Re: [squid-users] Authentication Hack

2008-03-05 Thread Michael Graham

Dave Coventry wrote:

I believe that this is the thing that is defeating me at the moment.


I'm not sure how easy it would be to get the post to your cgi to work. 
You'll need to post absolutely (action="http://") rather than 
relatively.


But I think you would be better off using the deny_info http://... 
form of deny_info.  Something like


deny_info http://myhost/login.cgi?url=%s ipauthACL

then the login page will be your cgi script and as an added bonus you'll 
get url set as the original url that caused the deny.  Then you can 
redirect to it after a successful login.




Re: [squid-users] Authentication Hack

2008-03-05 Thread Dave Coventry
On Wed, Mar 5, 2008 at 11:20 AM, Michael Graham wrote:
  deny_info http://myhost/login.cgi?url=%s ipauthACL

  then the login page will be your cgi script and as an added bonus you'll
  get url set as the original url that caused the deny.  Then you can
  redirect to it after a successful login.



Okay, thanks. I'll try that.

However, it appears that, when the screen goes blank (ie, when I'm
expecting my login page to appear), it's actually crashing Squid.

I've revised my helper script slightly (the STDIN apparently has a
newline which confused the script):

#!/usr/bin/perl
$| = 1;                # unbuffered output
$ip = <STDIN>;         # one request line from Squid
chomp($ip);            # strip the trailing newline in place
$ipfile = '/var/www/apache2-default/cgi-bin/ips/'.$ip;
#print $ipfile;
if (-e $ipfile) { print "OK\n"; }
else { print "ERR : ".$ip."\n"; }

This appears in the cache.log:

2008/03/05 11:33:44| WARNING: ipauth #1 (FD 7) exited
2008/03/05 11:33:44| WARNING: ipauth #2 (FD 8) exited
2008/03/05 11:33:44| WARNING: ipauth #3 (FD 9) exited
2008/03/05 11:33:44| Too few ipauth processes are running
2008/03/05 11:33:44| storeDirWriteCleanLogs: Starting...
2008/03/05 11:33:44|   Finished.  Wrote 195 entries.
2008/03/05 11:33:44|   Took 0.0 seconds (874439.5 entries/sec).
FATAL: The ipauth helpers are crashing too rapidly, need help!

Squid Cache (Version 2.6.STABLE18): Terminated abnormally.

Squid then seems to restart without a problem. (Which is why I thought
the redirection behaviour was to blame.)

Damned if I can see what is going wrong

Thanks again for your assistance.


Re: [squid-users] Authentication Hack

2008-03-05 Thread Michael Graham

Dave Coventry wrote:

#!/usr/bin/perl
$| = 1;                # unbuffered output
$ip = <STDIN>;         # one request line from Squid
chomp($ip);            # strip the trailing newline in place
$ipfile = '/var/www/apache2-default/cgi-bin/ips/'.$ip;
#print $ipfile;
if (-e $ipfile) { print "OK\n"; }
else { print "ERR : ".$ip."\n"; }

This appears in the cache.log:

2008/03/05 11:33:44| WARNING: ipauth #1 (FD 7) exited
2008/03/05 11:33:44| WARNING: ipauth #2 (FD 8) exited
2008/03/05 11:33:44| WARNING: ipauth #3 (FD 9) exited
2008/03/05 11:33:44| Too few ipauth processes are running
2008/03/05 11:33:44| storeDirWriteCleanLogs: Starting...
2008/03/05 11:33:44|   Finished.  Wrote 195 entries.
2008/03/05 11:33:44|   Took 0.0 seconds (874439.5 entries/sec).
FATAL: The ipauth helpers are crashing too rapidly, need help!


(Sorry Dave I keep hitting reply and not reply to list)

External helpers are not supposed to exit once they have completed a
request.  Your perl script should read from stdin then write OK/ERR then
wait for more input.

Cheers,
Mick


Re: [squid-users] Authentication Hack

2008-03-05 Thread Dave Coventry
Thanks, Mick.

On Wed, Mar 5, 2008 at 12:08 PM, Michael Graham wrote:
  (Sorry Dave I keep hitting reply and not reply to list)
Yes, I keep doing that :)

  External helpers are not supposed to exit once they have completed a
  request.  Your perl script should read from stdin then write OK/ERR then
  wait for more input.
Ah!

So this should work?

#!/usr/bin/perl
while(1){
  $| = 1;                # unbuffered output
  $ip = <STDIN>;         # one request line from Squid
  chomp($ip);            # strip the trailing newline in place
  $ipfile = '/var/www/apache2-default/cgi-bin/ips/'.$ip;
  #print $ipfile;
  if (-e $ipfile) { print "OK\n"; }
  else { print "ERR : ".$ip."\n"; }
}

I'll try it right now.


Re: [squid-users] Authentication Hack

2008-03-05 Thread Adrian Chadd
Uhm, try:

#!/usr/bin/perl -w

use strict; # (because you should!)

$| = 1;

while (<STDIN>) {
    chomp;
    my ($ip) = $_;
    # XXX should verify IP is an IP and not something nasty!
    ...
}

The question then is how to query a cgi from a helper. I'd try the LWP stuff
in Perl to talk to a cgi-bin ; what you've done there is try to read a file,
not call a cgi-bin. :)



Adrian


-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
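
Added example (not part of the thread, and not code from Squid or from any poster): a complete external ACL helper in Perl that follows the two pieces of advice above. It stays in a read loop until Squid closes the pipe, and it validates the address before using it in a file path. The squid.conf wiring in the comments, the helper path and the --selftest switch are assumptions of this example; the marker directory is the one from Dave's script.

```perl
#!/usr/bin/perl
# Added example, not from the thread: external ACL helper for Squid.
# Assumed squid.conf wiring (helper path is hypothetical):
#   external_acl_type ipauth %SRC /usr/local/bin/ipauth-helper
#   acl ipauthACL external ipauth
use strict;
use warnings;
use IO::Handle;

# Marker files written by the login CGI (directory taken from Dave's script).
my $IP_DIR = '/var/www/apache2-default/cgi-bin/ips';

# Return the string if it is a dotted-quad IPv4 address, otherwise undef.
# Anything containing '/', '..' or other characters never reaches the path.
sub valid_ipv4 {
    my ($s) = @_;
    return unless defined $s;
    my @octets = $s =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
        or return;
    return if grep { $_ > 255 } @octets;
    return $s;
}

# Decide the reply for one request line sent by Squid.
sub answer {
    my ($line, $dir) = @_;
    my ($token) = split ' ', $line;      # first field only; extras are ignored
    my $ip = valid_ipv4($token);
    return 'ERR' unless defined $ip;     # malformed input is denied, not looked up
    my $known = -e "$dir/$ip";
    return $known ? 'OK' : 'ERR';
}

# Serve requests until EOF. Squid keeps the pipe open and sends many lines,
# so the helper must not exit after the first answer.
sub serve {
    my ($in, $out, $dir) = @_;
    $out->autoflush(1);                  # each reply must reach Squid immediately
    while (my $line = <$in>) {
        chomp $line;
        print {$out} answer($line, $dir), "\n";   # exactly one reply line per request
    }
    return;
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Command-line check against a throwaway directory and constructed input.
    require File::Temp;
    my $dir = File::Temp::tempdir(CLEANUP => 1);
    open my $fh, '>', "$dir/192.0.2.10" or die "cannot create marker: $!";
    close $fh;
    for my $line ('192.0.2.10', '192.0.2.11', '../../etc/passwd', '999.1.1.1', '') {
        printf "%-20s -> %s\n", "'$line'", answer($line, $dir);
    }
} else {
    serve(\*STDIN, \*STDOUT, $IP_DIR);
}
```

Run with --selftest, only the first constructed line has a marker file and a valid address, so it is the only one answered with OK.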


Re: [squid-users] Need help

2008-03-05 Thread Adrian Chadd
There's no (one) piece of software that does this yet. A combination of
various bits of free software can do all of this.



Adrian

On Wed, Mar 05, 2008, piyush joshi wrote:
 Dear All,
   Can anyone suggest me any free software to monitor squid
 which will show all information like CPU usage, Memory Usage, No of
 hits, IP address where from request is coming top users, Top sites,
 Top Bandwidth . Please reply to me I will be grateful to you ..
 
 -- 
 Regards
 
 Piyush Joshi
 9415414376



Re: [squid-users] Need help

2008-03-05 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi friends

Try Webmin

http://freshmeat.net/projects/webmin/

You can manage a lot of things through a graphic console.

Hope it helps.

Regards,


Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117


The great secret of life is to spend it in something that endures more than 
itself

In the box was written: Windows NT, 2000 or better. So I installed Linux
Knowing is not enough, we must apply. Willing is not enough, we must do.



Re: [squid-users] Authentication Hack

2008-03-05 Thread Dave Coventry
Thanks Adrian,

On Wed, Mar 5, 2008 at 1:31 PM, Adrian Chadd wrote:
 Uhm, try:

  #!/usr/bin/perl -w

  use strict; # (because you should!)
Point taken.


  $| = 1;

  while (<STDIN>) {
 chomp;
 my ($ip) = $_;
 # XXX should verify IP is an IP and not something nasty!
 ...
  }

I'll try it!

  The question then is how to query a cgi from a helper. I'd try the LWP stuff
  in Perl to talk to a cgi-bin ; what you've done there is try to read a file,
  not call a cgi-bin. :)

My understanding is that Squid checks the helper to carry out a check
against the IP, User, etc according to the FORMAT parameter to test
that they belong to an acl, based on OK or ERR. My script was just a
simple test against the existence of a file generated by a cgi script
called by the ACCESS_DENIED error page replacement.

If you can see a way to short-cut this, please tell me more!

As far as I can see, though, Squid is looking for either OK or ERR and
ignores anything else


Re: [squid-users] Authentication Hack

2008-03-05 Thread Adrian Chadd
On Wed, Mar 05, 2008, Dave Coventry wrote:

   The question then is how to query a cgi from a helper. I'd try the LWP stuff
   in Perl to talk to a cgi-bin ; what you've done there is try to read a file,
   not call a cgi-bin. :)
 
 My understanding is that Squid checks the helper to carry out a check
 against the IP, User, etc according to the FORMAT parameter to test
 that they belong to an acl, based on OK or ERR. My script was just a
 simple test against the existence of a file generated by a cgi script
 called by the ACCESS_DENIED error page replacement.

Ok, then the rest of the code should be ok. You can run it at the command
line to see if it's doing the right thing.




Adrian



Re: [squid-users] Need help

2008-03-05 Thread Preetish
To find out about the Performance of squid install cache manager.
To  monitor the surfing habits install sarg.




Re: [squid-users] Need help

2008-03-05 Thread Ben Hollingsworth

piyush joshi wrote:

Dear All,
  Can anyone suggest me any free software to monitor squid
which will show all information like CPU usage, Memory Usage, No of
hits, IP address where from request is coming top users, Top sites,
Top Bandwidth . Please reply to me I will be grateful to you ..
  


We use a combination of calamaris and cacti/SNMP to get all those stats.



[squid-users] Getting username from NTLM but ignore domain and password?

2008-03-05 Thread Adrian
Hi,

I want to create an authenticator in perl - I don't want people
to have to manually type usernames and passwords,  I just
hope to grab their usernames from the NTLM and trust that
they haven't installed a browser that can't supply the
credentials automatically like IE.

There are a number of different domains too so I want to be
able to accept them all..  Is there a way to get IE to send the
username that squid passes onto an external authentication
module?  The authenticator will permit any password - I just
want it to capture the username.

The idea is that the proxy stays transparent but I can still
see the usernames in the log files if I need to.

I'd really appreciate any tips.

Thanks,
Adrian.


Re: [squid-users] Problem with SSL/Http and Squid in Reverse Proxy

2008-03-05 Thread Ben Hollingsworth

Kaddu, Patrick wrote:

I have set up Squid3 with SSL as a Reverse Proxy, SSL works as expected,
but when a backend server has hardcoded links inside a web application
like http://bla.bla.bla , the url changes when the user clicks on this
link and you have no more ssl, only http! 


Can you force to use only ssl, even if there are hardcoded links inside
the application?
  


We've run into the same problem, and have only partially solved it.  For 
simple web pages, we setup squid to listen on port 80.  We then 
configured a rewriter that replaces "http://" in any URL's with 
"301:https://" to send a permanent redirect back to the client (see below).


The problem comes with form submissions.  The HTTP spec prohibits 
clients from changing the URL of POST requests without confirming with 
the user (see section 10.3.2 & 10.3.4 of RFC 2616: 
http://www.ietf.org/rfc/rfc2616.txt?number=2616 ).  Neither IE nor 
Firefox bother confirming this, and instead just change the method to 
GET, which drops all the form variables on the floor.  In short, form 
submissions that hardcode the "http://" won't work using this method.  
You can find my thread on this topic in the archives between 23 Jan - 1 
Feb 2008.  I'd love to hear any suggestions around it, as it's a deal 
breaker for us on this project.


In squid.conf:
url_rewrite_program /usr/local/bin/rewrite-http

 cat /usr/local/bin/rewrite-http
#!/usr/bin/perl
#
# URL rewriter for squid to convert HTTP requests to HTTPS.
# Return an HTTP permanent redirect back to the browser.
# http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
#
$| = 1;
while (<>) {
   s/^http:/301:https:/;   # replace http with https
   print;
}




RE: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Anthony Tonns
You want something like this:

http_port 80 defaultsite=www.example.com vhost
https_port 443 cert=example.crt key=example.key defaultsite=www.example.com vhost
#
acl example_sites dstdomain www.example.com example.com
acl example_ssl proto HTTPS
#
cache_peer 127.0.0.1 parent 1443 0 no-query originserver ssl name=example_ssl
cache_peer_access example_ssl allow example_sites example_ssl
#
cache_peer 127.0.0.1 parent 1080 0 no-query originserver name=example_http
cache_peer_access example_http allow example_sites

 -Original Message-
 From: Nick Duda [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, March 04, 2008 5:11 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Configuring reverse proxy for both 80/443
 
 I seem to be stumped. I need to reverse proxy for one internal server
 that listens on both 80 and 443. How can I configure squid to proxy for
 the same cache-peer on both 80 and 443? As far as I can see you can only
 specify one protocol per cache-peer line. I think I am missing
 something.
 
 - Nick


Re: [squid-users] RELEASE/304 messages in store.log

2008-03-05 Thread Chris Woodfield

You are correct, this appears to be what is happening.

This breaks my initial assumptions about store.log entries, however -  
instead of only logging objects either stored or removed from cache,  
it's logging the disposition of each incoming request, showing  
whether or not the request is cached or not. Is this a correct  
understanding, or is it even more involved than that?


More specifically, if we use cache ACLs to declare certain objects  
uncacheable, will they get logged with RELEASE lines in store.log as  
well?


Also, is there a way to only log objects that are added or removed  
from cache storage?


-C

On Mar 4, 2008, at 10:52 PM, Adrian Chadd wrote:


Check to see if the object is actually in cache. I bet that the
RELEASE line you're seeing is the temporary store entry that was
created purely to return the 304 message.



Adrian

On Tue, Mar 04, 2008, Chris Woodfield wrote:

Hi,

We recently added the reload-into-ims directive to our squid config
after noticing that a large number of queries were coming in with
No-Cache set, killing our cache efficiency. We have a relatively short
max-age set, working on the assumption that the If-Modified-Since will
keep the unchanging content from being continually refreshed.

Looking in our store.log, however, we're seeing lots of this:

1204650204.462 RELEASE -1  2435DD617A6A5750936E71A36D77AF8F
304 1204635071 1204057533-1 image/jpeg -1/0 GET
http://example.com/object.jpg

I'm unsure of the meaning of this. The RELEASE line suggests that
the object in question was deleted from the cache store, but the 304
suggests that a 304 Not-Modified was sent to the client.

Any insights? I can't imagine that the object should be purged from
cache if a Not-Modified is returned, but I can't tell if it actually
is or not...

-C








RE: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Nick Duda
Still not working properly. Here is what my configuration looks like,
followed by what it is doing:

http_port 80 defaultsite=www.insideserver.com vhost
https_port 443 cert=/path/to/cert/example.crt key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
#
acl example_sites dstdomain www.insideserver.com ssl.insiderserver.com
acl example_ssl proto HTTPS
#
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl name=example_ssl
cache_peer_access example_ssl allow example_sites example_ssl
#
cache_peer 192.168.0.10 parent 1080 0 no-query originserver name=example_http
cache_peer_access example_http allow example_sites


I set up an entry in my host file:
68.x.x.x. www.insiderserver.com 

I open IE and browse to www.insiderserver.com and it works, no problem.
I browse to ssl.inisdeserver.com which is the same server as
www.insideserver.com but requires SSL to connect and IE just
spins... thinking over and over. I look at the access.log on the proxy
and over and over it keeps trying to make a connection, but it's saying
example_http even though I'm trying for the SSL version

TCP_MISS/302 574 GET https://ssl.insideserver.com -
FIRST_UP_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
ANY_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
FIRST_UP_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
ANY_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
FIRST_UP_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
ANY_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
FIRST_UP_PARENT/example_http text/html
TCP_MISS/302 574 GET https://ssl.insideserver.com -
ANY_PARENT/example_http text/html






[squid-users] port problem (I guess)

2008-03-05 Thread Mario Salazar Baños

I have this line in access.log:

TCP_DENIED/400 1667 POST 
http://idse.imss.gob.mx:-1/imss/servlet/gob.imss.idse.afilia.modelos.ModeloAfiliaMovimientos 
- NONE/- text/html


and in my cache.log:

 The reply for POST 
http://idse.imss.gob.mx:-1/imss/servlet/gob.imss.idse.afilia.modelos.ModeloAfiliaMovimientos 
is ALLOWED, because it matched 'all'


In my squid.conf I have an acl with all .gob.mx domain and http_access 
allow to this acl.


And I can't access this page; without the proxy I have access to this page.


Re: [squid-users] port problem (I guess)

2008-03-05 Thread Adrian Chadd
Can you please do a tcpdump of the request from the client and see if it's really asking
for a port -1?

Thanks,



Adrian



Re: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Justin Lintz
Nick,

Try creating a separate dstdomain acl for the ssl.insiderserver.com
and allow that for your cache_peer_access for the ssl connection

- Justin


-- 
- Justin Lintz


RE: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Nick Duda
Didn't seem to help, in fact with that I get Connection to example_ssl
failed. The system returned: (71) Protocol error

My config looks like this now:

http_port 80 defaultsite=www.insideserver.com vhost
https_port 443 cert=/path/to/cert/example.crt key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
#
acl example_sites dstdomain www.insideserver.com
acl ssl_site dstdomain ssl.insiderserver.com
acl example_ssl proto HTTPS
#
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl name=example_ssl
cache_peer_access example_ssl allow ssl_site example_ssl
#
cache_peer 192.168.0.10 parent 1080 0 no-query originserver name=example_http
cache_peer_access example_http allow example_sites




RE: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Nick Duda
Think I solved it...I probably should have mentioned that I was using a
self-signed cert. If I use the sslflags=DONT_VERIFY_PEER it works...now
I just need to use the SSLCAFILE= once I get the ca file.

- Nick
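
Added example (not part of the thread and not Squid project code): a Perl check that reads squid.conf text and reports, for each cache_peer, whether the connection to the origin is verified TLS, TLS with verification switched off by sslflags=DONT_VERIFY_PEER (the workaround above), or plain HTTP. The sample configuration, the second peer name and the CA file path in it are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: audit cache_peer TLS verification.
use strict;
use warnings;

# Return one hashref per cache_peer directive found in the config text.
# Directive layout: cache_peer HOST TYPE HTTP-PORT ICP-PORT [options...]
sub parse_cache_peers {
    my ($conf) = @_;
    my @peers;
    for my $line (split /\n/, $conf) {
        $line =~ s/#.*//;                          # strip comments
        my @f = split ' ', $line;
        next unless @f >= 5 && $f[0] eq 'cache_peer';
        my %opt;
        for my $tok (@f[5 .. $#f]) {
            my ($key, $val) = split /=/, $tok, 2;
            $opt{$key} = defined $val ? $val : 1;  # bare flags such as "ssl"
        }
        push @peers, {
            name => (defined $opt{name} ? $opt{name} : $f[1]),
            host => $f[1],
            port => $f[3],
            opt  => \%opt,
        };
    }
    return @peers;
}

# Classify how the proxy authenticates the origin server for one peer.
sub tls_status {
    my ($peer) = @_;
    my $opt = $peer->{opt};
    return 'PLAINTEXT' unless $opt->{ssl};
    my $flagstr = defined $opt->{sslflags} ? $opt->{sslflags} : '';
    my %flag = map { $_ => 1 } split /[,:]/, $flagstr;
    return 'UNVERIFIED' if $flag{DONT_VERIFY_PEER};
    return 'VERIFIED';
}

# Build one report line per peer.
sub report {
    my ($conf) = @_;
    my @lines;
    for my $peer (parse_cache_peers($conf)) {
        my $status = tls_status($peer);
        my $ca     = $peer->{opt}{sslcafile};
        my $note   = '';
        if ($status eq 'UNVERIFIED') {
            $note = ' - any certificate is accepted; replace with sslcafile=';
        } elsif ($status eq 'VERIFIED') {
            $note = defined $ca ? " - checked against $ca"
                                : ' - no sslcafile, default CAs only';
        }
        push @lines, sprintf '%-10s %s (%s:%s)%s',
            $status, $peer->{name}, $peer->{host}, $peer->{port}, $note;
    }
    return @lines;
}

# Constructed sample: the workaround from the thread, a verified variant,
# and the plain HTTP peer.
my $SAMPLE = <<'CONF';
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=example_ssl
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl sslcafile=/path/to/ca/example-ca.pem name=example_ssl_verified
cache_peer 192.168.0.10 parent 1080 0 no-query originserver name=example_http
CONF

unless (caller) {
    print "$_\n" for report($SAMPLE);
}
```

With a self-signed origin certificate, the verified variant needs that certificate (or the CA that issued it) in the file named by sslcafile=.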

-Original Message-
From: Nick Duda 
Sent: Wednesday, March 05, 2008 12:28 PM
To: Justin Lintz
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Configuring reverse proxy for both 80/443

Didn't seem to help, in fact with that I get Connection to example_ssl
failed. The system returned: (71) Protocol error

My config looks like this now:

http_port 80 defaultsite=www.insideserver.com vhost
https_port 443 cert=/path/to/cert/example.crt
key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
#
acl example_sites dstdomain www.insideserver.com 
acl ssl_site dstdomain ssl.insiderserver.com
acl example_ssl proto HTTPS
#
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl
name=example_ssl
cache_peer_access example_ssl allow ssl_site example_ssl
#
cache_peer 192.168.0.10 parent 1080 0 no-query originserver
name=example_http
cache_peer_access example_http allow example_sites


-Original Message-
From: Justin Lintz [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2008 12:19 PM
To: Nick Duda
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Configuring reverse proxy for both 80/443

Nick,

Try creating a seperate dstdomain acl for the ssl.insiderserver.com
and allow that for your cache_peer_access for the ssl connection

- Justin

On Wed, Mar 5, 2008 at 11:35 AM, Nick Duda [EMAIL PROTECTED] wrote:
 Still not working properly. Here is what my configuration looks like,
 followed by what it is doing:

 http_port 80 defaultsite=www.insideserver.com vhost
 https_port 443 cert=/path/to/cert/example.crt
 key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
 #
 acl example_sites dstdomain www.insideserver.com ssl.insiderserver.com
 acl example_ssl proto HTTPS
 #
 cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl
 name=example_ssl
 cache_peer_access example_ssl allow example_sites example_ssl
 #
 cache_peer 192.168.0.10 parent 1080 0 no-query originserver
 name=example_http
 cache_peer_access example_http allow example_sites


 I setup an entry in my host file:
 68.x.x.x. www.insiderserver.com

 I open IE and browse to www.insiderserver.com and it works, no problem.
 I browse to ssl.inisdeserver.com which is the same server as
 www.insideserver.com but requires SSL to connect and IE just
 spins, thinking over and over. I look at the access.log on the proxy
 and over and over it keeps trying to make a connection, but it's saying
 example_http even though I'm trying for the SSL version

 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html




 -Original Message-
 From: Anthony Tonns [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 05, 2008 10:44 AM
 To: squid-users@squid-cache.org
 Subject: RE: [squid-users] Configuring reverse proxy for both 80/443

 You want something like this:

 http_port 80 defaultsite=www.example.com vhost
 https_port 443 cert=example.crt key=example.key defaultsite=www.example.com vhost
 #
 acl example_sites dstdomain www.example.com example.com
 acl example_ssl proto HTTPS
 #
 cache_peer 127.0.0.1 parent 1443 0 no-query originserver ssl name=example_ssl
 cache_peer_access example_ssl allow example_sites example_ssl
 #
 cache_peer 127.0.0.1 parent 1080 0 no-query originserver name=example_http
 cache_peer_access example_http allow example_sites

  -Original Message-
  From: Nick Duda [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 04, 2008 5:11 PM
  To: squid-users@squid-cache.org
  Subject: [squid-users] Configuring reverse proxy for both 80/443
 
  I seem to be stumped. I need to reverse proxy for one internal server
  that listens on both 80 and 443. How can I configure squid to proxy for
  the same cache-peer on both 80 and 443? As far as I can see you can only
  specify one protocol per cache-peer line. I think I am missing
  something.
 
  - Nick




-- 
- Justin Lintz
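
The access.log excerpt quoted in this thread shows https:// requests being handed to the example_http peer. As an added example (not part of any poster's message), this shell function counts such relays in a Squid access.log. The sample log lines, client address and timestamps are constructed, and matching the hierarchy field on the word PARENT is an assumption that covers the two codes shown in the thread.

```shell
#!/usr/bin/env bash
# Added example: list HTTPS requests that Squid relayed to a peer that is not
# in the set of TLS-enabled cache_peer names.

# plaintext_relays LOGFILE TLS_PEER_NAME...
# Prints "count url -> peer" for every https:// request whose hierarchy field
# (e.g. FIRST_UP_PARENT/example_http) names a peer outside the TLS set.
plaintext_relays() {
    pr_log=$1; shift
    awk -v tls_peers="$*" '
        BEGIN {
            n = split(tls_peers, names, " ")
            for (i = 1; i <= n; i++) tls[names[i]] = 1
        }
        {
            url = ""; peer = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^https:\/\//)
                    url = $i
                else if ($i ~ /^[A-Z_]*PARENT[A-Z_]*\//)
                    peer = substr($i, index($i, "/") + 1)
            }
            # Only HTTPS requests that went to a named, non-TLS peer count.
            if (url != "" && peer != "" && !(peer in tls))
                hits[url " -> " peer]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$pr_log" | sort -k1,1nr -k2
}

# Constructed sample in Squid's native access.log layout, using the peer
# names from the thread (example_http is plaintext, example_ssl is TLS).
write_sample_log() {
    cat > "$1" <<'EOF'
1204734824.101 12 203.0.113.5 TCP_MISS/302 574 GET https://ssl.insideserver.com/ - FIRST_UP_PARENT/example_http text/html
1204734824.310 9 203.0.113.5 TCP_MISS/302 574 GET https://ssl.insideserver.com/ - ANY_PARENT/example_http text/html
1204734825.002 31 203.0.113.5 TCP_MISS/200 8120 GET http://www.insideserver.com/ - FIRST_UP_PARENT/example_http text/html
1204734826.440 40 203.0.113.5 TCP_MISS/200 2210 GET https://ssl.insideserver.com/login - FIRST_UP_PARENT/example_ssl text/html
EOF
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
plaintext_relays "$sample_log" example_ssl
rm -f "$sample_log"
```

Placing a `cache_peer_access example_http deny example_ssl` line ahead of the allow rule for that peer keeps HTTPS requests from being offered to the plaintext peer in the first place.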


RE: [squid-users] Configuring reverse proxy for both 80/443

2008-03-05 Thread Nick Duda
Any pointers on how to properly convert the .p12 of a Windows Cert
Authority server to the .pem that sslcafile= wants? I tried doing this
conversion using openssl and got the .pem file from it, but it doesn't
work. I'm using sslflags for now, which I know is vul. to man in the
middle.

- Nick



-Original Message-
From: Nick Duda 
Sent: Wednesday, March 05, 2008 1:01 PM
To: Nick Duda; Justin Lintz
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Configuring reverse proxy for both 80/443

Think I solved it...I probably should have mentioned that I was using a
self-signed cert. If I use the sslflags=DONT_VERIFY_PEER it works...now
I just need to use the SSLCAFILE= once I get the ca file.

- Nick

-Original Message-
From: Nick Duda 
Sent: Wednesday, March 05, 2008 12:28 PM
To: Justin Lintz
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Configuring reverse proxy for both 80/443

Didn't seem to help, in fact with that I get Connection to example_ssl
failed. The system returned: (71) Protocol error

My config looks like this now:

http_port 80 defaultsite=www.insideserver.com vhost
https_port 443 cert=/path/to/cert/example.crt key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
#
acl example_sites dstdomain www.insideserver.com
acl ssl_site dstdomain ssl.insiderserver.com
acl example_ssl proto HTTPS
#
cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl name=example_ssl
cache_peer_access example_ssl allow ssl_site example_ssl
#
cache_peer 192.168.0.10 parent 1080 0 no-query originserver name=example_http
cache_peer_access example_http allow example_sites


-Original Message-
From: Justin Lintz [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2008 12:19 PM
To: Nick Duda
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Configuring reverse proxy for both 80/443

Nick,

Try creating a separate dstdomain acl for the ssl.insiderserver.com
and allow that for your cache_peer_access for the ssl connection

- Justin

On Wed, Mar 5, 2008 at 11:35 AM, Nick Duda [EMAIL PROTECTED] wrote:
 Still not working properly. Here is what my configuration looks like,
 followed by what it is doing:

 http_port 80 defaultsite=www.insideserver.com vhost
 https_port 443 cert=/path/to/cert/example.crt key=/path/to/key/example.key defaultsite=ssl.insideserver.com vhost
 #
 acl example_sites dstdomain www.insideserver.com ssl.insiderserver.com
 acl example_ssl proto HTTPS
 #
 cache_peer 192.168.0.10 parent 443 0 no-query originserver ssl name=example_ssl
 cache_peer_access example_ssl allow example_sites example_ssl
 #
 cache_peer 192.168.0.10 parent 1080 0 no-query originserver name=example_http
 cache_peer_access example_http allow example_sites


 I setup an entry in my host file:
 68.x.x.x. www.insiderserver.com

 I open IE and browse to www.insiderserver.com and it works, no problem.
 I browse to ssl.inisdeserver.com which is the same server as
 www.insideserver.com but requires SSL to connect and IE just
 spins, thinking over and over. I look at the access.log on the proxy
 and over and over it keeps trying to make a connection, but it's saying
 example_http even though I'm trying for the SSL version

 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - FIRST_UP_PARENT/example_http text/html
 TCP_MISS/302 574 GET https://ssl.insideserver.com - ANY_PARENT/example_http text/html




 -Original Message-
 From: Anthony Tonns [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 05, 2008 10:44 AM
 To: squid-users@squid-cache.org
 Subject: RE: [squid-users] Configuring reverse proxy for both 80/443

 You want something like this:

 http_port 80 defaultsite=www.example.com vhost
 https_port 443 cert=example.crt key=example.key defaultsite=www.example.com vhost
 #
 acl example_sites dstdomain www.example.com example.com
 acl example_ssl proto HTTPS
 #
 cache_peer 127.0.0.1 parent 1443 0 no-query originserver ssl name=example_ssl
 cache_peer_access example_ssl allow example_sites example_ssl
 #
 cache_peer 127.0.0.1 parent 1080 0 no-query originserver name=example_http
 cache_peer_access example_http allow example_sites

  -Original Message-
  From: Nick Duda [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 04, 2008 5:11 PM
  To: squid-users@squid-cache.org
  Subject: [squid-users] Configuring reverse proxy for both 80/443
 
  I seem to be stumped. I need to reverse proxy for one internal
server
  that 
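
For the sslcafile= question in the message above, an added example (not from the thread or the Squid project) of extracting the CA certificate from a PKCS#12 export with openssl and checking that it validates the origin certificate, which is the check that sslflags=DONT_VERIFY_PEER switches off. File names, the password and the throwaway CA are constructed, and it assumes the .p12 actually contains the CA certificate.

```shell
#!/usr/bin/env bash
# Added example: pull the CA certificate(s) out of a PKCS#12 export and prove
# the resulting PEM file validates the origin certificate before pointing
# cache_peer sslcafile= at it. All names and passwords are constructed.

# Extract only CA certificates (no private key, no leaf certificate) and
# strip the "Bag Attributes" text that openssl prints around each one.
#   $1 = input .p12   $2 = import password   $3 = output .pem
p12_to_ca_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
    # Fail if the export held no CA certificate at all.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$3"
}

# Return 0 only if the server certificate chains to a CA in the PEM file.
#   $1 = CA bundle (.pem)   $2 = server certificate
ca_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixture inside directory $1: a throwaway CA, an origin
# certificate signed by it, a PKCS#12 export of both, and an unrelated CA.
make_fixture() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Constructed Internal CA" -keyout ca.key -out ca.crt &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=ssl.insideserver.com" -keyout origin.key -out origin.csr &&
      openssl x509 -req -in origin.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 2 -out origin.crt &&
      openssl pkcs12 -export -in origin.crt -inkey origin.key -certfile ca.crt \
          -passout pass:constructed -out export.p12 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Unrelated CA" -keyout other.key -out other.crt
    ) >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_fixture "$workdir" &&
    p12_to_ca_pem "$workdir/export.p12" constructed "$workdir/ca-from-p12.pem" &&
    ca_validates "$workdir/ca-from-p12.pem" "$workdir/origin.crt" &&
    echo "extracted CA validates the origin certificate; usable for sslcafile="
rm -rf "$workdir"
```

If `ca_validates` fails against the real origin certificate, the extracted file is not the issuing CA, and Squid's peer verification would fail the same way.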

Re: [squid-users] wccp v2 and cisco working info

2008-03-05 Thread domboy

So Nicholas, what exactly fixed your problem? I'm having an almost identical
problem as you were, except I'm trying to use a Cisco ASA5520 firewall
(which supports WCCPv2) with Squid 2.6.  I have tried re-writing the
iptables in multiple ways, but I don't think they ever get triggered. I
haven't tried changing squid to run on port 80 though. I might try that just
for the heck.

Thanks!
Dom


Ritter, Nicholas wrote:
 
  I have completed testing of our squid implementation...here is the Cisco
 information for the wiki. Unless someone objects, I would like to submit
 a detailed howto to squid-cache.org for CentOS 5.1 deployment. This
 solution is working VERY well.
 




[squid-users] How to Log Client IP's

2008-03-05 Thread Jonathan Caum
Hello all, I am having a problem with the client IP's being logged in
the access.log file.



I am using Squid with Dansguardian, and we would like to have Squid log 
the IP's of each computer going through squid, but at the moment, all
traffic appears to go through 127.0.0.1 in the log. How do I fix this, 
or what are some possible symptoms to this?



Thanks,
Jonathan Caum
Xpedeus, Inc.


Re: [squid-users] Getting username from NTLM but ignore domain and password?

2008-03-05 Thread Guido Serassio

Hi,

At 15:57 05/03/2008, Adrian wrote:
> Hi,
>
> I want to create an authenticator in perl - I don't want people
> to have to manually type usernames and passwords,  I just
> hope to grab their usernames from the NTLM and trust that
> they haven't installed a browser that can't supply the
> credentials automatically like IE.
>
> There is a number of different domains too so I want to be
> able to accept them all..  Is there a way to get IE to send the
> username that squid passes onto an external authentication
> module?  The authenticator will permit any password - I just
> want it to capture the username.
>
> The idea is that the proxy stays transparent but I can still
> see the usernames in the log files if I need to.
>
> I'd really appreciate any tips.

Such NTLM authenticator is already in Squid: fakeauth.

Regards

Guido

> Thanks,
> Adrian.



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



RE: [squid-users] Multi ISP Load Balancing Problem

2008-03-05 Thread Guido Serassio

Hi,

At 19:58 04/03/2008, Lazuardi Nasution wrote:
> Hi,
>
> I'm using Windows 2000 with Service Pack 4.

Server, right ?

> If you think that it is a file
> descriptor problem, why does this problem appear when I install 3 Squid Services
> but not happen on previous configuration which install one Squid Service
> only ? I don't understand about select(). The Loop related error has been
> solved by not using ICP between Main to both Parent and Parent to Parent
> sibling relationship.

I think that you are pushing too much squid under Windows.

> But the performance with 3 Squid Services still bad.

select() is the worst of the Squid comm loops.

For a really high performance cache, you should use another OS.
Please note that I'm writing this as the maintainer of the Windows
port of Squid  :-)

Regards

Guido






Re: [squid-users] port problem (I guess)

2008-03-05 Thread Mario Salazar Baños

Adrian Chadd wrote:
> Can you please do a tcpdump of the request from the client and see if it's
> really asking for a port -1?
>
> Thanks,
>
> Adrian
>
> On Wed, Mar 05, 2008, Mario Salazar Baños wrote:
>> I have this line in access.log:
>>
>> TCP_DENIED/400 1667 POST http://idse.imss.gob.mx:-1/imss/servlet/gob.imss.idse.afilia.modelos.ModeloAfiliaMovimientos - NONE/- text/html
>>
>> and in my cache.log:
>>
>> The reply for POST http://idse.imss.gob.mx:-1/imss/servlet/gob.imss.idse.afilia.modelos.ModeloAfiliaMovimientos is ALLOWED, because it matched 'all'
>>
>> In my squid.conf I have an acl with all .gob.mx domain and http_access
>> allow to this acl.
>>
>> And I can't access this page, without proxy I have access to this page.

Here is tcpdump file, host 192.168.13.77 gateway 192.168.13.13 squid
192.168.13.4



14:47:55.398717 IP (tos 0x0, ttl 128, id 1053, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.77.1287 > 192.168.13.4.3128: ., cksum 0x58f8 (correct), ack 759 win 64777
14:47:58.101335 IP (tos 0x0, ttl 128, id 1059, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.13.77.1289 > 192.168.13.4.3128: S, cksum 0x3b31 (correct), 2852319496:2852319496(0) win 65535 <mss 1460,nop,nop,sackOK>
14:47:58.101368 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.13.4.3128 > 192.168.13.77.1289: S, cksum 0xed86 (correct), 1547360910:1547360910(0) ack 2852319497 win 5840 <mss 1460,nop,nop,sackOK>
14:47:58.101509 IP (tos 0x0, ttl 128, id 1060, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.77.1289 > 192.168.13.4.3128: ., cksum 0x311b (correct), ack 1 win 65535
14:47:58.104496 IP (tos 0x0, ttl 128, id 1061, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:47:58.104511 IP (tos 0xc0, ttl  64, id 35054, offset 0, flags [none], proto: ICMP (1), length: 106) 192.168.13.4 > 192.168.13.77: ICMP 192.168.13.4 udp port 137 unreachable, length 86
   IP (tos 0x0, ttl 128, id 1061, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:47:59.603949 IP (tos 0x0, ttl 128, id 1062, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:47:59.603986 IP (tos 0xc0, ttl  64, id 35055, offset 0, flags [none], proto: ICMP (1), length: 106) 192.168.13.4 > 192.168.13.77: ICMP 192.168.13.4 udp port 137 unreachable, length 86
   IP (tos 0x0, ttl 128, id 1062, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:48:01.104005 IP (tos 0x0, ttl 128, id 1063, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:48:01.104041 IP (tos 0xc0, ttl  64, id 35056, offset 0, flags [none], proto: ICMP (1), length: 106) 192.168.13.4 > 192.168.13.77: ICMP 192.168.13.4 udp port 137 unreachable, length 86
   IP (tos 0x0, ttl 128, id 1063, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.13.77.137 > 192.168.13.4.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:48:02.604791 IP (tos 0x0, ttl 128, id 1064, offset 0, flags [DF], proto: TCP (6), length: 490) 192.168.13.77.1289 > 192.168.13.4.3128: P 1:451(450) ack 1 win 65535
14:48:02.604825 IP (tos 0x0, ttl  64, id 44468, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.4.3128 > 192.168.13.77.1289: ., cksum 0x1639 (correct), ack 451 win 6432
14:48:02.604842 IP (tos 0x0, ttl 128, id 1065, offset 0, flags [DF], proto: TCP (6), length: 506) 192.168.13.77.1289 > 192.168.13.4.3128: P 451:917(466) ack 1 win 65535
14:48:02.604850 IP (tos 0x0, ttl  64, id 44469, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.4.3128 > 192.168.13.77.1289: ., cksum 0x1037 (correct), ack 917 win 7504
14:48:02.605222 IP (tos 0x0, ttl  64, id 44470, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.13.4.3128 > 192.168.13.77.1289: . 1:1461(1460) ack 917 win 7504
14:48:02.605232 IP (tos 0x0, ttl  64, id 44471, offset 0, flags [DF], proto: TCP (6), length: 247) 192.168.13.4.3128 > 192.168.13.77.1289: P 1461:1668(207) ack 917 win 7504
14:48:02.605336 IP (tos 0x0, ttl  64, id 44472, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.4.3128 > 192.168.13.77.1289: F, cksum 0x09b3 (correct), 1668:1668(0) ack 917 win 7504
14:48:02.605991 IP (tos 0x0, ttl 128, id 1066, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.77.1289 > 192.168.13.4.3128: ., cksum 0x2704 (correct), ack 1668 win 65535
14:48:02.605998 IP (tos 0x0, ttl 128, id 1067, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.13.77.1289 > 192.168.13.4.3128: ., cksum 0x2703 (correct), ack 1669 win 65535




--


Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Mark Nottingham


On 05/03/2008, at 1:39 PM, Amos Jeffries wrote:

>> Well,
>>
>> I am interested in speed, features and ICAP.
>> So I like -2 and -3 to merge.
>>
>> It seems to me that for the sake of being polite with each other
>> we do not want to call the -2 / -3 issue a fork, but effectively
>> it really is a fork.
>>
>> So here is my question back to the main maintainers:
>> do you want to undo the fork and merge ?
>> Note this: for a merge there are 2 ways:
>> 1) port functionality from -3 to -2
>> 2) port functionality from -2 to -3
>
> Don't forget the .5) tasks:
> 1.5) port all changes made to -3 since starting the base port to -2.
> 2.5) port all changes made to -2 since starting the base port to -3.
>
> (1) would require a full re-code of -2 into C++ (repeating 6+ years of 3.x
> development under a new name) in order to encompass the features of -3
> that cannot be back-ported.

Well, that's a bit of a straw-man, isn't it? AIUI 3 *is* already 2
re-coded into C++. Never mind the question of why that's necessary;
indeed, I think a lot of people's discomfort is centred on the fact
that large parts of 3 have been rewritten and not battle-tested in
wide deployment.

I think you'd get that deployment if there were significant reasons
for users to migrate; conversion to C++ is motivation for the
developers, not the users, unless it's accompanied by user-visible
improvements in performance, stability, or functionality. Again, while
ESI and ICAP are cool and useful, IMO they don't motivate the majority
of your users.

> (2) requires info from you the users, about what features you need ported,
> and some help on porting those over to -3.

full vary/etag support
collapsed_forwarding
stale-if-error
stale-while-revalidate
external_refresh_check
pinned peer connections
external logfile daemon
stability
performance
wide adoption (yes, this is a chicken-and-egg problem)

> Most of the developers are already working on this. We do want to close
> the divide. We also have not yet had a sponsor willing to pay specifically
> for any feature porting. So we are stuck with doing it whenever time is
> available.

Again, parity with -2 isn't enough; why would someone pay for
something they can already get in -2 if it meets their needs?

You need to find a killer app for -3 that has broader appeal than just
ICAP and ESI.

While I'm in a mood for ruffling feathers (*grin*), it might also help
to have the core discussions in public; AIUI there's a separate
mailing list for this, and while having those discussions hidden away
shelters you guys to some degree -- and I appreciate your motivation
for doing so -- it also removes the opportunity for feedback by
interested non-core folks. You might find that some more transparency
improves the process and vitality of the project.


Cheers,

--
Mark Nottingham   [EMAIL PROTECTED]




RE: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Dodd, Tony
 -Original Message-
 From: Mark Nottingham [mailto:[EMAIL PROTECTED]
 
 Well, that's a bit of a straw-man, isn't it? AIUI 3 *is* already 2 re-
 coded into C++. Never mind the question of why that's necessary;
 indeed, I think a lot of people's discomfort is centred on the fact
 that large parts of 3 have been rewritten and not battle-tested in
 wide deployment.

Some of my discomfort stems from the fact that from where I sit,
development on -3 seems entirely ad-hoc, with no direction; whereas -2
development is entirely focused (of course, with only Adrian really
developing it, it's going to be moreso; what I'm talking about is more
'what is being developed' than 'who's developing it' though).  I could
be talking entirely out of turn here though, as I haven't seen a -3
roadmap.

Here's a big thing that absolutely scares the crap out of me as far as
moving to -3 goes:

Stable Versions:
Version  First PRE Release Date  First STABLE release Date  Latest Release  Latest Release Date
3.0      Aug 15, 2003            Dec 13, 2007               STABLE1         Dec 13, 2007
2.6      May 29, 2006            Jul 1, 2006                STABLE18        Jan 10, 2008

Now, don't get me wrong here, I understand how development cycles work,
and I understand that it was a ground up re-write, but 4 years to get to
a stable version that has _LESS_ useful features than a version that was
being actively developed, outperforms the hell out of the 'new' version
and contains more features overall just doesn't instill confidence in me
in terms of moving over to it.  Sorry, but that's just the way it is
from a business perspective.
The second thing, that Mark has touched upon, but the majority of squid
developers don't seem to get, is that the big users of squid are
businesses.  We rest our livelihoods and userbase upon squid - Yahoo! a
hell of a lot, Last.FM a hell of a lot too.  It's all well and good
saying 'you guys should switch to -3, it's the shit!', however, it would
be cowboyish of us to migrate our caching services over to utilizing
something that in our own testing doesn't perform as well as what we're
already using, and is barely tested at our scale.  -2 has proven
survivability, we're in our comfort zone using it, we know it works,
there are no odd surprises awaiting us in a month's time due to untested
code.
From a financial aspect, I can say right now that if I upgraded to -3,
and in a month's time it took our site offline, it'd probably get my ass
fired.  The truth of it is, as much as you guys tell yourselves that
your userbase is people who run one or two cache boxes in their
basements to cache their lan internet access, and that there's no money
in squid, there are many companies who use it in production as a reverse
caching proxy in which it is an integral part of their setup.
These users - Mark and myself included -, in volume of cache boxes make
up a huge portion of your userbase, and we're the type who shy away from
change because it burns us in the long run.  We're also the type who are
willing to sponsor projects to add features to them so that we don't
have to change, and will avoid change like the plague because change
means downtime and instability in something that is in all likelihood
already unstable by design.

 
 Again, parity with -2 isn't enough; why would someone pay for
 something they can already get in -2 if it meets their needs?
 
snip

 While I'm in a mood for ruffling feathers (*grin*), it might also help
 to have the core discussions in public; AIUI there's a separate
 mailing list for this, and while having those discussions hidden away
 shelters you guys to some degree -- and I appreciate your motivation
 for doing so -- it also removes the opportunity for feedback by
 interested non-core folks. You might find that some more transparency
 improves the process and vitality of the project.

I totally agree, and I'll go on to say this, since it seems I too am in
a mood for ruffling feathers... I've spoken to Adrian too many times to
count on two hands about this whole thing, and if you guys are trying to
re-invent the wheel, you may as well stop now.  There are so many other
projects out there which are doing what squid does now, and in some
cases, they do it much better (I'm talking in terms of reverse caching
proxy here) - varnishd for instance.  You can throw the question back at
me 'well, why don't you use that then?' - the answer is above: change.
If it comes to the point where I'm forced to change to -3, then I'll be
changing to varnishd.  It's that simple, and here's why:

They're both 'new'.
Squid-3 is relatively untested as far as I can tell in the r-c-p arena;
I've used it myself on a couple of test machines, and the performance I
got out of it was about 1/4 that of the -2 machines, but that's pretty
anecdotal.
Varnishd is in production at a few decent sized websites, and is being
used successfully.
Varnishd has all the features I need in it to be a direct replacement
for -2.

Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Amos Jeffries

 On 05/03/2008, at 1:39 PM, Amos Jeffries wrote:

 Well,

 I am interested in speed, features and ICAP.
 So I like -2 and -3 to merge.

 It seems to me that for the sake of being polite with each other
 we do not want to call the -2 / -3 issue a fork, but effectively
 it really is a fork.

 So here is my question back to the main maintainers:
 do you want to undo the fork and merge ?
 Note this: for a merge there are 2 ways:
 1) port functionality from -3 to -2
 2) port functionality from -2 to -3

 Don't forget the .5) tasks:
 1.5) port all changes made to -3 since starting the base port to -2.
 2.5) port all changes made to -2 since starting the base port to -3.

 (1) would require a full re-code of -2 into C++ (repeating 6+ years
 of 3.x
 development under a new name) in order to encompass the features of -3
 that cannot be back-ported.

 Well, that's a bit of a straw-man, isn't it? AIUI 3 *is* already 2 re-
 coded into C++. Never mind the question of why that's necessary;
 indeed, I think a lot of people's discomfort is centred on the fact
 that large parts of 3 have been rewritten and not battle-tested in
 wide deployment.

Simply repeating the same changes, yes would be bad. But starting from
scratch can cause different experience-based design that may be better.
That is one of the crux problems being discussed by Core.


 I think you'd get that deployment if there were significant reasons
 for users to migrate; conversion to C++ is motivation for the
 developers, not the users, unless it's accompanied by user-visible
 improvements in performance, stability, or functionality. Again, while
 ESI and ICAP are cool and useful, IMO they don't motivate the majority
 of your users.

Personally I agree. The statement from Core shortly indicates the others
do too. We advocate that users pick -3 if they find -2 and -3 both match
their requirements. As you say, the motivation to choose between the two
is not large, and mostly centered around the fact that 5 out of 6 most
active developers are coding on -3.


 (2) requires info from you the users, about what features you need
 ported,
 and some help on porting those over to -3.

 full vary/etag support
 - pending someone to work on it

 collapsed_forwarding
 - pending for 3.1 and someone to work on it

 stale-if-error
 stale-while-revalidate
 - Um, so why did you (the sponsor for these two I believe) not also
request their addition in -3 for future-proofing your install app?

 external_refresh_check
 pinned peer connections
 - thank you.

 external logfile daemon
 - pending for 3.1, I'm just about to start on this one myself.

 stability
 - CODE stability: we are always working on this. Not much we can do
beyond; it doesn't crash, has no leaks, no reachable bad code paths, and
no memory access errors. As we find we fix.
 - DEVELOPMENT stability: We have. 3.0stable1 is out, 3.0stable2 now in
final stages before release. Roadmaps are being laid out for
predictability and followed. You were arguing for adding new things to
3.0 in order to encourage use of it, that adds instability, we will only
be adding new features to the latest 3.x release.

 performance
 - well, Adrian is the only 'expert' we have on this amongst the
developers. I play at it in -3. You will have to ask him to add some of
his work to -3.
I believe 3.x is now as performance-efficient as a 2.6stable 6 install.

 wide adoption (yes, this is a chicken-and-egg problem)
 - The usual basic problem, but it's growing. 3.0 is the next step from
2.5, and those remaining installs are coming up.


Thank you. You have just doubled our public-submissions count.



 Most of the developers are already working on this. We do want to
 close
 the divide. We also have not yet had a sponsor willing to pay
 specifically
 for any feature porting. So we are stuck with doing it whenever time
 is
 available.

 Again, parity with -2 isn't enough; why would someone pay for
 something they can already get in -2 if it meets their needs?

 You need to find a killer app for -3 that has broader appeal than just
 ICAP and ESI.

3.0 was about parity with needs. It failed some in that regard.
3.1 is about making up that failure plus some.
Is seamless IPv6, SSL control, and weighted round-robin not enough of a
killer app for you?


 While I'm in a mood for ruffling feathers (*grin*), it might also help
 to have the core discussions in public; AIUI there's a separate
 mailing list for this, and while having those discussions hidden away
 shelters you guys to some degree -- and I appreciate your motivation
 for doing so -- it also removes the opportunity for feedback by
 interested non-core folks. You might find that some more transparency
 improves the process and vitality of the project.

Well, to shed some light on things (I hate secrecy too). The core
discussions are all about what we are going to publicly say so we don't
contradict ourselves and confuse people too much. Often personal messages
between individuals. We ruffle 

Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Adrian Chadd
On Thu, Mar 06, 2008, Amos Jeffries wrote:

 3.1 is about making up that failure plus some.
 Is seamless IPv6, SSL control, and weighted round-robin not enough of a
 killer app for you?

The trouble is Amos, I'm reasonably confident I can get sponsorship for
porting enough of those to Squid-2 for the reverse proxy clients who
need it to .. well, get it. Cleaning up Squid-2 to support v4/v6 sockaddrs,
src/dst ACLs and client-side only (without any gatewaying into anything
but v4) is enough of a first cut for the reverse proxy guys to be happy,
and if Xenion can get paid to work on that and contribute it back then
I will.

In fact, I'd be very surprised if one of my clients -doesn't- ask for that!




Adrian



Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Mark Nottingham


On 06/03/2008, at 12:28 PM, Amos Jeffries wrote:

>> stale-if-error
>> stale-while-revalidate
>
> - Um, so why did you (the sponsor for these two I believe) not also
> request their addition in -3 for future-proofing your install app?

Because -3 isn't on our roadmap, for the reasons cited. If it appears
there, I imagine we could easily fund the conversion (although I
should check with H to see if that was already included; to be frank,
it wasn't really even on my radar).

>> You need to find a killer app for -3 that has broader appeal than just
>> ICAP and ESI.
>
> 3.0 was about parity with needs. It failed some in that regard.
> 3.1 is about making up that failure plus some.
> Is seamless IPv6, SSL control, and weighted round-robin not enough of a
> killer app for you?

Not particularly. The thing is, for most any functionality, I can get
there more quickly by funding it in -2; until -3 is ready for
production use, it doesn't make sense to fund features in it (see
above).

A killer app for -3 would be multi-core support (and the perf
advantages that it would bring), or something else that the
re-architecture makes possible that isn't easy in -2. AIUI, though, that
isn't the case; i.e., -3 doesn't make this significantly easier.

> Well, to shed some light on things (I hate secrecy too). The core
> discussions are all about what we are going to publicly say so we don't
> contradict ourselves and confuse people too much. Often personal messages
> between individuals. We ruffle each other's feathers at times too. None of
> which is something people exactly want public. The rest is going through
> squid-dev and squid-users.

Well, I guess that's good to hear, but I do note that having a private
core list on an OS project is AFAIK not that common.


Cheers,


--
Mark Nottingham   [EMAIL PROTECTED]




Re: [squid-users] port problem (I guess)

2008-03-05 Thread Adrian Chadd
On Wed, Mar 05, 2008, Mario Salazar Baños wrote:
 
  The reply for POST 
 http://idse.imss.gob.mx:-1/imss/servlet/gob.imss.idse.afilia.modelos.ModeloAfiliaMovimientos
  
 is ALLOWED, because it matched 'all'
 
 In my squid.conf I have an acl with all .gob.mx domain and http_access 
 allow to this acl.
 
 And I can't access this page, without proxy I have access to this page.
 
 
   
 Here is tcpdump file, host 192.168.13.77 gateway 192.168.13.13 squid 
 192.168.13.4

.. with the packet bodies? :)

Fire up wireshark and try that. It'll be really obvious what the HTTP request
looks like.



adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


RE: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Dodd, Tony
 -Original Message-
 From: Amos Jeffries [mailto:[EMAIL PROTECTED]
snip
 3.0 was about parity with needs. It failed some in that regard.
 3.1 is about making up that failure plus some.
 Is seamless IPv6, SSL control, and weighted round-robin not enough of a
 killer app for you?
 

SSL control is nice, but we don't use SSL anywhere near squid, so it's
not a big issue either way for us... we already have weighted
round-robin in -2 by using CARP with specific weights, unless you're
talking about something different?  As for IPv6... eh, I suppose that'll
be nice if IPv6 actually starts getting use sometime this decade.

As Mark said, multicore would be quite awesome, as would better memory
management, better I/O throughput on the cache_dir, proper support for
memory only caches, support for acl based cache_dir's (i.e. cache_dir
foo allow dstdomain blah while denying everything else and cache_dir bar
allow dstdomain boo while denying everything else) to improve overall
hit-rate and decrease cache file flapping, handling of a cache_dir
failure that doesn't include squid dumping core, HTTP/1.1 support,
options support.

Things in 2.6 I'd like to see in 3 (on top of Mark's list):

COSS support - stable, with all the functions -2 has
follow_x_forwarded_for
refresh_stale_hit
umask support

-Tony


[squid-users] Reverse Proxy backend server redirects

2008-03-05 Thread Christopher Bianchi
I have Squid set up as a Reverse Proxy listening on port 80. My backend
server (Apache) is running on port 8080. When Apache issues an automatic
redirect (such as when a visitor neglects a trailing slash on a directory
name), it adds port 8080 into the URL. How do I have Squid rewrite this
before sending it back to the client?

Thanks!
Chris


Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Mark Nottingham
BTW, eCAP *is* interesting; it just looks really tentative at this  
point, and the perf/stability issues overshadow it to some degree.


Now, if you released Python bindings for eCAP, *that* would be  
interesting. Also, multi-core would make eCAP that much more powerful;  
as it is, servers like lighttpd have a huge performance advantage, and  
are getting to the point where it's pretty easy to write a module for  
them.


Cheers,


On 06/03/2008, at 12:52 PM, Mark Nottingham wrote:


A killer app for -3 would be multi-core support (and the perf
advantages that it would bring), or something else that the re-
architecture makes possible that isn't easy in -2. AIUI, though, that
isn't the case; i.e., -3 doesn't make this significantly easier.


--
Mark Nottingham   [EMAIL PROTECTED]




[squid-users] Doesn't appear a pop up window on browser when enable the authentication.

2008-03-05 Thread S.KOBAYASHI
Folks,

I have a bit of a problem. I enabled authentication in squid as below.
However, despite the browser getting a 407 HTTP response code, the pop-up
window for filling in the username/password didn't show up in the browser.
I also figured out that the response from squid didn't include a
WWW-authenticate header.

My questions are:
1. Should the authentication response from squid include a WWW-authenticate
header with the 407 code?
2. Did the acl/http_access lines in squid.conf cause this problem?

Here are the configure options and my squid.conf. Also, I'm using squid-3.HEAD.
./configure --prefix=/usr/local/squid --enable-icap-client --enable-ssl --enable-ipv6 --enable-basic-auth-helpers=NCSA --enable-auth=basic
(Now ICAP has been set to OFF in the squid.conf)

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED
acl localhost src 192.168.11.31/32
http_access allow localhost password -- written prior to be put
http_access deny all

Browsers which I tested:
IE7, Opera 9.26, Netscape 7.1.

Regards,

SEIJI KOBAYASHI



[squid-users] centralized storage for squid

2008-03-05 Thread Siu Kin LAM
Dear all

At this moment, I have several squid servers for http
caching. Many duplicated objects have been found in
different servers.  I would like to minimize data storage
by installing a large centralized storage and having the
squid servers mount the storage as a data disk.

Has anyone tried this before?

thanks a lot 




Re: [squid-users] automatic migration of config files from 2.6 to 3.0

2008-03-05 Thread Amos Jeffries
 Hi,

 Is there a utility that comes with squid 3.0 package that will automatically
 migrate any existing lower version squid configuration to reflect with the
 new version?  I know this sounds a lazy kind of administration technique,
 but these will help a lot on proxy farms especially you have different type
 of machines and specs..

 Just curious about it.

There is nothing to do automatic migration. Individual setups are just too
individual.
I planned to make one but settled with an online validator similar to the
ones W3C provide to assist updating old configuration to 2.6. It takes
your squid.conf and marks each line as OK, EVIL, USELESS, or CHANGE-TO-___

http://squid.treenet.co.nz/cf.check/

When 3.0 came out I got trapped into 3.1 updates and bugs rather than the
planned 3.0 support in the validator :-( If you poke me a few times,
2.6stable18 and 3.x rules might happen over this month.

Amos Jeffries




Re: [squid-users] centralized storage for squid

2008-03-05 Thread Amos Jeffries
 Dear all

 At this moment, I have several squid servers for http
 caching. Many duplicated objects have been found in
 different servers.  I would minimize to data storage
 by installing a large centralized storage and the
 squid servers mount to the storage as data disk.

 Have anyone tried this before?

Yes some have tried before. They met a major problem:

  No current release of squid can share its disk-cache with any external
application (including other squid).

You can link a SAN-type share and allocate a space for each squid to
read/write as its cache_dir. But that does not solve the
object-duplication. And I believe some SAN have RAID backup? that may
cause problems by itself.

Duplication can be prevented or at least reduced by balancing the squid as
sibling peers with proxy-only option, and preferring sibling-fetch over
direct-fetch.

Amos
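
[Added example, not part of the original thread and not the Squid project's own configuration: a squid.conf sketch of the sibling arrangement described in the message above, as it might look on one of the caches. The host names and the 192.0.2.0/24 peer network are placeholders.]

```conf
# squid.conf on cache-a (constructed example; host names and addresses are placeholders)

# Listen for ICP queries from the other caches.
icp_port 3130

# The other caches are siblings, queried over ICP before going direct.
# proxy-only: an object fetched from a sibling is relayed to the client
# but not stored again locally, so no second copy lands on this disk.
cache_peer cache-b.example.net sibling 3128 3130 proxy-only
cache_peer cache-c.example.net sibling 3128 3130 proxy-only

# Only the sibling caches may send ICP queries to, or fetch from, this cache.
acl peers src 192.0.2.0/24
icp_access allow peers
icp_access deny all
# Place this before the final "http_access deny all" in the existing rules.
http_access allow peers

# Default value, shown for clarity: try peers before going direct.
prefer_direct off
```

The same fragment, with the cache_peer lines adjusted, goes on each of the other caches.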




Re: [squid-users] centralized storage for squid

2008-03-05 Thread Adrian Chadd
On Thu, Mar 06, 2008, Siu Kin LAM wrote:
 Dear all
 
 At this moment, I have several squid servers for http
 caching. Many duplicated objects have been found in
 different servers.  I would minimize to data storage
 by installing a large centralized storage and the
 squid servers mount to the storage as data disk. 
 
 Have anyone tried this before?

It's been talked about a lot. No one's ever sat down and implemented it. :/



Adrian



Re: [squid-users] centralized storage for squid

2008-03-05 Thread Kinkie
2008/3/6 Siu Kin LAM [EMAIL PROTECTED]:
 Dear all

  At this moment, I have several squid servers for http
  caching. Many duplicated objects have been found in
  different servers.  I would minimize to data storage
  by installing a large centralized storage and the
  squid servers mount to the storage as data disk.

  Have anyone tried this before?

I recommend you do not follow this path. The shared storage tank would
be extremely critical performance-wise and would soon become a
bottleneck. Furthermore the cached objects would be different enough
that de-duplication algorithms would be probably ineffective.
Local storage is so cheap these days that it makes much more
sense to just keep the data duplication.

As an alternative, split your squid farm in two layers, with the first
level acting as an intelligent load balancing layer (using CARP) for
the caching workhorse which should be the second layer.

-- 
/kinkie
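
[Added example, not part of the original thread and not the Squid project's own configuration: a squid.conf sketch for a front-layer box in the two-layer CARP layout suggested in the message above. The host names are placeholders, and "all" is assumed to be the ACL defined in the default squid.conf.]

```conf
# squid.conf on a FRONT-layer box (constructed example; host names are placeholders)

# CARP hashes each URL to exactly one back-end cache, so an object is
# stored once in the farm rather than once per server.
# ICP port 0 plus no-query: selection is by hash, not by ICP lookup.
cache_peer back1.example.net parent 3128 0 carp no-query
cache_peer back2.example.net parent 3128 0 carp no-query
cache_peer back3.example.net parent 3128 0 carp no-query

# The front layer only balances: every request goes through a back-end,
# never straight to the origin server.
never_direct allow all

# Keep nothing in the front layer's own cache; storage is the
# back-end layer's job.
cache deny all
```

On the back-end layer, http_access should admit only the front-layer addresses, so the caches cannot be used by clients that bypass the balancing layer.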


Re: [squid-users] Squid-2, Squid-3, roadmap

2008-03-05 Thread Michael Puckett

Mark Nottingham wrote:


A killer app for -3 would be multi-core support (and the perf
advantages that it would bring), or something else that the
re-architecture makes possible that isn't easy in -2. AIUI, though,
that isn't the case; i.e., -3 doesn't make this significantly easier.

Absolutely THE killer app for either -2 or -3. The fact that multi-core
processors are now the de facto standard in any box makes this more
important by the day IMHO. Being able to do sustained IO across multiple
Gb NICs will absolutely require it. This is the single biggest
performance enhancement that could be implemented. So where does
multi-core support fall on either roadmap?


-mikep