[squid-users] squid transparent proxy
Dear all,

I am trying to activate transparent proxy on my setup but I cannot run it. With the standard setup (configuring the client PC with browser configuration) everything is working well: squid is responding and the client can browse the internet. Now we are trying to implement a setup wherein the client has an option to put or not to put a configuration on the browser.

I have separate machines: the 1st machine is the firewall/NAT server running Fedora Core 4 64-bit (with a public IP on the interface) and the 2nd machine is the squid box running Fedora Core 8 64-bit (also with a public IP address). Although all the clients use a private IP, squid can still serve them pretty well.

Now I have configured my squid (squid-2.6stable19) to accept transparent connections, and it seems it is working because, as the cache.log says:

accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11

But when I configure the client browser without a proxy configuration I cannot browse the internet. I am attaching below my firewall/NAT iptables configuration. Can you please check it for me and let me know if I am missing something. Also, if you can, provide me a step-by-step configuration of a transparent proxy setup.
# Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
-A INPUT -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
#
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
-A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
#
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --sy
Re: [squid-users] Bypassing 403 and 404 status to ICAP using icap_access
Hello Alex,

Thanks for the reply. I had submitted a bug report. I am just placing a few lines from the debug log here for your reference.

2008/04/03 14:24:58.788| ACLChecklist::preCheck: 0x604dfdc8 checking 'icap_access class_1 deny HS'
2008/04/03 14:24:58.788| ACLList::matches: checking HS
2008/04/03 14:24:58.788| ACL::checklistMatches WARNING: 'HS' ACL is used but there is no HTTP reply -- not matching.
2008/04/03 14:24:58.788| ACLList::matches: result is false

Please let me know if you have some input on this.

Thanks
Selvi

On 3/19/08, Alex Rousskov <[EMAIL PROTECTED]> wrote:
> On Tue, 2008-03-18 at 11:42 +0530, selvi nandu wrote:
>
> > Here, I don't want the 403 and 404 status to be sent to the ICAP Server.
> >
> > I had tried icap_access with http_status but that didn't work for me.
> >
> > ICAP configurations used:
> >
> > acl HS http_status 404
> >
> > icap_enable on
> > icap_preview_enable off
> > icap_persistent_connections off
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_service vicontent respmod_precache 0 icap://172.16.1.225:1344/respmod
> > icap_class class_1 vicontent
> > icap_access class_1 deny HS
> > icap_access class_1 allow all
> >
> > Any thoughts to achieve this?
>
> I do not see any problem with your configuration. If you do not receive
> better responses, please file a bug and attach cache.log with ALL,9
> debug_options enabled when the 404 transaction is being processed.
>
> Thank you,
>
> Alex.
Re: [squid-users] cache "big" images ans use it on the LAN
Henrik Nordstrom wrote:
> > I noticed that if multiple local clients query the same resource image
> > at almost the same time, squid delivers the cached resource. But if the
> > workstations request it one after the other, they all take it from the
> > big internet, and it lags a lot.
>
> Sounds like the banner may have expired from the cache. Probably due to
> the web site not allowing it to be cached for very long..
>
> An example URL of an object where you see this would help..

http://svn.infogerance.us for example. I already provided that URL and its cacheability sounded OK. Is there a possibility to "force" or overwrite the cacheability/expiration?
Re: [squid-users] client ip's
Jorge Bastos wrote:
> The rule I use to redirect traffic from 80 to 8080 is:
> I must remember, this was working before 3.0 stable1 or stable2 (not using
> stable2), I just saw this was happening now.

What version did you upgrade from?

> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080

If squid is running on this same box I would recommend the REDIRECT target instead of DNAT. It's less work for the kernel.

The other possible issue is that you have your redirection rule at the start of the NAT tables. The matching rule to allow squid traffic out is near the end. Even if you keep DNAT, they should be in this order:

# allow squid traffic out okay.
iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
# redirect all other web traffic into squid.
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

> cisne:~# iptables-save -t nat
> # Generated by iptables-save v1.4.0 on Wed Apr 2 17:12:25 2008
> *nat
> :PREROUTING ACCEPT [35:1650]
> :POSTROUTING ACCEPT [10307:1367320]
> :OUTPUT ACCEPT [66427:4357431]
> -A PREROUTING -d 193.164.158.105/32 -j DROP
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination 192.168.1.11:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.2:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination 192.168.1.3:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
> -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
> -A PREROUTING -p gre -j ACCEPT
> -A PREROUTING -p icmp -j ACCEPT
> -A PREROUTING -p ah -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
> -A PREROUTING -p udp -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
> -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
> -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport -j ACCEPT
> -A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination 192.168.1.224:30106
> -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A PREROUTING -j DROP
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Wed Apr 2 17:12:26 2008
>
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 2 April 2008 11:42
> To: Jorge Bastos
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] client ip's
>
> What do your iptables NAT rules look like?
>
> iptables-save -t nat
>
> Wed 2008-04-02 at 09:18 +0100, Jorge Bastos wrote:
> > Transparent proxy
> >
> > Squid running on: 8080
> > And I forward 80 => 8080 (squid) => web
> >
> > My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
> > this started to happen.
> >
> > > -Original Message-
> > > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, 2 April 2008 0:12
> > > To: Jorge Bastos
> > > Cc: squid-users@squid-cache.org
> > > Subject: RE: [squid-users] client ip's
> > >
> > > Tue 2008-04-01 at 12:29 +0100, Jorge Bastos wrote:
> > > > No, just squid himself.
> > >
> > > As a plain proxy, or playing with NAT?
> > >
> > > Regards
> > > Henrik

--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
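The rule-ordering point made in the reply above can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: a small lint over `iptables-save -t nat` output that finds the port-80 interception rule in PREROUTING, reports when no ACCEPT for the proxy host's own source address precedes it, and reports a DNAT aimed at the proxy box itself where REDIRECT would do. Both sample tables are constructed (the first is trimmed from the dump posted in the thread); the proxy address 192.168.1.1 is the one used in the thread.

```python
"""Lint the PREROUTING chain of an `iptables-save -t nat` dump for the two
transparent-proxy problems raised in the reply: an interception rule placed
before the rule that lets the proxy host's own traffic through, and a DNAT
aimed at the proxy box itself where REDIRECT would do."""
import shlex

# Constructed sample, trimmed from the dump posted in the thread (not a live capture).
BROKEN_NAT = """\
# Generated by iptables-save v1.4.0 on Wed Apr 2 17:12:25 2008
*nat
:PREROUTING ACCEPT [35:1650]
:POSTROUTING ACCEPT [10307:1367320]
:OUTPUT ACCEPT [66427:4357431]
-A PREROUTING -d 193.164.158.105/32 -j DROP
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed: the ordering the reply recommends, with REDIRECT instead of DNAT.
FIXED_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""


def parse_chain(text, chain="PREROUTING"):
    """Return the rules appended to `chain`, in order, as {option: value} dicts.

    Each option keeps the token that follows it as its value ("-p": "tcp",
    "--dport": "80", "-j": "DNAT"); a bare flag gets True. Multi-argument
    matches such as --tcp-flags keep only their first argument, which is
    enough for the checks below.
    """
    rules = []
    prefix = "-A " + chain + " "
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        tokens = shlex.split(line)[2:]  # drop "-A <chain>"
        rule, i = {}, 0
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                rule[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                rule[tokens[i]] = True
                i += 1
        rules.append(rule)
    return rules


def host_of(addr):
    """'192.168.1.1/32' -> '192.168.1.1'; anything that is not a string -> ''."""
    return addr.split("/")[0] if isinstance(addr, str) else ""


def lint_interception(rules, proxy_ip, port="80"):
    """Return findings (strings) for the first tcp/`port` DNAT or REDIRECT rule."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.get("-p") != "tcp" or rule.get("--dport") != port:
            continue
        if rule.get("-j") not in ("DNAT", "REDIRECT"):
            continue
        # 1. An ACCEPT for traffic *from* the proxy host must come first, or the
        #    proxy's own outbound port-80 requests are fed back into the proxy.
        exempted = any(
            earlier.get("-j") == "ACCEPT"
            and host_of(earlier.get("-s", "")) == proxy_ip
            and earlier.get("--dport", port) == port
            for earlier in rules[:idx]
        )
        if not exempted:
            findings.append(
                f"rule {idx}: no ACCEPT for -s {proxy_ip} precedes the "
                f"{rule['-j']} of tcp dport {port}"
            )
        # 2. DNAT to the local proxy address is REDIRECT with extra kernel work.
        dest = rule.get("--to-destination", "")
        if rule["-j"] == "DNAT" and isinstance(dest, str) and dest.split(":")[0] == proxy_ip:
            findings.append(
                f"rule {idx}: DNAT --to-destination {dest} targets the proxy host "
                f"itself; use -j REDIRECT --to-ports {dest.split(':')[-1]} instead"
            )
        return findings
    return [f"no DNAT/REDIRECT rule for tcp dport {port} in the chain"]


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        print(name, lint_interception(parse_chain(table), "192.168.1.1") or ["ok"])
```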
[squid-users] Squid 2.6 + Debian Etch + tproxy + bridge + transparent proxy
Hey all,

I've been a happy user of Squid for the past 10 years or so, and I'd like to take a second to thank everyone who has worked so hard to make such a great piece of software! I'd like to give back to the Squid community, but unfortunately I'm not much of a C hacker. However, I'm hoping I can still help.

I've just spent a few days getting my school's Squid install up to date (we were running 2.5 on Debian Woody). I switched to using tproxy this time around (we used to do policy routing on our core, but it was spiking the CPU too much). Thanks to the mailing list, some articles on the web, and a little messing around I was able to get the whole system up and running. I've documented the steps here:

http://web.suffieldacademy.org/ils/netadmin/docs/software/squid/

The document is written for someone with a decent grasp of Linux, and is specifically geared to Debian Etch. There are some tweaks that are specific to our install (compile-time flags, mostly), but otherwise it's pretty generic. Hopefully, this will help someone else out who's trying to build a similar system, so I'm posting so it will hit the archives. Feel free to adapt, add to the wiki, or mirror if you find it useful. Also, any corrections are welcome. ;-)

Thanks again for all your efforts!

Jason

--
Jason Healy|[EMAIL PROTECTED]| http://www.logn.net/
Re: [squid-users] Help with Calamaris report syntax?
Ed Flecko wrote:
> Hi folks,
> I'm running OpenBSD 4.2 with Squid and Calamaris. I'd like to create a
> simple report with Calamaris that would show how much bandwidth is being
> saved at our company as a result of implementing Squid, but I'm having
> trouble trying to figure out the correct syntax.

scalar (scalar.risk.az/scalar095/) is a pretty good fit for this.

> After I installed Calamaris, I thought I'd try creating what I thought
> would be a simple report just to see what a Calamaris report would look
> like, but I apparently didn't use the correct syntax. Here's what I tried
> running from the /var/www/htdocs directory:
>
> cat /var/squid/logs/access.log | calamaris -P 60 calamaris.html
>
> I ended this command after about 15 minutes when it seemed the report was
> just going and going and going...

How many days does your access.log cover? How many requests per second do you get? Given the fact that the latest stable release (2.59) does all the calculations required to display all the reports irrespective of which reports you have chosen to display, it might take a while.

To output HTML you need the -F html switch and you'll need to redirect it to a readable location. Something like...

cat /var/squid/logs/access.log | calamaris -P 60 -F html -b 1 > /var/www/htdocs/calamaris.html

...will give you the 60 minute performance data as html in your htdocs directory and print out a hash mark (#) for every 10,000 lines of the log processed.

> Since Apache is already installed and configured, I'd like to save the
> report as something like: calamaris.html in the /htdocs directory.
>
> Can someone help me with what I'm doing wrong?
>
> Thank you,
> Ed

Chris
RE: [squid-users] block chat
> > > I'm setting up squid proxy to block gtalk & msn, etc...
> > > I found through internet to block port 5223 & 5222 for gtalk
> > > I tried to block by acl block_port 5223 5222 but it didn't block
> > >
> > > plz guide me to block these chat
> > > thanks
>
> squid can only do something when those are tunnelled through squid via
> CONNECT requests or accessed via squid using HTTP (not HTTPS)
> protocol.
> That would require building a list of sites, hosts and ports
> and maintaining it.
>
> Otherwise, you need a content inspector, which hopefully can detect
> what protocol is used.

Assuming HTTP tunnelling, SmartFilter (from Secure Computing) has an IM category. I don't know if it is granular enough to configure different IM types to block, i.e. it might block all IMs or none.
RE: [squid-users] Unable to access a website through Suse/Squid.
Wed 2008-04-02 at 15:43 -0400, Terry Dobbs wrote:
> Ok folks, here is my packet capture; I included only the transmissions
> between the 2 relevant devices (SUSE Server and the problematic
> website).

The capture looks very much like the issues seen with window scaling, but there is no window scaling in this trace... A bit confused..

Guessing wildly here, but my first action would be to upgrade the kernel just in case it's a known tcp problem which has been worked around already..

Another thing you can try is to decrease the window size to a very small size

/sbin/ip route add 63.148.24.5 via your.internet.gateway window 1480

this isn't optimal for performance, but may work around certain broken firewalls if there is packet reordering at play..

You can also try lowering the MSS, in case there is an MTU blackhole...

/sbin/ip route add 63.148.24.5 via your.internet.gateway mss 496

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Hi,

I got the capture working, and sent you the file earlier on. When I tried sending it to the list it kept bouncing back. It is very small, and I zipped it up.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2008 5:54 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

Wed 2008-04-02 at 11:56 -0400, Terry Dobbs wrote:
> Also, when running ethereal it doesn't seem to be capturing web traffic,
> catching lots of ARP, but nothing web related. When running on Windows
> behind the SUSE box I can capture web traffic, is there something
> obvious I am missing here?

Should just work. Try capturing on the "Any" interface, in case traffic isn't going the direction you think..

Regards
Henrik
Re: [squid-users] Transparent Proxy and iTunes/WinAmp
I've never had that happen at my place, and I've been running a transparent proxy for quite some time. Could it maybe be the client is not sending all the headers required? What happens if you try to connect to the same streams with a browser (Shout/Ice cast streams should load a web page about them)?

TB

Adam Goldberg wrote:
> Hi --
>
> For some reason, whenever clients try to connect to music streams on port
> 80 through my transparent proxy, they receive the error:
>
> HTTP/1.0 5.2 Bad Gateway
>
> I wonder what's going on here. I wonder if IPTABLES can somehow detect the
> difference between a browser request and a music client request, although
> they both run on 80. Or perhaps, I need to change something in squid.conf?
>
> Thanks for your help,
> Adam

** This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender. **
Re: [squid-users] Reverse Proxy and Oracle applications
Wed 2008-04-02 at 10:31 -0400, James Wenzel wrote:
> http_port 8000 accel defaultsite=my.website.com:8000
> cache_peer 10.1.140.200 parent 8000 0 no-query originserver name=auth
> http_port 9000 accel defaultsite=my.website.com:9000
> cache_peer 10.1.140.200 parent 9000 0 no-query originserver name=app

You also need cache_peer_access telling Squid what to send to each peer.. if not they are both considered equal. Squid does not do any automagic pattern matching on the peers to guess which peer to use.

Regards
Henrik
Re: [squid-users] cache "big" images ans use it on the LAN
Wed 2008-04-02 at 15:46 +0300, Rakotomandimby Mihamina wrote:
> I noticed that if multiple local clients query the same resource image
> at almost the same time, squid delivers the cached resource.
> But if the workstations request it one after the other, they all take it
> from the big internet, and it lags a lot.

Sounds like the banner may have expired from the cache. Probably due to the web site not allowing it to be cached for very long..

An example URL of an object where you see this would help..

Regards
Henrik
Re: [squid-users] upgrade process
Wed 2008-04-02 at 08:22 -0400, Allen Schmidt Sr. wrote:
> We currently are on SUSE and squid is the only thing on this box.
> Version 2.5.STABLE10
>
> How hard is it to upgrade to more recent versions? We are only using it
> for caching...in front of a pair of Zope clients.

Forward with clients going out to the Internet or reverse with Internet clients coming in to your web servers?

For forward proxying there is very little to consider when upgrading. Most existing configurations should just work.

For reverse proxy setups there is a bit more as the squid.conf syntax for reverse proxying has changed in 2.6+. The 2.6 release notes try to list all configuration differences, enabling you to build an opinion on how hard it may be to adjust your setup.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Wed 2008-04-02 at 11:56 -0400, Terry Dobbs wrote:
> Also, when running ethereal it doesn't seem to be capturing web traffic,
> catching lots of ARP, but nothing web related. When running on Windows
> behind the SUSE box I can capture web traffic, is there something
> obvious I am missing here?

Should just work. Try capturing on the "Any" interface, in case traffic isn't going the direction you think..

Regards
Henrik
Re: [squid-users] proxy cache with multi back end server !
Wed 2008-04-02 at 09:20 +0200, Mathieu Kretchner wrote:
> Hello all,
>
> I'm trying to follow the how to here :
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> in the section :
> Sending different requests to different back end web servers
>
> And unfortunately I can see only one server.

What do you mean by this?

> I've succeeded to see the first one server with url on squid :
> http://myserv/
> but this url didn't work :
> http://myserv/foo/

What happens?

Regards
Henrik
Re: [squid-users] Pegging CPU with epoll_wait
Wed 2008-04-02 at 13:46 -0500, Ben Hollingsworth wrote:
> restarting squid (maybe a few hours or a few days), it starts pegging
> the CPU at 100%. Running strace on the squid processes scrolls:
>
> epoll_wait(3, {}, 256, 0) = 0
>
> as fast as my screen will scroll. Restarting squid makes it settle down
> again for a while.

This (timeout 0) indicates Squid probably thinks there is some timed event that it needs to attend to. Exactly what is hard to say, but it should in such case be visible using cachemgr.

squidclient mgr:events

But the best action is probably to record a debug log of what Squid is doing when you see this:

squid -k debug; sleep 1; squid -k debug

then file a bug report and attach your cache.log file.

> This server sees only a few hits an hour. What's
> causing this, and how do I stop it?

To stop it the first step is to identify the cause..

Regards
Henrik
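Henrik's reading of the strace output (zero-timeout epoll_wait calls that return no events) can be turned into a simple detector for ops dashboards or a post-incident triage script. This is an added example, not code from the thread or from Squid; the strace excerpt is constructed to resemble the symptom described, and the 0.5 threshold is an arbitrary choice.

```python
"""Flag a busy-polling event loop from strace output.

An idle spin is an epoll_wait call with timeout 0 that returned 0 ready
descriptors: the process polls without blocking and without finding work,
which is the pattern Henrik attributes to a timed event Squid believes it
still has to service.
"""
import re

# Constructed strace excerpt in the shape the thread describes (not a real capture).
SAMPLE_STRACE = """\
epoll_wait(3, {}, 256, 0) = 0
epoll_wait(3, {}, 256, 0) = 0
epoll_wait(3, {}, 256, 0) = 0
epoll_wait(3, {{EPOLLIN, {u32=11, u64=11}}}, 256, 0) = 1
read(11, "GET / HTTP/1.0\\r\\n", 4096) = 16
epoll_wait(3, {}, 256, 0) = 0
epoll_wait(3, {}, 256, 10) = 0
"""

# epoll_wait(epfd, events, maxevents, timeout_ms) = nready
EPOLL_RE = re.compile(r"^epoll_wait\((\d+), \{.*\}, (\d+), (-?\d+)\)\s*=\s*(-?\d+)")


def classify_epoll_calls(text):
    """Return (total epoll_wait calls, idle zero-timeout spins) for an strace excerpt."""
    total = spins = 0
    for line in text.splitlines():
        m = EPOLL_RE.match(line)
        if not m:
            continue  # other syscalls are not interesting here
        total += 1
        timeout_ms, nready = int(m.group(3)), int(m.group(4))
        if timeout_ms == 0 and nready == 0:
            spins += 1
    return total, spins


def looks_like_busy_loop(text, threshold=0.5):
    """True when at least `threshold` of the epoll_wait calls are idle spins."""
    total, spins = classify_epoll_calls(text)
    return total > 0 and spins / total >= threshold


if __name__ == "__main__":
    print(classify_epoll_calls(SAMPLE_STRACE), looks_like_busy_loop(SAMPLE_STRACE))
```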
[squid-users] Pegging CPU with epoll_wait
I'm running Squid 2.6STABLE6 (the RedHat-distributed version) on a stock RHEL 5.1 64-bit server with kernel 2.6.18-53.1.13.el5. Some time after restarting squid (maybe a few hours or a few days), it starts pegging the CPU at 100%. Running strace on the squid processes scrolls:

epoll_wait(3, {}, 256, 0) = 0

as fast as my screen will scroll. Restarting squid makes it settle down again for a while. This server sees only a few hits an hour. What's causing this, and how do I stop it?

begin:vcard
fn:Ben Hollingsworth
n:Hollingsworth;Ben
org:BryanLGH Health System;Information Technology
adr:;;1600 S. 48th St.;Lincoln;NE;68506;USA
email;internet:[EMAIL PROTECTED]
title:Systems Programmer
tel;work:402-481-8582
tel;fax:402-481-8354
tel;cell:402-432-5334
url:http://www.bryanlgh.org
version:2.1
end:vcard
Re: [squid-users] Why has Sarg has stopped working?
Hmmm. I don't have a /var/log/cron directory or anything that looks like a log file relative to cron within the /var/log directory.

???

Ed

On Wed, Apr 2, 2008 at 9:42 AM, Trevor Akers <[EMAIL PROTECTED]> wrote:
> For #3 /var/log/cron
>
>
>
> -Original Message-
> From: Ed Flecko [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 9:37 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Why has Sarg has stopped working?
>
> Hi folks,
> I'm running Sarg (installed from a package) on OpenBSD 4.2.
>
> It installed fine, and has been running fine for about a week. For
> some reason, it decided to stop working.
>
> I have a cron job to run Sarg every day (50 23 * * *
> /usr/local/bin/sarg -n), and it stopped working. I've looked around
> and I'm not sure where it would be logging its events. So, I thought
> I'd try running the job manually (/usr/local/bin/sarg -n), and I get
> the following output:
>
> /usr/local/bin/sarg[1]: cannot open !DOCTYPE: No such file or directory
> /usr/local/bin/sarg[2]: syntax error: `newline' unexpected
>
> 1. Any suggestions of how to diagnose my problem?
> 2. Where does Sarg write log entries to?
> 3. Just for my information, where do I look for cron job logs to
> diagnose future problems? :-)
>
> Thank you,
> Ed
[squid-users] Why has Sarg has stopped working?
Hi folks,
I'm running Sarg (installed from a package) on OpenBSD 4.2.

It installed fine, and has been running fine for about a week. For some reason, it decided to stop working.

I have a cron job to run Sarg every day (50 23 * * * /usr/local/bin/sarg -n), and it stopped working. I've looked around and I'm not sure where it would be logging its events. So, I thought I'd try running the job manually (/usr/local/bin/sarg -n), and I get the following output:

/usr/local/bin/sarg[1]: cannot open !DOCTYPE: No such file or directory
/usr/local/bin/sarg[2]: syntax error: `newline' unexpected

1. Any suggestions of how to diagnose my problem?
2. Where does Sarg write log entries to?
3. Just for my information, where do I look for cron job logs to diagnose future problems? :-)

Thank you,
Ed
RE: [squid-users] client ip's
The rule I use to redirect traffic from 80 to 8080 is:
I must remember, this was working before 3.0 stable1 or stable2 (not using stable2), I just saw this was happening now.

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080

cisne:~# iptables-save -t nat
# Generated by iptables-save v1.4.0 on Wed Apr 2 17:12:25 2008
*nat
:PREROUTING ACCEPT [35:1650]
:POSTROUTING ACCEPT [10307:1367320]
:OUTPUT ACCEPT [66427:4357431]
-A PREROUTING -d 193.164.158.105/32 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination 192.168.1.11:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.2:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination 192.168.1.3:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -p gre -j ACCEPT
-A PREROUTING -p icmp -j ACCEPT
-A PREROUTING -p ah -j ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
-A PREROUTING -p udp -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport -j ACCEPT
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination 192.168.1.224:30106
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A PREROUTING -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Apr 2 17:12:26 2008

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 2 April 2008 11:42
To: Jorge Bastos
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] client ip's

What do your iptables NAT rules look like?

iptables-save -t nat

Wed 2008-04-02 at 09:18 +0100, Jorge Bastos wrote:
> Transparent proxy
>
> Squid running on: 8080
> And I forward 80 => 8080 (squid) => web
>
> My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
> this started to happen.
>
> > -Original Message-
> > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 2 April 2008 0:12
> > To: Jorge Bastos
> > Cc: squid-users@squid-cache.org
> > Subject: RE: [squid-users] client ip's
> >
> > Tue 2008-04-01 at 12:29 +0100, Jorge Bastos wrote:
> > > No, just squid himself.
> >
> > As a plain proxy, or playing with NAT?
> >
> > Regards
> > Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Hey,

I did the command you mentioned and it didn't seem to make a difference. Is there anything special I need to do after running the command?

Also, when running ethereal it doesn't seem to be capturing web traffic, catching lots of ARP, but nothing web related. When running on Windows behind the SUSE box I can capture web traffic, is there something obvious I am missing here?

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 7:07 PM
To: Terry Dobbs
Cc: J Beris; squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

Tue 2008-04-01 at 18:00 -0400, Terry Dobbs wrote:
> Would you want the trace from the squid server, or from a client behind
> the squid server?
>
> Also, the TCP scaling fix, it was just to add a record to the file
> right?
>
> Also, I tried doing the window scaling again. Is it just as simple as
> creating the file "tcp_default_win_scale" in /proc/sys/net/ipv4?

The simplest way to test if it's window scaling biting the host (or to be correct its firewall) is to disable window scaling.

echo 0 >/proc/sys/net/ipv4/tcp_window_scaling

The sysctls have changed somewhat since the lwn.net article was written many years ago.

Regards
Henrik
[squid-users] Reverse Proxy and Oracle applications
Hey all,

Thanks to Henrik I have gotten pretty far on putting a reverse proxy in front of my oracle apps servers. I have a common back end that uses port 8000 and port 9000. I believe I can get to both ports now successfully. Here is the issue. When the Jinitiator calls from port 8000 to port 9000 in oracle forms, I get "server:9000 was unreachable". Is there anything special I need to put in my config to get this to go? I have seen there were issues in the past, but I am now on 2.6 Stable 19 so I hope those are now gone. My example config is as follows:

http_port 8000 accel defaultsite=my.website.com:8000
cache_peer 10.1.140.200 parent 8000 0 no-query originserver name=auth
http_port 9000 accel defaultsite=my.website.com:9000
cache_peer 10.1.140.200 parent 9000 0 no-query originserver name=app

Any help would be greatly appreciated, and thank you Henrik for getting me this far.

James Wenzel
Enterprise Resource Providers
www.enterpriserp.com
716 310 8236
Re: [squid-users] block chat
> click007 wrote:
> > I'm setting up squid proxy to block gtalk & msn, etc...
> > I found through internet to block port 5223 & 5222 for gtalk
> > I tried to block by acl block_port 5223 5222 but it didn't block
> >
> > plz guide me to block these chat
> > thanks

On 02.04.08 22:04, Amos Jeffries wrote:
> Most chat programs have their own chat Protocol which is _NOT_ HTTP
> Protocol.
>
> You have to block them at the firewall first and only if they start
> using the proxy do you need to block them in squid.

squid can only do something when those are tunnelled through squid via CONNECT requests or accessed via squid using HTTP (not HTTPS) protocol. That would require building a list of sites, hosts and ports and maintaining it.

Otherwise, you need a content inspector, which hopefully can detect what protocol is used.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
[squid-users] Transparent Proxy and iTunes/WinAmp
Hi --

For some reason, whenever clients try to connect to music streams on port 80 through my transparent proxy, they receive the error:

HTTP/1.0 502 Bad Gateway

I wonder what's going on here. I wonder if iptables can somehow detect the difference between a browser request and a music client request, although they both run on 80. Or perhaps I need to change something in squid.conf?

Thanks for your help,
Adam
[squid-users] cache "big" images ans use it on the LAN
Hi,

I have a very low bandwidth, high latency internet access, but several workstations (on my LAN) sharing that one. I use squid in order to try to cache some "big" (_say_ bigger than 100K) website top banners and other big resources.

I noticed that if multiple local clients query the same resource image at almost the same time, squid delivers the cached resource. But if the workstations request it one after the other, they all take it from the big internet, and it lags a lot.

How should I configure squid (what parameter to set) if I want it to cache and deliver the cached resource for some time interval (say 1 hour for example)? This should only apply to images and flash animations and so on, _not_ to text resources.

Optionally, the same thing for https would be OK, but I can live without https.

Thanks a lot for any help.
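One way to get the behaviour asked for above, as an added squid.conf example for Squid 2.6 (not from the thread, and not the poster's configuration): a refresh_pattern that treats images and Flash objects as fresh for 60 minutes regardless of what the origin's headers say, placed ahead of the stock catch-all rule. The file-extension list, the 60-minute window and the maximum_object_size value are assumptions to adapt.

```squid
# Added example (not from the thread): keep images and Flash fresh for
# one hour, while text/HTML stays on Squid's default refresh rules.
# refresh_pattern is first-match, so these lines must come BEFORE the
# catch-all "refresh_pattern . 0 20% 4320" line.
#
# Fields: regex  min(minutes)  percent  max(minutes)  [options]
#   min 60 / max 60   = the object is fresh for 60 minutes after fetch
#   override-expire   = apply min even if the origin sent an earlier Expires
#   override-lastmod  = apply min even if Last-Modified is very recent
#   reload-into-ims   = turn a browser "reload" into If-Modified-Since
#                       instead of a full refetch over the slow link
#   ignore-reload     = ignore Cache-Control: no-cache sent by the client
refresh_pattern -i \.(gif|jpe?g|png|bmp|ico|swf|flv)(\?.*)?$ 60 100% 60 override-expire override-lastmod reload-into-ims ignore-reload

# Squid's own defaults follow; the catch-all must stay last.
refresh_pattern ^ftp:     1440 20% 10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern .            0 20%  4320

# Make sure a "big" banner actually fits in the cache. The 2.6 default
# maximum_object_size is 4096 KB, plenty for 100 KB images; raise it
# only if the Flash files are larger (value here is an assumption).
maximum_object_size 8192 KB
```

Two caveats for this approach. The override options make Squid serve content the origin has marked stale, which is why the pattern is restricted to static media types; leave out ignore-private and ignore-auth, since those can hand one user's personalised response to another user. URLs containing "?" are still excluded by the stock "cache deny QUERY" rule, so banners served through cgi-bin-style URLs will not be cached unless that ACL is narrowed. Https cannot be cached by a forward proxy at all: CONNECT tunnels are opaque to Squid. If sequential requests keep going to the origin even with this rule, check access.log for TCP_MISS versus TCP_HIT on the same URL and the origin's Cache-Control and Vary headers; a Vary on User-Agent or a Set-Cookie on every response is a common reason a cacheable-looking image is refetched.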
Re: [squid-users] https --> http reverse proxy problem
Mirabello Massimiliano wrote:
> -Original Message-
> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
>
> > The binary package I use has been compiled with option '--with-openssl=/opt/openssl', so I think squid looks for openssl in /opt and doesn't find it. There is a way to instruct squid to look for openssl on other path?
>
> You could re-compile from sources.
>
> OR you could make that path exist as a symlink to where its supposed to be on your system.
>
> I already tried to symlink both the openssl binary and the openssl directory. The error still remains the same. I tried also to add openssl to $PATH.
>
> Any other suggestion?

If that is not working you are stuck with getting a new binary for squid. The best way is usually to build from source code with everything you need and nothing you don't.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
[squid-users] upgrade process
We currently are on SUSE and squid is the only thing on this box. Version 2.5.STABLE10 How hard is it to upgrade to more recent versions? We are only using it for caching...in front of a pair of Zope clients. Just curious. Thanks
RE: [squid-users] Unable to access a website through Suse/Squid.
> I tried connecting from a machine running openSUSE 10.3 (without going
> through a proxy). There is something weird in the first reply from the
> server in the TCP section of the package analysis:

I just tried the same thing, fired up openSUSE 10.3 on a laptop, no proxy. Started Wireshark and did a capture.

> TCP Analysis Flags: A segment before this frame was lost
>
> In the following frames I see:
>
> This frame is a (suspected) retransmission
>
> And then the connection stops. No idea what that means, though. Maybe that
> helps.

I also get a few (suspected) retransmissions, but the page loads normally in Firefox. Don't think those retransmissions point to anything really serious, though. Not serious enough to mess up the loading of the page. After all, the packets were retransmitted and then arrived. Most likely somewhere there is a lack of bandwidth, probably the origin server. Maybe the origin server sometimes suffers under high utilization or lacks bandwidth severely enough to cause empty replies?

> Well, that seems to be a strong hint that something is wrong with this
> server. Could you try from another Linux distribution to rule out it's
> a bug in openSUSE?

I doubt it's a bug in openSUSE. We'd be seeing this with more websites then. It's more likely either something at the origin server...or something at Terry's setup which we haven't identified (yet). I've been using openSUSE 10.2 and 10.3 both since they were released. Haven't had problems with sites not loading or sending empty replies.

HTH,
Joop
Re: [squid-users] Unable to access a website through Suse/Squid.
Hi Terry,

> Yea, im lost on this one. Ethereal doesn't show anything strange, just
> the initial connection request, just doesn't seem to get anything back.

I tried connecting from a machine running openSUSE 10.3 (without going through a proxy). There is something weird in the first reply from the server in the TCP section of the package analysis:

TCP Analysis Flags: A segment before this frame was lost

In the following frames I see:

This frame is a (suspected) retransmission

And then the connection stops. No idea what that means, though. Maybe that helps.

> Doesn't really make sense that only this one site (at least that I know
> of) is having this issue. The SUSE firewall is turned off, network card
> is configured properly, etc...

Well, that seems to be a strong hint that something is wrong with this server. Could you try from another Linux distribution to rule out it's a bug in openSUSE?

Regards,
Peter
--
Peter Albrecht [EMAIL PROTECTED]
Open Source School GmbH          Tel: +49-89-287793-83
Amalienstraße 45 RG              Mob: +49-173-3528664
80799 München                    Fax: +49-89-287555-63
HRB 172645 - Amtsgericht München
Managing directors: Peter Albrecht, Dr. Markus Wirtz
RE: [squid-users] https --> http reverse proxy problem
> -Original Message-
> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
>
> > The binary package I use has been compiled with option
> > '--with-openssl=/opt/openssl', so I think squid looks for
> > openssl in /opt and doesn't find it.
> >
> > There is a way to instruct squid to look for openssl on other path?
>
> You could re-compile from sources.
>
> OR you could make that path exist as a symlink to where its
> supposed to be on your system.
>

I already tried to symlink both the openssl binary and the openssl directory. The error still remains the same. I tried also to add openssl to $PATH.

Any other suggestion?

Massimiliano

Internet Email Confidentiality Footer -
This e-mail and its attachments are intended for the addressee(s) only and are confidential and/or may contain legally privileged information. If you have received this message by mistake or are not one of the addressees above, you may take no action based on it, and you may not copy or show it to anyone; please reply to this e-mail and point out the error which has occurred.
RE: [squid-users] client ip's
What do your iptables NAT rules look like?

iptables-save -t nat

On Wed 2008-04-02 at 09:18 +0100, Jorge Bastos wrote:
> Transparent proxy
>
> Squid running on: 8080
> And I forward 80 => 8080 (squid) => web
>
> My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
> this started to happen.
>
> > -Original Message-
> > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 2 April 2008 0:12
> > To: Jorge Bastos
> > Cc: squid-users@squid-cache.org
> > Subject: RE: [squid-users] client ip's
> >
> > On Tue 2008-04-01 at 12:29 +0100, Jorge Bastos wrote:
> > > No, just squid himself.
> >
> > As a plain proxy, or playing with NAT?
> >
> > Regards
> > Henrik
Re: [squid-users] https --> http reverse proxy problem
Mirabello Massimiliano wrote:
> -Original Message-
> From: Mirabello Massimiliano
>
> > -Original Message-
> > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2008 1:11 AM
> > To: Mirabello Massimiliano
> > Cc: Squid Users
> > Subject: Re: [squid-users] https --> http reverse proxy problem
> >
> > On Tue 2008-04-01 at 17:55 +0200, Mirabello Massimiliano wrote:
> > > My cache.log reports:
> > > 2008/04/01 17:53:50| clientNegotiateSSL: Error negotiating SSL
> > > connection on FD 11: error:140B512D:SSL
> > > routines:SSL_GET_NEW_SESSION:ssl session id callback failed (1/-1)
> >
> > Hmm.. that's a new one.
> >
> > Which version of OpenSSL are you using?
>
> IPAHU016 > openssl version
> OpenSSL 0.9.6k 30 Sep 2003
>
> > Try setting sslcontext=something on your https_port, may make a
> > difference (very related to session ids).
>
> I tried but nothing changed. Still get the same error.
>
> I think I found where the problem is:
>
> IPAHU016 > squid -v
> Squid Cache: Version 2.6.STABLE16
> configure options: '--prefix=/opt/iexpress/squid' '--enable-carp' '--enable-storeio=ufs,null,coss,diskd,aufs' '--enable-pthreads' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-kill-parent-hack' '--enable-snmp' '--enable-cachemgr-hostname' '--enable-htcp' '--enable-forw-via-db' '--enable-cache-digests' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,SMB,MSNT,NCSA,PAM,YP,multi-domain-NTLM' '--enable-ssl' *'--with-openssl=/opt/openssl'* '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-ntlm-fail-open' '--enable-x-accelerator-vary' 'CC=gcc -static-libgcc ' 'CFLAGS=-g' 'LDFLAGS=-Wl,+nodefaultrpath -L/opt/openssl/lib -L/opt/iexpress/openldap/lib -L/usr/local/lib -L/usr/lib' 'CPPFLAGS=-I/opt/iexpress/openldap/include -I/opt/openssl/include'
>
> IPAHU016 > ls -ltr /opt/openssl
> /opt/openssl not found
>
> The binary package I use has been compiled with option '--with-openssl=/opt/openssl', so I think squid looks for openssl in /opt and doesn't find it.
>
> There is a way to instruct squid to look for openssl on other path?

You could re-compile from sources.

OR you could make that path exist as a symlink to where its supposed to be on your system.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Re: [squid-users] block chat
click007 wrote:
> I'm setting up a squid proxy to block gtalk & msn, etc...
> I found on the internet that I should block ports 5223 & 5222 for gtalk.
> I tried to block them with acl block_port 5223 5222 but it didn't block.
>
> Please guide me on how to block these chat programs.
> Thanks

Most chat programs have their own chat protocol which is _NOT_ HTTP protocol.

You have to block them at the firewall first and only if they start using the proxy do you need to block them in squid.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
RE: [squid-users] client ip's
Transparent proxy

Squid running on: 8080
And I forward 80 => 8080 (squid) => web

My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that this started to happen.

> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 2 April 2008 0:12
> To: Jorge Bastos
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] client ip's
>
> On Tue 2008-04-01 at 12:29 +0100, Jorge Bastos wrote:
> > No, just squid himself.
>
> As a plain proxy, or playing with NAT?
>
> Regards
> Henrik
[squid-users] block chat
I'm setting up a squid proxy to block gtalk & msn, etc...
I found on the internet that I should block ports 5223 & 5222 for gtalk.
I tried to block them with acl block_port 5223 5222 but it didn't block.

Please guide me on how to block these chat programs.
Thanks
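The squid.conf side of what Amos and Matus describe in their replies above, as an added example that is not from the thread or from any of the posters: the ACL the original question tried to write has no ACL type, so it is not valid; a port list needs the "port" type, and Squid can only deny what is actually sent to it (a CONNECT tunnel or a plain HTTP request). The dstdomain value is a placeholder to replace with the real chat service hostnames.

```squid
# Added example (not from the thread). Squid only sees traffic that is
# sent to it, so this covers the "they start using the proxy" case;
# clients talking straight to the Internet must be stopped at the firewall.

# "acl block_port 5223 5222" has no ACL type and is rejected at startup.
# A port list needs the "port" type:
acl chat_ports port 5222 5223          # XMPP (Google Talk) client ports
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# http_access is first-match, so these denies go ABOVE any
# "http_access allow" line for your users.
http_access deny CONNECT chat_ports    # no tunnels to the XMPP ports
http_access deny chat_ports            # no plain-HTTP requests to them either
http_access deny CONNECT !SSL_ports    # stock rule: tunnels only to 443

# Optional name-based block for the services' web endpoints.
# ".chat.example.com" is a placeholder, not a real chat server name.
acl chat_sites dstdomain .chat.example.com
http_access deny chat_sites
```

Note that the stock "http_access deny CONNECT !SSL_ports" rule already refuses tunnels to 5222 and 5223 unless someone added those ports to SSL_ports, so if the chat client still connects with this in place, it is not going through Squid at all, which is Amos's point. A quick check is to grep access.log for CONNECT lines to :5222 or :5223; if there are none, the block belongs on the firewall's outbound rules for the LAN. Clients that fall back to port 443 look like any other HTTPS CONNECT to Squid and can only be told apart by destination name, which is what the dstdomain ACL is for.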
RE: [squid-users] https --> http reverse proxy problem
> -Original Message-
> From: Mirabello Massimiliano
>
> > -Original Message-
> > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2008 1:11 AM
> > To: Mirabello Massimiliano
> > Cc: Squid Users
> > Subject: Re: [squid-users] https --> http reverse proxy problem
> >
> > On Tue 2008-04-01 at 17:55 +0200, Mirabello Massimiliano wrote:
> > > My cache.log reports:
> > > 2008/04/01 17:53:50| clientNegotiateSSL: Error negotiating SSL
> > > connection on FD 11: error:140B512D:SSL
> > > routines:SSL_GET_NEW_SESSION:ssl session id callback failed (1/-1)
> >
> > Hmm.. that's a new one.
> >
> > Which version of OpenSSL are you using?
> >
> IPAHU016 > openssl version
> OpenSSL 0.9.6k 30 Sep 2003
>
> > Try setting sslcontext=something on your https_port, may make a
> > difference (very related to session ids).
> >
> I tried but nothing changed. Still get the same error.
>

I think I found where the problem is:

IPAHU016 > squid -v
Squid Cache: Version 2.6.STABLE16
configure options: '--prefix=/opt/iexpress/squid' '--enable-carp' '--enable-storeio=ufs,null,coss,diskd,aufs' '--enable-pthreads' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-kill-parent-hack' '--enable-snmp' '--enable-cachemgr-hostname' '--enable-htcp' '--enable-forw-via-db' '--enable-cache-digests' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,SMB,MSNT,NCSA,PAM,YP,multi-domain-NTLM' '--enable-ssl' *'--with-openssl=/opt/openssl'* '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-ntlm-fail-open' '--enable-x-accelerator-vary' 'CC=gcc -static-libgcc ' 'CFLAGS=-g' 'LDFLAGS=-Wl,+nodefaultrpath -L/opt/openssl/lib -L/opt/iexpress/openldap/lib -L/usr/local/lib -L/usr/lib' 'CPPFLAGS=-I/opt/iexpress/openldap/include -I/opt/openssl/include'

IPAHU016 > ls -ltr /opt/openssl
/opt/openssl not found

The binary package I use has been compiled with option '--with-openssl=/opt/openssl', so I think squid looks for openssl in /opt and doesn't find it.

There is a way to instruct squid to look for openssl on other path?

thanks,
Massimiliano
RE: [squid-users] https --> http reverse proxy problem
> -Original Message-
> From: Diego Woitasen [mailto:[EMAIL PROTECTED]
>
> 2008/4/1, Mirabello Massimiliano <[EMAIL PROTECTED]>:
> >
> > My cache.log reports:
> > 2008/04/01 17:53:50| clientNegotiateSSL: Error negotiating SSL
> > connection on FD 11: error:140B512D:SSL
> > routines:SSL_GET_NEW_SESSION:ssl session id callback failed (1/-1)
> >
>
> Sounds like a Squid certificate problem. Try with openssl
> s_client -connect squidhost:37500, it will display
> certificate info. If it doesn't work, try the generate the
> certificate again.
>

IPAHU016 > openssl s_client -connect ipahu016:37500
CONNECTED(0003)
7721:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I tried to generate certificates with a different openssl version (instead of 0.9.6k) on other host:

>openssl version
OpenSSL 0.9.7a Feb 19 2003

IPAHU016> openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout ipahu016.key -out ipahu016.crt

I tested them with:

IPAHU016> openssl s_server -cert ipahu016.crt -key ipahu016.key -accept 37600 &
IPAHU016> openssl s_client -connect ipahu016:37600
CONNECTED(0003)
depth=0 /C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
   i:/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDHjCCAoegAwIBAgIBADANBgkqhkiG9w0BAQQFADBuMQswCQYDVQQGEwJJVDEO
MAwGA1UECBMFSXRhbHkxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENv
bXBhbnkgTHRkMREwDwYDVQQLEwhpcGFodTAxNjERMA8GA1UEAxMIaXBhaHUwMTYw
HhcNMDgwNDAyMDcxMTQ1WhcNMTgwMzMxMDcxMTQ1WjBuMQswCQYDVQQGEwJJVDEO
MAwGA1UECBMFSXRhbHkxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENv
bXBhbnkgTHRkMREwDwYDVQQLEwhpcGFodTAxNjERMA8GA1UEAxMIaXBhaHUwMTYw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALirqQNwg/crE1xJdRu3w/O6W3UR
CRvYWFNMz29qoZAnEtKSikdlVSwcf8SW2rD7/b0AbzcGlqiM2gMmabksjZMlyumA
mVQRuZu3ACmSo1ltlxSJOvwJS+KK9wK9sSNKQ2dwFwM83yBbkI7fEFq7Ne0r7/5R
/7/0UWfuXd/oBmX3AgMBAAGjgcswgcgwHQYDVR0OBBYEFK9XdN8xgQp8rla/ypCp
v6crjo5YMIGYBgNVHSMEgZAwgY2AFK9XdN8xgQp8rla/ypCpv6crjo5YoXKkcDBu
MQswCQYDVQQGEwJJVDEOMAwGA1UECBMFSXRhbHkxEDAOBgNVBAcTB05ld2J1cnkx
FzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMREwDwYDVQQLEwhpcGFodTAxNjERMA8G
A1UEAxMIaXBhaHUwMTaCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOB
gQAH+WdZiX0nV3CYQ+0dnc+wRQFhOimSpiPDnsKDDRrjKZz6PfAScKI1I8sxQPr/
OXiIhtWbSsUXybHCY62q5Sf2gPY+aFA+RR1EFBRSwPGNe3grK3mUZAbLKnI5RJcw
psfLWcfhkb4jHp9P5fpend+0CA9s8zKUcb5s6s9cZpZSXw==
-----END CERTIFICATE-----
subject=/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
issuer=/C=IT/ST=Italy/L=Newbury/O=My Company Ltd/OU=ipahu016/CN=ipahu016
---
No client certificate CA names sent
---
SSL handshake has read 1230 bytes and written 250 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 3CBCC3021C063F3A93EE818EC90531BD27B88F5FC2FCC4460795EDAA14CBA68F
    Session-ID-ctx:
    Master-Key: 7AC2060C28913035DFC87062171DBB1A07D778843AB73D4862C894E5AA0131BB0958C6361BD190FA6AFA656241D418AC
    Key-Arg   : None
    Start Time: 1207123026
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

> Is you key encrypted? I don't remember if squid support for
> asking a passphrase.
>

No, it's not.

regards,
Massimiliano Mirabello
RE: [squid-users] https --> http reverse proxy problem
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 1:11 AM
> To: Mirabello Massimiliano
> Cc: Squid Users
> Subject: Re: [squid-users] https --> http reverse proxy problem
>
> On Tue 2008-04-01 at 17:55 +0200, Mirabello Massimiliano wrote:
> > My cache.log reports:
> > 2008/04/01 17:53:50| clientNegotiateSSL: Error negotiating SSL
> > connection on FD 11: error:140B512D:SSL
> > routines:SSL_GET_NEW_SESSION:ssl session id callback failed (1/-1)
>
> Hmm.. that's a new one.
>
> Which version of OpenSSL are you using?
>

IPAHU016 > openssl version
OpenSSL 0.9.6k 30 Sep 2003

> Try setting sslcontext=something on your https_port, may make
> a difference (very related to session ids).
>

I tried but nothing changed. Still get the same error.
[squid-users] proxy cache with multi back end server !
Hello all,

I'm trying to follow the how-to here: http://wiki.squid-cache.org/SquidFaq/ReverseProxy in the section "Sending different requests to different back end web servers". And unfortunately I can see only one server. I've succeeded to see the first server with this url on squid: http://myserv/ but this url didn't work: http://myserv/foo/

Any idea?? Thanks for your help!

Here is my squid conf file:

http_port 80 defaultsite=myserv
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
cache_peer 192.168.0.10 parent 80 0 no-query originserver name=server1
cache_peer 192.168.0.11 parent 80 0 no-query originserver name=server2
acl foo urlpath_regex ^/foo
cache_peer_access server1 allow foo
cache_peer_access server2 deny foo
acl devmk_site dstdomain myser
http_access allow devmk_site
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Mathieu Kretchner
INRIA, Syslog
2007 route des lucioles - BP93, Sophia Antipolis, 06902 CEDEX
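The path-based routing pattern the post above is trying to set up, written out with explicit allow/deny pairs, as an added squid.conf example for Squid 2.6 (not the poster's configuration and not the wiki's text). The hostname "myserv" and the two 192.168.0.x addresses are reused from the post as placeholders; the "accel" flag, the tightened regex and the never_direct line are additions of this example.

```squid
# Added example (not the poster's config): one reverse proxy in front of
# two origin servers, routed by URL path. Hostname and addresses are
# placeholders.

# "accel" is the accelerator-mode flag in 2.6 and later; defaultsite
# supplies the Host name for clients that send none.
http_port 80 accel defaultsite=myserv

cache_peer 192.168.0.10 parent 80 0 no-query originserver name=server1
cache_peer 192.168.0.11 parent 80 0 no-query originserver name=server2

# Who may use this proxy at all: only requests for our own site, so the
# accelerator cannot be used as an open relay. dstdomain matches the whole
# host name, so the value must be exactly what clients put in the URL.
acl our_sites dstdomain myserv
http_access allow our_sites
http_access deny all

# Routing. cache_peer_access is first-match per peer, and when no line
# matches the result is the opposite of the last line. Spelling out the
# allow/deny pairs avoids relying on that rule.
# "^/foo" alone also matches /foobar; "(/|$)" limits it to /foo and /foo/...
acl foo urlpath_regex ^/foo(/|$)
cache_peer_access server1 allow foo
cache_peer_access server1 deny all
cache_peer_access server2 deny foo
cache_peer_access server2 allow all

# With originserver peers Squid should never fall back to resolving
# "myserv" itself; a routing gap then shows up as an error, not as a
# request quietly sent somewhere else.
never_direct allow all
```

To verify which origin a request went to, look at the last field of access.log lines in the "squid" log format: it records the hierarchy code and the peer address, for example FIRST_UP_PARENT/192.168.0.10 for the first server. A request for /foo/ that shows the second server's address, or NONE/- with an error status, points at the cache_peer_access lines rather than at the back end.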