Re: [squid-users] HTTP Header
Chris Robertson wrote:
> In your vBulletin includes/init.php file change
>   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> to
>   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);

No. I don't do this, because this is not the right method.

----- Original Message -----
From: Chris Robertson crobert...@gci.net
To: squid-users@squid-cache.org
Sent: Thursday, January 08, 2009 10:52 PM
Subject: Re: [squid-users] HTTP Header

> Mehmet ÇELiK wrote:
> > Hi all,
> > I am using Squid as a Reverse Proxy for my Web Servers. The Client IP Address is passed to the Web Servers in X_FORWARDED_FOR. But I want to write the Client IP Address to REMOTE_ADDR. I want this because I am using the vBulletin Forum, and vBulletin takes the Reverse Proxy IP as REMOTE_ADDR. When a user logs in with a wrong password, vBulletin denies the Reverse Proxy IP. This event affects all users. Can I write the Client IP Address to $_SERVER['REMOTE_ADDR'] in PHP? Is it possible?
> >
> > Regards,
> > Mehmet CELIK
>
> http://www.vbulletin.com/forum/showthread.php?p=805786#post805786
>
> In your vBulletin includes/init.php file change
>   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> to
>   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>
> Chris
[squid-users] Antwort: Re: [squid-users] Antwort: [squid-users] Antwort: Re: [squid-users] Problems to access specific site
Good suggestion - I will inform them!! Thanks!

Matus UHLAR - fantomas uh...@fantomas.sk
To: squid-users@squid-cache.org
Cc:
08.01.2009 17:20
Subject: Re: [squid-users] Antwort: [squid-users] Antwort: Re: [squid-users] Problems to access specific site

> On 08.01.09 15:04, David Walcher wrote:
> > forwarded_for off
>
> It means that the server/application is broken. You should complain to them.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Silvester Stallone: Father of the RISC concept.
Re: [squid-users] HTTP Header
Mehmet ÇELiK wrote:
> > In your vBulletin includes/init.php file change
> >   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> > to
> >   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>
> No. I don't do this, because this is not the right method.

In my PHP-apps I do the equivalent of this:

  if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
      define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
  else
      define('IPADDRESS', $_SERVER['REMOTE_ADDR']);

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] HTTP Header
Mehmet ÇELiK wrote:
> > In your vBulletin includes/init.php file change
> >   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> > to
> >   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>
> No. I don't do this, because this is not the right method.

On 09.01.09 22:40, Amos Jeffries wrote:
> In my PHP-apps I do the equivalent of this:
>
>   if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
>       define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>   else
>       define('IPADDRESS', $_SERVER['REMOTE_ADDR']);

Is that working? Afaik, X-Forwarded-For may contain more IP addresses, where not all of them may be trusted.

I think that a proper validator should have a list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR until an untrusted IP is found (the same way squid's follow_x_forwarded_for directive does).

If anyone has such PHP, please paste a link. I think that could be used in many other PHP applications (and I'd post that to the horde people).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
WinError #9: Out of error messages.
Re: [squid-users] HTTP Header
Matus UHLAR - fantomas wrote:
> Mehmet ÇELiK wrote:
> > > In your vBulletin includes/init.php file change
> > >   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> > > to
> > >   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
> >
> > No. I don't do this, because this is not the right method.
>
> On 09.01.09 22:40, Amos Jeffries wrote:
> > In my PHP-apps I do the equivalent of this:
> >
> >   if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
> >       define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
> >   else
> >       define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
>
> Is that working? Afaik, X-Forwarded-For may contain more IP addresses, where not all of them may be trusted.
>
> I think that a proper validator should have a list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR until an untrusted IP is found (the same way squid's follow_x_forwarded_for directive does).
>
> If anyone has such PHP, please paste a link. I think that could be used in many other PHP applications (and I'd post that to the horde people).

This is one I have linked for signups. Goes a little further than trusting the XFF and assuming only one proxy is in use. Copes with both IPv4 and IPv6.

  <?php
  function userIP() {
      global $_SERVER;
      if ($_SERVER['HTTP_X_FORWARDED_FOR'])
          $base = $_SERVER['HTTP_X_FORWARDED_FOR'];
      else
          $base = $_SERVER['REMOTE_ADDR'];
      $ip = "";
      foreach (explode(",", $base) as $key => $val) {
          $bits = "";
          if (!ereg("((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))", $val, $bits)) {
              return ""; // BAD IP.
          }
          // TODO some test to see if its an acceptable IP.
          // return ""; if its not good.
          $ip = $bits[1];
      }
      return $ip;
  }
  ?>

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
[squid-users] Transparent but not intercepting proxy
Hi all. Is it possible to run the SQUID proxy server in transparent mode without interception? I.e. SQUID passes the original address of the client (tproxy patch), but clients' connections are not intercepted automatically and the user has to set the proxy server manually in his browser?
Re: [squid-users] HTTP Header
Matus UHLAR - fantomas wrote:
> Mehmet ÇELiK wrote:
> > > In your vBulletin includes/init.php file change
> > >   define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
> > > to
> > >   define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
> >
> > No. I don't do this, because this is not the right method.
>
> On 09.01.09 22:40, Amos Jeffries wrote:
> > In my PHP-apps I do the equivalent of this:
> >
> >   if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
> >       define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
> >   else
> >       define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
>
> Is that working? Afaik, X-Forwarded-For may contain more IP addresses, where not all of them may be trusted.
>
> I think that a proper validator should have a list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR until an untrusted IP is found (the same way squid's follow_x_forwarded_for directive does).
>
> If anyone has such PHP, please paste a link. I think that could be used in many other PHP applications (and I'd post that to the horde people).

Actually, come to think of it, that way is wrong anyway. This is better...

  function userIP() {
      global $_SERVER;
      $ip = "";
      $l = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR'] . "," . $_SERVER['REMOTE_ADDR']);
      rsort($l);
      foreach ($l as $key => $val) {
          if (!$val) continue;
          $bits = "";
          if (!ereg("((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))", $val, $bits)) {
              return ""; // BAD IP.
          }
          // TODO some test to see if its an acceptable IP.
          // return ""; if its not a good IP.
          $ip = $bits[1];
      }
      return $ip;
  }

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
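Matus asked above for a validator that matches REMOTE_ADDR and X-Forwarded-For against a list of trusted networks until an untrusted address is found, the way Squid's follow_x_forwarded_for does. The code below is an added illustration of that walk, not Amos's code and not part of Squid or vBulletin; the trusted network list and the sample request are constructed, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not Amos's code, not part of Squid or vBulletin): derive the
// client address from REMOTE_ADDR plus X-Forwarded-For by walking the chain
// from the right, the way Squid's follow_x_forwarded_for does, and trusting
// only proxies inside the configured networks. The trusted network list and
// the sample request below are constructed for the demonstration.
// Assumes PHP 7.1+ (nullable return types, intdiv, inet_pton).

/** Packed binary form of an IPv4/IPv6 address, or null if $ip is not one. */
function packIp(string $ip): ?string
{
    $ip = trim($ip);
    // filter_var first: inet_pton warns on garbage instead of failing quietly
    if ($ip === '' || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($ip);
    return $packed === false ? null : $packed;
}

/** True if $packed lies inside the CIDR block "network/prefix". */
function ipInCidr(string $packed, string $cidr): bool
{
    [$net, $prefix] = array_pad(explode('/', $cidr, 2), 2, null);
    $netPacked = packIp($net);
    if ($netPacked === null || strlen($netPacked) !== strlen($packed)) {
        return false; // unparsable network, or a different address family
    }
    $maxBits = strlen($packed) * 8;
    $prefix  = ($prefix === null) ? $maxBits : (int) $prefix;
    if ($prefix < 0 || $prefix > $maxBits) {
        return false;
    }
    // Compare the whole bytes covered by the prefix, then the partial byte.
    $fullBytes = intdiv($prefix, 8);
    if (substr($packed, 0, $fullBytes) !== substr($netPacked, 0, $fullBytes)) {
        return false;
    }
    $rem = $prefix % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($packed[$fullBytes]) & $mask) === (ord($netPacked[$fullBytes]) & $mask);
}

function isTrustedProxy(string $packed, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ipInCidr($packed, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * The address an application should use in place of REMOTE_ADDR.
 * Start at REMOTE_ADDR; while the current hop is a trusted proxy, step one
 * entry to the left in X-Forwarded-For. The first hop that is not a trusted
 * proxy is the client. A direct connection from an untrusted address ignores
 * the header entirely, so a visitor cannot pick an address just by sending one.
 */
function clientIp(array $server, array $trustedCidrs): string
{
    $remote = trim($server['REMOTE_ADDR'] ?? '');
    $packed = packIp($remote);
    if ($packed === null || !isTrustedProxy($packed, $trustedCidrs)) {
        return $remote; // not behind one of our proxies: the header is untrusted
    }
    $current = $remote;
    $hops = array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach ($hops as $hop) {
        $hopPacked = packIp($hop);
        if ($hopPacked === null) {
            break; // malformed entry: stop at the last address that validated
        }
        $current = trim($hop);
        if (!isTrustedProxy($hopPacked, $trustedCidrs)) {
            break; // first untrusted address is the real client
        }
    }
    return $current;
}

// Constructed sample: our reverse proxies live in 10.0.0.0/8. The visitor at
// 203.0.113.7 sent a forged "X-Forwarded-For: 1.1.1.1" of its own, and two of
// our proxies (10.9.9.9, then 10.1.2.3) appended the source they each saw.
$trusted = ['10.0.0.0/8', '127.0.0.0/8', '::1/128', 'fd00::/8'];
$request = [
    'REMOTE_ADDR'          => '10.1.2.3',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 203.0.113.7, 10.9.9.9',
];
echo clientIp($request, $trusted), "\n";
```

On the constructed sample the walk stops at 203.0.113.7 and never reaches the forged 1.1.1.1; if every entry is a trusted proxy it returns the leftmost one, which is the same outcome Squid gives in that case.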
[squid-users] squid 3.0 stable 8 or 11 max_user_ip stored information
Hi to all, I'd like to know where the max_user_ip directive (with NTLM authentication in AD 2003) stores the information about the logged-in user, so I'll try to share it for a balanced environment. Thanks in advance. Luca Forti
[squid-users] Re: WCCP configuration
Hi,

Thanks for the reply. It did help us solve the problem. But there is a new issue.

We have configured squid+tproxy. The squid IP is not displayed and only the client IP is displayed when we do the proxy test. But after configuring WCCP we find that the server IP is displayed in the proxy test instead of the client IP. We also find that the HTTP request is pathetically slow.

squid.conf:

  wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
  wccp2_service dynamic 90
  wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
  http_port 3128 transparent tproxy

iptables:

  /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a GRE tunnel based on the router identifier.

  wccp2_router xx.xx.xxx.xx   (ip of router interface connected to squid machine)

The following commands are assigned at the router interface connected to the LAN:

  ip wccp 80 redirect in
  ip wccp 90 redirect out

The following command at the router interface connected to squid:

  ip wccp redirect exclude in

Router  : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel  : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver  : squid-2.7 Stable 5

#lsmod
ip_gre             19616  0
iptable_filter     11136  0
ipt_TPROXY         11136  1
ipt_REDIRECT       10624  0
xt_tcpudp          11904  1
reiserfs          235144  5
iptable_tproxy     23036  2 ipt_TPROXY
iptable_nat        15492  1 iptable_tproxy
ip_nat             24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables          25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables           23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack       53400  3 iptable_tproxy,iptable_nat,ip_nat

The internet works, but the browsing is dead slow. Temporarily we have bypassed squid to browse the net.
Thanks
VK

-----Original Message-----
From: Henrik Nordstrom hen...@henriknordstrom.net
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

> On Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:
> > wccp2_router xxx.xx.xxx.xxx
> > wccp_version 4
> > wccp2_forwarding_method 1
> > wccp2_return_method 1
> > wccp2_assignment_method 1
> > wccp2_service dynamic 80
> > wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
> > wccp2_service dynamic 90
> > wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
> >
> > Router Eth0 - connected to lan.
> > Eth1 - connected to squid.
>
> Have you also configured
> * A loopback address on the router, giving it an easily identified router ID
> * the required GRE/WCCP tunnel interface on the Squid server
> * disabled rp_filter on the above GRE/WCCP interface.
> * And adjusted the REDIRECT/NAT rules to act on traffic received on the GRE/WCCP interface configured above?
>
> > Service Identifier: web-cache
> > Number of Service Group Clients: 1
> > Number of Service Group Routers: 1
> > Total Packets s/w Redirected: 11336
> > Process: 0
> > Fast: 0
> > CEF: 11336
>
> Looks fine.
>
> > Is there any simple way of configuring WCCP. We have been beating round the bush all day long to configure wccp.
>
> WCCP as such is configured. But something is missing in the interception at the proxy. Most likely the GRE interface mentioned above.
>
> Regards
> Henrik
Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3
On Thu, Jan 8, 2009 at 11:23 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> > Chris Robertson wrote:
> > > Try http://www.squid-cache.org/Doc/config/ignore_expect_100/
> >
> > This workaround did fix the problem for now.
>
> That said, the squid setting is only a bandaid over the top, and only works in that one proxy. All web clients attempting to send Expect: 100 are expected to behave sensibly when it fails and they get given the 417 response. It should simply re-try without the expectation.

I sent an email off to USPS tech support with the grueling details, but I won't hold my breath. ;-)

Thanks for the help.

Kind Regards,
Chris
--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
[squid-users] Re: freeAllContexts trashes hostname?
On Fri, 2009-01-09 at 01:01 -0800, David Molnar wrote:
> I noticed that the host name was being passed around as a pointer in the DynamicSslCert code, and I had a hunch that perhaps the buffer was being free'd at some point. I found a call to freeAllContexts() in ConnStateData::switchToHttps in client_side.cc.

My bug. I did not realize freeAllContexts() frees the request. The fix, similar to what you have described, has been committed to the DynamicSslCert branch (r9342). Your debugging and analysis made the fix trivial.

Do you mind if I add you to the Squid CONTRIBUTORS file?

Thank you,
Alex.
[squid-users] WCCP, transparent, with SSL
I emailed about this once in the past, not sure I got a real definitive answer, so I dropped it, but now I would like to implement this.

We use Squid utilizing WCCP, currently just service cache (port 80) redirection. I would like to redirect 443 to the squid proxy as well (I know you can't cache it). I just want squid to make the request on behalf of the employee, so I can also log https visits. So for example, I could block access to, let's say, www.microsoft.com using squid and employees would get blocked because port 80 is redirected via wccp to the proxy server, but they could visit https://www.microsoft.com because it's not configured to go to the proxy via wccp.

I understand we need to configure the router, but what different should be done on the proxy server? We have the correct iptables rules set up to DNAT port 80 to 3128; I assume this is not as easy as doing 443 to 3128.

Regards,
Nick
Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3
On Fri, Jan 9, 2009 at 9:42 AM, Chris Nighswonger cnighswon...@foundations.edu wrote:
> On Thu, Jan 8, 2009 at 11:23 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> > > Chris Robertson wrote:
> > > > Try http://www.squid-cache.org/Doc/config/ignore_expect_100/
> > >
> > > This workaround did fix the problem for now.
> >
> > That said, the squid setting is only a bandaid over the top, and only works in that one proxy. All web clients attempting to send Expect: 100 are expected to behave sensibly when it fails and they get given the 417 response. It should simply re-try without the expectation.
>
> I sent an email off to USPS tech support with the grueling details, but I won't hold my breath. ;-)
>
> Thanks for the help.

BTW, we started back up for the spring semester yesterday. I did my upgrade over the break. Now I am having multiple sites (many are SSL) inaccessible which were accessible under 2.6.STABLE12. Did I miss some major changes between 2.6 and 2.7? I'm considering rolling back to 2.6 to quell the rebellion... :-(

Kind Regards,
Chris
--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
RE: [squid-users] Re: WCCP configuration
With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.

Nick
[squid-users] Windows 7 beta and NTLM
We use NTLM authentication, but the new Windows 7 beta (yes, it's beta, but it's nice to know of potential issues before they get widely released) seems to be having trouble authenticating.

A standard authentication from XP provides the following in /var/log/squid/cache.log:

  Got user=[912058] domain=[UK] workstation=[LONW037057] len1=24 len2=24

An authentication from Windows 7 beta is shown below:

  Got user=[009340] domain=[UK] workstation=[LONW032292] len1=24 len2=332
  Login for user [uk]\[0093...@[lonw032292] failed due to [Invalid parameter]

I see the different len2 information at the end, so I assume MS has extended something.

The packages we are running are squid-2.6.STABLE20-1.el5 and samba-common-3.0.28-1.el5_2.1.

I am curious whether a package upgrade will fix the problem, if this Windows 7 thingy has introduced an incompatibility that we expect MS to fix with their next release, or if this is a valid request that uses a hitherto unused part of the protocol and therefore we should allow for it.

Tim Towers
Senior Security Analyst
Global Network Services
CLIFFORD CHANCE LLP
RE: [squid-users] Windows 7 beta and NTLM
> We use NTLM authentication, but the new Windows 7 beta (yes, it's beta, but it's nice to know of potential issues before they get widely released) seems to be having trouble authenticating.
>
> A standard authentication from XP provides the following in /var/log/squid/cache.log:
>
>   Got user=[912058] domain=[UK] workstation=[LONW037057] len1=24 len2=24
>
> An authentication from Windows 7 beta is shown below:
>
>   Got user=[009340] domain=[UK] workstation=[LONW032292] len1=24 len2=332
>   Login for user [uk]\[0093...@[lonw032292] failed due to [Invalid parameter]
>
> I see the different len2 information at the end, so I assume MS has extended something.
>
> The packages we are running are squid-2.6.STABLE20-1.el5 and samba-common-3.0.28-1.el5_2.1.
>
> I am curious whether a package upgrade will fix the problem, if this Windows 7 thingy has introduced an incompatibility that we expect MS to fix with their next release, or if this is a valid request that uses a hitherto unused part of the protocol and therefore we should allow for it.

Are you actually talking about Windows 7 or IE8? Other NTLM-enabled browsers may still work, i.e. Firefox.
RE: [squid-users] Windows 7 beta and NTLM
> > The packages we are running are squid-2.6.STABLE20-1.el5 and samba-common-3.0.28-1.el5_2.1.
> >
> > I am curious whether a package upgrade will fix the problem, if this Windows 7 thingy has introduced an incompatibility that we expect MS to fix with their next release, or if this is a valid request that uses a hitherto unused part of the protocol and therefore we should allow for it.
>
> Are you actually talking about Windows 7 or IE8? Other NTLM-enabled browsers may still work, i.e. Firefox.

I just booted win7 and connected it to my proxy server using dansguardian and squid (with NTLM) and all is working perfectly.
Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3
Chris Nighswonger wrote:
> On Fri, Jan 9, 2009 at 9:42 AM, Chris Nighswonger cnighswon...@foundations.edu wrote:
> > On Thu, Jan 8, 2009 at 11:23 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> > > > Chris Robertson wrote:
> > > > > Try http://www.squid-cache.org/Doc/config/ignore_expect_100/
> > > >
> > > > This workaround did fix the problem for now.
> > >
> > > That said, the squid setting is only a bandaid over the top, and only works in that one proxy. All web clients attempting to send Expect: 100 are expected to behave sensibly when it fails and they get given the 417 response. It should simply re-try without the expectation.
> >
> > I sent an email off to USPS tech support with the grueling details, but I won't hold my breath. ;-)
> >
> > Thanks for the help.
>
> BTW, we started back up for the spring semester yesterday. I did my upgrade over the break. Now I am having multiple sites (many are SSL) inaccessible which were accessible under 2.6.STABLE12. Did I miss some major changes between 2.6 and 2.7? I'm considering rolling back to 2.6 to quell the rebellion... :-(

We can't really tell what or if you missed anything without config details :). What's the current config and the diff between the old and new squid.conf?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] Re: WCCP configuration
Ritter, Nicholas wrote:
> With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.
>
> Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed, which is at least an RC beta now, more stable than pure 3.HEAD alpha code.

Also the squid.conf and configure details have changed.
http://wiki.squid-cache.org/Features/Tproxy4

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] Transparent but not intercepting proxy
NTPT wrote:
> Hi all. Is it possible to run the SQUID proxy server in transparent mode without interception? I.e. SQUID passes the original address of the client (tproxy patch), but clients' connections are not intercepted automatically and the user has to set the proxy server manually in his browser?

No.

See the X-Forwarded-For: header if you have an application that needs to detect the client behind a proxy. Sometimes also Client-IP:

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] squid 3.0 stable 8 or 11 max_user_ip stored information
Luca Forti wrote:
> Hi to all, I'd like to know where the max_user_ip directive (with NTLM authentication in AD 2003) stores the information about the logged-in user, so I'll try to share it for a balanced environment. Thanks in advance.

It's a low-level reference counter lock on an internal object cache of AuthUser/auth_user_t.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] Windows 7 beta and NTLM
Jason Gauthier wrote:
> > > The packages we are running are squid-2.6.STABLE20-1.el5 and samba-common-3.0.28-1.el5_2.1.
> > >
> > > I am curious whether a package upgrade will fix the problem, if this Windows 7 thingy has introduced an incompatibility that we expect MS to fix with their next release, or if this is a valid request that uses a hitherto unused part of the protocol and therefore we should allow for it.
> >
> > Are you actually talking about Windows 7 or IE8? Other NTLM-enabled browsers may still work, i.e. Firefox.
>
> I just booted win7 and connected it to my proxy server using dansguardian and squid (with NTLM) and all is working perfectly.

IIRC Microsoft released a paper announcing they were obsoleting NTLM in favour of kerberos/negotiate starting from Vista. The underlying OS may not be capable of NTLM in places. Of course, the browser should still know it.

Whether that works depends on which NTLM helper is being used. The squid-bundled ntlm_auth helper appears useless after WinXP. The Samba one of the same name keeps working fine.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
[squid-users] Any one can help me to start Squid as service.
I have installed Squid 3.0 STABLE11 on RHEL-4 in the /usr/local/squid folder from source, enabling delay pools. It works fine. But my problem is that I have to start it manually by giving this command:

  #/usr/local/squid/sbin/squid start

So can anyone show me how squid can start automatically as a service?

--
Balram
Re: [squid-users] Possible regressions in dstdom_regex based matching
On Friday 09 January 2009 1:58:17 am Chris Robertson wrote:
> Sameer Naik wrote:
> > Hi,
> > I have created a filter file named block.lst with the following contents
> >
> >   /youtube.
> >   /orkut.
> >   /songs.pk
> >   /senduit.
> >
> > I have created an acl based on the domain regex for the above filter by specifying the following rule in the squid.conf
> >
> >   acl list_blocked dstdom_regex /squid/lists/block.lst
> >
> > To block all users from accessing the domains specified in the above list, I have specified the following rule in squid.conf
> >
> >   http_access denyall list_blocked
> >
> > As a result of the above changes, access to http://www.youtube.com, http://youtube.com, http://www.orkut.com and http://orkut.com is restricted.
>
> Are you sure these are being blocked by the list_blocked ACL? If you really start the lines with a forward slash, there is no way it's going to match www.youtube.com.
>
> As an aside, is there a reason you aren't using dstdomain acls? Preface the domain with a dot (e.g. .youtube.com) and it will match in a regex-like fashion.

Sorry, my bad, it's actually a back slash, not a forward slash. The reason I am using dstdom_regex is, say, if I enter \yahoo. this will block all yahoo domains like yahoo.com, yahoo.co.in, yahoo.kr and so on.

> > But however, http://www.songs.pk and http://songs.pk remain accessible, and at the same time http://www.senduit.com remains accessible while http://senduit.com becomes restricted. I see similar issues with a couple of domains. I really have no clue why this is happening. I am using squid3-STABLE11 and have seen these issues in earlier versions as well.
>
> In your squid.conf, set debug_options ALL,1 28,3, reconfigure squid and tail your cache.log. That might give you a better idea of what's going on.
>
> > Please let me know if there's something wrong with what I am doing.
> >
> > Regards
> > ~Sameer
>
> Chris