Re: [squid-users] missing cachemgr.cgi
> Hi ajhart,
>
> Thanks for the reply, I really appreciate it!!
>
> The squid-cachemgr-3.0 rpm file I got from http://rpm.pbone.net/
> I tried to install it but it needs other older version packages that I already have.
>
> With the rpm -ql squid-cachemgr command, it tells me that there is no cachemgr package installed.

Yes, rpm -ql only checks for packages which are already installed. If you have the package only on the disk (i.e. not installed) you can check its contents using:

rpm -qpl /path/to/package.rpm

The option -p checks the package file only. So you can find out where the files from the package will be placed.

Regards,

Peter

-- 
Peter Albrecht
Open Source School GmbH
Amalienstraße 45 RG
80799 München
Tel: +49-(0)-89-287793-83
Fax: +49-(0)-89-287555-63
http://www.opensourceschool.de
HRB 172645 - Amtsgericht München
Managing directors: Peter Albrecht, Dr. Markus Wirtz
[squid-users] Optional ntlm fakeauth.
Hi,

is there any way to use optional ntlm fakeauth? We have no need to stop users that do not get authenticated, but we would like to have them logged in the access log.

For the moment we are using fakeauth_auth and it works almost out of the box. But a little wish, perhaps not possible to do, is that even when the auth is NONE or NA the user should get through. But I guess that this isn't possible, or the purpose of ntlm fakeauth.. I haven't really seen a way of doing this with acl rules either..

Any ideas out there?

-- 
Regards
Falk
RE: [squid-users] remove DOMAIN part from NTLM username
Dhruv Ahuja wrote:

> Hi All
>
> I am successfully using NTLM authentication in my Fedora 8 Squid and Windows 2003 Active Directory environment. With NTLM in place, the usernames appear to be in the form of DOMAIN\username, which prevents me from being able to use them in any LDAP filter within squid.conf to determine, let's say, users' OUs. I'd rather use OUs to identify the group of people than Windows Groups. The Windows Group Policy in place is working that way (on OUs).
>
> I have tried winbind use default domain = yes in smb.conf but that doesn't help.

winbind use default domain = yes should remove the requirement of DOMAIN\username.

Does /usr/bin/ntlm_auth --username=username work?

> Everything was working fine in a pure LDAP implementation earlier. Except the annoying password prompt window at browser startup! So, I have now switched to NTLM and no longer face that issue.
>
> All I need now is to keep the usernames of the format username rather than DOMAIN\username to get my LDAP filter, or any LDAP filter at all, working.
>
> Any ideas?
>
> Thanks
> -- 
> Dhruv
Re: [squid-users] logfile_rotate not working correctly on squid2.6stable20
On Wed, 2008-05-21 at 11:54 +0800, chris brain wrote:

> running squid2.6stable20 on opensuse 10.3 and the logfile_rotate command is set to 4 (logfile_rotate 4) and it is still keeping 10 days of logs. On our other 3 proxies running stable 16 it works ok.

Perhaps you are also using logrotate or another external log rotation program? If so then logfile_rotate should be set to 0...

Regards
Henrik
Re: [squid-users] Optional ntlm fakeauth.
On Wed, 2008-05-21 at 09:23 +0200, Falk wrote:

> is there any way to use optional ntlm fakeauth?

No, if you use authentication then the client has to complete the authentication handshake.

Regards
Henrik
[squid-users] problem with authentication with 3.0
Hello Guys,

I have 2 boxes, one running squid 3.0-stable5 and the other 3.0-stable6. Both hand compiled for enabling ldap authentication helpers. I got ldap authentication running successfully on both boxes, there's no problem on that.

The problem is when I issued the 'transparent' option to my http_port parameter. Yes I know I cannot have authentication on transparently intercepted requests, I know that. My idea of enabling transparent on that port was to allow, without authentication, some antivirus and Windows Update stuff (and some other special URLs which would be exceptions to my auth rules). Sometimes these things (antivirus updates, Windows Update, antispyware updates, etc etc) seem to not use the IE proxy settings. I would like to allow some special URLs without authentication and then get everything authenticated with LDAP as it was working.

This works fine in 2.5 which I was running until last month, just to let you know. I could enable the transparent parameters and still have authentication running.

Although, on squid 3.0 (stable5 and stable6 tested), despite the fact I'm sure that my ldap configuration is running fine, when I add the 'transparent' option to the http_port, my authentication simply stops working and I get cache.log filled with:

2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.

and lots of TCP_DENIED/403 on access.log, showing requests are all being denied.

It seems to be that when the transparent option is enabled, squid assumes ALL requests received are transparently intercepted, which is NOT true. Simply removing the transparent from http_port makes things work again (ldap authentication), which proves my browsers do have the proxy settings correctly configured.

Is this transparent option/authentication behavior I noticed expected, or does it seem to be a bug??

If this is somehow expected, I was thinking of having two http_port, one with transparent and the other not. The one with transparent would be used on my iptables transparent proxy rules, and the non-transparent port would be used for configuring browsers. That way I think I can achieve what I want.

If this behavior I noticed is not expected, then I think we got a bug here, even with 3.0 stable 6 which was released some days ago.

-- 
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it: [EMAIL PROTECTED]
[squid-users] cache only certain files?
Hi,

I'm struggling to get the logic right for only caching certain pages - it seems very easy to do the negative (don't cache ...) but the converse doesn't seem possible... I must be missing something.

i.e. I want to cache

www.mysite.com
www.mysite.com/hello/this.aspx?hi=thereyou=there
www.mysite.com/good/by/my/friend/this.aspx?hi=thereyou=there
www.mysite.com/images/test.gif

but not the rest.

Any ideas?
Thanks,
Anton
Re: [squid-users] serious squid (cache_dir) problem NOW confirmed with aufs
Henrik Nordstrom said in the last message:

> On Mon, 2008-05-05 at 10:13 -0300, Michel (M) wrote:
>
>> ok I will do it
>>
>> swap.state.new is written and stops after some bytes (100 k), I guess then when the first client requests come in it stops writing it and swap.state grows out of bounds until disk is full like you must have seen
>>
>> I filed it in bugzilla
>>
>> meanwhile I can confirm the same problem with aufs and if someone wants some special more detailed info I have the logs and swap.states backup here
>>
>> seems to happen only with a considerable cache_dir size, when the rebuild is needing more than 60 seconds
>>
>> this as said before happens after a clean shutdown and with diskd
>>
>> would that be enough for a bug report?
>
> Please also include your cache_dir lines, and cache.log up to the point where swap.state.new stops growing.
>
> Regards
> Henrik

...
Tecnologia Internet Matik http://info.matik.com.br
Wireless systems for the broadband provider
Hosting and personalised email - and of course, in Brazil.
[squid-users] Block Windows Live Messenger with Squid
Hi Guys,

I have a transparently working copy of squid 2.6 stable 19 running on a Linux FC9 box. I wanted to block msn/windows live messenger through it, I've added the following code in my squid.conf

acl msnmime req_mime_type ^application/x-msn-messenger
acl msngw url_regex -i gateway.dll
http_access deny msnmime
http_access deny msngw

but messenger is still signing in...

Does anybody have another solution?

Regards
Re: [squid-users] Block Windows Live Messenger with Squid
Messenger uses port 1863 tcp for communication, and some HTTPS SOAP requests to M$ servers. You need to block this port using iptables.

iptables -A FORWARD -p tcp --dport 1863 -j DROP
iptables -A FORWARD -p tcp --sport 1863 -j DROP

adnann5 wrote:

> Hi Guys,
>
> I have a transparently working copy of squid 2.6 stable 19 running on a Linux FC9 box. I wanted to block msn/windows live messenger through it, I've added the following code in my squid.conf
>
> acl msnmime req_mime_type ^application/x-msn-messenger
> acl msngw url_regex -i gateway.dll
> http_access deny msnmime
> http_access deny msngw
>
> but messenger is still signing in...
>
> Does anybody have another solution?
>
> Regards
RE: [squid-users] Block Windows Live Messenger with Squid
Messenger will also use port 80. You'll need to do l7-filter for that. Or using squid, set up acls for the messenger mimetype which will catch it if it's coming through port 80, and then also block port 1863.

I believe that's been covered before in this group so you may want to search the archives. Sorry, but I don't have the exact details in front of me.

Thomas J. Raef

-----Original Message-----
From: Cassiano Martin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 11:05 AM
To: adnann5
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Block Windows Live Messenger with Squid

> Messenger uses port 1863 tcp for communication, and some HTTPS SOAP requests to M$ servers. You need to block this port using iptables.
>
> iptables -A FORWARD -p tcp --dport 1863 -j DROP
> iptables -A FORWARD -p tcp --sport 1863 -j DROP
>
> adnann5 wrote:
>
>> Hi Guys,
>>
>> I have a transparently working copy of squid 2.6 stable 19 running on a Linux FC9 box. I wanted to block msn/windows live messenger through it, I've added the following code in my squid.conf
>>
>> acl msnmime req_mime_type ^application/x-msn-messenger
>> acl msngw url_regex -i gateway.dll
>> http_access deny msnmime
>> http_access deny msngw
>>
>> but messenger is still signing in...
>>
>> Does anybody have another solution?
>>
>> Regards
[squid-users] HTCP configuration, participation, peers
Hello, all -

I'm running into some issues where I can't quite seem to get HTCP to work properly. I'm using 3.0STABLE5-2, with HTCP enabled at compile time, and although I have Squid set up properly working as a stand-alone reverse proxy cache, I cannot get one node to talk with another.

So far as I understand, this should be the 'meat and potatoes' of what makes HTCP tick:

cache_peer 239.4.8.12 multicast 80 4827 ttl=1
cache_peer 192.168.15.75 parent 80 4827 htcp no-query originserver name=localhost.localdomain
cache_peer 192.168.15.85 neighbor 80 4827 htcp multicast-responder
mcast_groups 239.4.8.12

- noting my multicast address as 239.4.8.12, with a negligible http port, making sure to use HTCP (implied with port 4827 as ICP port) with a TTL to live.
- parent cache peer of 192.168.15.75, http port of 80, making sure to use HTCP (implied with port 4827 as ICP port), making this the final destination for queries
- neighbor cache peer at 192.168.15.85 configured to participate in the multicast group and respond appropriately

Now, those are my interpretations of the process. Of course I have a few other ACLs in there that also manage squid in itself, but I'm not so sure they're directly related to this.

I guess what my question is, is that I am having a bit of difficulty understanding which peer can be told to be the final destination for the request, i.e. that peer being the backend web server. Once I get that figured out, I believe that I can make all other peers neighbors (right?), which use that final destination to populate their cache.

I hope I'm explaining this properly, I might be a bit off here. I suppose other than that, my first day using Squid has been a lot of fun!

Thanks!
-dant
[squid-users] Difference between TCP_MISS, UDP_MISS
Hello again -

Reading my logs when trying to play with ICP and HTCP, I see a few options that I'm not too familiar with. I see TCP_MISS and UDP_MISS. From what I've read and understand on the documentation of the general log, TCP_MISS is written when an object is not found in *this* cache, and a UDP_MISS is written when an object is not found in *the* cache.

Now, my question is: is the difference between the two the difference between not finding the object on either a single server or via ICP/HTCP? Is that where the differentiation is? This is what I understand from the documentation, but I just wanted to make sure that my interpretation was correct.

Thanks!
-dant
[squid-users] Caching of directory objects, UDP_MISS
Hello again, all -

Searching through my logs, I see UDP_MISS statements which are almost exclusively when an ICP query is made for an object of a directory type, not a file type:

1211373356.819 0 192.168.15.87 UDP_MISS/000 131 ICP_QUERY http://static-test-dev.domain.local/dev-secure-test.domain.local/content/viralPlayer/generator-test/ - NONE/- -

It would make sense as to why Squid would be handing out a UDP_MISS for that, since it would also make sense that Squid has no desire to cache directories - but if that's the case, why would Squid ever report on a miss like that? How about disabling that object for logging altogether?

Thanks!
-dant
[squid-users] Need RPM of squid3stable6
Hello,

I have been experiencing the same authentication bug reported previously (basic authentication not working). I'd like to try stable5 or 6 as announced, but need an RPM since I am using Fedora 9. Is there one available? If so where?

Thanks,
Cliff
[squid-users] intermittent timeouts Cisco 4948 switch, WCCPv2, Squid 2.6stable12
Have WCCPv2 running between Cisco 4948 gigE switch and Squid on Linux server (WCCPv2 is working fine, see redirects on TCPDUMP). Routing incoming WCCP redirects to ETH0 and outgoing to ETH1 on server.

Squid starts without error and performs well for about 20 minutes; then some web pages time out indiscriminately and customers must refresh several times (address not valid error appears in browser). Don't see any errors in the access.log

Approximately 7500 customers can be hitting the Squid server during heavy use, but the box has more than adequate memory and disk space to accommodate those numbers from what I've read.

Could the page time-out errors be due to DNS settings?

Any help/recommendations are appreciated.

thanks
-Ryan

Setup Details below:

Squid Server:
GNU/Linux kernel 2.6.19.7
4-AMD dual-core 2.6 gig Opteron processors
32 gig DDR2 RAM
4-28 gig cache drives

Cisco 4948 switch running 12.2(40)SG

Squid server ETH0 - Cisco 4948 switch WCCPv2 vlan port
Squid server ETH1 - Cisco 4948 switch INTERNET vlan port

IPTABLES PREROUTING 0.0.0.0/0 port 80 to 0.0.0.0/0 port 3124

http_port xxx.xxx.xxx.xxx:3124 transparent
http_port localhost:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl our_networks src xxx.xxx.xxx.xxx/19 xxx.xxx.xxx.xxx/19
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 16 GB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
memory_replacement_policy lru
#memory_replacement_policy LFUDA
cache_dir aufs /squid0 285520 16 256
cache_dir aufs /squid1 285520 16 256
cache_dir aufs /squid2 285520 16 256
cache_dir aufs /squid3 285520 16 256
dns_nameservers xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
positive_dns_ttl 1 minute
negative_dns_ttl 1 second
logformat common %a %ui %un [%tl] %rm %ru HTTP/%rv %Hs %st %Ss:%Sh
access_log /usr/local/squid/var/logs/access.log squid
#access_log none
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
#cache_log none
#cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
pid_filename /usr/local/squid/var/logs/squid.pid
debug_options ALL,1 80,9
refresh_pattern -i .*akamai\.net.* 10080 100% 20160 override-expire
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src xxx.xxx.xxx.xxx/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl NO_CACHE dstdomain /usr/local/squid/etc/no_cache.conf
http_access allow manager localhost
http_access allow manager example
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all
http_reply_access allow all
tcp_outgoing_address 0.0.0.0
cache_effective_user squid
visible_hostname proxy..com
wccp2_router xxx.xxx.xxx.xxx
wccp2_rebuild_wait on
wccp2_forwarding_method 2
wccp2_return_method 2
wccp2_assignment_method 2
wccp2_service standard 0
wccp2_weight 1
coredump_dir /usr/local/squid/var/cache
client_persistent_connections on
server_persistent_connections off
persistent_connection_after_error off
cache_effective_group squid
#no_cache deny our_networks
no_cache deny NO_CACHE
dns_testnames xxx.xxx.xxx.xxx
pipeline_prefetch on
shutdown_lifetime 1 second
half_closed_clients off
maximum_object_size 1024 KB
[squid-users] logging ident while avoiding an ident lookup for each request
Hi,

I have a case where a squid provides caching services for a multi-user Unix system which has identd enabled. I'd like squid to log the ident value of a user with the access in the access log. I have already accomplished this (it's rather easy to do), but I am concerned about load issues this might impose on the multi-user system and on the network since the amount of TCP connections on the network is neatly doubled.

Is it possible to have squid send some kind of identification to the browser so that an ident lookup is only necessary for the first http request in a session and the client can be identified by the bit sent back by the browser for the rest of the session? Or am I chasing a phantom here and the load imposed by the ident-lookups (which includes TCP session building and teardown) is negligible? Which other solutions are possible?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
Re: [squid-users] Caching of directory objects, UDP_MISS
Dan Trainor wrote:

> Hello again, all -
>
> Searching through my logs, I see UDP_MISS statements which are almost exclusively when an ICP query is made for an object of a directory type, not a file type:
>
> 1211373356.819 0 192.168.15.87 UDP_MISS/000 131 ICP_QUERY http://static-test-dev.domain.local/dev-secure-test.domain.local/content/viralPlayer/generator-test/ - NONE/- -
>
> It would make sense as to why Squid would be handing out a UDP_MISS for that, since it would also make sense that Squid has no desire to cache directories - but if that's the case, why would Squid ever report on a miss like that? How about disabling that object for logging altogether?
>
> Thanks!
> -dant

Squid does not know about those real servers' disks at all. So it may be a directory listing in HTML, an index page or other possible HTTP responses of that URL.

You can customize the access log not to log this thing.
Re: [squid-users] Caching of directory objects, UDP_MISS
On Thu, 2008-05-22 at 04:23 +0700, Phattanon Duangdara wrote:

> Dan Trainor wrote:
>
>> Hello again, all -
>>
>> Searching through my logs, I see UDP_MISS statements which are almost exclusively when an ICP query is made for an object of a directory type, not a file type:
>>
>> 1211373356.819 0 192.168.15.87 UDP_MISS/000 131 ICP_QUERY http://static-test-dev.domain.local/dev-secure-test.domain.local/content/viralPlayer/generator-test/ - NONE/- -
>>
>> It would make sense as to why Squid would be handing out a UDP_MISS for that, since it would also make sense that Squid has no desire to cache directories - but if that's the case, why would Squid ever report on a miss like that? How about disabling that object for logging altogether?
>>
>> Thanks!
>> -dant
>
> Squid does not know about those real servers' disks at all. So it may be a directory listing in HTML, an index page or other possible HTTP responses of that URL.
>
> You can customize the access log not to log this thing.

Thanks for the response, Phattanon - I figured that would be the case, I just wanted to confirm. I will look into crafting a rule to not log such elements.

Thanks
-dant
Re: [squid-users] Difference between TCP_MISS, UDP_MISS
Dan Trainor wrote:

> Hello again -
>
> Reading my logs when trying to play with ICP and HTCP, I see a few options that I'm not too familiar with. I see TCP_MISS and UDP_MISS. From what I've read and understand on the documentation of the general log, TCP_MISS is written when an object is not found in *this* cache, and a UDP_MISS is written when an object is not found in *the* cache.
>
> Now, my question is: is the difference between the two the difference between not finding the object on either a single server or via ICP/HTCP? Is that where the differentiation is? This is what I understand from the documentation, but I just wanted to make sure that my interpretation was correct.
>
> Thanks!
> -dant

For an ICP/HTCP query, your server will log UDP_MISS/HIT. If you found UDP_HIT you would expect TCP_HIT to follow soon.

1211405991.407 0 192.168.182.8 UDP_MISS/000 68 ICP_QUERY http://video1.foo.bar:8020/01/47ccdcfd.flv - NONE/- -

In case someone is getting a file from your proxy, now your server logs TCP_XXX. And in this case, if your server found a HIT from your sibling/neighbor you will see TCP_MISS with SIBLING_HIT or something similar.

1211405990.193 197970 61.114.111.122 TCP_HIT/200 10551690 GET http://video1.foo.bar:8020/01/48345aa0.flv - NONE/- video/flv
1211405990.657 148869 61.27.146.156 TCP_MISS/200 5860778 GET http://video1.foo.bar:8020/01/4780515a.flv - FIRST_UP_PARENT/videoserv1 video/flv
1211406200.674 5541 221.90.102.240 TCP_MISS/200 438409 GET http://video1.foo.bar:8020/01/47b26d73.flv - SIBLING_HIT/videocache1 video/flv

Let's say
UDP_MISS : object not in my cache, so you should get it yourself
TCP_MISS : object not in my cache, I will get it for you
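Editor's note: the four records quoted in the reply above show the two things a log reader has to separate: UDP_* results are answers to a peer's ICP/HTCP query (no object is transferred, and the hierarchy field is always NONE/-), while TCP_* results are client fetches whose hierarchy field says where the bytes came from (NONE on a TCP_HIT, SIBLING_HIT when a neighbour supplied them, FIRST_UP_PARENT when a parent did). The Python below is an added example, not Squid's own code; it parses the native access.log format and summarises exactly those records, so the same script can be pointed at a real log to see how much a sibling is actually contributing.

```python
"""Parse Squid native-format access.log lines and separate peer (UDP_*)
answers from client (TCP_*) fetches. Added example; not Squid's own code.

Native format (one record per line):
  time elapsed client result/status bytes method url ident hierarchy/peer type
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # TCP_HIT, TCP_MISS, UDP_HIT, UDP_MISS, ...
    status: int      # HTTP status; 000 for ICP/HTCP queries
    size: int        # bytes sent to the client (or peer)
    method: str      # GET, ICP_QUERY, ...
    url: str
    hier_code: str   # NONE, SIBLING_HIT, FIRST_UP_PARENT, DIRECT, ...
    peer: str        # peer name, '-' when none was used
    mime: str

    @property
    def transport(self) -> str:
        """'UDP' = answer to a peer's ICP/HTCP query, 'TCP' = client fetch."""
        return self.result.split("_", 1)[0]

    @property
    def outcome(self) -> str:
        """HIT, MISS, DENIED, ... (the part after TCP_/UDP_)."""
        return self.result.split("_", 1)[1]


def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native access.log record: {line!r}")
    result, status = f[3].split("/", 1)
    hier_code, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hier_code, peer, f[9])


def summarize(lines):
    """Count records by result and, for client fetches, by where the object
    came from. UDP_* records carry no hierarchy information, so they are
    counted by result alone."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        key = e.result if e.transport == "UDP" else f"{e.result}/{e.hier_code}"
        counts[key] += 1
    return dict(counts)


def bytes_by_source(lines):
    """Bytes delivered to clients, grouped by hierarchy code: how much came
    from the local cache (NONE on a TCP_HIT), a sibling, or a parent."""
    totals = Counter()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.transport == "TCP":
            totals[e.hier_code] += e.size
    return dict(totals)


# The four records quoted in the reply above (video1.foo.bar).
SAMPLE_LOG = """\
1211405991.407 0 192.168.182.8 UDP_MISS/000 68 ICP_QUERY http://video1.foo.bar:8020/01/47ccdcfd.flv - NONE/- -
1211405990.193 197970 61.114.111.122 TCP_HIT/200 10551690 GET http://video1.foo.bar:8020/01/48345aa0.flv - NONE/- video/flv
1211405990.657 148869 61.27.146.156 TCP_MISS/200 5860778 GET http://video1.foo.bar:8020/01/4780515a.flv - FIRST_UP_PARENT/videoserv1 video/flv
1211406200.674 5541 221.90.102.240 TCP_MISS/200 438409 GET http://video1.foo.bar:8020/01/47b26d73.flv - SIBLING_HIT/videocache1 video/flv
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
    print(bytes_by_source(SAMPLE_LOG.splitlines()))
```

Run against a live log with `summarize(open("/usr/local/squid/var/logs/access.log"))`; a peer that only ever appears as UDP_MISS with no matching SIBLING_HIT on this side is answering queries but never being asked for objects, which is the symptom Dan is chasing in the HTCP thread.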
Re: [squid-users] Difference between TCP_MISS, UDP_MISS
On Thu, 2008-05-22 at 04:53 +0700, Phattanon Duangdara wrote:

> Dan Trainor wrote:
>
>> Hello again -
>>
>> Reading my logs when trying to play with ICP and HTCP, I see a few options that I'm not too familiar with. I see TCP_MISS and UDP_MISS. From what I've read and understand on the documentation of the general log, TCP_MISS is written when an object is not found in *this* cache, and a UDP_MISS is written when an object is not found in *the* cache.
>>
>> Now, my question is: is the difference between the two the difference between not finding the object on either a single server or via ICP/HTCP? Is that where the differentiation is? This is what I understand from the documentation, but I just wanted to make sure that my interpretation was correct.
>>
>> Thanks!
>> -dant
>
> For an ICP/HTCP query, your server will log UDP_MISS/HIT. If you found UDP_HIT you would expect TCP_HIT to follow soon.
>
> 1211405991.407 0 192.168.182.8 UDP_MISS/000 68 ICP_QUERY http://video1.foo.bar:8020/01/47ccdcfd.flv - NONE/- -
>
> In case someone is getting a file from your proxy, now your server logs TCP_XXX. And in this case, if your server found a HIT from your sibling/neighbor you will see TCP_MISS with SIBLING_HIT or something similar.
>
> 1211405990.193 197970 61.114.111.122 TCP_HIT/200 10551690 GET http://video1.foo.bar:8020/01/48345aa0.flv - NONE/- video/flv
> 1211405990.657 148869 61.27.146.156 TCP_MISS/200 5860778 GET http://video1.foo.bar:8020/01/4780515a.flv - FIRST_UP_PARENT/videoserv1 video/flv
> 1211406200.674 5541 221.90.102.240 TCP_MISS/200 438409 GET http://video1.foo.bar:8020/01/47b26d73.flv - SIBLING_HIT/videocache1 video/flv
>
> Let's say
> UDP_MISS : object not in my cache, so you should get it yourself
> TCP_MISS : object not in my cache, I will get it for you

Hi, Phattanon -

Perfect, that's exactly what I was looking for - and I can see this as depicted in my logs.

As far as ICP/HTCP requests go, I've been looking for quite a while for a clear-cut definition between ICP and HTCP, and have yet to find one. I understand that HTCP is ICP's predecessor, but have not yet been able to identify which advantages it has over ICP. As this relates to our conversation, can you please elaborate on it a bit? I think knowing this, I can make some better decisions as to how my configuration will be set up.

Thanks
-dant
Re: [squid-users] problem with authentication with 3.0
On Wed, 2008-05-21 at 12:04 -0300, Leonardo Rodrigues Magalhães wrote:

> It seems to be that when the transparent option is enabled, squid assumes ALL requests received are transparently intercepted, which is NOT true. Simply removing the transparent from http_port makes things work again (ldap authentication), which proves my browsers do have the proxy settings correctly configured.
>
> Is this transparent option/authentication behavior I noticed expected, or does it seem to be a bug??

Not sure if it's a bug or a feature.. But it's very easy to live with. Just set up another http_port for the transparent interception.

Regards
Henrik
Re: [squid-users] cache only certain files?
On Wed, 2008-05-21 at 17:11 +0200, Anton Melser wrote:

> Hi,
>
> I'm struggling to get the logic right for only caching certain pages - it seems very easy to do the negative (don't cache ...) but the converse doesn't seem possible... I must be missing something.

To allow caching of only some URLs then allow those, then deny everything..

The default is to cache. If it doesn't get cached then the content most likely does not want to be cached. If this is your problem then see the following:

http://www.mnot.net/cache_docs/
http://www.mnot.net/cacheability/

Regards
Henrik
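Editor's note: Henrik's "allow those, then deny everything" and the Messenger thread earlier on this page (adnann5's msnmime/msngw ACLs, Thomas J. Raef's advice to deny by mime type) both depend on the same rule: Squid walks an access list top to bottom, a line matches only when every ACL named on it matches (a leading `!` negates), the first matching line decides, and if no line matches the result is the opposite of the last line's action. The Python below is an added example, not Squid's code; it models that evaluation for the ACL types used in the two threads (dstdomain, url_regex, urlpath_regex, req_mime_type, src) and runs it over a constructed squid.conf fragment. The two `acl msn*` lines are adnann5's; the 10.0.0.0/8 network, www.mysite.com and the example.org/example.net URLs are constructed for the demonstration.

```python
"""Toy evaluator for Squid-style access lists (added example, not Squid code).

Semantics modelled: lines are scanned in order; a line matches when ALL of
its ACLs match ('!' negates one ACL); the first matching line decides; when
no line matches, the result is the opposite of the last line's action.
Only the ACL types used on this page are implemented.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Squid's result when a list has no lines at all.
EMPTY_DEFAULT = {"http_access": "deny", "cache": "allow"}


@dataclass
class Request:
    url: str
    src: str = "10.0.0.1"   # client address, for 'src' ACLs
    mime: str = ""          # request Content-Type, for 'req_mime_type'


def parse_config(text):
    """Collect 'acl' definitions and the http_access / cache lists."""
    acls, lists = {}, {}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            name, typ, values = tok[1], tok[2], tok[3:]
            flags = 0
            if values and values[0] == "-i":          # case-insensitive regex
                flags, values = re.IGNORECASE, values[1:]
            acls.setdefault(name, [typ, [], flags])[1].extend(values)
        elif tok[0] in EMPTY_DEFAULT:
            lists.setdefault(tok[0], []).append((tok[1], tok[2:]))
    return acls, lists


def _acl_matches(name, req, acls):
    negate = name.startswith("!")
    typ, values, flags = acls[name.lstrip("!")]
    parts = urlsplit(req.url)
    host = parts.hostname or ""
    path = parts.path + ("?" + parts.query if parts.query else "")
    if typ == "dstdomain":        # a leading '.' also matches subdomains
        hit = any(host == v or (v.startswith(".") and host.endswith(v)) for v in values)
    elif typ == "url_regex":
        hit = any(re.search(v, req.url, flags) for v in values)
    elif typ == "urlpath_regex":
        hit = any(re.search(v, path, flags) for v in values)
    elif typ == "req_mime_type":
        hit = any(re.search(v, req.mime, flags) for v in values)
    elif typ == "src":
        hit = any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False)
                  for v in values)
    else:
        raise ValueError(f"unsupported acl type {typ}")
    return hit != negate


def evaluate(directive, req, acls, lists):
    """First-match walk of one access list; returns 'allow' or 'deny'."""
    rules = lists.get(directive, [])
    if not rules:
        return EMPTY_DEFAULT[directive]
    for action, names in rules:
        if all(_acl_matches(n, req, acls) for n in names):
            return action
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, directive, req):
    acls, lists = parse_config(config_text)
    return evaluate(directive, req, acls, lists)


# Constructed squid.conf fragment. The 'cache' lines are Henrik's answer to
# Anton (allow the site, then deny everything); msnmime/msngw are adnann5's
# ACLs placed in a normal http_access list.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.0.0.0/8
acl mysite dstdomain www.mysite.com
cache allow mysite
cache deny all

acl msnmime req_mime_type ^application/x-msn-messenger
acl msngw url_regex -i gateway.dll
http_access deny msnmime
http_access deny msngw
http_access allow our_networks
http_access deny all
"""

if __name__ == "__main__":
    for url in ("http://www.mysite.com/images/test.gif", "http://www.example.org/"):
        print(url, "cache:", decide(SAMPLE_CONF, "cache", Request(url)))
```

Swapping the two `cache` lines (deny all first) makes every request hit the deny line before the allow line is ever reached, which is the usual reason "allow only these" configurations appear not to work; the evaluator reproduces that, as well as the opposite-of-last-line default when a list ends with an allow that does not match.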
Re: [squid-users] Caching of directory objects, UDP_MISS
On Wed, 2008-05-21 at 14:03 -0600, Dan Trainor wrote:

> It would make sense as to why Squid would be handing out a UDP_MISS for that, since it would also make sense that Squid has no desire to cache directories

Squid does not make a distinction between a directory and a page or other HTTP objects. It's all HTTP objects.

But on most servers directory listings are dynamically generated and by default not cacheable. However, directories with an index page quite often are cacheable. For example http://www.squid-cache.org/Versions/v3/3.0/

Regards
Henrik
Re: [squid-users] Caching of directory objects, UDP_MISS
On Thu, 2008-05-22 at 00:18 +0200, Henrik Nordstrom wrote:

> On Wed, 2008-05-21 at 14:03 -0600, Dan Trainor wrote:
>
>> It would make sense as to why Squid would be handing out a UDP_MISS for that, since it would also make sense that Squid has no desire to cache directories
>
> Squid does not make a distinction between a directory and a page or other HTTP objects. It's all HTTP objects.
>
> But on most servers directory listings are dynamically generated and by default not cacheable. However, directories with an index page quite often are cacheable. For example http://www.squid-cache.org/Versions/v3/3.0/
>
> Regards
> Henrik

Hello, Henrik -

That would make perfect sense in what I saw, seeing as there were no index pages being served from the URL which I saw as part of the miss. Thanks for the explanation.

Thanks
-dant
Re: [squid-users] Need RPM of squid3stable6
On Wed, 2008-05-21 at 15:44 -0500, Cliff Hayes wrote:

> I'd like to try stable5 or 6 as announced, but need an RPM since I am using Fedora 9.

Fedora development is on 3.0.STABLE6. I don't know why FC9 hasn't been updated yet, but you should be able to use the Fedora development version.

Regards
Henrik
Re: [squid-users] problem with authentication with 3.0
On Wed, 2008-05-21 at 19:16 -0300, Leonardo Rodrigues Magalhães wrote:

> Anyway, I think this should be investigated and, if declared as feature and not bug, it should be at least documented. Actual 'transparent' option documentation says nothing about authentication mechanisms completely stopping working as it seems to happen.

What OS are you using? And what is the output of

/usr/local/squid/sbin/squid -v

Regards
Henrik
Re: [squid-users] problem with authentication with 3.0
Henrik Nordstrom wrote:

> Not sure if it's a bug or a feature.. But it's very easy to live with. Just set up another http_port for the transparent interception.

Yeah I also don't know if this is a bug or a feature :) And it's easy to live with, I agree with that.

Anyway, I think this should be investigated and, if declared as feature and not bug, it should be at least documented. Actual 'transparent' option documentation says nothing about authentication mechanisms completely stopping working as it seems to happen.

-- 
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it: [EMAIL PROTECTED]
Re: [squid-users] problem with authentication with 3.0
Henrik Nordstrom wrote:

> On Wed, 2008-05-21 at 19:16 -0300, Leonardo Rodrigues Magalhães wrote:
>
>> Anyway, I think this should be investigated and, if declared as feature and not bug, it should be at least documented. Actual 'transparent' option documentation says nothing about authentication mechanisms completely stopping working as it seems to happen.
>
> What OS are you using? And what is the output of
>
> /usr/local/squid/sbin/squid -v

Linux Fedora Core 5 with 2.6.24.3 kernel hand compiled.

[EMAIL PROTECTED] ~]# uname -a
Linux firewall.something.com.br 2.6.24.3-grsec #2 Wed May 14 16:44:01 BRT 2008 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] ~]#
[EMAIL PROTECTED] ~]# squid -v
Squid Cache: Version 3.0.STABLE6
configure options: '--prefix=/usr' '--exec-prefix=/usr/bin' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/bin' '--sysconfdir=/etc/squid' '--datadir=/var/squid' '--localstatedir=/var' '--enable-removal-policies=heap,lru' '--enable-storeio=ufs,aufs,diskd,coss,null' '--enable-delay-pools' '--enable-async-io=4' '--enable-http-violations' '--enable-err-language=Portuguese English' '--enable-default-err-language=Portuguese' '--enable-snmp' '--disable-ident-lookups' '--enable-linux-netfilter' '--enable-underscores' '--enable-auth=basic digest ntlm negotiate' '--enable-basic-auth-helpers=DB LDAP MSNT NCSA SMB multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check' '--enable-digest-auth-helpers=password ldap' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user ldap_group session wbinfo_group' '--enable-useragent-log' '--enable-referer-log' '--disable-wccp' '--enable-arp-acl' '--with-large-files' '--enable-large-cache-files' '--disable-hostname-checks' '--enable-ssl' '--enable-external-acl-helpers=ip_user ldap_group' '--enable-icmp'
[EMAIL PROTECTED] ~]#

-- 
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it: [EMAIL PROTECTED]
Re: [squid-users] problem with authentication with 3.0
Leonardo Rodrigues Magalhães wrote:
> Henrik Nordstrom wrote:
>> Not sure if it's a bug or a feature.. But it's very easy to live with. Just set up another http_port for the transparent interception.
>
> Yeah I also don't know if this is a bug or a feature :) And it's easy to live with, I agree with that. Anyway, I think this should be investigated and, if declared as feature and not bug, it should be at least documented. Actual 'transparent' option documentation says nothing about authentication mechanisms completely stop working as it seems to happen.

I've seen this at close quarters recently. It worked in 2.5 because there was only one port. In 3.0 and later it turns off several components doing expensive network or kernel lookups, not just authentication.

The fix here is in the documentation as you point out.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE6
[squid-users] Squid 3.0 vs. 2.6 Releases
What are the primary differences between these releases? If I am running Squid 2.6stable20 will it be relatively easy to upgrade to the latest stable 3 release? Never had much trouble going from one STABLE 2.6 to the next. Does Squid 3 handle .NET issues or IIS webservers any better than 2.6?

Matt
Re: [squid-users] logging ident while avoiding an ident lookup for each request
Marc Haber wrote:
> Hi, I have a case where a squid provides caching services for a multi-user Unix system which has identd enabled. I'd like squid to log the ident value of a user with the access in the access log. I have already accomplished this (it's rather easy to do), but I am concerned about load issues this might impose on the multi-user system and on the network since the amount of TCP connections on the network is neatly doubled.
>
> Is it possible to have squid send some kind of identification to the browser so that an ident lookup is only necessary for the first http request in a session and the client can be identified by the bit sent back by the browser for the rest of the session? Or am I chasing a phantom here and the load imposed by the ident-lookups (which includes TCP session building and teardown) is negligible? Which other solutions are possible?
>
> Greetings
> Marc

Squid considers identd lookups to be an authentication type. Which gets cached for a short period against the client IP to prevent such loading of the network.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
[squid-users] Propagation of HTCP CLR command to cache peers
Hi, all - I'm doing some testing when trying to clear individual objects from the cache, and came up with a few questions that I have not been able to figure out based on my research. I'm essentially trying to get those HTCP CLR commands to propagate to other cache_peer hosts. As I understand it so far, the only way to relay these messages would be to enable all cache peers as multicast peers, which after me sending the HTCP CLR command to one peer, would then relay that message to the multicast members. Since I cannot confirm this, I need to ask - is that how it works? Am I looking at it from the right angle? Any help would be much appreciated. Thanks -dant
Re: [squid-users] Squid 3.0 vs. 2.6 Releases
Matt wrote:
> What are the primary differences between these releases? If I am running Squid 2.6stable20 will it be relatively easy to upgrade to the latest stable 3 release? Never had much trouble going from one STABLE 2.6 to the next. Does Squid 3 handle .NET issues or IIS webservers any better than 2.6?
> Matt

Both are based on 2.5.
- 3.0 adds features geared towards content adaptation.
- 2.6 adds performance upgrades for high-traffic acceleration clients.

The upgrade itself should be easy. Last time we checked 3.0 was on par with 2.6s6, so it's a step down from s20. You probably want to wait for 3.1 or later. But it depends entirely on your performance and more importantly feature needs.

As for .NET and IIS issues. Other than their chunk-encoding problem I'm not aware of any affecting squid. In that case 2.6 is slightly better than 3.0 and worse than 3.1.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE6
Re: [squid-users] Squid 3.0 vs. 2.6 Releases
>> What are the primary differences between these releases? If I am running Squid 2.6stable20 will it be relatively easy to upgrade to the latest stable 3 release? Never had much trouble going from one STABLE 2.6 to the next. Does Squid 3 handle .NET issues or IIS webservers any better than 2.6?
>
> Both are based on 2.5.
> - 3.0 adds features geared towards content adaptation.
> - 2.6 adds performance upgrades for high-traffic acceleration clients.
>
> The upgrade itself should be easy. Last time we checked 3.0 was on par with 2.6s6, so it's a step down from s20. You probably want to wait for 3.1 or later. But it depends entirely on your performance and more importantly feature needs.
>
> As for .NET and IIS issues. Other than their chunk-encoding problem I'm not aware of any affecting squid. In that case 2.6 is slightly better than 3.0 and worse than 3.1.

I have problems with users connecting to websites on IIS servers not able to authenticate with user name and password. Some other user complains they cannot upload .NET. Will the chunked-encoding issue cause this?

Matt
Re: [squid-users] Squid 3.0 vs. 2.6 Releases
>>> What are the primary differences between these releases? If I am running Squid 2.6stable20 will it be relatively easy to upgrade to the latest stable 3 release? Never had much trouble going from one STABLE 2.6 to the next. Does Squid 3 handle .NET issues or IIS webservers any better than 2.6?
>>
>> Both are based on 2.5.
>> - 3.0 adds features geared towards content adaptation.
>> - 2.6 adds performance upgrades for high-traffic acceleration clients.
>>
>> The upgrade itself should be easy. Last time we checked 3.0 was on par with 2.6s6, so it's a step down from s20. You probably want to wait for 3.1 or later. But it depends entirely on your performance and more importantly feature needs.
>>
>> As for .NET and IIS issues. Other than their chunk-encoding problem I'm not aware of any affecting squid. In that case 2.6 is slightly better than 3.0 and worse than 3.1.
>
> I have problems with users connecting to websites on IIS servers not able to authenticate with user name and password. Some other user complains they cannot upload .NET. Will the chunked-encoding issue cause this?

No. That's another two issues altogether.

The authentication one is probably a configuration issue. But may be an auth bug.

The upload one may be related to squid blocking unknown HTTP request methods, or the size of the objects being uploaded.

A good cache.log trace of the two operations should lead you to the problem.

Amos
Re: [squid-users] Squid 3.0 vs. 2.6 Releases
>> I have problems with users connecting to websites on IIS servers not able to authenticate with user name and password. Some other user complains they cannot upload .NET. Will the chunked-encoding issue cause this?
>
> No. That's another two issues altogether.
>
> The authentication one is probably a configuration issue. But may be an auth bug.
>
> The upload one may be related to squid blocking unknown HTTP request methods, or the size of the objects being uploaded.
>
> A good cache.log trace of the two operations should lead you to the problem.

On the authentication issue I tried changing log level to 9 for a short time but it did not tell me much. Saw the POST when the username and password was submitted but not much else. It's an IIS/6 server with ASP.NET version 2. Looks to be using javascript to log in. Any ideas what I can change on Squid to make it work? It does this both in transparent and non-transparent modes. I was hoping maybe Squid v3 had some improvements that would make it work.

Matt
Re: [squid-users] Block Windows Live Messenger with Squid
Another URL, http://blogs.techrepublic.com.com/networking/?p=308

On Wed, May 21, 2008 at 9:48 PM, Thomas Raef [EMAIL PROTECTED] wrote:
> Messenger will also use port 80. You'll need to do l7-filter for that. Or using squid, setup acls for the messenger mimetype which will catch it if it's coming through port 80, and then also block port 1863. I believe that's been covered before in this group so you may want to search the archives. Sorry, but I don't have the exact details in front of me.
>
> Thomas J. Raef
>
> -----Original Message-----
> From: Cassiano Martin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 21, 2008 11:05 AM
> To: adnann5
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Block Windows Live Messenger with Squid
>
> Messenger uses port 1863 tcp for communication, and some HTTPS SOAP requests to M$ servers. You need to block this port using iptables.
>
> iptables -A FORWARD -p tcp --dport 1863 -j DROP
> iptables -A FORWARD -p tcp --sport 1863 -j DROP
>
> adnann5 wrote:
>> Hi Guys, I'm running a transparently working copy of squid 2.6 stable 19 on a Linux FC9 box. I wanted to block msn/windows live messenger through it, I've added the following code in my squid.conf
>>
>> acl msnmime req_mime_type ^application/x-msn-messenger
>> acl msngw url_regex -i gateway.dll
>> http_access deny msnmime
>> http_access deny msngw
>>
>> but messenger is still signing in... Does anybody have another solution?
>>
>> Regards

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid 3.0 vs. 2.6 Releases
>>> I have problems with users connecting to websites on IIS servers not able to authenticate with user name and password. Some other user complains they cannot upload .NET. Will the chunked-encoding issue cause this?
>>
>> No. That's another two issues altogether.
>>
>> The authentication one is probably a configuration issue. But may be an auth bug.
>>
>> The upload one may be related to squid blocking unknown HTTP request methods, or the size of the objects being uploaded.
>>
>> A good cache.log trace of the two operations should lead you to the problem.
>
> On the authentication issue I tried changing log level to 9 for a short time but it did not tell me much. Saw the POST when the username and password was submitted but not much else. It's an IIS/6 server with ASP.NET version 2. Looks to be using javascript to log in. Any ideas what I can change on Squid to make it work? It does this both in transparent and non-transparent modes. I was hoping maybe Squid v3 had some improvements that would make it work.

Interception 'transparent' mode ports do not even attempt to perform authentication. Though with most javascript methods HTTP authentication is not involved anyway.

Making sure the interception and direct-proxy listening ports are different should fix it for most users.

If the code itself is failing on a side-band authentication there is nothing you can do to fix it in squid. Only the sites webmaster can fix those.

Amos
[squid-users] Re: What is the best way to authenticate remote users with dynamic ip?
> Hello, list. I want to set up a public proxy that will serve clients from anywhere, after registration. I will set up a captive portal for authorization/registration and an external authenticator that will check user validity and redirect unauthorized users to the captive portal. I guess that simple basic/digest auth will be the better choice, but I want to use a captive portal, so it's no option for me, alas. So I need some kind of session authentication. For now I'm sticking to cookie authentication, but not sure if it is possible. I can configure the captive portal to set a cookie and the external helper to check for it, but I believe the client will not send that cookie until squid asks for it, and squid will not, will it? What can I do in that case? Is there any better way to approach my target?

Yes. Using the HTTP native authentication methods is much better than cookies. It will also make your authenticated website pieces handle and scale better across the Internet.

Lookup:
auth_param - for the authentication config.
deny_info - for the access denied portal redirection.

Squid has a session helper for handling the multiple request relations. Though I have not needed to use it.

Amos
Re: [squid-users] Site filtering issue
Shelton, maybe the tag

http_access allow our_network

should go after and not before (or maybe you don't need it at all)

http_access denied custom_denied_domains dst etc/squid/denied_domains.acl

hope to be helpful. I'm a beginner.

Regards,
Felix Lazaro Carbonell

> Site filtering issue
>
> I am having issues with filtering of my websites. I have setup squid 2.6.STABLE17 over a Fedora 8 machine. Below is my squid.conf file. Squid seems to log all sites that are going out from other stations but does not filter any of the sites. They all go through. My denied_domains.acl has
>
> .youtube.com
> .hotmail.com
> .live.com
>
> But these sites don't seem to get blocked out. I had also issued this command thinking that it was to do with iptables
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Initially squid wouldn't work; everything would be blocked so I disabled the firewall which allowed access. So I put a custom allow to port 3128 which opened it up but to all sites.
>
> -- squid.conf --
> visible_hostname vanderpolgroup
> http_port 3128
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 128 KB
> cache_mem 256 MB
> cache_dir ufs /var/spool/squid 7 32 512
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl our_network src 192.168.10.0/24
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # SSL
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 563 70
> acl CONNECT method CONNECT
> acl custom_allowed_domains dstdomain /etc/squid/allowed_domains.acl
> acl custom_denied_domains dstdomain /etc/squid/denied_domains.acl
> acl ads_blacklist dstdom_regex /etc/squid/blacklist/ads/domains
> acl aggressive_blacklist dstdom_regex /etc/squid/blacklist/aggressive/domains
> acl audio-video_blacklist dstdom_regex /etc/squid/blacklist/audio-video/domains
> acl drugs_blacklist dstdom_regex /etc/squid/blacklist/drugs/domains
> acl gambling_blacklist dstdom_regex /etc/squid/blacklist/gambling/domains
> acl hacking_blacklist dstdom_regex /etc/squid/blacklist/hacking/domains
> acl mail_blacklist dstdom_regex /etc/squid/blacklist/mail/domains
> acl porn_blacklist dstdom_regex /etc/squid/blacklist/porn/domains
> acl proxy_blacklist dstdom_regex /etc/squid/blacklist/proxy/domains
> acl redirector_blacklist dstdom_regex /etc/squid/blacklist/redirector/domains
> acl spyware_blacklist dstdom_regex /etc/squid/blacklist/spyware/domains
> acl suspect_blacklist dstdom_regex /etc/squid/blacklist/suspect/domains
> acl violence_blacklist dstdom_regex /etc/squid/blacklist/violence/domains
> acl warez_blacklist dstdom_regex /etc/squid/blacklist/warez/domains
> acl networking_blacklist dstdom_regex /etc/squid/blacklist/networking/domains
>
> Please go through those lists carefully and consider if you actually for-real need the regex. 'dstdomain' can take whole domains or wildcard sub-domains and is VERY much more efficient than any regex.
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow our_network
> http_access deny all
>
> None of the http_access lines after this will ever match. 'deny all' does exactly what it sounds like. You want 'deny all' to be the very last http_access config line. And the 'allow our_network' should probably join it at the end. Perhaps with a 'deny !our_network' left here to speed up denial of external connection attempts.
>
> icp_access allow all
> #miss_access allow all
> http_access allow custom_allowed_domains
> http_access deny custom_denied_domains
> http_access deny ads_blacklist
> http_access deny aggressive_blacklist
> http_access deny audio-video_blacklist
> http_access deny drugs_blacklist
> http_access deny gambling_blacklist
> http_access deny hacking_blacklist
> http_access deny mail_blacklist
> http_access deny porn_blacklist
> http_access deny proxy_blacklist
> http_access deny redirector_blacklist
> http_access deny spyware_blacklist
> http_access deny suspect_blacklist
> http_access deny violence_blacklist
> http_access deny warez_blacklist
> http_access deny networking_blacklist
> cache_mgr [EMAIL PROTECTED]
>
> Thanks
> Sheldon
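To see why the reply says nothing after 'deny all' can ever match, here is an added example (not code from the thread and not Squid's own) that simulates Squid's first-match http_access evaluation over the ACL names from the quoted config. The supported ACL subset, the matching rules and the sample client addresses are assumptions made for this illustration.

```python
# Added example, not from the squid-users thread: a small simulator of
# Squid's first-match http_access evaluation, used to show why a
# 'deny all' placed before the domain-deny lines makes them unreachable.
# ACL names, the /24 and the three domains mirror the quoted squid.conf.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    kind: str        # "src", "dstdomain" or "all" (a small subset of Squid's ACL types)
    values: tuple


def acl_matches(acl, client_ip, host):
    """True if the request matches the ACL; values within one ACL are OR-ed."""
    if acl.kind == "all":
        return True
    if acl.kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in acl.values)
    if acl.kind == "dstdomain":
        # A leading dot matches the domain itself and every sub-domain.
        return any(host == v or (v.startswith(".") and (host == v[1:] or host.endswith(v)))
                   for v in acl.values)
    raise ValueError(f"unsupported acl type {acl.kind}")


def http_access(rules, acls, client_ip, host):
    """First line whose ACLs all match decides; a '!' prefix negates one ACL.
    With no match at all, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], client_ip, host) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed ACL table: the denied list holds the poster's three domains.
ACLS = {
    "all": Acl("all", ()),
    "our_network": Acl("src", ("192.168.10.0/24",)),
    "custom_denied_domains": Acl("dstdomain", (".youtube.com", ".hotmail.com", ".live.com")),
}

# Order as posted: 'allow our_network' and 'deny all' come before the deny lines.
AS_POSTED = [
    ("allow", ["our_network"]),
    ("deny", ["all"]),
    ("deny", ["custom_denied_domains"]),   # never reached
]

# Order the reply suggests: denies first, 'deny all' as the very last line.
REORDERED = [
    ("deny", ["!our_network"]),            # cheap early rejection of outsiders
    ("deny", ["custom_denied_domains"]),
    ("allow", ["our_network"]),
    ("deny", ["all"]),
]


def decision(rules, client_ip, host):
    """Evaluate one request against a rule list using the constructed ACL table."""
    return http_access(rules, ACLS, client_ip, host)
```

With the posted order, a LAN client fetching www.youtube.com is allowed by the first line; with the reordered list the same request is denied and an outside client is rejected before any domain check runs.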
Re: Re[2]: [squid-users] Issue with header_access and validation
> But wouldn't that only override max-age which is received in headers sent by servers? The ones we want to override are from client requests only. Plus refresh_pattern can not take an acl since it's global and only based on path (ie no acls). Or am I not seeing things clearly?

refresh_pattern gets involved when updating something already in cache. AFTER the IMS has been actioned.

header_access gets involved when sending the request to the server or the response to the client. Thus it was working too late for your earlier config.

The closest thing I know of squid offering is the 'reload_into_ims' or 'refresh_stale_hit' options. The first to reduce possibly large full object requests down to the smaller 304's. The latter to reduce the amount of 304's to one at a time.

Amos

> Thanks for any help again.
>
>> Use refresh_pattern entries to override the max-age.
>>
>> On Fri, May 02, 2008, Paul-Kenji Cahier wrote:
>>> Hello,
>>>
>>> In our current situation, we are trying to have Cache-control: max-age=0 headers from clients to be ignored in the cache decision process, while keeping all of the 'Cache-control: no-cache' and 'Pragma: no-cache' still valid as making revalidation mandatory.
>>>
>>> Without trying to do anything, when squid receives the max-age=0 directive, it decides to TCP_REFRESH_HIT since the client asks it.
>>>
>>> Our current approach was the following:
>>>
>>> acl static_content req_header Cache-control max.age=0
>>> header_access Cache-Control deny static_content
>>>
>>> While the acl is properly matched, it seems the header_access does not ever get applied when deciding of what to do, with the result that it's effectively being ignored.
>>>
>>> Is there any way to make it be applied earlier/another way to ignore only 'Cache-control: max.age=0' headers? (we would also preferably rather be able to define that with an acl so we can only apply that directive to really probably static content)
>>>
>>> The whole goal is to avoid firefox's F5/refresh button from forcing thousands of TCP_REFRESH_HIT/304 all the time, which not only strains the servers but takes longer. Of course we also want users that want to force a refresh (through ctrl+shift+R, which actually adds the no-cache directives) to be able to do so. (Caching is good, but forcing delays before things are checked again is not)
>>>
>>> Any suggestions will be really appreciated... We have tried to rewrite urls through privoxy, but it came messy and fairly heavy on load, so a squid only solution would really be best.
>>>
>>> --
>>> Best regards,
>>> Paul-Kenji Cahier
>>> mailto:[EMAIL PROTECTED]