Re: [squid-users] Problems connecting to some websites
Hi Haytham,

Haytham KHOUJA (devnull) wrote:
> Hello All,
>
> I have some problems connecting to some websites such as: google.com, yahoo.com, facebook.com and some local websites, this is not constant. I have the following configured:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
> echo 0 > /proc/sys/net/ipv4/tcp_low_latency
> echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
> echo 1 > /proc/sys/net/ipv4/tcp_moderate_rcvbuf
> echo 10240 > /proc/sys/net/ipv4/tcp_max_syn_backlog
> echo 100 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Note that I have a busy (500 concurrent requests) proxy connected to a L4 Foundry Switch.

So this is a transparent (intercepting) proxy? There are always some issues with it even though there is much less than before. As always, tcpdump and investigation is your best way out.

Thanking you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator (TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
http://teklimbu.wordpress.com

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
On Nov 21, 2007 12:21 PM, Tek Bahadur Limbu [EMAIL PROTECTED] wrote:
> Hi George,
>
> Siju George wrote:
> > Hi,
> >
> > I have a System with two Internet connections. Is it possible to configure squid to load balance outgoing internet traffic through those two Internet Connections?
>
> To keep things simple, you can just use the tcp_outgoing_address parameter in squid.conf.

It didn't work :-(

I am running OpenBSD and using the route-to option in pf.conf

http://www.openbsd.org/faq/pf/pools.html#outgoing

to load balance Internet connections. It is not multipath routing with two default routes.

Thank you so much for the response :-)

Kind Regards

Siju

Re: [squid-users] Problem with AUTH
Quoting Ralf Hildebrandt [EMAIL PROTECTED]:
> > > # grep -2 digestauthentifizierung squid.conf.WLAN
> > > # Allow the rest -- but only authorized!
> > > #
> > > acl digestauthentifizierung proxy_auth REQUIRED
> > > http_access allow digestauthentifizierung
> > > http_access allow CONNECT digestauthentifizierung
> >
> > Have you tried removing the line : http_access allow CONNECT digestauthentifizierung. You shouldn't need it, imho.
>
> Because http_access allow digestauthentifizierung already allows everything?

Yes, already allows http AND https for the authenticated users.

Andrew

[squid-users] Authenticating with Samba for logging username in Squid access log
Good morning.

I have successfully followed the steps in the walk-through http://mkeadle.org/?p=13

However, now, I am interested in how to get the username to appear in the access log. I have been unable to find any information on this. Can you provide assistance?

Otherwise, if there is a better way to accomplish my goal, please let me know. I am still open to other options.

Thank you for the assistance.

Shane

[squid-users] cuteftp throught squid
Hello, I need to connect cuteftp client through squid, any suggestion?

thanks

Re: [squid-users] External Helper - %{Hdr:member} ?
On Wed, 2007-11-21 at 00:07 -0500, Louis Gonzales wrote:
> Where I seem to be failing is, attempting to send any other HTTP host header information, just is not working for me. For example if I try: %{Referer} I'm getting a - which means nothing was passed.

Works for me.

> I've also tried: %{Referer:absoluteURI} - where I'm treating Referer as Hdr and absoluteURI as member

Referer only has a single member, the URI. The member syntax is used for list headers to extract a single member element in the list of values. For example a single cookie.

Regards
Henrik

Re: [squid-users] Invalid Response
On Tue, 2007-11-20 at 15:26 +0100, [EMAIL PROTECTED] wrote:
> Quoting Henrik Nordstrom [EMAIL PROTECTED]:
> > On Fri, 2007-11-09 at 16:25 +0100, [EMAIL PROTECTED] wrote:
> > > I encounter An invalid Response on a particular site.
> >
> > What is said in cache.log?
>
> Cache.log doesn't say much on normal debug settings.

Odd, it should. Squid version?

Regards
Henrik

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
On Nov 22, 2007 2:16 AM, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On Wed, 2007-11-21 at 13:50 +0900, Adrian Chadd wrote:
> > On Wed, Nov 21, 2007, Ming-Ching Tiew wrote:
> > > As far as I know, you could do split access using the 'tcp_outgoing_address' method, but you can't get squid to use it in round-robin manner. I might be wrong. :-)
> >
> > I don't think there is, but making squid do that with a small source patch wouldn't be difficult.
>
> But not something I would recommend. Many sites dislike clients coming from more than one IP during the same session. The client IP is often embedded in session cookies etc, making the session fail if the IP changes.

Yes Henrik. Such sites are identified and there is a firewall rule added to PF in OpenBSD to route them through the same interface.. But it is not a problem with majority of the sites.

Thank you so much for the response :-)

Kind Regards

Siju

[squid-users] read_timeout and fwdServerClosed: re-forwarding
Greetings,

I'm trying to make sense of some behavior I'm observing related to the read_timeout.

I'm dealing with an accelerator setup, where I'd rather return stale content (or an error) than wait for the origin server to return fresh content if it is taking too long to respond. I was hoping that setting the read_timeout to something very low, (ie: a few seconds) I could get the behavior -- granted, if the origin server sent back a few bytes every second, squid would keep waiting, but as I said: accelerator setup; I know how the origin server behaves, for every request it does a bunch of data crunching (which occasionally takes a while) before it ever writes a single byte back to the client.

What I've observed from testing with a simple JSP that does a sleep before writing back the response is that anytime the read_timeout is exceeded, squid will retry the request, and if that retry also exceeds the read_timeout, it will retry again, up to a total of 10 times (10 retries, 11 total requests to the origin server) before responding back to the client. It will do these retries even if there is a stale entry in the cache for this request (returning the stale content eventually -- but without a 'Warning' header).

Debugging logs for these retries look like this...

2007/11/20 14:04:10| checkTimeouts: FD 13 Expired
2007/11/20 14:04:10| checkTimeouts: FD 13: Call timeout handler
2007/11/20 14:04:10| httpTimeout: FD 13: 'http://localhost/test-read-timeout.jsp?123'
2007/11/20 14:04:10| fwdFail: ERR_READ_TIMEOUT Gateway Time-out http://localhost/test-read-timeout.jsp?123
...
2007/11/20 14:04:10| fwdServerClosed: FD 13 http://localhost/test-read-timeout.jsp?123
2007/11/20 14:04:10| fwdServerClosed: re-forwarding (2 tries, 12 secs)
...
2007/11/20 14:04:16| checkTimeouts: FD 13 Expired
2007/11/20 14:04:16| checkTimeouts: FD 13: Call timeout handler
2007/11/20 14:04:16| httpTimeout: FD 13: 'http://localhost/test-read-timeout.jsp?123'
2007/11/20 14:04:16| fwdFail: ERR_READ_TIMEOUT Gateway Time-out http://localhost/test-read-timeout.jsp?123
...
2007/11/20 14:04:16| fwdServerClosed: FD 13 http://localhost/test-read-timeout.jsp?123
2007/11/20 14:04:16| fwdServerClosed: re-forwarding (3 tries, 18 secs)

This seems very counterintuitive to me -- if the origin server accepts a connection, but takes a really long time to respond, in my experience that typically means it's overloaded and slamming it with 11 times the number of requests isn't going to help anything.

The only config option I could find that seemed to relate to retries was maximum_single_addr_tries but setting it to 1 had no effect, I did however notice this comment in its docs...

# Note: This is in addition to the request re-forwarding which
# takes place if Squid fails to get a satisfying response.

...this sounds like what I'm seeing -- is there an option to control the number of re-forwarding attempts (to be something smaller than 10), or any further documentation on the definition of a satisfying response ?

-Hoss

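
One way to measure the re-forwarding described in the message above from cache.log debug output (an added example, not part of the original post or of Squid). It assumes the line formats quoted in the message and that a re-forwarding line belongs to the most recent "fwdServerClosed: FD" line; the sample log and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

TIMEOUT = re.compile(r"\| httpTimeout: FD \d+: '([^']+)'")
CLOSED = re.compile(r"\| fwdServerClosed: FD \d+ (\S+)")
REFWD = re.compile(r"\| fwdServerClosed: re-forwarding \((\d+) tries, (\d+) secs\)")

# Constructed sample, following the debug line formats quoted in the post.
SAMPLE_LOG = """\
2007/11/20 14:04:10| httpTimeout: FD 13: 'http://localhost/test-read-timeout.jsp?123'
2007/11/20 14:04:10| fwdServerClosed: FD 13 http://localhost/test-read-timeout.jsp?123
2007/11/20 14:04:10| fwdServerClosed: re-forwarding (2 tries, 12 secs)
2007/11/20 14:04:16| httpTimeout: FD 13: 'http://localhost/test-read-timeout.jsp?123'
2007/11/20 14:04:16| fwdServerClosed: FD 13 http://localhost/test-read-timeout.jsp?123
2007/11/20 14:04:16| fwdServerClosed: re-forwarding (3 tries, 18 secs)
2007/11/20 14:04:20| fwdServerClosed: FD 14 http://localhost/fast.jsp
"""

def retry_summary(lines):
    """Per URL: read timeouts seen, highest logged 'tries' counter, elapsed secs."""
    stats = defaultdict(lambda: {"timeouts": 0, "max_tries": 0, "secs": 0})
    last_url = None
    for line in lines:
        if m := TIMEOUT.search(line):
            stats[m.group(1)]["timeouts"] += 1
        elif m := CLOSED.search(line):
            last_url = m.group(1)
            stats[last_url]  # record the URL even if it is never re-forwarded
        elif (m := REFWD.search(line)) and last_url is not None:
            # Assumption: this line refers to the most recently closed URL.
            entry = stats[last_url]
            entry["max_tries"] = max(entry["max_tries"], int(m.group(1)))
            entry["secs"] = max(entry["secs"], int(m.group(2)))
    return dict(stats)

def amplified(stats, limit=1):
    """URLs whose logged tries counter exceeded `limit`."""
    return sorted(url for url, s in stats.items() if s["max_tries"] > limit)

if __name__ == "__main__":
    summary = retry_summary(SAMPLE_LOG.splitlines())
    for url in amplified(summary):
        print(url, summary[url])
```

On a busy accelerator the pairing of re-forwarding lines with URLs is only approximate, because the re-forwarding line itself carries neither the FD nor the URL.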
Re: [squid-users] read_timeout and fwdServerClosed: re-forwarding
On Wed, Nov 21, 2007, Chris Hostetter wrote:
> Greetings,
>
> I'm trying to make sense of some behavior I'm observing related to the read_timeout.

Tip: fwdReforwardableStatus() I think is the function which implements the behaviour you're seeing. That and fwdCheckRetry. You could set the HTTP Gateway timeout to return 0 so the request isn't forwarded and see if that works, or the n_tries check in fwdCheckRetry(). I could easily make the 10 retry count a configurable parameter.

The feature, IIRC, was to work around transient network issues which would bring up error pages in a traditional forward-proxying setup.

> I'm dealing with an accelerator setup, where I'd rather return stale content (or an error) than wait for the origin server to return fresh content if it is taking too long to respond.

Hm, what about retry_on_error ? Does that do anything in an accelerator setup?

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
From: Siju George [EMAIL PROTECTED]
> > But not something I would recommend. Many sites dislike clients coming from more than one IP during the same session. The client IP is often embedded in session cookies etc, making the session fail if the IP changes.
>
> Yes Henrik. Such sites are identified and there is a firewall rule added to PF in OpenBSD to route them through the same interface.. But it is not a problem with majority of the sites.

Perhaps it will be interesting for squid to have an acl called random :-
( is there one already ? )

eg

acl rnd random 50 # 50 %
tcp_outgoing_address x.x.x.x rnd --- use x 50 % of time
tcp_outgoing_address y.y.y.y rnd --- use y 50% of time
tcp_outgoing_address z.z.z.z --- have to provide a default in case nothing is matched

And the random acl can be used together with other acl too !

eg

acl link1 dst .
tcp_outgoing_address x.x.x.x link1 rnd

:-)

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
It sounds like a coding project - are you volunteering? :)

Adrian

On Thu, Nov 22, 2007, Ming-Ching Tiew wrote:
> From: Siju George [EMAIL PROTECTED]
> > > But not something I would recommend. Many sites dislike clients coming from more than one IP during the same session. The client IP is often embedded in session cookies etc, making the session fail if the IP changes.
> >
> > Yes Henrik. Such sites are identified and there is a firewall rule added to PF in OpenBSD to route them through the same interface.. But it is not a problem with majority of the sites.
>
> Perhaps it will be interesting for squid to have an acl called random :-
> ( is there one already ? )
>
> eg
>
> acl rnd random 50 # 50 %
> tcp_outgoing_address x.x.x.x rnd --- use x 50 % of time
> tcp_outgoing_address y.y.y.y rnd --- use y 50% of time
> tcp_outgoing_address z.z.z.z --- have to provide a default in case nothing is matched
>
> And the random acl can be used together with other acl too !
>
> eg
>
> acl link1 dst .
> tcp_outgoing_address x.x.x.x link1 rnd
>
> :-)

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
Hi George,

Siju George wrote:
> On Nov 21, 2007 12:21 PM, Tek Bahadur Limbu [EMAIL PROTECTED] wrote:
> > Hi George,
> >
> > Siju George wrote:
> > > Hi,
> > >
> > > I have a System with two Internet connections. Is it possible to configure squid to load balance outgoing internet traffic through those two Internet Connections?
> >
> > To keep things simple, you can just use the tcp_outgoing_address parameter in squid.conf.
>
> It didn't work :-(
>
> I am running OpenBSD and using the route-to option in pf.conf
>
> http://www.openbsd.org/faq/pf/pools.html#outgoing

I am not familiar with OpenBSD systems. How many network interface cards does this OpenBSD system have? And how is your network setup layout?

> to load balance Internet connections. It is not multipath routing with two default routes.

Why don't you create 2 alias in your network interface pointing to the 2 routers having internet connectivity and then use the tcp_outgoing_address parameter?

Thanking you...

> Thank you so much for the response :-)
>
> Kind Regards
>
> Siju

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator (TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
http://teklimbu.wordpress.com

Re: [squid-users] External Helper - %{Hdr:member} ?
On Wed, 2007-11-21 at 20:13 -0500, Louis Gonzales wrote:
> Per the RFC for HTTP headers, Referer has both 'absoluteURI' and 'relativeURI', do you have an example of 'any' of the %{Hdr:member} HTTP headers, for syntactical reference?

That's just two different syntaxes for the URI in Referer, not different members sent in the header. Referer is a single-valued header.

Examples:

%{Cache-Control:max-age}
%{Cookie:;USER}

Regards
Henrik

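
A simplified model of how the %{Hdr}, %{Hdr:member} and %{Hdr:;member} format codes discussed in this thread select a value (an added example, not Squid's own code and not part of the original messages). It assumes that list items are name=value pairs, that the default list separator is a comma, that a leading non-alphanumeric character in the member part names a different separator, and that a missing value is passed as "-"; the request headers and function names are constructed for illustration.

```python
def parse_format_token(token):
    """Split '%{Hdr}', '%{Hdr:member}' or '%{Hdr:;member}' into (header, sep, member)."""
    if not (token.startswith("%{") and token.endswith("}")):
        raise ValueError("not a %{...} format code: " + token)
    header, colon, member = token[2:-1].partition(":")
    if not colon:
        return header, None, None          # whole header value requested
    sep = ","                               # assumed default list separator
    if member and not member[0].isalnum():
        sep, member = member[0], member[1:]  # e.g. ';' for Cookie
    return header, sep, member

def expand(token, headers):
    """Return what the helper would receive for `token`, or '-' if nothing matches."""
    header, sep, member = parse_format_token(token)
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if value is None:
        return "-"
    if member is None:
        return value
    for item in value.split(sep):
        name, eq, val = item.strip().partition("=")
        if eq and name == member:
            return val
    return "-"

# Constructed request headers for the demonstration.
SAMPLE_HEADERS = {
    "Referer": "http://example.com/a?x=1",
    "Cache-Control": "no-cache, max-age=3600",
    "Cookie": "SESSION=abc123; USER=alice",
}

if __name__ == "__main__":
    for tok in ("%{Referer}", "%{Referer:absoluteURI}", "%{Cache-Control:max-age}",
                "%{Cookie:;USER}", "%{Cookie:USER}"):
        print(tok, "->", expand(tok, SAMPLE_HEADERS))
```

In this model %{Cookie:USER} yields "-" because the cookie list is split on commas rather than semicolons, which is why the example in the message uses %{Cookie:;USER}.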
[squid-users] squid and CCTV
Hello,

I am trying to view a website that is linked to the CCTV cameras we have and it only shows a blue screen, I have tried bypassing all the rules on squid for that site and no luck. When I try viewing the same site on the same version of squid but running in transparent mode, it works fine.

Re: [squid-users] load balancing traffic through squid on systems with 2 Internet connections
On Wed, Nov 21, 2007, Ming-Ching Tiew wrote:
> As far as I know, you could do split access using the 'tcp_outgoing_address' method, but you can't get squid to use it in round-robin manner. I might be wrong. :-)

On Wed, 2007-11-21 at 13:50 +0900, Adrian Chadd wrote:
> I don't think there is, but making squid do that with a small source patch wouldn't be difficult.

On 21.11.07 21:46, Henrik Nordstrom wrote:
> But not something I would recommend. Many sites dislike clients coming from more than one IP during the same session. The client IP is often embedded in session cookies etc, making the session fail if the IP changes.

We have squid servers behind L3 switch (balancer) which uses the 'sourcehash' technique for balancing requests because of this reason. Maybe such functionality could be integrated into squid. Or into packetfilter :)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller

Re: [squid-users] cuteftp throught squid
On 21.11.07 12:48, julian julian wrote:
> Hello, I need to connect cuteftp client through squid, any suggestion?

does cuteftp support HTTP proxy? If not, the other way is use frox as intercepting FTP proxy

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease