Re: [squid-users] transparent proxy environment (squid3 + tproxy)
Matus UHLAR - fantomas wrote: On 06.02.09 13:29, Mikio Kishi wrote: I'd like to build the transparent proxy environment using squid3 + tproxy (http://www.balabit.com/support/community/products/tproxy/). I researched it on the Internet, but I didn't know which combination of each (squid, tproxy, and also linux kernel) version is the best right now. latest, latest, latest? You can choose between squid 2.7 and 3.1 since they have different functionality. On 07.02.09 01:45, Amos Jeffries wrote: hmm, functionality is the same I thought.. setup and requirements are very different. Oops, I meant features. e.g. ICAP in 3.x, working COSS in 2.7 (afaik). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. (R)etry, (A)bort, (C)ancer
[squid-users] Time acl issue
Greetings! I'm trying to use a time acl to liberate some site access for just a period of time, but the access stays available for a user after the time window expiration until the session is totally closed (i.e. close the browser [not only a Firefox tab]). Is there any feature which takes care of this? Thanks in advance.
Re: [squid-users] check squid alive via remote http request
Henrik Nordstrom wrote: Sat 2009-02-07 at 02:03 +1300, Amos Jeffries wrote: Evgeniy Zaitsev wrote: Hello. We are using a large squid cluster (~30 dedicated machines with squid) for proxy-caching static content. All separate squids are configured as siblings (of each other, i.e. one level hierarchy). All requests to squid-machines go through one balancer. The balancer checks each squid (alive/not alive) via tcp-check (if port 3128/tcp accepts connections, then squid is alive). But we want to use http checks for squid alive checking. Is it possible? Depends on your balancer. Squid does it automatically when the no-query option is missing from cache_peer lines. I think you meant only-if-cached... Querying the cache manager interface should work. cache_object://$SQUIDHOST/menu So does querying of any of the squid-internal-... objects which may be simpler, depending on the capabilities of the load balancer in question. http://$SQUIDHOST/squid-internal-static/icons/anthony-unknown.gif or similar. Regards Henrik Thanks Henrik and Amos! http checks via GET http://squid_host:3128/squid-internal-static/icons/anthony-portal.gif is more convenient than cache_object://$SQUIDHOST/menu . But both ways suit me. -- Cheers, Evgeniy Zaitsev, networking/servers section mailto:eig...@ixbt.com iXBT.com/Digit-Life.com jabber:eig...@jabber.ru
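The HTTP check discussed in this thread, run beside the existing TCP check, as an added example that is not part of the thread or of Squid. `tcp_check`, `http_check`, `FakeSquid` and the hung listener are assumptions constructed so the comparison runs offline on loopback; against a real proxy, pass its host and port 3128 to `http_check`.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Internal object named in the thread; a real Squid serves it from its icon directory.
ICON_PATH = "/squid-internal-static/icons/anthony-unknown.gif"


def tcp_check(host, port, timeout=1.0):
    """The balancer's current test: alive if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path=ICON_PATH, timeout=1.0):
    """Alive only if the proxy answers a GET for the internal object with 200."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Absolute-form request target, as a client talking to a proxy sends it.
        conn.request("GET", f"http://{host}:{port}{path}")
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200
    except (OSError, http.client.HTTPException):
        # Refused, reset, timed out, or a reply that is not valid HTTP.
        return False
    finally:
        conn.close()


class FakeSquid(BaseHTTPRequestHandler):
    """Constructed stand-in for a healthy proxy: 200 for the icon, 404 otherwise."""

    def do_GET(self):
        found = self.path.endswith(ICON_PATH)
        body = b"GIF89a" if found else b""
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run both checks against a healthy, a hung and a stopped listener."""
    healthy = HTTPServer(("127.0.0.1", 0), FakeSquid)
    threading.Thread(target=healthy.serve_forever, daemon=True).start()

    # Hung process: the kernel completes the handshake, nothing ever replies.
    hung = socket.socket()
    hung.bind(("127.0.0.1", 0))
    hung.listen(5)

    # Stopped process: reserve a port, then close it so connects are refused.
    gone = socket.socket()
    gone.bind(("127.0.0.1", 0))
    gone_port = gone.getsockname()[1]
    gone.close()

    targets = {
        "healthy": healthy.server_address[1],
        "hung": hung.getsockname()[1],
        "stopped": gone_port,
    }
    try:
        return {
            name: (tcp_check("127.0.0.1", port), http_check("127.0.0.1", port))
            for name, port in targets.items()
        }
    finally:
        healthy.shutdown()
        healthy.server_close()
        hung.close()


if __name__ == "__main__":
    for name, (tcp_ok, http_ok) in demo().items():
        print(f"{name:8} tcp={tcp_ok} http={http_ok}")
```

The hung listener is the case the TCP check misses: the port still accepts connections, so only the HTTP probe marks that node as not alive.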
Re: [squid-users] Squid-2.7-STABLE6 dns.median_svc_time is always 0
Hi, I am new to the squid-users list and I apologize if I am not posting correctly but I have been using squid for many years and this is my first post. I have read through the FAQs/Wiki and bugzilla database to see if this is a known issue or a configuration issue on my part but I am not finding anything relevant to Median Service Time for DNS Lookups always being Zero. So I switched back to the 2.6-STABLE22 build line and it works as I expected. Median Service Times (seconds) 5 min 60 min: HTTP Requests (All): 0.03241 0.03427 Cache Misses: 0.12106 0.12106 Cache Hits: 0.00091 0.00091 Near Hits: 0.07409 0.07825 Not-Modified Replies: 0.00091 0.00091 DNS Lookups: 0.00094 0.00094 ICP Queries: 0.0 0.0 I would migrate from 2.6 to 3.0 build line but follow_x_forwarded is required for our installations. I would appreciate any pointers or advice on what the issue is or if I am posting this issue to the wrong list. Thank you in advance, Q - Original Message From: Quin Guin quing...@yahoo.com To: squid-users@squid-cache.org Sent: Sunday, February 8, 2009 7:54:05 PM Subject: [squid-users] Squid-2.7-STABLE6 dns.median_svc_time is always 0 Hello, I am currently in the process of moving from 2.6 to 2.7 and I am seeing an issue on 2 of the servers that I just installed 2.7-STABLE6 on. The dns.median_svc_time = 0.00 seconds is always 0 no matter and squid is processing requests just fine. I am running Linux 2.6.9 kernel and did not have this issue on 2.6-STABLE22 and I am using squid's internal DNS without any issues. I just want to make sure that I don't have any issue before rolling out 2.7 to the rest of my squid servers. Here is an example from one of the 2.7-STABLE6 servers: Median Service Times (seconds) 5 min 60 min: HTTP Requests (All): 0.03066 0.03241 Cache Misses: 0.10857 0.10857 Cache Hits: 0.0 0.0 Near Hits: 0.06286 0.06286 Not-Modified Replies: 0.0 0.0 DNS Lookups: 0.0 0.0 ICP Queries: 0.0 0.0 Regards, Q
[squid-users] Multi-process or Single Thread?
Hello, I have an SMP quad core server (effective core = 8). Currently my squid is just serving 7 sites using a single squid process (behind a load balancer, as a reverse proxy). The disk is a RAID 5 system. So is it recommended to just use a single thread like the current setup, or to fork squid processes listening on different ports (e.g. one port for one web site, so I might end up with 7 squid processes running on the same server, bound to the load balancer)? Any comments? Thanks.
RE: [squid-users] Build patch fails to apply on Squid 2.7 stable6
Hi Henrik, Can you please (or anyone else who can do this) regenerate the squid 2.7 build patch to reflect the changes that Amos mentioned in the autoconf toolchain. Thank you for your time. Ragheb Rustom -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Sunday, February 08, 2009 11:11 PM To: Ragheb Rustom Cc: squid-users@squid-cache.org Subject: Re: [squid-users] Build patch fails to apply on Squid 2.7 stable6 Hi, I have been trying to compile squid 2.7-stable6 on Fedora Core 9 x86-64 system. I have already done all the changes I need in the spec file in order to create my system rpms but I noticed that when the rpmbuild try to build the rpm it fails when it tries to apply the squid2.6Stable2 build patch with the following errors. I have even tried to do the compile process manually but also the same error appears when I manually try to apply the same patch. All other patches have been installed successfully only the build patch fails to apply. Below are the error messages I get from the build patching process + echo 'Patch #201 (squid-2.5.STABLE11-config.patch):' Patch #201 (squid-2.5.STABLE11-config.patch): + patch -p1 -b --suffix .config -s + echo 'Patch #202 (squid-2.5.STABLE4-location.patch):' Patch #202 (squid-2.5.STABLE4-location.patch): + patch -p1 -b --suffix .location -s + echo 'Patch #203 (squid-2.6.STABLE2-build.patch):' Patch #203 (squid-2.6.STABLE2-build.patch): + patch -p1 -b --suffix .build -s 1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej error: Bad exit status from /var/tmp/rpm-tmp.93888 (%prep) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.93888 (%prep) D: May free Score board((nil)) Now these are the errors I get from the manual application of the build patch patching file errors/Makefile.in Hunk #1 succeeded at 235 with fuzz 1 (offset 14 lines). Hunk #2 succeeded at 417 (offset 4 lines). Hunk #3 succeeded at 450 (offset 14 lines). 
patching file icons/Makefile.in Hunk #1 succeeded at 272 (offset 14 lines). patching file src/Makefile.in Hunk #1 FAILED at 586. Hunk #2 succeeded at 926 (offset 84 lines). 1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej Here are the contents of the src/Makefile.in.rej *** *** 586,603 DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$$/$(EXEEXT)/'` - DEFAULT_LOG_PREFIX = $(localstatedir)/logs DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log - DEFAULT_PID_FILE = $(DEFAULT_LOG_PREFIX)/squid.pid - DEFAULT_SWAP_DIR = $(localstatedir)/cache DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed '$(transform);s/$$/$(EXEEXT)/'` - DEFAULT_ICON_DIR = $(datadir)/icons - DEFAULT_ERROR_DIR = $(datadir)/errors/@ERR_DEFAULT_LANGUAGE@ - DEFAULT_MIB_PATH = $(datadir)/mib.txt DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@ # Don't automatically uninstall config files --- 586,603 DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed '$(transform);s/$$/$(EXEEXT)/'` + DEFAULT_LOG_PREFIX = $(localstatedir)/log/squid DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log + DEFAULT_PID_FILE = $(localstatedir)/run/squid.pid + DEFAULT_SWAP_DIR = $(localstatedir)/spool/squid DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed '$(transform);s/$$/$(EXEEXT)/'` DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed 
'$(transform);s/$$/$(EXEEXT)/'` + DEFAULT_ICON_DIR = $(pkgdatadir)/icons + DEFAULT_ERROR_DIR = $(pkgdatadir)/errors/@ERR_DEFAULT_LANGUAGE@ + DEFAULT_MIB_PATH = $(sysconfdir)/mib.txt DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@ # Don't automatically uninstall config files From what I could see is that the above changes are not being done to the src/Makefile.in but I cannot understand why this is happening. I would really appreciate your help guys on this. We have recently upgraded the autoconf toolchain used to generate Makefile.in and configure scripts. The Makefile.in files are quite different. If you are the maintainer you will need to regenerate the patches. If you are just trying to build the prepared package, then please contact the maintainer to get the package updated. Amos
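Review bot: The rejected hunk at line 586 of src/Makefile.in patches an autotools-generated file, so its context (the DEFAULT_LOG_PREFIX through DEFAULT_MIB_PATH block) has to match the generated output exactly and stops applying whenever the toolchain that produces Makefile.in changes, as the fuzz and offsets reported for errors/Makefile.in and icons/Makefile.in also suggest. Carrying the path changes (log prefix, PID file, swap dir, icon, error and MIB paths) against the Makefile.am inputs, or regenerating the patch against the 2.7.STABLE6 tree, would keep the package build from depending on line positions in generated files.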
Re: [squid-users] Squid-2.7-STABLE6 dns.median_svc_time is always 0
Hi, I new to the squd-users list and I apologize if I am not posting correctly but I have been using squid for many years and this is my first post. I have read through the FAQs/Wiki and bugzilla database so see if this is a known issue or a configuration issue on my part but I am not finding anything relevant to Median Service Time for DNS Lookups always being Zero. So I switched back to the 2.6-STABLE22 build line and it works as I expected. Do you mean you went back and re-installed 2.6? or you changed from using some non-working build options, to using the old working configure options but still with 2.7? Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.03241 0.03427 Cache Misses: 0.12106 0.12106 Cache Hits:0.00091 0.00091 Near Hits: 0.07409 0.07825 Not-Modified Replies: 0.00091 0.00091 DNS Lookups: 0.00094 0.00094 ICP Queries: 0.0 0.0 I would migrate from 2.6 to 3.0 build line but follow_x_forwarded is required for our installatons. I would appreciate any pointers or advice on what the issue is or if I am posting this issue to the wrong list. You may also want to give 3.1 a test instead of 3.0 and see if it meets your needs. The XFF stuff has been ported there. Amos Thank you in advance, Q - Original Message From: Quin Guin quing...@yahoo.com To: squid-users@squid-cache.org Sent: Sunday, February 8, 2009 7:54:05 PM Subject: [squid-users] Squid-2.7-STABLE6 dns.median_svc_time is always 0 Hello, I am currently in the process of moving from 2.6 to 2.7 and I am seeing an issue on 2 of the servers that I just installed 2.7-STABLE6 on. The dns.median_svc_time = 0.00 seconds is always 0 now matter and squid is processing request just fine. I an running Linux 2.6.9 kernel and did not have this issue on 2.6-STABLE22 and I am using squids internal DNS with out any issues. I just want to make sure that I don't have any issue before rolling out 2.7 to the rest of my squid servers. 
Here is an example from one of the 2.7-STABLE6 servers: Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 0.03066 0.03241 Cache Misses: 0.10857 0.10857 Cache Hits:0.0 0.0 Near Hits: 0.06286 0.06286 Not-Modified Replies: 0.0 0.0 DNS Lookups: 0.0 0.0 ICP Queries: 0.0 0.0 Regards, Q
Re: [squid-users] Multi-process or Single Thread?
Hello, I have an SMP quad core server (effective core = 8). Currently my squid is just serving 7 sites using a single squid process (behind a load balancer, as a reverse proxy). The disk is a RAID 5 system. So is it recommended to just use a single thread like the current setup, or to fork squid processes listening on different ports (e.g. one port for one web site, so I might end up with 7 squid processes running on the same server, bound to the load balancer)? Any comments? A single squid process works most effectively in one dedicated thread. Using a separate one for helpers and OS etc. With the other cores you can do what you like, including setting up additional Squid as load failovers. Squid does not really matter the number of websites it's processing simultaneously. Whatever you set up, I would really recommend not sharing a single disk between multiple Squid, even on a fast machine. The one-cache_dir-per-disk rule of thumb still applies. RAID-5 may be an issue, or it may not. Be aware of this: http://wiki.squid-cache.org/SquidFaq/RAID Amos
[squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
Dear All, I want to configure squid as a transparent proxy using squid-3.0.STABLE13 version. I have compiled squid with the following parameters written below. ./configure --enable-delay-pools --enable-snmp --enable-arp-acl --enable-default-err-language=English --enable-default-err-language=English --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=51200 When I open /usr/local/squid/etc/squid.conf I didn't find these options there to enable transparent proxy. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header If I have made any mistake during the compiling section please advise me how to recompile / update it from source. I will be very thankful to you. Regards Asghar
Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
2009/2/10 M. Asghar Nazir asghar_na...@yahoo.com: Dear All, I want to configure squid as a transparent proxy using squid-3.0.STABLE13 version. I have compiled squid with the following parameters written below. ./configure --enable-delay-pools --enable-snmp --enable-arp-acl --enable-default-err-language=English --enable-default-err-language=English --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=51200 When I open /usr/local/squid/etc/squid.conf I didn't find these options there to enable transparent proxy. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header These are the very old directives in Squid-2.5 version. You could check the new configure directives in squid.conf.default or configure samples on: http://wiki.squid-cache.org/ConfigExamples/ -- Jeff Peng Office: +86-20-38350822 AIM: jeffpang www.dtonenetworks.com
[squid-users] Re: Failover to second LDAP server with squid_ldap_auth
Hi there Can anyone help me with this one? I'm stuck and this becomes rather urgent for us. Any help would be highly appreciated. Best Regards, Christoph G. Christoph G. wrote: Dear Squid-Users I tried to figure out how to set up my squid auth helpers to use a second LDAP server if the first one is unreachable. From several postings on this mailing list I thought that squid_ldap_auth and squid_ldap_group which come with the squid source are able to support this option: e.g. http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html And reading the man page also lets me believe that I can just pass two IP addresses to make it work: http://linux.die.net/man/8/squid_ldap_auth ---snip--- -h ldapserver Specify the LDAP server to connect to. Servers (!) can also be specified last on the command line. ---snap--- So I tried this on the command line: # squid_ldap_auth -b dc=some,dc=com -f sAC=%s -D cn=ad,ou=Users,dc=some,dc=com -w *** -c 2 -t 2 -p 3268 -h 10.0.0.1 10.0.0.2 This works fine if the first IP (10.0.0.1) is answering properly to my LDAP requests but it doesn't if only the second host (10.0.0.2) is reachable and answering LDAP requests. Instead I get the following error message: someone *** squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' ERR Success I'm using Squid Cache: Version 2.7.STABLE4. What am I doing wrong? Best Regards, Christoph G.
Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
Dear Jeff! Thanks for your quick reply. Actually I have only work on squid 2.5 version and after a very long time now I need to rebuilt proxy in my new company using new version squid 3.0. could you please help me with a live Config Examples of squid 3.0 transparent proxy version. Rgd, --- On Tue, 2/10/09, Jeff Peng j...@dtonenetworks.com wrote: From: Jeff Peng j...@dtonenetworks.com Subject: Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13) To: asghar_na...@yahoo.com Cc: squid-users@squid-cache.org Date: Tuesday, February 10, 2009, 9:01 AM 2009/2/10 M. Asghar Nazir asghar_na...@yahoo.com: Dear All, I am want to configure squid as a transparent proxy using squid-3.0.STABLE13 version. I have compile squid with following parameters written below. /configure --enable-delay-pools --enable-snmp --enable-arp-acl --enable-default-err-language=English --enable-default-err-language=English --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=51200 when I open /usr/local/squid/etc/squid.conf I didn't find these options their to enable transperent proxy. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header This is the very old directives in Squid-2.5 version. You could check the new configure directives in squid.conf.default or configure samples on: http://wiki.squid-cache.org/ConfigExamples/ -- Jeff Peng Office: +86-20-38350822 AIM: jeffpang www.dtonenetworks.com
Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
2009/2/10 M. Asghar Nazir asghar_na...@yahoo.com: Dear Jeff! Thanks for your quick reply. Actually I have only worked on squid 2.5 version and after a very long time now I need to rebuild the proxy in my new company using the new version squid 3.0. Could you please help me with a live Config Example of squid 3.0 transparent proxy version. There is already a tproxy sample on squid-wiki: http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY -- Jeff Peng Office: +86-20-38350822 AIM: jeffpang www.dtonenetworks.com
Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
M. Asghar Nazir wrote: Dear Jeff! Thanks for your quick reply. Actually I have only work on squid 2.5 version and after a very long time now I need to rebuilt proxy in my new company using new version squid 3.0. could you please help me with a live Config Examples of squid 3.0 transparent proxy version. Rgd, Three things: 1) please don't hijack discussions. They can lead to confusion such as Jeff's assumption that you were still talking about tproxy. 2) Are you trying to setup a website accelerator proxy (reverse proxy) or a traffic intercepting proxy? Both of your emails to date contradict each other. The httpd_accel_* are old 2.5 config for accelerators. Replaced with any of the setups listed under Reverse Proxy at: http://wiki.squid-cache.org/ConigExamples Transparent proxy is a single broad term used for several other very different types of setup. Please clarify what you need. 3) The ConfigExamples wiki pages details how to setup their config. In most cases they are live configs used by people somewhere on the web. Amos --- On Tue, 2/10/09, Jeff Peng j...@dtonenetworks.com wrote: From: Jeff Peng j...@dtonenetworks.com Subject: Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13) To: asghar_na...@yahoo.com Cc: squid-users@squid-cache.org Date: Tuesday, February 10, 2009, 9:01 AM 2009/2/10 M. Asghar Nazir asghar_na...@yahoo.com: Dear All, I am want to configure squid as a transparent proxy using squid-3.0.STABLE13 version. I have compile squid with following parameters written below. /configure --enable-delay-pools --enable-snmp --enable-arp-acl --enable-default-err-language=English --enable-default-err-language=English --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=51200 when I open /usr/local/squid/etc/squid.conf I didn't find these options their to enable transperent proxy. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header This is the very old directives in Squid-2.5 version. 
You could check the new configure directives in squid.conf.default or configure samples on: http://wiki.squid-cache.org/ConfigExamples/ -- Jeff Peng Office: +86-20-38350822 AIM: jeffpang www.dtonenetworks.com -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5
Re: [squid-users] Re: Failover to second LDAP server with squid_ldap_auth
Christoph G. wrote: Hi there Can anyone help me with this one? I'm stuck and this becomes rather urgent for us. Any help would be highly appreciated. Have you tried it with a single hostname that resolves to two IPs? AFAIK, none of the bundled helpers are designed to do failover to secondary servers like this. Amos Best Regards, Christoph G. Christoph G. wrote: Dear Squid-Users I tried to figure out how to set up my squid auth helpers to use a second LDAP server if the first one is unreachable. From several postings on this mailing list I thought that squid_ldap_auth and squid_ldap_group which come with the squid source are able to support this option: e.g. http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html And reading the man page also lets me believe that I can just pass two IP addresses to make it work: http://linux.die.net/man/8/squid_ldap_auth ---snip--- -h ldapserver Specify the LDAP server to connect to. Servers (!) can also be specified last on the command line. ---snap--- So I tried this on the command line: # squid_ldap_auth -b dc=some,dc=com -f sAC=%s -D cn=ad,ou=Users,dc=some,dc=com -w *** -c 2 -t 2 -p 3268 -h 10.0.0.1 10.0.0.2 This works fine if the first IP (10.0.0.1) is answering properly to my LDAP requests but it doesn't if only the second host (10.0.0.2) is reachable and answering LDAP requests. Instead I get the following error message: someone *** squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' ERR Success I'm using Squid Cache: Version 2.7.STABLE4. What am I doing wrong? Best Regards, Christoph G. -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5
Re: [squid-users] Re: Failover to second LDAP server with squid_ldap_auth
Hi Amos Thank you very much for your reply. Have you tried it with a single hostname that resolves to two IPs? I already thought of this. You can do load-balancing like this, as some of the requests go to the first and some to the second ldap server, but it wouldn't help if one of the server is just not available. The requests to this server would just fail and the ldap helper would not try the other server (aka failover). IFAIK, none of the bundled helpers are designed to do failover to secondary servers like this. I'm a bit confused. Some mailing list entries indicate that the helpers are able to connect to two ldap servers and even in the header of the source file of squid_ldap_auth I saw this comment: * 2003-03-01: David J N Begley * - Support for Netscape API method of ldap over SSL * connections * - Timeout option for better recovery when using * multiple LDAP servers But the help text of the squid helper is quite unclear and I just don't manage to get it to run. And if the helpers do not support failover, how do other people achieve redundancy? Best Regards, Christoph G. Amos Jeffries wrote: Christoph G. wrote: Hi there Can anyone help me with this one? I'm stuck and this becomes rather urgent for us. Any help would be highly appreciated. Have you tried it with a single hostname that resolves to two IPs? IFAIK, none of the bundled helpers are designed to do failover to secondary servers like this. Amos Best Regards, Christoph G. Christoph G. wrote: Dear Squid-Users I tried to figure out, how to setup up my squid auth helpers to use a second LDAP server if the first one is unreachable. From several postings on this mailing list I thougth that squid_ldap_auth and squid_ldap_group which come with the squid source are able to support this option: e.g. 
http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html And reading the man page also lets me believe that I can just pass two IP addresses to make it work: http://linux.die.net/man/8/squid_ldap_auth ---snip--- -h ldapserver Specify the LDAP server to connect to. Servers (!) can also be specified last on the command line. ---snap--- So I tried this on the command line: # squid_ldap_auth -b dc=some,dc=com -f sAC=%s -D cn=ad,ou=Users,dc=some,dc=com -w *** -c 2 -t 2 -p 3268 -h 10.0.0.1 10.0.0.2 This works fine if the first IP (10.0.0.1) is answering properly to my LDAP requests but it doesn't if only the second host (10.0.0.2) is reachable and answering LDAP requests. Instead I get the following error message: someone *** squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' ERR Success I'm using Squid Cache: Version 2.7.STABLE4. What am I doing wrong? Best Regards, Christoph G. -- christoph göldi security engineer open systems ag räffelstrasse 29 ch-8045 zürich t +41 44 455 74 00 f +41 44 455 74 01 c...@open.ch http://www.open.ch
Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13)
Dear Amos! I want to setup same setup same setup like in version 2.5 using these commands written bellow. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header and add prerouting rule to redirect all tcp 80 traffic to squid port 3128. Because I don't want to setup proxy setting on all of my lan users computers. if any user want to brows the internet port 80 req redirect it to squid port 3128. And I really don't have any idea how to setup in new version of squid 3.0. please advise Rgd, - Original Message From: Amos Jeffries squ...@treenet.co.nz To: asghar_na...@yahoo.com Cc: Jeff Peng j...@dtonenetworks.com; squid-users@squid-cache.org Sent: Tuesday, February 10, 2009 9:52:54 AM Subject: Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13) M. Asghar Nazir wrote: Dear Jeff! Thanks for your quick reply. Actually I have only work on squid 2.5 version and after a very long time now I need to rebuilt proxy in my new company using new version squid 3.0. could you please help me with a live Config Examples of squid 3.0 transparent proxy version. Rgd, Three things: 1) please don't hijack discussions. They can lead to confusion such as Jeff's assumption that you were still talking about tproxy. 2) Are you trying to setup a website accelerator proxy (reverse proxy) or a traffic intercepting proxy? Both of your emails to date contradict each other. The httpd_accel_* are old 2.5 config for accelerators. Replaced with any of the setups listed under Reverse Proxy at: http://wiki.squid-cache.org/ConigExamples Transparent proxy is a single broad term used for several other very different types of setup. Please clarify what you need. 3) The ConfigExamples wiki pages details how to setup their config. In most cases they are live configs used by people somewhere on the web. 
Amos --- On Tue, 2/10/09, Jeff Peng j...@dtonenetworks.com wrote: From: Jeff Peng j...@dtonenetworks.com Subject: Re: [squid-users] How to enable transparent proxy (squid-3.0.STABLE13) To: asghar_na...@yahoo.com Cc: squid-users@squid-cache.org Date: Tuesday, February 10, 2009, 9:01 AM 2009/2/10 M. Asghar Nazir asghar_na...@yahoo.com: Dear All, I am want to configure squid as a transparent proxy using squid-3.0.STABLE13 version. I have compile squid with following parameters written below. /configure --enable-delay-pools --enable-snmp --enable-arp-acl --enable-default-err-language=English --enable-default-err-language=English --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=51200 when I open /usr/local/squid/etc/squid.conf I didn't find these options their to enable transperent proxy. httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header This is the very old directives in Squid-2.5 version. You could check the new configure directives in squid.conf.default or configure samples on: http://wiki.squid-cache.org/ConfigExamples/ -- Jeff Peng Office: +86-20-38350822 AIM: jeffpang www.dtonenetworks.com -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5
Re: [squid-users] Re: Failover to second LDAP server with squid_ldap_auth
Christoph Goeldi wrote: Hi Amos Thank you very much for your reply. Have you tried it with a single hostname that resolves to two IPs? I already thought of this. You can do load-balancing like this, as some of the requests go to the first and some to the second ldap server, but it wouldn't help if one of the server is just not available. The requests to this server would just fail and the ldap helper would not try the other server (aka failover). IFAIK, none of the bundled helpers are designed to do failover to secondary servers like this. I'm a bit confused. Some mailing list entries indicate that the helpers are able to connect to two ldap servers and even in the header of the source file of squid_ldap_auth I saw this comment: * 2003-03-01: David J N Begley * - Support for Netscape API method of ldap over SSL * connections * - Timeout option for better recovery when using * multiple LDAP servers But the help text of the squid helper is quite unclear and I just don't manage to get it to run. And if the helpers do not support failover, how do other people achieve redundancy? I wasn't paying much attention to the LDAP side of things before this year sorry. Haven't seen it mentioned apart from your post so far. Amos Best Regards, Christoph G. Amos Jeffries wrote: Christoph G. wrote: Hi there Can anyone help me with this one? I'm stuck and this becomes rather urgent for us. Any help would be highly appreciated. Have you tried it with a single hostname that resolves to two IPs? IFAIK, none of the bundled helpers are designed to do failover to secondary servers like this. Amos Best Regards, Christoph G. Christoph G. wrote: Dear Squid-Users I tried to figure out, how to setup up my squid auth helpers to use a second LDAP server if the first one is unreachable. From several postings on this mailing list I thougth that squid_ldap_auth and squid_ldap_group which come with the squid source are able to support this option: e.g. 
http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html And reading the man page also lets me believe that I can just pass two IP addresses to make it work: http://linux.die.net/man/8/squid_ldap_auth ---snip--- -h ldapserver Specify the LDAP server to connect to. Servers (!) can also be specified last on the command line. ---snap--- So I tried this on the command line: # squid_ldap_auth -b dc=some,dc=com -f sAC=%s -D cn=ad,ou=Users,dc=some,dc=com -w *** -c 2 -t 2 -p 3268 -h 10.0.0.1 10.0.0.2 This works fine if the first IP (10.0.0.1) is answering properly to my LDAP requests but it doesn't if only the second host (10.0.0.2) is reachable and answering LDAP requests. Instead I get the following error message: someone *** squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' ERR Success I'm using Squid Cache: Version 2.7.STABLE4. What am I doing wrong? Best Regards, Christoph G. -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5