Re: [squid-users] bypass proxy for local addresses

2008-06-30 Thread Matus UHLAR - fantomas
On 29.06.08 10:07, Michel wrote:
 in order not to bother with client configurations and browser problems a
 good solution (because support free) is a transparent proxy and then you
 configure your firewall to skip the fwd rules for the addresses of your
 choice

However, since intercepting of connections causes many troubles, it's much
better to configure WPAD properly
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.


Re: [squid-users] cache-control

2008-06-30 Thread Matus UHLAR - fantomas
On 30.06.08 11:49, Jeff Peng wrote:
 The cache-control values like no-cache and no-store, are used for
 a cache/proxy server generally.
 Do they have the same effect to useragent's local buffer (ig,
 Firefox's disk buffer)? Thanks.

RFC 2616 describes how proxies and user agents should treat those headers.
I think you should read that for best understanding of those.

Note that some browsers and proxies do not behave as they should, but it's
always better to know how they should behave and where they violate that, in
order to understand all the stuff
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: [squid-users] Re: YouTube and other streaming media (caching)

2008-06-30 Thread Eric.chen

   Dear Adrian, Henrik,

  Can you tell me how to cache YouTube / Google Video CDN objects
  in squid 2.6 stable20...

  please



Tue, 27 May 2008 18:30:40 -0700

This stuff requires Squid-2.7. Henrik will roll Squid-2.7.STABLE2 soon, so
wait until that's done.
Adrian

On Tue, May 27, 2008, [EMAIL PROTECTED] wrote:
 See Thread at: http://www.techienuggets.com/Detail?tx=32811 Posted on 
 behalf 
 of a User
 
 We have about 600 users behind a squid 2.6stable20 proxy, and youtube 
 represents a big chunk of our bandwidth. Will this method work in 2.6 or 
 is 
 2.7 needed? We tried to used 3.0 for a while, but suffered a proxy auth
bug, 
 and when that was fixed, it was unstable, so I went back to 2.6
 
 Thanks.
 
 In Response To: 
 
 On Thu, Apr 17, 2008 at 08:11:51AM +0800, Adrian Chadd wrote:
  The problem with caching Youtube (and other CDN content) is that
  the same content is found at lots of different URLs/hosts. This
  unfortunately means you'll end up caching multiple copies of the
  same content and (almost!) never see hits.



Re: [squid-users] bypass proxy for local addresses

2008-06-30 Thread Michel

 On 29.06.08 10:07, Michel wrote:
 in order not to bother with client configurations and browser problems a
 good solution (because support free) is a transparent proxy and then you
 configure your firewall to skip the fwd rules for the addresses of your
 choice

 However since intercepting of connections causes many troubles, It's much
 better to configure WPAD properly


Well, I do not know about such problems, maybe you should analyse each of
them and configure things properly. In my experience most of the common
interception problems are caused by wrong network settings or such
ping-pong setups like a router sending traffic back or a gateway forwarding to
an external proxy




michel



[squid-users] Youtube video caching with Squid3

2008-06-30 Thread Egi

Hello

Is it possible to cache youtube videos with Squid3?

Thank You!




Re: [squid-users] Reverse proxies...

2008-06-30 Thread John Doe
 I still have the GET internal://pc-03/squid-internal-periodic/store_digest 
 problem though..
 
 What problem? It's cache digest exchanges between the Squids..

Not really a problem but pc-03 (or its corresponding IP) are nowhere in the 
conf files, and so I was just wondering how the same (internal://pc-03/) did 
end up in the 3 squids logs...
If the 3 squids were really on 3 different servers, there would be 3 different 
hostnames/IPs in the logs, right?
But no big deal as long as it works  ^_^

Thx,
JD


  



[squid-users] SSL Client certificates

2008-06-30 Thread Alex van Denzel
Hello,

I have a problem regarding the authentication of client certificates.

The situation:

We have an application server (appsrv), running a web-application on
port 7511 (plaintext http). Internal clients connect to this server
using plain http over port 7511 directly to the server. External
clients connect using https over port 443 through a reverse proxy. The
proxy connects plain http to port 7511 on the appsrv.

Corporate policy requires us to place the reverse proxy in a secure
subnet (ssn). This is a sort of dmz behind a dmz. Note that the proxy
now has no working connection to the Internet.

In the dmz exists a machine that does a port-forwarding of port 443 to
our proxy. The firewalls are configured to allow that.

Our proxy connects to port 7511 of the appsrv. The firewalls are
configured to allow that too.

Internet -- firewall -- dmz -- firewall -- ssn -- firewall -- local lan
   |                     |                  |                    |
clients 443-------- port forw. --443-- rev. proxy 7511------- appsrv

The reverse proxy is a Squid-cache, version 2.6.STABLE19, running on
Red Hat Enterprise Linux AS release 4 (Nahant Update 6).

The config of the squid box is (more or less) as follows

https_port our_ip:443 \
cert=/etc/ssl/server.crt \
key=/etc/ssl/server.key \
clientca=/etc/ssl/clientca.ca-bundle \
cafile=/etc/ssl/root.ca-bundle \
defaultsite=appsrv \
vhost \
sslflags=NO_SESSION_REUSE

cache_peer appsrv parent 7511 0 originserver no-query default no-digest

I've got a few questions about this, which I can't find in the manual,
the FAQ and, for that matter with Google.

First, the browser (IE and FF) give me a selection box where I can
select the client certificate to use. But not all client certificates
I installed are listed. How does the browser know which certificates
to select, or, how does the server tell this to the browser?

Second, the only way out to the internet is through another proxy (I
think a Microsoft ISA server). How can I tell Squid (or OpenSSL) to
use this proxy for outgoing CA and CRL verification requests. I have
put 'http_proxy=http://192.168.x.y:8080;' into the
/etc/sysconfig/network file, which is sourced by /etc/init.d/squid,
but I haven't been able to verify if this is working.

Third. Recently we changed to another SSL provider (Comodo) and I've
changed something in the configuration and client certificate
verification didn't work anymore. I've tried some things, but I'm at
a loss here. Can anyone clarify what actually happens during client
verification? Currently I've disabled client certificate verification
(removed the clientca line), so the users can still work. I don't have
a test platform, and the pilot site was forced into production before
I had time to test it all.

I've read somewhere that this client certificate stuff in Squid is
still experimental, but we'd really want to have it working.

Thanks in advance,
Kind Regards,
Alex van Denzel.


Re: [squid-users] cache-control

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 11:49 +0800, Jeff Peng wrote:

 The cache-control values like no-cache and no-store, are used for
 a cache/proxy server generally.
 Do they have the same effect to useragent's local buffer (ig,
 Firefox's disk buffer)? Thanks.

They should.

With the exception being if you navigate the history (back/forward).

Regards
Henrik




Re: [squid-users] Youtube video caching with Squid3

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 12:05 +0200, Egi wrote:
 Hello
 
 Is it possible to cache youtube videos with Squid3?

Not yet.

Regards
Henrik




Re: [squid-users] Reverse proxies...

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 03:08 -0700, John Doe wrote:
  I still have the GET internal://pc-03/squid-internal-periodic/store_digest 
  problem though..
  
  What problem? It's cache digest exchanges between the Squids..
 
 Not really a problem but pc-03 (or its corresponding IP) are nowhere in the 
 conf files, and so I was just wondering how the same (internal://pc-03/) did 
 end up in the 3 squids logs...

Odd..

 If the 3 squids were really on 3 different servers, there would be 3 
 different hostnames/IPs in the logs, right?

IP yes. Hostname is what they request..

IP is from where the request was sent.

The hostname in the URL is what that IP requested.. or how it was
rebuilt using the http_port options in accelerator mode..

Regards
Henrik




Re: [squid-users] SSL Client certificates

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 12:11 +0200, Alex van Denzel wrote:
 In the dmz exists machine that does a port-forwarding of port 443 to
 our proxy. The firewalls are configured to allow that.

Hmm... then you lose the source IP before it reaches your Squid, which
would make the Squid logs a lot less useful.

 Our proxy connects to port 7511 of the appsrv. The firewalls are
 configured to allow that too.

Ok.

 The reverse proxy is a Squid-cache, version 2.6.STABLE19, running on
 Red Hat Enterprise Linux AS release 4 (Nahant Update 6).

Ok.

 First, the browser (IE and FF) give me a selection box where I can
 select the client certificate to use. But not all client certificates
 I installed are listed. How does the browser know which certificates
 to select, or, how does the server tell this to the browser?

That's done by the clientca option.

It's also possible to request any certificate but not sure this is
implemented in Squid.

 Second, the only way out to the internet is through another proxy (I
 think a Microsoft ISA server). How can I tell Squid (or OpenSSL) to
 use this proxy for outgoing CA and CRL verification requests.

Squid does not automatically fetch CRL lists. You have to set up this
manually, and install the CRLs in a directory found by openssl.

Hmm.. we really should add a config option to specify the directory.

 Third. Recently we changed to another SSL provider (Comodo) and I've
 changed something in the configuration and client certificate
 verification didn't work anymore. I've tried some things, but I'm at
 a loss here.

Probably the CA of the issuer isn't known to your Squid..

clientca= doesn't automatically make those CAs trusted, it just makes
Squid request a certificate issued by the subject of any certificate in
that file. Could just as well be a list of issuer names..

 Can anyone clarify what actually happens during client
 verification? 

1. Squid requests a certificate, asking the client to provide one which
matches clientca=..

2. Client sends certificate to Squid.

3. OpenSSL automatically verifies the certificate, which involves
finding the proper CA in the local CA store and also that it's not
revoked by a CRL in the local CRL store.

 I've read somewhere that this client certificate stuff in Squid is
 still experimental, but we'd really want to have it working.

Yes, it's still a bit experimental. Mainly due to the lack of OCSP for
online certificate validation without requiring the admin to set up CRL
downloads..

Regards
Henrik
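
The three verification steps described in the reply above, as an added Python model that is not part of the original thread or of Squid's code. Certificates are constructed records (names and serials invented), signatures are not checked, and the clientca bundle, CA store and CRL store are plain lists and dicts standing in for the files OpenSSL reads.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


# Constructed records: every name and serial below is made up for this example.
OLD_CA = Cert("CN=Old Issuing CA", "CN=Old Issuing CA", 1)
NEW_CA = Cert("CN=New Issuing CA", "CN=New Issuing CA", 1)
ALICE_OLD = Cert("CN=alice", "CN=Old Issuing CA", 100)
ALICE_NEW = Cert("CN=alice", "CN=New Issuing CA", 200)


def requested_issuers(clientca_bundle):
    """Step 1: subject names from clientca=, sent in the certificate request."""
    return {ca.subject for ca in clientca_bundle}


def browser_offers(installed, issuers):
    """Client side: only certificates issued by a requested name are listed.
    (Simplified: real clients also match names further up the chain.)"""
    return [c for c in installed if c.issuer in issuers]


def verify(cert, ca_store, crl_store, max_depth=5):
    """Step 3: chain to a self-signed CA in the local store, then check CRLs.
    crl_store maps an issuer name to the set of serials it has revoked."""
    by_subject = {ca.subject: ca for ca in ca_store}
    current = cert
    for _ in range(max_depth):
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return "rejected: issuer %s not in local CA store" % current.issuer
        if current.serial in crl_store.get(current.issuer, set()):
            return "rejected: serial %d revoked by local CRL" % current.serial
        if issuer.subject == issuer.issuer:
            return "accepted"
        current = issuer
    return "rejected: chain too long"


def handshake(installed, clientca_bundle, ca_store, crl_store):
    """Run steps 1 to 3 for the first certificate the client would offer."""
    offered = browser_offers(installed, requested_issuers(clientca_bundle))
    if not offered:
        return "no certificate offered"
    return verify(offered[0], ca_store, crl_store)  # step 2: client sends it


if __name__ == "__main__":
    installed = [ALICE_OLD, ALICE_NEW]
    # clientca lists the new issuer, but the local CA store was never updated.
    print(handshake(installed, [NEW_CA], [OLD_CA], {}))
    # Both stores know the new issuer; no CRL installed, so nothing is revoked.
    print(handshake(installed, [NEW_CA], [OLD_CA, NEW_CA], {}))
    # Same stores, with a locally installed CRL that lists serial 200.
    print(handshake(installed, [NEW_CA], [OLD_CA, NEW_CA],
                    {"CN=New Issuing CA": {200}}))
```

The second case also shows the cost of the manual CRL step: a certificate the CA has revoked is still accepted until its CRL is installed locally.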




Re: [squid-users] Re: YouTube and other streaming media (caching)

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 16:29 +0800, Eric.chen wrote:

   does can told me,  how to do caching  youtube  google video CDN object
   in squid 2.6 stable20...

You need the store url capability found in 2.7 to be able to alias away
the CDN server names.

Regards
Henrik




[squid-users] Microsoft Product Activation not working.

2008-06-30 Thread Rinus Reyneke

Hi , 

Since installing squid we are unable to activate Windows products online. As 
soon as I turn squid off, though, products can be activated. How can I get past 
this problem?

Regards

Rinus Reyneke
VPN Technologies
www.vpnt.co.za
0832336623
012-998-6629




Re: [squid-users] SQUID 3 digest problem

2008-06-30 Thread Edward Ortega
Hi!

Sorry for the delay, I'm using digest_ldap_auth, and yes, that is the
only error message that I get.

Thanks!

Henrik Nordstrom wrote:
 On Fri, 2008-06-27 at 16:44 -0430, Edward Ortega wrote:

   
 WARNING: digestauthenticator #31 (FD 38) exited
 WARNING: digestauthenticator #30 (FD 37) exited
 WARNING: digestauthenticator #29 (FD 36) exited
 WARNING: digestauthenticator #28 (FD 35) exited
 WARNING: digestauthenticator #27 (FD 34) exited
 WARNING: digestauthenticator #26 (FD 33) exited
 Too few digestauthenticator processes are running
 The digestauthenticator helpers are crashing too rapidly, need
 help!
 

 What are you using as digest auth helper?

   auth_param digest program ...?

 And is there any other related error message in cache.log before this?

 Regards
 Henrik
   


[squid-users] Re: Re: Re[squid-users] verse proxy to Sharepoint

2008-06-30 Thread afstcklnd

OK, does this mean I've misunderstood? I thought Samba had to be both
configured and running for the squid helpers to work. Your email suggests
that the helpers themselves do it all???

Thanks
Andrew




Henrik Nordstrom-5 wrote:
 
 On Fri, 2008-06-27 at 02:38 -0700, afstcklnd wrote:
 OK, really at a loss now. Got rid of this problem by refining a few
 things
 but now still not working but no real evidence of why not? Although
 maybe
 
 == log.smbd ==
 [2008/06/26 21:28:35,  3]
 printing/printing.c:start_background_queue(1397)
   start_background_queue: Starting background LPQ thread
 [2008/06/26 21:28:35,  2] lib/util_sock.c:open_socket_in(1268)
   bind failed on port 445 socket_addr = 0.0.0.0.
   Error = Address already in use
 
 Sounds like you already have Samba running...
 
 Regards
 Henrik
 
 
  
 




[squid-users] Build ACL with AD group and website list

2008-06-30 Thread Alexandre augusto
Hi all,

I'm trying to use an ACL to allow/deny a single group in my Windows 2003 domain 
access to webmail.

All people will be able to access all sites (if squidguard permits) but no 
webmail site (if the user is not a Webmail group member).

A word list with most common webmails exists (webmail_list.txt)

My question is:

Where do I put webmail_list.txt so it works together with the Webmail group?
Can anyone give some help?

This is my squid.conf entry:

acl ntlm proxy_auth REQUIRED

external_acl_type nt_group ttl=0 %LOGIN /usr/lib64/squid/wbinfo_group.pl

#my Webmail_Group have only 10 users that will be able to access this sites/service

acl webmail_users external nt_group Webmail_Group dstdomain -i /etc/squid/webmail_list.txt

#Internal ACLs
http_access deny !Safe_ports
http_access allow ntlm webmail_users
http_access deny limite_max
http_access allow localhost
http_access deny all


It is not working.
All users can access all sites including webmail_list

Any idea?

thanks in advance

Alexandre




[squid-users] udp_incoming_address and udp_outgoing_address

2008-06-30 Thread John Doe
Hi again,

Since my servers have 2 nics, I want to use the internal nic for the ICP 
traffic...
But I am a bit confused by the udp params.

From the doc:
#   If udp_outgoing_address is set to 255.255.255.255 (the default)
#   it will use the same socket as udp_incoming_address.

Outgoing using the same socket as incoming is fine with me, so I tried:
 udp_incoming_address 192.168.17.11
 udp_outgoing_address 255.255.255.255
But my siblings won't talk.

From the doc:
#   NOTE, udp_incoming_address and udp_outgoing_address can not
#   have the same value since they both use port 3130.

So I created eth aliases just for udp_outgoing_address, which works but is a 
bit overkill...
Out of curiosity, I tried to put the same IP for incoming and outgoing and it seems 
to work fine...

I understand incoming has to listen on a specific port but why would outgoing 
use this and only this same specific port...?
What am I getting wrong?

Thx,
JD


  



[squid-users] Squid performance for an ISP

2008-06-30 Thread Carlos Alberto Bernat Orozco
Hi

I was wondering which is the best configuration for linux box and
Squid to prevent pornographic child sites acting as a transparent
proxy for 600 users. Could a 1Gb RAM machine do this?

Another question is, what are the possible reasons for several TCP_MISS
in the squid log? like a checklist or something

Thanks in advance!


Re: [squid-users] Re: Re: Re[squid-users] verse proxy to Sharepoint

2008-06-30 Thread Henrik Nordstrom
No, the helpers require Samba running.

The error message suggests you are trying to start Samba while Samba is
already running, full or partial.

Regards
Henrik

On Mon, 2008-06-30 at 06:52 -0700, afstcklnd wrote:
 OK, does this mean I've misunderstood? I thought Samba had to be both
 configured and running for the squid helpers to work. Your email suggests
 that the helpers themselves do it all???
 
 Thanks
 Andrew
 
 
 
 
 Henrik Nordstrom-5 wrote:
  
  On Fri, 2008-06-27 at 02:38 -0700, afstcklnd wrote:
  OK, really at a loss now. Got rid of this problem by refining a few
  things
  but now still not working but no real evidence of why not? Although
  maybe
  
  == log.smbd ==
  [2008/06/26 21:28:35,  3]
  printing/printing.c:start_background_queue(1397)
start_background_queue: Starting background LPQ thread
  [2008/06/26 21:28:35,  2] lib/util_sock.c:open_socket_in(1268)
bind failed on port 445 socket_addr = 0.0.0.0.
Error = Address already in use
  
  Sounds like you already have Samba running...
  
  Regards
  Henrik
  
  
   
  
 




Re: [squid-users] udp_incoming_address and udp_outgoing_address

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 08:25 -0700, John Doe wrote:

 From the doc:
 #   If udp_outgoing_address is set to 255.255.255.255 (the default)
 #   it will use the same socket as udp_incoming_address.

Yes.. which is another way of saying that in most situations where you
need Squid to use specific addresses you should only set the incoming..

 Outgoing using the same socket as incoming is fine with me, so I tried:
  udp_incoming_address 192.168.17.11
  udp_outgoing_address 255.255.255.255
 But my siblings won't talk.


And they are trying to contact on this address, and allowed by
icp_access and http_access?

 So I created eth aliases just for udp_outgoing_address, which works but is a 
 bit overkill...
 By curiosity, I tried to put the same IP for incoming and outgoing and it 
 seems to work fine...

Odd.. Which Squid version?  Squid should not even start with ICP enabled
and incoming and outgoing set to the same address...

 I understand incoming has to listen on a specific port but why would outgoing 
 use this and only this same specific port...?
 What am I getting wrong?

You are correct that outgoing ICP could in theory use a random port, but
most people like to see it using a fixed port for firewalling reasons so
Squid uses the same port number for both.

Regards
Henrik




Re: [squid-users] Squid performance for an ISP

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 21:25 +0200, Carlos Alberto Bernat Orozco wrote:
 Another question is, what are the possible reasons for several TCP_MISS
 in the squid log? like a checklist or something

Can you be a bit more specific? Several in what way?

Regards
Henrik




Re: [squid-users] SQUID 3 digest problem

2008-06-30 Thread Henrik Nordstrom
On Mon, 2008-06-30 at 08:32 -0430, Edward Ortega wrote:

 Sorry for the late, i'm using digest_ldap_auth, and yes that is the
 only messages error that i get.

Are you really really really sure that's the only message you get?

rm /usr/local/squid/var/logs/cache.log
Try to start Squid
then send me the full cache.log output.

Regards
Henrik




Re: [squid-users] Squid performance for an ISP

2008-06-30 Thread Carlos Alberto Bernat Orozco
Thanks for the answer!

When I was playing with squid (first setup), I found many TCP_MISS
running on my log, when the users surf many sites. I can say 90% of my
entire squid log was TCP_MISS. And I didn't find much information
about TCP_MISS on the web site, like meaning and issues. The same for
MEM_HIT and other parameters. Why is it possible to have so many of
these?

And where can I get more info about it?

I don't know if I can be more specific

Thanks in advance

2008/6/30 Henrik Nordstrom [EMAIL PROTECTED]:
 On Mon, 2008-06-30 at 21:25 +0200, Carlos Alberto Bernat Orozco wrote:
 Another question is, what are the possible reasons for several TCP_MISS
 in the squid log? like a checklist or something

 Can you be a bit more specific? Several in what way?

 Regards
 Henrik



[squid-users] difference at dynamic pages cache

2008-06-30 Thread Jeff Peng
Hello,

In older squid (before 3.0), the config directives for dynamic pages are:

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

In squid 3.0, the directives above were removed, and it uses a
refresh_pattern instead:

refresh_pattern (cgi-bin|\?) 0 0% 0


What's the difference in effect between those two config?
Thanks.

-- 
Regards,
Jeff. - [EMAIL PROTECTED]


Re: [squid-users] difference at dynamic pages cache

2008-06-30 Thread Amos Jeffries
 Hello,

 In older squid (before 3.0), the config directives for dynamic pages are:

 acl QUERY urlpath_regex cgi-bin \?
 cache deny QUERY

 In squid 3.0, the directives above were removed, and it uses a
 refresh_pattern instead:

 refresh_pattern (cgi-bin|\?) 0 0% 0


 What's the difference in effect between those two config?

Old squid did not cache any dynamic pages at all by default.
RFC 2616 allows dynamic pages to be cached if they have expiry
information. Squid 3.0 config has been updated to do that.

The same config is also usually safe to use these days in squid back as
far as 2.6, but we decided not to make the policy change in squid-2 with
such a large number of people affected.

The net result is a few more percentage points on the hit ratio and a
slightly better standard-compliance rating.

Amos



Re: [squid-users] Youtube video caching with Squid3

2008-06-30 Thread Roy M.
On 6/30/08, Henrik Nordstrom [EMAIL PROTECTED] wrote:
 On Mon, 2008-06-30 at 12:05 +0200, Egi wrote:
   Hello
  
   Is it possible to cache youtube videos with Squid3?


 Not yet.


Is it the youtube problem or squid?

Thanks


Re: [squid-users] multi original servers

2008-06-30 Thread Jeff Peng
On Tue, Jun 10, 2008 at 12:33 AM, Ben Hollingsworth
[EMAIL PROTECTED]

 cache_peer INTERNALIP1 parent 80 0 no-query originserver login=PASS
 name=INTERNALNAME1-peer sourcehash
 cache_peer INTERNALIP2 parent 80 0 no-query originserver login=PASS
 name=INTERNALNAME2-peer sourcehash

where is sourcehash selection?
In squid-3.0's config file, I didn't see that keyword.


Re: [squid-users] multi original servers

2008-06-30 Thread Amos Jeffries

Jeff Peng wrote:

On Tue, Jun 10, 2008 at 12:33 AM, Ben Hollingsworth
[EMAIL PROTECTED]

cache_peer INTERNALIP1 parent 80 0 no-query originserver login=PASS
name=INTERNALNAME1-peer sourcehash
cache_peer INTERNALIP2 parent 80 0 no-query originserver login=PASS
name=INTERNALNAME2-peer sourcehash


where is sourcehash selection?
In squid-3.0's config file, I didn't see that keyword.


Apparently it was new in 2.6 and no one ported it over.


Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7


Re: [squid-users] difference at dynamic pages cache

2008-06-30 Thread Jeff Peng
Thanks Amos.

refresh_pattern (cgi-bin|\?) 0 0% 0

does this mean for each request of dynamic page, squid will validate
it to original server?


On Tue, Jul 1, 2008 at 11:33 AM, Amos Jeffries [EMAIL PROTECTED] wrote:


 Old squid did not cache any dynamic pages at all by default.
 RFC 2616 allows dynamic pages to be cached if they have expiry
 information. Squid 3.0 config has been updated to do that.

 The same config is also usually safe to use these days in squid back as
 far as 2.6, but we decided not to make the policy change in squid-2 with
 such a large number of people affected.

 The net result is a few more percentage points on the hit ratio and a
 slightly better standard-compliance rating.


Re: [squid-users] difference at dynamic pages cache

2008-06-30 Thread Amos Jeffries

Jeff Peng wrote:

Thanks Amos.

refresh_pattern (cgi-bin|\?) 0 0% 0

does this mean for each request of dynamic page, squid will validate
it to original server?


If it contains no Expires: or Cache-Control: headers it will always 
re-validate. If they are present they will be obeyed.


Amos




On Tue, Jul 1, 2008 at 11:33 AM, Amos Jeffries [EMAIL PROTECTED] wrote:


Old squid did not cache any dynamic pages at all by default.
RFC 2616 allows dynamic pages to be cached if they have expiry
information. Squid 3.0 config has been updated to do that.

The same config is also usually safe to use these days in squid back as
far as 2.6, but we decided not to make the policy change in squid-2 with
such a large number of people affected.

The net result is a few more percentage points on the hit ratio and a
slightly better standard-compliance rating.



--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
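
What the two configurations compared in this thread do with one stored response, as an added Python model (not Squid code and not from the posters). It covers only URLs matching the regex on the page; the policy names `deny-query` and `refresh-zero`, the lowercase header dict and the sample URLs are assumptions of the example, and the `no-store`/`private`/`no-cache` handling follows the RFC 2616 rules for shared caches.

```python
import re
from email.utils import parsedate_to_datetime

DYNAMIC = re.compile(r"cgi-bin|\?")  # the regex used by both configs on the page


def cache_control(headers):
    """Parse a Cache-Control header into {directive: argument}."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"')
    return out


def explicit_lifetime(headers):
    """Seconds of freshness from s-maxage, max-age or Expires; None if absent."""
    cc = cache_control(headers)
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive, "").isdigit():
            return int(cc[directive])
    if "expires" in headers and "date" in headers:
        try:
            delta = (parsedate_to_datetime(headers["expires"])
                     - parsedate_to_datetime(headers["date"]))
        except (TypeError, ValueError):
            return 0  # an unparsable Expires counts as already expired
        return max(0, int(delta.total_seconds()))
    return None


def decide(url, headers, age, policy):
    r"""What a shared cache does with a stored response that is `age` seconds old.

    policy "deny-query":   acl QUERY urlpath_regex cgi-bin \?  +  cache deny QUERY
    policy "refresh-zero": refresh_pattern (cgi-bin|\?) 0 0% 0
    """
    if not DYNAMIC.search(url):
        return "outside this model"
    if policy == "deny-query":
        return "not cached"
    cc = cache_control(headers)
    if "no-store" in cc or "private" in cc:
        return "not cached"
    lifetime = explicit_lifetime(headers)
    if lifetime is None:
        lifetime = 0  # min=0, percent=0%, max=0: no heuristic freshness
    if "no-cache" in cc or age >= lifetime:
        return "revalidate"
    return "cache hit"


if __name__ == "__main__":
    url = "/cgi-bin/report?id=7"  # constructed sample URL
    samples = [{}, {"cache-control": "max-age=60"},
               {"cache-control": "private, max-age=60"}]
    for policy in ("deny-query", "refresh-zero"):
        for headers in samples:
            print(policy, headers, "->", decide(url, headers, 30, policy))
```

Under the newer default, a dynamic page that sends a freshness lifetime but omits `private` can be answered from the shared cache, so per-user responses need explicit headers rather than relying on the `?` in the URL.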