[squid-users] why http code status is 0 when tcp_hit:none ?
squid log:

218.108.56.170 - - [03/Dec/2008:20:01:08 +0800] 6582 "GET /public/js/livecast/function.js HTTP/1.1" 0 0 "http://xxx.com.cn/livecast/k/live.php?id=313"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)" TCP_HIT:NONE
60.221.78.60 - - [03/Dec/2008:20:01:23 +0800] 6988 "GET /public/js/livecast/function.js HTTP/1.1" 0 0 "http://xxx.com.cn/livecast/k/live.php?id=313"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" TCP_HIT:NONE
Re: [squid-users] Any workaround for http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion
Sorry to have to ask again after waiting 2 days long for response. I'm so eager to get it working that I can't seem to do anything else.

Does anyone have a working solution for caching Youtube and Google videos? Any ideas or pointers to some links would be much appreciated.

Thanks & regards,
Khem

On Wednesday 03 December 2008 04:12:03 pm Khemara Lyn wrote:
> Hi All again,
>
> I've been following the config examples on the Squid Web site:
>
> http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube
> http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion
>
> I can say it works great. I've been using Squid for quite a while now and
> had always wanted to be able to cache YouTube videos but could not until I
> read the above 2 links.
>
> However, I still encounter this error message in Cache log such as this
> one:
>
> 2008/12/03 15:49:07| clientCacheHit: request has store_url 'http://video-srv.youtube.com.SQUIDINTERNAL/get_video?video_id=FC4E946i6aE'; mem object in hit has mis-matched url 'http://chi-v249.chi.youtube.com/get_video?video_id=FC4E946i6aE&ip=202.79.29.2&signature=615BA17FC5B6A9B22724204532BA756082C2A57B.1264B3777118E945D75D8653BEBDAABE375B89E3&sver=2&expire=1228315101&key=yt4&ipbits=0'!
> ...
>
> Could someone explain what it means? I'm grateful for any idea or pointer
> to a workaround.
>
> I also read the thread in this list on this for a workaround by Horacio
> with his great PHP script but that did not work for me either.
>
> Any more hints would be much appreciated.
>
> Regards,
> Khem
Re: [squid-users] NTLM Auth for workstation not users
As I already told you I don't want to make list with IPs, I want to allow computers based on AD group, for one-place-administration.

I can try an external acl with nslookup or nmblookup. Do you have other suggestion?

On Wed, Dec 3, 2008 at 11:50 PM, Tom Porch <[EMAIL PROTECTED]> wrote:
> Or reservations in DHCP rather than setting on each workstation
>
> From: Kinkie [EMAIL PROTECTED]
> Sent: 03 December 2008 21:34
> To: Razvan Grigore
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] NTLM Auth for workstation not users
>
> On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> I successfully implemented a working solution with squid 3.0STABLE10,
>> NTLM Auth & samba.
>> I have an AD group with users that are allowed to access the internet.
>>
>> What is demanded now by my company is to add to that internet group
>> some computer accounts, that will have access to the proxy no matter
>> what user is logged on them.
>>
>> Now, from AD point of view, it's easy to add the computer name to that
>> group. The problem is with squid acl's. Can you please give me an
>> example as how I should get it working? Or external acl is the answer
>> here? If yes, can you also give me an example?
>
> Give those computers static IP address and list those IP address in an
> allowed ACL.
>
> --
> /kinkie
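A sketch of the external ACL idea raised in this message, added here as an example (it is not code from the thread or from the Squid project): Squid writes the client address (%SRC) to the helper's stdin and the helper answers OK or ERR, here after a forward-confirmed reverse DNS lookup. The set of computer names, the helper path and the ACL names are assumptions; a real deployment would fill the set from the AD group.

```python
#!/usr/bin/env python3
# Wiring in squid.conf (names and path are placeholders):
#   external_acl_type ad_computer ttl=300 %SRC /path/to/this_helper.py
#   acl allowed_pc external ad_computer
#   http_access allow allowed_pc
import socket
import sys

# Assumption: computer names exported from the AD internet group (constructed).
ALLOWED_HOSTS = {"ws-finance-01.corp.example", "kiosk-lobby.corp.example"}


def system_resolver(ip):
    """Reverse-resolve ip, then forward-resolve the returned name."""
    name = socket.gethostbyaddr(ip)[0]
    addrs = socket.gethostbyname_ex(name)[2]
    return name, addrs


def check_client(ip, allowed=ALLOWED_HOSTS, resolver=system_resolver):
    """Return 'OK' if ip belongs to an allowed computer name, else 'ERR'."""
    try:
        name, addrs = resolver(ip)
    except OSError:  # no PTR record, lookup failure, malformed address
        return "ERR"
    # A PTR record alone is set by whoever controls the reverse zone,
    # so the name must also resolve back to the same address.
    if ip not in addrs:
        return "ERR"
    return "OK" if name.lower().rstrip(".") in allowed else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, resolver=system_resolver):
    """One request per line from Squid, one OK/ERR answer per line back."""
    for line in stdin:
        fields = line.split()
        verdict = check_client(fields[0], resolver=resolver) if fields else "ERR"
        stdout.write(verdict + "\n")
        stdout.flush()  # Squid waits for each answer


if __name__ == "__main__":
    serve()
```

The result identifies the machine only as well as DNS and the source address do; unlike NTLM it involves no credential, and the ttl on the external_acl_type line decides how long a verdict is reused.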
Re: [squid-users] Squid3 + Digestauth agains a HTTP/FTP ntlm site aware
> Hi Squids,
>
> Currently we have Squid 3.0.9 running with ldap_digest helper. It runs
> very cool, however, some sites are presenting problems.
>
> In sites such as ftp://partnerweb.trendmicro.com.br using squid it fails.
> It seems that this site use NTLM and squid get confuses about
> authentication user for squid and then authenticating site using NTLM.
>
> Any comment?

3.0 does not support NTLM passthru. If you can, please test out the 3.1 release. They are expected to support it. Daily snapshot has the most bug fixes and stable code.

http://www.squid-cache.org/Versions/v3/3.1/

Amos
Re: [squid-users] Number of Spindles
Why aren't there any (or marginal / insignificant) improvements over 3 spindles? Is it because squid is a single threaded application?

On this note, what impact does the L1 and L2 directories have on AUFS performance? I understand that these are there to control the number of objects in each folder. But, what would be a good number of files to keep in a directory, performance wise?

Regards
HASSAN

- Original Message -
From: "Amos Jeffries" <[EMAIL PROTECTED]>
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
Cc: "Nyamul Hassan" <[EMAIL PROTECTED]>; "Squid Users"
Sent: Monday, December 01, 2008 04:33
Subject: Re: [squid-users] Number of Spindles

On Sun, 2008-11-30 at 09:56 +0600, Nyamul Hassan wrote:

"The primary purpose of these tests is to show that Squid's performance doesn't increase in proportion to the number of disk drives. Excluding other factors, you may be able to get better performance from three systems with one disk drive each, rather than a single system with three drives."

There is a significant difference up to 3 drives in my tests.

Um, can you clarify please? Do you mean difference in experience than described, or separate systems are faster up to 3 drives?

Amos
[squid-users] Routing requests issues in hierarchy setup
Hi Folks:

I'm getting puzzled with routing requests with Squid 2.7STABLE5 and how 'always_direct' and 'never_direct' work. Basically I'd like to route requests with a specific extension to another squid instance, requests to my domain to go directly and outside requests go through my parent proxies.

Following the information in http://wiki.squid-cache.org/KnowledgeBase/HierarchyControl and in the comments of squid.conf.default I've made:

# parent cache's (border caches)
cache_peer proxy1.bar.com parent 3128 0 no-query no-delay round-robin no-digest name=proxy1
cache_peer proxy2.bar.com parent 3128 0 no-query no-delay round-robin no-digest name=proxy2
cache_peer proxy3.bar.com parent 3128 0 no-query no-delay round-robin no-digest name=proxy3
cache_peer proxy4.bar.com parent 3128 0 no-query no-delay round-robin no-digest name=proxy4

# other squid instance
cache_peer localhost parent 3129 0 no-query no-digest name=tier2

acl bar dstdomain .bar.com
acl foo dstdomain foo.bar.com
acl caching_tier2 url_regex -i (\.css|\.jar|\.png|\.gif|\.jpg|\.js)$

# removing Pragma header and sending specific requests to foo
header_access pragma deny caching_tier2
cache_peer_access tier2 allow caching_tier2 foo
cache_peer_access tier2 deny all
cache_peer_access proxy1 deny caching_tier2 foo
cache_peer_access proxy2 deny caching_tier2 foo
cache_peer_access proxy3 deny caching_tier2 foo
cache_peer_access proxy4 deny caching_tier2 foo

always_direct allow !caching_tier2 bar
never_direct allow all

Since an 'allow' match of 'always_direct' goes direct, any request to domain 'bar.com' which doesn't match the 'caching_tier2' ACL should go direct. But what is happening is:

request to http://foo.bar.com/something.jpg => routed to tier2 => OK
request to http://other.bar.com/ => routed to parents => NOT OK!
request to http://outside.world.com/ => routed to parents => OK!

So... Where am I messing things up?? :-)

Thanks in advance
Lucas Brasilino
RE: [squid-users] NTLM Auth for workstation not users
Or reservations in DHCP rather than setting on each workstation

From: Kinkie [EMAIL PROTECTED]
Sent: 03 December 2008 21:34
To: Razvan Grigore
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Auth for workstation not users

On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I successfully implemented a working solution with squid 3.0STABLE10,
> NTLM Auth & samba.
> I have an AD group with users that are allowed to access the internet.
>
> What is demanded now by my company is to add to that internet group
> some computer accounts, that will have access to the proxy no matter
> what user is logged on them.
>
> Now, from AD point of view, it's easy to add the computer name to that
> group. The problem is with squid acl's. Can you please give me an
> example as how I should get it working? Or external acl is the answer
> here? If yes, can you also give me an example?

Give those computers static IP address and list those IP address in an allowed ACL.

--
/kinkie
Re: [squid-users] NTLM Auth for workstation not users
On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I successfully implemented a working solution with squid 3.0STABLE10,
> NTLM Auth & samba.
> I have an AD group with users that are allowed to access the internet.
>
> What is demanded now by my company is to add to that internet group
> some computer accounts, that will have access to the proxy no matter
> what user is logged on them.
>
> Now, from AD point of view, it's easy to add the computer name to that
> group. The problem is with squid acl's. Can you please give me an
> example as how I should get it working? Or external acl is the answer
> here? If yes, can you also give me an example?

Give those computers static IP address and list those IP address in an allowed ACL.

--
/kinkie
[squid-users] MAC Filtering
I am running squid3 installed in debian (apt-get install squid3). I am trying to do some mac filtering but doing:

acl accept arp 00:1A:78:4D:59:F6
http_access allow accept
http_access deny all

But, when I try to restart the server I get this message:

Restarting Squid HTTP Proxy 3.0: squid3 Waiting.done.
2008/12/03 16:41:08| aclParseAclLine: Invalid ACL type 'arp'
2008/12/03 16:41:08| storeDirWriteCleanLogs: Starting...
2008/12/03 16:41:08| Finished. Wrote 0 entries.
2008/12/03 16:41:08| Took 0.0 seconds ( 0.0 entries/sec).
FATAL: Bungled squid.conf line 14: acl accept arp 00:1A:73:4D:58:F7
Squid Cache (Version 3.0.PRE5): Terminated abnormally.
CPU Usage: 0.012 seconds = 0.008 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
failed!

I've read that I need to configure squid with option --enable-arp-acl. How can I do this since I didn't compile from source?

Thanks.
[squid-users] Sending mail through port 80
Hello.

My ISP SMTP server accepts connections to port 80 instead of 25. I am unable to send mail using this server from the LAN because squid catches all the traffic through port 80. How can I tell squid to ignore or not cache connections to that server? Would that still work?

Thank you in advance for your help.
[squid-users] NTLM Auth for workstation not users
Hello,

I successfully implemented a working solution with squid 3.0STABLE10, NTLM Auth & samba. I have an AD group with users that are allowed to access the internet.

What is demanded now by my company is to add to that internet group some computer accounts, that will have access to the proxy no matter what user is logged on them.

Now, from AD point of view, it's easy to add the computer name to that group. The problem is with squid acl's. Can you please give me an example as how I should get it working? Or external acl is the answer here? If yes, can you also give me an example?

Thank you!
Razvan
[squid-users] Squid3 + Digestauth agains a HTTP/FTP ntlm site aware
Hi Squids,

Currently we have Squid 3.0.9 running with ldap_digest helper. It runs very cool, however, some sites are presenting problems.

In sites such as ftp://partnerweb.trendmicro.com.br using squid it fails. It seems that this site use NTLM and squid get confuses about authentication user for squid and then authenticating site using NTLM.

Any comment?

Regards,
LD
Re: [squid-users] NTLM Password Cache on Squid ?
Leonardo Rodrigues Magalhães wrote:
> squid has all the caching mechanisms too. check your TTL parameters on
> your squid authentication mechanism. For example:
>
> auth_param basic credentialsttl 300 seconds
>
> or
>
> external_acl_type ldap_group ttl=300 %LOGIN
>
> Those parameters can make squid 'think' a password is OK when it was
> changed, as well as believe a user is member of a group when it's not
> anymore.

That is true, but if you call the NTLM auth helper on the command line this does not come into the line; an actual query is performed and the answer comes directly from the ADC. And even then I observed large delays.

JC
Re: [squid-users] NTLM Password Cache on Squid ?
Jakob Curdes wrote:
>> - When we change a password on the Active Directory, squid don't see
>> the change before a lot of hours ...
>
> That is an AD "feature". If you use AD groups, you can take somebody out
> of the group and AD will happily respond that the user is a group member
> for several hours. You can easily check the AD answer using the squid
> auth helper. Probably this can be configured on the AD side but I am not
> an AD freak so I cannot help there.

squid has all the caching mechanisms too. check your TTL parameters on your squid authentication mechanism. For example:

auth_param basic credentialsttl 300 seconds

or

external_acl_type ldap_group ttl=300 %LOGIN

Those parameters can make squid 'think' a password is OK when it was changed, as well as believe a user is member of a group when it's not anymore.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
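A check for the two cache lifetimes named in this message, added here as an example (it is not code from the thread or from the Squid project): it scans squid.conf text for auth_param ... credentialsttl and external_acl_type ... ttl= and reports how long a changed password or a removed group membership can still be accepted from Squid's own cache. The 300-second threshold, the sample configuration and the helper paths are assumptions.

```python
import re

# Time units Squid accepts after a number (the subset relevant to auth TTLs).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Constructed sample; /path/to/... stands in for the real helper locations.
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
auth_param basic credentialsttl 2 hours
external_acl_type ldap_group ttl=300 %LOGIN /path/to/ldap_group_helper
external_acl_type ad_group ttl=3600 children=5 %LOGIN /path/to/ad_group_helper
"""


def to_seconds(value, unit="seconds"):
    """Convert ('2', 'hours') -> 7200; unit may be singular or plural."""
    return int(value) * UNIT_SECONDS[unit.lower().rstrip("s")]


def audit_auth_ttls(conf_text, max_age=300):
    """Return (lineno, setting, seconds, exceeds_max_age) for each cached
    authentication or group lookup lifetime set explicitly in the config."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "auth_param" and words[2] == "credentialsttl":
            # auth_param <scheme> credentialsttl <number> [unit]
            unit = words[4] if len(words) > 4 else "seconds"
            secs = to_seconds(words[3], unit)
            findings.append((lineno, f"auth_param {words[1]} credentialsttl",
                             secs, secs > max_age))
        elif len(words) >= 2 and words[0] == "external_acl_type":
            # external_acl_type <name> [options] <format> <helper>
            for opt in words[2:]:
                m = re.fullmatch(r"ttl=(\d+)", opt)
                if m:
                    secs = int(m.group(1))
                    findings.append((lineno, f"external_acl_type {words[1]} ttl",
                                     secs, secs > max_age))
    return findings


def worst_case_stale_seconds(findings):
    """Longest time Squid itself may keep honouring a revoked answer."""
    return max((secs for _, _, secs, _ in findings), default=0)


if __name__ == "__main__":
    for lineno, setting, secs, too_long in audit_auth_ttls(SAMPLE_CONF):
        flag = "REVIEW" if too_long else "ok"
        print(f"line {lineno}: {setting} = {secs}s [{flag}]")
```

Lines that set no lifetime are not reported, so Squid's built-in defaults still apply to them. Running the auth helper by hand bypasses these caches, which separates a delay inside Squid from one in winbind or the directory.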
Re: [squid-users] NTLM Password Cache on Squid ?
> - When we change a password on the Active Directory, squid don't see
> the change before a lot of hours ...

That is an AD "feature". If you use AD groups, you can take somebody out of the group and AD will happily respond that the user is a group member for several hours. You can easily check the AD answer using the squid auth helper. Probably this can be configured on the AD side but I am not an AD freak so I cannot help there.

HTH,
J.Curdes
[squid-users] NTLM Password Cache on Squid ?
Hi

we have a small problem ... :

- We use Squid with Winbind/NTLM auth
- When we change a password on the Active Directory, squid doesn't see the change before a lot of hours ...

Does it have a cache? Can I put a TTL?

thanks for your help
jerome
[squid-users] RE: [Bulk] [squid-users] SSL on Squid 2.7 Windows
Hi Raphaël

I just did try that and took out the option accel but still the same; squid is not listening on port 443. The version I did download should have ssl included (http://squid.acmeconsulting.it/download/squid-2.7.STABLE5-bin-SSL.zip)

Theo

jraph wrote:
>
> Hello
>
> I'm setting up a reverse proxy https using linux. Could you try to remove
> option accel ?
> I don't know if this is the case for Windows but in Debian I had to
> recompile Squid to include ssl, due to the licenses. If not the http is ok
> but the https will not start with the default install.
>
> Regards
>
> Raphaël
>
> -Original Message-
> From: TheoB [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 3 December 2008 15:25
> To: squid-users@squid-cache.org
> Subject: [Bulk] [squid-users] SSL on Squid 2.7 Windows
>
> I have a running http reverse proxy setup. Now I want to add SSL.
>
> The first thing I try is to make squid listening on port 443:
>
> https_port 192.168.1.151:443 accel cert=C:/squid/ssl/xxx.pem key=C:/squid/ssl/xxx.pem defaultsite=mirror.xxx.com vhost
>
> Squid starts but is not listening on 192.168.1.151:443. In the log I see
> no indication that squid tries to set up an https listener.
>
> How to get squid to listen on 192.168.1.151:443 ?
> Does anybody have experience running squid as an accelerating reverse
> proxy using SSL on windows?
>
> I use Squid 2.7 STABLE with SSL Support
> (http://squid.acmeconsulting.it/download/squid-2.7.STABLE5-bin-SSL.zip)
> on a windows 2003 server box.
>
> Thanks
> Theo
>
> --
> View this message in context:
> http://www.nabble.com/SSL-on-Squid-2.7-Windows-tp20813896p20813896.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/SSL-on-Squid-2.7-Windows-tp20813896p20816825.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] RE: [Bulk] [squid-users] SSL on Squid 2.7 Windows
Hello

I'm setting up a reverse proxy https using linux. Could you try to remove option accel ?
I don't know if this is the case for Windows but in Debian I had to recompile Squid to include ssl, due to the licenses. If not the http is ok but the https will not start with the default install.

Regards

Raphaël

-Original Message-
From: TheoB [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 December 2008 15:25
To: squid-users@squid-cache.org
Subject: [Bulk] [squid-users] SSL on Squid 2.7 Windows

I have a running http reverse proxy setup. Now I want to add SSL.

The first thing I try is to make squid listening on port 443:

https_port 192.168.1.151:443 accel cert=C:/squid/ssl/xxx.pem key=C:/squid/ssl/xxx.pem defaultsite=mirror.xxx.com vhost

Squid starts but is not listening on 192.168.1.151:443. In the log I see no indication that squid tries to set up an https listener.

How to get squid to listen on 192.168.1.151:443 ?
Does anybody have experience running squid as an accelerating reverse proxy using SSL on windows?

I use Squid 2.7 STABLE with SSL Support (http://squid.acmeconsulting.it/download/squid-2.7.STABLE5-bin-SSL.zip) on a windows 2003 server box.

Thanks
Theo

--
View this message in context: http://www.nabble.com/SSL-on-Squid-2.7-Windows-tp20813896p20813896.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] SSL on Squid 2.7 Windows
I have a running http reverse proxy setup. Now I want to add SSL.

The first thing I try is to make squid listening on port 443:

https_port 192.168.1.151:443 accel cert=C:/squid/ssl/xxx.pem key=C:/squid/ssl/xxx.pem defaultsite=mirror.xxx.com vhost

Squid starts but is not listening on 192.168.1.151:443. In the log I see no indication that squid tries to set up an https listener.

How to get squid to listen on 192.168.1.151:443 ?
Does anybody have experience running squid as an accelerating reverse proxy using SSL on windows?

I use Squid 2.7 STABLE with SSL Support (http://squid.acmeconsulting.it/download/squid-2.7.STABLE5-bin-SSL.zip) on a windows 2003 server box.

Thanks
Theo

--
View this message in context: http://www.nabble.com/SSL-on-Squid-2.7-Windows-tp20813896p20813896.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Any workaround for http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion
Hi All again,

I've been following the config examples on the Squid Web site:

http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube
http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion

I can say it works great. I've been using Squid for quite a while now and had always wanted to be able to cache YouTube videos but could not until I read the above 2 links.

However, I still encounter this error message in Cache log such as this one:

2008/12/03 15:49:07| clientCacheHit: request has store_url 'http://video-srv.youtube.com.SQUIDINTERNAL/get_video?video_id=FC4E946i6aE'; mem object in hit has mis-matched url 'http://chi-v249.chi.youtube.com/get_video?video_id=FC4E946i6aE&ip=202.79.29.2&signature=615BA17FC5B6A9B22724204532BA756082C2A57B.1264B3777118E945D75D8653BEBDAABE375B89E3&sver=2&expire=1228315101&key=yt4&ipbits=0'!
...

Could someone explain what it means? I'm grateful for any idea or pointer to a workaround.

I also read the thread in this list on this for a workaround by Horacio with his great PHP script but that did not work for me either.

Any more hints would be much appreciated.

Regards,
Khem
Re: [squid-users] How to handle the error: Unsupported method 'BitTorrent'
Thanks, Amos. Feel safe, then.

On Wednesday 03 December 2008 11:44:32 am Amos Jeffries wrote:
> Khemara Lyn wrote:
> > Dear All,
> >
> > How can I handle this error in Cache log:
> >
> > parseHttpRequest: Unsupported method 'BitTorrent'
> >
> > Is it serious or does it affect Squid performance?
>
> It's only a waste of TCP connections, if you have available fd and
> socket capacity on the system you can safely ignore it.
>
> > I am using Squid-2.7 compiled from source with transparent proxy and
> > talking WCCP2 to a CISCO router.
> >
> > Can I tell Squid to immediately drop any invalid request or unsupported
> > method?
>
> It already does. That message is the warning that one has been dropped.
>
>
> Amos