simply due to the documentation recommending an exact copy.

I think you're right though, clean config for the win ;)

Paul Cocker

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 20 September 2007 12:37
To: Paul Cocker
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM

On tor, 2007-09-20 at 12:33 +0100, Paul Cocker wrote:
> Many thanks, I guess I'll move us to STABLE 16. I'm tempted to copy
> the .conf, but I note the changelog talks about a .conf re-ordering,
> so I guess it'll be best to just copy my custom lines over.

You can reuse your old configuration just fine. The reordering is just to make sure the order the directives are listed matches the order they depend on each other so you don't have to move things around to make them work..

Note: Once you have a working configuration it's recommended you clean it from all the documentation. Much easier to maintain that way, and you'll always have current documentation in squid.conf.default.

egrep -v "^#|^$" squid.conf >squid.conf.clean
edit squid.conf.clean adding your own comments explaining why things are set up the way they are
mv squid.conf.clean squid.conf

Regards
Henrik
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
On tor, 2007-09-20 at 13:38 +0100, Paul Cocker wrote:
> Initially I did it that way, being used to the BSDs working in the same
> fashion, but I changed it back simply due to the documentation
> recommending an exact copy.

Which documentation recommends an exact copy?

Regards
Henrik
Re: [squid-users] maximum size of cache_mem
Hi,

Have a look at cache manager:

http://wiki.squid-cache.org/SquidFaq/CacheManager

HTH,

On 9/20/07, zulkarnain <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've squid running with 4GB of cache_mem, seemed my
> squid unable to use 4GB of cache_mem. I would like to
> know is there any tools to analyze cache_mem
> utilization?
>
> My system is: Fedora 7 64bit and squid-2.6S13
>
> Thanks,
> Zul

--
Gonzalo A. Arana
Re: [squid-users] maximum size of cache_mem
SNMP is good

http://www.squid-cache.org/~wessels/squid-rrd/

On Thu, 2007-09-20 at 05:08 -0700, zulkarnain wrote:
> Hi all,
>
> I've squid running with 4GB of cache_mem, seemed my
> squid unable to use 4GB of cache_mem. I would like to
> know is there any tools to analyze cache_mem
> utilization?
>
> My system is: Fedora 7 64bit and squid-2.6S13
>
> Thanks,
> Zul

***
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Please note that emails to, from and within RTÉ may be subject to the Freedom of Information Act 1997 and may be liable to disclosure.
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
Sorry, I'm being too exacting on the documentation. The SquidNT docs say to copy squid.conf.default to make a squid.conf copy and to modify that. Obviously if you're going to do it the BSD way with the default file and the "change this" file then there's no point making a copy since you start from a blank anyway. So it could just be my interpretation of their meaning.

Paul Cocker

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 20 September 2007 13:47
To: Paul Cocker
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM

On tor, 2007-09-20 at 13:38 +0100, Paul Cocker wrote:
> Initially I did it that way, being used to the BSDs working in the
> same fashion, but I changed it back simply due to the documentation
> recommending an exact copy.

Which documentation recommends an exact copy?

Regards
Henrik
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM
Unfortunately this doesn't seem to resolve the issue. Got SquidNT 2.6 STABLE 16 up and running on a different port with the config being otherwise identical (minus the Java acl lines obviously) and changed my browser settings to point to it, browsed the web okay, but once I tried to use the Java app the access.log recorded the following:

TCP_DENIED/407 2035 CONNECT web.site.com:443 - NONE/- text/html

Same as before :(

Paul Cocker

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 18 September 2007 22:56
To: Paul Cocker
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Java authentication under SquidNT 2.6 STABLE 14 using NTLM

On tis, 2007-09-18 at 19:51 +0100, Paul Cocker wrote:
> Last week (Thursday/Friday) my organisation moved from SquidNT 2.5 to
> SquidNT 2.6 STABLE 14.
> Java 6 Update 2 and users connect using NTLM passthrough
> authentication, squid looks to see that they are a member of group X
> before allowing

Upgrade to 2.6.STABLE16.. should work better.

Regards
Henrik
Re: [squid-users] maximum size of cache_mem
--- John Moylan <[EMAIL PROTECTED]> wrote:
> SNMP is good
>
> http://www.squid-cache.org/~wessels/squid-rrd/
>

Thanks John! But snmp still did not provide utilization of usage cache_mem.

Zul
Re: [squid-users] maximum size of cache_mem
On Thu, Sep 20, 2007, zulkarnain wrote:
> --- John Moylan <[EMAIL PROTECTED]> wrote:
> > SNMP is good
> >
> > http://www.squid-cache.org/~wessels/squid-rrd/
> >
>
> Thanks John! But snmp still did not provide
> utilization of usage cache_mem.

Usage? It definitely graphs the current cache_mem utilisation. I know, I'm graphing it..

Adrian
Re: [squid-users] maximum size of cache_mem
--- Gonzalo Arana <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Have a look at cache manager:
>
> http://wiki.squid-cache.org/SquidFaq/CacheManager
>

Here is my cache manager output:

Memory usage for squid via mallinfo():
Total space in arena: 1810628 KB
Ordinary blocks: 1810311 KB 19 blks
Small blocks: 0 KB 0 blks
Holding blocks: 18800 KB 5 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 316 KB
Total in use: 1829111 KB 100%
Total free: 316 KB 0%
Total size: 1829428 KB
Memory accounted for:
Total accounted: 1707551 KB
memPoolAlloc calls: 115795525
memPoolFree calls: 112049666

squid only recognize 1.8GB of cache_mem but I've 4GB cache_mem in squid.conf, does it mean maximum size of cache_mem is 2GB? any help would be great. Thanks.

Zul
[squid-users] ufdbGuard version 1.12 is released
all,

ufdbGuard is a free URL filter for Squid. Besides being a regular URL filter, it can also enforce Google SafeSearch, dynamically detect https proxies and enforce strict https usage policies.

ufdbGuard can be downloaded from Sourceforge: http://sourceforge.net/projects/ufdbguard/

Marcus
Re: [squid-users] maximum size of cache_mem
The pages linked to provide 2 very relevant graphs generated using rrdtool cachemanager and snmp. Those are Memory Usage and page faults.

Memory usage is well..memory usage, and Page Faults are usually a good indicator of swapping activity. Using both graphs will enable you to tweak your memory to ensure max usage and help you to avoid swapping.

J

On Thu, 2007-09-20 at 07:44 -0700, zulkarnain wrote:
> --- John Moylan <[EMAIL PROTECTED]> wrote:
> > SNMP is good
> >
> > http://www.squid-cache.org/~wessels/squid-rrd/
> >
>
> Thanks John! But snmp still did not provide
> utilization of usage cache_mem.
>
> Zul
Re: [squid-users] maximum size of cache_mem
Hi,

Try getting squid config via cachemgr.

Checking cache_log is a good idea when squid starts. If squid sees anything not normal, it should report it there.

I am just shooting with my eyes folded, but:
1) check ulimit hard & soft values (ulimit -Ha and ulimit -Sa).
2) Are you running squid in 32bit or 64bit?

I am unfamiliar with Fedora, so I can't provide much help in this one, sorry.

HTH,

On 9/20/07, zulkarnain <[EMAIL PROTECTED]> wrote:
> --- Gonzalo Arana <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Have a look at cache manager:
> >
> > http://wiki.squid-cache.org/SquidFaq/CacheManager
> >
>
> Here is my cache manager output:
>
> Memory usage for squid via mallinfo():
> Total space in arena: 1810628 KB
> Ordinary blocks: 1810311 KB 19 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 18800 KB 5 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 316 KB
> Total in use: 1829111 KB 100%
> Total free: 316 KB 0%
> Total size: 1829428 KB
> Memory accounted for:
> Total accounted: 1707551 KB
> memPoolAlloc calls: 115795525
> memPoolFree calls: 112049666
>
> squid only recognize 1.8GB of cache_mem but I've 4GB
> cache_mem in squid.conf, does it mean maximum size of
> cache_mem is 2GB? any help would be great. Thanks.
>
> Zul

--
Gonzalo A. Arana
Re: [squid-users] squid accelerating port 8080 but want to mask :8080 ???
On 9/20/07, oliew <[EMAIL PROTECTED]> wrote:
>
> i have squid accelerating resin applications on port :8080, squid runs on
> :80...
>
> every url i view has :8080 after i can squid mask the port???

Squid doesn't touch the HTML.. resin must make sure that only relative URLs are used in the pages, and that only relative redirects are used.

This is not a specific issue with squid, but with any reverse proxy / load balancing solution.

--
/kinkie
Re: [squid-users] maximum size of cache_mem
Hi,

That's only referring to the amount of memory currently consumed by the memory cache. You should be able to see the figure growing as the memory cache fills up.

J

On Thu, 2007-09-20 at 07:50 -0700, zulkarnain wrote:
> --- Gonzalo Arana <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Have a look at cache manager:
> >
> > http://wiki.squid-cache.org/SquidFaq/CacheManager
> >
>
> Here is my cache manager output:
>
> Memory usage for squid via mallinfo():
> Total space in arena: 1810628 KB
> Ordinary blocks: 1810311 KB 19 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 18800 KB 5 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 316 KB
> Total in use: 1829111 KB 100%
> Total free: 316 KB 0%
> Total size: 1829428 KB
> Memory accounted for:
> Total accounted: 1707551 KB
> memPoolAlloc calls: 115795525
> memPoolFree calls: 112049666
>
> squid only recognize 1.8GB of cache_mem but I've 4GB
> cache_mem in squid.conf, does it mean maximum size of
> cache_mem is 2GB? any help would be great. Thanks.
>
> Zul
[squid-users] ICAP - not sending Respmod
Hi all,

I was testing Squid 3.0.PRE6-20070718 and the ICAP protocol was working fine. I've updated to 3.0.PRE7-20070919 and squid stop sending Respmod, although the Reqmod is ok, follow my conf:

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url service_1 service_2
icap_access filtro_url allow all

I've tracked the connection and I can see ICAP server answering his Methods:

OPTIONS icap://127.0.0.1:1344/wwreqmod ICAP/1.0
Host: 127.0.0.1:1344

ICAP/1.0 200 OK
Allow: 204
Encapsulated: null-body=0
ISTAG: "001-000-03"
Max-Connections: 50
Methods: REQMOD, RESPMOD, PROFILE, CERTVERIFY
Options-TTL: 300
Preview: 30
Service: Webwasher 6.5.2.2676 (WW 6.5)
Service-ID: ww
Transfer-Preview: *
X-Include: X-Authenticated-Groups,X-Authenticated-User,X-Client-IP

Bugzilla?

Thanks,
Thiago Cruz
Re: [squid-users] maximum size of cache_mem
--- zulkarnain <[EMAIL PROTECTED]> wrote:
> --- Gonzalo Arana <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Have a look at cache manager:
> >
> > http://wiki.squid-cache.org/SquidFaq/CacheManager
> >
>
> Here is my cache manager output:
>
> Memory usage for squid via mallinfo():
> Total space in arena: 1810628 KB
> Ordinary blocks: 1810311 KB 19 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 18800 KB 5 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 316 KB
> Total in use: 1829111 KB 100%
> Total free: 316 KB 0%
> Total size: 1829428 KB
> Memory accounted for:
> Total accounted: 1707551 KB
> memPoolAlloc calls: 115795525
> memPoolFree calls: 112049666
>
> squid only recognize 1.8GB of cache_mem but I've 4GB
> cache_mem in squid.conf, does it mean maximum size of
> cache_mem is 2GB? any help would be great. Thanks.
>

Are you running 64-bit CPU, 64-bit OS and 64-bit Squid program? Otherwise I don't think your squid can use full of 4G memory for cache_mem.
[squid-users] Reverse Proxy for Multiple SSL sites
Hi..

I hope that this is the correct address, if not I apologise.

I have a simple yes or no type of question for you.. is it possible to have a squid proxy running as a reverse proxy on one IP Address but forwarding on requests to multiple backend web servers for HTTPS requests?

eg:
DNS for ww1.abc.com, ww1.def.com ww1.ghi.com
pointing to
FIREWALL:443 (single IP Address)
pointing to
SQUID:443 (single IP Address, reverse proxy)
ww1.abc.com:443 ww1.def.com:443 ww1.ghi.com:443

(Please replace ww1 with www)

Thanks
Jason
[squid-users] after squid shut down redirector still working
Hi. I have troubles with redirector. When I shut down the squid, all the auth helpers started by squid quit too. But not redirectors. I can not understand what is happening with squid. Also, after squid reconfiguration the redirectors count becomes doubled.

This is a piece of cache.log

2007/09/19 21:49:38| Took 0.3 seconds ( 0.0 objects/sec).
2007/09/19 21:49:38| Beginning Validation Procedure
2007/09/19 21:49:38| Completed Validation Procedure
2007/09/19 21:49:38| Validated 0 Entries
2007/09/19 21:49:38| store_swap_size = 0k
2007/09/19 21:49:39| storeLateRelease: released 0 objects
2007/09/19 21:52:27| Preparing for shutdown after 0 requests
2007/09/19 21:52:27| Waiting 30 seconds for active connections to finish
2007/09/19 21:52:27| FD 22 Closing HTTP connection
2007/09/19 21:52:58| Shutting down...
2007/09/19 21:52:58| FD 23 Closing ICP connection
2007/09/19 21:52:58| WARNING: Closing client 127.0.0.1 connection due to lifetime timeout
2007/09/19 21:52:58|http://www.yahoo.com/
2007/09/19 21:52:58| Closing unlinkd pipe on FD 20
2007/09/19 21:52:58| storeDirWriteCleanLogs: Starting...
2007/09/19 21:52:58| Finished. Wrote 0 entries.
2007/09/19 21:52:58| Took 0.0 seconds ( 0.0 entries/sec).
CPU Usage: 0.062 seconds = 0.028 user + 0.035 sys
Maximum Resident Size: 7180 KB
Page faults with physical i/o: 0
2007/09/19 21:52:58| Open FD WRITING 6 shaga_redir #1
2007/09/19 21:52:58| Squid Cache (Version 2.6.STABLE14): Exiting normally.

Who can explain to me what's wrong? Thanks in advance.
[squid-users] Please help to configure http_access allow for one computername to blocked site
I have searched everywhere for how to allow one computername on our network to be exempt from the following url blocking example. Does anyone know how? Please help.

acl bad_domains dstdomain .domainname.com
http_access deny bad_domains

Thanks
Re: [squid-users] ICAP - not sending Respmod
Hi,

Works very well for me. How are you testing it?
Maybe the problem is repeated ICAP service failures. In this case squid stops using the service.

if you change the line:
icap_service service_2 respmod_precache 0 .
to
icap_service service_2 respmod_precache 1 .

What are you seeing?

The squid bugzilla is here: http://www.squid-cache.org/bugs/

Regards,
Christos

Thiago Cruz wrote:
> Hi all,
>
> I was testing Squid 3.0.PRE6-20070718 and the ICAP protocol was working
> fine. I've updated to 3.0.PRE7-20070919 and squid stop sending Respmod,
> although the Reqmod is ok, follow my conf:
>
> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> icap_class filtro_url service_1 service_2
> icap_access filtro_url allow all
>
> I've tracked the connection and I can see ICAP server answering his Methods:
>
> OPTIONS icap://127.0.0.1:1344/wwreqmod ICAP/1.0
> Host: 127.0.0.1:1344
>
> ICAP/1.0 200 OK
> Allow: 204
> Encapsulated: null-body=0
> ISTAG: "001-000-03"
> Max-Connections: 50
> Methods: REQMOD, RESPMOD, PROFILE, CERTVERIFY
> Options-TTL: 300
> Preview: 30
> Service: Webwasher 6.5.2.2676 (WW 6.5)
> Service-ID: ww
> Transfer-Preview: *
> X-Include: X-Authenticated-Groups,X-Authenticated-User,X-Client-IP
>
>
> Bugzilla?
>
> Thanks,
> Thiago Cruz
>
[squid-users] Refresh Pattern Regex
Hi All, please what exactly do we match the refresh_pattern regex against? Is it the url, the whole header, mime, or what? Thanks, solomon.
Re: [squid-users] squid only caching for a few seconds... i.e. MISS/HIT/MISS/HIT
On ons, 2007-09-19 at 18:12 -0700, Neil Harkins wrote:

> Hi. Our squid appears to be caching .css for only a few seconds,
> when I expect it should be caching it longer, and doing IMS requests.

It should.. and does for me..

Regards
Henrik
Re: [squid-users] Banner page for certain users in squid
On tor, 2007-09-20 at 10:45 +0800, Adrian Chadd wrote:

> > I run SARG against my access.log every day to get a list of top 30
> > users, and would like to know if there is a way of redirecting these top
> > 30 users to a notice page upon first login in squid, where they are
> > notified of their high usage? After which they can continue surfing of
> > course.
>
> I'm sure people have done it in the past. I've not done it. Henrik?

An acl containing these users combined with the session helper would do the trick fine.

Regards
Henrik
Re: [squid-users] Cache Proxy Configuration to let through SSL
On tor, 2007-09-20 at 10:05 +0200, Unterpaintner, Felix wrote:

> But I cannot figure out, how to tell squid to just let through the
> Https-Traffic. I don`t ned squid to touch the Data, recrypt it or anything
> else, as may others wanted squid to.

Normally it does just that, lets it through. Browsers use the CONNECT method to open SSL tunnels.

What does access.log say?

> Is this possible?

Yes.

> Which Port is to be given to the Browser?

The http_port.

> Howdo I open the required Port at my Server?

?

> A don`t run any other stuff at the server, can I take any (useless) Stuff out
> if the .conf?

Yours looked reasonable, except for the http_access stuff.. those were a bit twisted. But works..

> http_access allow localhost
> http_access allow CONNECT SSL_ports
> http_access allow Safe_ports
> # And finally deny all other access to this proxy
> http_access deny all

You may just as well replace the above with "http_access allow all". But most use an acl to only allow allowed clients here..

Regards
Henrik
Re: [squid-users] SquidNT - Compressing rotated logs
On tor, 2007-09-20 at 12:31 +0100, Paul Cocker wrote:

> Since I'm running SquidNT there's no native log rotation method. I'm
> writing a batch file to handle this, but I would like to zip up the
> archive copies of the log to save space, seeing as how store.log and
> access.log are 500MB+ each in less than a week. Thing is, I want to run
> this from the command line, preferably without relying no any 3rd party
> solutions.

Here is one idea using only Windows:

Create a log archival directory, configure it to be compressed and that files stored there should get automatically compressed.

Then in your batch job that rotates the logs, copy the logs there and let the filesystem compress them for you..

Regards
Henrik
RE: [squid-users] Java authentication under SquidNT 2.6 STABLE 14using NTLM
On tor, 2007-09-20 at 15:33 +0100, Paul Cocker wrote:

> Unfortunately this doesn't seem to resolve the issue. Got SquidNT 2.6
> STABLE 16 up and running on a different port with the config being
> otherwise identical (minus the Java acl lines obviously) and changed my
> browser settings to point to it, browsed the web okay, but once I tried
> to use the Java app the access.log recorded the following:
>
> TCP_DENIED/407 2035 CONNECT web.site.com:443 - NONE/- text/html

Odd. Can you provide a packet capture of the traffic so we can look into full detail? wireshark is a very good tool for that purpose..
http://www.wireshark.org/

You can send the packet capture in private, or upload it to ftp://ftp.henriknordstrom.net/incoming/

Regards
Henrik
Re: [squid-users] Reverse Proxy for Multiple SSL sites
On tor, 2007-09-20 at 17:22 +0100, [EMAIL PROTECTED] wrote:

> is it possible to have a squid proxy running as a reverse proxy on one IP
> Address but forwarding on requests to multiple backend web servers for
> HTTPS requests?

Yes, but only using a single certificate presented to the users. So you need a multi-domain certificate to make clients happy if doing this.

This is an SSL limitation, not so much a Squid limitation.. SSL is on the ip:port level, before it's known which host the client requested.

All the options such as vhost etc are available in https_port as well, even if the documentation mostly talks about a single site due to the certificate limitations..

Regards
Henrik
Re: [squid-users] after squid shut down redirector still working
On tor, 2007-09-20 at 10:15 -0700, Arthur Tumanyan wrote:

> Hi.I have troubles with redirector.
> When I shutting down the squid,all the auth helpers started by squid
> quitting too.But not redirectors.I can not understand what is happening with
> squid.

Probably your redirectors are broken. What redirector are you using?

The redirector needs to exit when stdin is closed. Have seen some broken redirector implementations before which enter a 100% CPU loop instead of exiting, not knowing what to do when EOF is seen..

Regards
Henrik
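The EOF behaviour described in the reply above, as an added example that is not part of the original thread and is not the poster's shaga_redir helper. It assumes the Squid 2.6 non-concurrent helper format (one request per line, URL as the first field, an empty reply meaning "no change"); the rewrite rule and host names are hypothetical.

```python
import sys


def rewrite(url):
    """Hypothetical rule: send one constructed host to a notice page."""
    if url.startswith("http://blocked.example/"):
        return "http://proxy.example/notice.html"
    return ""  # an empty reply tells Squid to leave the URL unchanged


def run_redirector(inp, out):
    """Answer requests until Squid closes our stdin; return lines handled."""
    handled = 0
    while True:
        line = inp.readline()
        if line == "":        # readline() returns "" only at EOF:
            break             # Squid shut down or reconfigured, so stop
        fields = line.split()
        url = fields[0] if fields else ""
        out.write(rewrite(url) + "\n")
        out.flush()           # Squid waits for every reply; never buffer
        handled += 1
    return handled


def broken_redirector(inp, out, max_iterations):
    """The faulty pattern: EOF is treated like an empty request.

    A real broken helper loops with `while True`; the bound here only
    makes the spin observable. Returns the number of loop iterations.
    """
    iterations = 0
    while iterations < max_iterations:
        line = inp.readline().strip()
        iterations += 1
        if not line:
            continue          # EOF lands here on every pass: 100% CPU loop
        out.write(rewrite(line.split()[0]) + "\n")
        out.flush()
    return iterations


if __name__ == "__main__":
    run_redirector(sys.stdin, sys.stdout)
    sys.exit(0)               # exiting lets Squid reap the helper
```

A helper that never exits on EOF also explains a doubled helper count after a reconfigure: Squid closes the old helpers' stdin and starts a new set, and the old ones keep running.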
Re: [squid-users] Please help to configure http_access allow for one computername to blocked site
On tor, 2007-09-20 at 11:20 -0700, mherder wrote:

> I have searched everywhere for how to allow one computername on our network
> to be exempt from the following url blocking example. Does anyone know how?
> Please help.
>
> acl bad_domains dstdomain .domainname.com
>
> http_access deny bad_domains

acl good_computer src ip.of.the.computer

http_access allow good_computer
http_access deny bad_domains

or alternatively

http_access deny !good_computer bad_domains

Regards
Henrik
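The two rule sets in the reply above differ in scope once more rules follow them, because http_access stops at the first matching line. The following added example (not part of the original thread) models that first-match evaluation; the address 192.168.2.100 standing in for ip.of.the.computer, the localnet and other_blocked ACLs and the trailing rules are assumptions made for illustration.

```python
import ipaddress

# ACLs from the thread plus assumed ones; all values are constructed.
ACLS = {
    "good_computer": ("src", "192.168.2.100"),           # ip.of.the.computer
    "bad_domains": ("dstdomain", ".domainname.com"),
    "other_blocked": ("dstdomain", ".blocked.example"),  # hypothetical
    "localnet": ("src", "192.168.2.0/24"),               # assumed
    "all": ("src", "0.0.0.0/0"),
}


def acl_matches(name, client_ip, host):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    # dstdomain with a leading dot matches the domain and its subdomains
    host = host.lower()
    return host == value.lstrip(".") or host.endswith(value)


def http_access(rules, client_ip, host):
    """Return (action, index) of the first rule whose ACLs all match."""
    for idx, (action, names) in enumerate(rules):
        if all(acl_matches(n.lstrip("!"), client_ip, host) != n.startswith("!")
               for n in names):
            return action, idx
    # No line matched: the default is the opposite of the last line
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), None


# Assumed rules that follow the lines from the reply in a larger config.
TAIL = [("deny", ["other_blocked"]), ("allow", ["localnet"]), ("deny", ["all"])]
FORM_1 = [("allow", ["good_computer"]), ("deny", ["bad_domains"])] + TAIL
FORM_2 = [("deny", ["!good_computer", "bad_domains"])] + TAIL


def compare(client_ip, host):
    """Decision under the first form and under the alternative form."""
    return (http_access(FORM_1, client_ip, host)[0],
            http_access(FORM_2, client_ip, host)[0])


if __name__ == "__main__":
    for ip, host in [("192.168.2.100", "www.domainname.com"),
                     ("192.168.2.50", "www.domainname.com"),
                     ("192.168.2.100", "www.blocked.example")]:
        print(ip, host, compare(ip, host))
```

In this model the first form lets good_computer through before any later deny is consulted, while the alternative form exempts it from the bad_domains block only.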
Re: [squid-users] Refresh Pattern Regex
On tor, 2007-09-20 at 13:13 -0700, Solomon Asare wrote:

> Hi All,
> please what exactly do we match the refresh_pattern
> regex against? Is it the url, the whole header, mime,
> or what?

The whole URL from scheme to query string.

Regards
Henrik
Re: [squid-users] maximum size of cache_mem
On tor, 2007-09-20 at 07:44 -0700, zulkarnain wrote:

> --- John Moylan <[EMAIL PROTECTED]> wrote:
> > SNMP is good
> >
> > http://www.squid-cache.org/~wessels/squid-rrd/
> >
>
> Thanks John! But snmp still did not provide
> utilization of usage cache_mem.

It does. cacheMemUsage is the amount of cache_mem used.

Regards
Henrik
[squid-users] More ACL issues.
Hi,

SquidNT 2.5
ntlm auth
Windows Server 2003

Everything is nearly working. The authentication against AD is fine, I can see the domain name\username in the logs etc. However when I add the acl for my tomtom software it allows the tomtom software to connect to their site, but I stop seeing the domain name\username in the access logs.

acl tomtom src 192.168.2.100
http_access allow tomtom
acl localnet proxy_auth REQUIRED src 192.168.2.0/24
http_access allow localnet

There must be a way so that I can login to the tomtom site and still authenticate in AD?

Thanks,

Tom.
Re: [squid-users] ICAP - not sending Respmod
Hi Christos,

I guess that there is a misconfiguration with my ICAP server; I'm working on this.

Have you tried a configuration like this? It seems that service_3 will never be activated.

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_service service_3 respmod_precache 0 icap://172.1.1.16:1344/respmod

icap_class filtro_url service_1 service_2 service_3
icap_access filtro_url allow all

Thanks,
Thiago Cruz

On 9/20/07, Christos Tsantilas <[EMAIL PROTECTED]> wrote:
> Hi,
> Works very well for me. How are you testing it?
> Maybe the problem is repeated ICAP service failures. In this case squid
> stops using the service.
>
> if you change the line:
> icap_service service_2 respmod_precache 0 .
> to
> icap_service service_2 respmod_precache 1 .
>
> What are you seeing?
>
> The squid bugzilla is here:
> http://www.squid-cache.org/bugs/
>
> Regards,
> Christos
>
>
> Thiago Cruz wrote:
> > Hi all,
> >
> > I was testing Squid 3.0.PRE6-20070718 and the ICAP protocol was working
> > fine. I've updated to 3.0.PRE7-20070919 and squid stop sending Respmod,
> > although the Reqmod is ok, follow my conf:
> >
> > icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> > icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> > icap_class filtro_url service_1 service_2
> > icap_access filtro_url allow all
> >
> > I've tracked the connection and I can see ICAP server answering his
> Methods:
> >
> > OPTIONS icap://127.0.0.1:1344/wwreqmod ICAP/1.0
> > Host: 127.0.0.1:1344
> >
> > ICAP/1.0 200 OK
> > Allow: 204
> > Encapsulated: null-body=0
> > ISTAG: "001-000-03"
> > Max-Connections: 50
> > Methods: REQMOD, RESPMOD, PROFILE, CERTVERIFY
> > Options-TTL: 300
> > Preview: 30
> > Service: Webwasher 6.5.2.2676 (WW 6.5)
> > Service-ID: ww
> > Transfer-Preview: *
> > X-Include: X-Authenticated-Groups,X-Authenticated-User,X-Client-IP
> >
> >
> > Bugzilla?
> >
> > Thanks,
> > Thiago Cruz
Re: [squid-users] More ACL issues.
Try using webmin to administer squid

Best regards

Tom Vivian wrote:

>Hi,
>
>SquidNT 2.5
>ntlm auth
>Windows Server 2003
>
>Everything is nearly working. The authentication against AD is fine, I can
>see the domain name\username in the logs etc. However when I add the acl for
>my tomtom software it allows the tomtom software to connect to their site,
>but I stop seeing the domain name\username in the access logs.
>
>acl tomtom src 192.168.2.100
>http_access allow tomtom
>acl localnet proxy_auth REQUIRED src 192.168.2.0/24
>http_access allow localnet
>
>There must be a way so that I can login to the tomtom site and still
>authenticate in AD?
>
>Thanks,
>
>Tom.
[squid-users] HTTP Header Manipulation Question
I have an application that passes a value back to the client using the HTTP Status string:

Response.Status = Response.Status & " " & FileSize

This would return an HTTP status to the client looking like below, which says 200 for success and 5632 for the number of bytes uploaded to the server.

200 5632

Unfortunately, Squid doesn't see that as a valid HTTP status (and rightfully so) and trims off the 5632 and replaces it with "OK". Therefore, the application errors on the client side because it's expecting a value back in the HTTP Header. Below is what I found in testing:

Through the Squid proxy: HTTP/1.0 200 OK
Direct to Web Server: HTTP/1.1 200 5632

The developers are working on fixing this, but for the time being, is there any setting in Squid that I can set to allow it to pass the value back after the "200" status code (i.e. replace the "OK" with a value)?

What I'd like Squid to pass back is: HTTP/1.0 200
Example: HTTP/1.0 200 5632

Any assistance would be appreciated.
Re: [squid-users] TCP_DENIED:NONE and Forwarding loop
Paul Bertain wrote:

Hi Tek and Adrian,

I appreciate the suggestions. We have resolved our issue, which was related to our custom-built Squid parent that was expecting ICP connections only from the configured IP address of the Squid (192.168.1.81). Squid is running on a host system with the IP 192.168.1.17 so we were using the following http_port command:

http_port 192.168.1.81:80

to force Squid to listen on a specified IP address on port 80 for any connections. We tried to use the following command to get Squid to make ICP connections from that same IP address:

icp_port 192.168.1.81:3130

but when Squid was trying to initiate an ICP to the Squid parent, it was using the host system IP (192.168.1.17) instead of the icp_port IP (192.168.1.81).

Based on that, is there a way to force Squid to initiate ICP connections from a specific IP rather than the default/host IP address?

Thanks again,
Paul

# TAG: udp_outgoing_address
# udp_outgoing_address is used for ICP packets sent out to other
# caches.

Chris
Re: [squid-users] maximum size of cache_mem
--- tech user <[EMAIL PROTECTED]> wrote:

>
> Are you running 64-bit CPU,64-bit OS and 64-bit
> Squid program?
> Otherwise I don't think your squid can use full of
> 4G memory for cache_mem.
>

Yes! I'm running 64-bit CPU, 64-bit OS and 64-bit squid. But squid is unable to use 4GB of cache_mem. Did I miss something?

Zul
[squid-users] Maximum Cachedir COSS size
Hi,

I had configured squid2.6 with these parameters

./configure \
--prefix=/usr/local/squid_coss \
--enable-coss-aio-ops \
--with-pthreads \
--with-aio \
--with-coss-membuf-size=33554432 \
--enable-linux-netfilter \
--enable-large-cache-files \
--with-large-files \
--enable-async-io=256 \
--enable-snmp \
--enable-cache-digests \
--enable-follow-x-forwarded-for \
--enable-storeio="aufs,coss" \
--enable-removal-policies="heap,lru" \
--with-maxfd=65536 \
--enable-epoll \
--disable-ident-lookups

And my squid.conf of COSS as

cache_dir coss /dev/cciss/c0d5 10 max-size=33554431 overwrite-percent=40

And use command squid -z

I got this error

FATAL: COSS cache_dir size exceeds largest offset

I tried random values for the max size and the size can't be more than 7500.

What's happening? How can I use the maximum disk for a single partition?

Thanks
Sunin.T
Re: [squid-users] ICAP - not sending Respmod
On tor, 2007-09-20 at 18:39 -0300, Thiago Cruz wrote:

> Have you tried a configuration like this? It seems that service_3 will
> never be actived.
>
> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> icap_service service_3 respmod_precache 0 icap://172.1.1.16:1344/respmod
>
> icap_class filtro_url service_1 service_2 service_3

Currently chaining of multiple services at the same service point is not supported, which means you can at most have two icap services per request, one at reqmod_precache and one at respmod_precache.

Regards
Henrik