Re: [squid-users] Authentication Hack
On Mon, Mar 3, 2008 at 7:24 PM, Michael Graham wrote:
> I think I missed a line out, try:
>
>     external_acl_type ipauth %SRC /usr/local/squid/libexec/checkip
>     acl ipauthACL external ipauth        # -- This creates the ACL
>     http_access allow ipauthACL

Hi Michael,

Thank you for your patience. Of course! The acl hadn't been declared! Still, I wasn't really aware of the external argument for acl :?

However, Squid returns this in my /usr/local/squid/var/logs/cache.log:

    2008/03/04 10:07:24| Ready to serve requests.
    2008/03/04 10:07:24| WARNING: ipauth #1 (FD 7) exited
    2008/03/04 10:07:24| WARNING: ipauth #2 (FD 8) exited
    2008/03/04 10:07:24| WARNING: ipauth #3 (FD 9) exited
    2008/03/04 10:07:24| Too few ipauth processes are running
    FATAL: The ipauth helpers are crashing too rapidly, need help!

My Perl script is pretty simple: it just checks for the existence of a file with the name of the user's IP. If the file exists, the user has authenticated; if not, he needs to log in.

    #!/usr/bin/perl -w
    $| = 1;
    if (-e '/var/www/apache2-default/cgi-bin/ips/'.$_) {print OK;} else {print ERR;}

(I'm assuming that squid places the user's IP onto the STDIN and I don't have to pass the IP address from the squid.conf file).
Re: RS: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found
Hi Elvar,

I tried your suggestion (thanks, by the way) but it didn't work. I have (at last!) succeeded in uninstalling Ubuntu and replacing it with CentOS 5.1, which has Samba version 3.0.25b-1.el5_1.4 and Squid 2.6stable18.

Thanks.

On Sat, 23 Feb 2008 at 05:51 -0600, Elvar wrote:
> This is what I got from someone on the samba list just a few days ago...
>
>   Right now you'll have to change the definition of
>   WINBINDD_MAX_SIMULTANEOUS_CLIENTS in include/local.h from 200 to a
>   higher number and recompile. I'll look into parameterizing this for
>   3.2 and later.
>
> I did this and changed mine to 400 and since recompiling / reinstalling I haven't had a problem.
>
> Kind regards,
> Elvar
>
> Francisco Martinez Espadas wrote:
> > Hello,
> > I've upgraded to Squid 2.6stable18, but I'm still having the same problem. Samba and Winbind version are 3.0.24. The OS is Ubuntu 7.04.
> > Any idea about what's going on?
> > thanks
> >
> > On Mon, 21 Jan 2008 at 12:23 +0100, Francisco Martinez Espadas wrote:
> > > Hello,
> > > I'm using squid 2.5stable14 because I'm using Websense as web filter. As far as I know, it only works with squid 2.5. I'm planning to replace Websense with DansGuardian in March, so I will be able to upgrade Squid. Does the new version of Squid solve my problem? Or will I also have to apply the patch Adrian Chadd suggested on the previous post? Is there any automatic process to apply the patch (like a script) or do I have to edit the configuration files by hand?
> > > To Elvar: yes, users are getting popup windows on their browsers.
> > > Thanks.
> > >
> > > -----Original Message-----
> > > From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> > > Sent: Sat 19/01/2008 02:24
> > > To: Adrian Chadd
> > > Cc: Francisco Martinez Espadas; squid-users@squid-cache.org
> > > Subject: Re: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found
> > >
> > > Please also use a more recent squid release. Currently supported releases are:
> > >     2.6stable17+ if you are running high-performance servers
> > >     3.0-stable1+ if you can.
> > >
> > > Amos
> > >
> > > Adrian Chadd wrote:
> > > > On Fri, Jan 18, 2008, Francisco Martinez Espadas wrote:
> > > > > Hello,
> > > > > Since a few days ago I can't grant access to users on my company network using Squid. I am having problems with 2 winbind processes that are using a huge
> > > >
> > > > Thank Samba for their fantastic implementation of windows authentication. :)
> > > >
> > > > > amount of CPU when users enter the system. The following is the winbind log:
> > > > >
> > > > >     nsswitch/winbindd.c:process_loop(813) winbindd: Exceeding 200 client connections, no idle connection found
> > > >
> > > > http://devel.squid-cache.org/projects.html#ntlm_ip_cache
> > > >
> > > > Adrian
> > > >
> > > > > and the cache.log:
> > > > >
> > > > >     2008/01/18 11:05:24| WARNING: All ntlmauthenticator processes are busy.
> > > > >     2008/01/18 11:05:24| WARNING: up to 30 pending requests queued
> > > > >     2008/01/18 11:05:54| WARNING: All ntlmauthenticator processes are busy.
> > > > >     2008/01/18 11:05:54| WARNING: up to 59 pending requests queued
> > > > >     2008/01/18 11:05:54| Consider increasing the number of ntlmauthenticator processes to at least 89 in your config file.
> > > > >     2008/01/18 11:06:24| WARNING: All ntlmauthenticator processes are busy.
> > > > >     2008/01/18 11:06:24| WARNING: up to 98 pending requests queued
> > > > >     2008/01/18 11:06:24| Consider increasing the number of ntlmauthenticator processes to at least 128 in your config file.
> > > > >     2008/01/18 11:06:54| WARNING: All ntlmauthenticator processes are busy.
> > > > >     2008/01/18 11:06:54| WARNING: up to 149 pending requests queued
> > > > >     2008/01/18 11:06:54| Consider increasing the number of ntlmauthenticator processes to at least 179 in your config file.
> > > > >     2008/01/18 11:06:55| storeDirWriteCleanLogs: Starting...
> > > > >     2008/01/18 11:06:55| WARNING: Closing open FD8
> > > > >     2008/01/18 11:06:55| 65536 entries written so far.
> > > > >     2008/01/18 11:06:55| WARNING: Closing open FD 84
> > > > >     2008/01/18 11:06:55| Finished. Wrote 110308 entries.
> > > > >     2008/01/18 11:06:55| Took 0.1 seconds (838174.8 entries/sec).
> > > > >     FATAL: Too many queued ntlmauthenticator requests (151 on 30)
> > > > >     Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> > > > >
> > > > > I have been looking for some info and I've found this reopened bug: https://bugzilla.samba.org/show_bug.cgi?id=3204. Has anyone had the same problem and has succeeded in solving it? It's weird because Squid was working great until I updated Samba from Ubuntu repositories.
> > > > >
> > > > > This is my scenario:
> > > > > OS: Ubuntu 7.04
> > > > > Samba and Winbind versions: 3.0.24
> > > > > Users: about 500
> > > > > Squid:
> > > > >
> > > > >     $ squid -v
> > > > >     Squid Cache: Version 2.5.STABLE14
> > > > >     configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid
[squid-users] internet access groups in Active Directory
Hi people,

I have a problem when I try to pass a user's Active Directory group from Squid to DansGuardian. This is my scenario:

1. User clients are using DansGuardian as proxy, with NTLM auth.
2. Squid is installed on the same server, with NTLM auth also.
3. In my Active Directory there are 3 groups with different Internet privileges.
4. Squid, in order to retrieve user groups, reads a text file where the 3 groups are defined (/etc/squid/group-AD). In my squid.conf:

       external_acl_type wb_group ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
       acl ACCES_INTERNET external wb_group /etc/squid/group-AD

5. At the moment, in DansGuardian I need to define every single user in /etc/dansguardian/lists/filtergroupslist (user=filter-group).

So, my question is: how can I pass the user groups from Squid to DansGuardian?

thanks
[squid-users] Partially forwarding request to my parent
Hello,

I have a parent proxy which I use only for certain dstdomains, leaving all the remaining domains handled by my own local proxy.

    # Here I define my parent, to which I would forward the requests for acls unipa and ieee
    cache_peer myparentproxy parent 3128 0 no-query proxy-only

    # Here are the acls for unipa and ieee
    acl unipa dst x.y.0.0/16
    acl ieee dstdomain .ieee.org

    # Here I ask to forward the requests to my parent proxy directly if they match my acls
    # and explicitly deny forwarding to the parent for all the remaining requests
    always_direct allow ieee unipa
    always_direct deny all

    # Opposite
    never_direct deny ieee unipa
    never_direct allow all

All the requests, both matching my acls or not, are forwarded to the parent proxy. What am I missing?

Thanks a lot!

--
GnuPG / PGP Key Available on http://pgp.mit.edu
KeyID: 0x17E179AA - Key Fingerprint: 6594 0AEB 13E9 7CA5 EBF7 FCF7 E201 1E6F 17E1 79AA
Linux Registered User: #192634
Web: http://www.ashetic.net/wordpress/
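The routing question above comes down to two documented rules of Squid access lists: several ACL names on one line are ANDed (the line matches only when all of them match), and the first matching line wins, with the default being the opposite of the last line when nothing matches. An always_direct match forces a direct fetch and overrides never_direct; always_direct therefore means "bypass the parent", the reverse of what the poster wanted for ieee and unipa. The following is an added example, not code from the poster or from the Squid project; it models that evaluation in Python and runs both the configuration as posted and a corrected one over constructed requests. The 10.0.0.0/16 network is a constructed stand-in for the poster's x.y.0.0/16, and the destination addresses are constructed as well.

```python
"""Model of how Squid evaluates always_direct / never_direct lists.

Added example (not the poster's or the Squid project's code).  Rules modelled:
  * lines are tested in order; the first line whose ACLs ALL match wins
    (several ACL names on one line are ANDed);
  * if no line matches, the default is the opposite of the last line;
  * always_direct allow  -> forced DIRECT (overrides never_direct),
    else never_direct allow -> forced to a parent, else either may be used.
"""
import ipaddress

# Constructed stand-in for the poster's "acl unipa dst x.y.0.0/16"
UNIPA_NET = ipaddress.ip_network("10.0.0.0/16")

# ACL name -> predicate over a request dict {"host": ..., "dst_ip": ...}
ACLS = {
    "unipa": lambda r: ipaddress.ip_address(r["dst_ip"]) in UNIPA_NET,
    # ".ieee.org" matches the domain itself and any subdomain
    "ieee": lambda r: r["host"] == "ieee.org" or r["host"].endswith(".ieee.org"),
    "all": lambda r: True,
}


def evaluate(lines, request):
    """lines: [(action, [acl names]), ...] in squid.conf order.
    Returns "allow" or "deny" using Squid's first-match semantics."""
    for action, acl_names in lines:
        if all(ACLS[name](request) for name in acl_names):
            return action
    if not lines:
        return "deny"
    return "deny" if lines[-1][0] == "allow" else "allow"


def route(always_direct, never_direct, request):
    """Forwarding decision for one request."""
    if evaluate(always_direct, request) == "allow":
        return "DIRECT"
    if evaluate(never_direct, request) == "allow":
        return "PARENT"
    return "EITHER"  # Squid may try the parent and fall back to direct


# As posted: "allow ieee unipa" needs BOTH ACLs to match the same request, so
# for ordinary traffic the "all" lines decide and everything goes to the parent.
POSTED_ALWAYS = [("allow", ["ieee", "unipa"]), ("deny", ["all"])]
POSTED_NEVER = [("deny", ["ieee", "unipa"]), ("allow", ["all"])]

# One corrected form: one ACL per line, and the parent is selected through
# never_direct while everything else is explicitly allowed to go direct.
FIXED_ALWAYS = [("deny", ["ieee"]), ("deny", ["unipa"]), ("allow", ["all"])]
FIXED_NEVER = [("allow", ["ieee"]), ("allow", ["unipa"]), ("deny", ["all"])]

SAMPLE_REQUESTS = {  # constructed requests
    "ieee": {"host": "www.ieee.org", "dst_ip": "192.0.2.7"},
    "unipa": {"host": "www.example.edu", "dst_ip": "10.0.12.34"},
    "other": {"host": "www.example.com", "dst_ip": "198.51.100.9"},
    # a host matching BOTH ACLs shows the AND in the posted config
    "both": {"host": "ieee.org", "dst_ip": "10.0.0.1"},
}


def routes(always_direct, never_direct):
    """Route every sample request under the given pair of lists."""
    return {name: route(always_direct, never_direct, req)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("posted:", routes(POSTED_ALWAYS, POSTED_NEVER))
    print("fixed: ", routes(FIXED_ALWAYS, FIXED_NEVER))
```

Under the posted lists every ordinary request is routed to the parent, which is exactly the behaviour the poster observed; only a request that satisfies both ACLs at once escapes to DIRECT, the opposite of the intent. Under the corrected lists the ieee and unipa requests are forced to the parent and everything else is fetched directly.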
Re: [squid-users] Squid-2, Squid-3, roadmap
Hi everyone,

I'm quite disappointed in the lack of feedback from the community over this. It's hard to figure out what people want if no one speaks up, so this is your time to speak up.

Adrian

On Wed, Feb 27, 2008, Mark Nottingham wrote:
> Hello Squid folk,
>
> I maintain Yahoo!'s internal build of Squid, and serve as a resource for the various Y! properties that use it.
>
> We currently only use Squid-2, and don't have plans to migrate to Squid-3; although ESI, ICAP as well as eCAP look interesting, there are too many critical features (e.g., collapsed forwarding, refresh stale hit, full Vary/ETag support, not to mention several things in 2.7DEVEL0) missing for us to use it. Additionally, anecdotal evidence shows that it's still too unstable and slow for production use where these aspects are important; or at least, there is enough doubt about them to make switching too risky for too little benefit.
>
> I know that there's a lot of water under the bridge WRT -2 vs -3, and don't want to stir up what must seem like a very old discussion to the developers. However, there's not much clarity about the situation WRT 2 vs 3, and we've been in this state for a long period of time.
>
> Specifically, a few questions for the developers of Squid:
>
> * Besides the availability of *CAP and ESI -- which are very specialised, and of interest only to a subset of Squid users -- is there any user-visible benefit to switching to -3?
> * What do the developers consider to be a success metric for -3? I.e., when will maintenance on -2 stop?
> * Until that time, what is the development philosophy for Squid-2? Will it be only maintained, or will new features be added / rewrites be done as (possibly sponsored) resources are available? Looking at http://wiki.squid-cache.org/RoadMap/Squid2 , it seems to be the latter; is that the correct interpretation?
> * If that success metric is not reached, what is the contingency plan?
> * How will these answers change if a substantial number of users willfully choose to stay on -2 (and not just because they neglect to update their software)?
>
> Also, a few questions for -users:
>
> * Who is using -3 in production now? How are you using it (load, use case, etc.) and what are your experiences?
> * Who is planning to use -3 soon? Why?
> * Who is not planning to use -3 soon? Why not?
>
> Thanks,
>
> --
> Mark Nottingham
> [EMAIL PROTECTED]

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] Youtube video cache
On Mon, Mar 03, 2008, Cassiano Martin wrote:
> Hi all!
>
> Did someone have success caching youtube videos? I tried it but it didn't work for me. I followed all Adrian's steps, but no success at all.

The trouble is that it's a moving target and I'm having to try and keep things updated. I'm trying to organise better, updated documentation but it's only for paying clients at the present time. Trying to keep the documentation updated and keeping an eye on what they're up to requires time!

> I'm using squid:
>
>     Squid Cache: Version 2.7.DEVEL0-20080303
>     configure options: '--enable-delay-pools' '--enable-cache-digests' '--enable-poll' '--disable-ident-lookups' '--enable-truncate' '--enable-removal-policies' '--enable-arp-acl' '--enable-ssl'
>
> Thanks.

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] Youtube video cache
Adrian Chadd wrote:
> On Mon, Mar 03, 2008, Cassiano Martin wrote:
> > Hi all!
> >
> > Did someone have success caching youtube videos? I tried it but it didn't work for me. I followed all Adrian's steps, but no success at all.
>
> The trouble is that it's a moving target and I'm having to try and keep things updated. I'm trying to organise better, updated documentation but it's only for paying clients at the present time. Trying to keep the documentation updated and keeping an eye on what they're up to requires time!
>
> > I'm using squid:
> >
> >     Squid Cache: Version 2.7.DEVEL0-20080303
> >     configure options: '--enable-delay-pools' '--enable-cache-digests' '--enable-poll' '--disable-ident-lookups' '--enable-truncate' '--enable-removal-policies' '--enable-arp-acl' '--enable-ssl'
> >
> > Thanks.

Okay, I'm trying to figure out what changed. If I find what is happening, I'll post to the list.

Thanks Adrian.
Re: [squid-users] Authentication Hack
My Bad. I had used $_ instead of STDIN in my Perl program. It still doesn't work, though: I get a blank page instead of my logon page. The Apache access.log and errors.log don't appear to have any entries. I'll investigate further...
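The helper in this thread (the checkip script quoted in the first message, and the $_ versus STDIN correction above) follows Squid's external ACL protocol: Squid writes one line per request containing the formatted fields (here just %SRC), and the helper answers each with OK or ERR, flushed immediately so Squid does not conclude that the helper has died. The following is an added example, not the poster's script and not Squid project code; it assumes a single %SRC field per line (no concurrency= option, so no leading channel id) and a marker directory that the login CGI populates with one empty file per authenticated address. Because the incoming field becomes part of a filename, the example parses it with the ipaddress module and rejects anything that is not an address before touching the filesystem; a scheme that identifies users by source address still inherits the limits of that identification (shared NAT, changing addresses), which the validation does not change.

```python
"""Squid external_acl_type helper in the spirit of the thread's checkip.

Added example, not the poster's or the Squid project's code.  Assumptions:
  * squid.conf passes a single %SRC field per line and no concurrency=
    option, e.g.  external_acl_type ipauth %SRC /usr/local/squid/libexec/checkip.py
  * the login CGI creates an empty file named after the client address in
    IP_DIR (path taken from the thread; any other directory works).
"""
import ipaddress
import os
import sys
import tempfile

IP_DIR = "/var/www/apache2-default/cgi-bin/ips"


def normalise_ip(field):
    """Return the canonical text form of the address, or None when the field
    is not a plain IP address.  An empty line, a hostname or '../etc' is
    rejected here, before it could ever be used as a filename."""
    try:
        return str(ipaddress.ip_address(field.strip()))
    except ValueError:
        return None


def decide(line, ip_dir=IP_DIR, exists=os.path.isfile):
    """Map one request line from Squid to the helper protocol reply.

    'OK'  -> a marker file exists for the address (the user logged in)
    'ERR' -> no marker, or the field was not an address at all
    Only the basename is joined to ip_dir, so the lookup cannot leave it.
    """
    ip = normalise_ip(line)
    if ip is None:
        return "ERR"
    marker = os.path.join(ip_dir, os.path.basename(ip))
    return "OK" if exists(marker) else "ERR"


def make_demo_dir(authenticated=("192.0.2.10",)):
    """Create a temporary marker directory holding constructed sample
    markers, so the decision logic can be exercised offline."""
    d = tempfile.mkdtemp(prefix="ipauth-demo-")
    for ip in authenticated:
        open(os.path.join(d, ip), "w").close()
    return d


def serve(stdin=sys.stdin, stdout=sys.stdout, ip_dir=IP_DIR):
    """Helper main loop: one request line in, one OK/ERR line out.
    The reply is flushed at once (the thread's $| = 1); an unflushed reply
    leaves Squid waiting and it eventually restarts the helper."""
    for line in stdin:
        stdout.write(decide(line, ip_dir) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Run it as the external_acl_type program and test it by hand by typing an address on stdin: an address with a marker file answers OK, anything else answers ERR, and the helper keeps running across requests instead of exiting after one, which is what the "crashing too rapidly" message in the thread reports.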
Re: [squid-users] Squid-2, Squid-3, roadmap
Well, I am interested in speed, features and ICAP. So I like -2 and -3 to merge.

It seems to me that for the sake of being polite with each other we do not want to call the -2 / -3 issue a fork, but effectively it really is a fork. So here is my question back to the main maintainers: do you want to undo the fork and merge?

Note this: for a merge there are 2 ways:
1) port functionality from -3 to -2
2) port functionality from -2 to -3

-Marcus

Adrian Chadd wrote:
> Hi everyone,
>
> I'm quite disappointed in the lack of feedback from the community over this. It's hard to figure out what people want if no one speaks up, so this is your time to speak up.
>
> Adrian
>
> On Wed, Feb 27, 2008, Mark Nottingham wrote:
> > Hello Squid folk,
> >
> > I maintain Yahoo!'s internal build of Squid, and serve as a resource for the various Y! properties that use it.
> >
> > We currently only use Squid-2, and don't have plans to migrate to Squid-3; although ESI, ICAP as well as eCAP look interesting, there are too many critical features (e.g., collapsed forwarding, refresh stale hit, full Vary/ETag support, not to mention several things in 2.7DEVEL0) missing for us to use it. Additionally, anecdotal evidence shows that it's still too unstable and slow for production use where these aspects are important; or at least, there is enough doubt about them to make switching too risky for too little benefit.
> >
> > I know that there's a lot of water under the bridge WRT -2 vs -3, and don't want to stir up what must seem like a very old discussion to the developers. However, there's not much clarity about the situation WRT 2 vs 3, and we've been in this state for a long period of time.
> >
> > Specifically, a few questions for the developers of Squid:
> >
> > * Besides the availability of *CAP and ESI -- which are very specialised, and of interest only to a subset of Squid users -- is there any user-visible benefit to switching to -3?
> > * What do the developers consider to be a success metric for -3? I.e., when will maintenance on -2 stop?
> > * Until that time, what is the development philosophy for Squid-2? Will it be only maintained, or will new features be added / rewrites be done as (possibly sponsored) resources are available? Looking at http://wiki.squid-cache.org/RoadMap/Squid2 , it seems to be the latter; is that the correct interpretation?
> > * If that success metric is not reached, what is the contingency plan?
> > * How will these answers change if a substantial number of users willfully choose to stay on -2 (and not just because they neglect to update their software)?
> >
> > Also, a few questions for -users:
> >
> > * Who is using -3 in production now? How are you using it (load, use case, etc.) and what are your experiences?
> > * Who is planning to use -3 soon? Why?
> > * Who is not planning to use -3 soon? Why not?
> >
> > Thanks,
> >
> > --
> > Mark Nottingham
> > [EMAIL PROTECTED]
Re: RS: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found
Francisco,

Are you still exceeding max allowed connections based on what you put in local.h?

Also, for you samba masters out there, is there a way to view the current number of winbind connections in use? I would be very interested in monitoring that and having myself paged once it hit a certain amount etc.

Regards,
Elvar

Francisco Martinez Espadas wrote:
> Hi Elvar,
>
> I tried your suggestion (thanks, by the way) but it didn't work. I have (at last!) succeeded in uninstalling Ubuntu and replacing it with CentOS 5.1, which has Samba version 3.0.25b-1.el5_1.4 and Squid 2.6stable18.
>
> Thanks.
>
> On Sat, 23 Feb 2008 at 05:51 -0600, Elvar wrote:
> > This is what I got from someone on the samba list just a few days ago...
> >
> >   Right now you'll have to change the definition of
> >   WINBINDD_MAX_SIMULTANEOUS_CLIENTS in include/local.h from 200 to a
> >   higher number and recompile. I'll look into parameterizing this for
> >   3.2 and later.
> >
> > I did this and changed mine to 400 and since recompiling / reinstalling I haven't had a problem.
> >
> > Kind regards,
> > Elvar
> >
> > Francisco Martinez Espadas wrote:
> > > Hello,
> > > I've upgraded to Squid 2.6stable18, but I'm still having the same problem. Samba and Winbind version are 3.0.24. The OS is Ubuntu 7.04.
> > > Any idea about what's going on?
> > > thanks
> > >
> > > On Mon, 21 Jan 2008 at 12:23 +0100, Francisco Martinez Espadas wrote:
> > > > Hello,
> > > > I'm using squid 2.5stable14 because I'm using Websense as web filter. As far as I know, it only works with squid 2.5. I'm planning to replace Websense with DansGuardian in March, so I will be able to upgrade Squid. Does the new version of Squid solve my problem? Or will I also have to apply the patch Adrian Chadd suggested on the previous post? Is there any automatic process to apply the patch (like a script) or do I have to edit the configuration files by hand?
> > > > To Elvar: yes, users are getting popup windows on their browsers.
> > > > Thanks.
> > > >
> > > > -----Original Message-----
> > > > From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> > > > Sent: Sat 19/01/2008 02:24
> > > > To: Adrian Chadd
> > > > Cc: Francisco Martinez Espadas; squid-users@squid-cache.org
> > > > Subject: Re: [squid-users] winbindd: Exceeding 200 client connections, no idle connection found
> > > >
> > > > Please also use a more recent squid release. Currently supported releases are:
> > > >     2.6stable17+ if you are running high-performance servers
> > > >     3.0-stable1+ if you can.
> > > >
> > > > Amos
> > > >
> > > > Adrian Chadd wrote:
> > > > > On Fri, Jan 18, 2008, Francisco Martinez Espadas wrote:
> > > > > > Hello,
> > > > > > Since a few days ago I can't grant access to users on my company network using Squid. I am having problems with 2 winbind processes that are using a huge
> > > > >
> > > > > Thank Samba for their fantastic implementation of windows authentication. :)
> > > > >
> > > > > > amount of CPU when users enter the system. The following is the winbind log:
> > > > > >
> > > > > >     nsswitch/winbindd.c:process_loop(813) winbindd: Exceeding 200 client connections, no idle connection found
> > > > >
> > > > > http://devel.squid-cache.org/projects.html#ntlm_ip_cache
> > > > >
> > > > > Adrian
> > > > >
> > > > > > and the cache.log:
> > > > > >
> > > > > >     2008/01/18 11:05:24| WARNING: All ntlmauthenticator processes are busy.
> > > > > >     2008/01/18 11:05:24| WARNING: up to 30 pending requests queued
> > > > > >     2008/01/18 11:05:54| WARNING: All ntlmauthenticator processes are busy.
> > > > > >     2008/01/18 11:05:54| WARNING: up to 59 pending requests queued
> > > > > >     2008/01/18 11:05:54| Consider increasing the number of ntlmauthenticator processes to at least 89 in your config file.
> > > > > >     2008/01/18 11:06:24| WARNING: All ntlmauthenticator processes are busy.
> > > > > >     2008/01/18 11:06:24| WARNING: up to 98 pending requests queued
> > > > > >     2008/01/18 11:06:24| Consider increasing the number of ntlmauthenticator processes to at least 128 in your config file.
> > > > > >     2008/01/18 11:06:54| WARNING: All ntlmauthenticator processes are busy.
> > > > > >     2008/01/18 11:06:54| WARNING: up to 149 pending requests queued
> > > > > >     2008/01/18 11:06:54| Consider increasing the number of ntlmauthenticator processes to at least 179 in your config file.
> > > > > >     2008/01/18 11:06:55| storeDirWriteCleanLogs: Starting...
> > > > > >     2008/01/18 11:06:55| WARNING: Closing open FD8
> > > > > >     2008/01/18 11:06:55| 65536 entries written so far.
> > > > > >     2008/01/18 11:06:55| WARNING: Closing open FD 84
> > > > > >     2008/01/18 11:06:55| Finished. Wrote 110308 entries.
> > > > > >     2008/01/18 11:06:55| Took 0.1 seconds (838174.8 entries/sec).
> > > > > >     FATAL: Too many queued ntlmauthenticator requests (151 on 30)
> > > > > >     Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> > > > > >
> > > > > > I have been looking for some info and I've found this reopened bug: https://bugzilla.samba.org/show_bug.cgi?id=3204. Has anyone had the same problem and has succeeded in solving it? It's weird because Squid was working great until I updated Samba from Ubuntu repositories.
> > > > > >
> > > > > > This is my
[squid-users] Auth through HTTPS reverse proxy
I've set up Squid 2.6.STABLE6 as a reverse proxy. It terminates SSL connections using a wildcard cert and then passes the connections to back-end servers using either HTTP or HTTPS. All works well for servers that don't require any authentication (or which let the web application handle its own authentication). However, when I try to use Apache's native authentication to restrict directory access, any access through the proxy always fails authentication. Access directly to the server (bypassing the proxy) authenticates just fine, so it appears that something about my Squid setup is causing authentication to break. This happens regardless of whether the back-end is running HTTP or HTTPS. The squid & apache logs don't tell me anything. I've looked over packet dumps (on the HTTP side, of course), but I don't see the user/pwd anywhere.

Any ideas what I'm doing wrong?

Squid.conf: (docs is the server in question)

    http_port 80 vhost
    https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost
    icp_port 0
    cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=cmaxx-app-peer
    cache_peer 172.22.65.2 parent 80 0 no-query originserver name=docs-peer
    cache_peer 172.22.66.208 parent 80 0 no-query originserver name=ocsapp-peer
    cache_peer 172.22.66.206 parent 80 0 no-query originserver name=ocsinf-peer
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    maximum_object_size 0 KB
    access_log /var/log/squid/access.log squid
    url_rewrite_program /usr/local/bin/rewrite-http
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 443
    acl CONNECT method CONNECT
    acl sites_cmaxx-app dstdomain emr.bryanlgh.org cmaxx-app.bryanlgh.org
    acl sites_docs dstdomain docs.bryanlgh.org
    acl sites_ocsapp dstdomain ocsapp.bryanlgh.org
    acl sites_ocsinf dstdomain ocsinf.bryanlgh.org
    acl webserver dst 172.26.6.159 192.168.2.65 172.22.66.208 172.22.66.206 192.168.2.64 172.22.65.21
    http_access allow webserver
    miss_access allow webserver
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    cache_peer_access cmaxx-app-peer allow sites_cmaxx-app
    cache_peer_access docs-peer allow sites_docs
    cache_peer_access ocsapp-peer allow sites_ocsapp
    cache_peer_access ocsinf-peer allow sites_ocsinf
    cache_mgr [EMAIL PROTECTED]
    coredump_dir /var/spool/squid

/var/log/squid/access_log:

    1204578261.272    226 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
    1204578308.668    620 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
    1204578567.765    707 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
    1204578646.323    262 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
    1204578807.803    736 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
    1204578834.523     37 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html

Apache access_log on docs web server:

    198.203.245.64 - - [03/Mar/2008:15:09:27 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
    198.203.245.64 - - [03/Mar/2008:15:10:46 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
    198.203.245.64 - - [03/Mar/2008:15:13:27 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
    198.203.245.64 - - [03/Mar/2008:15:13:54 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"

Shell output from the lynx text-based web browser (after prompting once for user/pwd):

    $ lynx https://docs.bryanlgh.org
    Alert!: Unable to access document.
    Looking up docs.bryanlgh.org
    Making HTTPS connection to docs.bryanlgh.org
    Verified connection to docs.bryanlgh.org (cert=*.bryanlgh.org)
    Secure 128-bit TLS 1.0 (RSA_AES_128_CBC_SHA1) HTTP connection
    Sending HTTP request.
    HTTP request sent; waiting for response.
    Alert!: Access without authorization denied -- retrying
    Retrying with access authorization information.
    Looking up docs.bryanlgh.org
    Making HTTPS connection to docs.bryanlgh.org
    Verified connection to docs.bryanlgh.org (cert=*.bryanlgh.org)
    Secure 128-bit TLS 1.0 (RSA_AES_128_CBC_SHA1) HTTP connection
    Sending HTTP request.
    HTTP request sent; waiting for response.
    Can't Access `https://docs.bryanlgh.org/'
    Alert!: Unable to access document.
    lynx: Can't access startfile
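The Squid access_log excerpt above is in Squid's native format (time, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy/peer, content type), and the pattern it shows, a run of 401 replies from one client to one origin peer, is worth being able to pick out automatically whether the cause is a broken credential path, as here, or someone guessing passwords through the reverse proxy. The following is an added example, not code from the poster or from the Squid project: a parser for that format and a small per-client, per-peer 401 tally, run over constructed log lines (RFC 5737 addresses) laid out like the ones in the post.

```python
"""Parser for Squid's native access.log format plus a repeated-401 detector.

Added example (not the poster's or the Squid project's code).  The log lines
are constructed in the format the post shows; field order is the documented
native format:
  time elapsed client code/status bytes method URL ident hier/peer type
"""
from collections import Counter

SAMPLE_LOG = """\
1204578261.272    226 192.0.2.42 TCP_MISS/401 859 GET https://docs.example.org/ - FIRST_UP_PARENT/10.1.1.2 text/html
1204578308.668    620 192.0.2.42 TCP_MISS/401 859 GET https://docs.example.org/ - FIRST_UP_PARENT/10.1.1.2 text/html
1204578567.765    707 192.0.2.42 TCP_MISS/401 859 GET https://docs.example.org/ - FIRST_UP_PARENT/10.1.1.2 text/html
1204578600.001     12 192.0.2.42 TCP_MISS/200 4096 GET https://ocsapp.example.org/ - FIRST_UP_PARENT/10.1.1.3 text/html
1204578646.323    262 198.51.100.7 TCP_MISS/401 859 GET https://docs.example.org/ - FIRST_UP_PARENT/10.1.1.2 text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None for lines
    that do not have the ten expected fields or carry non-numeric values."""
    parts = line.split()
    if len(parts) != 10:
        return None
    try:
        code, status = parts[3].split("/", 1)       # e.g. TCP_MISS/401
        hier, peer = parts[8].split("/", 1)         # e.g. FIRST_UP_PARENT/10.1.1.2
        return {
            "time": float(parts[0]),
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "code": code,
            "status": int(status),
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "ident": parts[7],
            "hierarchy": hier,
            "peer": peer,
            "type": parts[9],
        }
    except ValueError:
        return None


def parse_log(text):
    """Parse every line of a log, silently dropping unparseable ones."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def auth_failures(records, threshold=3):
    """Return {(client, peer): count} for pairs that collected at least
    `threshold` HTTP 401 replies.  A burst of 401s between one client and
    one origin is either a credential path that never works (the thread's
    case) or a guessing attempt; both deserve a look."""
    counts = Counter((r["client"], r["peer"])
                     for r in records if r["status"] == 401)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for (client, peer), n in auth_failures(recs).items():
        print(f"{client} -> {peer}: {n} x 401")
```

Point `parse_log` at the real file contents and raise or lower `threshold` to taste; the parser deliberately returns None for malformed lines rather than raising, so a single corrupted line does not stop a scan of a large log.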
Re: [squid-users] Auth through HTTPS reverse proxy
Ben Hollingsworth wrote:
> I've set up Squid 2.6.STABLE6 as a reverse proxy. It terminates SSL connections using a wildcard cert and then passes the connections to back-end servers using either HTTP or HTTPS. All works well for servers that don't require any authentication (or which let the web application handle its own authentication). However, when I try to use Apache's native authentication to restrict directory access, any access through the proxy always fails authentication. Access directly to the server (bypassing the proxy) authenticates just fine, so it appears that something about my Squid setup is causing authentication to break. This happens regardless of whether the back-end is running HTTP or HTTPS. The squid & apache logs don't tell me anything. I've looked over packet dumps (on the HTTP side, of course), but I don't see the user/pwd anywhere.
>
> Any ideas what I'm doing wrong?

Here's a little more info I should have included earlier. Apache 2.0.25 on RHEL4. Squid runs on RHEL5.

Apache config:

    ServerTokens OS
    ServerRoot /etc/httpd
    PidFile run/httpd.pid
    Timeout 120
    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15
    <IfModule prefork.c>
        StartServers 8
        MinSpareServers 5
        MaxSpareServers 20
        ServerLimit 256
        MaxClients 256
        MaxRequestsPerChild 4000
    </IfModule>
    <IfModule worker.c>
        StartServers 2
        MaxClients 150
        MinSpareThreads 25
        MaxSpareThreads 75
        ThreadsPerChild 25
        MaxRequestsPerChild 0
    </IfModule>
    Listen 80
    LoadModule access_module modules/mod_access.so
    LoadModule auth_module modules/mod_auth.so
    LoadModule auth_anon_module modules/mod_auth_anon.so
    LoadModule auth_dbm_module modules/mod_auth_dbm.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    LoadModule include_module modules/mod_include.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule env_module modules/mod_env.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule usertrack_module modules/mod_usertrack.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule info_module modules/mod_info.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule imap_module modules/mod_imap.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule file_cache_module modules/mod_file_cache.so
    LoadModule mem_cache_module modules/mod_mem_cache.so
    LoadModule cgi_module modules/mod_cgi.so
    Include conf.d/*.conf
    User apache
    Group apache
    ServerAdmin [EMAIL PROTECTED]
    UseCanonicalName Off
    DocumentRoot /var/www/html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mod_userdir.c>
        UserDir disable
    </IfModule>
    DirectoryIndex index.html index.html.var
    AccessFileName .htaccess
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    TypesConfig /etc/mime.types
    DefaultType text/plain
    <IfModule mod_mime_magic.c>
        MIMEMagicFile conf/magic
    </IfModule>
    HostnameLookups Off
    ErrorLog logs/error_log
    LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog logs/access_log combined
    ServerSignature On
    Alias /icons/ /var/www/icons/
    <Directory /var/www/icons>
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mod_dav_fs.c>
        DAVLockDB /var/lib/dav/lockdb
    </IfModule>
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory /var/www/cgi-bin>
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    IndexOptions FancyIndexing VersionSort NameWidth=*
    AddIconByEncoding
Re: [squid-users] Squid-2, Squid-3, roadmap
On Tuesday 04 March 2008 7:36:50 am Adrian Chadd wrote:
> Hi everyone,
>
> I'm quite disappointed in the lack of feedback from the community over this. It's hard to figure out what people want if no one speaks up, so this is your time to speak up.

I see nothing attractive in Squid v3.0. I don't mean to imply any criticism of the Squid developers. Indeed, I am grateful for their efforts over the years. It is just that the feature set of 3.0 is not geared to my needs.

The ICAP/ESI and authentication improvements seem geared to large installations (corporate use), but that's not my environment. I don't run a hierarchy of web proxies. I have a single Squid installation which I use for client performance and bandwidth reduction purposes on a small Linux network.

What I want is a fast, stable web proxy. Really, the only desired enhancement that comes immediately to mind is full HTTP v1.1 compliance.

Until 3.0 I always ran the current version of Squid. I'm currently running 2.6S18. My expectation is that my next version of Squid will be either 2.6S19 or 2.7S1, depending on how the developer politics shake out. There's nothing terribly wrong with Squid v3.0, but nothing terribly desirable about it either.
[squid-users] RELEASE/304 messages in store.log
Hi,

We recently added the reload-into-ims directive to our squid config after noticing that a large number of queries were coming in with No-Cache set, killing our cache efficiency. We have a relatively short max-age set, working on the assumption that the If-Modified-Since will keep the unchanging content from being continually refreshed.

Looking in our store.log, however, we're seeing lots of this:

    1204650204.462 RELEASE -1 2435DD617A6A5750936E71A36D77AF8F 304 1204635071 1204057533 -1 image/jpeg -1/0 GET http://example.com/object.jpg

I'm unsure of the meaning of this. The RELEASE line suggests that the object in question was deleted from the cache store, but the 304 suggests that a 304 Not-Modified was sent to the client. Any insights? I can't imagine that the object should be purged from cache if a Not-Modified is returned, but I can't tell if it actually is or not...

-C
[squid-users] Serve JSON object on access denial?
Hi,

Is there any way to make Squid serve a JSON object when access to some proxied resource is denied?

I use Squid as a reverse proxy to control access to a CouchDB database (which by itself does not have any access control yet). In the case of error, CouchDB serves a specifically-formatted JSON object. I would like to be able to serve a similar JSON object (with content-type application/json) if the proxy denies access, instead of an HTML page.

Thanks.

--
Dimitry Golubovsky
Anywhere on the Web
Re: [squid-users] Squid-2, Squid-3, roadmap
Hi, We've been testing Squid 3. 2.X is out of the question since we need ICAP. Our 3.0STABLE1 build with backported icap-related patches from 3.0-current is stable enough for us (no crashes, no weird behaviour). What I would personally like to see is full HTTP 1.1 compliance and a more complete ICAP implementation. However, for our own very limited use of an HTTP proxy, Squid-3 fits the bill rather nicely. Thanks ! Best, François On Tue, 4 Mar 2008 21:36:50 +0900 Adrian Chadd [EMAIL PROTECTED] wrote: Hi everyone, I'm quite disappointed in the lack of feedback from the community over this. It's hard to figure out what people want if no one speaks up, so this is your time to speak up. Adrian On Wed, Feb 27, 2008, Mark Nottingham wrote: Hello Squid folk, I maintain Yahoo!'s internal build of Squid, and serve as a resource for the various Y! properties that use it. We currently only use Squid-2, and don't have plans to migrate to Squid-3; although ESI, ICAP as well as eCAP look interesting, there are too many critical features (e.g., collapsed forwarding, refresh stale hit, full Vary/ETag support, not to mention several things in 2.7DEVEL0) missing for us to use it. Additionally, anecdotal evidence shows that it's still too unstable and slow for production use where these aspects are important; or at least, there is enough doubt about them to make switching too risky for too little benefit. I know that there's a lot of water under the bridge WRT -2 vs -3, and don't want to stir up what must seem like a very old discussion to the developers. However, there's not much clarity about the situation WRT 2 vs 3, and we've been in this state for a long period of time. Specifically, a few questions for the developers of Squid: * Besides the availability of *CAP and ESI -- which are very specialised, and of interest only to a subset of Squid users -- is there any user-visible benefit to switching to -3? * What do the developers consider to be a success metric for -3? 
I.e., when will maintenance on -2 stop? * Until that time, what is the development philosophy for Squid-2? Will it be only maintained, or will new features be added / rewrites be done as (possibly sponsored) resources are available? Looking at http://wiki.squid-cache.org/RoadMap/Squid2 , it seems to be the latter; is that the correct interpretation? * If that success metric is not reached, what is the contingency plan? * How will these answers change if a substantial number of users willfully choose to stay on -2 (and not just because they neglect to update their software)? Also, a few questions for -users: * Who is using -3 in production now? How are you using it (load, use case, etc.) and what are your experiences? * Who is planning to use -3 soon? Why? * Who is not planning to use -3 soon? Why not? Thanks, -- Mark Nottingham [EMAIL PROTECTED]
RE: [squid-users] Multi ISP Load Balancing Problem
Hi, I'm using Windows 2000 with Service Pack 4. If you think that it is a file descriptor problem, why does this problem appear when I install 3 Squid Services but not on the previous configuration, which installs one Squid Service only? I don't understand about select(). The loop-related error has been solved by not using ICP between Main to both Parent and Parent to Parent sibling relationship. But the performance with 3 Squid Services is still bad. Best regards, -Original Message- From: Guido Serassio [mailto:[EMAIL PROTECTED] Sent: Monday, March 03, 2008 12:37 AM To: Lazuardi Nasution; squid-users@squid-cache.org Subject: RE: [squid-users] Multi ISP Load Balancing Problem Hi, At 19:51 28/02/2008, Lazuardi Nasution wrote: We are using Squid 2.6STABLE18 for Windows. The performance is so bad. Here are some of the weird things in the log file; I don't have any idea about them. Exactly what Windows version? I hope that you are using a Windows Server 2003 machine 2008/02/28 11:17:38| comm_select: select failure: (10038) WSAENOTSOCK, Socket operation on nonsocket. 2008/02/28 11:17:38| Select loop Error. Retry 10 FATAL: Select Loop failed! Squid Cache (Version 2.6.STABLE18): Terminated abnormally. CPU Usage: 106.922 seconds = 35.922 user + 71.000 sys Maximum Resident Size: 41444 KB Page faults with physical i/o: 12269 These errors only happen when many users are accessing Squid. These errors didn't happen when I was just using one instance and doing load balancing by separating tcp_outgoing_address on Squid Main based on odd or even client source address; I'm not satisfied with this load balancing method. Don't forget that scalability of Squid on Windows is very limited: - Maximum file descriptors number is hard coded to 2048 in the Microsoft C Runtime library, so you can safely support a top of around 660 CONCURRENT object requests without user authentication. Please note: OBJECT requests, not concurrent USERS. 
- For portability reasons, the comm loop is based on select(), which is not the best thing for speed. Here you can find some tips on tuning TCP on Windows: http://smallvoid.com/article/winnt-tcpip-max-limit.html Regards Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
Re: [squid-users] Part of Page Loading Slowly
TCP window scaling was the issue. I believe the real issue is caused by the company that hosts the site I'm trying to access and I performed a workaround. I'd like to let them know what was causing the issue. Started working immediately after: echo 0 > /proc/sys/net/ipv4/tcp_window_scaling Documentation: http://wiki.squid-cache.org/KnowledgeBase/BrokenWindowSize http://dunedin.lug.net.nz/forums/archive/index.php/t-82653.html On Mar 3, 2008, at 5:23 PM, Adrian Chadd wrote: Hm, try disabling pmtu, timestamps and window scaling on your squid server? Adrian On Mon, Mar 03, 2008, Cody Jarrett wrote: I'm having an issue with a new squid install. Squid has always worked fine, but I moved squid to a new server and am having issues. My squid config allows access to 1 website for ordering purposes. Since moving to the new server, when accessing the website, a certain page load takes anywhere from 5 minutes to 10 minutes. Basically, the border of the page loads, but the center of the page is some sort of ajax and a scriptlet form and that hangs. When it eventually starts to load the form, it loads about 1 line per second and about 50 lines. When I don't use the proxy and browse to the site, the page and form loads in about 3 seconds. 
The whole time when it is trying to load, I get the following when running tethereal on the server over and over until it finally loads: 1204576907.204371 192.168.1.100 -> 10.20.30.40 TCP 59770 > squid [ACK] Seq=10215 Ack=26389 Win=524176 Len=0 TSV=740957497 TSER=260637360 1204576907.240115 192.168.1.100 -> 10.20.30.40 TCP 59770 > squid [ACK] Seq=10215 Ack=27837 Win=524176 Len=0 TSV=740957497 TSER=260637398 1204576908.448434 10.20.30.40 -> 192.168.1.100 TCP [TCP segment of a reassembled PDU] 1204576908.481293 10.20.30.40 -> 192.168.1.100 TCP [TCP segment of a reassembled PDU] 1204576908.501902 192.168.1.100 -> 10.20.30.40 TCP 59770 > squid [ACK] Seq=10215 Ack=29285 Win=524176 Len=0 TSV=740957510 TSER=260638651 1204576908.525971 192.168.1.100 -> 10.20.30.40 TCP 59770 > squid [ACK] Seq=10215 Ack=30733 Win=524176 Len=0 TSV=740957510 TSER=260638684 1204576909.736172 10.20.30.40 -> 192.168.1.100 TCP [TCP segment of a reassembled PDU] 1204576909.769486 10.20.30.40 -> 192.168.1.100 TCP [TCP segment of a reassembled PDU] On the previous server, I didn't have any problems, and I copied the squid.conf over to the new server, editing the IP address and server name in the conf file. The new server has a cable internet connection of several Mbit/s. I even tried the exact same version of squid as on the previous server, then upgraded to squid-2.6.STABLE6-5.el5_1.2, without any difference. It's a pretty basic config, and the only thing that has really changed is the centos 5 server that is now acting as the proxy server and the internet connection is now cable. It almost looked like some sort of MTU issue, but I've tried browsing the site from a computer using the proxy that is on the LAN behind this server (this server acts as the gateway for this LAN). Any insight would be greatly appreciated. Thanks. 
Here is my configuration file:

http_port 1.2.3.4:3128
http_port 127.0.0.1:3128
visible_hostname proxy.blah.com
cache_dir null /dev/null
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl all src 0/0
acl MyAllowedSites dstdomain .site.com
acl MyAcct proxy_auth | /etc/squid/acl_groups/MyGroups
http_access allow MyAcct MyAllowedSites
http_access deny all
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
http_reply_access allow all
icp_access allow all
tcp_recv_bufsize 10 bytes
coredump_dir /var/spool/squid

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] Auth through HTTPS reverse proxy
Ben Hollingsworth wrote: I've setup Squid 2.6.STABLE6 as a reverse proxy. It terminates SSL connections using a wildcard cert and then passes the connections to back-end servers using either HTTP or HTTPS. All works well for servers that don't require any authentication (or which let the web application handle its own authentication). However, when I try to use Apache's native authentication to restrict directory access, any access through the proxy always fails authentication. Access directly to the server (bypassing the proxy) authenticates just fine, so it appears that something about my Squid setup is causing authentication to break. This happens regardless of whether the back-end is running HTTP or HTTPS. The squid apache logs don't tell me anything. I've looked over packet dumps (on the HTTP side, of course), but I don't see the user/pwd anywhere. Any ideas what I'm doing wrong? Squid.conf: (docs is the server in question) http_port 80 vhost https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost icp_port 0 cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=cmaxx-app-peer cache_peer 172.22.65.2 parent 80 0 no-query originserver name=docs-peer cache_peer 172.22.66.208 parent 80 0 no-query originserver name=ocsapp-peer cache_peer 172.22.66.206 parent 80 0 no-query originserver name=ocsinf-peer OK, I fixed my problem. I need to add login=PASS to the option list in the cache_peer lines. Otherwise, it wasn't passing login info back to the real server.
Re: [squid-users] Question about Bug 1681
Ok so do I only need to apply it to squid, or will I have to also go into samba and apply it there as well? And does this need to be applied to all versions of squid 2.6 stable releases? Or is it part of a certain stable release? On 3/3/08, Guido Serassio [EMAIL PROTECTED] wrote: Hi, At 16:56 03/03/2008, Brian Kirk wrote: I have a question regarding the following bug: http://www.squid-cache.org/bugs/show_bug.cgi?id=1681 It appears as though this bug is only something that occurs with squid's ntlm_auth, we however use samba's ntlm_auth, and I see similar problems. snippet from squid.conf auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp We seem to have the exact same problem though. We are running squid2.6 Stable 9, and samba 3.0.25b. Is this patch needed for our environment? No. The fix was for all NTLM authenticators. Regards Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
Re: [squid-users] Question about Bug 1681
Hi, At 21:19 04/03/2008, Brian Kirk wrote: Ok so do I only need to apply it to squid, or will I have to also go into samba and apply it there as well? And does this need to be applied to all versions of squid 2.6 stable releases? Or is it part of a certain stable release? It's included in all Squid starting from 2.6 STABLE2. Regards Guido On 3/3/08, Guido Serassio [EMAIL PROTECTED] wrote: Hi, At 16:56 03/03/2008, Brian Kirk wrote: I have a question regarding the following bug: http://www.squid-cache.org/bugs/show_bug.cgi?id=1681 It appears as though this bug is only something that occurs with squid's ntlm_auth, we however use samba's ntlm_auth, and I see similar problems. snippet from squid.conf auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp We seem to have the exact same problem though. We are running squid2.6 Stable 9, and samba 3.0.25b. Is this patch needed for our environment? No. The fix was for all NTLM authenticators. Regards Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/ - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
[squid-users] Configuring reverse proxy for both 80/443
I seem to be stumped. I need to reverse proxy for one internal server that listens on both 80 and 443. How can I configure squid to proxy for the same cache-peer on both 80 and 443? As far as I can see you can only specify one protocol per cache-peer line. I think I am missing something. - Nick
[squid-users] Squid Reverse Proxy - Apache - Trailing Slash
Hi, folks. I'm new to the list and pretty new to Squid as well. I'm running into a specific problem right now and need some guidance. As you know, trailing slashes are required for directories and when it is omitted from a request, Apache performs a redirect to include the trailing slash. This is fine and I understand the necessity. The problem is that I have Apache (2.0.63) running behind a firewall on port 8080. Squid (2.6b18) is the proxy running on port 80. When Apache receives a directory request without a trailing slash, its redirect includes its running port (e.g. http://myserver/dir is redirected to http://myserver:8080/dir/). 8080 is user inaccessible and the redirect fails. How do I resolve this? Thank you! Chris
Re: [squid-users] Redirector problems with squid 2.6
On Tue, 2008-03-04 at 09:45 +1000, Jonne Hannon wrote: I'm using squid 2.6STABLE18 as squid 3 is not yet compatibile with Smartfilter. In what way are the two incompatible? Is there a bug report for this problem? Thank you, Alex.
Re: [squid-users] Configuring reverse proxy for both 80/443
I haven't tried this myself, but can't you just have two cache-peer lines with the same host but different port numbers? -C On Mar 4, 2008, at 5:11 PM, Nick Duda wrote: I seem to be stumped. I need to reverse proxy for one internal server that listens on both 80 and 443. How can I configure squid to proxy for the same cache-peer on both 80 and 443? As far as I can see you can only specify one protocol per cache-peer line. I think I am missing something. - Nick
RE: [squid-users] Configuring reverse proxy for both 80/443
Nope, it throws an error, I tried that. -Original Message- From: Chris Woodfield [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 04, 2008 8:02 PM To: Nick Duda Cc: squid-users@squid-cache.org Subject: Re: [squid-users] Configuring reverse proxy for both 80/443 I haven't tried this myself, but can't you just have two cache-peer lines with the same host but different port numbers? -C On Mar 4, 2008, at 5:11 PM, Nick Duda wrote: I seem to be stumped. I need to reverse proxy for one internal server that listens on both 80 and 443. How can I configure squid to proxy for the same cache-peer on both 80 and 443? As far as I can see you can only specify one protocol per cache-peer line. I think I am missing something. - Nick
Re: [squid-users] Configuring reverse proxy for both 80/443
I haven't tried myself but I'm pretty sure that you can have as many duplicate cache_peers as you want as long you give each of them a different name Ric On Mar 4, 2008, at 5:01 PM, Chris Woodfield wrote: I haven't tried this myself, but can't you just have two cache-peer lines with the same host but different port numbers? -C On Mar 4, 2008, at 5:11 PM, Nick Duda wrote: I seem to be stumped. I need to reverse proxy for one internal server that listens on both 80 and 443. How can I configure squid to proxy for the same cache-peer on both 80 and 443? As far as I can see you can only specify one protocol per cache-peer line. I think I am missing something. - Nick
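A squid.conf fragment, added here as an illustration and not taken from either poster's configuration, that combines Ben's fix from the "Auth through HTTPS reverse proxy" thread above (login=PASS on the cache_peer line so the client's credentials reach the origin) with Ric's answer to the 80/443 question (two cache_peer lines for the same host, told apart by name= and selected with cache_peer_access). The backend address 172.22.65.2 is reused from Ben's post; the hostname docs.example.org, the certificate and CA file paths, and the acl names are assumptions. Because login=PASS forwards the user's password to the peer, the HTTPS peer verifies the backend certificate against a CA file instead of using sslflags=DONT_VERIFY_PEER, so the credentials cannot be harvested by an impostor on the backend address.

```conf
# Added example, not from the thread. Listeners: plain HTTP and TLS-terminating
# HTTPS, both in vhost (accelerator) mode.
http_port 80 vhost
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost
icp_port 0

# Two peers for one backend host: the name= option is what lets the second
# line coexist with the first. login=PASS forwards the client's credentials,
# so the TLS peer is verified (CA file plus expected certificate name) rather
# than configured with sslflags=DONT_VERIFY_PEER.
cache_peer 172.22.65.2 parent 80 0 no-query originserver login=PASS name=docs-http
cache_peer 172.22.65.2 parent 443 0 no-query originserver login=PASS ssl sslcafile=/etc/squid/backend-ca.pem ssldomain=docs.example.org name=docs-https

# Choose the peer from the port the client connected to, so HTTP stays HTTP
# and HTTPS stays HTTPS all the way to the backend.
acl docs dstdomain docs.example.org
acl via_http myport 80
acl via_https myport 443

cache_peer_access docs-http allow docs via_http
cache_peer_access docs-http deny all
cache_peer_access docs-https allow docs via_https
cache_peer_access docs-https deny all

# Only accelerate the named site, and never fetch it directly if no peer
# matches; everything else is refused.
never_direct allow all
http_access allow docs
http_access deny all
```

After reloading, request a protected path through each listener and confirm in the backend's access log that the request arrives with the user name set; if the HTTPS peer fails to connect, the CA file or ssldomain value does not match the certificate the backend presents, which is the check DONT_VERIFY_PEER was silently skipping.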
Re: [squid-users] Squid-2, Squid-3, roadmap
Well, I am interested in speed, features and ICAP. So I'd like -2 and -3 to merge. It seems to me that for the sake of being polite with each other we do not want to call the -2 / -3 issue a fork, but effectively it really is a fork. So here is my question back to the main maintainers: do you want to undo the fork and merge ? Note this: for a merge there are 2 ways: 1) port functionality from -3 to -2 2) port functionality from -2 to -3 Don't forget the .5) tasks: 1.5) port all changes made to -3 since starting the base port to -2. 2.5) port all changes made to -2 since starting the base port to -3. (1) would require a full re-code of -2 into C++ (repeating 6+ years of 3.x development under a new name) in order to encompass the features of -3 that cannot be back-ported. (2) requires info from you the users, about what features you need ported, and some help on porting those over to -3. Most of the developers are already working on this. We do want to close the divide. We also have not yet had a sponsor willing to pay specifically for any feature porting. So we are stuck with doing it whenever time is available. Changes are largely following (2). The decision was made years ago to cleanup squid somewhat by only porting the features that you the users found useful and wanted ported. That porting list comprises most of the 3.x RoadMap. As I and others keep posting: IF THERE IS ANYTHING MISSING LET US KNOW! The 3.1 RoadMap will finalize in 3 (three) weeks. If you don't tell us your feature needs by then you will be stuck waiting for 3.2+ or paying large amounts for them to be done. Amos -Marcus Adrian Chadd wrote: Hi everyone, I'm quite disappointed in the lack of feedback from the community over this. It's hard to figure out what people want if no one speaks up, so this is your time to speak up. Adrian On Wed, Feb 27, 2008, Mark Nottingham wrote: Hello Squid folk, I maintain Yahoo!'s internal build of Squid, and serve as a resource for the various Y! 
properties that use it. We currently only use Squid-2, and don't have plans to migrate to Squid-3; although ESI, ICAP as well as eCAP look interesting, there are too many critical features (e.g., collapsed forwarding, refresh stale hit, full Vary/ETag support, not to mention several things in 2.7DEVEL0) missing for us to use it. Additionally, anecdotal evidence shows that it's still too unstable and slow for production use where these aspects are important; or at least, there is enough doubt about them to make switching too risky for too little benefit. I know that there's a lot of water under the bridge WRT -2 vs -3, and don't want to stir up what must seem like a very old discussion to the developers. However, there's not much clarity about the situation WRT 2 vs 3, and we've been in this state for a long period of time. Specifically, a few questions for the developers of Squid: * Besides the availability of *CAP and ESI -- which are very specialised, and of interest only to a subset of Squid users -- is there any user-visible benefit to switching to -3? * What do the developers consider to be a success metric for -3? I.e., when will maintenance on -2 stop? * Until that time, what is the development philosophy for Squid-2? Will it be only maintained, or will new features be added / rewrites be done as (possibly sponsored) resources are available? Looking at http://wiki.squid-cache.org/RoadMap/Squid2 , it seems to be the latter; is that the correct interpretation? * If that success metric is not reached, what is the contingency plan? * How will these answers change if a substantial number of users willfully choose to stay on -2 (and not just because they neglect to update their software)? Also, a few questions for -users: * Who is using -3 in production now? How are you using it (load, use case, etc.) and what are your experiences? * Who is planning to use -3 soon? Why? * Who is not planning to use -3 soon? Why not? Thanks, -- Mark Nottingham [EMAIL PROTECTED]
Re: [squid-users] Redirector problems with squid 2.6
Hi Henrik, To work with squid 2.6, I had to add a newline to the string being written back to stdout. This was not required with squid 2.5. Thanks for your help. Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au Henrik Nordstrom [EMAIL PROTECTED] 4/03/2008 10:08:57 am On Mon, 2008-03-03 at 11:23 +1000, Jonne Hannon wrote: It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Have you disabled output buffering in the helper? Regards Henrik ** This message has passed through an insecure network. Please direct all enquiries to the message author. **
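A minimal url_rewrite helper, added here as an example and not Jonne's script, that shows the two details from this thread in code: each reply is terminated with a newline, and stdout is flushed after every reply so the helper never sits on a block-buffered pipe. It also echoes the channel ID that Squid 2.6 prefixes to each request when url_rewrite_concurrency is above zero. The rewrite table (old.example.com to new.example.com) is an assumption for illustration; every other URL is left alone by returning a blank reply.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite (redirector) helper.

Added example, not the list poster's helper. Squid writes one request per
line on stdin ("URL client_ip/fqdn ident method [key=value ...]"), prefixed
by a numeric channel ID when url_rewrite_concurrency > 0, and expects one
newline-terminated reply per request: the new URL, or an empty reply to
leave the request unchanged.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Hostnames to rewrite: assumed for illustration only.
REWRITES = {
    "old.example.com": "new.example.com",
}


def rewrite(url: str) -> str:
    """Return the replacement URL, or "" to tell Squid to leave it alone."""
    parts = urlsplit(url)
    target = REWRITES.get(parts.hostname or "")
    if target is None:
        return ""
    # Keep an explicit port, drop nothing else from the original URL.
    netloc = target if parts.port is None else "%s:%d" % (target, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def handle_line(line: str) -> str:
    """Turn one Squid request line into the exact reply line, newline included."""
    line = line.rstrip("\r\n")
    if not line:
        return "\n"
    fields = line.split(" ")
    channel = ""
    # With url_rewrite_concurrency > 0 the first field is a channel ID that
    # must be echoed back in front of the reply.
    if len(fields) > 1 and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    return channel + rewrite(fields[0]) + "\n"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line))
        # stdout is a pipe, hence block-buffered: flush after every reply or
        # Squid waits for output that never arrives (the 2.6 symptom above).
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point url_rewrite_program at the script and test it by hand: type a request line and the reply must come back immediately; if it only appears after EOF, buffering is still on. Because the helper runs as Squid's effective user and sees every requested URL, keep it table-driven and never pass the URL to a shell.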
Re: [squid-users] RELEASE/304 messages in store.log
Check to see if the object is actually in cache. I bet that the RELEASE line you're seeing is the temporary store entry that was created purely to return the 304 message. Adrian On Tue, Mar 04, 2008, Chris Woodfield wrote: Hi, We recently added the reload-into-ims directive to our squid config after noticing that a large number of queries were coming in with No-Cache set, killing our cache efficiency. We have a relatively short max-age set, working on the assumption that the If-Modified-Since will keep the unchanging content from being continually refreshed. Looking in our store.log, however, we're seeing lots of this: 1204650204.462 RELEASE -1 2435DD617A6A5750936E71A36D77AF8F 304 1204635071 1204057533 -1 image/jpeg -1/0 GET http://example.com/object.jpg I'm unsure of the meaning of this. The RELEASE line suggests that the object in question was deleted from the cache store, but the 304 suggests that a 304 Not-Modified was sent to the client. Any insights? I can't imagine that the object should be purged from cache if a Not-Modified is returned, but I can't tell if it actually is or not... -C -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
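One way to do the check Adrian suggests from the log itself, added here as an example and not code from the list or the Squid project: in the Squid 2.x store.log layout (time, action, dir-number, file-number, hash, status, date, lastmod, expires, type, expect/actual length, method, URL), a RELEASE whose dir-number is -1 and file-number is FFFFFFFF names an entry that never had a cache_dir slot, such as the transient entry built to send the 304, so it cannot be the eviction of the cached object. The script tallies RELEASE lines by status and disk presence and replays the log for one URL to say whether it is still on disk. The sample lines are constructed for the example, not taken from the poster's log.

```python
"""Tally store.log RELEASE entries and replay them for one URL.

Added example, not from the thread or the Squid project. Assumes the Squid
2.x store.log field order:
  time action dir-number file-number hash status date lastmod expires type
  expect-length/actual-length method url
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample, not real log data: a cached JPEG, the transient entry
# for its 304 reply, a GIF that really is evicted, and an uncachable page.
SAMPLE_STORE_LOG = """\
1204650200.100 SWAPOUT 00 0000001A 2435DD617A6A5750936E71A36D77AF8F  200 1204650200 1204057533 1204650500 image/jpeg 8312/8312 GET http://example.com/object.jpg
1204650204.462 RELEASE -1 FFFFFFFF 2435DD617A6A5750936E71A36D77AF8F  304 1204635071 1204057533         -1 image/jpeg -1/0 GET http://example.com/object.jpg
1204650250.000 SWAPOUT 00 0000002B 9A1B2C3D4E5F60718293A4B5C6D7E8F9  200 1204650250 1204057533 1204650550 image/gif 1024/1024 GET http://example.com/old.gif
1204650300.001 RELEASE 00 0000002B 9A1B2C3D4E5F60718293A4B5C6D7E8F9  200 1204650250 1204057533 1204650550 image/gif 1024/1024 GET http://example.com/old.gif
1204650301.500 RELEASE -1 FFFFFFFF 0F1E2D3C4B5A69788796A5B4C3D2E1F0  200 1204650301         -1         -1 text/html -1/512 GET http://example.com/nocache.html
"""

Record = Dict[str, object]


def parse_store_line(line: str) -> Record:
    """Split one store.log line into the fields this check needs."""
    f = line.split()
    if len(f) < 13:
        raise ValueError("unexpected store.log line: %r" % line)
    return {
        "time": float(f[0]),
        "action": f[1],
        # dir -1 / file FFFFFFFF: the entry never occupied a cache_dir slot.
        "on_disk": f[2] != "-1" and f[3].upper() != "FFFFFFFF",
        "key": f[4],
        "status": int(f[5]),
        "type": f[9],
        "method": f[11],
        "url": f[12],
    }


def parse_store_log(text: str) -> List[Record]:
    return [parse_store_line(l) for l in text.splitlines() if l.strip()]


def release_summary(records: Iterable[Record]) -> Counter:
    """Count RELEASE lines by (status, on_disk). (304, False) pairs are the
    transient 304 replies; (200, True) pairs are evictions of cached objects."""
    counts: Counter = Counter()
    for rec in records:
        if rec["action"] == "RELEASE":
            counts[(rec["status"], rec["on_disk"])] += 1
    return counts


def still_cached(records: Iterable[Record], url: str) -> bool:
    """Replay the log for one URL: SWAPOUT puts it on disk, a RELEASE of a
    real disk slot removes it, a RELEASE of a transient entry changes nothing."""
    cached = False
    for rec in records:
        if rec["url"] != url:
            continue
        if rec["action"] == "SWAPOUT":
            cached = True
        elif rec["action"] == "RELEASE" and rec["on_disk"]:
            cached = False
    return cached


if __name__ == "__main__":
    recs = parse_store_log(SAMPLE_STORE_LOG)
    for (status, on_disk), n in sorted(release_summary(recs).items()):
        print("RELEASE status=%d on_disk=%s: %d" % (status, on_disk, n))
    for u in ("http://example.com/object.jpg", "http://example.com/old.gif"):
        print(u, "still cached:", still_cached(recs, u))
```

Run it against a real store.log with parse_store_log(open(path).read()) and look at the (304, False) count; if it tracks the number of reload-into-ims hits, the objects are being kept. For a direct answer on one object, request it with a Cache-Control: only-if-cached header through the proxy: a cached object is served, a miss gets a 504.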
[squid-users] Squid on FreeBSD poor performance
Hi! Today I'm running squid 2.6 stable18 on FreeBSD 6.3 on an Acer R710 server. The client has 3000 users, but performance is poor. Is there a way to improve it?

My hardware is:
CPU: Intel(R) Xeon(TM) CPU 3.20GHz *2
RAM: 4G
HD: SEAGATE ST373207LC * 4 (320M/s 1 RPM)

#uname -a
proxy4 -joejoe-: uname -a
FreeBSD proxy4.tw 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sat Nov 17 11:45:41 CST 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PROXY i386

#mount
/dev/da0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s1f on /squidlogs (ufs, local, soft-updates)
/dev/da0s1d on /usr (ufs, local, soft-updates)
/dev/da0s1e on /var (ufs, local, soft-updates)
/dev/da0s1g on /tmp (ufs, local, soft-updates)
/dev/da1s1d on /bcache1 (ufs, local, noatime, soft-updates)
/dev/da1s1e on /bcache2 (ufs, local, noatime, soft-updates)
/dev/da1s2d on /bcache3 (ufs, local, noatime, soft-updates)
/dev/da1s2e on /bcache4 (ufs, local, noatime, soft-updates)
/dev/da1s3d on /bcache5 (ufs, local, noatime, soft-updates)
/dev/da1s3e on /bcache6 (ufs, local, noatime, soft-updates)
/dev/da1s4d on /bcache7 (ufs, local, noatime, soft-updates)
/dev/da1s4e on /bcache8 (ufs, local, noatime, soft-updates)
/dev/da2s1d on /ccache1 (ufs, local, noatime, soft-updates)
/dev/da2s1e on /ccache2 (ufs, local, noatime, soft-updates)
/dev/da2s2d on /ccache3 (ufs, local, noatime, soft-updates)
/dev/da2s2e on /ccache4 (ufs, local, noatime, soft-updates)
/dev/da2s3d on /ccache5 (ufs, local, noatime, soft-updates)
/dev/da2s3e on /ccache6 (ufs, local, noatime, soft-updates)
/dev/da2s4d on /ccache7 (ufs, local, noatime, soft-updates)
/dev/da2s4e on /ccache8 (ufs, local, noatime, soft-updates)
/dev/da3s1d on /dcache1 (ufs, local, noatime, soft-updates)
/dev/da3s1e on /dcache2 (ufs, local, noatime, soft-updates)
/dev/da3s2d on /dcache3 (ufs, local, noatime, soft-updates)
/dev/da3s2e on /dcache4 (ufs, local, noatime, soft-updates)
/dev/da3s3d on /dcache5 (ufs, local, noatime, soft-updates)
/dev/da3s3e on /dcache6 (ufs, local, noatime, soft-updates)
/dev/da3s4d on /dcache7 (ufs, local, noatime, soft-updates)
/dev/da3s4e on /dcache8 (ufs, local, noatime, soft-updates)

#df -h
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/da0s1a    9.7G    70M   8.8G     1%    /
devfs          1.0K   1.0K     0B   100%    /dev
/dev/da0s1f     10G   1.2G   8.1G    13%    /squidlogs
/dev/da0s1d     19G    10G   7.8G    56%    /usr
/dev/da0s1e     19G   103M    18G     1%    /var
/dev/da0s1g    5.8G    92K   5.4G     0%    /tmp
/dev/da1s1d    7.8G   6.0G   1.2G    84%    /bcache1
/dev/da1s1e    7.8G   6.0G   1.1G    84%    /bcache2
/dev/da1s2d    7.8G   6.0G   1.1G    84%    /bcache3
/dev/da1s2e    7.8G   6.0G   1.1G    84%    /bcache4
/dev/da1s3d    7.8G   6.0G   1.1G    84%    /bcache5
/dev/da1s3e    7.8G   6.0G   1.2G    84%    /bcache6
/dev/da1s4d    7.8G   6.0G   1.1G    84%    /bcache7
/dev/da1s4e    7.8G   6.0G   1.1G    84%    /bcache8
/dev/da2s1d    7.8G   6.0G   1.2G    84%    /ccache1
/dev/da2s1e    7.8G   6.0G   1.1G    84%    /ccache2
/dev/da2s2d    7.8G   6.0G   1.1G    84%    /ccache3
/dev/da2s2e    7.8G   6.0G   1.1G    84%    /ccache4
/dev/da2s3d    7.8G   6.0G   1.2G    84%    /ccache5
/dev/da2s3e    7.8G   6.0G   1.1G    84%    /ccache6
/dev/da2s4d    7.8G   6.0G   1.2G    84%    /ccache7
/dev/da2s4e    7.8G   6.0G   1.2G    84%    /ccache8
/dev/da3s1d    7.8G   6.0G   1.1G    84%    /dcache1
/dev/da3s1e    7.8G   6.0G   1.1G    84%    /dcache2
/dev/da3s2d    7.8G   6.0G   1.1G    84%    /dcache3
/dev/da3s2e    7.8G   6.0G   1.2G    84%    /dcache4
/dev/da3s3d    7.8G   6.0G   1.1G    84%    /dcache5
/dev/da3s3e    7.8G   6.0G   1.2G    84%    /dcache6
/dev/da3s4d    7.8G   6.0G   1.1G    84%    /dcache7
/dev/da3s4e    7.8G   6.0G   1.2G    84%    /dcache8

My kernel was compiled the day before yesterday with some tuning options:
Commented: options PAE
options MAXFILES=16384

In /boot/loader.conf file:
kern.ipc.msgmnb=16384          # Origin: 2048
kern.ipc.msgmni=96             # Origin: 40
kern.ipc.msgseg=2048           # Origin: 2048
kern.ipc.msgssz=64             # Origin: 8
kern.ipc.msgtql=5120           # Origin: 40
kern.geom.debugflags=16
machdep.hyperthreading_allowed=1
kern.maxdsiz=2147483648        # 2GB
kern.dfldsiz=2147483648        # 2GB
kern.maxssiz=268435456         # 256MB
kern.ipc.maxsockets=4008
kern.ipc.nmbclusters=32768
kern.ipc.nmbufs=65535
kern.ipc.nsfbufs=2496
net.inet.tcp.tcbhashsize=2048

In /etc/sysctl.conf file:
net.inet.ip.portrange.first=2  # Origin: 49152
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
kern.ipc.somaxconn=32768
kern.ipc.maxsockbuf=2097152
net.inet.ip.redirect=0
Re: [squid-users] Squid on FreeBSD poor performance
Firstly, drop cache_mem way, way down to something like 128 or 256 meg. It doesn't need to be that big, and that "can't allocate!" is FreeBSD saying no to memory allocations after your process grows past a certain size. 200 req/sec shouldn't be making it cry; 800 req/sec should be.

I do think you've got way, way too many cache dirs though. I'd collapse that to one per disk rather than lots of 8 gig cache dirs. FreeBSD-6 and FreeBSD-7 can use aufs instead of diskd. Try that maybe.

The dnsSubmit() messages are probably an indication your DNS server isn't fast enough.

Other than that, it's hard to tell what's going on without historical statistics. That's why I suggest setting up some kind of statistics graphing to all of my clients, and those that have thank me for it.

Adrian

On Wed, Mar 05, 2008, joejoe wrote:

Hi! Today I'm running squid 2.6 stable18 on FreeBSD 6.3 on an Acer R710 server. The client has 3000 users, but performance is poor. Is there a method that would improve this?

My hardware is:
CPU: Intel(R) Xeon(TM) CPU 3.20GHz *2
RAM: 4G
HD: SEAGATE ST373207LC * 4 (320M/s 1 RPM)

#uname -a
proxy4 -joejoe-:uname -a
FreeBSD proxy4.tw 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sat Nov 17 11:45:41 CST 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PROXY i386

#mount
/dev/da0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s1f on /squidlogs (ufs, local, soft-updates)
/dev/da0s1d on /usr (ufs, local, soft-updates)
/dev/da0s1e on /var (ufs, local, soft-updates)
/dev/da0s1g on /tmp (ufs, local, soft-updates)
/dev/da1s1d on /bcache1 (ufs, local, noatime, soft-updates)
/dev/da1s1e on /bcache2 (ufs, local, noatime, soft-updates)
/dev/da1s2d on /bcache3 (ufs, local, noatime, soft-updates)
/dev/da1s2e on /bcache4 (ufs, local, noatime, soft-updates)
/dev/da1s3d on /bcache5 (ufs, local, noatime, soft-updates)
/dev/da1s3e on /bcache6 (ufs, local, noatime, soft-updates)
/dev/da1s4d on /bcache7 (ufs, local, noatime, soft-updates)
/dev/da1s4e on /bcache8 (ufs, local, noatime, soft-updates)
/dev/da2s1d on /ccache1 (ufs, local, noatime, soft-updates)
/dev/da2s1e on /ccache2 (ufs, local, noatime, soft-updates)
/dev/da2s2d on /ccache3 (ufs, local, noatime, soft-updates)
/dev/da2s2e on /ccache4 (ufs, local, noatime, soft-updates)
/dev/da2s3d on /ccache5 (ufs, local, noatime, soft-updates)
/dev/da2s3e on /ccache6 (ufs, local, noatime, soft-updates)
/dev/da2s4d on /ccache7 (ufs, local, noatime, soft-updates)
/dev/da2s4e on /ccache8 (ufs, local, noatime, soft-updates)
/dev/da3s1d on /dcache1 (ufs, local, noatime, soft-updates)
/dev/da3s1e on /dcache2 (ufs, local, noatime, soft-updates)
/dev/da3s2d on /dcache3 (ufs, local, noatime, soft-updates)
/dev/da3s2e on /dcache4 (ufs, local, noatime, soft-updates)
/dev/da3s3d on /dcache5 (ufs, local, noatime, soft-updates)
/dev/da3s3e on /dcache6 (ufs, local, noatime, soft-updates)
/dev/da3s4d on /dcache7 (ufs, local, noatime, soft-updates)
/dev/da3s4e on /dcache8 (ufs, local, noatime, soft-updates)

#df -h
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/da0s1a    9.7G    70M   8.8G     1%    /
devfs          1.0K   1.0K     0B   100%    /dev
/dev/da0s1f     10G   1.2G   8.1G    13%    /squidlogs
/dev/da0s1d     19G    10G   7.8G    56%    /usr
/dev/da0s1e     19G   103M    18G     1%    /var
/dev/da0s1g    5.8G    92K   5.4G     0%    /tmp
/dev/da1s1d    7.8G   6.0G   1.2G    84%    /bcache1
/dev/da1s1e    7.8G   6.0G   1.1G    84%    /bcache2
/dev/da1s2d    7.8G   6.0G   1.1G    84%    /bcache3
/dev/da1s2e    7.8G   6.0G   1.1G    84%    /bcache4
/dev/da1s3d    7.8G   6.0G   1.1G    84%    /bcache5
/dev/da1s3e    7.8G   6.0G   1.2G    84%    /bcache6
/dev/da1s4d    7.8G   6.0G   1.1G    84%    /bcache7
/dev/da1s4e    7.8G   6.0G   1.1G    84%    /bcache8
/dev/da2s1d    7.8G   6.0G   1.2G    84%    /ccache1
/dev/da2s1e    7.8G   6.0G   1.1G    84%    /ccache2
/dev/da2s2d    7.8G   6.0G   1.1G    84%    /ccache3
/dev/da2s2e    7.8G   6.0G   1.1G    84%    /ccache4
/dev/da2s3d    7.8G   6.0G   1.2G    84%    /ccache5
/dev/da2s3e    7.8G   6.0G   1.1G    84%    /ccache6
/dev/da2s4d    7.8G   6.0G   1.2G    84%    /ccache7
/dev/da2s4e    7.8G   6.0G   1.2G    84%    /ccache8
/dev/da3s1d    7.8G   6.0G   1.1G    84%    /dcache1
/dev/da3s1e    7.8G   6.0G   1.1G    84%    /dcache2
/dev/da3s2d    7.8G   6.0G   1.1G    84%    /dcache3
/dev/da3s2e    7.8G   6.0G   1.2G    84%    /dcache4
/dev/da3s3d    7.8G   6.0G   1.1G    84%    /dcache5
/dev/da3s3e    7.8G   6.0G   1.2G    84%    /dcache6
/dev/da3s4d    7.8G   6.0G   1.1G    84%    /dcache7
/dev/da3s4e    7.8G   6.0G   1.2G    84%    /dcache8

My kernel was compiled the day before yesterday with some tuning options:

Commented:
options PAE
options MAXFILES=16384

In /boot/loader.conf file:
kern.ipc.msgmnb=16384 # Origin: 2048
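A squid.conf fragment that applies the two configuration changes Adrian recommends above (a much smaller cache_mem and one aufs cache_dir per physical disk). This is an added example, not configuration posted in the thread. The mount points and sizes are assumptions: they presume each of the three cache disks (da1, da2, da3) is re-made as a single filesystem rather than the eight 7.8 GB partitions shown in the df output.

```conf
# Added example, not from the thread. Paths and sizes are assumptions.

# cache_mem is only the in-memory object cache. Squid's metadata index for
# every on-disk object and its per-request buffers come on top of it, so a
# large value here combined with 24 cache_dirs is what pushes the process
# past the size at which FreeBSD starts refusing allocations.
cache_mem 256 MB

# One cache_dir per spindle, using aufs (thread-pool disk I/O) instead of
# diskd, which relies on SysV message queues and shared memory
# (the kern.ipc.msg* tunables). Each cache disk showed about 62 GB of space
# in the df output; 50000 MB leaves headroom so the cache never fills the
# filesystem. Format: cache_dir aufs <path> <Mbytes> <L1 dirs> <L2 dirs>
cache_dir aufs /bcache 50000 64 256
cache_dir aufs /ccache 50000 64 256
cache_dir aufs /dcache 50000 64 256
```

Two practical points when applying this: aufs needs a Squid built with --enable-storeio=aufs (and pthreads on FreeBSD), and any change to the cache_dir lines must be followed by stopping Squid and running squid -z to create the new swap directories, which discards the objects in the old 8 GB dirs. For the statistics Adrian asks for, the cachemgr info and storedir pages, or SNMP via snmp_port if Squid was built with --enable-snmp, give the counters worth graphing.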
Re: [squid-users] Authentication Hack
I believe that this is the thing that is defeating me at the moment. I cannot get my error page form to call my CGI script: http://www.mail-archive.com/squid-users@squid-cache.org/msg53327.html
[squid-users] bypass parent proxy for some urls - dstdomains
Hello, I apologize if this has been answered before, but I have been unable to find anything. I am trying to set up the following:

Lan - Squid - Parent Proxy (ISP)

I have basically added the following lines to the squid.conf file:

cache_peer parentcache.foo.com parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

and all traffic is going through the parent proxy. However, I would like to be able to set up an ACL in order to allow some websites to go through directly, without going through the parent proxy. So basically what I need is the following: check the destination to see if it is allowed to bypass the parent proxy (or access denied, or blocked); if no ACL exists, then forward the request to the parent proxy.

Any and all help would be greatly appreciated; please let me know if you need more info.

thanks,
paul

This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.
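One way to build the split Paul describes, given here as an added example rather than as a reply from the thread. The cache_peer line is the one from the question; the domain names are placeholders.

```conf
# Added example, not from the thread. Domain names are placeholders.

# ISP parent from the question. "default" makes it the peer of last resort
# when no other peer is selected.
cache_peer parentcache.foo.com parent 3128 0 no-query default

acl all src 0.0.0.0/0.0.0.0

# Destinations that must not be reached at all. This http_access deny has
# to appear before any http_access allow line for the LAN, otherwise the
# allow wins and the request is forwarded.
acl blocked_sites dstdomain .blocked.example
http_access deny blocked_sites

# Destinations to fetch directly, bypassing the parent. A leading dot
# matches the domain itself and every subdomain.
acl direct_sites dstdomain .intranet.example .example.com

# Squid consults always_direct before never_direct: a match on direct_sites
# forces DIRECT, and everything else is forced through the parent.
always_direct allow direct_sites
never_direct allow all
```

Two caveats worth knowing. dstdomain matches the host name in the request URL, so a URL written with a bare IP address will not match a name-based list; use a dst ACL for those. And with never_direct allow all and a single parent, Squid has nowhere to fall back to if the parent is down, so requests outside direct_sites fail rather than quietly going DIRECT, which is the desired behaviour when the ISP proxy is mandatory.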
[squid-users] Need help
Dear All, Can anyone suggest any free software to monitor squid which will show all information like CPU usage, memory usage, number of hits, the IP addresses requests are coming from, top users, top sites, and top bandwidth? Please reply to me; I will be grateful to you. -- Regards Piyush Joshi 9415414376
[squid-users] Problem with SSL/Http and Squid in Reverse Proxy
I have set up Squid3 with SSL as a reverse proxy. SSL works as expected, but when a backend server has hardcoded links inside a web application like http://bla.bla.bla, the URL changes when the user clicks on this link and you have no more SSL, only HTTP! Can you force it to use only SSL, even if there are hardcoded links inside the application?
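A reverse-proxy squid.conf that keeps the site on HTTPS even when the application emits http:// links, added here as an example and not taken from the thread. The host name, certificate paths and backend address are placeholders. The root cause is that the backend only ever sees plain HTTP from Squid, so it builds absolute links with http://; the configuration below both tells the backend it is behind HTTPS and bounces any plain-HTTP request back to HTTPS.

```conf
# Added example, not from the thread. Names, paths and addresses are placeholders.

# HTTPS front end that clients use.
https_port 443 accel cert=/usr/local/squid/etc/www.example.com.crt key=/usr/local/squid/etc/www.example.com.key defaultsite=www.example.com vhost

# Plain HTTP front end, kept only so that hardcoded http:// links can be
# redirected to HTTPS instead of being served in the clear.
http_port 80 accel defaultsite=www.example.com vhost

# Squid talks plain HTTP to the backend. front-end-https=on makes Squid add
# "Front-End-Https: On", which IIS/ASP.NET applications honour when building
# absolute URLs. Other application stacks need their own base-URL setting.
cache_peer 10.0.0.10 parent 80 0 no-query originserver front-end-https=on name=webapp

acl our_sites dstdomain www.example.com
acl on_http myport 80

# Any request that arrived on port 80 is answered with a redirect to the
# HTTPS site. deny_info with a URL sends a 302 in Squid 2.6/3.0; newer
# releases also accept a status prefix and format tags (see your version's
# squid.conf.documented) to preserve the requested path.
deny_info https://www.example.com/ on_http
http_access deny on_http

http_access allow our_sites
http_access deny all

cache_peer_access webapp allow our_sites
cache_peer_access webapp deny all
```

The redirect is a safety net, not the fix: a user who follows an http:// link still sends one request in the clear before being redirected, so the application should be made to generate https:// links itself (via the Front-End-Https header where the backend understands it, or its own configured canonical URL otherwise). Listing the host name in both our_sites and cache_peer_access also stops the accelerator being used as an open proxy for arbitrary Host headers.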