[squid-users] Bypass tools that works with squid

2008-03-24 Thread Mr Crack
Is there any way in squid to bypass some sites that are banned by firewall or
special tools as squid-plug in ...?
Because ISP banned some sites such as GMail
I don't want to use Windows software e.g. YourFreedom, UltraSurf
I want to install as server s/w with squid


Any help is appreciated

Mr. Crack 007


RE: [squid-users] How squid does Src/Dst IP address matching

2008-03-24 Thread Saurabh Agarwal
I understand the security concern, but if squid is accessed by Users
only within the company and company's intranet is secure enough, then it
is an overkill as DNS is performed twice (Squid being used in transparent
mode), once by the browser and then second time by the Squid. 

Shouldn't we have this as configurable through squid.conf file, though
with the disclaimer you wrote earlier. This looks like a good feature to
have.

Like: Disable DNS lookups by Squid, instead use the DST IP address in the
intercepted HTTP requested.
#disable_dns_lookup, hence use Dst IP from the packet

Thanks
Saurabh
-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2008 10:28 AM
To: Saurabh Agarwal
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] How squid does Src/Dst IP address matching

Saurabh Agarwal wrote:
> Thanks Amos, I have one follow up question though on your reply
> 
> src - performs an OS call to retrieve the IP of the other end of the TCP
> connection socket its been given.
> 
> dst - retrieves the FQDN being looked up from the request headers, and
> performs a DNS lookup on it to retrieve the address.
> 
>>> To determine the dst IP address, why do we don't perform an OS call
> to retrieve the destination IP address. Is it technically possible? If
> yes how? IF we can do it, then we can save some time in the DNS lookup
> that squid performs.

It's possible. Most OS provide getsockopt() calls to retrieve them.
Squid does not use these in order to protect its cache against 
compromised users.
When trusting the users requested dst-IP a single infected web client 
retrieving a bad web page could poison the cache and pass the infection 
on to all other users.

Amos

> 
> Thanks
> Saurabh
> -Original Message-
> From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 17, 2008 4:01 PM
> To: Saurabh Agarwal
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] How squid does Src/Dst IP address matching
> 
> Saurabh Agarwal wrote:
>> Hi 
>>
>> Can someone please tell how does squid does the acl evaluation related
>> to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0"
>>
>> As I understand squid does not get to know the IP layer information
>> which has the destination IP address field.
>>
>> But in the HTTP header we have the name of the server like 
>> "Host mail.yahoo.com", which can be used to determine the destination IP
>> Address.
>>
>> Does squid resolves the IP address of mail.yahoo.com before it does the
>> Dst Address acls matching or evaluation?
> 
> 
> With src and dst it differs in the methods of attaining the IP. But the
> evaluation is identical.
> 
> src - performs an OS call to retrieve the IP of the other end of the TCP
> connection socket its been given.
> 
> dst - retrieves the FQDN being looked up from the request headers, and
> performs a DNS lookup on it to retrieve the address.
> 
> Both then pass the IP to the ACL processing to be checked.
> 
> Amos


-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


[squid-users] Keith Almli has invited you to open a Google mail account

2008-03-24 Thread Keith Almli
I've been using Gmail and thought you might like to try it out. Here's
an invitation to create an account.

---

Keith Almli has invited you to open a free Gmail account.

To accept this invitation and register for your account, visit
http://mail.google.com/mail/a-5287f755b2-9cf3dba933-7bccd6b136

Once you create your account, Keith Almli will be notified with
your new email address so you can stay in touch with Gmail!

If you haven't already heard about Gmail, it's a new search-based webmail
service that offers:

- Over 2,700 megabytes (two gigabytes) of free storage
- Built-in Google search that instantly finds any message you want
- Automatic arrangement of messages and related replies into
  "conversations"
- Powerful spam protection using innovative Google technology
- No large, annoying ads--just small text ads and related pages that are
  relevant to the content of your messages

To learn more about Gmail before registering, visit:
http://mail.google.com/mail/help/benefits.html

And, to see how easy it can be to switch to a new email service, check
out our new switch guide: http://mail.google.com/mail/help/switch/

We're still working every day to improve Gmail, so we might ask for your
comments and suggestions periodically.  We hope you'll like Gmail.  We
do.  And, it's only going to get better.

Thanks,

The Gmail Team

(If clicking the URLs in this message does not work, copy and paste them
into the address bar of your browser).


[squid-users] firewall bypass tools that work squid

2008-03-24 Thread Mr Crack
I want to bypass ISP firewall for some sites.
Is it possible to configure in squid or have any special squid plug-ins ...?
I don't want to use Windows software e.g. YourFreedom, UltraSurf
I want to install as server s/w with squid


Any help is appreciated

Mr. Crack 007


Re: [squid-users] Outlook Express unable to download mail (POP3)

2008-03-24 Thread Mr Crack
I enable NAT on squid box and set squid-box default gateway by DHCP
use iptables

On Thu, Mar 20, 2008 at 10:38 PM, Matus UHLAR - fantomas
<[EMAIL PROTECTED]> wrote:
>
> On 20.03.08 20:14, [EMAIL PROTECTED] wrote:
>  > I am new for squid, I am using squid version 2.6 STABLE 8.
>  >
>  > I able to setup the proxy server with squid, my user able to use IE to
>  > surf net by using my proxy server. BUT my problem is when I want to use
>  > Outlook Express to download my mail, the Outlook popup a msg said that
>  > unable to find the host. example, my email domain is mail.domain.com, and
>  > it is hosted in somewhere hosting company.
>  >
>  > I didn't set any rule yet and allow all user to access internet. Any
>  > configuration setting I need to look into?
>
>  I am sorry, this is mailing lists of SQUID users. SQUID is an HTTP proxy, it
>  can't proxy other protocol. POP3 is not HTTP.
>
>  It's useless to proxy POP3 protocol, unless you want to intercept and/or
>  filter it. Squid won't do either.
>  --
>  Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
>  Warning: I wish NOT to receive e-mail advertising to this address.
>  Christian Science Programming: "Let God Debug It!".
>


[squid-users] How to split web traffic and voice with two ADSL

2008-03-24 Thread Mr Crack
I am running Cybercafe with two ADSL.
I want to use one ADSL for web surfing. says its ip  X.X.X.A
And another ADSL for voice e.g. gtalk, pfingo, VZO,  says its ip X.X.X.B

how can I redirect voice to X.X.X.B with squid



Mr. Crack 007


Re: [squid-users] How squid does Src/Dst IP address matching

2008-03-24 Thread Adrian Chadd
On Mon, Mar 24, 2008, Saurabh Agarwal wrote:
> I understand the security concern, but if squid is accessed by Users
> only within the company and company's intranet is secure enough, then it
> is an overkill as DNS is performed twice (Squid being used in transparent
> mode), once by the browser and then second time by the Squid. 
> 
> Shouldn't we have this as configurable through squid.conf file, though
> with the disclaimer you wrote earlier. This looks like a good feature to
> have.
> 
> Like: Disable DNS lookups by Squid, instead use the DST IP address in the
> intercepted HTTP requested.
> #disable_dns_lookup, hence use Dst IP from the packet

That's not a bad idea, but the possibility is there to absolutely, positively
blow away not only your clients' feet, but their legs, their torso, their
car/bike, and potentially their neighbours' pet. It's very dangerous.

I'll commit a patch if someone submits one. It has to have a very, very
large warning and it also needs to log something in cache.log to explain
why enabling the option is 100% dangerous.

Please realise that it's not only compromised hosts, it's also malicious users.



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
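
The trade-off discussed in this thread, as an added example (not part of the original messages and not Squid's code): a toy intercepting cache keyed by URL, run under three ways of choosing the upstream address. The class and policy names are hypothetical, the hosts and addresses are constructed from documentation ranges, and `verify_dst` is one possible safeguard assumed here, not an option named in the thread.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (documentation address ranges, not from the thread).
DNS: Dict[str, Set[str]] = {"www.example.com": {"192.0.2.10"}}  # proxy's own resolver view
SERVERS: Dict[str, str] = {
    "192.0.2.10": "genuine page",
    "203.0.113.66": "bad page",  # unrelated server that answers for any Host header
}


class InterceptProxy:
    """Toy intercepting cache; objects are stored under the request URL."""

    def __init__(self, policy: str) -> None:
        if policy not in ("dns", "trust_dst", "verify_dst"):
            raise ValueError(policy)
        self.policy = policy
        self.cache: Dict[str, str] = {}
        self.log: List[str] = []  # stands in for cache.log

    def handle(self, packet_dst: str, host: str, path: str = "/") -> Tuple[str, str]:
        """packet_dst is the address the client's TCP connection was aimed at."""
        url = f"http://{host}{path}"
        if url in self.cache:
            return "HIT", self.cache[url]

        resolved = DNS.get(host, set())
        cacheable = True
        if self.policy == "dns":
            # Behaviour described by Amos: ignore the packet, resolve Host ourselves.
            if not resolved:
                return "ERROR", ""
            upstream = sorted(resolved)[0]
        elif self.policy == "trust_dst":
            # The proposed shortcut: skip DNS and believe the client's destination.
            upstream = packet_dst
        else:
            # verify_dst: use the packet destination, but only share the reply
            # with other clients if our own DNS agrees with it.
            upstream = packet_dst
            if packet_dst not in resolved:
                cacheable = False
                self.log.append(
                    f"WARNING: Host {host} does not resolve to {packet_dst}; reply not cached"
                )

        body = SERVERS.get(upstream)
        if body is None:
            return "ERROR", ""
        if cacheable:
            self.cache[url] = body
        return "MISS", body


def run(policy: str) -> Tuple[Tuple[str, str], List[str]]:
    """One mismatched request, then an ordinary one from a second client."""
    proxy = InterceptProxy(policy)
    # Client A: connection aimed at 203.0.113.66, Host header says www.example.com.
    proxy.handle("203.0.113.66", "www.example.com")
    # Client B: ordinary request for the same URL.
    return proxy.handle("192.0.2.10", "www.example.com"), proxy.log


if __name__ == "__main__":
    for name in ("dns", "trust_dst", "verify_dst"):
        result, log = run(name)
        print(name, result, log)
```

Under `trust_dst` the second client is served the first client's mismatched reply from cache; the other two policies keep the shared cache clean, and `verify_dst` also leaves a log line of the kind Adrian asks for.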


Re: [squid-users] bypass tools that works together with squid

2008-03-24 Thread Adrian Chadd
On Mon, Mar 24, 2008, Mr Crack wrote:
> Is there any way in squid to bypass some sites that are banned by firewall or
> special tools as squid-plug in ...?
> Because ISP banned some sites such as GMail
> I dont want to use Windows software e.g. YourFreedom, UltraSurf
> I want to install as server s/w with squid

G'day,

* Spend $5 a month on a small virtual private server in the US or Europe;
* Install Squid with authentication;
* Use that proxy as your own personal browsing proxy.




Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [squid-users] ACLs and localhost

2008-03-24 Thread paul cooper
There is something in all this I really am not understanding. Sorry to be
so stupid.

AIUI now, it looks at the ACLs and processes them until it finds one that
matches, and then it stops matching them and allows access. It will only
deny a page when it has processed all the ACLs and NOT found a match.

If I have only 1 authenticated user (emma) then the time based ACL
('testing') it denies access as it should.
When I add another user access (http_access allow andrew) the browser
authentication box comes up, I put in 'emma' and it gives me access.
I'm restarting squid and clearing the browser cache between all these
attempts.



hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth emma # grep ^http /etc/squid/squid.conf
http_port 3128
http_access allow emma testing
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'localhost'
2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/favicon.ico is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'localhost'


hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'


hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #



2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: us
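
The evaluation traced in the cache.log output above, modelled as an added example (not part of the original post and not Squid's code): http_access lines are tried top to bottom, a line matches only when every ACL on it matches, the first matching line decides, and `proxy_auth REQUIRED` matches any authenticated user whatever the ACL is called. The Python names are hypothetical, and `NAMED_ACLS` assumes the poster meant per-user ACLs of the form `acl emma proxy_auth emma`; the rules and the 09:52 Monday request come from the post.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str             # client address
    user: Optional[str]  # authenticated proxy user, None without credentials
    day: str             # Squid day letter: S M T W H F A
    minute: int          # minutes since midnight (09:52 -> 592, as in the log)


Acl = Callable[[Request], bool]

# ACLs as defined in the post: both user ACLs are "proxy_auth REQUIRED".
REQUIRED_ACLS: Dict[str, Acl] = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "emma": lambda r: r.user is not None,    # any authenticated user
    "andrew": lambda r: r.user is not None,  # same test under a different name
    "testing": lambda r: r.day in "MTWHF" and 450 <= r.minute <= 480,
}

# Assumed intent: acl emma proxy_auth emma / acl andrew proxy_auth andrew
NAMED_ACLS: Dict[str, Acl] = dict(
    REQUIRED_ACLS,
    emma=lambda r: r.user == "emma",
    andrew=lambda r: r.user == "andrew",
)

CONF_ONE = """
http_access allow emma testing
http_access deny localhost
http_access deny all
"""

CONF_TWO = """
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
"""

Rule = Tuple[str, List[str], str]


def parse(conf: str) -> List[Rule]:
    """Extract (action, acl names, original line) from http_access lines."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:], line.strip()))
    if not rules:
        raise ValueError("no http_access lines")
    return rules


def check(rules: List[Rule], req: Request, acls: Dict[str, Acl]) -> Tuple[str, Optional[str]]:
    """Return (decision, line that decided it)."""
    for action, names, line in rules:
        if all(acls[name](req) for name in names):  # ACLs on one line are ANDed
            return action, line
    # No line matched: the default is the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    emma = Request("127.0.0.1", "emma", "M", 592)
    print(check(parse(CONF_ONE), emma, REQUIRED_ACLS))
    print(check(parse(CONF_TWO), emma, REQUIRED_ACLS))
    print(check(parse(CONF_TWO), emma, NAMED_ACLS))
```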

Re: [squid-users] A bug? (was "cache deny and the 'public' token")

2008-03-24 Thread Henrik Nordstrom
On Sun, 2008-03-23 at 01:42 -0700, Ricardo Newbery wrote:

> I guess another alternative to the 'public' token is to instead issue  
> a 'private' token with any cookie-authenticated response that should  
> not be cached.  This just moves the default cache strategy for  
> authenticated responses to "cache everything, unless it's private"  
> instead of "do not cache anything, unless it's public".  Hmm... this  
> may be a better approach in any case, since it plays better with other  
> shared-caches that might be encountered downstream of my server.

Problem is that as soon as you enable caching of URLs giving split views
shared caches will start caching them, and with the only thing
differentiating a request for a public copy with a request for a private
copy being the Cookie headers (of which there may be plenty, and often
changing) you have to say "Vary: Cookie". But since each user will most
likely carry his own set of cookies (and often a changing set) each
request will be pretty much unique to the shared cache, almost
eliminating any opportunity for a cache hit.

Regards
Henrik



[squid-users] Clearing ACLs on reload?

2008-03-24 Thread Ilkka Tuohela

Hi,

I was wondering how I could clear entries from certain ACL during reload
of squid configuration?

I was looking if I could for example add a line like this (not valid, of
course):

acl local_domains reset
acl local_domains "/etc/squid/local_domains.acl"

The issue here is that I need to control access to parent proxy by ACLs,
and sometimes entries need to be removed from an ACL. Because the ACL
rules always add to the existing ACL, removing a line from external file
and reloading squid does not actually remove it from running configuration.

For me it would be fine, if there were a way to do this, with a reset
rule before the ACL entries, right now I can add new ACL entries by
reloading, but to remove I need to restart squid completely.

I'm using ubuntu package, 2.6.18-1ubuntu2. I can upgrade to 3.x release
if this would solve my problem.

*hile*





Re: [squid-users] Clearing ACLs on reload?

2008-03-24 Thread Leonardo Rodrigues Magalhães



Ilkka Tuohela wrote:

> The issue here is that I need to control access to parent proxy by ACLs,
> and sometimes entries need to be removed from an ACL. Because the ACL
> rules always add to the existing ACL, removing a line from external file
> and reloading squid does not actually remove it from running configuration.
>
> For me it would be fine, if there were a way to do this, with a reset
> rule before the ACL entries, right now I can add new ACL entries by
> reloading, but to remove I need to restart squid completely.


   I'm afraid you're absolutely mistaken. 'squid -k reconfigure' clears 
all ACLs and re-reads them from the external files. At least on my 
SEVERAL squid boxes, which I have different versions of squid including 
some old 2.5 ones, reconfigure clears everything and re-reads files. I 
have never seen this behavior of 'only adding rules'.


   Test it again, watch your 'current configuration' with cachemgr.cgi, 
and you'll see that you're wrong on this thinking that reconfigure does 
not clear ACLs.


--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
[EMAIL PROTECTED]






Re: [squid-users] Clearing ACLs on reload?

2008-03-24 Thread Amos Jeffries

Ilkka Tuohela wrote:

> Hi,
>
> I was wondering how I could clear entries from certain ACL during reload
> of squid configuration?
>
> I was looking if I could for example add a line like this (not valid, of
> course):
>
> acl local_domains reset
> acl local_domains "/etc/squid/local_domains.acl"
>
> The issue here is that I need to control access to parent proxy by ACLs,
> and sometimes entries need to be removed from an ACL. Because the ACL
> rules always add to the existing ACL, removing a line from external file
> and reloading squid does not actually remove it from running configuration.
>
> For me it would be fine, if there were a way to do this, with a reset
> rule before the ACL entries, right now I can add new ACL entries by
> reloading, but to remove I need to restart squid completely.
>
> I'm using ubuntu package, 2.6.18-1ubuntu2. I can upgrade to 3.x release
> if this would solve my problem.
>
> *hile*


I thought squid did clear the ACLs on reload. And a quick check of the 
code confirms that it should be.


What is giving you the idea that it does not?

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Clearing ACLs on reload?

2008-03-24 Thread Ilkka Tuohela

> I thought squid did clear the ACLs on reload. And a quick check of the
> code confirms that it should be.
> 
> What is giving you the idea that it does not?


Oh, my bad, for the squid version I said this actually works correctly,
don't know what I've done differently.

And of course, I can't reproduce this right now, I'll need to check it
again when I'm working on the cache which had this problem. I'll be back
if I find the case when this happened (yes it has happened once, but it
actually included commenting out a broken parent cache + it's acls same
time from configuration).

Consider this issue as PEBKAC unless otherwise proven :)

*hile*



Re: [squid-users] Outlook Express unable to download mail (POP3)

2008-03-24 Thread Matus UHLAR - fantomas
On 24.03.08 13:53, Mr Crack wrote:
> I enable NAT on squid box and set squid-box default gateway by DHCP
> use iptables

not on the squid box. On the router. It's irrelevant if squid runs there, and
if squid runs on different machine, NATting on it won't help.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
99 percent of lawyers give the rest a bad name. 


[squid-users] squid behind ziproxy ?

2008-03-24 Thread Michael Gale

Hey,

	We are currently using ziproxy (http://ziproxy.sourceforge.net/) in a 
transparent setup to compress (Gzip) the data between the requesting 
client and the end server. We also scale down requested images to 
conserve bandwidth.


Now we would like to implement a squid proxy to make use of its cache. 
We are looking at a setup like the following:


Old setup:
Internet <--> ziproxy in transparent mode <--> slow link <--> client

New setup:
Internet <--> squid cache #1 <--> slow link <--> squid cache #2 <--> client


Squid cache #1 and squid cache #2 will have some form of cache hierarchy 
setup between them. So if we want to continue to use the ziproxy 
software we will lose the Gzip compression benefits but will retain the 
image scaling.


My question is, will having squid go through ziproxy have any effects on 
the cache use ? Because the image(gif,jpeg,tif,..) on the server will 
never match the copy received by squid cache #1. Since it would be 
scaled / altered on its way down ?


Thanks

--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

"It's not that I'm so smart, it's just that I stay with problems 
longer." - Albert Einstein


Re: [squid-users] squid behind ziproxy ?

2008-03-24 Thread Michael Gale

Hello,

	I guess I should have also asked if ziproxy could exist between the squid 
cache #1 system and squid cache #2 system.


I initially ruled this out ... I figured that when the squid servers 
talk to one another that it would not be HTTP. But I guess it could be ?


Anyways, any insight will be helpful.

Michael

Michael Gale wrote:

> Hey,
>
> We are currently using ziproxy (http://ziproxy.sourceforge.net/) in
> a transparent setup to compress (Gzip) the data between the requesting
> client and the end server. We also scale down requested images to
> conserve bandwidth.
>
> Now we would like to implement a squid proxy to make use of its cache.
> We are looking at a setup like the following:
>
> Old setup:
> Internet <--> ziproxy in transparent mode <--> slow link <--> client
>
> New setup:
> Internet <--> squid cache #1 <--> slow link <--> squid cache #2 <--> client
>
> Squid cache #1 and squid cache #2 will have some form of cache hierarchy
> setup between them. So if we want to continue to use the ziproxy
> software we will lose the Gzip compression benefits but will retain the
> image scaling.
>
> My question is, will having squid go through ziproxy have any effects on
> the cache use ? Because the image(gif,jpeg,tif,..) on the server will
> never match the copy received by squid cache #1. Since it would be
> scaled / altered on its way down ?
>
> Thanks



--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

"It's not that I'm so smart, it's just that I stay with problems 
longer." - Albert Einstein


[squid-users] Hardware setup ?

2008-03-24 Thread Michael Gale

Hey,

	We are working on our hardware requirements and am looking for some 
feedback. Please let me know what you think:


Demand:
- 225 requests per second during peak times in 2008. So we are planning 
for 300 RPS minimal per server. Ideally if each server could handle 600 
RPS that would be good.
- We have 1600 remote locations connected via sat link, each with about 
4 devices behind it.

- 125GB per month of HTTP traffic

We currently are planning on two servers being available behind an LVS 
router. These two servers will speak with a squid instance at each 
location so some form of peering can be used.


So I have the following questions:

1. Would there be any problem with squid running at each sat location 
(1600) trying to use a peering method with squidpeer.domain.com IP that 
is load balanced by an LVS router pointing to two squid servers ?


2. Does squid benefit from a dual core or quad core setup at all ?

3. How do these hardware requirements look, per server:
- 4 drives for squid cache, hardware raid striped
- 4ms seek time, 73GB of space =~ 294GB of cache available
- Looking to use at least 150GB of cache per server
- 8GB of RAM
- Two dual core or two quad core 3.0GHz processors.

Any feedback is appreciated

Thanks

--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

"It's not that I'm so smart, it's just that I stay with problems 
longer." - Albert Einstein


Re: [squid-users] A bug? (was "cache deny and the 'public' token")

2008-03-24 Thread Ric


On Mar 24, 2008, at 3:22 AM, Henrik Nordstrom wrote:

> On Sun, 2008-03-23 at 01:42 -0700, Ric wrote:
>
>> I guess another alternative to the 'public' token is to instead issue
>> a 'private' token with any cookie-authenticated response that should
>> not be cached.  This just moves the default cache strategy for
>> authenticated responses to "cache everything, unless it's private"
>> instead of "do not cache anything, unless it's public".  Hmm... this
>> may be a better approach in any case, since it plays better with other
>> shared-caches that might be encountered downstream of my server.
>
> Problem is that as soon as you enable caching of URLs giving split views
> shared caches will start caching them, and with the only thing
> differentiating a request for a public copy with a request for a private
> copy being the Cookie headers (of which there may be plenty, and often
> changing) you have to say "Vary: Cookie". But since each user will most
> likely carry his own set of cookies (and often a changing set) each
> request will be pretty much unique to the shared cache, almost
> eliminating any opportunity for a cache hit.
>
> Regards
> Henrik



Yes, I realize this.  Unless we authenticate using one of the  
Authenticated header methods, it seems that we have to be careful not  
to try caching "split views" in standard proxies.  Cookie- 
authenticated responses should only be cacheable in public shared  
caches if they contain no personalization.  The exception being if you  
have some other means to control the cache (such as Surrogate-Control)  
-- only then can you cache a split view (in your cache only) and  
reliably pass all the cookie-authenticated requests (with exceptions  
for 'public' responses, assuming this bug is ever fixed).


Ric
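
The caching behaviour debated in this thread, as an added example (not part of the original messages and not Squid's code): a toy shared cache that honours `Vary` and `Cache-Control: private`, fed by three cookie-authenticated users whose cookie set changes on every request. The class, function and cookie names, the URL and the origin's responses are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]
Origin = Callable[[str, Headers], Tuple[Headers, str]]


def parse_cookies(value: str) -> Dict[str, str]:
    """Split a Cookie header into name/value pairs."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)


def make_origin(mode: str) -> Origin:
    """Constructed origin serving a personalised ("split view") page.

    mode 'none'    : cacheable, no Vary header
    mode 'vary'    : cacheable, Vary: Cookie
    mode 'private' : Cache-Control: private
    """
    def origin(url: str, request: Headers) -> Tuple[Headers, str]:
        session = parse_cookies(request.get("Cookie", "")).get("session", "anonymous")
        response = {"Cache-Control": "max-age=60"}
        if mode == "vary":
            response["Vary"] = "Cookie"
        elif mode == "private":
            response["Cache-Control"] = "private"
        return response, f"page for {session}"
    return origin


class SharedCache:
    """Stores one variant per distinct value of the headers named in Vary."""

    def __init__(self, origin: Origin) -> None:
        self.origin = origin
        # url -> list of (vary header names, request values for them, body)
        self.store: Dict[str, List[Tuple[Tuple[str, ...], Tuple[str, ...], str]]] = {}
        self.hits = 0
        self.misses = 0

    def get(self, url: str, request: Headers) -> str:
        for names, values, body in self.store.get(url, []):
            if tuple(request.get(n, "") for n in names) == values:
                self.hits += 1
                return body
        self.misses += 1
        response, body = self.origin(url, request)
        if "private" not in response.get("Cache-Control", ""):
            names = tuple(n.strip() for n in response.get("Vary", "").split(",") if n.strip())
            values = tuple(request.get(n, "") for n in names)
            self.store.setdefault(url, []).append((names, values, body))
        return body


def run(mode: str) -> Tuple[int, bool]:
    """Three users request the same URL twice; return (cache hits, wrong page served?)."""
    cache = SharedCache(make_origin(mode))
    wrong_page = False
    tick = 0
    for _ in range(2):
        for user in ("alice", "bob", "carol"):
            tick += 1  # a second cookie that changes on every request
            request = {"Cookie": f"session={user}; t={tick}"}
            body = cache.get("http://site.example/home", request)
            wrong_page = wrong_page or body != f"page for {user}"
    return cache.hits, wrong_page


if __name__ == "__main__":
    for mode in ("none", "vary", "private"):
        print(mode, run(mode))
```

Without `Vary` the cache gets hits by handing one user's page to the others; with `Vary: Cookie` every request is a distinct variant and nothing hits; `private` gives the same zero hit count without filling the cache with unusable variants.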





[squid-users] adjacency issues with Cisco devices and WCCP

2008-03-24 Thread Ritter, Nicholas
I am having an adjacency issue with Cisco devices, WCCP v2 and
Linux-based squid 2.6.

I am running a CentOS 5.1 box with the packaged Squid that comes with
the distribution. If I have a router redirecting to the squid box, and
the squid box has a GRE tunnel setup to point to the "show ip wccp"
advertised IP, the whole setup does not work. The moment I make the
squid box layer2/layer3 adjacent to the "show ip wccp" advertised IP the
whole setup works fine.

I am allowing all GRE traffic, so I know it is not a firewalling issue,
but I do notice that the linux box is not using the GRE tunnel because
ifconfig shows no increase in packet counts.

The commands I am using are as follows, and this is for WCCP/Transparent
caching:

**Note: the local ip of the squid box is 10.2.2.31, and 192.168.1.1 is
the IP of the WCCP router. 192.168.1.1 is a Cat6506/Sup720, and
192.168.1.1 is a router link on that switch, 10.2.2.0/24 is a vlan with
a router link on it, all on the same switch.

/sbin/ip tunnel add gre0 mode gre remote 192.168.1.1 local 10.2.2.31 dev eth0
/sbin/ip addr add 10.2.2.31/32 dev gre0
/bin/echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
/sbin/ip link set gre0 up
/sbin/service squid start


The WCCP router does not register the squid cache as being there, but a
"debug ip wccp" shows the two talking to each other. This issue, in
general, has been a problem on multiple IOS versions, but I think it may
be something wrong with the gre tunnel setup on the Linux box.

Anyone have ideas as to what I may be doing wrong?

Nick


Re: [squid-users] injecting small piece of html into pages retrieved

2008-03-24 Thread Alex Rousskov
On Fri, 2008-03-21 at 19:45 -0700, Edward Rosinzonsky wrote:

> I'd like to inject a small piece of HTML into any page retrieved
> through the proxy. E.g. change "" to "

Re: [squid-users] you tube +delay pool

2008-03-24 Thread Chris Robertson

s f wrote:

> hi,
>
> here is the things u mentioned
>
> acl our_networks src x.x.x.x/x
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 2048/8000
> #delay_parameters 1 4096/8000
> acl dp url_regex -i \.mp3$ \.wmv$ \.avi$ \.wma$ \.mpe?g$
> acl dp1 rep_mime_type video/flv
> #acl youtube url_regex -i youtube
> acl youtube dstdomain .youtube.com #rep_mime_type didnt worked so
> currently am having this. but since youtube has
> delay_access 1 allow dp our_networks
> delay_access 1 allow dp1 our_networks

I think the problem originates from mixing reply_mime_type and src.  At 
the very least, you should drop the "our_networks" from this line.  On 
the others it's just redundant.

> delay_access 1 allow youtube our_networks
> delay_access 1 deny all
>
> The delay pool is working for acl dp and youtube. But there is no
> effect in youtube videos.


Chris


[squid-users] How can I tell if snmp has been compiled into Squid?

2008-03-24 Thread Ed Flecko
Hi folks,
I'm running OpenBSD 4.2 and have installed the Squid package using the
pkg_add method.

I'm trying to set up snmp monitoring with no success. I keep getting a
"Invalid ACL type 'snmp_community" error message, so now I'm wondering
if snmp has been compiled in.

Is there a command I can run on Squid to see what options have been compiled in?

Thank you,
Ed