Re: [squid-users] SSL Accel - Reverse Proxy
The authoritative documentation is squid.conf.default, or the copy found
online on squid-cache.org.

http://www.squid-cache.org/Versions/v2/2.6/cfgman/cache_peer.html

Regards
Henrik

On Mon, 2008-05-05 at 11:25 -0700, Tory M Blue wrote:
> visolve documentation
>
> front-end-https
>
> >to enable the "Front-End-Https: On" header needed when using Squid
> as a SSL frontend in front of Microsoft OWA.
> See MS KB document Q307347 for details on this header. If set to auto
> then the header will only be added if the
> request is forwarded as a https://URL.
>
> So maybe the docs have been updated since, but there were no options
> specified in the 2.6 configuration manual from visolve
>
> Thanks for the pointer!
>
> Tory
>
> On Mon, May 5, 2008 at 11:14 AM, Henrik Nordstrom
> <[EMAIL PROTECTED]> wrote:
> > On Mon, 2008-05-05 at 09:23 -0700, Tory M Blue wrote:
> >
> > > Either I have this implemented wrong (more likely). Or the directive
> > > is not quite right.
> >
> > Quote from the documentation:
> >
> >   front-end-https[=on|auto]
> >
> >   use front-end-https to enable the "Front-End-Https: On"
> >   header needed when using Squid as a SSL frontend in front
> >   of Microsoft OWA. See MS KB document Q307347 for details
> >   on this header. If set to auto the header will
> >   only be added if the request is forwarded as a https://
> >   URL.
> >
> > Or in other words set it to auto and it will behave as you like it to.
> >
> > Regards
> > Henrik
Re: [squid-users] Reverse proxy with URL rewriting
Thank you for the explanations.

I made squid work with url rewriting. But I've got another problem:
each web server uses cookie methods and I need to rewrite the Cookie
path too. Is it possible? I didn't find a solution in the FAQ.

example :

Web server1 >> squid :
HTTP/1.1 200 OK
Set-Cookie: cookie=[Token]; Path=/

squid >> user:
HTTP/1.1 200 OK
Set-Cookie: cookie=[Token]; Path=/serv1

Mathieu: That's my configuration:

squid.conf
--
http_port :80 vhost no-connection-auth
acl serv1-path urlpath_regex \/serv1(\/|$)
acl serv2-path urlpath_regex \/serv2(\/|$)
url_rewrite_host_header off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny !serv1-path !serv2-path
http_reply_access allow all
http_access allow manager localhost
http_access deny manager
always_direct allow all
url_rewrite_program /etc/squid/redirector.pl
url_rewrite_children 5
http_access deny all

/etc/squid/redirector.pl

#!/usr/bin/perl -p
# Unbuffered output, so Squid receives each rewritten URL immediately.
BEGIN { $|=1; }
# Map the public path prefix to the internal server. With -p the line is
# printed on "next", so the first matching rule wins.
s%^http://squid.ext.com/serv1%http://server1.intranet.com% && next;
s%^http://squid.ext.com/serv2%http://server2.intranet.com% && next;

regards
Sylvain
Re: [squid-users] SSL Accel - Reverse Proxy
On Mon, 2008-05-05 at 09:23 -0700, Tory M Blue wrote:

> Either I have this implemented wrong (more likely). Or the directive
> is not quite right.

Quote from the documentation:

  front-end-https[=on|auto]

  use front-end-https to enable the "Front-End-Https: On"
  header needed when using Squid as a SSL frontend in front
  of Microsoft OWA. See MS KB document Q307347 for details
  on this header. If set to auto the header will
  only be added if the request is forwarded as a https://
  URL.

Or in other words set it to auto and it will behave as you like it to.

Regards
Henrik
Re: [squid-users] SSL Accel - Reverse Proxy
On Mon, May 5, 2008 at 9:23 AM, Tory M Blue <[EMAIL PROTECTED]> wrote:
>
> On Fri, May 2, 2008 at 6:17 PM, Henrik Nordstrom
> <[EMAIL PROTECTED]> wrote:
> > On Wed, 2008-04-30 at 11:10 -0700, Tory M Blue wrote:
> > > I was wondering if there was a way for Squid to pass on some basic
> > > information to the server citing that the original request was Secure,
> > > so that the backend server will respond correctly.
> >
> > Yes. See the front-end-https cache_peer option.
>
> Thanks Henrik
>
> Either I have this implemented wrong (more likely). Or the directive
> is not quite right.

Found it, not quite clear in the documentation but I read the
description again. "If set to auto", so there are actually options, so I
set it to =auto and that works!

Thanks
Tory
Re: [squid-users] SSL Accel - Reverse Proxy
On Fri, May 2, 2008 at 6:17 PM, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Wed, 2008-04-30 at 11:10 -0700, Tory M Blue wrote:
> > I was wondering if there was a way for Squid to pass on some basic
> > information to the server citing that the original request was Secure,
> > so that the backend server will respond correctly.
>
> Yes. See the front-end-https cache_peer option.

Thanks Henrik

Either I have this implemented wrong (more likely). Or the directive
is not quite right.

I seem to see this header: Front-End-Https: On:, If I hit the page via
port 80 or port 443, this in itself tells me that I've misunderstood
and botched the config, or this is not quite working correctly (betting
against me, vs the feature)..

Here is the pertinent configuration. As I stated above, if I hit any of
the domains on port 80 (http://blah) or on port 443 (https://blah), I
see the header, which I should not see if I hit the page on port 80.

Thanks
Tory

http_port 80 accel vhost
http_port 199 accel vhost
http_port 360 accel vhost

cache_peer 10.40.5.229 parent 80 0 no-query originserver front-end-https
cache_peer 10.40.5.152 parent 80 0 no-query originserver front-end-https
cache_peer 10.40.5.231 parent 80 0 no-query originserver front-end-https

cache_peer_domain 10.40.5.229 !submit-dev.eng.domain.com
cache_peer_domain 10.40.5.229 !admanager-dev.eng.domain.com
cache_peer_domain 10.40.5.152 !apps-dev.eng.domain.com
cache_peer_domain 10.40.5.152 !dev-cache.eng.domain.com
cache_peer_domain 10.40.5.152 !devcache01.eng.domain.com
cache_peer_domain 10.40.5.152 !admanager-dev.eng.domain.com
cache_peer_domain 10.40.5.231 !submit-dev.eng.domain.com
cache_peer_domain 10.40.5.231 !apps-dev.eng.domain.com
cache_peer_domain 10.40.5.231 !dev-cache.eng.domain.com
cache_peer_domain 10.40.5.231 !devcache01.eng.domain.com

##SSL DIRECTIVES##
https_port 443 accel cert=/etc/squid/wildcard.eng.domain.com.pem vhost
https_port 444 accel cert=/etc/squid/wildcard.domain.com.pem vhost
Re: [squid-users] serious squid (cache_dir) problem
On Mon, 2008-05-05 at 10:13 -0300, Michel (M) wrote:

> ok I will do it
>
> swap.state.new is written and stops after some bytes ( < 100 k), I guess
> then when the first client requests come in it stops writing it and
> swap.state grows out of bounds until disk is full
>
> seems to happen only when a considerable cache_dir size when the rebuild
> is needing more than 60 seconds
>
> this as said before happens after a clean shutdown and with diskd
>
> would that be enough for a bug report?

Please also include your cache_dir lines, and cache.log up to the point
where swap.state.new stops growing.

Regards
Henrik
Re: [squid-users] Squid sends TCP_DENIED/407 even on already authenticated users
On Mon, 2008-05-05 at 10:03 -0300, Julio Cesar Gazquez wrote:

> Squid 2.6.18, and also observed on Squid 3 (-pre6).

2.6.18 should work fine. Squid-3.0.PRE6 is known to be a bit broken
however.

What auth param settings are you using?

Regards
Henrik
Re: [squid-users] Re: Authentication on squid parent and auth headers
On Mon, 2008-05-05 at 08:03 -0400, Emanuel dos Reis Rodrigues wrote:

> But, I like to the user insert username and password
>
> this is possible

yes.

cache_peer ... login=PASS

enables forwarding of login details to a peer. Note that it's literally
the string login=PASS, not the login and password.

See the description of cache_peer for full details on the login option.

Regards
Henrik
Re: [squid-users] regular long processing time in squid 2.6.12
On Mon, 2008-05-05 at 15:34 +0800, Shaojie Liu wrote:

> we r using squid 2.6.12 for months. recently when we parsing squid
> access log and studying on the value of "serving time", we found it
> to be interesting that many slow serving actions is finished within
> 120 seconds or 60 seconds.

120 seconds is the default "connect timeout" in Linux. The time it takes
for a connection to a non-responding/down server to time out.

Regards
Henrik
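
An added example, not part of the thread or of Squid itself: a small parser that checks whether elapsed times in an access log cluster around the 60 s and 120 s values discussed above, and which upstream peers those slow requests went to. It assumes Squid's native access.log layout (elapsed time in milliseconds in the second field); the one-second tolerance and the sample lines are constructed for illustration.

```python
from collections import Counter

# Timeout values (seconds) named in the thread; the tolerance is an assumption.
TIMEOUTS_S = (60.0, 120.0)
TOLERANCE_S = 1.0

# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1209972001.104 119931 192.0.2.10 TCP_MISS/504 1493 GET http://a.example/xx.js - DIRECT/198.51.100.7 text/html
1209972002.310 119813 192.0.2.11 TCP_MISS/504 1493 GET http://a.example/xx.jpg - DIRECT/198.51.100.7 text/html
1209972003.512 120133 192.0.2.12 TCP_MISS/504 1493 GET http://a.example/xx.gif - DIRECT/198.51.100.7 text/html
1209972004.007 59920 192.0.2.13 TCP_MISS/200 2210 GET http://b.example/xx.gif - DIRECT/198.51.100.9 image/gif
1209972005.650 119239 192.0.2.10 TCP_MISS/504 1493 GET http://a.example/xx.png - DIRECT/198.51.100.7 text/html
1209972006.020 85 192.0.2.14 TCP_HIT/200 5120 GET http://c.example/logo.png - NONE/- image/png
1209972007.900 1540 192.0.2.15 TCP_MISS/200 9001 GET http://c.example/index.html - DIRECT/198.51.100.20 text/html
truncated line without enough fields
"""


def parse_line(line):
    """Return elapsed seconds, result code, URL and peer, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        elapsed_s = int(fields[1]) / 1000.0
    except ValueError:
        return None
    # Hierarchy field looks like DIRECT/198.51.100.7 or NONE/-
    peer = fields[8].split("/", 1)[-1]
    return {"elapsed_s": elapsed_s, "result": fields[3],
            "url": fields[6], "peer": peer}


def nearest_timeout(elapsed_s):
    """Return the timeout this elapsed time sits next to, or None."""
    for timeout in TIMEOUTS_S:
        if abs(elapsed_s - timeout) <= TOLERANCE_S:
            return timeout
    return None


def summarize(log_text):
    """Count requests finishing near a timeout, per timeout and per peer."""
    per_timeout, per_peer = Counter(), Counter()
    parsed = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1  # keep a count so bad input is visible, not silent
            continue
        parsed += 1
        timeout = nearest_timeout(entry["elapsed_s"])
        if timeout is not None:
            per_timeout[timeout] += 1
            per_peer[entry["peer"]] += 1
    flagged = sum(per_timeout.values())
    return {"parsed": parsed, "skipped": skipped,
            "near_timeout": dict(per_timeout), "by_peer": dict(per_peer),
            "fraction": flagged / parsed if parsed else 0.0}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A peer that dominates the by_peer count is the first place to check for a non-responding server.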
Re: [squid-users] serious squid (cache_dir) problem
Adrian Chadd said in the last message:
> Interesting! can you throw that into a bugzilla report? That seems like
> enough to start debugging the issue.
>

ok I will do it

swap.state.new is written and stops after some bytes ( < 100 k), I guess
then when the first client requests come in it stops writing it and
swap.state grows out of bounds until disk is full

seems to happen only when a considerable cache_dir size when the rebuild
is needing more than 60 seconds

this as said before happens after a clean shutdown and with diskd

would that be enough for a bug report?

>
> Adrian
>
>
> On Sat, May 03, 2008, Michel (M) wrote:
>>
>> Hi there
>>
>> this problem is around since long time but only when an incorrect
>> shutdown
>> (powerfailure or kill) was the reason, but now it became a pattern ...
>>
>> but there was a workaround, adding -F to squid start config so it
>> didn't
>> attend any request so long as the logs were not ready
>>
>> but this is not the case anymore, any request before swap_state is ready
>> is fucking up the swap_state and it is growing out of bounds beyond
>> available disk space and then squid dies because out of disk space when
>> RunCache didn't terminated earlier because of number of unsuccessful
>> retries
>>
>>
>>
>> FreeBSD 7.0-STABLE amd64 and i386 (Latest Sources)
>> Squid > 2.6STABLE19-20080?* (I do not know which exact version)
>>
>> I believe major problem is I use diskd for cache_dir here which seems
>> to
>> be abandoned (unfortunately) ...
>>
>> I do not know about this issue when using aufs and ufs because I am not
>> using it
>>
>> some comment on this?
>>
>>
>> Michel
>>
>> ...
>>
>> Internet Technology Matik http://info.matik.com.br
>> Wireless Systems for the Broadband Provider
>> Hosting and personalized Email - and of course, in Brazil.
>>
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
> Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
>
> This message was scanned by the e-mail system and can be considered
> safe.
> Service provided by Datacenter Matik https://datacenter.matik.com.br
>

...

Internet Technology Matik http://info.matik.com.br
Wireless Systems for the Broadband Provider
Hosting and personalized Email - and of course, in Brazil.
Re: [squid-users] cache_dir (dirty) question
Adrian Chadd said in the last message:
> On Sun, May 04, 2008, Michel (M) wrote:
>>
>>
>> I never thought so much about this but now it came up. I thought that
>> the
>> cache_dir dirty came when an unclean shutdown occurred, or better, caused
>> by file corruptions of the underlying FS
>>
>> thing is I am running ZFS and so there are no corrupt files even after
>> power outage
>>
>> why squid still see dirty cache_dirs ?
>
> Its a function of the state of the cache log, -not- of the cache dir as
> a whole.
>
>

thanks for clarification

>
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
> Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
>
> This message was scanned by the e-mail system and can be considered
> safe.
> Service provided by Datacenter Matik https://datacenter.matik.com.br
>

...

Internet Technology Matik http://info.matik.com.br
Wireless Systems for the Broadband Provider
Hosting and personalized Email - and of course, in Brazil.
Re: [squid-users] Squid sends TCP_DENIED/407 even on already authenticated users
On Friday 02 May 2008 22:15:25, wrote:
> On Wed, 2008-04-30 at 13:29 -0300, Julio Cesar Gazquez wrote:
> > We are starting to deploy digest based authentication on a large network,
> > and we found a weird problem: Sometimes authenticated requests are
> > answered by TCP_DENIED/407 responses.
>
> Which Squid version?

Squid 2.6.18, and also observed on Squid 3 (-pre6).

Yet at this point, once dismissed digest's nonce changes, the problem
seems to be a corner case on the combination of a broken browser (IE7)
and a broken website (rosario3.com) doing weird things.

--
Julio César Gázquez
Information Security Area -- Ext. 736
Municipalidad de Rosario
Re: [squid-users] squid reverse proxy isssue
On Mon, 2008-05-05 at 11:07 +0530, Indunil Jayasooriya wrote:

> May 5 11:01:56 mail squid: Bungled squid.conf line 76: http_port 80
> accel defaultsite=your.main.website
>
> This is on RedHat EL 5 with default RPM squid-2.6.STABLE6-3.el5
>
> Any advice to get it working.

Skip the accel directive, or upgrade to a more recent Squid version..

More recent RHEL packages can be found from the download section of the
web site.

Regards
Henrik
Re: [squid-users] regular long processing time in squid 2.6.12
Hi,

Are any of your clients using Outlook, Outlook Express, or Entourage?

There is probably a bug in their HTTP implementation: when a client
receives an email with image links, it takes forever (60 to 120 seconds,
incidentally) unless you include the following configuration line in
squid.conf:

persistent_request_timeout 1 seconds

Taking the same link and loading it in a web browser (IE, Firefox,
Safari) is OK...

Hope that helps, please report to the list.

Best,
François

On Mon, 5 May 2008 18:59:05 +0800 Adrian Chadd <[EMAIL PROTECTED]> wrote:

> Thats interesting. Solving it will probably involve some more in-depth
> analysis of source and packet dumps.. :/
>
>
>
> Adrian
>
> On Mon, May 05, 2008, Shaojie Liu wrote:
> > hi, all
> >
> > we r using squid 2.6.12 for months. recently when we parsing squid
> > access log and studying on the value of "serving time", we found it
> > to be interesting that many slow serving actions is finished within
> > 120 seconds or 60 seconds.
> >
> > it seems like that there is a mechanism inside squid to ensure that
> > all content can be server in a certain threshold time, say 120s or
> > 60s. or at least there is a timeout setting or configuration.
> >
> > a few sample data as following:
> >
> > -content-   process time(s)-
> > xx.js       119.931
> > xx.jpg      119.813
> > xx.gif      120.133
> > xx.gif      59.92
> > xx.png      119.239
> >
> > i strongly feel that the time figure indicated something. meanwhile,
> > the load on squid box is pretty low(usually under 1), and
> > requests/second is around 100/s.
> >
> > anybody have met same problem? any good suggestions? appreciated. thanks.
>
[squid-users] Re: Authentication on squid parent and auth headers
Emanuel dos Reis Rodrigues wrote:

Hello All,

I have 2 squid servers:

SQUID1 ---> SQUID2 ---> Internet

The SQUID2 have authentication required.

The SQUID1 is access free and use:

cache_peer IP_SQUID2 parent 3128 0 no-query no-digest default

My client connect on SQUID1 and password is required.

My client insert the username and password for authentication required
for SQUID2 ...

The password never is be ok ... always repeat the authentication

I using one sniffer to identify Authentication Headers and see ,, the
SQUID1 don't forward the headers of authentication to the SQUID2 ...

what I do to the SQUID1 forwarding the headers to the parent squid ?

On Sat, 2008-05-03 at 15:36 -0400, Emanuel dos Reis Rodrigues wrote:

Hello All,

I have 2 squid servers:

SQUID1 ---> SQUID2 ---> Internet

The SQUID2 have authentication required.

The SQUID1 is access free and use:

cache_peer IP_SQUID2 parent 3128 0 no-query no-digest default

You also need login=PASS

Regards
Henrik

But, I like to the user insert username and password

this is possible

--
Emanuel dos Reis Rodrigues
Linux Professional Certified
Network Security
[EMAIL PROTECTED]
+55 95 8112-9628
Re: [squid-users] prioritize particular site
Mathias R. Baumgartner wrote:

what you want is traffic shaping. imho squid is not the ideal solution
for that. you can probably find better approaches here:

http://www.knowplace.org/pages/howtos/traffic_shaping_with_linux.php
http://www.edseek.com/~jasonb/articles/traffic_shaping/

I suggest having a look at squid's delay pools feature.

On 5/4/08, beko <[EMAIL PROTECTED]> wrote:

Amos Jeffries-2 wrote:
>
> beko wrote:
>> Hello,
>>
>> is it possible to prioritize particular site? We use one business
>> application, which is on remote server and regular traffic is slowing it
>> down.
>>
>> J.
>
> Yes.
>
> The question is though; How do you want to 'prioritize' it?
> Then; can squid do that type of 'prioritization'?
>
> More info would be helpful.
>
> Amos
> --
> Please use Squid 2.6.STABLE20 or 3.0.STABLE5
>
>

In this application we need to upload/download some files (usually
1-2MB). While downloading/uploading from this application I want other
download to be slowed down. Or if there are two requests at the very
same time, I want to be sure that request to this site will go first.

--
View this message in context:
http://www.nabble.com/prioritize-particular-site-tp17036222p17044730.html
Sent from the Squid - Users mailing list archive at Nabble.com.

--
Marcello Romani
IT Manager
Ottotecnica s.r.l.
http://www.ottotecnica.com
Re: [squid-users] regular long processing time in squid 2.6.12
That's interesting. Solving it will probably involve some more in-depth
analysis of source and packet dumps.. :/

Adrian

On Mon, May 05, 2008, Shaojie Liu wrote:
> hi, all
>
> we r using squid 2.6.12 for months. recently when we parsing squid
> access log and studying on the value of "serving time", we found it
> to be interesting that many slow serving actions is finished within
> 120 seconds or 60 seconds.
>
> it seems like that there is a mechanism inside squid to ensure that
> all content can be server in a certain threshold time, say 120s or
> 60s. or at least there is a timeout setting or configuration.
>
> a few sample data as following:
>
> -content-   process time(s)-
> xx.js       119.931
> xx.jpg      119.813
> xx.gif      120.133
> xx.gif      59.92
> xx.png      119.239
>
> i strongly feel that the time figure indicated something. meanwhile,
> the load on squid box is pretty low(usually under 1), and
> requests/second is around 100/s.
>
> anybody have met same problem? any good suggestions? appreciated. thanks.

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [squid-users] Squid and munin
Munin ships with a squid_ module; or at least, the freebsd/debian/ubuntu
packages do.

Adrian

On Mon, May 05, 2008, Usrbich wrote:
>
> Can someone please provide me munin scripts for squid, like cache status,
> client requests, traffic status?
> --
> View this message in context:
> http://www.nabble.com/Squid-and-munin-tp17053991p17053991.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Fwd: [squid-users] squid reverse proxy isssue
HI ALL,

My reverse proxy does not work. Pls help me to solve this.

my squid.conf is like this

http_port 80 accel defaultsite=your.main.website
cache_peer 192.168.9.4 parent 80 0 no-query originserver
acl our_sites dstdomain your.main.website
http_access allow our_sites

/etc/hosts file has below line. from squid box , I can ping
your.main.website

192.168.9.4 your.main.website

here is the log.

[EMAIL PROTECTED] squid]# tail -f /var/log/messages
May 5 16:20:56 mail squid: Bungled squid.conf line 76: http_port 80 accel defaultsite=your.main.website

[EMAIL PROTECTED] squid]# /etc/init.d/squid restart
Stopping squid:[FAILED]
Starting squid:[FAILED]

Where have I gone wrong?

I am on RedHat EL 5 with below rpm

squid-2.6.STABLE6-5.el5_1.3

-- Forwarded message --
From: Indunil Jayasooriya <[EMAIL PROTECTED]>
Date: Mon, May 5, 2008 at 11:50 AM
Subject: Re: [squid-users] squid reverse proxy isssue
To: Paul Bertain <[EMAIL PROTECTED]>
Cc: squid-users

> Can your Squid box resolve your "http_port" line? Whatever you have as the
> actual "your.main.website" needs to be resolveable.

No, your.main.website can not be resolved. I added your.main.websit to
/etc/hosts file. Now , I can ping your.main.website

What I did was I configured apache to run on the same box on 127.0.0.1

pls see below

I have added this to http.conf file.

Listen 127.0.0.1:80

I can telnet to 127.0.0.1 and your.main.websit on port 80. pls see below

[EMAIL PROTECTED] squid]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

[EMAIL PROTECTED] squid]# telnet your.main.websit 80
Trying 127.0.0.1...
Connected to your.main.websit (127.0.0.1).
Escape character is '^]'.

Then, I changed squid.conf as below

http_port 192.1.54.101:80 accel defaultsite=your.main.websit
cache_peer 127.0.0.1 parent 80 0 no-query originserver
cache_peer_access 127.0.0.1 allow our_sites
acl our_sites dstdomain your.main.websit

again, same error. Pls see below.

[EMAIL PROTECTED] squid]# /etc/init.d/squid restart
Stopping squid:[FAILED]
Starting squid:[FAILED]

[EMAIL PROTECTED] squid]# tail -f /var/log/messages
May 5 11:37:20 mail squid: Bungled squid.conf line 76: http_port 192.1.54.101:80 accel defaultsite=your.main.websit
May 5 11:46:27 mail last message repeated 4 times

Hope to hear from you.

--
Thank you
Indunil Jayasooriya

--
Thank you
Indunil Jayasooriya
Re: [squid-users] SYSLOG
On Mon, 2008-05-05 at 09:41 +0800, [EMAIL PROTECTED] wrote:

> Every string with data has another empty string!
>
> Does anyone have any ideas? How correct it?

It's a bug in Squid. Supposed to be fixed but something went slightly
wrong when the fix was forwardported to Squid-3... Now fixed.

A workaround is to use a custom access log format. The bug only shows up
when using the builtin log formats..

Regards
Henrik
[squid-users] Squid and munin
Can someone please provide me munin scripts for squid, like cache status,
client requests, traffic status?

--
View this message in context:
http://www.nabble.com/Squid-and-munin-tp17053991p17053991.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] regular long processing time in squid 2.6.12
hi, all

we r using squid 2.6.12 for months. recently when we parsing squid
access log and studying on the value of "serving time", we found it
to be interesting that many slow serving actions is finished within
120 seconds or 60 seconds.

it seems like that there is a mechanism inside squid to ensure that
all content can be server in a certain threshold time, say 120s or
60s. or at least there is a timeout setting or configuration.

a few sample data as following:

-content-   process time(s)-
xx.js       119.931
xx.jpg      119.813
xx.gif      120.133
xx.gif      59.92
xx.png      119.239

i strongly feel that the time figure indicated something. meanwhile,
the load on squid box is pretty low(usually under 1), and
requests/second is around 100/s.

anybody have met same problem? any good suggestions? appreciated. thanks.