[squid-users] Large ACL's list, the ways to distribute squid caches, asking pro-users for advice.
Hi there, There is some problems and I asking for advice for spread squid load and increase perfomance. Now we have near 4000 users in our university, and one squid proxy server running on paravirtualized virtual machine (2 x 1.6Ghz Xeon E5310) We use Squid Accounting system calling SAcc for traffic accounting. It's generates squid configuration file and reloads squid when user is banned. Caching is off and squid uses only for proxying and accounting. There is NCSA authentication with passwd file for 4000 users, and 4000 ACL's generated in squid configuration file like this: acl popovasi proxy_auth popovasi http_access allow popovasi http_access allow popovasi CONNECT acl halenko proxy_auth halenko http_access allow halenko http_access allow halenko CONNECT acl mamatovaa proxy_auth mamatovaa http_access allow mamatovaa http_access allow mamatovaa CONNECT etc.. Internet connection is not so wide, only 4Mbps and, as I think, most hard on server is working with huge ACL lists. -- What we need and what we can: We need to spread squid load for better latency and responce to queries and turn on caching because of tiny internet channel. And so we have a couple of servers for new squid proxies. We can use mysql_auth helper for authentication because of all user database stored in mysql (but in clear-text, we working on it). We need some expirience and advices for better ACL management. How we can use one acl for all authorized users in passwd file? Can we get perfomance increase using CARP and parent proxy? What the perfomance hit will be if we will use gnu-regexp instead of built-in? Maybe we should change all user and traffic accounting management. Can you advice on dynamic distributed accounting and authentication solutions based on squid (I called it cache-grid :))? Now, ask you for your expirience. Thanks for reply. Feel free to give man and URL's for reading on this thread. Sorry for my English. Serg Androsov.
Re: [squid-users] ULTRASURF (anti-filtering program) problem
At 19:23 21-01-2008, SSCR Internet Admin wrote: I would like to ask if anyone from squid mailing list has stumble upon ultrasurf that can bypass any filtering products such as squidguard. I have setup a test pc with ip being blocked on squidguard. But to my surprise it bypass everything ive setup and with ultrasurf running on my test pc, IE internet setting has been changed to use 127.0.0.1 using port 9666. Teh ultrasurf proxy listening on 127.0.0.1 may be redirecting traffic to an external proxy. That would not go through Squid if you are only redirecting outgoing TCP traffic on port 80. I know that this is a kernel level issue and I havent successfully blocked 9666 via iptables, maybe someone could try it out and maybe come up with a solution, before young students could have this program since you don't need to install this on a PC, just run u.exe and youre done bypassing. The external proxy may not be listening on port 9666. As such, that iptables rule won't block access. The better solution is to prevent users from changing the Internet settings and by not allowing all outgoing connections to prevent the proxy from being bypassed. Regards, -sm
Re: [squid-users] ULTRASURF (anti-filtering program) problem
Amos Jeffries wrote: SSCR Internet Admin wrote: Hi, This is an off topic, but here it goes... I would like to ask if anyone from squid mailing list has stumble upon ultrasurf that can bypass any filtering products such as squidguard. I have setup a test pc with ip being blocked on squidguard. But to my surprise it bypass everything ive setup and with ultrasurf running on my test pc, IE internet setting has been changed to use 127.0.0.1 using port 9666. I know that this is a kernel level issue and I havent successfully blocked 9666 via iptables, maybe someone could try it out and maybe come up with a solution, before young students could have this program since you don't need to install this on a PC, just run u.exe and youre done bypassing. Thank you and God bless... Never heard of them. But going by the documentation they are HTTPS-tunneling all traffic from the localhost outbound. You and most would naturally allow HTTPS CONNECT requests through without filters for all the banking and secure sites that need it. And a read of the code confirms it. Seems to be interfacing with PuTTY, stunnel, and several HTTP CONNECT methods. If I'm right about it using HTTPS-tunnels you will need squid 3.1 with SSLBump to filter this programs traffic properly. We are just awaiting some of Alex's time for the SSLBump to be integrated fully into the daily snapshots. Amos -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.
Re: [squid-users] ULTRASURF (anti-filtering program) problem
SSCR Internet Admin wrote: Hi, This is an off topic, but here it goes... I would like to ask if anyone from squid mailing list has stumble upon ultrasurf that can bypass any filtering products such as squidguard. I have setup a test pc with ip being blocked on squidguard. But to my surprise it bypass everything ive setup and with ultrasurf running on my test pc, IE internet setting has been changed to use 127.0.0.1 using port 9666. I know that this is a kernel level issue and I havent successfully blocked 9666 via iptables, maybe someone could try it out and maybe come up with a solution, before young students could have this program since you don't need to install this on a PC, just run u.exe and youre done bypassing. Thank you and God bless... Never heard of them. But going by the documentation they are HTTPS-tunneling all traffic from the localhost outbound. You and most would naturally allow HTTPS CONNECT requests through without filters for all the banking and secure sites that need it. If I'm right about it using HTTPS-tunnels you will need squid 3.1 with SSLBump to filter this programs traffic properly. We are just awaiting some of Alex's time for the SSLBump to be integrated fully into the daily snapshots. Amos -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.
[squid-users] ULTRASURF (anti-filtering program) problem
Hi, This is an off topic, but here it goes... I would like to ask if anyone from squid mailing list has stumble upon ultrasurf that can bypass any filtering products such as squidguard. I have setup a test pc with ip being blocked on squidguard. But to my surprise it bypass everything ive setup and with ultrasurf running on my test pc, IE internet setting has been changed to use 127.0.0.1 using port 9666. I know that this is a kernel level issue and I havent successfully blocked 9666 via iptables, maybe someone could try it out and maybe come up with a solution, before young students could have this program since you don't need to install this on a PC, just run u.exe and youre done bypassing. Thank you and God bless... -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [squid-users] Keep the access log
Netmail writes: Hi I want to keep the access log of my squid for 5 years ; how to for set this option ? Thanks ! I use Logger to manage all my logs. I keep all my logs in /var/log for ease of use and have them prefixed with "Squid_". Here is the script I use on my backup machine to handle the compression et all: #!/bin/bash export PATH=/usr/local/bin:/usr/bin:/bin:/sbin: export D=`date -d yesterday +"%y%j"` tar -cp /var/log/Squid_*.$D | bzip2 -9 >> /Backup/Squid.bz2 rm /home2/log/Squid_*.$D &> /dev/null Logger automatically rotates all my logs daily and my log data is transmitted from my squid server to my backup machine automatically. I don't keep the logs on my squid server. --- Logger: Taking control of system logs. http://freshmeat.net/projects/slogger/
Re: [squid-users] Compile Time Options
> Gang, > > I'm getting ready to build squid from the command line (until now > I've just relied on the .deb packages but they are sooo outdated) for > Ubuntu 6.06 and Debian 4.0r1. The most recent squid are packaged nicely with a few debian specific fixes in the unstable repositories if you want to skip the whole building step. > I would like to know what command line > options I should use when I "make" it, ie, options that will put the > conf file in /etc/squid/, log files in /var/log/squid, etc. My cache is > for an ISP that connects via satellite, so bandwidth savings is > paramount. Also, it is done transparently via iptables (which works > mostly...). Any command line options that add performance (coss?) would > be appreciated too. > > Jason Wallace > For COSS: --enable-store-io=aufs,coss For transparency: --enable-linux-netfilter The basic commands I use on top of the defaultes are below. Not so much emphasis on bandwidth, but some. Also note this is squid3. Some may have diferent names for squid2. --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid3 --srcdir=. --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --with-default-user=proxy --with-large-files You will also need to apply the following so squid places its logs in the correct position for Debian/Ubuntu. --- src/Makefile.am 2007-09-17 14:22:33.0 +1200 +++ src/Makefile.am-2 2007-09-12 19:31:53.0 +1200 @@ -985,7 +985,7 @@ DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$ $/$(EXEEXT)/'` -DEFAULT_LOG_PREFIX = $(localstatedir)/logs +DEFAULT_LOG_PREFIX = $(localstatedir)/log DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log Amos
[squid-users] Re: HOWTO: Kerberos authentication and LDAP Authorization in Active Directory
BTW There are more "Kerberos tools" for squid at http://squidkerbauth.cvs.sourceforge.net/squidkerbauth/ 1) squid_kerb_auth - Authenticate with Kerberos to squid (for Unix) 2) squid_kerb_ldap - Authenticate with Kerberos (fallback to username/password) to AD,Openldap and query recursively group memberships (for Unix) 3) squid _kerb_proxy_auth - A patch for squid 2.6 to authenticate squid to ISA servers using Kerberos (for Unix) 4) squid_kerberizer - A local proxy which adds Kerberos authentication info for applications which don't support Kerberos authentication (for Windows and Unix) Regards Markus "Juraj Sakala" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] Excelent. I will try it. Thanks very much. Hi all, I write a simple Howto for use kerberos to authenticate a user in Active Directory and make authorization with Ldap also in AD using group membership to control the access. its at http://klaubert.wordpress.com I hope that be useful to somebody, Klaubert Herr
[squid-users] Compile Time Options
Gang, I'm getting ready to build squid from the command line (until now I've just relied on the .deb packages but they are sooo outdated) for Ubuntu 6.06 and Debian 4.0r1. I would like to know what command line options I should use when I "make" it, ie, options that will put the conf file in /etc/squid/, log files in /var/log/squid, etc. My cache is for an ISP that connects via satellite, so bandwidth savings is paramount. Also, it is done transparently via iptables (which works mostly...). Any command line options that add performance (coss?) would be appreciated too. Jason Wallace
Re: [squid-users] Hardware sizing
On Fri, 2008-01-18 at 19:25 +1100, Adam Carter wrote: > Our current proprietory webcaches push about 100Mbps and are due for > replacement, so we're looking at Squid. Assuming Lintel platform, what > spec of hardware would provide, say 2-3 times that performance? We run > LDAP authentication, complex ACLs and SmartFilter. Do you want your Squid to do disk caching? If yes, I do not know the answer, but others will hopefully pitch in. If you do not need disk caching, you should be able to do 100 Mbits/sec or more with Squid before LDAP, ACLs, and SmartFilter are taken into account. A reasonably configured Dual Core 3+MHz PC should be able to do that. I cannot estimate the effect of authentication, access controls, and SmartFilter in general, but one can always benchmark a specific configuration to discover its limits. Needless to say that if Squid does not meet your performance objectives, it is possible to optimize it so that it does (as long as there is another cache that performs at the desired level). The required development would depend on your specific situation, and may not be trivial, of course. HTH, Alex.
[squid-users] Load Balance Requests
Is there anyway to get Squid to load balance outgoing requests and downloads across a couple different IP's? Matt
Re: [squid-users] Squid, ICAP and logs
On Thu, 2008-01-17 at 17:01 +0100, Bourdaraud Vincent (NSN - FR/St-Ouen) wrote: > I'm new to squid. It looks overall pretty good, by I found a show > stopper for our project :( > > We use squid 3.0 STABLE1 compiled with --enable-icap-client and > configured to delegate all HTTP request to our ICAP server. We need > squid to add some information processed by our ICAP server within its > HTTP transaction logs (basically, this information is a user unique ID). > This information is very sensitive and must not be forwarded to > origin-servers. > > I've read FAQ, docs and played with squid and found no solution since > squid is not able to ICAP header and not able to log HTTP headers before > they are removed with header_access rules > > Do you guys have some idea? One hack you could try is to add "Connection: X-FOO" HTTP header in hope that Squid will log and then remove it before forwarding. I have not tried that and do not know whether hop-by-hop headers are removed late enough for this ugly hack to work. If logging and then removing HTTP headers is not possible, then I think we should add a feature to log ICAP response headers. Can your server return the needed information in the ICAP response header instead of the HTTP message header? Thank you, Alex.
[squid-users] got NTLMSSP command 1, expected 3
I decided to move my problem with users getting popup auth windows randomly while surfing to this new thread title as I think this thread title is a little more precise. If anyone knows how to resolve the following I'd greatly appreciate the help. OS Ver: 6.2-STABLE FreeBSD 6.2-STABLE #1: Thu Mar 15 01:46:50 CDT 2007 Squid Ver: squid-2.6.18 (squid.conf below) Samba Ver: samba-3.0.28,1 [2008/01/21 10:25:04, 1] libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 1, expected 3 [2008/01/21 10:25:07, 1] libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 1, expected 3 [2008/01/21 10:25:07, 1] libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 1, expected 3 [2008/01/21 10:25:07, 1] libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 1, expected 3 Kind regards, Elvar # squid.conf acl localnets src 10.0.0.0/8 acl listenip src 172.30.1.2/255.255.255.255 http_port 172.30.1.2:3128 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? cache deny QUERY acl all src 0.0.0.0/0.0.0.0 cache_dir ufs /usr/local/squid/cache 500 16 256 access_log /usr/local/squid/logs/access.log squid cache_log /usr/local/squid/logs/cache.log cache_store_log none emulate_httpd_log off log_mime_hdrs on check_hostnames off auth_param ntlm keep_alive on auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-1078081533-562591055-725345543-5170 auth_param ntlm children 100 ### Needed for Windows Update to work ### acl windowsupdate dstdomain .windowsupdate.microsoft.com acl windowsupdate dstdomain .update.microsoft.com acl windowsupdate dstdomain .download.windowsupdate.com acl windowsupdate dstdomain .c.microsoft.com acl windowsupdate dstdomain .download.microsoft.com acl honeywell dstdomain .honeywell.com acl webmail dstdomain webmail.example.com acl ptsc dstdomain .abcd.k12.in.us http_access allow windowsupdate localnets http_access allow honeywell localnets http_access allow webmail localnets http_access allow abcd localnets ## refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 #Recommended minimum configuration: acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl CONNECT method CONNECT acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl AuthorizedUsers proxy_auth REQUIRED # Only allow cachemgr access from localhost http_access allow manager localhost http_access allow manager listenip http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # http_access allow all AuthorizedUsers # And finally deny all other access to this proxy http_access deny all # and finally allow by default http_reply_access allow all icp_access allow all cache_effective_user squid visible_hostname example.com logfile_rotate 20 coredump_dir /usr/local/squid/cache ### End squid.conf
Re: [squid-users] squid_ldap_auth + ad2003
But I have restructured AD2003. And groups changed to organization unit. I changed my message on the nabble.com. I have my users: in a OU=Unibel, user=unibel and in a default container 'Users' user=squidtest. Authentication for users in the 'Users' container works well: ./squid_ldap_auth -u cn -b "cn=Users,dc=bsuir,dc=by" 172.16.83.1 squidtest squidtest OK How do I check authentication for users in the Organization Unit? What command line parameters for squid_ldap_auth use? I saw the squid_ldap_auth manual, but I do not help solve the problem. Tried recording format: ./squid_ldap_auth -b "ou=Unibel,dc=bsuir,dc=by" 172.16.83.1 unibel unibel ERR Success please help me Regards Andrew Matskevich -- View this message in context: http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14996691.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] squid_ldap_auth + ad2003
Klaubert Herr da Silveira-2 wrote: > > Andrew, > > by my quick research the group "Domain Users" are a special group, and > are not a good group do this job, maybe is better to use other group > where you turn all users members off it. > > To include a check of group you should use a ldap filter in your > request, something like this: > -f "(&(objectClass=person)(memberOf=CN=Manual Domain Users, > CN=Users,dc=bsuir,dc=by))" > > A good reference is http://workaround.org/moin/SquidLdap. > > []'s > Klaubert > > > On Jan 18, 2008 6:36 AM, koluchy <[EMAIL PROTECTED]> wrote: >> >> I have my users in a group at the 'Domain Users', default container >> 'Users'. >> >> Authentication for users in the 'Users' container works well: >> ./squid_ldap_auth -u cn -b "cn=Users,dc=bsuir,dc=by" 172.16.83.1 >> squidtest squidtest >> OK >> >> How do I check authentication for users in the 'Domain Users'group in a >> container Users? What command line parameters for squid_ldap_auth use? >> >> I saw the squid_ldap_auth manual, but I do not help solve the problem. >> >> please help me >> >> Regards >>Andrew Matskevich >> -- >> View this message in context: >> http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14948010.html >> Sent from the Squid - Users mailing list archive at Nabble.com. >> >> > > Thanks thanks thanks -- View this message in context: http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14996501.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] storeDiskdSend OPEN: (35) Resource temporarily unavailable
On Mon, Jan 21, 2008, Monah Baki wrote: > Hi Tek, > > I am planning on moving 1500 users to the proxy, ofcourse the system > will change (hardware wise). Performance of squid should be > important, I knew diskd was still in "test" mode, but I did not > expect 4 users even though it was running for 27 days to display this > error messages. > For my own info, if I move to ufs, and if ufs is pretty stable, > performance wise is it close to diskd or better. Move it to AUFS, UFS isn't (currently) going to be very high performing. Diskd wasn't intended to be "testing"; it just turned out that the design made a couple of flawed assumptions about the rest of the Squid codebase. As always, I've got ideas on how to fix that; who knows when that'll happen. Adrian -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] storeDiskdSend OPEN: (35) Resource temporarily unavailable
Hi Tek, I am planning on moving 1500 users to the proxy, ofcourse the system will change (hardware wise). Performance of squid should be important, I knew diskd was still in "test" mode, but I did not expect 4 users even though it was running for 27 days to display this error messages. For my own info, if I move to ufs, and if ufs is pretty stable, performance wise is it close to diskd or better. Thanks On Jan 21, 2008, at 1:57 AM, Tek Bahadur Limbu wrote: Hi Monah, Monah Baki wrote: Hi all, I'm running squid 2.6-stable17 on Freebsd 6.3. Machine is a 500MHz with 512MB RAM. Don't you think that your system is a little low on resources even for a low number of users? ./configure --prefix=/usr/local/squid --enable- storeio=ufs,coss,diskd,null --enable-underscores --with-large- files --enable-large-cache-files --enable-delay-pools --disable- ident-lookups --enable-snmp --enable-cache-digests --enable- underscores --enable-kill-parent-hack --enable-removal-policies -- enable-async-io --enable-kqueue --enable-follow-x-forwarded-for I think it's better to use "--enable- storeio=ufs,aufs,coss,diskd,null" and remove "--enable-async-io". In the end if DISKD does not work for you, then I guess you should use UFS, AUFS or COSS. Since you only have 4 users, all of them will work fine for you... Thanking you... In my squid.conf: cache_dir diskd /usr/local/squid/var/cache 28000 32 512 Q1=72 Q2=64 Thanks BSD Networking, Microsoft Notworking -- With best regards and good wishes, Yours sincerely, Tek Bahadur Limbu System Administrator (TAG/TDG Group) Jwl Systems Department Worldlink Communications Pvt. Ltd. Jawalakhel, Nepal http://www.wlink.com.np http://teklimbu.wordpress.com BSD Networking, Microsoft Notworking
Re: [squid-users] Keep the access log
J. Peng, on 01/21/2008 04:53 PM [GMT+500], wrote : > config squid to rotate logs and write a script to put the logs into > remote host with large disks,ie, a store device. > > On Jan 21, 2008 6:32 PM, Netmail <[EMAIL PROTECTED]> wrote: > >> Hi >> I want to keep the access log of my squid for 5 years ; how to for set this >> option ? >> Thanks ! >> >> >> we are keeping 6 months of logs on remote host. 1. enable log rotation for squid (keeping 1 is fine) 2. setup ssh key authentication between backup and squid hosts. 3. create a script to compress and SCP log file to bkp-host with somthing like rm -f /logbakup/* tar -czvf /logbakup/access.log_`date +%Y%m%d%H%M`.tar.gz /var/log/squid/access.log.0 scp /logbakup/*.tar.gz [EMAIL PROTECTED]:/squid-backups/ regards.
Re: [squid-users] Keep the access log
config squid to rotate logs and write a script to put the logs into remote host with large disks,ie, a store device. On Jan 21, 2008 6:32 PM, Netmail <[EMAIL PROTECTED]> wrote: > Hi > I want to keep the access log of my squid for 5 years ; how to for set this > option ? > Thanks ! > >
RS: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found
Hello, I'm using squid 2.5stable14 because I'm using websense as web filter. As far as I know, it only works with squid 2.5. I'm planning to replace Websense with DansGuardian in March, so I will be able to upgrade Squid. Does the new version of Squid solve my problem? Or I will also have to apply the patch Adrian Chadd suggested on the previous post? Is there any automatic process to apply the patch (like an script) or do I have to edit the configuration files by hand? To Elvar: yes,users are getting popup windows on their browsers. Thanks. -Missatge original- De: Amos Jeffries [mailto:[EMAIL PROTECTED] Enviat el: ds. 19/01/2008 02:24 Per a: Adrian Chadd A/c: Francisco Martinez Espadas; squid-users@squid-cache.org Tema: Re: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found Please also use a more recent squid release. Currently supported releases are: 2.6stable17+ if you are running high-performance servers 3.0-stable1+ if you can. Amos Adrian Chadd wrote: > On Fri, Jan 18, 2008, Francisco Martinez Espadas wrote: >> ???Hello, >> >> Since a few days ago I can't grant acces to users on my company network >> using Squid. >> I am having problems with 2 winbind processes that are using a huge > > Thank Samba for their fantastic implementation of windows authentication. :) > >> amount of CPU when users enter the system. >> The following is the winbind log: >>> nsswitch/winbindd.c:process_loop(813) >>> winbindd: Exceeding 200 client connections, no idle connection found > > http://devel.squid-cache.org/projects.html#ntlm_ip_cache > > > > Adrian > >>> >>> ???and the cache.log: >> 2008/01/18 11:05:24| WARNING: All ntlmauthenticator processes are >> busy. >> 2008/01/18 11:05:24| WARNING: up to 30 pending requests queued >> 2008/01/18 11:05:54| WARNING: All ntlmauthenticator processes are >> busy. >> 2008/01/18 11:05:54| WARNING: up to 59 pending requests queued >> 2008/01/18 11:05:54| Consider increasing the number of >> ntlmauthenticator processes to at least 89 in your config file. >> 2008/01/18 11:06:24| WARNING: All ntlmauthenticator processes are >> busy. >> 2008/01/18 11:06:24| WARNING: up to 98 pending requests queued >> 2008/01/18 11:06:24| Consider increasing the number of >> ntlmauthenticator processes to at least 128 in your config file. >> 2008/01/18 11:06:54| WARNING: All ntlmauthenticator processes are >> busy. >> 2008/01/18 11:06:54| WARNING: up to 149 pending requests queued >> 2008/01/18 11:06:54| Consider increasing the number of >> ntlmauthenticator processes to at least 179 in your config file. >> 2008/01/18 11:06:55| storeDirWriteCleanLogs: Starting... >> 2008/01/18 11:06:55| WARNING: Closing open FD8 >> 2008/01/18 11:06:55| 65536 entries written so far. >> 2008/01/18 11:06:55| WARNING: Closing open FD 84 >> 2008/01/18 11:06:55| Finished. Wrote 110308 entries. >> 2008/01/18 11:06:55| Took 0.1 seconds (838174.8 entries/sec). >> FATAL: Too many queued ntlmauthenticator requests (151 on 30) >> Squid Cache (Version 2.5.STABLE14): Terminated abnormally. >> I have been looking for some info and I've found this reopened >> bug:https://bugzilla.samba.org/show_bug.cgi?id=3204). >> >> Has anyone had the same problem and has succeeded on solving it? >> It's weird because Squid was working great until I updated Samba from >> Ubuntu repositories. >> >> This is my Scenario: >>> S.O. Ubuntu 7.04 >>> Versiones Samba y Winbind 3.0.24 >>> Usuarios, sobre unos 500 >>> Squid: >>> >>> $ squid -v >>> Squid Cache: Version 2.5.STABLE14 >>> configure options: --prefix=/usr --exec_prefix=/usr >>> --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid >>> --sysconfdir=/etc/squid --localstatedir=/var/spool/squid >>> --datadir=/usr/share/squid --enable-linux-netfilter --enable-async-io >>> --enable-storeio=aufs --enable-arp-acl >>> --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools >>> --enable-htcp --enable-poll --enable-cache-digests >>> --enable-underscores --enable-referer-log --enable-useragent-log >>> --enable-carp --enable-large-files --enable-auth=basic,ntlm >>> >> thanks > -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.
Fwd: Re: [squid-users] new squid issue...
Oops, should have gone here as well ... -- Forwarded Message -- Subject: Re: [squid-users] new squid issue... Date: Monday 21 January 2008 08:59 From: Peter Albrecht <[EMAIL PROTECTED]> To: Russell Martilla <[EMAIL PROTECTED]> Hi Russell, > Now I still can't get squid to start with rcsquid... From your previous post I remember you are using SLES 9, correct? On SUSE Linux, rcsquid is a symbolic link pointing to /etc/init.d/squid which is a script using parameters like start, stop, restart, reload, etc.. > I run the following; > > ps -eaf |grep squid with these results; > > root 4629 1 0 14:48 ? 00:00:00 ./squid > squid 4631 4629 0 14:48 ? 00:00:00 (squid) > squid 4632 4631 0 14:48 ? 00:00:00 (unlinkd) > root 4635 21985 0 14:48 pts/1 00:00:00 grep squid So Squid is already running. Are you using the Squid version coming with SLES 9 or a self-compiled Squid version? What _exactly_ are you doing when calling rcsquid? Or which other commands are you using? Try the following: * rcsquid stop -> Check with "ps aux | grep squid" if all Squid processes are stopped. * rcsquid start -> Check with "ps aux | grep squid" if Squid is started. If not, please check the log file /var/log/messages for any information. Regards, Peter -- Peter Albrecht, Novell Training Services --- -- Peter Albrecht, Novell Training Services
[squid-users] Keep the access log
Hi I want to keep the access log of my squid for 5 years ; how to for set this option ? Thanks !