[squid-users] a config help

2008-02-21 Thread J. Peng
Hello,

My squid hosts have an original server. When the original server gets
down, it will use other siblings for sources.
This is my config section, is it right? Please help, thanks.


nonhierarchical_direct off
prefer_direct on

cache_peer  192.168.1.1 parent 80  0  no-query originserver name=WWW
cache_peer  192.168.1.2 sibling 80  0  no-query  name=WWW
cache_peer  192.168.1.3 sibling 80  0  no-query  name=WWW

acl service_www dstdomain   www.site.com  blog.site.com  forum.site.com
cache_peer_access WWW allow service_www


Re: [squid-users] SARG - deny_info problem

2008-02-21 Thread eXtremer

I'm using RedHat 9, and this is the last version of squid
(squid-2.5.STABLE1-3.9.i386) that I found for RH9, If you could tell where
to find the 2.6 version for it I'll appreciate.



Re: [squid-users] DNS-based reverse proxy peer selection, 2.5 vs 2.6

2008-02-21 Thread Amos Jeffries

Sven Edge wrote:
>> From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
>> Sven Edge wrote:
>>> Poking around the source for the squid-2.6.STABLE17 release currently in
>>> Fedora, there appears to be another source of DIRECT_NO besides a
>>> never_direct, in peer_select.c.
>>> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/src/peer_select.c
>>> I've got version 1.131, where there's an if
>>> (request->flags.accelerated) that can cause a DIRECT_NO, but the most
>>> recent version 1.134 has changed that. Not sure what the code's testing
>>> for in either version, but from the commit comment it sounds like up to
>>> now 2.6 was deliberately blocking direct access when in accelerator
>>> mode. 
>>>
>>> Maybe it's just a case of waiting for the next release?
>>
>> Aha, sounds like that yes. Fortunately Stable 18 is out already so if 
>> the change was included there you could use that one.
>> Otherwise the 2.6 daily snapshot should be stable enough to use, just 
>> with a little testing required to be sure of it.
>
> FYI, if
> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid3/src/peer_select.cc
> is where squid 3.0 comes from, that doesn't have the same change
> applied.
>
> Thanks for your help. :)

Ouch. Thanks for noticing that one.
I'll have to check up as to what's going on with that change.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] SARG - deny_info problem

2008-02-21 Thread Amos Jeffries

eXtremer wrote:

> I'm using RedHat 9, and this is the last version of squid
> (squid-2.5.STABLE1-3.9.i386) that I found for RH9, If you could tell where
> to find the 2.6 version for it I'll appreciate.


I don't think there is a 2.6+ RH package. If you find one we'd all like 
to know.  Others have reported that Fedora (FC) packages will run 
without a lot of trouble on RH.


Good luck.
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] a config help

2008-02-21 Thread Amos Jeffries

J. Peng wrote:

> Hello,
>
> My squid hosts have an original server. When the original server get
> down, it will use other siblings for sources.
> this is my config section, is it right? please help,thanks.
>
>
> nonhierarchical_direct off
> prefer_direct on
>
> cache_peer  192.168.1.1 parent 80  0  no-query originserver name=WWW
> cache_peer  192.168.1.2 sibling 80  0  no-query  name=WWW
> cache_peer  192.168.1.3 sibling 80  0  no-query  name=WWW
>
> acl service_www dstdomain   www.site.com  blog.site.com  forum.site.com
> cache_peer_access WWW allow service_www


name=  MUST be unique for each peer.
With matching cache_peer_access for each name=

Otherwise this is correct.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] YAHOO:MSN:GOOGLE

2008-02-21 Thread Amos Jeffries

Tarak Ranjan wrote:

> hi list,
> i have one squid server which is running on FC6 , im using SQUID
> 2.6.STABLE16. that is running fine, not any issue with that, Now i want
> to make SQUID some effective.
> I want my squid proxy should detect
>
> 1) which file users are downloading or uploading
> 2) using Chat [yahoo, msn, google],

IFF client software configured to use HTTP-Proxy protocol.

> which file users are sending or receiving ,

_possibly_ depending on how client software does it. usually not.

> which chat room they are entering ,

No can do, even if client could go through server.
The chat-rooms are IM-protocol data, not HTTP-protocol data.

> time duration of login in messenger .

IFF the client software uses HTTP-Proxy CONNECT methods this can be 
measured from squid transfer-duration records.

side note:
 I have found this to be just under 100% of the time a user has PC 
turned on and plugged into the net. Not useful to detect messenger 
usage, it's _always_ running connected in the background.

> All these i want to track using Squid, has anyone implement those
> stuff . Any help will be really appreciate. or any Link

Step 1) Configure each client IM to use HTTP-Proxy protocol features.

NP:  Windows or MSN messengers, also block the IM protocol ports. IM 
will failover to using port-80 then an IE-configured proxy.

Step 2) check squid access.log

That's ALL you can do in squid.

If you are extremely lucky the client software will do some file up/down 
actions as proper HTTP and you maybe can pass them through an external 
filter.

Squid is an HTTP-proxy. It's simply not written or capable yet as a 
random-internet-traffic monitor.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
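
The access.log check from Step 2, as an added example that is not part of the original message or of Squid: it sums the elapsed time of CONNECT tunnels per client, which is the "transfer-duration" measurement mentioned above. It assumes Squid's native access.log format (second field is elapsed milliseconds); the log lines, addresses and host names are constructed.

```python
"""Sum CONNECT tunnel time per client from native-format access.log lines."""
from collections import defaultdict

# Constructed sample: two clients tunnelling to an IM host, one ordinary GET,
# one tunnel to an unrelated host, and two damaged lines.
SAMPLE_LOG = """\
1203599000.123 5321000 192.168.0.21 TCP_MISS/200 48213 CONNECT messenger.example.net:443 - DIRECT/203.0.113.10 -
1203599100.500     210 192.168.0.21 TCP_MISS/200 1532 GET http://www.example.com/ - DIRECT/203.0.113.20 text/html
1203602000.000 1800000 192.168.0.22 TCP_MISS/200 9000 CONNECT messenger.example.net:443 - DIRECT/203.0.113.10 -
1203605000.000  600000 192.168.0.21 TCP_MISS/200 100 CONNECT im.example.net:443 - DIRECT/203.0.113.11 -
1203605100.000   90000 192.168.0.22 TCP_MISS/200 7000 CONNECT secure.example.org:443 - DIRECT/203.0.113.30 -
1203605200.000 garbage
1203605300.000 - 192.168.0.23 TCP_MISS/200 0 CONNECT im.example.net:443 - DIRECT/203.0.113.11 -
"""


def connect_time_by_client(log_text, host_suffixes):
    """Return {client: {"tunnels", "seconds", "longest"}} for matching CONNECTs.

    Native fields: time elapsed_ms client code/status bytes method URL ...
    For CONNECT the URL field is host:port, so only the host is compared.
    """
    totals = defaultdict(lambda: {"tunnels": 0, "seconds": 0.0, "longest": 0.0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        try:
            seconds = int(fields[1]) / 1000.0
        except ValueError:
            continue  # truncated or corrupt line: skip rather than guess
        host = fields[6].rsplit(":", 1)[0].lower()
        if not any(host == s or host.endswith("." + s) for s in host_suffixes):
            continue
        entry = totals[fields[2]]
        entry["tunnels"] += 1
        entry["seconds"] += seconds
        entry["longest"] = max(entry["longest"], seconds)
    return dict(totals)


if __name__ == "__main__":
    report = connect_time_by_client(SAMPLE_LOG, ("example.net",))
    for client, stats in sorted(report.items()):
        print(client, stats)
```

Only clients that actually use the proxy's CONNECT method appear here; IM traffic on its native ports never reaches access.log.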


[squid-users] Messenger Tracing

2008-02-21 Thread Tarak Ranjan
hi list,
i have one squid server which is running on FC6 , im using SQUID
2.6.STABLE16. that is running fine, not any issue with that, Now i want
to make SQUID some effective.
I want my squid proxy should detect

1) which file users are downloading or uploading
2) using Chat [yahoo, msn, google], which file users are sending or
receiving , which chat room they are entering , time duration of login
in messenger .

All these i want to track using Squid, has anyone implement those
stuff . Any help will be really appreciate. or any Link


Thanks & Regards,

TArak 





Re: [squid-users] strange memory use

2008-02-21 Thread Matus UHLAR - fantomas
On 18.02.08 15:16, J. Peng wrote:
> Storage Mem size:   4404 KB
>
> it said my storage mem size is 4404 KB, though I have set the
> cache_mem size to 1.8 GB in squid.conf:
>
> cache_mem 1800 MB

because memory cache and memory usage are two different things.
see http://wiki.squid-cache.org/SquidFaq/SquidMemory

> Request Hit Ratios:         5min: 99.9%, 60min: 99.9%
> Byte Hit Ratios:            5min: 97.1%, 60min: 98.2%
> Request Memory Hit Ratios:  5min: 22.2%, 60min: 22.0%
> Request Disk Hit Ratios:    5min: 25.9%, 60min: 25.9%
> why request memory hit ratios is so low (about 22%), while squid has
> used so few memory (only 4M)?

your clients are probably downloading much uncacheable objects
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: [squid-users] confused config on default squid.conf

2008-02-21 Thread Amos Jeffries

J. Peng wrote:

Hello members,

Below is the piece from the default squid.conf:


#  TAG: nonhierarchical_direct
#   By default, Squid will send any non-hierarchical requests
#   (matching hierarchy_stoplist or not cacheable request type) direct
#   to origin servers.
#
#   If you set this to off, Squid will prefer to send these
#   requests to parents.
#
#   Note that in most configurations, by turning this off you will only
#   add latency to these request without any improvement in global hit
#   ratio.
#
#   If you are inside an firewall see never_direct instead of
#   this directive.
#
#Default:
# nonhierarchical_direct on

#  TAG: prefer_direct
#   Normally Squid tries to use parents for most requests. If you for some
#   reason like it to first try going direct and only use a parent if
#   going direct fails set this to on.
#
#   By combining nonhierarchical_direct off and prefer_direct on you
#   can set up Squid to use a parent as a backup path if going direct
#   fails.
#
#   Note: If you want Squid to use parents for all requests see
#   the never_direct directive. prefer_direct only modifies how Squid
#   acts on cacheable requests.
#
#Default:
# prefer_direct off


I'm confused about this statement:

#   By combining nonhierarchical_direct off and prefer_direct on you
#   can set up Squid to use a parent as a backup path if going direct
#   fails.


Why it's nonhierarchical_direct off and prefer_direct on?
I think it should be nonhierarchical_direct on and prefer_direct on.

Thanks for the kind helps.


I think you are right. Thank you.

I'll mark this for a double-check and fix if someone else does not get 
to it first.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Proxy intermission issue

2008-02-21 Thread Amos Jeffries

Jeremy Kim wrote:

> Hello,
>
> Our squid proxy works fine most of the time but couple times during the 
> day it would freeze or slow down causing connection to time out or take 
> really long time to get to the website. Then it would be fine again.
>
> I did check the cache logs and there wasn't any warnings about
> median warning time.
>
> Would anyone know what might be the cause of this?  My currently cache 
> space is 95% full but even if I allocate more space on my cache, I still
> have the same problem.
>
> For example my cache space was only 35% full before and I still had this
> problem.
>
> Jeremy



Um, the moon turning blue maybe?

Seriously. There have been more than one release of squid software.
To even guess at such an abstract problem we need to know what version, 
release, and probably some details of your config.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Forwarding HTTP and HTTPS Traffic to an Upstream Proxy using Cache_Peer on separate ports

2008-02-21 Thread Amos Jeffries

Ric Lonsdale wrote:

> Hi,
>
> I am testing a product called Finjan, which is a website
> anti-virus/malicious code checker that potentially blocks websites. I'm
> using Squid.2.6-STABLE-12 on an IBM x345 server, with RedHat ES3.0, and have
> configured the following fields to make the Finjan appliance a parent proxy
> to my Squid setup.

Aha. Excellent.
For the wiki: was there anything, even minor, needed to build squid 2.6 
on RH?

If you are looking at using this in production I'd advise going to 
stable 18 for better security.

> However, the Finjan appliance listens on port 8080 for standard HTTP
> traffic, but listens on 8443 for HTTPS (SSL) traffic, and squid returns the
> following error with this setup.
>
> FATAL: ERROR: cache_peer 10.198.1.2 specified twice
>
> Squid Cache (Version 2.6.STABLE12): Terminated abnormally.
> CPU Usage: 0.006 seconds = 0.001 user + 0.005 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Aborted
>
> cache_peer 10.198.1.2 parent 8080 7 no-query
> cache_peer 10.198.1.2 parent 8443 7 no-query

They need unique name= for squid to tell them apart.

Thanks yourself.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
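
A check for the peer-naming rule given in this reply and in the "a config help" reply earlier on the page (each cache_peer needs its own name=, with a matching cache_peer_access), as an added example that is not code from the list or from Squid. The function name, messages and the "fixed" peer names are constructed; treating an unnamed peer as identified by its host is an assumption drawn from the "specified twice" error quoted above.

```python
"""Lint cache_peer / cache_peer_access lines taken from a squid.conf."""

PEER_TYPES = {"parent", "sibling", "multicast"}

# The two configurations as posted in the threads (whitespace normalised).
PENG_AS_POSTED = """\
cache_peer 192.168.1.1 parent 80 0 no-query originserver name=WWW
cache_peer 192.168.1.2 sibling 80 0 no-query name=WWW
cache_peer 192.168.1.3 sibling 80 0 no-query name=WWW
acl service_www dstdomain www.site.com blog.site.com forum.site.com
cache_peer_access WWW allow service_www
"""
FINJAN_AS_POSTED = """\
cache_peer 10.198.1.2 parent 8080 7 no-query
cache_peer 10.198.1.2 parent 8443 7 no-query
"""
# Constructed corrections: the peer names below are hypothetical.
PENG_FIXED = """\
cache_peer 192.168.1.1 parent 80 0 no-query originserver name=WWW_origin
cache_peer 192.168.1.2 sibling 80 0 no-query name=WWW_sib1
cache_peer 192.168.1.3 sibling 80 0 no-query name=WWW_sib2
acl service_www dstdomain www.site.com blog.site.com forum.site.com
cache_peer_access WWW_origin allow service_www
cache_peer_access WWW_sib1 allow service_www
cache_peer_access WWW_sib2 allow service_www
"""
FINJAN_FIXED = """\
cache_peer 10.198.1.2 parent 8080 7 no-query name=finjan_http
cache_peer 10.198.1.2 parent 8443 7 no-query name=finjan_https
"""


def lint_cache_peers(conf_text):
    """Return sorted (line_number, message) tuples for peer-naming problems."""
    issues = []
    first_use = {}     # effective peer name -> line where it was first defined
    access_lines = {}  # peer name -> first cache_peer_access line naming it

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "cache_peer":
            # Syntax: cache_peer host type http-port icp-port [options]
            if (len(tokens) < 5 or tokens[2] not in PEER_TYPES
                    or not tokens[3].isdigit() or not tokens[4].isdigit()):
                issues.append((lineno, "malformed cache_peer line"))
                continue
            name = tokens[1]  # assumption: an unnamed peer is known by its host
            for opt in tokens[5:]:
                if opt.startswith("name="):
                    name = opt[len("name="):]
            if name in first_use:
                issues.append((lineno, "peer name %r already used on line %d"
                               % (name, first_use[name])))
            else:
                first_use[name] = lineno
        elif tokens[0] == "cache_peer_access" and len(tokens) > 1:
            access_lines.setdefault(tokens[1], lineno)

    for name, lineno in access_lines.items():
        if name not in first_use:
            issues.append((lineno, "cache_peer_access names unknown peer %r" % name))
    if access_lines:  # only expect per-peer rules when the config uses them
        for name, lineno in first_use.items():
            if name not in access_lines:
                issues.append((lineno, "peer %r has no cache_peer_access" % name))
    return sorted(issues)


if __name__ == "__main__":
    for label, text in (("peng", PENG_AS_POSTED), ("finjan", FINJAN_AS_POSTED),
                        ("peng fixed", PENG_FIXED), ("finjan fixed", FINJAN_FIXED)):
        print(label, lint_cache_peers(text))
```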


Re: [squid-users] Squid currently not working.

2008-02-21 Thread Amos Jeffries

Adam Carter wrote:

>> Are you running it as root?
>
> I'd say he is - I have a fedora 8 box (squid is not actually used on
> this box AFAIK);
>
> [EMAIL PROTECTED] ~]$ service squid start
> sed: can't read /etc/squid/squid.conf: Permission denied
> init_cache_dir /var/spool/squid... /etc/init.d/squid: line 68:
> /var/log/squid/squid.out: Permission denied
> Starting squid: /etc/init.d/squid: line 72: /var/log/squid/squid.out:
> Permission denied
>    [FAILED]
> [EMAIL PROTECTED] ~]$ su
> Password: 
> [EMAIL PROTECTED] cartera]# service squid start
>
> init_cache_dir /var/spool/squid... Starting squid: .   [  OK  ]
> [EMAIL PROTECTED] cartera]# 
>
>
> Steve, can you post the output of 'netstat -anp | grep 81' (it should
> find nothing).

Well, in light of the absent common problems. I'm reminded of a long 
debug we did earlier where it turned out to be SELinux issues. Is the 
security setting there protecting the 1024 ports separately.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] YAHOO:MSN:GOOGLE

2008-02-21 Thread Tarak Ranjan

--- Amos Jeffries [EMAIL PROTECTED] wrote:

> Tarak Ranjan wrote:
>> hi list,
>> i have one squid server which is running on FC6 , im using SQUID
>> 2.6.STABLE16. that is running fine, not any issue with that, Now i want
>> to make SQUID some effective.
>> I want my squid proxy should detect
>>
>> 1) which file users are downloading or uploading
>> 2) using Chat [yahoo, msn, google],
>
> IFF client software configured to use HTTP-Proxy protocol.
>
>> which file users are sending or receiving ,
>
> _possibly_ depending on how client software does it. usually not.
>
>> which chat room they are entering ,
>
> No can do, even if client could go through server.
> The chat-rooms are IM-protocol data, not HTTP-protocol data.
>
>> time duration of login in messenger .
>
> IFF the client software uses HTTP-Proxy CONNECT methods this can be 
> measured from squid transfer-duration records.
>
> side note:
>   I have found this to be just under 100% of the time a user has PC 
> turned on and plugged into the net. Not useful to detect messenger 
> usage, its _always_ running connected in the background.
>
>> All these i want to track using Squid, has anyone implement those
>> stuff . Any help will be really appreciate. or any Link
>
> Step 1) Configure each client IM to use HTTP-Proxy protocol features.
>
> NP:  Windows or MSN messengers, also block the IM protocol ports. IM 
> will failover to using port-80 then an IE-configured proxy.
>
> Step 2) check squid access.log
>
> Thats ALL you can do in squid.
>
> If you are extremely lucky the client software will do some file up/down 
> actions as proper HTTP and you maybe can pass them through an external 
> filter.
>
> Squid is an HTTP-proxy. Its simply not written or capable yet as a 
> random-internet-traffic monitor.
>
> Amos

Force fully if i want to connect all the messenger using http proxy,
from the server side, means nothing to change in client . will it
possible

bypass all messenger traffic through SQUID , will it possible ?

Tarak







Re: [squid-users] YAHOO:MSN:GOOGLE

2008-02-21 Thread Amos Jeffries

Tarak Ranjan wrote:

> --- Amos Jeffries [EMAIL PROTECTED] wrote:
>
>> Tarak Ranjan wrote:
>>> hi list,
>>> i have one squid server which is running on FC6 , im using SQUID
>>> 2.6.STABLE16. that is running fine, not any issue with that, Now i want
>>> to make SQUID some effective.
>>> I want my squid proxy should detect
>>>
>>> 1) which file users are downloading or uploading
>>> 2) using Chat [yahoo, msn, google],
>>
>> IFF client software configured to use HTTP-Proxy protocol.
>>
>>> which file users are sending or receiving ,
>>
>> _possibly_ depending on how client software does it. usually not.
>>
>>> which chat room they are entering ,
>>
>> No can do, even if client could go through server.
>> The chat-rooms are IM-protocol data, not HTTP-protocol data.
>>
>>> time duration of login in messenger .
>>
>> IFF the client software uses HTTP-Proxy CONNECT methods this can be 
>> measured from squid transfer-duration records.
>>
>> side note:
>>   I have found this to be just under 100% of the time a user has PC 
>> turned on and plugged into the net. Not useful to detect messenger 
>> usage, its _always_ running connected in the background.
>>
>>> All these i want to track using Squid, has anyone implement those
>>> stuff . Any help will be really appreciate. or any Link
>>
>> Step 1) Configure each client IM to use HTTP-Proxy protocol features.
>>
>> NP:  Windows or MSN messengers, also block the IM protocol ports. IM 
>> will failover to using port-80 then an IE-configured proxy.
>>
>> Step 2) check squid access.log
>>
>> Thats ALL you can do in squid.
>>
>> If you are extremely lucky the client software will do some file up/down 
>> actions as proper HTTP and you maybe can pass them through an external 
>> filter.
>>
>> Squid is an HTTP-proxy. Its simply not written or capable yet as a 
>> random-internet-traffic monitor.
>>
>> Amos
>
> Force fully if i want to connect all the messenger using http proxy,
> from the server side, means nothing to change in client . will it
> possible
>
> bypass all messenger traffic through SQUID , will it possible ?


Redirecting IM ports to squid will result in numerous protocol failures 
for both squid and client IM.


Only the Windows messenger, MSN messenger have hacks to get around that 
AND only if client configured (DHCP? WPAD? maul?) to use proxy for IE anyway.

Still leaves you with minimal control, zero statistical reporting.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Proxy intermission issue

2008-02-21 Thread François Cami
On Wed, 20 Feb 2008 15:12:54 -0500
Jeremy Kim [EMAIL PROTECTED] wrote:

> Our squid proxy works fine most of the time but couple times during the 
> day it would freeze or slow down causing connection to time out or take 
> really long time to get to the website. Then it would be fine again.

You should check that all your DNS servers are working as expected, for
example with the host(1) utility. If they are all OK, please send your
platform, squid version, and relevant configuration to the list, as asked
by Amos too.

François


[squid-users] Error while accessing FTP Squid 2.6 STABLE 16

2008-02-21 Thread Santosh Rani
Hi,

While trying to access FTP through Squid 2.6 STABLE 16, I get an
error. This is the first time that while trying to go to FTP site I
got this error. If I bypass Squid I do not get any error. With best
regards I append the error that I get  is as follows,


ERROR
The requested URL could not be retrieved

An FTP protocol error occurred while trying to retrieve the URL:
ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/windows/

The following FTP command was sent:

PASS yourpassword

and then thhe following reply was received.
Your cache administrator is webmaster.
Generated Thu, 21 Feb 2008 13:03:52 GMT by Dishs (squid/2.6.STABLE16)


[squid-users] FTP access configuration

2008-02-21 Thread Arun Shrimali
Dear All,

I have configured the Squid (with authentication ) and it is working
fine for surfing internet. But whenever client tried to access our ftp
site (which is also password protected), instead of asking for
password it automatic tried the password and give this error

ERROR
The requested URL could not be retrieved

An FTP authentication failure occurred while trying to retrieve the
URL: ftp://72.18.130.105/

Squid sent the following FTP command:

PASS yourpassword

and then received this reply

User anonymous cannot log in.

Your cache administrator is [EMAIL PROTECTED]
Generated Thu, 21 Feb 2008 13:38:07 GMT by localhost.localdomain
(squid/2.6.STABLE4)

-- 

can anybody help me where and what configuration is required ??


Arun


Re: [squid-users] a config help

2008-02-21 Thread J. Peng
Thank you so much Amos.

On Thu, Feb 21, 2008 at 7:14 PM, Amos Jeffries [EMAIL PROTECTED] wrote:

> J. Peng wrote:
>> Hello,
>>
>> My squid hosts have an original server. When the original server get
>> down, it will use other siblings for sources.
>> this is my config section, is it right? please help,thanks.
>>
>>
>> nonhierarchical_direct off
>> prefer_direct on
>>
>> cache_peer  192.168.1.1 parent 80  0  no-query originserver name=WWW
>> cache_peer  192.168.1.2 sibling 80  0  no-query  name=WWW
>> cache_peer  192.168.1.3 sibling 80  0  no-query  name=WWW
>>
>> acl service_www dstdomain   www.site.com  blog.site.com  forum.site.com
>> cache_peer_access WWW allow service_www
>
> name=  MUST be unique for each peer.
> With matching cache_peer_access for each name=
>
> Otherwise this is correct.
>
> Amos
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.



Re: [squid-users] v2.6. Dynamic ACL time management

2008-02-21 Thread Serj A. Androsov
Thanks for your advice, I'll think about that.

Serg

Amos Jeffries wrote:
> Serj A. Androsov wrote:
>> Good time of the day, Amos
>>
>> I know about time acl's and it's format.
>> Really it's problem to avoid rewriting/reconfiguring of the squid.conf
>> and perform really dynamic time management.
>>
>> I think I can write an external acl perl script, which receive %src and
>> check it legits (time regions) in mysql database (stored procedure) or
>> file, but I really don't know how it's may degrade performance of squid,
>> as you know we have ~3k users and it must be for about 30s-1m TTL for
>> that ACL.
>
> Squid does have configurable TTL for caching of external acl results.
> Even without that I have not found any noticeable delays on a moderately
> slow server with external acls. I do two complicated auth ACL scripts
> _every_ request that involve remote MySQL lookup and remote ICMP or
> rDNS. Squid response time is still within 0.1 seconds.
>
> Amos
>
>> -- 
>> Serj
>>
>> Amos Jeffries wrote:
>>>> Hello there,
>>>>
>>>> Is there ways to perform a dynamic time management for several src's
>>>> net?
>>>>
>>>> The problem is:
>>>> A couple of subnets (stored in MySQL database)
>>>> A couple of internet access time acl's (also stored in MySQL database).
>>>> Also there are links between src's and time templates.
>>>>
>>>> I need ways for scripting or some other dynamic organization of acl
>>>> like
>>>> this:
>>>>
>>>> acl time1 timedef
>>>> acl time2 timdef2
>>>>
>>>> acl src1 srcdef
>>>> acl src2 srcdef2
>>>>
>>>> http_access allow src1 time1
>>>> http_access allow src2 time2
>>>>
>>>> Be glad to any advice.
>>>
>>> http://www.squid-cache.org/Versions/v2/2.6/cfgman/acl.html
>>>
>>> Look for 'time'
>>>
>>> Amos
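
The external ACL approach discussed in this thread, as an added example that is not code from either poster: a helper that receives %SRC on stdin and answers OK or ERR according to per-subnet time windows. The RULES table is constructed and stands in for the MySQL tables; the helper path and ACL names in the comment are hypothetical.

```python
"""Squid external ACL helper: allow a client by source subnet and time of day.

Hypothetical squid.conf wiring (ttl= is the result caching mentioned above):
    external_acl_type time_gate ttl=60 negative_ttl=30 %SRC /usr/local/bin/time_gate.py
    acl in_hours external time_gate
    http_access allow in_hours
"""
import ipaddress
import sys
from datetime import datetime, time

# Constructed rules: (subnet, weekdays with Monday=0, window start, window end)
RULES = [
    ("10.1.0.0/24", {0, 1, 2, 3, 4}, time(8, 0), time(18, 0)),
    ("10.2.0.0/24", {0, 1, 2, 3, 4, 5, 6}, time(22, 0), time(6, 0)),  # wraps midnight
]


def in_window(now, days, start, end):
    """True when `now` falls inside the weekly window."""
    t = now.time()
    if start <= end:
        return now.weekday() in days and start <= t < end
    # Window wraps past midnight: the early-morning part belongs to the
    # day on which the window opened.
    if t >= start:
        return now.weekday() in days
    return t < end and (now.weekday() - 1) % 7 in days


def decide(src, now, rules=RULES):
    """Return "OK" or "ERR" for one source address at one moment."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"  # fail closed on anything that is not an IP address
    for subnet, days, start, end in rules:
        if addr in ipaddress.ip_network(subnet) and in_window(now, days, start, end):
            return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, clock=datetime.now):
    """Answer one line per request line, as Squid expects from a helper."""
    for line in stdin:
        fields = line.split()
        stdout.write(decide(fields[0] if fields else "", clock()) + "\n")
        stdout.flush()  # Squid blocks on each answer, so never buffer


if __name__ == "__main__":
    serve()
```

Loading RULES from the database once at start-up, or on a timer, keeps the per-request path free of queries; the ttl= value then bounds how long a stale answer can be reused.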


 
 



[squid-users] cannot auth win 2003 users with squid ldap_auth

2008-02-21 Thread Sheldon Carvalho
Hi, I was trying to setup squid on fc7. Version 2.6.STABLE16. I have a
domain setup in win 2003 server with about 20 users (abcgroup.local),
the IP address of the domain controller being 192.168.10.3. I have a
group(abcgroup), which has 3 companies.(Cmp1, Cmp2, Cmp3) Now, I am
setting all this up assuming I could use the squid_ldap_auth param to
query the domain to authenticate the user without installing a ldap
server on the DC. I tried to research on openLdap but I am not sure if
I should be using it on the win server.

I am pretty new to using server 2003 and using squid for the first
time. I'm not quite sure if the domain controller should have ldap
setup by default OR if I will have to install it (openLdap) to get the
squid proxy to authenticate the user. (I am trying a transparent auth
so that I could view the logs in SARG such that I know which user
logged in and accessed which web site)


This is the authentication part of squid.conf.


auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
dc=abcgroup,dc=local -D
cn=Administrator,cn=Users,dc=abcgroup,dc=local -w password -f
sAMAccountName=%s -h 192.168.10.3
auth_param basic children 5
auth_param basic realm Vanderpolgroup.local
auth_param basic credentialsttl 5 minutes


I tried to use the squid_ldap_auth as a terminal command but it gave
me an output. ERR every time I hit the return key. Which is why, I am
assuming that I cannot access the domain controller OR it's not sending a query.
I also tried using the ldap browser which does not display the entire
tree that I have setup on
the DC.


I don't know if this information is enough. But if anyone can help me
out it will be great. I am doing this as part of a school project.

Thanks
Sheldon


[squid-users] Squid-2.7, youtube windowsupdate caching

2008-02-21 Thread Odhiambo Washington
Hi All,

Out of curiosity, I am driven to test squid-2.7 for its ability to
cache youtube and windowsupdate.
I have already installed it alongside my Squid-3.0.1 and it's now in service.
I am more interested in the windowsupdate caching than youtube though
as you can all guess.
I have followed the wiki entry for youtube caching and will start
testing that to see how it happens:-)
There was a recent mention of some changes to the wiki entry relating
to url changes of youtube server -
http://www1.no.squid-cache.org/mail-archive/squid-users/200802/0282.html.
Could this have been reflected in the wiki?

Has anyone done something they'd like to share as regards caching windowsupdate?

Thanks in advance
Odhiambo Washington
Nairobi, KENYA

On 2/21/08, Sheldon Carvalho [EMAIL PROTECTED] wrote:
 Hi, I was trying to setup squid on fc7. Version 2.6.STABLE16. I have a
 domain setup in win 2003 server with about 20 users (abcgroup.local),
 the IP address of the domain controller being 192.168.10.3. I have a
 group(abcgroup), which has 3 companys.(Cmp1, Cmp2, Cmp3) Now, I am
 setting all this up assuming I could use the squid_ldap_auth param to
 query the domain to authenticate the user without installing a ldap
 server on the DC. I tried to research on openLdap but I am not sure if
 I sould be using it on the win server.

 I am pretty new to using server 2003 and using squid for the first
 time. I'm not quite sure if the domain controller should have ldap
 setup by default OR if I will have to install it (openLdap) to get the
 squid proxy to authenticate the user. (I am trying a transparent auth
 so that I could view the logs in SARG such that I know which user
 logged in and accessed which web site)


 This is the authentication part of squid.conf.


 auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
 dc=abcgroup,dc=local -D
 cn=Administrator,cn=Users,dc=abcgroup,dc=local -w password -f
 sAMAccountName=%s -h 192.168.10.3
 auth_param basic children 5
 auth_param basic realm Vanderpolgroup.local
 auth_param basic credentialsttl 5 minutes


 I tried to use the squid_ldap_auth as a terminal command but it gave
 me an output. ERR everytime I hit the return key. Which is why, I am
 assuming that I cannot access the domain controller OR its not sending a
 query.
 I also tried using the ldap browser which does not display the entire
 tree that I have setup on
 the DC.


 I don't know if this information is enough. But if anyone can help me
 out it will be great. I am doing this as part of a school project.

 Thanks
 Sheldon


-- 
Sent from Gmail for mobile | mobile.google.com

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Oh My God! They killed init! You Bastards!
--from a /. post


[squid-users] problem with wccp v2 and cisco

2008-02-21 Thread Ritter, Nicholas
I am trying to setup an HTTP-only WCCP v2 redirection via Cisco 2811
router to a Linux-based Squid 2.6 box. The problem is that there is no
content showing up in the squid access log, and web connections are slow
and often timeout. I have done some research on the net and checked some
things that were noted by peoples posts, but I am still a bit stumped.
The router shows WCCP status as good in that the router and the cache
server see each other, and there appears to be redirection occurring
because 'sh ip wccp' on the router shows it, and a tcpdump session on
the web cache server sees it. The router and the web cache appliance are
layer 2 adjacent to each other, and on the same ip subnet, but the cache
server is connected via a Cisco EtherSwitch module installed in the 2811
router, and the clients being redirected to the cache server are hanging
off a different ip subnet and different layer 2 segment.
 
I also notice that the wccp2 GRE tunnel I setup on the Linux box shows
traffic in only one direction. I suspect that at least part of my
problem is that I have setup the GRE tunnel wrong. I also read that WCCP
functionality is buggy in various Cisco IOS versions, I have tried to
figure out if the IOS version I am using is a buggy one. I attempted to
use the same IOS version as is in use on a Cisco WAAS 2811 router, which
is 12.4(9) but the closest I could get to that was 12.4(10c) 12.4(15)T3
exhibited the same problems. 
 
I have provided information below on my setup, can someone please
provide me with some information that can help to figure out what I am
doing wrong?
 
 
 
 
ROUTER INFO

---
Router: Cisco 2811 running c2800nm-advsecurityk9-mz.124-10c
WCCP version: 2
 
#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   IIP censored
Protocol Version:2.0
 
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:4285
  Process:   0
  Fast:  0
  CEF:   4285
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0
 
Other router configure directives:
 
Clients using cache server on FastEthernet 0/0.1
Squid server is directly connected to FastEthernet 0/2/0
 
WCCP router config directives:
ip wccp web-cache
ip wccp web-cache version 2
interface fastethernet0/0.1
ip wccp web-cache redirect in
 
 
SQUID INFO

---
Squid platform: CentOS 5.1 on x86_64
Squid version: CentOS bundled RPM which is squid-2.6.STABLE6-5.el5_1.2
 
Squid is set for transparent mode and to listen on port 80 and port
3128. The host based firewall is disabled, because I don't need redirect
to 3128 from 80. (Could this be a problem, do I need iptables mangling
of some sort?)
 
squid.conf directives:
http_port 80 transparent
http_port 3128 transparent
wccp2_router <router IP as noted in Cisco sh ip wccp router identifier>
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
 
 
CENTOS Linux OS INFO

---
CentOS 5.1 x86_64 on Intel Core 2 Duo
Kernel is custom compiled, version 2.6.23
 
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
/bin/echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
/sbin/modprobe ip_gre
/sbin/ip tunnel add wccp2 mode gre remote <ip of Cisco router identifier as listed in the sh ip wccp command> local <same ip as eth0> dev eth0
/sbin/ifconfig wccp2 <same ip as eth0> netmask 255.255.255.255 up
 
 
ifconfig output from CentOS box:
 
eth0  Link encap:Ethernet  HWaddr 00:30:1B:44:7F:11  
  inet addr:IP censored  Bcast:info censored
Mask:255.255.240.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:38474 errors:0 dropped:0 overruns:0 frame:0
  TX packets:38245 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:6402032 (6.1 MiB)  TX bytes:5488603 (5.2 MiB)
  Interrupt:19 
 
lo        Link encap:Local Loopback  
  inet addr:127.0.0.1  Mask:255.0.0.0
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0 
  RX bytes:0 

Re: [squid-users] problem with wccp v2 and cisco

2008-02-21 Thread Adrian Chadd
G'day,

* Yes you still need iptables to redirect packets going to arbitrary 
destinations
  into Squid running on a port.

* Traffic will only flow over the GRE tunnel one way - from the router to the
  cache.


On Thu, Feb 21, 2008, Ritter, Nicholas wrote:
 I am trying to setup an HTTP-only WCCP v2 redirection via Cisco 2811
 router to a Linux-based Squid 2.6 box. The problem is that there is no
 content showing up in the squid access log, and web connections are slow
 and often timeout. I have done some research on the net and checked some
 things that were noted by people's posts, but I am still a bit stumped.
 The router shows WCCP status as good in that the router and the cache
 server see each other, and there appears to be redirection occurring
 because 'sh ip wccp' on the router shows it, and a tcpdump session on
 the web cache server sees it. The router and the web cache appliance are
 layer 2 adjacent to each other, and on the same ip subnet, but the cache
 server is connected via a Cisco EtherSwitch module installed in the 2811
 router, and the clients being redirected to the cache server are hanging
 off a different ip subnet and different layer 2 segment.
  
 I also notice that the wccp2 GRE tunnel I setup on the Linux box shows
 traffic in only one direction. I suspect that at least part of my
 problem is that I have setup the GRE tunnel wrong. I also read that WCCP
 functionality is buggy in various Cisco IOS versions, I have tried to
 figure out if the IOS version I am using is a buggy one. I attempted to
 use the same IOS version as is in use on a Cisco WAAS 2811 router, which
 is 12.4(9) but the closest I could get to that was 12.4(10c) 12.4(15)T3
 exhibited the same problems. 
  
 I have provided information below on my setup, can someone please
 provide me with some information that can help to figure out what I am
 doing wrong?
  
  
  
  
 ROUTER INFO
 
 ---
 Router: Cisco 2811 running c2800nm-advsecurityk9-mz.124-10c
 WCCP version: 2
  
 #sh ip wccp
 Global WCCP information:
 Router information:
 Router Identifier:   IIP censored
 Protocol Version:2.0
  
 Service Identifier: web-cache
 Number of Service Group Clients: 1
 Number of Service Group Routers: 1
 Total Packets s/w Redirected:4285
   Process:   0
   Fast:  0
   CEF:   4285
 Redirect access-list:-none-
 Total Packets Denied Redirect:   0
 Total Packets Unassigned:0
 Group access-list:   -none-
 Total Messages Denied to Group:  0
 Total Authentication failures:   0
 Total Bypassed Packets Received: 0
  
 Other router configure directives:
  
 Clients using cache server on FastEthernet 0/0.1
 Squid server is directly connected to FastEthernet 0/2/0
  
 WCCP router config directives:
 ip wccp web-cache
 ip wccp web-cache version 2
 interface fastethernet0/0.1
 ip wccp web-cache redirect in
  
  
 SQUID INFO
 
 ---
 Squid platform: CentOS 5.1 on x86_64
 Squid version: CentOS bundled RPM which is squid-2.6.STABLE6-5.el5_1.2
  
 Squid is set for transparent mode and to listen on port 80 and port
 3128. The host based firewall is disabled, because I don't need redirect
 to 3128 from 80. (Could this be a problem, do I need iptables mangling
 of some sort?)
  
 squid.conf directives:
 http_port 80 transparent
 http_port 3128 transparent
 wccp2_router <router IP as noted in Cisco sh ip wccp router identifier>
 wccp2_rebuild_wait on
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
 wccp2_service standard 0
  
  
 CENTOS Linux OS INFO
 
 ---
 CentOS 5.1 x86_64 on Intel Core 2 Duo
 Kernel is custom compiled, version 2.6.23
  
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
 /bin/echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
 /bin/echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
 /sbin/modprobe ip_gre
 /sbin/ip tunnel add wccp2 mode gre remote <ip of Cisco router identifier as listed in the sh ip wccp command> local <same ip as eth0> dev eth0
 /sbin/ifconfig wccp2 <same ip as eth0> netmask 255.255.255.255 up
  
  
 ifconfig output from CentOS box:
  
 eth0  Link encap:Ethernet  HWaddr 00:30:1B:44:7F:11  
   inet addr:IP censored  Bcast:info censored
 Mask:255.255.240.0
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:38474 errors:0 dropped:0 overruns:0 frame:0
   TX packets:38245 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000 
   RX bytes:6402032 (6.1 

[squid-users] YAHOO:MSN:GOOGLE

2008-02-21 Thread Tarak Ranjan
hi list,
I have one squid server which is running on FC6; I'm using SQUID
2.6.STABLE16. It is running fine, with no issues. Now I want
to make SQUID more effective.
I want my squid proxy to detect:

1) which files users are downloading or uploading
2) when using chat [yahoo, msn, google], which files users are sending or
receiving, which chat rooms they are entering, and the duration of their
messenger logins.

I want to track all of these using Squid. Has anyone implemented
this? Any help, or any link, will be really appreciated.


Thanks & Regards,

TArak




Re: [squid-users] FTP access configuration

2008-02-21 Thread Amos Jeffries
 Dear All,

 I have configured the Squid (with authentication ) and it is working
 fine for surfing internet. But whenever client tried to access our ftp
 site (which is also password protected), instead of asking for
 password it automatic tried the password and give this error

 ERROR
 The requested URL could not be retrieved

 An FTP authentication failure occurred while trying to retrieve the
 URL: ftp://72.18.130.105/

 Squid sent the following FTP command:

 PASS yourpassword

 and then received this reply

 User anonymous cannot log in.

 Your cache administrator is [EMAIL PROTECTED]
 Generated Thu, 21 Feb 2008 13:38:07 GMT by localhost.localdomain
 (squid/2.6.STABLE4)

 --

 can anybody help me where and what configuration is required ??


Clients need to send their ftp login as part of the URL for proxied
connections.
ie.   ftp://user:[EMAIL PROTECTED]/

You may also be able to use:
  ftp_user user:pass@

BUT, if that worked it would have the same login for all users going
through squid.

Amos




Re: [squid-users] YAHOO:MSN:GOOGLE

2008-02-21 Thread Tarak Ranjan
On Fri, 2008-02-22 at 00:27 +1300, Amos Jeffries wrote:
 Tarak Ranjan wrote:
  hi list,
  i have one squid server which is running on FC6 , im
  using SQUID
  2.6.STABLE16. that is running fine, not any issue with
  that, Now i want
  to make SQUID some effective.
  I want my squid proxy should detect
  
  1) which file users are downloading or uploading
  2) using Chat [yahoo, msn, google],
 
 IFF client software configured to use HTTP-Proxy protocol.
 
  which file users
  are sending or
  receiving ,
 
 _possibly_ depending on how client software does it. usually not.
 
  which chat room they are entering ,
 
 No can do, even if client could go through server.
 The chat-rooms are IM-protocol data, not HTTP-protocol data.
 
   time
  duration of login
  in messenger .
 
 IFF the client software uses HTTP-Proxy CONNECT methods this can be 
 measured from squid transfer-duration records.
 
 side note:
   I have found this to be just under 100% of the time a user has PC 
 turned on and plugged into the net. Not useful to detect messenger 
 usage, its _always_ running connected in the background.
 
  
  All these i want to track using Squid, has anyone
  implement those
  stuff . Any help will be really appreciate. or any
  Link
  
 
 Step 1) Configure each client IM to use HTTP-Proxy protocol features.
 
 NP:  Windows or MSN messengers, also block the IM protocol ports. IM 
 will failover to using port-80 then an IE-configured proxy.
 
 Step 2) check squid access.log
 
 Thats ALL you can do in squid.
 
 If you are extremely lucky the client software will do some file up/down 
 actions as proper HTTP and you maybe can pass them through an external 
 filter.
 
 Squid is an HTTP-proxy. Its simply not written or capable yet as a 
 random-internet-traffic monitor.
 
 Amos
If I want to forcefully connect all the messengers through the HTTP proxy
from the server side, meaning nothing changes on the client, will it be
possible?

Bypass all messenger traffic through SQUID, will it be possible?

Tarak




[squid-users] Reverse proxy woes

2008-02-21 Thread Anthony Tonns
I'm running a reverse proxy on CentOS5 with squid-2.6.STABLE6-5.el5_1.2
(RHEL RPM) and running into some odd issues. I have a stack setup like
this:

Squid (port 80) -> apache (port ) -> Resin (port 8080)

It's caching images/static files served from the apache level like a
champ, but it's having intermittent problems caching dynamically
generated content. The apache -> Resin connector is mod_proxy_http with
the force-proxy-request-1.0 hack in-place. Apache is 2.2.8, Resin
3.1.3, all running on the same box - Linux devserver01 2.6.18-53.1.4.el5
#1 SMP Fri Nov 30 00:45:55 EST 2007 x86_64 x86_64 x86_64 GNU/Linux.

Running once a second a curl command like:

curl -b /tmp/cj -c /tmp/cj -s -v -o/dev/null http://www.example.com/index.html

I'll get this response dozens/hundreds of times (i.e. a MISS):

* About to connect() to www.example.com port 80
*   Trying 192.168.80.223... connected
* Connected to www.example.com (192.168.80.223) port 80
> GET /index.html HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: www.example.com
> Accept: */*
> Cookie: JSESSIONID=abciW-MVH28Db_ekbG5Gr

< HTTP/1.0 200 OK
< Date: Thu, 21 Feb 2008 23:31:55 GMT
< Server: Resin/3.1.3
< Cache-Control: max-age=60, must-revalidate, proxy-revalidate
< Expires: Thu, 21 Feb 2008 23:32:54 GMT
< Content-Type: text/html; charset=iso-8859-1
< X-Cache: MISS from devserver01.example.com
< X-Cache-Lookup: MISS from devserver01.example.com:80
< Via: 1.0 devserver01.example.com:80 (squid)
< Connection: close
* Closing connection #0

But then all of a sudden I'll get this for a minute as the Age counter
increments up to max-age, 60:

* About to connect() to www.example.com port 80
*   Trying 192.168.80.223... connected
* Connected to www.example.com (192.168.80.223) port 80
> GET /index.html HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: www.example.com
> Accept: */*
> Cookie: JSESSIONID=abciW-MVH28Db_ekbG5Gr

< HTTP/1.0 200 OK
< Date: Thu, 21 Feb 2008 23:31:55 GMT
< Server: Resin/3.1.3
< Cache-Control: max-age=60, must-revalidate, proxy-revalidate
< Expires: Thu, 21 Feb 2008 23:32:54 GMT
< Content-Type: text/html; charset=iso-8859-1
< Age: 2
< X-Cache: HIT from devserver01.example.com
< X-Cache-Lookup: HIT from devserver01.example.com:80
< Via: 1.0 devserver01.example.com:80 (squid)
< Connection: close
* Closing connection #0

and then it will go back to an un-cached, MISS state for dozens/hundreds
of requests.

Given the Cache-Control / Expires headers, shouldn't Squid be caching
this every single time for sixty seconds?

Tony

P.S. The site involved here gets hundreds/thousands of hits per second
for these pages, so caching for 60 seconds is a big win. We'll extend
cache times as required... once it's working.


[squid-users] Re: cannot auth win 2003 users with squid ldap_auth

2008-02-21 Thread Alan Walker

Hi Sheldon,

When you run squid_ldap_auth by itself, it should sit there with no prompt.  At
this point you would type a username and password (separated by a space, such as
administrator password) and if it exists (or at least if the search is
successful), you should see OK.  If the search did not find that
username/password you see ERR, so you may have it already there.

Your details look basically OK. I found that when I had the -D details wrong I
would get messages such as credentials invalid

Alan.







[squid-users] Grouping the delay_pool access

2008-02-21 Thread Yong Bong Fong

Dear friends,
 
   I have a 512kb ADSL link. I tried to implement delay_pools on my
users, but apparently after I apply the configuration, even general
surfing seems to slow down significantly. I thought the delay_pools
should only affect their downloading speed, but it seems general
surfing gets affected. My configuration is as follows:


delay_pools 2 #setup two delay pools
delay_class 1 2 #delay pool 1 is a class 2
delay_class 2 3 #delay pool 2 is a class 3
delay_parameters 1 64000/64000 16000/32000
delay_parameters 2 64000/64000 5/5 45000/45000
delay_access 1 allow all
delay_access 2 allow all

I tried not to provide the entire 512kb link to squid because the link
is also used by our email service. So if I'm not mistaken, I should adjust
the aggregate allocation from 64000 to something lower?
And my problem now is, what configuration is affecting my general
surfing speed?


   The other issue is, I want some directors to be unrestricted from the
delay_pools restriction. Do I just create a group and set up a delay
class 1 allocating the full ADSL bandwidth for them as follows:

delay_class 3 1 #delay pool 2 be a class 1 delay pool
delay_parameters 3 64000/64000
delay_access 3 allow directors_group
delay_access 3 deny all


Hopefully can help me with this, thanks for taking time reading my question!

regards
Yong
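
An added example, not part of the original post: `delay_parameters` takes one restore/maximum pair per bucket of the pool's class, with the restore rate in bytes per second, and pool numbers run from 1 to the `delay_pools` count. This sketch audits the directives posted above for both points and converts each refill rate to kbit/s; the function names and `DELAY_CONF` are assumptions of the example.

```python
# Bucket names per delay pool class, in the order delay_parameters lists them.
CLASS_BUCKETS = {
    1: ("aggregate",),
    2: ("aggregate", "individual"),
    3: ("aggregate", "network", "individual"),
}

# Constructed sample: the delay pool directives from the post above gathered
# into one file (delay_access lines left out).
DELAY_CONF = """\
delay_pools 2 #setup two delay pools
delay_class 1 2 #delay pool 1 is a class 2
delay_class 2 3 #delay pool 2 is a class 3
delay_parameters 1 64000/64000 16000/32000
delay_parameters 2 64000/64000 5/5 45000/45000
delay_class 3 1
delay_parameters 3 64000/64000
"""


def parse_delay_pools(conf_text):
    """Return (declared_count, {pool: class}, {pool: [(restore, maximum), ...]})."""
    declared, classes, params = 0, {}, {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # this parser drops trailing comments
        if not fields:
            continue
        if fields[0] == "delay_pools":
            declared = int(fields[1])
        elif fields[0] == "delay_class":
            classes[int(fields[1])] = int(fields[2])
        elif fields[0] == "delay_parameters":
            params[int(fields[1])] = [
                tuple(int(n) for n in pair.split("/")) for pair in fields[2:]
            ]
    return declared, classes, params


def kbit_per_s(restore):
    """Restore rates are bytes per second; -1 means unlimited (returned as None)."""
    return None if restore < 0 else restore * 8 / 1000


def audit(conf_text):
    """Return (rates, issues): refill rate per bucket in kbit/s, and config problems."""
    declared, classes, params = parse_delay_pools(conf_text)
    rates, issues = {}, []
    for pool in sorted(set(classes) | set(params)):
        if pool > declared:
            issues.append(f"pool {pool} is used but delay_pools declares only {declared}")
        buckets = CLASS_BUCKETS.get(classes.get(pool))
        if buckets is None:
            issues.append(f"pool {pool} has no valid delay_class")
            continue
        pairs = params.get(pool, [])
        if len(pairs) != len(buckets):
            issues.append(f"pool {pool} needs {len(buckets)} pairs, has {len(pairs)}")
            continue
        rates[pool] = {
            name: kbit_per_s(restore) for name, (restore, _maximum) in zip(buckets, pairs)
        }
    return rates, issues


if __name__ == "__main__":
    pool_rates, problems = audit(DELAY_CONF)
    for pool, buckets in pool_rates.items():
        print(f"pool {pool}: {buckets}")
    for problem in problems:
        print("ISSUE:", problem)
```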



Re: [squid-users] Squid currently not working.

2008-02-21 Thread Steve Billig
Yes I am running in root. That is shown in this print out. This is
what is printed out by the netstat command.

[EMAIL PROTECTED] ~]# netstat -anp | grep 81


Re: [squid-users] Squid currently not working.

2008-02-21 Thread Indunil Jayasooriya
  So now I am currently in the jam of finding out why it is currently
  not working correctly.

  Any help is greatly appreciated.

May I look at your rules in squid.conf file?

and also the output of below command

 ps aux |grep squid


-- 
Thank you
Indunil Jayasooriya


[squid-users] subdomain error

2008-02-21 Thread J. Peng
Hello,

My squid for reverse proxy has the config like:

cache_peer 172.23.147.30  parent  80  0  no-query originserver name=RES
acl service_res dstdomain res.mail.xx.com res_css.mail.xx.com res_js.mail.xx.com res_img.mail.xx.com res-css.mail.xx.com res-css.mail.xx.com res-js.mail.xx.com res-img.mail.xx.com
acl service_res dstdomain r7.mail.xx.com r7_css.mail.xx.com r7_js.mail.xx.com r7_img.mail.xx.com r7-css.mail.xx.com r7-js.mail.xx.com r7-img.mail.xx.com
cache_peer_access RES allow service_res


When I stop and start Squid I get these warnings on screen:

2008/02/22 14:44:35| WARNING: 'res-css.mail.xx.com' is a subdomain of 'res-css.mail.xx.com'
2008/02/22 14:44:35| WARNING: because of this 'res-css.mail.xx.com' is ignored to keep splay tree searching predictable
2008/02/22 14:44:35| WARNING: You should probably remove 'res-css.mail.xx.com' from the ACL named 'service_res'


My squid seems to work well though. But why did this happen? thanks.
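
An added example, not part of the original post: Squid prints this warning when two values of one `dstdomain` ACL are identical or when a leading-dot entry already covers another, and in the posted ACL `res-css.mail.xx.com` is listed twice. The check below finds such pairs before Squid is restarted; the function names are assumptions of the example, and it only reads values written inline on `acl` lines.

```python
from collections import defaultdict

# Constructed sample modelled on the posted ACL (e-mail line wraps joined, list
# shortened); the ".img" pair on the second acl line is invented to show the
# leading-dot case.
SAMPLE_CONF = """\
cache_peer 172.23.147.30 parent 80 0 no-query originserver name=RES
acl service_res dstdomain res.mail.xx.com res_css.mail.xx.com res-css.mail.xx.com res-css.mail.xx.com
acl service_res dstdomain r7.mail.xx.com r7-css.mail.xx.com .img.mail.xx.com r7.img.mail.xx.com
cache_peer_access RES allow service_res
"""


def covers(a, b):
    """True if dstdomain value `a` matches every host that value `b` names."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if a.startswith("."):
        # ".example.com" matches example.com itself and every host below it.
        return b.lstrip(".") == a[1:] or b.endswith(a)
    return False


def dstdomain_acls(conf_text):
    """Collect (value, line number) per ACL name; repeated 'acl NAME' lines accumulate."""
    acls = defaultdict(list)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "dstdomain":
            acls[fields[1]].extend((value, lineno) for value in fields[3:])
    return acls


def find_overlaps(conf_text):
    """Return (acl, redundant_value, its_line, covering_value, its_line) tuples."""
    findings = []
    for name, entries in dstdomain_acls(conf_text).items():
        for i, (later, later_line) in enumerate(entries):
            for earlier, earlier_line in entries[:i]:
                if covers(earlier, later):
                    findings.append((name, later, later_line, earlier, earlier_line))
                elif covers(later, earlier):
                    findings.append((name, earlier, earlier_line, later, later_line))
    return findings


if __name__ == "__main__":
    for acl, value, line, other, other_line in find_overlaps(SAMPLE_CONF):
        print(f"acl {acl}: '{value}' (line {line}) is already matched by "
              f"'{other}' (line {other_line})")
```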


Re: [squid-users] FTP access configuration

2008-02-21 Thread Arun Shrimali
On Fri, Feb 22, 2008 at 4:47 AM, Amos Jeffries [EMAIL PROTECTED] wrote:

  Dear All,
  
   I have configured the Squid (with authentication ) and it is working
   fine for surfing internet. But whenever client tried to access our ftp
   site (which is also password protected), instead of asking for
   password it automatic tried the password and give this error
  
   ERROR
   The requested URL could not be retrieved
  
   An FTP authentication failure occurred while trying to retrieve the
   URL: ftp://72.18.130.105/
  
   Squid sent the following FTP command:
  
   PASS yourpassword
  
   and then received this reply
  
   User anonymous cannot log in.
  
   Your cache administrator is [EMAIL PROTECTED]
   Generated Thu, 21 Feb 2008 13:38:07 GMT by localhost.localdomain
   (squid/2.6.STABLE4)
  
   --
  
   can anybody help me where and what configuration is required ??
  

  Clients need to send their ftp login as part of the URL for proxied
  connections.
  ie.   ftp://user:[EMAIL PROTECTED]/

  You may also be able to use:
   ftp_user user:pass@

  BUT, if that worked it would have the same login for all users going
  through squid.

  Amos




Is there any way for the browser to pop up a prompt for the username and
password? The said method discloses the password to all, and that could be
a security issue ...

Arun