[squid-users] R: Re: [squid-users] R: Re: [squid-users] Squid cache cgi-bin

2009-02-24 Thread projpr...@libero.it
ok

I report here what is in my conf file (the only mistake I found is about the
coredump_dir, which is still in Windows format):


acl all src all
acl SSL_ports port 443
acl Safe_ports port 8080 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

acl server_sites dstdomain domain.server.org

external_acl_type squid_ldap children=50 %LOGIN usr/sbin/squid_ldap_group -R -v "3" -s "sub" -b "dc=dom, dc=org" -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=one,ou=twon,ou=three,dc=four,dc=five,dc=org))" -d -D "cn=..." -w "x" -h "another.server.org" -p "3268"

acl static urlpath_regex .gif .jpg .html
acl authorized_one external squid_ldap one
acl authorized_two external squid_ldap two
acl authorized_three external squid_ldap three
acl authorized_four external squid_ldap four
acl authorized_five external squid_ldap five
acl authorized_six external squid_ldap six
acl fly urlpath_regex some part to match in the eddress
acl password proxy_auth REQUIRED
cache allow static

cache_peer_access server allow server_sites
cache_peer_access server deny all

cache_peer 1xx..x.x.xx parent 81xx 0 no-query originserver name=server

http_access allow password server_sites authorized_one
http_access allow password server_sites authorized_two fly

http_access deny all

cache_dir ufs /var/cache/squid 100 16 256

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

acl apache rep_header Server ^Apache

#  TAG: cache_dns_program
# cache_dns_program c:/squid/libexec/dnsserver.exe
#   For heavily loaded caches on large servers, you should
#   (see res_init(3)).  This prevents caches in a hierarchy
#   message to cache.log.  You can allow responses from unknown
#  TAG: ipcache_size(number of entries)
#  TAG: ipcache_low (percent)
#  TAG: ipcache_high(percent)
#   The size, low-, and high-water marks for the IP cache.
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
#  TAG: fqdncache_size  (number of entries)
#   Maximum number of FQDN cache entries.
# fqdncache_size 1024
#  TAG: cachemgr_passwd
#   Specify passwords for cachemgr operations.
#   Usage: cachemgr_passwd password action action ...
#   Some valid actions are (see cache manager menu for a full list):
#   fqdncache
#   ipcache
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssecret info stats/objects
# cachemgr_passwd disable all
#   When you enable this option, client no-cache or ``reload''
#   see also refresh_pattern for a more selective approach.
#   are in a complex cache hierarchy to work around access
#   Enable this option and Squid will never try to validate cached
# Leave coredumps in the first cache dir
coredump_dir c:/squid/var/cache


>Original message
>From: squ...@treenet.co.nz
>Date: 25 Feb 2009 3.51
>To: "projpr...@libero.it"
>Cc: 
>Subject: Re: [squid-users] R: Re: [squid-users] Squid cache cgi-bin
>
>projpr...@libero.it wrote:
>> Hi,
>> 
>> first thanks already for your answer.
>> 
>> I'm using squid 3 on SLES 11 server, is working as reverse proxy in front of
>> a web server that takes the role of parent.
>> 
>> The configuration works properly for my reverse purpose.
>> 
>> just the caching doesn´t work.
>> 
>> In order in squid.conf
>> 
>> -auth parameter (line 294)
>> -acl (line 627)
>> -cache or no_cache(line 645)
>> -cache_peer_access (line 692)
>> -http_access (line 696)
>> -http_port and cache_peer (ca. line 1138)
>> -hierarchy_stop_list (line 1723)
>> -Refresh_pattern (line 2764)
>> 
>> I maintained the original conf file and in this way I inserted in the right
>> place my instructions.
>> If there's any kind of mistake (or obsolete instructions) please tell me. I
>> don't understand if there's any kind of instruction that creates a conflict for
>> caching.
>> Thanks in advance
>
>I meant the details of those lines.
>
>For example the output of:
>   grep -E "^(acl|http_access|cache|no_cache|cache_peer|refresh_pattern)" squid.conf
>
>Amos
>
>> 
>> 
>>> Original message
>>> From: squ...@treenet.co.nz
>>> Date: 23 Feb 2009 23.38
>>> To: "projpr...@libero.it"
>>> Cc: 
>>> Subject: Re: [squid-users] Squid cache cgi-bin
>>>
>>>> Hi,
>>>>
>>>> I have some questions about squid as reverse proxy.
>>>>
>>>> The web server I'm accelerating (cache_peer) has dynamic content
>>>> (cgi-bin).
>>>>
>>>> At the beginning I left the default cache refresh values (so for
>>>> cgi-bin \ / ? has a value "0") and the hierarchy list for cgi-bin and
>>>> "no_cache deny all".
>>>>
>>>> Now these pages contain some elements like .gif that I'd like to cache:
>>>> these elements have not the path http://nameserver/cgi-bi/... but a
>>>> path like http://nameserver/icons...
>>>>
>>>> I tried with a normal ACL  el

Re: [squid-users] cache_object localhost info dosent clear when cache is wiped

2009-02-24 Thread Amos Jeffries

Woodward, Andrew wrote:

Hi group,

I've got a cluster of three squid/3.0.STABLE12 servers that are running
as reverse proxy accelerators. We periodically update the content that
the squid servers source and are using the below script to accomplish
the task. The problem is that when we perform this task, the
cache_object://localhost/info is not reset. Is there a process to
clearing the data in this item as well?


The data gets reset every time that particular squid restarts.
I suspect you are not pulling the data from the same cache process that 
you are cycling.





--BlastCache.sh--
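#!/bin/bash
#
# File:   BlastCache.sh
# Author: Andrew Woodward

wdir=/usr/local/squid
cdir="${wdir}/var/cache"

# Holding directory for the old cache contents
mkdir -p "${cdir}/junk"

# Stop the RunCache wrapper first so it does not restart squid
killall -9 RunCache

# Ask squid to shut down, then kill anything that is left
"${wdir}/sbin/squid" -k shutdown
sleep 2s
killall -9 squid
sleep 2s

# Move the two-character cache directories and the swap.state files aside
# (swap.state lives in the cache directory, so give it the full path)
mv "${cdir}"/?? "${cdir}"/swap.state* "${cdir}/junk"

# Recreate the cache directories and restart squid through RunCache
"${wdir}/sbin/squid" -z
"${wdir}/bin/RunCache" &

# Delete the old cache contents
rm -rf "${cdir}/junk"

sleep 3s
ls -sl "${wdir}/var/cache/swap.state"
ps axl | grep squid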
---EOF---


Andrew Woodward



Aha, somebody who actually uses RunCache.

Does "${wdir}/sbin/squid -sY" work for you?
or does it really require RunCache to operate?
I'm looking toward deprecating it in Squid-3

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] Squid Crashes when cache dir fills

2009-02-24 Thread Amos Jeffries

Wilson Hernandez - MSD, S. A. wrote:

I have cache_dir ufs /var/log/squid 6 255 255

with a 80GB harddrive.


So its probably not the cache dir filling up then.
It will be something else causing the system to use more than 20 GB for 
other stuff.


Logs or journaling maybe? Are they all rotating regularly?

Amos



Andrew Loughnan wrote:

Hi Wilson

Check that your cache_dir is not too big ? (cache_dir diskd 
/var/spool/squid 2 32 256)


Let us know what you have as your configs for this?
If it runs out of space it will crash all the time
Regards
Andrew Loughnan
Computer Services Manager
 
St Joseph's College 135 Aphrasia Street Newtown Vic 3220

E: andr...@sjc.vic.edu.au
P/h: (03) 5226-8165 M:  0412-523-011
Fax:(03) 5221-6983
-Original Message-
From: Wilson Hernandez - MSD, S. A. [mailto:w...@msdrd.com]
Sent: Tuesday, 24 February 2009 10:37 PM

To: squid-users@squid-cache.org
Subject: [squid-users] Squid Crashes when cache dir fills

Hello.

I have experienced some sort of crash with squid. I noticed that when 
the cache directory fills up, squid stops caching, it only allows 
communication through with the messenger and users start getting the 
unable to redirect message on the browser.


If I delete the directory and create it again squid -z then everything 
works fine.








--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] squis is asking if a cached object is modified

2009-02-24 Thread Amos Jeffries

Donoso Gabilondo, Daniel wrote:

I have two pc's with Fedora core 10 and squid.3.0.STABLE13
The content of squid.conf file in both pc's is the same. Squid is
configured as an accelerator.


No your squid is configured as a twisted open proxy. See below for fixes...



Squid stores the objects correctly in both pc's, but in one pc it is
always asking to the http server if the object is modified, and I don't
know why. If I stop the http server, then gets the cached object. The
other pc is always getting the cached object. The http server sends
always the max-age=86400 value in the header.

What I am doing wrong? My squid.conf file content is this:


You may not be doing anything wrong. Squid still suffers from bug #7.
http://www.squid-cache.org/bugs/show_bug.cgi?id=7

I seem to remember helping you with .home.nl earlier. That config was a 
bit weird, but there are some entries in your listed config which worry 
me terribly...


The global access to permit Purge opens a number of DDoS vectors.

And the use of "always_direct allow all" as the first always_direct line 
will prevent your otherwise listed cache_peer link ever being used.


Also the fact that the cache_peer link settings are listed LAST in the 
config, instead of first, indicates it's not going to be used even if 
available.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] Squid Crashes when cache dir fills

2009-02-24 Thread Wilson Hernandez - MSD, S. A.

I have cache_dir ufs /var/log/squid 6 255 255

with a 80GB harddrive.

Andrew Loughnan wrote:

Hi Wilson

Check that your cache_dir is not too big ? (cache_dir diskd /var/spool/squid 
2 32 256)

Let us know what you have as your configs for this?
If it runs out of space it will crash all the time 


Regards
Andrew Loughnan
Computer Services Manager
 
St Joseph's College 
135 Aphrasia Street Newtown Vic 3220

E: andr...@sjc.vic.edu.au
P/h: (03) 5226-8165 
M:  0412-523-011
Fax:(03) 5221-6983 


-Original Message-
From: Wilson Hernandez - MSD, S. A. [mailto:w...@msdrd.com] 
Sent: Tuesday, 24 February 2009 10:37 PM

To: squid-users@squid-cache.org
Subject: [squid-users] Squid Crashes when cache dir fills

Hello.

I have experienced some sort of crash with squid. I noticed that when 
the cache directory fills up, squid stops caching, it only allows 
communication through with the messenger and users start getting the 
unable to redirect message on the browser.


If I delete the directory and create it again squid -z then everything 
works fine.





--
*Wilson Hernandez*
Presidente
829.848.9595
809.766.0441
www.msdrd.com 
Conservando el medio ambiente


Re: [squid-users] vary_ignore_expire on

2009-02-24 Thread Amos Jeffries

squid proxy wrote:

hi

could someone explain pls what

vary_ignore_expire on

exactly means?
how is your squid configured?

Piotr


http://www.squid-cache.org/Doc/config/vary_ignore_expire/

WARNING: This is an HTTP violation. Use at your own peril.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] R: Re: [squid-users] Squid cache cgi-bin

2009-02-24 Thread Amos Jeffries

projpr...@libero.it wrote:

Hi,

first thanks already for your answer.

I´m using squid 3 on SLES 11 server, is working as reverse proxy in front of 
a web server that takes the role of parent.


The configuration works properly for my reverse purpose.

just the caching doesn´t work.

In order in squid.conf

-auth parameter (line 294)
-acl (line 627)
-cache or no_cache(line 645)
-cache_peer_access (line 692)
-http_access (line 696)
-http_port and cache_peer (ca. line 1138)
-hierarchy_stop_list (line 1723)
-Refresh_pattern (line 2764)

I maintained the original conf file and in this way I inserted in the right 
place my instructions.
If there's any kind of mistake (or obsolete instructions) please tell me. I 
don't understand if there's any kind of instruction that creates a conflict for 
caching.

Thanks in advance


I meant the details of those lines.

For example the output of:
  grep -E "^(acl|http_access|cache|no_cache|cache_peer|refresh_pattern)" squid.conf


Amos





Original message
From: squ...@treenet.co.nz
Date: 23 Feb 2009 23.38
To: "projpr...@libero.it"
Cc: 
Subject: Re: [squid-users] Squid cache cgi-bin


Hi,

I have some questions about squid as reverse proxy.

The web server I'm accelerating (cache_peer) has dynamic content
(cgi-bin).

At the beginning I left the default cache refresh values (so for cgi-bin \ / ?
has a value "0") and the hierarchy list for cgi-bin and "no_cache deny all".

Now these pages contain some elements like .gif that I'd like to cache: these
elements have not the path http://nameserver/cgi-bi/... but a path like
http://nameserver/icons...

I tried with a normal ACL  elements url_regex  .gif .html .jpeg

and then

cache allow static

But it seems squid is not caching nothing!!!

Could you give me any kind of advice?

Thanks in advance



It's a little unclear what config you are having trouble using.
The various options you mention above are a mix of current, obsolete,
deprecated, and irrelevant.

But the use of correct options in the correct order is important for a
working Squid.

What version are you using?

And in the order listed in your squid.conf, what lines do you have that
start with:
cache, no_cache, refresh_pattern, acl, or cache_peer*


Amos








--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] unproxying intranet

2009-02-24 Thread Amos Jeffries

squid proxy wrote:

at my squid 3.0 I have the following:

acl intranet dstdomain ^http://192.168.0.5


Will never match. dstdomain cannot process sub-domain name "^http://192".


always_direct allow intranet


Forces all intranet requests through the proxy to perform DNS lookups 
and. This is one of _the_ most inefficient ways to do intranet server 
access with Squid...



cache deny intranet


Prevents storage of intranet files on the proxy - increasing load on 
network and intranet web servers...


None of the above prevents requests going into and through squid. They 
just make squid process them in a very inefficient way. You are saved 
only by the invalid sub-domain on your 'intranet' ACL.


The ONLY way to prevent browsers going through a proxy for particular 
sites is to configure the browser correctly not to use the proxy for 
those sites. (WPAD + proxy/pac has already been suggested to you).


If proxy.pac is truly not an option then the requests will end up going 
through the proxy. The best way to handle it is to permit file caching, 
and setup a cache_peer + dstdomain ACL, for DNS-free access between the 
proxy and the intranet servers.


Amos



Piotr


On Tue, Feb 24, 2009 at 2:33 PM, sameer shinde  wrote:

Hi All,

We've configured squid3.0_Stble1 along with squidguard as our proxy server.
The server is working fine along with proxying but the problem is our local
intranet sites are also being accessed through proxy server, which increases
unnecessary load on our proxy.
How can I bypass proxy for our local network, so that intranet site will be
directly accessed without proxy server.

We've IE & firefox at the client site & we've bypassed the local intranet sites
in the LAN configuration option of IE, but somehow it is still going to proxy
server.

Any highlights?


~~
Sameer Shinde.
M:- +91 98204 61580
Millions saw the apple fall, but Newton was the one who asked why.




--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


[squid-users] cache_object localhost info dosent clear when cache is wiped

2009-02-24 Thread Woodward, Andrew
Hi group,

I've got a cluster of three squid/3.0.STABLE12 servers that are running
as reverse proxy accelerators. We periodically update the content that
the squid servers source and are using the below script to accomplish
the task. The problem is that when we perform this task, the
cache_object://localhost/info is not reset. Is there a process to
clearing the data in this item as well?


--BlastCache.sh--
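#!/bin/bash
#
# File:   BlastCache.sh
# Author: Andrew Woodward

wdir=/usr/local/squid
cdir="${wdir}/var/cache"

# Holding directory for the old cache contents
mkdir -p "${cdir}/junk"

# Stop the RunCache wrapper first so it does not restart squid
killall -9 RunCache

# Ask squid to shut down, then kill anything that is left
"${wdir}/sbin/squid" -k shutdown
sleep 2s
killall -9 squid
sleep 2s

# Move the two-character cache directories and the swap.state files aside
# (swap.state lives in the cache directory, so give it the full path)
mv "${cdir}"/?? "${cdir}"/swap.state* "${cdir}/junk"

# Recreate the cache directories and restart squid through RunCache
"${wdir}/sbin/squid" -z
"${wdir}/bin/RunCache" &

# Delete the old cache contents
rm -rf "${cdir}/junk"

sleep 3s
ls -sl "${wdir}/var/cache/swap.state"
ps axl | grep squid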
---EOF---


Andrew Woodward



Re: [squid-users] Re: HTTPS not Working

2009-02-24 Thread Chris Robertson

Alfred Rapozo wrote:

This is my squid.conf file.
The other weird thing is that squid is not logging https requests, and
I have set firefox to use the same proxy for all protocols.


If Squid's not logging the requests, it's likely not receiving them.  
Check for firewall rules that might interfere.


Chris


Re: [squid-users] Unsupported methods

2009-02-24 Thread Chris Robertson

Wilson Hernandez - MSD, S. A. wrote:

Hello.

I noticed a lot of unsupported method log in cache.log and is filling 
the log with those type of messages. What type of methods are these? 
Can someone please explain or guide me to where I can better 
understand the "extension methods and or its types"? and what they 
really are? So I can avoid having these type of logs:


2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method 
attempted by 192.168.2.245: This is not a bug. see squid.conf 
extension_methods
2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method in 
request 'NICK n[M-00-CRI-XP-14]___'



2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method 
attempted by 192.168.2.241: This is not a bug. see squid.conf 
extension_methods
2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method in 
request 'NICK [00|ESP|016294017]__'



Thanks in advance for your help.


http://www.squid-cache.org/mail-archive/squid-users/200812/0313.html

Chris


Re: [squid-users] Squid Whitelist Regexp Question.

2009-02-24 Thread Chris Robertson

Brian Carpenter wrote:

On Tue, Feb 24, 2009 at 8:44 AM, Matus UHLAR - fantomas
 wrote:
  

On 21.02.09 16:18, Brian Carpenter wrote:


I am blocking access to .google-analytics. on my home network, but a
few sites like songza.com require a google-analytics.com cookie to be
set in order to function properly.  So my question is this, how do I
allow google-analytics.com, but only from a certain domain, such as
songza.com or whatever?  I have no clue when it comes to regexp.
  

you must check for referer in allowed domains.




That's great, but it doesn't explain how I go about doing it. :)
  


Well, you didn't explain how you are "blocking access to 
.google-analytics on your home network"...  :o)


We can only give advice in the context of the information given.

Chris


RE: [squid-users] pop up authentication prompts

2009-02-24 Thread nick . apostolou
Thanks for the heads up. 

Willing to test and try squid_kerb_auth. 

Do you have any configuration/compile options you can share on this. 

This is my smb.conf, as you can see "security = domain"

squid2# cat /usr/local/samba/lib/smb.conf
workgroup = apac
netbios name = squid2
server string = New Sydney Lan Proxy
security = domain
password server = audc1 audc2
wins server = 192.168.71.21 192.168.48.23
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain =  yes
client NTLMv2 auth = No
client lanman auth = Yes
allow trusted domains = no

Regards
Nick Apostolou
IT Infrastructure | ABN AMRO Bank Australia/NZ
Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
email: nick.aposto...@au.abnamro.com




"Plant, Dean"  
24/02/2009 08:52 PM

Subject: RE: [squid-users] pop up authentication prompts






Plant, Dean wrote:
> nick.aposto...@au.abnamro.com wrote:
>> Hi,
>> 
>> Anyone got any suggestions on my authentication prompt problems with
>> NTLM authentication?
>> 
>> I've also got a test box which was build with a tar ball of the
>> squid and samba directories which authenticates with no problem and
>> does not give any errors in the cache.log.
>> 
>> Regards
>> Nick Apostolou
>> IT Infrastructure | ABN AMRO Bank Australia/NZ
>> Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
>> email: nick.aposto...@au.abnamro.com
> 
> Try the squid_kerb_auth module. We are running 2.6.x and we have
> suffered the same random pop-ups on NTLM, adding Kerberos
> authentication to the top of the auth configuration fixes the random
> pop-ups on IE 7 and Firefox. IE 6 does not support Kerberos so leave
> NTLM in your configuration if you have this browser on site. XP users
> will also suffer Kerberos ticket renewal issues if your users leave
> their machines on overnight and XP is not patched to SP3. 
> 

Just reread over my notes and IE6 *is* supposed to support kerb
authentication. We just had issues with its reliability in testing so
left in NTLM to ensure that if kerb_auth failed it could drop back to
NTLM.






RE: [squid-users] Squid 3.0 and Active Directory

2009-02-24 Thread Joseph L. Casale
>I have 3 users for my test:
>
>Admin (who is member of InternetAccess)
>User1 (who is a domain account but not member of InternetAccess)
>User2 (who is a local account of my pc-client)

/snip

>The problem appear with user1 who is supposed to don’t have an access to
>internet, but after logon on windows he can go through.

/snip

>acl xptest src 10.100.30.0/255.255.255.0

/snip

>http_access allow xptest


Who's xptest? You allowed that whole subnet through?

I am not an expert, but I do it like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\GROUP
auth_param ntlm children 5

acl ntlm proxy_auth REQUIRED
acl our_networks src 192.168.0.0/24 192.168.2.0/24

http_access allow ntlm our_networks
http_access deny all

HTH,
jlc



Re: [squid-users] Squid Whitelist Regexp Question.

2009-02-24 Thread Brian Carpenter
On Tue, Feb 24, 2009 at 8:44 AM, Matus UHLAR - fantomas
 wrote:
> On 21.02.09 16:18, Brian Carpenter wrote:
>> I am blocking access to .google-analytics. on my home network, but a
>> few sites like songza.com require a google-analytics.com cookie to be
>> set in order to function properly.  So my question is this, how do I
>> allow google-analytics.com, but only from a certain domain, such as
>> songza.com or whatever?  I have no clue when it comes to regexp.
>
> you must check for referer in allowed domains.
>

That's great, but it doesn't explain how I go about doing it. :)


[squid-users] Squid asking if cached objects are modified

2009-02-24 Thread Donoso Gabilondo, Daniel

I have two pc's with Fedora core 10 and squid.3.0.STABLE13 The content
of squid.conf file in both pc's is the same. Squid is configured as an
accelerator.  

Squid stores the objects correctly in both pc's, but in one pc it is
always asking to the http server if the object is modified, and I don't
know why. If I stop the http server, then gets the cached object. The
other pc is always getting the cached object. The http server sends
always the max-age=86400 value in the header.

What I am doing wrong? My squid.conf file content is this:


acl manager proto cache_object
acl localnet src 192.168.0.0/16
acl myserver.com src 192.168.0.0/16
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Purge method PURGE
check_hostnames on
hosts_file /etc/hosts
dns_defnames on
http_access allow all Purge
minimum_expiry_time 120 seconds
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow !localnet
http_access allow myserver.com
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
cache allow all
#refresh_pattern ^ftp:      1440    20% 10080
#refresh_pattern ^gopher:   1440    0%  1440
#refresh_pattern .  0   20% 4320
refresh_pattern .   0   0%  0
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 700 32 512
maximum_object_size 8830 KB
cache_mem 120 MB
http_port 3128 accel defaultsite=myserver.com:8080
cache_peer myserver.com parent 80 0 no-query originserver
forwarded_for on
icp_port 3130
icp_access allow all
acl HOME dstdomain .home.nl
always_direct allow all
never_direct allow HOME
never_direct allow all
cache_peer_access myserver.com allow all
http_access allow HOME
http_access allow all

myserver.com is in the etc/hosts file and in both pc's is the same.

Thank you,

Daniel


Re: [squid-users] unproxying intranet

2009-02-24 Thread Shekhar Gupta
No, not exactly. I am looking after 3 nodes. I am having WPAD
Server and all the browsers are configured for Auto Detect Setting
and they pick this file and according to their network they go from
their respective proxy.

Sudhir
+91-9818180743

On Tue, Feb 24, 2009 at 8:15 PM, sameer shinde  wrote:
> On Tue, Feb 24, 2009 at 8:09 PM, Shekhar Gupta  
> wrote:
>> The best way to do this will be using WPAD or proxy.pac file .
>>
> in that case, I've to copy proxy.pac in all the systems.
> I'm managing my users LAN configuration thru, AD group policy
>
>
>
> ~~
> Sameer Shinde.
> M:- +91 98204 61580
> Millions saw the apple fall, but Newton was the one who asked why.
>


Re: [squid-users] Re: winbindd_pam_auth_crap: invalid password length 24/260

2009-02-24 Thread Kinkie
On Tue, Feb 24, 2009 at 3:32 PM, Charles Regan  wrote:
> I was half wrong. It's working with firefox now, but with IE same thing.
>  winbindd_pam_auth_crap: invalid password length 24/282

You really want to talk to the Samba guys about this. We (squid
developers) developed the helper concept together with them, but it's
now being maintained 100% by the Samba developers.


-- 
/kinkie


[squid-users] squis is asking if a cached object is modified

2009-02-24 Thread Donoso Gabilondo, Daniel

I have two pc's with Fedora core 10 and squid.3.0.STABLE13
The content of squid.conf file in both pc's is the same. Squid is
configured as an accelerator.  

Squid stores the objects correctly in both pc's, but in one pc it is
always asking to the http server if the object is modified, and I don't
know why. If I stop the http server, then gets the cached object. The
other pc is always getting the cached object. The http server sends
always the max-age=86400 value in the header.

What I am doing wrong? My squid.conf file content is this:


acl manager proto cache_object
acl localnet src 192.168.0.0/16
acl myserver.com src 192.168.0.0/16
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Purge method PURGE
check_hostnames on
hosts_file /etc/hosts
dns_defnames on
http_access allow all Purge
minimum_expiry_time 120 seconds
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow !localnet
http_access allow myserver.com
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
cache allow all
#refresh_pattern ^ftp:      1440    20% 10080
#refresh_pattern ^gopher:   1440    0%  1440
#refresh_pattern .  0   20% 4320
refresh_pattern .   0   0%  0
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 700 32 512 
maximum_object_size 8830 KB
cache_mem 120 MB
http_port 3128 accel defaultsite=myserver.com:8080 
cache_peer myserver.com parent 80 0 no-query originserver
forwarded_for on
icp_port 3130
icp_access allow all
acl HOME dstdomain .home.nl
always_direct allow all
never_direct allow HOME
never_direct allow all
cache_peer_access myserver.com allow all
http_access allow HOME
http_access allow all

myserver.com is in the etc/hosts file and in both pc's is the same.

Thank you,

Daniel
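
The weaknesses pointed out in the replies to this configuration (PURGE allowed for every client, "always_direct allow all" sidelining the originserver cache_peer, a rule list that ends in "allow all") and, from the Active Directory thread, a subnet "allow" that lets users in without authentication, can be checked mechanically. The following Python audit is an added example, not code from any poster or from the Squid project; the finding names and the SUBNET_CONF layout are assumptions, and both sample configurations are constructed from lines quoted on this page.

```python
# Constructed sample: access-control lines from the squid.conf posted above.
DANIEL_CONF = """\
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl CONNECT method CONNECT
acl Purge method PURGE
http_access allow all Purge
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
cache_peer myserver.com parent 80 0 no-query originserver
always_direct allow all
http_access allow all
"""

# Constructed sample: a subnet rule placed ahead of an NTLM rule (layout assumed).
SUBNET_CONF = """\
acl ntlm proxy_auth REQUIRED
acl xptest src 10.100.30.0/255.255.255.0
http_access allow xptest
http_access allow ntlm
http_access deny all
"""

CLIENT_TYPES = {"src", "proxy_auth", "external"}  # ACL types that say who the client is
AUTH_TYPES = {"proxy_auth", "external"}           # ACL types that require a login


def parse(conf):
    """Return (acl name -> (type, values), ordered rules, originserver peer present)."""
    acls = {"all": ("src", {"all"})}  # 'all' is built in on Squid 3.x
    rules, has_origin_peer = [], False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # simplification: '#' always starts a comment
        if len(words) < 3:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], set()))[1].update(words[3:])
        elif words[0] in ("http_access", "always_direct"):
            rules.append((words[0], words[1], words[2:], " ".join(words)))
        elif words[0] == "cache_peer" and "originserver" in words:
            has_origin_peer = True
    return acls, rules, has_origin_peer


def limits_client(names, acls, types=CLIENT_TYPES):
    """True if the rule contains a non-negated ACL of one of `types`, other than 'all'."""
    return any(not n.startswith("!") and n != "all"
               and acls.get(n, ("", set()))[0] in types for n in names)


def allows_purge(names, acls):
    """True if the rule names a method ACL that includes PURGE."""
    return any(acls.get(n, ("", set()))[0] == "method" and "PURGE" in acls[n][1]
               for n in names)


def audit(conf):
    """Return a list of (finding, rule text) for the weaknesses discussed on this page."""
    acls, rules, has_origin_peer = parse(conf)
    auth_defined = any(kind in AUTH_TYPES for kind, _ in acls.values())
    findings = []
    for directive, action, names, text in rules:
        if action != "allow":
            continue
        everyone = all(n == "all" for n in names)
        if directive == "always_direct":
            # Every request goes direct, so the originserver peer is never used.
            if has_origin_peer and everyone:
                findings.append(("PEER_BYPASSED", text))
        elif allows_purge(names, acls) and not limits_client(names, acls):
            findings.append(("PURGE_OPEN", text))
        elif everyone:
            findings.append(("ALLOW_ALL", text))
        elif any(n.startswith("!") and acls.get(n[1:], ("", set()))[0] == "port"
                 for n in names):
            # The stock squid.conf denies !Safe_ports; an allow inverts that.
            findings.append(("ALLOWS_UNSAFE_PORTS", text))
        elif auth_defined and limits_client(names, acls) \
                and not limits_client(names, acls, AUTH_TYPES):
            # Source address alone admits the client, so no login is asked for.
            findings.append(("AUTH_BYPASS", text))
    access = [r for r in rules if r[0] == "http_access"]
    if access and (access[-1][1], access[-1][2]) != ("deny", ["all"]):
        findings.append(("NO_FINAL_DENY", access[-1][3]))
    return findings


if __name__ == "__main__":
    for label, conf in (("DANIEL_CONF", DANIEL_CONF), ("SUBNET_CONF", SUBNET_CONF)):
        for finding, rule in audit(conf):
            print(f"{label}: {finding}: {rule}")
```
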


Re: [squid-users] HTTPS not Working

2009-02-24 Thread Kinkie
On Tue, Feb 24, 2009 at 2:41 PM, Alfred Rapozo  wrote:
> I have setup squid in a box with the default configuration and
> everything works, but i cannot access any https sites, I get a failed
> to connect from the browser.
> My lab setup works fine and the installation process was the same for both.

Hi Alfred,
  In order to help you we need more information: what squid version,
how did you obtain it (from source? from some vendor/distribution?),
what kind of scenario you're using (forward proxy, reverse proxy,
etc), the browser configuration you're using, etc.
A common problem with defaults is that everyone has their own..



-- 
/kinkie


Re: [squid-users] unproxying intranet

2009-02-24 Thread squid proxy
at my squid 3.0 I have the following:

acl intranet dstdomain ^http://192.168.0.5
always_direct allow intranet
cache deny intranet

Piotr


On Tue, Feb 24, 2009 at 2:33 PM, sameer shinde  wrote:
> Hi All,
>
> We've configured squid3.0_Stble1 along with squidguard as our proxy server.
> The server is working fine along with proxying but the problem is our local
> intranet sites are also being accessed through proxy server, which increases
> unnecessary load on our proxy.
> How can I bypass proxy for our local network, so that intranet site will be
> directly accessed without proxy server.
>
> We've IE & firefox at the client site & we've bypassed the local intranet 
> sites
> in the LAN configuration option of IE, but somehow it is still going to proxy
> server.
>
> Any highlights?
>
>
> ~~
> Sameer Shinde.
> M:- +91 98204 61580
> Millions saw the apple fall, but Newton was the one who asked why.
>


Re: [squid-users] unproxying intranet

2009-02-24 Thread sameer shinde
On Tue, Feb 24, 2009 at 8:09 PM, Shekhar Gupta  wrote:
> The best way to do this will be using WPAD or proxy.pac file .
>
in that case, I've to copy proxy.pac in all the systems.
I'm managing my users LAN configuration thru, AD group policy



~~
Sameer Shinde.
M:- +91 98204 61580
Millions saw the apple fall, but Newton was the one who asked why.


Re: [squid-users] Squid Whitelist Regexp Question.

2009-02-24 Thread Matus UHLAR - fantomas
On 21.02.09 16:18, Brian Carpenter wrote:
> I am blocking access to .google-analytics. on my home network, but a
> few sites like songza.com require a google-analytics.com cookie to be
> set in order to function properly.  So my question is this, how do I
> allow google-analytics.com, but only from a certain domain, such as
> songza.com or whatever?  I have no clue when it comes to regexp.

you must check for referer in allowed domains.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


[squid-users] vary_ignore_expire on

2009-02-24 Thread squid proxy
hi

could someone explain pls what

vary_ignore_expire on

exactly means?
how is your squid configured?

Piotr


Re: [squid-users] unproxying intranet

2009-02-24 Thread Shekhar Gupta
The best way to do this will be using WPAD or proxy.pac file .

On Tue, Feb 24, 2009 at 7:03 PM, sameer shinde  wrote:
> Hi All,
>
> We've configured squid3.0_Stble1 along with squidguard as our proxy server.
> The server is working fine along with proxying but the problem is our local
> intranet sites are also being accessed through proxy server, which increases
> unnecessary load on our proxy.
> How can I bypass proxy for our local network, so that intranet site will be
> directly accessed without proxy server.
>
> We've IE & firefox at the client site & we've bypassed the local intranet 
> sites
> in the LAN configuration option of IE, but somehow it is still going to proxy
> server.
>
> Any highlights?
>
>
> ~~
> Sameer Shinde.
> M:- +91 98204 61580
> Millions saw the apple fall, but Newton was the one who asked why.
>


[squid-users] Re: winbindd_pam_auth_crap: invalid password length 24/260

2009-02-24 Thread Charles Regan
I was half wrong. It's working with firefox now, but with IE same thing.
 winbindd_pam_auth_crap: invalid password length 24/282


On Sun, Feb 22, 2009 at 4:19 PM, Charles Regan  wrote:
> Got it working ...
> I changed my smb.conf
> workgroup=domain.local to workgroup=domain and now it's working!
>
>
>
> On Sun, Feb 22, 2009 at 3:55 PM, Charles Regan  
> wrote:
>> smb.conf
>> workgroup = domain.local
>


[squid-users] Re: HTTPS not Working

2009-02-24 Thread Alfred Rapozo
This is my squid.conf file.
The other weird thing is that squid is not logging https requests, and
I have set firefox to use the same proxy for all protocols.

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl SSL method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid



On Tue, Feb 24, 2009 at 9:41 AM, Alfred Rapozo  wrote:
> I have setup squid in a box with the default configuration and
> everything works, but i cannot access any https sites, I get a failed
> to connect from the browser.
> My lab setup works fine and the installation process was the same for both.
>


[squid-users] HTTPS not Working

2009-02-24 Thread Alfred Rapozo
I have setup squid in a box with the default configuration and
everything works, but i cannot access any https sites, I get a failed
to connect from the browser.
My lab setup works fine and the installation process was the same for both.


[squid-users] unproxying intranet

2009-02-24 Thread sameer shinde
Hi All,

We've configured squid3.0_Stble1 along with squidguard as our proxy server.
The server is working fine along with proxying but the problem is our local
intranet sites are also being accessed through proxy server, which increases
unnecessary load on our proxy.
How can I bypass proxy for our local network, so that intranet site will be
directly accessed without proxy server.

We've IE & firefox at the client site & we've bypassed the local intranet sites
in the LAN configuration option of IE, but somehow it is still going to proxy
server.

Any highlights?


~~
Sameer Shinde.
M:- +91 98204 61580
Millions saw the apple fall, but Newton was the one who asked why.


[squid-users] Squid 3.0 and Active Directory

2009-02-24 Thread Fady01


Hi everyone,

I'm writing to you because I have a problem with squid 3.0.STABLE13. I have
installed squid on Linux CentOS 5.2 and I have Active Directory configured
on a Windows 2003 Server. I would like to allow internet access for the
users who are members of the "InternetAccess" group and deny access for
others.
In order to achieve this I have configured Kerberos, samba, pam and winbind,
then I joined my squid server to the domain. In the squid configuration I
have chosen to use NTLM authentication.

I have 3 users for my test:

Admin (who is member of InternetAccess)
User1 (who is a domain account but not member of InternetAccess)
User2 (who is a local account of my pc-client)


The authentication works well because admin can go on the internet after he
has logged on to Windows. When user2 tries to go on the internet,
authentication is required and an authentication window appears.
The problem appears with user1, who is not supposed to have access to the
internet, but after logging on to Windows he can get through.


This is my configuration :

==
Squid.conf
==

# proxy_port
http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Connection
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic realm Squid Proxy


auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="mydomainname+InternetAccess"
auth_param basic children 5
auth_param basic realm Squid Proxy

#ACL
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl xptest src 10.100.30.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
 acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#Allow or deny rules. The order is important
#http_access allow manager localhost


http_access allow password
http_access allow xptest
http_access deny localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost



coredump_dir /var/spool/squid

==
krb5.conf
===

 [r...@bblw093 etc]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY_DOMAIN_NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY_DOMAIN_NAME = {
  kdc = MY_DOMAIN_SERVER_IP:88
  admin_server = MY_DOMAIN_SERVER_IP_ADDRESS:749
  default_domain = MY_DOMAIN_NAME
  kdc = MY_DOMAIN_SERVER_IP_ADDRESS }

[domain_realm]
 . MY_DOMAIN_NAME = MY_DOMAIN_NAME
MY_DOMAIN_NAME = MY_DOMAIN_NAME


[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf


[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

==
smb.conf
==
 [global]

security = ads
#netbios name = CENTOS
realm = MY_DOMAIN_NAME
password server = MY_DOMAIN_SERVER
workgroup = MY_NETBIOS_DOMAIN_NAME
idmap uid = 500-1000
idmap gid = 500-1000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

nsswitch.conf
==
passwd: compat winbind files
shadow: compat winbind files
group:  compat winbind files


passwd: compat winbind files
shadow: compat winbind files
group:  compat winbind files
hosts:  files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:files
services:   files winbind
netgro
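
The access rules from the post above, replayed through a small model of Squid's first-match `http_access` evaluation (an added example, not part of the original post and not Squid code). In the posted config only the basic helper carries `--require-membership-of`; the `helper_checks_group` switch stands for also passing it to the NTLM helper. The `HARDENED` ordering and the `all` ACL are assumptions, and clients are assumed to be outside `xptest` and `localhost`.

```python
# Added example: a simplified model of Squid's first-match http_access logic.
# POSTED is copied from the post; HARDENED is an assumed reordering and
# presumes "acl all src all" is defined, as in other configs in this archive.
POSTED = """
http_access allow password
http_access allow xptest
http_access deny localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
"""

HARDENED = """
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access deny all
"""

# Port ranges from the posted "acl Safe_ports" and "acl SSL_ports" lines.
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]
SSL_PORTS = [(443, 443)]


def parse_rules(text):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def true_acls(method, port, domain_user, in_group, helper_checks_group):
    """Names of the ACLs that match one request (source-address ACLs such
    as xptest, localhost and manager are treated as not matching)."""
    acls = {"all"}
    if any(lo <= port <= hi for lo, hi in SAFE_PORTS):
        acls.add("Safe_ports")
    if any(lo <= port <= hi for lo, hi in SSL_PORTS):
        acls.add("SSL_ports")
    if method == "CONNECT":
        acls.add("CONNECT")
    # "proxy_auth REQUIRED" matches whenever the auth helper accepts the
    # login; group membership counts only if that helper enforces it.
    if domain_user and (in_group or not helper_checks_group):
        acls.add("password")
    return acls


def decide(rules, acls):
    """First rule whose ACLs all match wins; returns (action, rule_no)."""
    for number, (action, names) in enumerate(rules, 1):
        if all((n[1:] not in acls) if n.startswith("!") else (n in acls)
               for n in names):
            return action, number
    # Nothing matched: Squid applies the opposite of the last rule.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    posted, hardened = parse_rules(POSTED), parse_rules(HARDENED)
    # User1: domain account, not in InternetAccess, NTLM helper as posted.
    user1 = true_acls("GET", 80, True, False, helper_checks_group=False)
    print("User1, posted rules:", decide(posted, user1))
    # Same user once the NTLM helper also enforces the group.
    checked = true_acls("GET", 80, True, False, helper_checks_group=True)
    print("User1, helper checks group:", decide(hardened, checked))
    # Authenticated CONNECT to a non-SSL port under both orderings.
    tunnel = true_acls("CONNECT", 8443, True, True, helper_checks_group=True)
    print("CONNECT :8443, posted order:", decide(posted, tunnel))
    print("CONNECT :8443, hardened order:", decide(hardened, tunnel))
```

Whether a rejected login is answered with a 407 challenge or a 403 is outside this model; it only reports whether the request is served.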

RE: [squid-users] No SSL to SSL redirection problem

2009-02-24 Thread Roberto O. Fernández Crisial
Hi guys,

I did it the easy way. My Squid is listening on ports 80 and 443, so the
Apache (in httpd_accel_... mode) was configured to rewrite the URL via a
.htaccess file.

1st request: http://www.foo.com/bar
2nd request (forwarded): https://www.foo.com/bar

Here is the .htaccess file's lines:

RewriteEngine On
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Thank you for your help!

Regards,
Roberto.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, 23 February 2009 22:32
To: Roberto O. Fernández Crisial
Cc: 'John Doe'; squid-users@squid-cache.org
Subject: RE: [squid-users] No SSL to SSL redirection problem

> I think url_rewrite_access is not supported by Squid 2.5 and supported on
> Squid 2.6+.
>
> I was looking and I found this
> http://www.squid-cache.org/mail-archive/squid-users/200502/0150.html but I
> do not want to limit access on port 80.
>
> Any ideas?


Step 1: upgrade to a current Squid which supports your requirements.

Step 2: try the advised rewriter access controls.


Amos

>
> Thank you,
>
> Roberto O. Fernández Crisial
>
>
> -Original Message-
> From: John Doe [mailto:jd...@yahoo.com]
> Sent: Monday, 23 February 2009 14:41
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] No SSL to SSL redirection problem
>
>
>> > > “http://...”, even after be matched with script, and makes an infinite loop
>> > > requests (the script redirects to https but the Squid take it as http and
>> > > make the redirection again). What I can do? How can I make the “http” to
>> > > “https” to work fine?
>> >
>> > What is your acl for the rewrite?
>> > Maybe that would prevent the loops...
>> >
>> >   url_rewrite_access allow !SSL_ports
>> >
>> I do not have a line " url_rewrite_access allow !SSL_ports" I have one like
>> this "http_access deny CONNECT !SSL_ports"..
>
> This access is just basic security.
>
> I was suggesting:
>url_rewrite_access allow !SSL_ports
> in order to only rewrite non-https URLs to avoid the loops.
>
> JD
>
>
>
>
>




RE: [squid-users] Squid Crashes when cache dir fills

2009-02-24 Thread Andrew Loughnan
Hi Wilson

Check that your cache_dir is not too big? (cache_dir diskd /var/spool/squid 2 32 256)

Let us know what you have as your configs for this?
If it runs out of space it will crash all the time 

Regards
Andrew Loughnan
Computer Services Manager
 
St Joseph's College 
135 Aphrasia Street Newtown Vic 3220
E: andr...@sjc.vic.edu.au
P/h: (03) 5226-8165 
M:  0412-523-011
Fax:(03) 5221-6983 

-Original Message-
From: Wilson Hernandez - MSD, S. A. [mailto:w...@msdrd.com] 
Sent: Tuesday, 24 February 2009 10:37 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid Crashes when cache dir fills

Hello.

I have experienced some sort of crash with squid. I noticed that when 
the cache directory fills up, squid stops caching, it only allows 
communication through with the messenger and users start getting the 
unable to redirect message on the browser.

If I delete the directory and create it again squid -z then everything 
works fine.


RE: [squid-users] pop up authentication prompts

2009-02-24 Thread Plant, Dean
Plant, Dean wrote:
> nick.aposto...@au.abnamro.com wrote:
>> Hi,
>> 
>> Anyone got any suggestions on my authentication prompt problems with
>> NTLM authentication?
>> 
>> I've also got a test box which was build with a tar ball of the
>> squid and samba directories which authenticates with no problem and
>> does not give any errors in the cache.log.
>> 
>> Regards
>> Nick Apostolou
>> IT Infrastructure | ABN AMRO Bank Australia/NZ
>> Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
>> email: nick.aposto...@au.abnamro.com
> 
> Try the squid_kerb_auth module. We are running 2.6.x and we have
> suffered the same random pop-ups on NTLM, adding Kerberos
> authentication to the top of the auth configuration fixes the random
> pop-ups on IE 7 and Firefox. IE 6 does not support Kerberos so leave
> NTLM in your configuration if you have this browser on site. XP users
> will also suffer Kerberos ticket renewal issues if your users leave
> their machines on overnight and XP is not patched to SP3.  
> 

Just reread over my notes and IE6 *is* supposed to support kerb
authentication. We just had issues with its reliability in testing so
left in NTLM to ensure that if kerb_auth failed it could drop back to
NTLM.



[squid-users] Unsupported methods

2009-02-24 Thread Wilson Hernandez - MSD, S. A.

Hello.

I noticed a lot of unsupported method entries in cache.log, and they are
filling the log with those types of messages. What type of methods are these?
Can someone please explain or guide me to where I can better understand the
"extension methods and/or its types" and what they really are, so I can
avoid having these types of logs:


2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method attempted by 192.168.2.245: This is not a bug. see squid.conf extension_methods
2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method in request 'NICK n[M-00-CRI-XP-14]___'

2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method attempted by 192.168.2.241: This is not a bug. see squid.conf extension_methods
2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method in request 'NICK [00|ESP|016294017]__'



Thanks in advance for your help.
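
One way to triage the entries quoted above (an added example, not part of the original post): `NICK` is an IRC command rather than an HTTP method, so the script pairs each logged client address with the request it sent and lists the clients whose requests begin with an IRC command. The sample input is the four entries from the post with the mail wrapping undone; the function names and the command list are this example's own.

```python
import re
from collections import defaultdict

# The cache.log entries quoted in the post, with the mail line wrapping undone.
SAMPLE_LOG = """\
2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method attempted by 192.168.2.245: This is not a bug. see squid.conf extension_methods
2009/02/17 15:18:46| clientParseRequestMethod: Unsupported method in request 'NICK n[M-00-CRI-XP-14]___'
2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method attempted by 192.168.2.241: This is not a bug. see squid.conf extension_methods
2009/02/21 20:36:29| clientParseRequestMethod: Unsupported method in request 'NICK [00|ESP|016294017]__'
"""

# Commands an IRC client sends to a server (RFC 1459); none is an HTTP method.
IRC_VERBS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "PING", "PONG"}

PREFIX = r"^(\S+ \S+)\| clientParseRequestMethod: Unsupported method "
CLIENT_RE = re.compile(PREFIX + r"attempted by ([0-9.]+):")
REQUEST_RE = re.compile(PREFIX + r"in request '(.*)'$")


def unsupported_requests(log_text):
    """Pair each 'attempted by <ip>' entry with the 'in request' entry
    that directly follows it and carries the same timestamp."""
    events, pending = [], None
    for line in log_text.splitlines():
        client = CLIENT_RE.match(line)
        if client:
            pending = client.groups()          # (timestamp, client ip)
            continue
        request = REQUEST_RE.match(line)
        if request and pending and pending[0] == request.group(1):
            raw = request.group(2)
            verb = (raw.split() or [""])[0].upper()
            events.append({"time": pending[0], "client": pending[1],
                           "verb": verb, "raw": raw})
        pending = None                         # unpaired entries are dropped
    return events


def clients_speaking_irc(events):
    """Map client IP -> [(time, raw request)] for IRC-command requests."""
    hits = defaultdict(list)
    for event in events:
        if event["verb"] in IRC_VERBS:
            hits[event["client"]].append((event["time"], event["raw"]))
    return dict(hits)


if __name__ == "__main__":
    found = clients_speaking_irc(unsupported_requests(SAMPLE_LOG))
    for ip, seen in sorted(found.items()):
        print(f"{ip}: {len(seen)} IRC-style request(s), first at {seen[0][0]}")
```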


[squid-users] Squid Crashes when cache dir fills

2009-02-24 Thread Wilson Hernandez - MSD, S. A.

Hello.

I have experienced some sort of crash with squid. I noticed that when 
the cache directory fills up, squid stops caching, it only allows 
communication through with the messenger and users start getting the 
unable to redirect message on the browser.


If I delete the directory and create it again squid -z then everything 
works fine.


[squid-users] I: Re: [squid-users] Squid cache cgi-bin

2009-02-24 Thread projpr...@libero.it


>Original message
>From: projpr...@libero.it
>Date: 24-Feb-2009 10.09
>To: 
>Cc: 
>Subject: R: Re: [squid-users] Squid cache cgi-bin
>
>Hi,
>
>first thanks already for your answer.
>
>I'm using squid 3 on SLES 11 server, is working as reverse proxy in front of
>a web server that takes the role of parent.
>
>The configuration works properly for my reverse purpose.
>
>just the caching doesn´t work.
>
>In order in squid.conf
>
>-auth parameter (line 294)
>-acl (line 627)
>-cache or no_cache(line 645)
>-cache_peer_access (line 692)
>-http_access (line 696)
>-http_port and cache_peer (ca. line 1138)
>-hierarchy_stop_list (line 1723)
>-Refresh_pattern (line 2764)
>
>I maintained the original conf file and in this way I inserted in the right
>place my instructions.
>If there's any kind of mistake (or obsolete instructions) please tell me. I
>don't understand if there's any kind of instruction that creates a conflict for
>caching.
>Thanks in advance
>
>
>>Original message
>>From: squ...@treenet.co.nz
>>Date: 23-Feb-2009 23.38
>>To: "projpr...@libero.it"
>>Cc: 
>>Subject: Re: [squid-users] Squid cache cgi-bin
>>
>>> Hi,
>>>
>>> I have some questions about squid as reverse proxy.
>>>
>>> The web server I'm accelerating (cache_peer) has dynamic content
>>> (cgi-bin).
>>>
>>> At the beginning I left the default cache refresh values (so for cgi-bin \ /
>>> ? has a value "0") and the hierarchy list for cgi-bin and "no_cache deny
>>> all".
>>>
>>> Now these pages contain some elements like .gif that I'd like to cache:
>>> these elements do not have the path http://nameserver/cgi-bi/... but a path
>>> like http://nameserver/icons...
>>>
>>> I tried with a normal ACL  elements url_regex  .gif .html .jpeg
>>>
>>> and then
>>>
>>> cache allow static
>>>
>>> But it seems squid is not caching nothing!!!
>>>
>>> Could you give me any kind of advice?
>>>
>>> Thanks in advance
>>>
>>
>>
>>It's a little unclear what config you are having trouble using.
>>The various options you mention above are a mix of current, obsolete,
>>deprecated, and irrelevant.
>>
>>But the use of correct options in the correct order is important for a
>>working Squid.
>>
>>What version are you using?
>>
>>And in the order listed in your squid.conf, what lines do you have that
>>start with:
>>cache, no_cache, refresh_pattern, acl, or cache_peer*
>>
>>
>>Amos
>>
>>
>
>




[squid-users] R: Re: [squid-users] Squid cache cgi-bin

2009-02-24 Thread projpr...@libero.it
Hi,

first thanks already for your answer.

I´m using squid 3 on SLES 11 server, is working as reverse proxy in front of 
a web server that takes the role of parent.

The configuration works properly for my reverse purpose.

just the caching doesn´t work.

In order in squid.conf

-auth parameter (line 294)
-acl (line 627)
-cache or no_cache(line 645)
-cache_peer_access (line 692)
-http_access (line 696)
-http_port and cache_peer (ca. line 1138)
-hierarchy_stop_list (line 1723)
-Refresh_pattern (line 2764)

I maintained the original conf file and in this way I inserted in the right
place my instructions.
If there's any kind of mistake (or obsolete instructions) please tell me. I
don't understand if there's any kind of instruction that creates a conflict for
caching.
Thanks in advance


>Original message
>From: squ...@treenet.co.nz
>Date: 23-Feb-2009 23.38
>To: "projpr...@libero.it"
>Cc: 
>Subject: Re: [squid-users] Squid cache cgi-bin
>
>> Hi,
>>
>> I have some questions about squid as reverse proxy.
>>
>> The web server I'm accelerating (cache_peer) has dynamic content
>> (cgi-bin).
>>
>> At the beginning I left the default cache refresh values (so for cgi-bin \ /
>> ? has a value "0") and the hierarchy list for cgi-bin and "no_cache deny
>> all".
>>
>> Now these pages contain some elements like .gif that I'd like to cache:
>> these elements do not have the path http://nameserver/cgi-bi/... but a path
>> like http://nameserver/icons...
>>
>> I tried with a normal ACL  elements url_regex  .gif .html .jpeg
>>
>> and then
>>
>> cache allow static
>>
>> But it seems squid is not caching nothing!!!
>>
>> Could you give me any kind of advice?
>>
>> Thanks in advance
>>
>
>
>It's a little unclear what config you are having trouble using.
>The various options you mention above are a mix of current, obsolete,
>deprecated, and irrelevant.
>
>But the use of correct options in the correct order is important for a
>working Squid.
>
>What version are you using?
>
>And in the order listed in your squid.conf, what lines do you have that
>start with:
>cache, no_cache, refresh_pattern, acl, or cache_peer*
>
>
>Amos
>
>




RE: [squid-users] pop up authentication prompts

2009-02-24 Thread Plant, Dean
nick.aposto...@au.abnamro.com wrote:
> Hi,
> 
> Anyone got any suggestions on my authentication prompt problems with
> NTLM 
> authentication?
> 
> I've also got a test box which was build with a tar ball of the squid
> and 
> samba directories which authenticates with no problem and does not
> give 
> any errors in the cache.log.
> 
> Regards
> Nick Apostolou
> IT Infrastructure | ABN AMRO Bank Australia/NZ
> Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
> email: nick.aposto...@au.abnamro.com

Try the squid_kerb_auth module. We are running 2.6.x and we have
suffered the same random pop-ups on NTLM, adding Kerberos authentication
to the top of the auth configuration fixes the random pop-ups on IE 7
and Firefox. IE 6 does not support Kerberos so leave NTLM in your
configuration if you have this browser on site. XP users will also
suffer Kerberos ticket renewal issues if your users leave their machines
on overnight and XP is not patched to SP3.

HTH

Dean

> 
> 
> 
> 
> nick.aposto...@au.abnamro.com
> 20/02/2009 03:46 PM
> 
> To
> squid-users@squid-cache.org
> cc
> 
> Subject
> [squid-users] pop up authentication prompts
> 
> 
> 
> 
> 
> 
> Hi,
> 
> Random users are getting pop up authentication prompts rather than
> getting authenticated transparently via NTLM.
> This has only started to occur in the last week and the previous few
> months I have not had a problem.
> 
> There are 2 proxy servers running squid/samba and both get entries in
> cache.log every minute such as this.
> 
> [2009/02/20 14:29:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:30:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:31:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:32:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:33:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:34:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> [2009/02/20 14:35:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
>   got NTLMSSP command 3, expected 1
> 
> These 2 proxies use an upstream squid to pass on requests via
> cache_peer 
> statements.
> 
> I had the domain controllers rebooted yesterday and followed that
> with a 
> clean reboot of the squid (running on Solaris 10 x86) and within 30
> seconds of the cache being up the cache.log files starts to log these
> entries.
> 
> Samba Version 3.2.0 (compiled with --quiet --with-winbind
> --with-ads=no -prefix=/usr/local/samba --localstatedir=/var/samba)
> 
> Squid Cache: Version 2.7.STABLE2
> configure options:  '--enable-snmp'
> '--enable-external-acl-helpers=unix_group,wbinfo_group'
> '--enable-auth=ntlm,basic' '--enable-storeio=ufs,aufs'
> '--prefix=/usr/local/squid' '--localstatedir=/var/squid'
> 
> Reading though the archives there are suggestion about upgrading
> versions 
> but all relate to much older versions.
> 
> Anyone come across this with more recent versions (not that mine are
> the 
> latest) and is there a possible resolution to it?
> 
> 
> Regards
> Nick Apostolou
> IT Infrastructure | ABN AMRO Bank Australia/NZ
> Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
> email: nick.aposto...@au.abnamro.com
> 
> 
> 
> 
> 
> ABN AMRO Bank N.V. is an authorised agent of The Royal Bank of
> Scotland plc
>

---
> This message (including any attachments) is confidential and may be
> privileged. If you have received it by mistake please notify the
> sender by return e-mail and delete this message from your system. Any
> unauthorised use