[squid-users] Squid & Win XP & transparent mode
Hello.

Could anyone tell me where I can download the latest binary version of squid compiled with options to work in transparent mode? I don't like configuring IE7 on all my clients. :-)

Thanks.
Re: [squid-users] Squid & Win XP & transparent mode
Configuring all your clients is not that bad, there are mechanisms to do it almost painlessly: among the available options there's DHCP, WPAD, and if you have a domain you can also use group policies and logon scripts.

Regarding your question, what OS would you need the binary for? MS Windows?

On 11/12/08, Jose <[EMAIL PROTECTED]> wrote:
> Hello.
> Any one could tell me where i can download latest binary version of squid
> compiled with options to works in transparent mode ? I don't like configure
> IE7 in all my clients. :-)
>
> Thanks.

--
/kinkie
Re: [squid-users] Someone's using my cache?
> >> http_access allow accel_hosts
> >> http_access allow manager localhost
> >> http_access deny manager
> >> http_access allow all
> >>
> > The line above permits anyone who can send a packet to your proxy to use
> > it as a relay for any purpose they like.
> > The restrictions above it are not denying anything except cache_mgr://
> > protocol. So there is no protection inside Squid.
> > The default config is safe if you set localnet to your internal IPs only:

On 11.11.08 19:57, [EMAIL PROTECTED] wrote:
> I actually need to allow public connections since we don't know which
> machines are actually connecting for the testing.

In such a case you should restrict destinations only to your servers.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: [squid-users] Squid & Win XP & transparent mode
Binaries are for Windows XP Professional. We don't use DHCP or a domain. All my network is in a workgroup without servers. Usually we use Wingate as a proxy in a similar environment, working in transparent mode (NAT), and it works fine, but now we want to test this proxy.

Thanks.

- Original Message -
From: "Kinkie" <[EMAIL PROTECTED]>
To: "Jose" <[EMAIL PROTECTED]>;
Sent: Wednesday, November 12, 2008 9:37 AM
Subject: Re: [squid-users] Squid & Win XP & transparent mode

> Configuring all your clients is not that bad, there are mechanisms to
> do it almost painlessly: Among the availble options there's DHCP, wpad
> and if you have a domain you can also use group policies and logon
> scrips.
> Teharding your question, what OS would you need the binary for? MS Windows?
>
> On 11/12/08, Jose <[EMAIL PROTECTED]> wrote:
>> Hello.
>> Any one could tell me where i can download latest binary version of squid
>> compiled with options to works in transparent mode ? I don't like configure
>> IE7 in all my clients. :-)
>>
>> Thanks.
>
> --
> /kinkie
[squid-users] NTLM auth popup boxes && Solaris 8 tuning for upgrade into 2.7.4
hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12 and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next monday, but before doing this I would like to ask for your advice and/or experiences with tuning this kind of box.

The service is running well today except we regularly get authentication popup boxes. This is really exasperating our users. I already spent a lot of time on the net in the hope of finding a clear explanation about it but I am still searching.

I already configured starting 128 ntlm_auth processes on each of my servers. This gives better results but the problem still remains.

I also made some patching in my new package I will deploy next week by overwriting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h2008-08-25 23:09:21.0 +0200 +++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000 +0200 
@@ -222,7 +222,7 @@ #define WINBIND_SERVER_MUTEX_WAIT_TIME (( ((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2) /* Max number of simultaneous winbindd socket connections. */ -#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200 +#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024 /* Buffer size to use when printing backtraces */ #define BACKTRACE_STACK_SIZE 64

I currently do not use 'auth_param ntlm keep_alive on' because I do not know if it will not cause some side effects for web browser used in our company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=6
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=6
ip_ire_arp_interval=6
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add="6112"
udp_extra_priv_ports_add=""
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

After some investigations on my servers, I notice we often get lots of connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of connections in status ESTABLISHED.

If I have a look on squid statistics these are some files giving an idea on the load handled by our machines ..
SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s5 20655529 15015444 5433530 74% /var/cache0
/dev/dsk/c0t1d0s5 20655529 14971972 5477002 74% /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or) FIN_WAIT_2 connections

So these servers are relatively heavily loaded, and this is the reason why I think I still can tune some tcp/udp values in order to optimize and reduce the cpu usage on my servers.

I already found some ideas on the net like these values below but this is not guaranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 6
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

Many thanks for helping me, because we are really in trouble and I am sure we can solve these little problems by setting/tuning some parameters.

vincent.
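Review bot: The new value 1024 for WINBINDD_MAX_SIMULTANEOUS_CLIENTS in source/include/local.h comes with no rationale and no matching resource check. Each client counted by this define is an open socket in winbindd, so the higher limit only helps if winbindd's own file-descriptor limit is above it; the tuning list in the same message shows rlim_fd_max=8192, which is the hard limit, and no soft limit (rlim_fd_cur), so please confirm what winbindd actually runs with. The message also says 128 ntlm_auth helpers are started per server, which is already below the old value of 200, so measure the number of concurrent winbindd connections during a popup episode before carrying a local patch to a compile-time constant.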
[squid-users] IMAP support
Hello, how can I access IMAP (Gmail IMAP for example) servers through squid? I just added IMAP ports in squid.conf as Safe_port and SSL_port, but it does not work.

Thanks
Re: [squid-users] IMAP support
julian julian wrote:
> Hello, how can I access to IMAP (gmail IMAP for example)servers trough squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but it does not work.

IMAP protocol is not HTTP protocol. Squid cannot handle IMAP requests.

The only way to do this is configure all the mail clients to use a HTTP proxy and wrap the requests into HTTP first.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
Re: [squid-users] IMAP support
On 12.11.08 05:57, julian julian wrote:
> Hello, how can I access to IMAP (gmail IMAP for example)servers trough
> squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but
> it does not work.

why would you want to access IMAP through squid ?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: [squid-users] IMAP support
Ok, I'm using Thunderbird and set the proxy manually, but when I try to connect I get an error. Should I make some special config in squid?

--- On Wed, 11/12/08, Amos Jeffries <[EMAIL PROTECTED]> wrote:

> From: Amos Jeffries <[EMAIL PROTECTED]>
> Subject: Re: [squid-users] IMAP support
> To: [EMAIL PROTECTED]
> Cc: "squid"
> Date: Wednesday, November 12, 2008, 6:02 AM
>
> julian julian wrote:
> > Hello, how can I access to IMAP (gmail IMAP for example)servers trough squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but it does not work.
>
> IMAP protocol is not HTTP protocol. Squid cannot handle IMAP requests.
>
> They only way to do this is configure all the mail clients to use a HTTP proxy and wrap the requests into HTTP first.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2
Re: [squid-users] IMAP support
Because all my traffic to internet is managed by squid. Do you have any suggestion?

--- On Wed, 11/12/08, Matus UHLAR - fantomas <[EMAIL PROTECTED]> wrote:

> From: Matus UHLAR - fantomas <[EMAIL PROTECTED]>
> Subject: Re: [squid-users] IMAP support
> To: squid-users@squid-cache.org
> Date: Wednesday, November 12, 2008, 6:13 AM
>
> On 12.11.08 05:57, julian julian wrote:
> > Hello, how can I access to IMAP (gmail IMAP for example)servers trough
> > squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but
> > it does not work.
>
> why would you want to access IMAP through squid ?
>
> --
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
[squid-users] error 401 when going via squid ???
Hi

I have a client that when he tries to access agentdeal.marvel.com the web server (IIS) does give a login prompt as it should and instead returns a 401 error.

squid access logs

1226493177.205 2413 192.168.1.54 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226493178.700 1256 192.168.1.54 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226493181.792 1369 192.168.1.54 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226493257.082 4573 192.168.1.54 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226493679.353 1306 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226493680.560 1068 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226494460.532 3644 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/ - DIRECT/65.202.37.147 text/html
1226494460.975 347 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226494463.518 346 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226494463.960 341 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226494464.332 338 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226494521.459 350 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226494563.667 397 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226494784.619 1406 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226494803.850 869 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226494818.346 1700 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226496149.953 608 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226496150.337 335 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226496153.533 541 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/favicon.ico - DIRECT/65.202.37.147 text/html
1226496170.539 336 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226496174.885 332 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226496372.749 672 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html
1226496390.734 476 192.168.1.10 TCP_MISS/401 2199 GET http://agentdeal.marvel.com/clm - DIRECT/65.202.37.147 text/html

I get the same problem with our proxy and some other people have this problem when, behind squid proxy's .

Many thanks
Greg
[squid-users] Gzip at Squid?
Hello, I am using Squid as reverse proxy in front of a web server (Apache). If my Apache cannot have gzip enabled, is it possible to gzip the page using Squid before sending to client? Thanks/
Re: [squid-users] Squid & Win XP & transparent mode
Jose wrote:
> Binarys are for Windows xp professional. We don't use dhcp, domain. All my network is in a workgroup without servers. Usually we use Wingate like proxy in a similar environment, working in transparent mode (NAT) and works fine, but now we want, testing this proxy.
>
> Thanks.

IIRC Guido knew of major problems with non-Server versions of Windows and was always recommending people not use them as Servers.

DNS WPAD should still work for you though. It requires only a DNS + small Web server.

Amos

> - Original Message -
> From: "Kinkie" <[EMAIL PROTECTED]>
> To: "Jose" <[EMAIL PROTECTED]>;
> Sent: Wednesday, November 12, 2008 9:37 AM
> Subject: Re: [squid-users] Squid & Win XP & transparent mode
>
>> Configuring all your clients is not that bad, there are mechanisms to
>> do it almost painlessly: Among the availble options there's DHCP, wpad
>> and if you have a domain you can also use group policies and logon
>> scrips.
>> Teharding your question, what OS would you need the binary for? MS Windows?
>>
>> On 11/12/08, Jose <[EMAIL PROTECTED]> wrote:
>>> Hello.
>>> Any one could tell me where i can download latest binary version of squid
>>> compiled with options to works in transparent mode ? I don't like configure
>>> IE7 in all my clients. :-)
>>>
>>> Thanks.
>>
>> --
>> /kinkie

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1
Re: [squid-users] IMAP support
julian julian wrote:
> Ok, I'm using thunderbird and set the proxy manually, but when I try to
> conect I get an error, should I make some special config in squid?

squid is not an imap proxy... if you need an imap alg you'll have to look elsewhere, what it sounds like you need is a nat box...

joelja

> --- On Wed, 11/12/08, Amos Jeffries <[EMAIL PROTECTED]> wrote:
>
>> From: Amos Jeffries <[EMAIL PROTECTED]>
>> Subject: Re: [squid-users] IMAP support
>> To: [EMAIL PROTECTED]
>> Cc: "squid"
>> Date: Wednesday, November 12, 2008, 6:02 AM
>>
>> julian julian wrote:
>>> Hello, how can I access to IMAP (gmail IMAP for example)servers trough squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but it does not work.
>>
>> IMAP protocol is not HTTP protocol. Squid cannot handle IMAP requests.
>>
>> They only way to do this is configure all the mail clients to use a HTTP proxy and wrap the requests into HTTP first.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>> Current Beta Squid 3.1.0.2
Re: [squid-users] IMAP support
Hi,

On Wed, Nov 12, julian julian wrote:
> Ok, I'm using thunderbird and set the proxy manually, but when I try
> to conect I get an error, should I make some special config in squid?

as Amos said, squid is an http proxy. You are looking for an imap proxy like: http://www.imapproxy.org/

--
Regards
Dieter

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
Re: [squid-users] Run squid2.5.6 and dansguardian got error message: (111) Connection refused
hi,

when I change log_ip_on_direct to off in squid.conf, the info change to :

1226524531.343 152 10.0.2.110 TCP_MISS/503 2322 GET http://wiki.squid-cache.org/wiki/squidtheme/img/moin-www.png - DIRECT/wiki.squid-cache.org text/html
1226524536.129 143 10.0.2.110 TCP_MISS/503 2392 GET http://www.5ilinux.com/blog/archives/77.html - DIRECT/www.5ilinux.com text/html
1226524537.361 143 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
1226524540.545 134 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
1226524541.745 144 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
"/usr/local/squid/var/logs/access.log" 84L, 9994C 36,1 15%
1226524673.913 144 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
1226524676.055 145 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
1226525378.813 143 10.0.2.110 TCP_MISS/503 2685 GET http://zh-cn.fxfeeds.mozilla.com/zh-CN/firefox/headlines.xml - DIRECT/zh-cn.fxfeeds.mozilla.com text/html
1226525556.977 143 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
1226525751.173 146 10.0.2.110 TCP_MISS/503 1929 GET http://www.google.com/ - DIRECT/www.google.com text/html
1226525768.345 154 10.0.2.110 TCP_MISS/503 1929 GET http://www.google.com/ - DIRECT/www.google.com text/html

2008/11/11 Amos Jeffries <[EMAIL PROTECTED]>:
> zhang yikai wrote:
>> hi Amos, I use wget and in the /etc/wgetrc file:
>>
>> http_proxy = http://10.0.2.110:9090
>>
>> and I can connect to google from this computer:
>>
>> [EMAIL PROTECTED] ~]# ping www.google.com
>> PING www.google.com (64.233.189.147): 56 data bytes
>> 64 bytes from 64.233.189.147: icmp_seq=0 ttl=237 time=40 ms
>>
>
> Yes. ... and squid on that working machine logs:
> ... google.com ... DIRECT/64.233.189.147
>
> squid on failed machine logs:
>
> ... google.com ... DIRECT/10.0.2.110
>
> can you see the problem?
>
> Amos
>
>>
>> - Original Message -
>> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
>> To: "zhang yikai" <[EMAIL PROTECTED]>
>> Cc: "Amos Jeffries" <[EMAIL PROTECTED]>; "Kinkie" <[EMAIL PROTECTED]>;
>> Sent: Tuesday, November 11, 2008 3:32 PM
>> Subject: Re: [squid-users] Run squid2.5.6 and dansguardian got error message: (111) Connection refused
>>
>>> Understood. We got squid + dansguardian working together.
>>>
>>> Different problem: why does google.com resolve to 10.0.2.110?
>>>
>>> every other working machine resolves google.com to IPs elsewhere on the net.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>>> Current Beta Squid 3.1.0.1
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.1
>
Re: [squid-users] Run squid2.5.6 and dansguardian got error message: (111) Connection refused
zhang yikai wrote:
> hi,
>
> when I change log_ip_on_direct to off in squid.conf, the info change to :

Sigh. You have said your machine was broken with net access. We looked and found that it was finding the wrong DNS IPs. If you want it working, that is what you have to fix.

Amos

> 1226524531.343 152 10.0.2.110 TCP_MISS/503 2322 GET http://wiki.squid-cache.org/wiki/squidtheme/img/moin-www.png - DIRECT/wiki.squid-cache.org text/html
> 1226524536.129 143 10.0.2.110 TCP_MISS/503 2392 GET http://www.5ilinux.com/blog/archives/77.html - DIRECT/www.5ilinux.com text/html
> 1226524537.361 143 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
> 1226524540.545 134 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
> 1226524541.745 144 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/www.google.com text/html
> "/usr/local/squid/var/logs/access.log" 84L, 9994C 36,1 15%
> 1226524673.913 144 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
> 1226524676.055 145 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
> 1226525378.813 143 10.0.2.110 TCP_MISS/503 2685 GET http://zh-cn.fxfeeds.mozilla.com/zh-CN/firefox/headlines.xml - DIRECT/zh-cn.fxfeeds.mozilla.com text/html
> 1226525556.977 143 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
> 1226525751.173 146 10.0.2.110 TCP_MISS/503 1929 GET http://www.google.com/ - DIRECT/www.google.com text/html
> 1226525768.345 154 10.0.2.110 TCP_MISS/503 1929 GET http://www.google.com/ - DIRECT/www.google.com text/html
>
> 2008/11/11 Amos Jeffries <[EMAIL PROTECTED]>:
>> zhang yikai wrote:
>>> hi Amos, I use wget and in the /etc/wgetrc file:
>>>
>>> http_proxy = http://10.0.2.110:9090
>>>
>>> and I can connect to google from this computer:
>>>
>>> [EMAIL PROTECTED] ~]# ping www.google.com
>>> PING www.google.com (64.233.189.147): 56 data bytes
>>> 64 bytes from 64.233.189.147: icmp_seq=0 ttl=237 time=40 ms
>>
>> Yes. ... and squid on that working machine logs:
>> ... google.com ... DIRECT/64.233.189.147
>>
>> squid on failed machine logs:
>>
>> ... google.com ... DIRECT/10.0.2.110
>>
>> can you see the problem?
>>
>> Amos
>>
>>> - Original Message -
>>> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
>>> To: "zhang yikai" <[EMAIL PROTECTED]>
>>> Cc: "Amos Jeffries" <[EMAIL PROTECTED]>; "Kinkie" <[EMAIL PROTECTED]>;
>>> Sent: Tuesday, November 11, 2008 3:32 PM
>>> Subject: Re: [squid-users] Run squid2.5.6 and dansguardian got error message: (111) Connection refused
>>>
>>>> Understood. We got squid + dansguardian working together.
>>>>
>>>> Different problem: why does google.com resolve to 10.0.2.110?
>>>>
>>>> every other working machine resolves google.com to IPs elsewhere on the net.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>>>> Current Beta Squid 3.1.0.1
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>> Current Beta Squid 3.1.0.1

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
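An added example, not part of the thread and not Squid code: a Python check for the symptom Amos points out above, where access.log records DIRECT/<the proxy's own address> for public host names because the proxy's resolver returns the wrong IPs. The log lines are constructed in Squid's native format (only the addresses 10.0.2.110, 64.233.189.147 and 203.208.39.99 come from the thread), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, native access.log format with log_ip_on_direct on
# (the peer after DIRECT/ is the IP Squid actually connected to).
SAMPLE_LOG = """\
1226400000.101    152 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/10.0.2.110 text/html
1226400001.250    143 10.0.2.110 TCP_MISS/503 2322 GET http://wiki.squid-cache.org/ - DIRECT/10.0.2.110 text/html
1226400001.900    144 10.0.2.110 TCP_MISS/503 2680 GET http://www.google.com/ - DIRECT/10.0.2.110 text/html
1226400002.008     40 10.0.2.55 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/64.233.189.147 text/html
1226400003.417    143 10.0.2.110 TCP_MISS/503 2268 GET http://203.208.39.99/ - DIRECT/203.208.39.99 text/html
1226400004.000     12 10.0.2.55 TCP_MISS/200 900 GET http://intranet.example/ - DIRECT/10.0.2.20 text/html
1226400005.000      3 10.0.2.55 TCP_HIT/200 900 GET http://intranet.example/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format access.log line into the fields used below."""
    f = line.split()
    if len(f) < 10 or "/" not in f[8]:
        return None
    url = f[6]
    # CONNECT requests log "host:port" instead of a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    hier, _, peer = f[8].partition("/")
    return {"client": f[2], "host": host, "hier": hier, "peer": peer}


def as_ip(text):
    """Return an ip_address object, or None when text is not an IP literal."""
    if not text:
        return None
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def find_misresolved(log_text, proxy_addrs):
    """Report host names that Squid fetched DIRECT from a suspicious address.

    Returns sorted (host, peer, reason, hits) tuples. Requests whose URL
    already names an IP literal are skipped: no DNS lookup was involved.
    """
    proxy_ips = {ipaddress.ip_address(a) for a in proxy_addrs}
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["hier"].endswith("DIRECT"):
            continue
        peer = as_ip(entry["peer"])
        if peer is None or entry["host"] is None or as_ip(entry["host"]):
            continue  # hostname peer (log_ip_on_direct off) or literal-IP URL
        if peer in proxy_ips:
            reason = "resolves to the proxy itself"
        elif peer.is_private or peer.is_loopback:
            reason = "resolves to a private address"
        else:
            continue
        hits[(entry["host"], str(peer), reason)] += 1
    return sorted(key + (count,) for key, count in hits.items())


if __name__ == "__main__":
    for finding in find_misresolved(SAMPLE_LOG, ["10.0.2.110"]):
        print(finding)
```

The check needs log_ip_on_direct left on; with it off, as in the message above, the peer column holds host names and the wrong address is no longer visible. A private-address finding is only a hint, since internal sites legitimately resolve that way.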
Re: [squid-users] IMAP support
Not wishing to sound patronising, but my suggestion would be to not use Squid to manage all your traffic to the internet.

Squid is an http caching proxy that can also handle https and ftp (kind of); there is a hell of a lot of internet traffic that is not http.

You need a firewall to control access and a squid box to cache and control web access.

2008/11/12 julian julian <[EMAIL PROTECTED]>:
> Because all my traffic to internet is managed by squid. Do you have any
> suggestion?
>
> --- On Wed, 11/12/08, Matus UHLAR - fantomas <[EMAIL PROTECTED]> wrote:
>
>> From: Matus UHLAR - fantomas <[EMAIL PROTECTED]>
>> Subject: Re: [squid-users] IMAP support
>> To: squid-users@squid-cache.org
>> Date: Wednesday, November 12, 2008, 6:13 AM
>>
>> On 12.11.08 05:57, julian julian wrote:
>> > Hello, how can I access to IMAP (gmail IMAP for example)servers trough
>> > squid, I just add imap ports in squid.conf as Safe_port and SSL_port, but
>> > it does not work.
>>
>> why would you want to access IMAP through squid ?
>>
>> --
>> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: [squid-users] IMAP support
squid is a http/ftp/gopher proxy. It does not support mail protocols used by Thunderbird, which are the standards SMTP, POP3 and IMAP4.

squid has nothing to do with thunderbird. There's no need for special configs because it simply won't work through squid.

julian julian wrote:
> Ok, I'm using thunderbird and set the proxy manually, but when I try to conect I get an error, should I make some special config in squid?

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
Re: [squid-users] IMAP support
julian julian wrote:
> Because all my traffic to internet is managed by squid. Do you have any suggestion?

As already said, squid is not an "internet proxy" (there is no such thing) but an HTTP proxy, meaning that it only understands HTTP (and a bit of HTTPS). Your client talks IMAP with the server which squid does not understand. There are IMAP proxies out there but not on this list.

This is not a configuration problem but rather like you want to get a translator speaking only Spanish to translate from English to German - that won't work either.

Regards,
Jakob Curdes
Re: [squid-users] IMAP support
julian julian wrote:
> Because all my traffic to internet is managed by squid. Do you have any suggestion?

no, it's not. Only http/https/ftp/gopher can be handled by squid.

and it won't help to keep sending messages asking about IMAP support ... squid can't do that. period.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
[squid-users] Authenticate again Active Directory
Hi All

I've been trying to get squid to authenticate against Active Directory as well as deny access to users in a security group. I have not been able to get this to work reliably. This is what I have done so far.

In squid.conf, I have these entries

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=atlas,dc=local" -v 2 -D "cn=adquery,ou=OU_name,dc=my,dc=domain" -w "password" -f sAMAccountName=%s -h 192.168.2.90
auth_param basic children 5
auth_param basic realm Atlas Protection
auth_param basic credentialsttl 5 minutes

external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=my,dc=domain" -v 2 -D "cn=adquery,ou=OU_name,dc=my,dc=domain" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,dc=my,dc=domain))" -h 192.168.2.90

acl domain_name proxy_auth REQUIRED src 192.168.2.0/24
http_access allow domain_name
http_access allow localhost
acl InetAccess external InetGroup nointernet
http_access deny InetAccess

I created a security group in AD and put several users in. When these users try to log on, they get the popup box to log on, but even when they are in the nointernet group, they can still get on. I am at a loss. Can anyone please point out what I am doing wrong or help me with troubleshooting this?

Thanks.
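An added example, not part of the thread and not Squid code: a simplified Python model of how Squid walks http_access lines (the first matching line decides), applied to the rule order posted above and to the `http_access allow all` list quoted earlier in the "Someone's using my cache?" thread. The ACL definitions are stand-in predicates, `accel_hosts` is assumed to match one accelerated site (www.example.test, hypothetical), the reordered rule lists are suggestions made here, and every request is assumed to arrive with credentials already validated.

```python
# Stand-in ACL definitions: each maps an ACL name to a predicate on a request.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "manager": lambda r: r["url"].startswith("cache_object://"),
    # Assumption: accel_hosts is not defined on the page; modelled as a
    # destination match on one accelerated site.
    "accel_hosts": lambda r: r["dst"] == "www.example.test",
    "domain_name": lambda r: r["user"] is not None,        # proxy_auth REQUIRED
    "InetAccess": lambda r: "nointernet" in r["groups"],   # external group ACL
}

OPEN_RELAY = """
http_access allow accel_hosts
http_access allow manager localhost
http_access deny manager
http_access allow all
"""

# Destinations restricted to the accelerated servers, everything else refused.
RELAY_FIXED = OPEN_RELAY.replace("http_access allow all", "http_access deny all")

AD_ORIGINAL = """
http_access allow domain_name
http_access allow localhost
http_access deny InetAccess
"""

# Same rules with the group denial moved ahead of the general allow.
AD_REORDERED = """
http_access deny InetAccess
http_access allow domain_name
http_access allow localhost
http_access deny all
"""


def parse_rules(conf):
    """Return [(action, [acl names])] for every http_access line in conf."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules


def decide(conf, request):
    """Return (action, line number) the way Squid's first-match walk would.

    All ACLs on one line are ANDed; "!name" negates. With no lines at all
    the answer is deny; if no line matches, it is the opposite of the last
    line's action.
    """
    rules = parse_rules(conf)
    if not rules:
        return ("deny", None)
    for number, (action, names) in enumerate(rules, 1):
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return (action, number)
    return ("deny" if rules[-1][0] == "allow" else "allow", None)


# Constructed requests.
stranger = {"src": "198.51.100.7", "dst": "third-party.example",
            "url": "http://third-party.example/", "user": None, "groups": set()}
blocked = {"src": "192.168.2.31", "dst": "third-party.example",
           "url": "http://third-party.example/", "user": "alice",
           "groups": {"nointernet"}}
staff = dict(blocked, user="bob", groups=set())

if __name__ == "__main__":
    print("open relay, stranger:", decide(OPEN_RELAY, stranger))
    print("fixed relay, stranger:", decide(RELAY_FIXED, stranger))
    print("AD original, nointernet member:", decide(AD_ORIGINAL, blocked))
    print("AD reordered, nointernet member:", decide(AD_REORDERED, blocked))
    print("AD reordered, other user:", decide(AD_REORDERED, staff))
```

In the posted order the authenticated member of nointernet is allowed by line 1, so the deny on line 3 is never evaluated for that user.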
Re: [squid-users] IMAP support
Words by Leonardo Rodrigues Magalhães [Wed, Nov 12, 2008 at 02:19:05PM -0200]:
>
> squid is a http/ftp/gopher proxy. It does not support mail protocols
> used by Thunderbird, which are the standards SMTP, POP3 and IMAP4.
>

Not completely right, Thunderbird may also need to do some http to render html e-mails with external references.

> squid has nothing to do with thunderbird. There's no need for special
> configs because it simply wont work through squid.
>
> julian julian escreveu:
>> Ok, I'm using thunderbird and set the proxy manually, but when I try to
>> conect I get an error, should I make some special config in squid?
>>
>

--
Jose Celestino | http://japc.uncovering.org/files/japc-pgpkey.asc
"One man’s theology is another man’s belly laugh." -- Robert A. Heinlein
Re: [squid-users] error 401 when going via squid ???
On Wed, Nov 12, 2008 at 3:32 PM, Gregory Machin <[EMAIL PROTECTED]> wrote:
> Hi

Hello Greg,

> I have a client that when he tries to access agentdeal.marvel.com the
> web server (IIS) does give a login prompt as it should and instead
> returns a 401 error.
[...]
> I get the same problem with our proxy and some other people have this
> problem when, behind squid proxy's .

What version of Squid, and is IIS trying to offer "Integrated Microsoft Windows Authentication" (a.k.a. NTLM)?

--
/kinkie
Re: [squid-users] Authenticate again Active Directory
Mine is this

auth_param basic program /usr/lib64/squid/squid_ldap_auth -b DC=XXX,DC=XXX -D [EMAIL PROTECTED] -w Elmasmejor3567 -f sAMAccountName=%s -h XXX.XXX.XXX.XXX. 1 -s sub -p 389 -v 3 -P -O -R
auth_param basic children 25
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

On Wednesday 12 November 2008 10:40:39 Peter Fraser wrote:
> Hi All
> I've been trying to get squid to authenticate against Active Directory
> as well as deny access to users in a security group. I have not been
> able to get this to work reliably. This is what I have done so far.
>
> In squid.conf, I have these entries
>
> auth_param basic program /usr/local/libexec/squid/
> squid_ldap_auth -R -b "dc=atlas,dc=local" -v 2 -D
> "cn=adquery,ou=OU_name,dc=my,dc=domain" -w "password" -f
> sAMAccountName=%s -h 192.168.2.90
> auth_param basic children 5
> auth_param basic realm Atlas Protection
> auth_param basic credentialsttl 5 minutes
>
> external_acl_type InetGroup %LOGIN
> /usr/local/libexec/squid/squid_ldap_group -R -b "dc=my,dc=domain" -v 2
> -D "cn=adquery,ou=OU_name,dc=my,dc=domain" -w "password" -f
> "(&(objectclass=person)(sAMAccountName=%v)
> (memberof=cn=%a,dc=my,dc=domain))" -h 192.168.2.90
>
> acl domain_name proxy_auth REQUIRED src 192.168.2.0/24
> http_access allow domain_name
> http_access allow localhost
> acl InetAccess external InetGroup nointernet
> http_access deny InetAccess
>
> I created a security group in AD and put several users in. When these
> users try to log on, they get the popup bix to log on but even when
> they are in the nointernet group, they can still get on. I am at a
> loss. Can anyone please point out what I am doing wrong or help me
> with troubleshooting this?
>
> Thanks.
Re: [squid-users] Squid stops suddenly
I've read stable10 changelog, do you think upgrading to 10 will fix this?

> Luis Daniel Lucio Quiroz wrote:
> > Using squid 3 stable 9, with digest ldap auth, randomly i got this:
> >
> > assertion failed: ACLProxyAuth.cc:146:
> > "authenticateValidateUser(auth_user_request)"
> >
> > later, squid dies
> >
> > Any comment?
>
> Looks similar to one of the open bugs, but not the same one.
>
> Can you report as a new bug with full stack trace of the assertion and a
> detailed cache.log trace leading up to it please?
>
> Amos
On Tuesday 11 November 2008 23:36:11 Amos Jeffries wrote:
Re: [squid-users] About squid ICAP implementation
Hi, Henrik

Thank you for your reply.

>> - Question.1
>> If there is no "icap_access" setting,
>> The default icap access control is "allow" or "deny" ?
>> It looks "allow"...
>
> Should be deny.. icap_access selects which icap class to forward the
> request via, and without any icap_access directive there is no selected
> icap class..

hmmm, however it looks "allow"

In ACLChecklist.cc#check()

> 128 /* deny if no rules present */
> 129 currentAnswer(ACCESS_DENIED);
> ..
> 188
> 189 checkCallback(currentAnswer() != ACCESS_DENIED ? ACCESS_DENIED : ACCESS_ALLOWED);

I think it may be ACCESS_ALLOWED if currentAnswer is ACCESS_DENIED, right ?

>> - Question.2
>> Could we set "more than two" REQMOD icap servers (per request) ?
>
> Only one is supported at this stage.

I see. By the way, do you have any plan to support multi REQMOD icap servers (per request) ?

>> - Question.3
>> squid "always" sends "Allow: 204" header to icap server, right ?
>
> Yes, unless forcibly disabled by setting icap_preview_enable off.

But, it looks more complex condition (checking virginBody)

In ICAP/ICAPModXact.cc

> 1266 // decides whether to allow 204 responses
> 1267 bool ICAPModXact::shouldAllow204()
> 1268 {
> 1269     if (!service().allows204())
> 1270         return false;
> 1271
> 1272     return canBackupEverything();
> 1273 }
> 1274
> 1275 // used by shouldAllow204 and decideOnRetries
> 1276 bool ICAPModXact::canBackupEverything() const
> 1277 {
> 1278     if (!virginBody.expected())
> 1279         return true; // no body means no problems with backup
> 1280
> 1281     // if there is a body, check whether we can backup it all
> 1282
> 1283     if (!virginBody.knownSize())
> 1284         return false;
> 1285
> 1286     // or should we have a different backup limit?
> 1287     // note that '<' allows for 0-termination of the "full" backup buffer
> 1288     return virginBody.size() < TheBackupLimit;
> 1289 }

--
Sincerely,
Mikio Kishi
Re: [squid-users] Someone's using my cache?
> Ah. Gottcha. You are wanting a reverse proxy.

Darn, sorry, I should have thought about that distinction, like I said, this is yet another project on my plate so don't have it all down yet :).

> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> contains a usable config for accelerating a hidden web server securely.

Yes, I did come across this but I wasn't sure if this was what I'm looking for.
In the case of using the proxy, there is a virtual host server on the lan which handles a dozen or so sites which I wanted to use a reverse proxy to speed up connections to.

On the public side, each domain has its www IP pointing to that virtual hosting server. The web server is responding based on names so should squid be pointing to the server or does it have to know about each site name as well?

The examples in the URL seem to show a number of combinations and since I've not had the chance to actually sit down and start learning this, I ended up using what I posted, the hole.

Mike
Re: [squid-users] About squid ICAP implementation
On tor, 2008-11-13 at 05:31 +0900, Mikio Kishi wrote:
> In ACLChecklist.cc#check()
>
> > 128 /* deny if no rules present */
> > 129 currentAnswer(ACCESS_DENIED);
> > ..
> > 188
> > 189 checkCallback(currentAnswer() != ACCESS_DENIED ? ACCESS_DENIED :
> > ACCESS_ALLOWED);
>
> I think it may be ACCESS_ALLOWED if currentAnswer is ACCESS_DENIED, right ?

Hmm.. that indeed looks wrong..

It should be initialized to ACCESS_ALLOWED.

And affects every access list without a default.. not just icap_access.

Please file a bug report on this.

> I see. By the way, do you have any plan to support multi REQMOD icap
> servers (per request) ?

That question is best asked on the squid-dev list. I am not currently involved in the ICAP implementation.

> >> - Question.3
> >> squid "always" sends "Allow: 204" header to icap server, right ?
> >
> > Yes, unless forcibly disabled by setting icap_preview_enable off.
>
> But, it looks more complex condition (checking virginBody)

Right. Confused things a little, mixing up Allow: 204 with the preview. Been a while since I worked with ICAP.

Allow: 204 is sent if it's known the whole message can be buffered within the buffer limits (SQUID_TCP_SO_RCVBUF). It's not related to previews.

Regards
Henrik
Re: [squid-users] Strange RST packet
On tis, 2008-11-11 at 16:53 -0600, Luis Daniel Lucio Quiroz wrote:
> I have a pcap file captured and, traffic is exchanged and then suddenly a RST
> from squid to client.

No FIN before?

Regards
Henrik
Re: [squid-users] Squid stops suddenly
On tis, 2008-11-11 at 18:56 -0600, Luis Daniel Lucio Quiroz wrote:
> Using squid 3 stable 9, with digest ldap auth, randomly i got this:
>
> assertion failed: ACLProxyAuth.cc:146:
> "authenticateValidateUser(auth_user_request)"
>
> later, squid dies
>
> Any comment?

File a bug. Don't forget to include a stack backtrace if possible (see FAQ on how to report bugs)

Regards
Henrik
Re: [squid-users] Squid & Win XP & transparent mode
On ons, 2008-11-12 at 10:06 +0100, Jose wrote:
> Binaries are for Windows xp professional. We don't use dhcp, domain. All my
> network is in a workgroup without servers.

Transparent interception is not yet officially supported on Windows as far as I know. But may still work reasonably well if you can convince a local firewall on the Squid server to NAT incoming packets to port 80 (any destination) to itself.

Squid does not automate NAT rules for you. Not on any platform.

Regards
Henrik
Re: [squid-users] IMAP support
On ons, 2008-11-12 at 17:34 +, Jose Celestino wrote:
> Not completely right, Thunderbird may also need to do some http to
> render html e-mails with external references.

Yuck.. will definitely stay away from Thunderbird then.

Regards
Henrik
Re: [squid-users] Gzip at Squid?
On ons, 2008-11-12 at 22:33 +0800, howard chen wrote:
> If my Apache cannot have gzip enabled, is it possible to gzip the page
> using Squid before sending to client?

No. squid requires the web server to do the compression, and also requires the web server to do it correctly (which most versions of Apache don't unless you spend some time on tuning the config..)

Regards
Henrik
RE: [squid-users] parseHTTPRequest problem with SQUID3
So, do I need to file a bug report, so that this can get addressed? Or are the devs already aware?

-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 5:56 PM
To: Gregori Parker
Cc: Amos Jeffries; squid-users@squid-cache.org
Subject: RE: [squid-users] parseHTTPRequest problem with SQUID3

Increases in compatibility are in the release notes and ChangeLog
The regression in 0.9 support you hit is a bug.

> Is there any possibility of restoring 0.9 support in Squid3? I can
> always have my load-balancer format the requests to contain the
> HTTP/1.0\n, but that seems like a real hidden gotcha for anyone
> migrating from 2.6 to 3.0 - which is fine, as long as it's called out in
> the release notes.

Yes, it is a bug in both squid and the balancer. Squid is supposed to be able to handle obsolete 0.9 anyway. We have to track it down and fix. But it's not to say that the load balancer itself isn't 'broke' for sending 0.9 traffic.

Amos
Re: [squid-users] Someone's using my cache?
Any chance someone could give me a working config to get me started?

-The server has 2GB of memory and 1TB of space which it can use. There is nothing else running on it, this is all it will do, be a reverse proxy.

-1 public IP to a named based web server hosting a dozen sites.

-Squid used as a proxy server for http/https at 192.168.1.35.

-The web server/s are identical, at 192.168.1.40 and 192.168.1.92 on the lan, same segment as the squid is.
I can either load balance between the two but since 192.168.1.92 is really just a backup and much slower, it would be best to use this one as a fail over.

Not sure what other info is required?

Mike
Re: [squid-users] Strange RST packet
No, no FIN, but RST

> On tis, 2008-11-11 at 16:53 -0600, Luis Daniel Lucio Quiroz wrote:
> > I have a pcap file captured and, traffic is exchanged and then suddenly a
> > RST from squid to client.
>
> No FIN before?
>
> Regards
> Henrik
On Wednesday 12 November 2008 14:58:27 Henrik Nordstrom wrote:
Re: [squid-users] IMAP support
Henrik Nordstrom wrote:
> On ons, 2008-11-12 at 17:34 +, Jose Celestino wrote:
> > Not completely right, Thunderbird may also need to do some http to
> > render html e-mails with external references.
>
> Yuck.. will definitely stay away from Thunderbird then.
>
> Regards
> Henrik

Don't worry... It doesn't load anything until you ask it to...

TB
Re: [squid-users] Squid stops suddenly
After debugging at level 3 I realize this error happens when analyzing http_reply_access with user acl.

> Luis Daniel Lucio Quiroz wrote:
> > Using squid 3 stable 9, with digest ldap auth, randomly i got this:
> >
> > assertion failed: ACLProxyAuth.cc:146:
> > "authenticateValidateUser(auth_user_request)"
> >
> > later, squid dies
> >
> > Any comment?
>
> Looks similar to one of the open bugs, but not the same one.
>
> Can you report as a new bug with full stack trace of the assertion and a
> detailed cache.log trace leading up to it please?
>
> Amos
On Tuesday 11 November 2008 23:36:11 Amos Jeffries wrote:
Re: [squid-users] Gzip at Squid?
> Hello,
>
> I am using Squid as reverse proxy in front of a web server (Apache).
>
> If my Apache cannot have gzip enabled, is it possible to gzip the page
> using Squid before sending to client?
>

Not at present. Content encoding is on my worklist, but the bugs and prep for 3.1 releases are delaying things a lot.

If anyone else wants to write an eCAP module for 3.2 that does it cleanly encoding/decoding. Speak up and jump in please :)

Amos
RE: [squid-users] parseHTTPRequest problem with SQUID3
On ons, 2008-11-12 at 13:51 -0800, Gregori Parker wrote:
> So, do I need to file a bug report, so that this can get addressed? Or
> are the devs already aware?

The devs are aware (or at least both me and Amos), but please file a bug report anyway. Much easier for us to track the issue then.

Regards
Henrik
Re: [squid-users] Someone's using my cache?
On ons, 2008-11-12 at 16:18 -0600, [EMAIL PROTECTED] wrote:
> Any chance someone could give me a working config to get me started?
>
> -The server has 2GB of memory and 1TB of space which it can use. There is
> nothing else running on it, this is all it will do, be a reverse proxy.
>
> -1 public IP to a named based web server hosting a dozen sites.
>
> -Squid used as a proxy server for http/https at 192.168.1.35.
>
> -The web server/s are identical, at 192.168.1.40 and 192.168.1.92 on the lan,
> same segment as the squid is.
> I can either load balance between the two but since 192.168.1.92 is really
> just a backup and much slower, it would be best to use this one as a fail
> over.
>
> Not sure what other info is required?
>
> Mike

Basic setup:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341

Load balancing:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-81d06e5a0d3a3ed4bdf7a7cb9077370a7b02bfaf

for failover, simply don't specify a load balancing method. For clarity you can mark the preferred one with default but the order in squid.conf does pretty much the same..

Cache: see cache_dir, cache_mem and FAQ on memory usage.

cache_dir: http://www.squid-cache.org/Doc/config/cache_dir/
cache_mem: http://www.squid-cache.org/Doc/config/cache_mem/
How much memory do I need in my Squid server? http://wiki.squid-cache.org/SquidFaq/SquidMemory#head-09818ad4cb8a1dfea1f51688c41bdf4b79a69991

There isn't very much documentation on the https support unfortunately, but it's pretty much the same except for https_port (and corresponding certificates) and the ssl option to cache_peer if the backend is using https as well.

There are some https examples in the wiki
http://wiki.squid-cache.org/ConfigExamples/SslReverseProxyWithWildcardCertifiate
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess

Regards
Henrik
Re: [squid-users] Cannot get conent from msnbc that have # in U
On 12-Nov-08 My Secret NSA Wiretap Overheard Amos Jeffries Saying :
> Nicole wrote:
>> On 11-Nov-08 My Secret NSA Wiretap Overheard Nicole Saying :
>>>
>>> Hello all
>>>
>>> I have started to receive complaints from people trying to get videos from
>>> msnbc.com that use a # character in the URL.
>>>
>>> Such as:
>>>
>>> http://www.msnbc.msn.com/id/22425001/vp/27657223#27657223
>>> http://www.msnbc.msn.com/id/22425001/vp/27652443#27652443
>>>
>>>
>>> The access log shows that it is removing the pound sign and everything
>>> after.
>>>
>>> 7 TCP_MISS:DIRECT
>>> 9.2.2.7 - - [11/Nov/2008:09:59:30 -0800] "GET
>>> http://www.msnbc.msn.com/id/22425001/vp/27657223 HTTP/1.1" 200 477
>>> TCP_MISS:DIRECT
>>> 9.2.2.7 - - [11/Nov/2008:10:00:18 -0800] "GET
>>> http://www.msnbc.msn.com/id/22425001/vp/27652443 HTTP/1.1" 200 477
>>> TCP_MISS:DIRECT
>>>
>>>
>>> I cannot see in my config why it would be truncating out the pound
>>> character.
>>>
>>>
>>> Any assistance greatly appreciated.
>>>
>>>
>>
>> On additional i forgot to include:
>> This seems true for squid 2.6 and 2.7-stable5
>>
>>
>> cache.log:
>> 2008/11/11 16:33:28| Oversized chunk header on port 59375, url
>> http://www.msnbc.msn.com/id/3036677
>>
>>
>> This seems to be true on every browser I test. Enable proxy.. will not
>> load.
>> Disable proxy (on the browser) and the url loads.
>>
>
> Ah. Bingo.
> This is a combination of two problems:
> 1) the msnbc stream software is sending chunked-encoded response to
> Squid when it should not be.
> 2) and the hack in Squid-2 to cope with that bad behavior has a limit
> on the header size it can handle.
>
> You might have to use the Accept-Encoding hack on them:
>
> # Fix broken sites by removing Accept-Encoding header
> acl broken dstdomain ...
> header_access Accept-Encoding deny broken
>
> PS. an upgrade to 3.1 beta might be an option for you also.
>
> Amos
> --
> Please be using
>Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>Current Beta Squid 3.1.0.2

Ah ha! (leave it to MS to have something non standard and weird)

I tried the fix you suggested above but it did not seem to work. I guess I will setup an acl to allow msn.com to bypass my one obfuscation tweak.

Thanks tons for your help!

Nicole

--
- [EMAIL PROTECTED] - Powered by FreeBSD -
--
"The term "daemons" is a Judeo-Christian pejorative.
Such processes will now be known as "spiritual guides"
- Politically Correct UNIX Page
Re: [squid-users] Someone's using my cache?
>> Ah. Gottcha. You are wanting a reverse proxy.
>
> Darn, sorry, I should have thought about that distinction, like I said,
> this is yet another project on my plate so don't have it all down yet :).
>
>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>> contains a usable config for accelerating a hidden web server securely.
>
> Yes, I did come across this but I wasn't sure if this was what I'm looking
> for.
> In the case of using the proxy, there is a virtual host server on the lan
> which handles a dozen or so sites which I wanted to use a reverse proxy to
> speed up connections to.
>
> On the public side, each domain has its www IP pointing to that virtual
> hosting server. The web server is responding based on names so should
> squid be pointing to the server or does it have to know about each site
> name as well?
>
> The examples in the URL seem to show a number of combinations and since
> I've not had the chance to actually sit down and start learning this, I
> ended up using what I posted, the hole.

It's one basic config, with need-based variants. The 'vhost' variation is the one you want by the sounds.

Yes the proxy needs to have a list of the domains that are acceptable, just like the virtual host needs to know the domains it's serving. A dozen should be easily manageable. If there are too many or need changing frequently they can be moved into a separate file which squid loads into an ACL.

If it's still just a presentation demo as you said earlier, you can hack a little by configuring the browser used to demo to use the proxy as a normal proxy, but have the proxy itself setup as a reverse. That way the main production DNS stays normal.

For a full rollout to go live the domain DNS gets pointed at the proxy instead of the virtual host and things keep flowing.

Amos
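The setup described in this thread (accelerator port with vhost, the two origin servers in preference order, access limited to the hosted domains), written out as an added squid.conf example; it is not taken from any post here or from the Squid wiki. The domain names, the peer names and the file path in the comment are placeholders.

```conf
# Added example. www.example.com and www.example.org stand in for the
# dozen hosted sites; replace them with the real domain names.

# Listen as an accelerator. 'vhost' makes Squid honour the Host header,
# so a single port serves every name-based site on the web server.
http_port 80 accel vhost defaultsite=www.example.com

# Origin servers from the thread. No load-balancing option is set, so the
# first usable peer in file order is preferred and 192.168.1.92 is only
# tried when 192.168.1.40 is not available.
cache_peer 192.168.1.40 parent 80 0 no-query originserver name=primary
cache_peer 192.168.1.92 parent 80 0 no-query originserver name=backup

# The domains this proxy will answer for. A long or frequently changing
# list can be loaded from a file instead (the path is an assumption):
#   acl hosted_sites dstdomain "/etc/squid/hosted_sites.txt"
acl hosted_sites dstdomain www.example.com www.example.org

# Requests for the hosted sites are accepted from anywhere; everything
# else is refused, so the proxy cannot be used as a relay to other hosts.
# If your Squid version does not predefine the 'all' ACL, define it first:
#   acl all src 0.0.0.0/0.0.0.0
http_access allow hosted_sites
http_access deny all

# Only hosted-site requests may be forwarded to the origin servers.
cache_peer_access primary allow hosted_sites
cache_peer_access primary deny all
cache_peer_access backup allow hosted_sites
cache_peer_access backup deny all

# Never fetch directly from the Internet; always go through a peer.
never_direct allow all
```

With this rule set a request whose Host header names any other site is denied at http_access before a peer is selected.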
Re: [squid-users] Squid stops suddenly
> I've read stable10 changelog, do you think upgrading to 10 will fix this?
>

I don't know of anything that might do it that's not already in s9.
Always worth a shot though just in case and to get the current assert location.

Amos

>
>> Luis Daniel Lucio Quiroz wrote:
>> > Using squid 3 stable 9, with digest ldap auth, randomly i got this:
>> >
>> > assertion failed: ACLProxyAuth.cc:146:
>> > "authenticateValidateUser(auth_user_request)"
>> >
>> > later, squid dies
>> >
>> > Any comment?
>>
>> Looks similar to one of the open bugs, but not the same one.
>>
>> Can you report as a new bug with full stack trace of the assertion and a
>> detailed cache.log trace leading up to it please?
>>
>> Amos
> On Tuesday 11 November 2008 23:36:11 Amos Jeffries wrote:
Re: [squid-users] Squid stops suddenly
> I've read stable10 changelog, do you think upgrading to 10 will fix this?
>

I don't know of anything that might do it that's not already in s9.
Always worth a shot though just in case and to get the current assert location.

Our bugzilla is at http://bugs.squid-cache.org/

Amos

>
>> Luis Daniel Lucio Quiroz wrote:
>> > Using squid 3 stable 9, with digest ldap auth, randomly i got this:
>> >
>> > assertion failed: ACLProxyAuth.cc:146:
>> > "authenticateValidateUser(auth_user_request)"
>> >
>> > later, squid dies
>> >
>> > Any comment?
>>
>> Looks similar to one of the open bugs, but not the same one.
>>
>> Can you report as a new bug with full stack trace of the assertion and a
>> detailed cache.log trace leading up to it please?
>>
>> Amos
> On Tuesday 11 November 2008 23:36:11 Amos Jeffries wrote:
Re: [squid-users] About squid ICAP implementation
Hi, Henrik

>> I think it may be ACCESS_ALLOWED if currentAnswer is ACCESS_DENIED, right ?
>
> Hmm.. that indeed looks wrong..
>
> It should be initialized to ACCESS_ALLOWED.
>
> And affects every access list without a default.. not just icap_access.

That's right! I think so, too

> Please file a bug report on this.

OK!, I'll try it.

>> I see. By the way, do you have any plan to support multi REQMOD icap
>> servers (per request) ?
>
> That question is best asked on the squid-dev list. I am not currently
> involved in the ICAP implementation.

I see. I'll also try it.

>> >> - Question.3
>> >> squid "always" sends "Allow: 204" header to icap server, right ?
>> >
>> > Yes, unless forcibly disabled by setting icap_preview_enable off.
>>
>> But, it looks more complex condition (checking virginBody)
>
> Right. Confused things a little, mixing up Allow: 204 with the preview.
> Been a while since I worked with ICAP.
>
> Allow: 204 is sent if it's known the whole message can be buffered
> within the buffer limits (SQUID_TCP_SO_RCVBUF). It's not related to
> previews.

thank you!

--
Sincerely,
Mikio Kishi
[squid-users] Squid and Radius authentication
I'm trying to get the squid_radius_auth working and have tried to manually connect to my Microsoft radius server. I cannot get an ok for a response when manually testing the connection. Although, I can see the attempts in my Microsoft radius server log so I know I'm hitting it. I have a feeling it's my configuration in my Microsoft radius server. I've dug around and cannot find any articles on the setup for the radius server side; just the squid side (which again I think is working ok). Does anyone have information on this or suggestions to try? Thanks Scott
[squid-users] refresh_pattern rule
Hi All,

Most of the requests served by squid has expire time of 1 hour because of this we are not seeing expected HIT ratio. What would be refresh_pattern rule we should apply to get higher HIT ratio ? Cache_mem is 2 GB and cache_dir is 6 GB.

Currently we are using following refresh pattern rule.

refresh_pattern . 0 20% 3600

Regards
Nitesh
[squid-users] large memory squid
Hi, I am about to take ownership of a new 2CPU, 4 core server with 32GB of RAM - I intend to add the server to my squid reverse proxy farm. My site is approximately 300GB including archives and I think 32GB of memory alone will suffice as cache for small, hot objects without necessitating any additional disk cache. Are there any potential bottlenecks if I set the disk cache to something like 500MB and cache_mem to something like 22GB. I'm using Centos 5's Squid 2.6. I have a full set of monitoring scripts as per http://www.squid-cache.org/~wessels/squid-rrd/ (thanks again) and of course I will be able to benchmark this myself once I have the box - but any tips in advance would be appreciated. Thanks, John