Re: [squid-users] Rewrite http to https for owa.
Dwyer, Simon wrote:
> Hey everyone,
>
> I am starting to really get my squid server under control here :)
>
> One last step to have it fully working is to rewrite addresses coming in on http to https. This is for OWA. I have tried to use squirm and have some success. What I need to do is redirect http://mail.domainname.com/ to https://mail.domainname/com/owa. For all reverse proxy requests.
>
> Is there an easier way to do this? I have googled it without much success.
>
> Cheers,
> Simon

Have you tried this: http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess

Maybe with a basic http_port listener instead of the https_port.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Re: [squid-users] Re: Force cache reload for object from browser
Paul Bryson wrote:
> Henrik Nordstrom wrote:
>> Good question how to ask a browser to do a reload of a non-displayable object...
>
> Heck, it doesn't really even need to even be a browser (though that would be most universally useful). I just need some way to tell the proxy to grab a new version of the file.

If you have access to an app that lets you set custom headers (curl, wget, squidclient, etc) you could try sending a request for the object with the header:

    Cache-Control: max-age=0, must-revalidate, proxy-revalidate

and hope that at least one of those mechanisms is available.

Amos
Re: [squid-users] Does anyone know how to make https work?
Brian Lu wrote:
> Hi All
>
> I meet a problem: when I use https to access the web pages, my IE always shows me:
>
> 1. If cache_peer is set up:
>
> 錯誤
> 欲連結之網址(URL)無法正確的傳回
> 當嘗試傳回下面的網址(URL)時: https://www.chb.com.tw/wcm/web/home/index.html
> 發生了下列的錯誤:
> Unsupported Request Method and Protocol
> 尚未支援的要求方式或通訊協定
> Squid does not support all request methods for all access protocols. For example, you can not POST a Gopher request.
> 因為 Squid (網路快取程式)並未支援所有的連結要求方式在各式通訊協定上。 比如說,你不能要求一個 GOPHER 的 POST 連結要求。
> Generated Mon, 21 Apr 2008 05:22:30 GMT by proxy.seed.net.tw (squid/2.5.STABLE11)
>
> 2. If no cache_peer:
>
> ERROR
> The requested URL could not be retrieved
> While trying to retrieve the URL: https://www.chb.com.tw/wcm/web/home/index.html
> The following error was encountered:
> Connection to 210.65.204.245 Failed
> The system returned:
> (71) Protocol error
> The remote host or network may be down. Please try the request again.
> Your cache administrator is .
> Generated Mon, 21 Apr 2008 05:18:30 GMT by 192.168.1.254 (squid/3.0.STABLE2)
>
> My squid version:
>
> [EMAIL PROTECTED] ]# squid -v
> Squid Cache: Version 3.0.STABLE2
> configure options: '--enable-ssl' '--enable-linux-netfilter' '--enable-referer-log'
>
> My squid.conf:
>
> snip
> http_port 3128 transparent
> https_port 3129 cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem transparent
> snip

HTTPS cannot be intercepted transparently in 3.0 or any 2.x. You need to have 3.1 with sslBump enabled for that.

> Does anyone know how to make https work?
> thank you very much~
>
> Best regards,
> Brian Lu

(sorry if my txt is garbled, thunderbird seems not to like unicode editing)

Amos
Re: [squid-users] Chat Apps getting blocked
g f wrote:
> I have a question about your reply:
>
> http_access deny CONNECT !SSL_ports
>
> Shouldn't this deny access to all but SSL_ports 443 and 563? But wouldn't this:
>
> acl Safe_ports port 1025-65535 # unregistered ports
> http_access deny !Safe_ports
>
> allow access on port 5222 (normally default xmpp port). I am curious if I understand the acls properly.

They are all run top-to-bottom with first-match-wins.

So the ... http_access deny !Safe_ports ... does not stop port 5222 access, merely lets it continue down to a later ACL check. Which in this case is ... http_access deny CONNECT !SSL_Ports ... which matches and denies it (CONNECT is being done and 5222 is not in SSL_Ports)

Amos

> Thanks.
>
> On Mon, Apr 21, 2008 at 8:13 AM, Amos Jeffries [EMAIL PROTECTED] wrote:
>> Odhiambo Washington wrote:
>>> Hello List,
>>>
>>> I copycat(ed) a squid.conf from this list a few days ago and did minimal config mods just to allow my network to use it. It works great with youtube caching, but strangely, it blocks MSN/Yahoo chats, but I sincerely cannot see where this is happening.
>>>
>>> The file can be accessed from the following URL: https://212.22.160.35/~wash/squid.conf.txt (I use a self-signed certificate, so please just accept it)
>>>
>>> I get the following in the access log:
>>>
>>> 1208510066.248 7255 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.110.28:1863 - NONE/- text/html
>>> 1208510066.726 7850 192.168.0.150 TCP_DENIED/403 1422 CONNECT 207.46.110.89:1863 - NONE/- text/html
>>> 1208510100.571847 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.110.94:1863 - NONE/- text/html
>>> 1208510119.339 28 192.168.0.150 TCP_DENIED/403 1422 CONNECT 207.46.110.94:1863 - NONE/- text/html
>>> 1208510173.114853 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.108.13:1863 - NONE/- text/html
>>> 1208510216.270668 192.168.0.150 TCP_DENIED/403 1422 CONNECT 207.46.108.85:1863 - NONE/- text/html
>>> 1208510300.314852 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.108.97:1863 - NONE/- text/html
>>> 1208510347.723853 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.108.86:1863 - NONE/- text/html
>>> 1208510371.584823 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.108.66:1863 - NONE/- text/html
>>> 1208510408.981 20 192.168.0.150 TCP_DENIED/403 1422 CONNECT 207.46.108.97:1863 - NONE/- text/html
>>> 1208510413.535 1673 192.168.0.106 TCP_DENIED/403 1422 CONNECT 207.46.108.93:1863 - NONE/- text/html
>>> 1208510488.270 19 192.168.0.106 TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 - NONE/- text/html
>>> 1208510609.843 0 192.168.0.117 TCP_DENIED/403 1426 CONNECT talk.google.com:5222 - NONE/- text/html
>>> 1208510609.844 0 192.168.0.117 TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 - NONE/- text/html
>>> 1208510616.495 0 192.168.0.117 TCP_DENIED/403 1426 CONNECT talk.google.com:5222 - NONE/- text/html
>>> 1208510617.057 1 192.168.0.117 TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 - NONE/- text/html
>>> 1208510637.734 20 192.168.0.106 TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 - NONE/- text/html
>>> 1208510643.865 31 192.168.0.106 TCP_DENIED/403 1438 CONNECT messenger.hotmail.com:1863 - NONE/- text/html
>>> 1208510676.014 0 192.168.0.117 TCP_DENIED/403 1430 CONNECT scs.msg.yahoo.com:5050 - NONE/- text/html
>>>
>>> snip
>>>
>>> Where in the acls is this coming from?
>>
>> You have: http_access deny CONNECT !SSL_ports
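
[Added example, not part of the thread and not Squid's own code.] The top-to-bottom, first-match-wins evaluation described in the reply above, modelled in Python for the port, method and src ACL types only. Both configurations, the localnet range and the ACL name chat_ports are constructed for illustration.

```python
import ipaddress

# Constructed squid.conf fragment modelled on the rules quoted in the thread.
BASE = """\
acl localnet src 192.168.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl Safe_ports port 1025-65535   # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Same file with a hypothetical chat_ports ACL allowed ahead of the CONNECT deny.
FIXED = BASE.replace(
    "http_access deny CONNECT !SSL_ports",
    "acl chat_ports port 1863 5050 5222\n"
    "http_access allow CONNECT chat_ports localnet\n"
    "http_access deny CONNECT !SSL_ports",
)


def parse_conf(text):
    """Return (acls, rules) from acl / http_access lines; comments are dropped."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            # Repeated "acl NAME ..." lines add values to the same ACL.
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, method, port, client):
    """Test one named ACL against a request (method, destination port, client IP)."""
    if name == "all":  # treated here as a built-in that matches every request
        return True
    kind, values = acls[name]
    if kind == "method":
        return method in values
    if kind == "src":
        addr = ipaddress.ip_address(client)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for value in values:
            low, _, high = value.partition("-")
            if int(low) <= port <= int(high or low):
                return True
        return False
    raise ValueError(f"ACL type not modelled here: {kind}")


def evaluate(conf, method, port, client):
    """Return (action, rule_number) of the first http_access line that matches."""
    acls, rules = parse_conf(conf)
    for number, (action, terms) in enumerate(rules, 1):
        # Every ACL on the line must match (AND); a leading "!" negates one.
        if all(acl_matches(acls, t.lstrip("!"), method, port, client)
               != t.startswith("!") for t in terms):
            return action, number
    raise LookupError("no http_access line matched; end the list with 'deny all'")


if __name__ == "__main__":
    for label, conf in (("before", BASE), ("after", FIXED)):
        for method, port in (("CONNECT", 443), ("CONNECT", 5222), ("CONNECT", 8080)):
            print(label, method, port, evaluate(conf, method, port, "192.168.0.117"))
```

In the first configuration CONNECT to port 5222 passes the Safe_ports line and is denied by the second http_access line; in the second it is allowed only for clients in localnet, and CONNECT to any other non-SSL port is still denied.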
Re: [squid-users] Chat Apps getting blocked
Odhiambo Washington wrote:
> snip
>>> Hi Amos,
>>>
>>> Thank you so much. This now works after I created an ACL for them.
>>>
>>> PS: Does everyone on this list get some e-mail from ANTIGEN blah on some exchange server whenever they send mail to the list or is it just me?
>>
>> You're the first to mention it about Antigen. I usually get 'bad word filter' messages from a bunch of schools when I mention 127.x.x.x/8 or the like.
>>
>> If you check one of the bounces you should be able to see if it's directly to you or through the list. Anything like this going through the list needs reporting to [EMAIL PROTECTED]
>
> For every post to the list, I get a response with the following data in the body:
>
> begin quote
> Microsoft Antigen for Exchange found a message matching a filter. The message is currently Identified.
> Message: SUSPECT MAIL_ _squid_users_ Access Controls using MAC address
> Filter name: KEYWORD= profanity: bastards;sexual discrimination: bastards
> Sent from: Odhiambo Washington
> Folder: SMTP Messages\Inbound
> Location: tesco/First Administrative Group/SW2KE
> /end quote
>
> It's very annoying and I always wonder if squid-users is hosted on a M$ Exchange platform:-)
> Anyone has a clue as to why I always get this?

Mails you send to the list have you as the sender. One of the other list members is behind an annoying 'bad words' filter. You should try to let them know it's broken. Or worst-case respond in kind by blocking their email to you.

Amos
[squid-users] Still issues accessing external site on port 2095
Hi all

Still having issues trying to access an external website on port 2095. I know it's a squid issue per se because if I set a firewall rule to allow direct access to the site and add an exception in the proxy settings of IE it works fine.

The error I get in IE is

    While trying to retrieve the URL: http://gcredrooster.com.au:2095/
    The following error was encountered:
    Connection Failed
    The system returned:
    (111) Connection refused
    The remote host or network may be down. Please try the request again

In the access.log file on the squid server I am seeing

    1208841189.402688 192.168.1.21 TCP_MISS/301 395 GET http://gcredrooster.com.au/webmail - DIRECT/205.234.128.149 application/cgi
    1208841189.591183 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
    1208846748.431168 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html

Any more suggestions would be most welcome

Scott
Re: [squid-users] Still issues accessing external site on port 2095
Thompson, Scott (WA) wrote:
> Hi all
>
> Still having issues trying to access an external website on port 2095. I know it's a squid issue per se because if I set a firewall rule to allow direct access to the site and add an exception in the proxy settings of IE it works fine.
>
> The error I get in IE is
>
> While trying to retrieve the URL: http://gcredrooster.com.au:2095/
> The following error was encountered:
> Connection Failed
> The system returned:
> (111) Connection refused
> The remote host or network may be down. Please try the request again
>
> In the access.log file on the squid server I am seeing
>
> 1208841189.402688 192.168.1.21 TCP_MISS/301 395 GET http://gcredrooster.com.au/webmail - DIRECT/205.234.128.149 application/cgi
> 1208841189.591183 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
> 1208846748.431168 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
>
> Any more suggestions would be most welcome

503 means your squid still has ACL blocking outgoing requests to that port. The access log shows it's now coming in from the browser properly.

If you can't tell from reading the squid.conf what lines are denying the request (probably it's not listed in Safe_Ports) then a look at cache.log with debug_options 28,8 will show you what the ACL are all doing.

Amos
Re: [squid-users] Problem with Restarted Squid Stable 2.6_19 Add
Nicole wrote:
> On 21-Apr-08 My Secret NSA Wiretap Overheard Adrian Chadd Saying :
>> On Sun, Apr 20, 2008, Nicole wrote:
>>>> I took a look at this over the weekend (whilst looking at other stuff in the storage code) and I could -probably- make the AUFS swaplog parsing case much faster. I've just got other priorities at the moment (ie, lots more cleaning up before I start breaking things in creative ways.)
>>>
>>> Is this perhaps a recent change? I never noticed this until I upgraded. (from -16 I think) I tried downgrading once after a reboot, however I got the same results when I tried to restart it. But other servers I have, with older revs, don't have this problem.
>>
>> It's been like this forever. How big are your swaplog files in each of your cache dirs? Do you periodically rotate the logfiles? (squid -k rotate)
>
> Hi
>
> The swaplog files are about 156 megs. Although I have some servers that have swaplogs that are 1.6 gigs but are fine as the servers have never been restarted.

The size of the swaplog / swap.state files won't matter (on 64-bits machines anyway) until a restart or rotate is needed. Then it may crunch on re-processing.

> I have never run squid -k rotate. I have another server that just started exhibiting the same sort of behaviour of slowing down. I tried lowering the available disk size to force it trim some files and did a squid -k rotate but it was still slow.

Ah, that is part of the problem then. swap.state 'log' are not true logs, but a journal of cache operations. -k rotate performs a cleanup of the cache and shrinks the journals down to what's actually still present in cache. Alongside rotating the real log files.

You need to complete at least one full rotate/restart for the ancient data to be removed from cache+journals before any speed problems can be meaningfully judged. If it is still going slow on a second restart/rotate that's an issue to look into.

Going by the problems you are encountering each time it happens, I'd do the machines one by one and ensure each finishes and is okay before moving to the next server.

> It's getting to be kind of a drag having to constantly wipe out the cache every few months when they get to a larger size. The disks are 146 Gig and are only 56% full. I am trying to keep lowering the allotted available cache size to see if there is a sweet spot.
>
> How often should squid -k rotate be used. It seems like there are various opinions on its usage and frequency.

Theoretically daily is best. But in real-usage it depends on the server load and traffic. Gaps as long as monthly might be okay.

Amos
Re: [squid-users] Rewrite http to https for owa.
Hi,

At 02:54 22/04/2008, Dwyer, Simon wrote:
> Hey everyone,
>
> I am starting to really get my squid server under control here :)
>
> One last step to have it fully working is to rewrite addresses coming in on http to https. This is for OWA. I have tried to use squirm and have some success. What I need to do is redirect http://mail.domainname.com/ to https://mail.domainname/com/owa. For all reverse proxy requests.
>
> Is there an easier way to do this? I have googled it without much success.

I think that this could help you: http://support.microsoft.com/kb/327800/en-us

But I'm not sure if all the OWA functionality works fine rewriting the path of the URL.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] Re: Force cache reload for object from browser
On Mon, 2008-04-21 at 16:01 -0500, Paul Bryson wrote:
> Heck, it doesn't really even need to even be a browser (though that would be most universally useful). I just need some way to tell the proxy to grab a new version of the file.

Pretty much any command line client will do fine.. wget / squidclient / curl, etc...

    wget --no-cache ...
    squidclient -r
    curl -H "Cache-Control: no-cache"

With squidclient you can also tell Squid to forget about the cached file without fetching a new copy

    squidclient -m PURGE http://

(subject to http_access restrictions)

Regards
Henrik
Re: [squid-users] Problem with Restarted Squid Stable 2.6_19 Add
On Tue, 2008-04-22 at 20:29 +1200, Amos Jeffries wrote:
> The size of the swaplog / swap.state files won't matter (on 64-bits machines anyway) until a restart or rotate is needed. Then it may crunch on re-processing.

Only on restart. On rotate Squid just spews out what it has in memory, discarding the on-disk copy.

But note that as this very rapidly touches all of the Squid in-memory index it may result in a noticeable level of paging activity unless you have disabled the swap... (most modern OSes aren't very friendly to apps using a lot of memory, like Squid...)

Regards
Henrik
Re: [squid-users] Rewrite http to https for owa.
On Tue, 2008-04-22 at 10:54 +1000, Dwyer, Simon wrote:
> I am starting to really get my squid server under control here :)
>
> One last step to have it fully working is to rewrite addresses coming in on http to https. This is for OWA.

You want to redirect the user to https if he accidentally requested http?

Many ways for doing that.. deny_info, url_rewriter, maybe more..

Regards
Henrik
Re: [squid-users] Still issues accessing external site on port 2095
On Tue, 2008-04-22 at 20:14 +1200, Amos Jeffries wrote:
>> While trying to retrieve the URL: http://gcredrooster.com.au:2095/
>> The following error was encountered:
>> Connection Failed
>> The system returned:
>> (111) Connection refused
>> The remote host or network may be down. Please try the request again
>>
>> 1208841189.591183 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
>> 1208846748.431168 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
>
> 503 means your squid still has ACL blocking outgoing requests to that port. The access log shows it's now coming in from the browser properly.

No it doesn't.. that's TCP_DENIED/403...

More likely a firewall problem, or the server doesn't like modern TCP/IP implementations (I.e. ECN or Window Scaling issues).

Regards
Henrik
[squid-users] HowTO ReWrite Destination IP?
Hi,

I use Squid as a transparent proxy/interceptor and I'd like to do the following.

When a request comes and squid resolves it to the IP X.X.X.X, I'd like to change that IP to Y.Y.Y.Y

Is this possible?

The reason is, the IP X.X.X.X has a QoS policy applied and IP Y.Y.Y.Y, that way, I can access the webserver the maximum speed of the webserver.

Thanks in advance,
Jorge
Re: [squid-users] HowTO ReWrite Destination IP?
You can add the web site with ip Y.Y.Y.Y in /etc/hosts

On Tue, 2008-04-22 at 14:40 +0100, Jorge Bastos wrote:
> Hi,
>
> I use Squid as a transparent proxy/interceptor and I'd like to do the following.
>
> When a request comes and squid resolves it to the IP X.X.X.X, I'd like to change that IP to Y.Y.Y.Y
>
> Is this possible?
>
> The reason is, the IP X.X.X.X has a QoS policy applied and IP Y.Y.Y.Y, that way, I can access the webserver the maximum speed of the webserver.
>
> Thanks in advance,
> Jorge
RE: [squid-users] HowTO ReWrite Destination IP?
An option, but good, I'd had to do that for each new site and for the hundred already installed.

No other way? There's no DNS server that can do this?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 April 2008 16:56
To: Jorge Bastos
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] HowTO ReWrite Destination IP?

You can add the web site with ip Y.Y.Y.Y in /etc/hosts

On Tue, 2008-04-22 at 14:40 +0100, Jorge Bastos wrote:
> Hi,
>
> I use Squid as a transparent proxy/interceptor and I'd like to do the following.
>
> When a request comes and squid resolves it to the IP X.X.X.X, I'd like to change that IP to Y.Y.Y.Y
>
> Is this possible?
>
> The reason is, the IP X.X.X.X has a QoS policy applied and IP Y.Y.Y.Y, that way, I can access the webserver the maximum speed of the webserver.
>
> Thanks in advance,
> Jorge
Re: [squid-users] Rewrite http to https for owa.
Dwyer, Simon wrote:
> One last step to have it fully working is to rewrite addresses coming in on http to https. This is for OWA. I have tried to use squirm and have some success. What I need to do is redirect http://mail.domainname.com/ to https://mail.domainname/com/owa. For all reverse proxy requests.
>
> Is there an easier way to do this? I have googled it without much success.

Here's how I do exactly that. In squid.conf:

    url_rewrite_program /usr/local/bin/rewrite-http

and then:

    % cat /usr/local/bin/rewrite-http
    #!/usr/bin/perl
    #
    # URL rewriter for squid to convert HTTP requests to HTTPS.
    # Return an HTTP permanent redirect back to the browser.
    # http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
    #
    $| = 1;                        # unbuffered output, one reply per request line
    while (<STDIN>) {              # squid writes one request per line on stdin
        s/^http:/301:https:/;      # replace http with https
        print;
    }

--
begin:vcard
fn:Ben Hollingsworth
n:Hollingsworth;Ben
org:BryanLGH Medical Center;Information Technology
adr:;;1600 S. 48th St.;Lincoln;NE;68506-1275;USA
email;internet:[EMAIL PROTECTED]
title:Systems Programmer
tel;work:402-481-8582
tel;fax:402-481-8354
url:http://www.bryanlgh.org
version:2.1
end:vcard
Re: [squid-users] HowTO ReWrite Destination IP?
Install named on the squid box, configure it with the necessary zones and associate names to Y.Y.Y.Y IPs ? This way, normal DNS resolve to X.X.X.X, and your local DNS resolves to Y.Y.Y.Y . You might also implement split horizon DNS (use google).

F

On Tue, 22 Apr 2008 17:12:03 +0100 Jorge Bastos [EMAIL PROTECTED] wrote:
> An option, but good, I'd had to do that for each new site and for the hundred already installed.
>
> No other way? There's no DNS server that can do this?
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 22 April 2008 16:56
> To: Jorge Bastos
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] HowTO ReWrite Destination IP?
>
> You can add the web site with ip Y.Y.Y.Y in /etc/hosts
>
> On Tue, 2008-04-22 at 14:40 +0100, Jorge Bastos wrote:
>> Hi,
>>
>> I use Squid as a transparent proxy/interceptor and I'd like to do the following.
>>
>> When a request comes and squid resolves it to the IP X.X.X.X, I'd like to change that IP to Y.Y.Y.Y
>>
>> Is this possible?
>>
>> The reason is, the IP X.X.X.X has a QoS policy applied and IP Y.Y.Y.Y, that way, I can access the webserver the maximum speed of the webserver.
>>
>> Thanks in advance,
>> Jorge
[squid-users] Can squid cache more than just http?
Hello,

I've recently decided to start a project of being logging traffic to and from a VPN tunnel I have. I want to be able to log all traffic not just http. I've found numerous how to docs on setting up a transparent proxy and cache for web traffic, but nothing along the lines of what I'm looking to do. Is this even a possibility with Squid? I would like to setup the proxy behind the VPN router to log unencrypted traffic with source destination and port. Any help would be greatly appreciated.

Thanks,
Nick
Re: [squid-users] Can squid cache more than just http?
Nicholas Lehman wrote:
> Hello,
>
> I've recently decided to start a project of being logging traffic to and from a VPN tunnel I have. I want to be able to log all traffic not just http. I've found numerous how to docs on setting up a transparent proxy and cache for web traffic, but nothing along the lines of what I'm looking to do. Is this even a possibility with Squid? I would like to setup the proxy behind the VPN router to log unencrypted traffic with source destination and port. Any help would be greatly appreciated.

As you already noticed, squid is a http proxy and, thus, cannot cache non-http data.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
[squid-users] Failure URL
Hello Group,

I currently have a set of rules such that a certain range of IP addresses have ZERO internet access. However, I would like to use the Failure URL feature to send a customized message to the users at these denied IP addresses. The problem seems to be, since they have no access they can't get to the failure URL. Something of an infinite loop.

Any work-around?

TIA! :)

Davan Wong
World Health Club
Information Technology Department
Re: [squid-users] Failure URL
Davan Wong wrote:
> Hello Group,
>
> I currently have a set of rules such that a certain range of IP addresses have ZERO internet access. However, I would like to use the Failure URL feature to send a customized message to the users at these denied IP addresses. The problem seems to be, since they have no access they can't get to the failure URL. Something of an infinite loop.
>
> Any work-around?

Allow them access to the error URL.

And don't hijack threads by replying to one with a completely different topic. You are lucky anyone saw your message.

Amos
Re: [squid-users] Still issues accessing external site on port 2095
Henrik Nordstrom wrote:
> On Tue, 2008-04-22 at 20:14 +1200, Amos Jeffries wrote:
>>> While trying to retrieve the URL: http://gcredrooster.com.au:2095/
>>> The following error was encountered:
>>> Connection Failed
>>> The system returned:
>>> (111) Connection refused
>>> The remote host or network may be down. Please try the request again
>>>
>>> 1208841189.591183 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
>>> 1208846748.431168 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
>>
>> 503 means your squid still has ACL blocking outgoing requests to that port. The access log shows it's now coming in from the browser properly.
>
> No it doesn't.. that's TCP_DENIED/403...
>
> More likely a firewall problem, or the server doesn't like modern TCP/IP implementations (I.e. ECN or Window Scaling issues).

Arg. Thanks Henrik.

Amos
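
[Added example, not part of the thread.] A small triage pass over native-format access.log lines that keeps apart the two outcomes this thread distinguishes: TCP_DENIED/403, a refusal by http_access, and a 503 logged with NONE/-, where the request was accepted and the failure came while forwarding. The sample lines are constructed, modelled on the entries quoted on this page, and the verdict names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log fields: time elapsed client code/status bytes
# method URL ident hierarchy/peer content-type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample. The last line keeps the fused time/elapsed field seen in
# the archived copies, to show how a damaged line is reported.
SAMPLE = """\
1208510609.843      0 192.168.0.117 TCP_DENIED/403 1426 CONNECT talk.google.com:5222 - NONE/- text/html
1208510616.495      0 192.168.0.117 TCP_DENIED/403 1426 CONNECT talk.google.com:5222 - NONE/- text/html
1208841189.402    688 192.168.1.21 TCP_MISS/301 395 GET http://gcredrooster.com.au/webmail - DIRECT/205.234.128.149 application/cgi
1208841189.591    183 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
1208846748.431168 192.168.1.21 TCP_MISS/503 1440 GET http://gcredrooster.com.au:2095/ - NONE/- text/html
"""


def destination(method, url):
    """Return (host, port) for a CONNECT authority or an absolute URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def verdict(entry):
    """Classify one parsed log entry."""
    if entry["code"] == "TCP_DENIED":
        # 403 is the http_access refusal; other statuses are kept apart.
        return "acl_denied" if entry["status"] == "403" else "denied_other"
    if entry["status"] == "503" and entry["hier"] == "NONE":
        # Not an http_access refusal: the failure happened while forwarding.
        return "forward_failed"
    return "other"


def triage(text):
    """Return (Counter keyed by (verdict, host, port), list of unparsed lines)."""
    counts, unparsed = Counter(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE.match(line)
        if not match:
            unparsed.append(line)
            continue
        entry = match.groupdict()
        host, port = destination(entry["method"], entry["url"])
        counts[(verdict(entry), host, port)] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = triage(SAMPLE)
    for (kind, host, port), n in sorted(counts.items()):
        print(f"{kind:15} {host}:{port} x{n}")
    print("unparsed lines:", len(unparsed))
```

An acl_denied entry points at squid.conf; a forward_failed entry points at the path between the proxy and the destination.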
Re: [squid-users] Failure URL
On Tue, 2008-04-22 at 16:42 -0600, Davan Wong wrote:
> Hello Group,
>
> I currently have a set of rules such that a certain range of IP addresses have ZERO internet access. However, I would like to use the Failure URL feature to send a customized message to the users at these denied IP addresses. The problem seems to be, since they have no access they can't get to the failure URL. Something of an infinite loop.
>
> Any work-around?

Allow them to access the failure URL via the proxy.

Regards
Henrik
RE: [squid-users] Failure URL
> I currently have a set of rules such that a certain range of IP addresses have ZERO internet access. However, I would like to use the Failure URL feature to send a customized message to the users at these denied IP addresses. The problem seems to be, since they have no access they can't get to the failure URL. Something of an infinite loop.

Do you mean no access to the internet or to the proxy?

If you mean no access to the internet you could use WCCP on a router that sits somewhere along the default route path to intercept the request and send it to squid where you would have an ACL that captures the requests and presents the failure page.

I think we need more info - are you using interception/proxy.pac etc
Re: [squid-users] Can't access this site using squid-2.6.19
Andy Low wrote:
> Hi,
>
> Let me clarify for this site: www.ura.gov.sg. For Internet Explorer, I can't see the page at all. For Firefox, I can see the page but it is still loading and seems like not finish yet.
>
> I have no problem if I bypass Squid, is there a bug with Squid?

Nope. This is a TCP window scaling issue (http://en.wikipedia.org/wiki/TCP_window_scale_option). Most likely a broken firewall on the far end. See http://www.squid-cache.org/mail-archive/squid-users/200703/0190.html for a reasonably elegant solution on Linux.

> Thanks,
> Andy

Chris
[squid-users] tcp_denied
Hello,

We have observed that on our system there is a link of dss1.siteadvisor.com generating background requests and hence we were getting an error in the access.log file. The error was TCP_DENIED/400 error:invalid request.

Our proxy server is configured with authentication. When we enable the transparent setting in http_port, the log was showing lots of requests going to http://dss1.siteadvisor.com:3128/DSS/Ping? etc.. When we disable transparent it was showing the error as mentioned above.

I could not find out why squid generates such an error. We stopped the siteadvisor service on the system and everything is fine.

Any idea why squid generates such an error? How to overcome this?

Jigar