[squid-users] Transfer-Encoding: chunked
Hello,

I'm using a reverse squid for caching purposes. When requesting a page in my site via HTTP/1.1 I see:

    Transfer-Encoding: chunked

I understand that HTTP/1.1 has the ability to cut up a large server response and send it one chunk at a time. What would happen to my site if I remove chunked encoding? Will it slow it down? Let's say the pages are big and it would be more efficient to use chunks for the response, but what if I don't? Could it be that some clients will not support that?

Thanks a million,
Adam
[squid-users] TCP_SWAPFAIL_MISS
TCP_SWAPFAIL_MISS

Why do I get a lot of TCP_SWAPFAIL_MISS messages in my access.log?

--
-=-=-=-=
Personal Blog http://my.blog.or.id (still learning)
Hot News!!!: Want to have a PREMIUM SMS service? Contact me ASAP. Get MAXIMUM revenue share with no traffic requirement...
[squid-users] Multiple Domain on LDAP
Hi list,

Please assume that I have 4 domains in my company. I can do LDAP auth on squid successfully. Is it possible to do LDAP auth for all domains? Domain names and controllers are different: abc.com, gft.com, mnt.com etc.

Thanks.
Re: [squid-users] Multiple Domain on LDAP
Emre YILMAZ wrote:
> Hi list,
>
> Please assume that I have 4 domains in my company. I can do LDAP auth on squid successfully. Is it possible to do LDAP auth for all domains? Domain names and controllers are different: abc.com, gft.com, mnt.com etc.
>
> Thanks.

Hello,

It might be more useful to use RADIUS with several LDAP backends through the LDAP-PROXY feature that comes with RADIUS.
[squid-users] NTLM Authenticator with big requests number
> From: Serassio Guido guido.seras...@dont-contact.us
> Date: Fri, 24 Jun 2005 09:37:06 +0200
>
> Hi,
>
> This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: You are using use_ntlm_negotiate on, so every Challenge/Response request must be handled from Winbind. When using use_ntlm_negotiate on, max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used. This is the only stable configuration using NTLM, disabling use_ntlm_negotiate is a worse option.
>
> Regards
> Guido

Hello,

I want to know if this is true. I have Squid 3.0.STABLE10 on CentOS and I successfully implemented an NTLM transparent authenticator for my proxy users. The problem is that my NTLM auth helper has very intense activity compared with my external ACL helpers. Here are the details:

    NTLM Authenticator Statistics:
    program: /usr/bin/ntlm_auth
    number running: 10 of 10
    requests sent: 5539
    replies received: 5539
    queue length: 0
    avg service time: 0 msec

while:

    External ACL Statistics: ad_group
    Cache size: 155
    program: /usr/lib/squid/squid_ldap_group
    number running: 5 of 5
    requests sent: 230
    replies received: 230
    queue length: 0
    avg service time: 3 msec

and

    External ACL Statistics: host_ad_group
    Cache size: 112
    program: /usr/lib/squid/hostname.pl
    number running: 5 of 5
    requests sent: 162
    replies received: 162
    queue length: 0
    avg service time: 50 msec

So I think the external ACLs can successfully cache the requests while the NTLM auth can't. I specified in squid.conf

    authenticate_ttl 1 hour
    authenticate_ip_ttl 30 minutes

and at the external ACLs ttl=1800.

What is the problem? And how can I reduce the AD query number?

Thank you!
Razvan
RE: [squid-users] Squid failover between DIRECT connect and PARENT PROXY
Hi Chris,

Many thanks for your reply. I have tried to set nonhierarchical_direct to off, but this had no effect.

I have commented out hierarchy_stoplist cgi-bin ?, this has solved the Google form, but Google uses the GET method. My problem with POST method forms persists...

Best Regards,
Sébastien.

-----Original Message-----
From: crobert...@gci.net [mailto:crobert...@gci.net]
Sent: Thursday, 8 January 2009 21:45
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid failover between DIRECT connect and PARENT PROXY

Sébastien WENSKE wrote:
> Hi all,
>
> I've set a squid server to use direct connections by default and to use a parent proxy if direct is unavailable:
>
> -
> http_port 8080
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access deny all
> htcp_access deny all
> cache_peer 10.151.8.10 parent 3128 0 name=prod default
> prefer_direct on
> cache_peer_access prod allow all
> hierarchy_stoplist cgi-bin ?
> cache_mem 4000 MB
> maximum_object_size_in_memory 5000 KB
> cache_dir ufs /var/cache/squid 10 64 512
> maximum_object_size 40960 KB
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> pid_filename /var/log/squid/squid.pid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 0
> coredump_dir /var/cache
> --
>
> When I simulate an issue (DIRECT/ unavailable), this will work for GET, but POST always tries DIRECT/
>
> ---
> 1231334419.908    292 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
> 1231334427.526      0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
> 1231334562.494      0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
> 1231335100.244    311 127.0.0.1 TCP_MISS/200 7401 GET http://www.google.fr/ - DEFAULT_PARENT/10.151.8.10 text/html
> 1231335100.599    318 127.0.0.1 TCP_MISS/204 492 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/10.151.8.10 text/html
> 1231335158.319    311 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
> 1231335159.585      0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
> ---
>
> Any ideas ???

Change nonhierarchical_direct from the default of on to off.

http://www.squid-cache.org/Doc/config/nonhierarchical_direct/

> Best Regards,
> Sébastien WENSKE

Chris
Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3
On Sat, Jan 10, 2009 at 11:01 AM, Chris Nighswonger cnighswon...@foundations.edu wrote:
> Attached is the current config. The config on the upgrade was a simple cp of the previous config file. The only thing different now is the addition of ignore_expect_100 on at the end per the suggestion earlier in this thread. (Which did allow the webapp to work correctly.)

--snip--

Thanks for the help on this one. If anyone sees any other optimizations I should have in my squid.conf, feel free to point them out.

I suppose I just stared too long at things this past Friday. The ssl problem is not with squid, but with my virus scanning config. A direct connection to squid by the client works fine. This is normally the first thing I do... when I'm not burned out that is. ;-)

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
[squid-users] Supress squid errors message
Hi friends,

I've installed squid 3.01 on my server. I would like to suppress, or not show to my users, any message. I tried deleting all the messages in error_directory, but then squid does not run. Can someone help me to do that?

Thanks in advance,
hermidio
[squid-users] dstdom_regex question
I'm using authentication and trying to allow unauthenticated access to http://java.sun.com/update/1.6.0/map-1.6.0.xml and all associated urls so Java will update transparently rather than prompting the user for credentials. I have been trying to do this using dstdom_regex and cannot seem to get things to work the way I imagine they should. I have tried two ways.

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate dstdom_regex -i sun.*update
    http_access allow JavaUpdate
    http_access allow AuthorizedUsers

and

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate1 dstdom_regex -i sun
    acl JavaUpdate2 dstdom_regex -i update
    http_access allow JavaUpdate1 JavaUpdate2
    http_access allow AuthorizedUsers

Neither acl catches http://java.sun.com/update/1.6.0/map-1.6.0.xml and it falls through to AuthorizedUsers per cache.log:

    2009/01/12 09:39:15| The request GET http://java.sun.com/update/1.6.0/map-1.6.0.xml is DENIED, because it matched 'AuthorizedUsers'

However, this does work:

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate dstdom_regex -i sun
    http_access allow JavaUpdate
    http_access allow AuthorizedUsers

cache.log now says:

    2009/01/12 09:37:44| The request GET http://java.sun.com/update/1.6.0/map-1.6.0.xml is ALLOWED, because it matched 'JavaUpdate'

But it allows access to any url containing 'sun' which is not what I want.

Am I going about this wrong or just missing something about dstdom_regex?

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
Re: [squid-users] Transfer-Encoding: chunked
Adam Squids wrote:
> Hello,
>
> I'm using a reverse squid for caching purposes. When requesting a page in my site via HTTP/1.1 I see:
>
>     Transfer-Encoding: chunked
>
> I understand that HTTP/1.1 has the ability to cut up a large server response and send it one chunk at a time. What would happen to my site if I remove chunked encoding? Will it slow it down? Let's say the pages are big and it would be more efficient to use chunks for the response, but what if I don't? Could it be that some clients will not support that?

Some will, some won't. As long as our site is doing it properly and only sending chunks to clients who say they know HTTP/1.1 it's a good thing.

Amos

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
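The framing choice described in the reply above, as an added Python example that is not from the thread or from Squid: an HTTP/1.1 request gets a chunked body, anything else gets a Content-Length body. The function names and the sample body are assumptions made for the illustration.

```python
def chunk_body(body: bytes, size: int = 16) -> bytes:
    """Encode body as HTTP/1.1 chunks: hex length, CRLF, data, CRLF."""
    out = bytearray()
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"  # zero-length chunk marks the end of the body
    return bytes(out)


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body the way an HTTP/1.1 client has to."""
    body, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        # A chunk-size line may carry extensions after ';', which are ignored.
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(body)
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += size + 2


def frame_response(request_line: str, body: bytes) -> bytes:
    """Send chunks only to a client that announced HTTP/1.1."""
    version = request_line.rsplit(" ", 1)[-1]
    if version == "HTTP/1.1":
        head = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
        return head + chunk_body(body)
    # An HTTP/1.0 client cannot parse chunk framing: give it a length instead.
    head = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    return head + body


if __name__ == "__main__":
    page = b"x" * 40  # constructed sample body
    for line in ("GET / HTTP/1.1", "GET / HTTP/1.0"):
        print(line, "->", frame_response(line, page))
```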
Re: [squid-users] NTLM Authenticator with big requests number
Razvan Grigore wrote:
> > From: Serassio Guido guido.seras...@dont-contact.us
> > Date: Fri, 24 Jun 2005 09:37:06 +0200
> >
> > Hi,
> >
> > This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: You are using use_ntlm_negotiate on, so every Challenge/Response request must be handled from Winbind. When using use_ntlm_negotiate on, max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used. This is the only stable configuration using NTLM, disabling use_ntlm_negotiate is a worse option.
> >
> > Regards
> > Guido
>
> Hello,
>
> I want to know if this is true.

Very high likelihood of being true. Guido is the author of the NTLM negotiate code.

> I have Squid 3.0.STABLE10 on CentOS and I successfully implemented an NTLM transparent authenticator for my proxy users. The problem is that my NTLM auth helper has very intense activity compared with my external ACL helpers. Here are the details:
>
>     NTLM Authenticator Statistics:
>     program: /usr/bin/ntlm_auth
>     number running: 10 of 10
>     requests sent: 5539
>     replies received: 5539
>     queue length: 0
>     avg service time: 0 msec
>
> while:
>
>     External ACL Statistics: ad_group
>     Cache size: 155
>     program: /usr/lib/squid/squid_ldap_group
>     number running: 5 of 5
>     requests sent: 230
>     replies received: 230
>     queue length: 0
>     avg service time: 3 msec
>
> and
>
>     External ACL Statistics: host_ad_group
>     Cache size: 112
>     program: /usr/lib/squid/hostname.pl
>     number running: 5 of 5
>     requests sent: 162
>     replies received: 162
>     queue length: 0
>     avg service time: 50 msec
>
> So I think the external ACLs can successfully cache the requests while the NTLM auth can't. I specified in squid.conf
>
>     authenticate_ttl 1 hour
>     authenticate_ip_ttl 30 minutes
>
> and at the external ACLs ttl=1800.
>
> What is the problem? And how can I reduce the AD query number?
>
> Thank you!
> Razvan

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
RE: [squid-users] dstdom_regex question
Chris,

dstdom is checking against the destination host name (java.sun.com). You need to check against the URL using url_regex.

Tim

-----Original Message-----
From: Chris Nighswonger [mailto:cnighswon...@foundations.edu]
Sent: 12 January 2009 15:51
To: Squid Users
Subject: [squid-users] dstdom_regex question

I'm using authentication and trying to allow unauthenticated access to http://java.sun.com/update/1.6.0/map-1.6.0.xml and all associated urls so Java will update transparently rather than prompting the user for credentials. I have been trying to do this using dstdom_regex and cannot seem to get things to work the way I imagine they should. I have tried two ways.

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate dstdom_regex -i sun.*update
    http_access allow JavaUpdate
    http_access allow AuthorizedUsers

and

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate1 dstdom_regex -i sun
    acl JavaUpdate2 dstdom_regex -i update
    http_access allow JavaUpdate1 JavaUpdate2
    http_access allow AuthorizedUsers

Neither acl catches http://java.sun.com/update/1.6.0/map-1.6.0.xml and it falls through to AuthorizedUsers per cache.log:

    2009/01/12 09:39:15| The request GET http://java.sun.com/update/1.6.0/map-1.6.0.xml is DENIED, because it matched 'AuthorizedUsers'

However, this does work:

    acl AuthorizedUsers proxy_auth REQUIRED
    acl JavaUpdate dstdom_regex -i sun
    http_access allow JavaUpdate
    http_access allow AuthorizedUsers

cache.log now says:

    2009/01/12 09:37:44| The request GET http://java.sun.com/update/1.6.0/map-1.6.0.xml is ALLOWED, because it matched 'JavaUpdate'

But it allows access to any url containing 'sun' which is not what I want.

Am I going about this wrong or just missing something about dstdom_regex?

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
Re: [squid-users] dstdom_regex question
Chris Nighswonger wrote:
> I'm using authentication and trying to allow unauthenticated access to http://java.sun.com/update/1.6.0/map-1.6.0.xml and all associated urls so Java will update transparently rather than prompting the user for credentials. I have been trying to do this using dstdom_regex and cannot seem to get things to work the way I imagine they should. I have tried two ways.
>
>     acl AuthorizedUsers proxy_auth REQUIRED
>     acl JavaUpdate dstdom_regex -i sun.*update
>     http_access allow JavaUpdate
>     http_access allow AuthorizedUsers
>
> and
>
>     acl AuthorizedUsers proxy_auth REQUIRED
>     acl JavaUpdate1 dstdom_regex -i sun
>     acl JavaUpdate2 dstdom_regex -i update
>     http_access allow JavaUpdate1 JavaUpdate2
>     http_access allow AuthorizedUsers
>
> snip
>
> Am I going about this wrong or just missing something about dstdom_regex?

... by attempting to match a part of the path 'update' against a domain name...

Try this:

    acl Sun dstdomain java.sun.com
    acl SunUpdate urlpath_regex -i ^/update
    http_access deny Sun SunUpdate

Amos

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] dstdom_regex question
On Mon, Jan 12, 2009 at 11:00 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> Chris Nighswonger wrote:
> > I'm using authentication and trying to allow unauthenticated access to http://java.sun.com/update/1.6.0/map-1.6.0.xml and all associated urls so Java will update transparently rather than prompting the user for credentials. I have been trying to do this using dstdom_regex and cannot seem to get things to work the way I imagine they should. I have tried two ways.
> >
> >     acl AuthorizedUsers proxy_auth REQUIRED
> >     acl JavaUpdate dstdom_regex -i sun.*update
> >     http_access allow JavaUpdate
> >     http_access allow AuthorizedUsers
> >
> > and
> >
> >     acl AuthorizedUsers proxy_auth REQUIRED
> >     acl JavaUpdate1 dstdom_regex -i sun
> >     acl JavaUpdate2 dstdom_regex -i update
> >     http_access allow JavaUpdate1 JavaUpdate2
> >     http_access allow AuthorizedUsers
> >
> > snip
> >
> > Am I going about this wrong or just missing something about dstdom_regex?
>
> ... by attempting to match a part of the path 'update' against a domain name...
>
> Try this:
>
>     acl Sun dstdomain java.sun.com

I ended up making this line

    acl Sun dstdomain .sun.com

because the server name changes from time to time it appears. Otherwise it works great.

Thanks Amos and Tim.

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
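The matching behaviour worked out in this thread, as an added Python model that is not code from any poster or from Squid: dstdom_regex and dstdomain see only the host, urlpath_regex sees only the path, and ACLs on one http_access line are ANDed. It assumes the combined host-and-path rule sits in an `http_access allow` line ahead of the proxy_auth rule; the policy names and the three URLs marked constructed are made up for the illustration.

```python
import re
from urllib.parse import urlsplit


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def dstdom_regex(pattern):
    # dstdom_regex is tested against the destination host name only.
    rx = re.compile(pattern, re.I)  # -i
    return lambda url: rx.search(host_of(url)) is not None


def urlpath_regex(pattern):
    # urlpath_regex is tested against the URL path, never the host.
    rx = re.compile(pattern, re.I)  # -i
    return lambda url: rx.search(urlsplit(url).path) is not None


def dstdomain(spec):
    # A leading dot matches the domain itself and every subdomain.
    spec = spec.lower()
    if spec.startswith("."):
        return lambda url: host_of(url) == spec[1:] or host_of(url).endswith(spec)
    return lambda url: host_of(url) == spec


def decide(allow_lines, url):
    """Name of the first allow line matching an unauthenticated request.
    Falling through means the request reaches 'AuthorizedUsers'
    (proxy_auth REQUIRED) and the client is asked for credentials."""
    for name, acls in allow_lines:
        if all(acl(url) for acl in acls):  # ACLs on one line are ANDed
            return name
    return "AuthorizedUsers"


POLICIES = {
    "attempt1": [("JavaUpdate", [dstdom_regex("sun.*update")])],
    "attempt2": [("JavaUpdate1+2", [dstdom_regex("sun"), dstdom_regex("update")])],
    "too_broad": [("JavaUpdate", [dstdom_regex("sun")])],
    "host_and_path": [("Sun+SunUpdate",
                       [dstdomain(".sun.com"), urlpath_regex("^/update")])],
}

URLS = [
    "http://java.sun.com/update/1.6.0/map-1.6.0.xml",  # from the thread
    "http://java.sun.com/docs/index.html",             # constructed
    "http://sunglasses.example.com/",                  # constructed
    "http://www.example.com/update/sun.xml",           # constructed
]


def matrix():
    return {p: [decide(lines, u) for u in URLS] for p, lines in POLICIES.items()}


if __name__ == "__main__":
    for policy, results in matrix().items():
        for url, result in zip(URLS, results):
            print(f"{policy:14} {url:48} -> {result}")
```

With `.sun.com` in place of `java.sun.com`, every host under sun.com is exempt from authentication for paths starting with /update, so the exemption is only as narrow as that domain and path prefix.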
Re: [squid-users] Supress squid errors message
Hermidio A. Rodriguez Chavez wrote:
> Hi friends,
>
> I've installed squid 3.01 on my server. I would like to suppress, or not show to my users, any message. I tried deleting all the messages in error_directory, but then squid does not run. Can someone help me to do that?

Did your typo hide a 3.0 or a 3.1?

If I understand you correctly, I think you mean the TCP_RESET part of deny_info.

http://www.squid-cache.org/Doc/config/deny_info/

Amos

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
[squid-users] Re: R: [squid-users] max_user_ip directive on balanced proxy with ntlm authentication in AD2003
Of course, I've pasted it here: http://pastebin.com/f77eec269

Regards,
LD

On Monday 12 January 2009 02:54:28 Luca Forti wrote:
> Hi, thanks for your answer but I have not found it ☹
> Can you send me by email the solution?
>
> Thanks!
> Luca
>
> From: Luis Daniel Lucio Quiroz [mailto:luis.daniel.lu...@gmail.com]
> Sent: Thursday, 8 January 2009 17:06
> To: squid-users@squid-cache.org
> Cc: Luca Forti
> Subject: Re: [squid-users] max_user_ip directive on balanced proxy with ntlm authentication in AD2003
>
> This subject has already been discussed on the list. I did publish a helper that resolves this. Look for it in the archive.
>
> LD
>
> On Thursday 08 January 2009 08:15:26 lukefo wrote:
> > Hi to all,
> >
> > I'd like to know if there is any solution to implement a max_user_ip directive for avoiding user account sharing within a squid farm balanced by a hardware appliance. The squid servers are configured with ntlm authentication in Active Directory 2003. I have already implemented the max_user_ip directive in every squid server and it works fine when using a single ip server address, but the problem here is making it function on balanced ip addresses (the virtual ones).
> >
> > Thanks in advance.
[squid-users] NTLM Authenticator Reserved status problem
Hello all,

After I started my NTLM squid3.0STABLE10 configuration in production, I noticed in cache manager that after about 30 min, some of the ntlm_auth helpers go into R state, one by one at 10 min intervals, and they never come back. This is explained by R = RESERVED or DEFERRED in the help note.

If I reload the configuration, new helpers are opened, and the reserved ones change status to RS, but they are never stopped until I completely restart squid, or manually kill the PIDs.

What is the problem? There are no other problems with the working configuration.

Razvan