RE: [squid-users] Error 1067 when starting service in Windows 2003 Server

2009-04-15 Thread joost.deheer
> "Could not start the Squid service on local computer. Error 
> 1067: the process terminated unexpectedly."

In case you didn't install squid in c:\squid: Did you run 'squid -O "-f 
d:\path\to\config" -n Servicename' to tell the service where the config is?

And in addition to Guido's checks:
- Check the eventlog.

A short (and translated) version of the HOWTO for windows that I use at work:
- Download
- Install in d:\apps\squid\VERSION
- Config (we have a template that sets up basic access)
- Install service: sbin\squid -f etc\squid.conf -n "SquidVERSION" (<-- 
Servicename may NOT contain spaces!)
- Install cache dirs: sbin\squid -z -f etc\squid.conf -n "SquidVERSION"
- Configure service: sbin\squid -O "-f d:\apps\squid\VERSION\etc\squid.conf" -n 
"SquidVERSION"
- Start service

Joost

[squid-users] squid cachehttp hits oid for solarwinds

2009-04-15 Thread Ghasem Abbasi

Hi Dear,

I want to add Squid Cache to Solarwinds Orion to monitor performance, but I
can't find the OID for this.

Please help me.

Re: [squid-users] Fwd: Howto Measure bandwidth consumption of HTTPS traffic?

2009-04-15 Thread Sir June



I used to measure the traffic on my squid box before (eth0 and eth1) using a 
shell script and pass it to MRTG.

----- Original Message -----
From: M Admin 
To: squid-users@squid-cache.org
Sent: Wednesday, April 15, 2009 7:47:57 PM
Subject: [squid-users] Fwd: Howto Measure bandwidth consumption of HTTPS 
traffic?

Hello everyone --

I am currently proxying all traffic from the client through SQUID. I
am trying to measure the amount of bandwidth used by the client. The
client is connecting to Gmail.com via HTTPS.

I see the connections to Gmail in the access.log as such:

1239680667.335 216115 172.19.240.27 TCP_MISS/200 2964 CONNECT mail.google.com:443 - DIRECT/74.125.155.18 -

but it doesn't seem like all client requests show up in the log. I am
running Firebug 1.3.1 in the client and I see many GET and POST
requests from the client to Google that don't show up in the
access.log.

Can I use SQUID for this function? Ie measure bandwidth for HTTPS
traffic for 1 and eventually multiple users? Is it accurate?


My setup.


Ubuntu Dapper

Squid Proxy: Squid Cache version 2.5.STABLE12 for
i386-debian-linux-gnu - setup for proxying only, not caching with the
configuration option: cache deny all
Browser  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.1.6) Gecko/20070725 (CK-GoogleCorp) Firefox/2.0.0.6. Cache Size
= 0 MB
Calamaris Reports: Calamaris Revision: 2.99.1.3
Firebug: 1.3.1






[squid-users] Fwd: Howto Measure bandwidth consumption of HTTPS traffic?

2009-04-15 Thread M Admin
Hello everyone --

I am currently proxying all traffic from the client through SQUID. I
am trying to measure the amount of bandwidth used by the client. The
client is connecting to Gmail.com via HTTPS.

I see the connections to Gmail in the access.log as such:

1239680667.335 216115 172.19.240.27 TCP_MISS/200 2964 CONNECT mail.google.com:443 - DIRECT/74.125.155.18 -

but it doesn't seem like all client requests show up in the log. I am
running Firebug 1.3.1 in the client and I see many GET and POST
requests from the client to Google that don't show up in the
access.log.

Can I use SQUID for this function? Ie measure bandwidth for HTTPS
traffic for 1 and eventually multiple users? Is it accurate?


My setup.


Ubuntu Dapper

Squid Proxy: Squid Cache version 2.5.STABLE12 for
i386-debian-linux-gnu - setup for proxying only, not caching with the
configuration option: cache deny all
Browser  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.1.6) Gecko/20070725 (CK-GoogleCorp) Firefox/2.0.0.6. Cache Size
= 0 MB
Calamaris Reports: Calamaris Revision: 2.99.1.3
Firebug: 1.3.1
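
The CONNECT entry quoted in this post is one line per tunnel, and its size field is the byte count Squid's native log format records as delivered to the client; the GET and POST requests Firebug shows travel inside the encrypted tunnel and get no lines of their own. As an added example (not code from the thread), this Python sketch totals tunnel bytes per client and destination; every sample line except the first is constructed.

```python
"""Sum CONNECT tunnel traffic per client from Squid native access.log lines."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
1239680667.335 216115 172.19.240.27 TCP_MISS/200 2964 CONNECT mail.google.com:443 - DIRECT/74.125.155.18 -
1239680702.101 35012 172.19.240.27 TCP_MISS/200 48211 CONNECT mail.google.com:443 - DIRECT/74.125.155.18 -
1239680710.552 120 172.19.240.28 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html
1239680750.009 9000 172.19.240.28 TCP_MISS/200 1000 CONNECT www.example.org:443 - DIRECT/192.0.2.20 -
1239680760.000 12
"""


class Entry(NamedTuple):
    timestamp: float   # seconds since the epoch, when the entry was written
    elapsed_ms: int    # duration of the request or tunnel in milliseconds
    client: str        # client IP address
    result: str        # Squid result code, e.g. TCP_MISS
    status: int        # HTTP status code
    size: int          # bytes delivered to the client
    method: str
    target: str        # URL, or host:port for CONNECT


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")
    try:
        return Entry(float(fields[0]), int(fields[1]), fields[2], result,
                     int(status), int(fields[4]), fields[5], fields[6])
    except ValueError:
        return None


def tunnel_usage(lines: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Aggregate CONNECT entries by (client, host:port).

    The byte total covers only what was delivered to the client, so uploads
    through the tunnel are not included in it.
    """
    usage = defaultdict(lambda: {"tunnels": 0, "bytes": 0, "elapsed_ms": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.method != "CONNECT":
            continue
        bucket = usage[(entry.client, entry.target)]
        bucket["tunnels"] += 1
        bucket["bytes"] += entry.size
        bucket["elapsed_ms"] += entry.elapsed_ms
    return dict(usage)


def bytes_per_client(usage: Dict[Tuple[str, str], Dict[str, int]]) -> Dict[str, int]:
    """Collapse the per-destination buckets into one byte total per client."""
    totals: Dict[str, int] = defaultdict(int)
    for (client, _target), bucket in usage.items():
        totals[client] += bucket["bytes"]
    return dict(totals)


if __name__ == "__main__":
    usage = tunnel_usage(SAMPLE_LOG.splitlines())
    for (client, target), bucket in sorted(usage.items()):
        print(f"{client:15} {target:25} tunnels={bucket['tunnels']} "
              f"bytes={bucket['bytes']} elapsed_ms={bucket['elapsed_ms']}")
    print(bytes_per_client(usage))
```
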


Re: [squid-users] Add authorization header?

2009-04-15 Thread Chris Robertson

austijc wrote:
> I'm trying to have squid add an authorization header when a user accesses a
> particular URL pattern.  Here's the situation;
>
> Internal users access the Internet through squid and authenticate to an LDAP
> server.
>
> We have a partner site we'd like to give access to these users but local
> users do not have individual accounts on that server.  Instead the partner
> provides a single login for all our users.
>
> So, I'd like to automatically add that single login information to the
> request when the local users access the URL pattern.   That allows them to
> login to the proxy once and then access the partner site without having to
> login again or even know the login/password of that site.
>
> Does squid support anything like that?  I've been digging through the manual
> but haven't found anything.

Have a look at cache_peer.

Something like...

cache_peer partner.example.com parent 80 0 no-query originserver login=account:password

acl partner dstdomain .partner.example.com
cache_peer_access partner.example.com allow partner
cache_peer_access partner.example.com deny all

...should (if I have my directives correct) pass requests for any 
subdomain for partner.example.com (inclusive of partner.example.com 
itself) to partner.example.com AND supply HTTP authorization credentials 
of "account" and "password".

> Can the request be modified by an external program?

Chris



RE: [squid-users] %EXT_USER value

2009-04-15 Thread Amos Jeffries
> Thanks for the reply Amos.
>
> Please see my previous mail for a complete explanation of my
> requirements.
> http://www.squid-cache.org/mail-archive/squid-users/200904/0295.html
>
> I'm using
> Squid Cache: Version 3.0.STABLE13
>
> I'm looking for a way to pass a variable to an external acl which must
> contain an already authenticated username.
> I can not use %LOGIN because squid will assume that it's an auth helper
> and prompt the user for re-authentication on ERR return and I want to
> return a custom page on ERR return.
>
> I just thought %EXT_USER will contain the username from and external
> auth helper.

Ah, no the auth helpers are what fill %LOGIN.  Unless you force browsers
to add the user details (the popup or 407 with %LOGIN) then it's down to
blind chance that you get it at all.

> Conf example
> ===
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> external_acl_type QuotaUser ttl=1 negative_ttl=0 children=3 %EXT_USER
> /sqm/bin/quota_user.pl
> acl password proxy_auth REQUIRED
> acl quota_user external QuotaUser
> http_access  deny  !password
> http_access  deny quota_user
> http_access allow all
> deny_info ERR_CUSTOM_IN_QUOTA_USER quota_user
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: 15 April 2009 01:56 PM
> To: Bartel Viljoen
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] %EXT_USER value
>
> Bartel Viljoen wrote:
>> Dear Squid users.
>>
>> Does anyone have a working squid conf example of the %EXT_USER that is
>
>> available in squid 3. When I debug the value of %EXT_USER via a
>> external helper, the value is always "-", even though the log file is
>> showing the real username.
>
> %EXT_USER is the value returned from an external helper. So most cases
> it would not exist yet. How exactly are you testing it and what exact
> release version of squid-3 is this?
>
>>
>> Currently I'm using the following auth program auth_param ntlm program
>
>> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>
>> A squid conf example would be of great help.
>
> Then the value you are probably looking for is %LOGIN.
>
> Amos
> --
> Please be using
>Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>Current Beta Squid 3.1.0.7
>




RE: [squid-users] SNMP MIB updates?

2009-04-15 Thread Amos Jeffries
> Thanks for the reply Amos, I agree with your statements and am glad that
> this might get placed on the someday-roadmap for Squid.  I may not have
> permission to send to squid-dev, so please send it on if it doesn't find
> its way.
>
> I have been working off of the squid/share/mib.txt MIB that came with the
> 3.0-STABLE13 build I'm currently running on most systems.

Ah, okay there have been some fairly large changes since. Please grab the
one from 3.HEAD. (If you are wanting to change much or the internals of
squid that underly the MIB you will need the bzr VCS anyway to work with
the 3.HEAD branch.)


>
> cachePeerTable should be constructed using standard integer index,
> initialized on first run and adjusted as configuration changes and gets
> reloaded, with one of the OIDs returning the IP as a label.  So, I build
> and configure squid and run it for the first time with 3 cache peers
> configured, they get indexed as 1,2,3 on the table...I reconfigure squid
> and remove all 3 peers (peers == parents and/or siblings, something that
> needs to be decided as well), replacing them with new ones - at this point
> you can either rebuild the table using the new peers or append them as
> 4,5,6 and blank out 1,2,3.  Cisco switches build their ifIndex table using
> the latter method, which works well when linecards are added or removed
> (granted, switchports in general are a bit more static than an application
> level configuration).
>
> Also, I have tried the -Cc options when snmpwalk-ing and one big problem I
> run into is that I have two parents configured with the same IP (different
> hostname)...this causes snmpwalk to get stuck endlessly grabbing the same
> OID.  Something like Cacti won't even begin to handle this table
> gracefully, so it's essentially unusable.
>
> cacheHtcp* is great...but that would just make me want a cacheCarp as
> well.  Perhaps you could just abstract whatever is being used under
> something like cacheSiblingProto?
>
> In regards to adding a cacheHttpMisses (and pending, and negative) - I
> noticed that the cacheIpCache table has an OIDs for misses, pending hits
> and negative hits, so why can't the cacheProtoAggregateStats have these as
> well for HTTP?  I've ran into cacti templates that get this elusive metric
> by subtracting cacheHttpHits from cacheProtoClientHttpRequests.
>
> In regards to cacheMemUsage, I'm just interested in seeing a
> cacheMemCacheUsage added.  This would be especially useful for diskless
> caches...there's a cacheSysVMsize that tells me how much total memory can
> be used for caching, but nothing that tells me how much is actually used.
> Seeing these metrics graphed over time would help determine optimal
> high/low swap values.  MemUsage is currently an integer OID counting in KB
> - that should be changed to a Counter32 and represented in bits.
>
> In regards to bits vs KB, everything everywhere is represented in bits,
> except for Squid...which is no big deal, except that it requires Cacti
> users to build in some extra math (result = value * 1024 * 8).  This is
> very low hanging fruit IMO.
>
> Not sure what to say about the CPU usage metric, perhaps it's not
> refreshing often enough (if it's meant to be a gauge).  Perhaps it could
> be indexed into time-averages similar to the service timers, i.e. 1 min, 5
> min and 60 min averages.  Shouldn't be too difficult to do.
>
> Regarding the differences between the cacheProtoAggregateStats and
> cacheIpCache tables.  I can share graphs with you offline, but the curves
> graph out to be exactly the same, the numbers are just way off.  For
> example I graph HTTP Requests per second using data from the
> cacheProtoAggregateStats table and I see a current of 350 rps (and about
> 310 hits per second), graphing IP Requests per second using data from the
> cachIpCache table I see a current of 1190 rps (and about 1150 hits per
> second).  Notice here that the differences match up perfectly, and the
> deltas are always the same, the IP table just counts a LOT more hits and
> requests over time than the HTTP/ProtoAggStats table does.  I can't account
> for the difference, so a detailed definition would help me a lot.  I'm
> going to try turning off ICP/HTCP and seeing if there is any difference.
> If you want to see my graphs for a better idea of what I'm saying, I can
> attach them and send off-list.
>
> Thanks guys,
> Gregori
>
>
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Wednesday, April 15, 2009 5:23 AM
> To: Gregori Parker
> Cc: squid-users@squid-cache.org; Squid Developers
> Subject: Re: [squid-users] SNMP MIB updates?
>
> Gregori Parker wrote:
>> I was creating a fresh batch of cacti graph templates for Squid the
>> other day (focused on reverse proxy setups, I will release them soon),
>> and while crawling the Squid MIB I noticed that HTCP metrics don't
>> register anywhere.  Furthermore, the entire MIB seems to be in need of
>> updating - here's a list of 

Re: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Phillip Pi
Question about this proxycfg.exe in XP: Does this work for all Internet 
program? I can get it to work with IE (v6-v7) and CDBurnerXP (to 
download its update for the program), but not Firefox. I read that the 
program has to know winHTTP. Am I understanding this correctly? If so, 
then how do I know which programs support that to do proxy?
-- 
"In an ant colony, dew is a flood." --Afghan
  /\___/\
 / /\ /\ \  Phil/Ant @ http://antfarm.ma.cx (Personal Web Site)
| |o   o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
   \ _ / E-mail: phi...@earthlink.net or a...@zimage.com
( )


RE: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Amos Jeffries
> That would solve this problem, but by forcing the use of a proxy, we get
> better control of the web traffic.  It also allows us to use group policy
> to block access to setting the proxy for users not allowed to browse the
> web, without jumping through hoops required to setup authentication on the
> proxy server.  We can't just block access to IE, because these users do
> need access to intranet applications.  Currently there are only a couple
> of users that have laptops and access sites that have this problem the
> others are on desktops, and setting them to use the configuration script
> is a onetime deal.  Even these users are a very small percentage probably
> only around 2% of all users.
> Setting up a transparent proxy with authentication to stop the users not
> allowed internet access would have an impact on the other 98% of users who
> work just fine with the auto detect settings.

Overlooking the fact you can't do www auth on transparent proxies. You can
do IP-validation and such authorizations only.

>  Of course if Sun just
> implemented an auto detect option in the Java Runtime Environment proxy
> settings, all my problems would just go away.

:)

Amos

>
> Thanks,
>  Dean Weimer
>  Network Administrator
>  Orscheln Management Co
>
> -Original Message-
> From: Hunter Fuller [mailto:hackmies...@gmail.com]
> Sent: Wednesday, April 15, 2009 11:25 AM
> To: Dean Weimer; squid-users@squid-cache.org
> Subject: Re: [squid-users] Using Squid as a proxy to change network
> devices' properties instead of web broswers'?
>
> You can't do transparent proxying here?
> -hackmiester
> Too short? http://five.sentenc.es/
>
>
>
> 2009/4/15 Dean Weimer :
>> Interesting, saw this and thought that it might solve some problems I
>> have been having with applications that import settings from the
>> browser, but don't work with auto detect.  I thought I would try this on
>> Vista, of course it doesn't exist, but there is a replacement.
>>
>> In Vista (of course you have to run as admin):
>> To Display current setting:
>> netsh winhttp show proxy
>> To import from IE:
>> netsh winhttp import proxy source=ie
>> (Does anyone know if you can use a different source?)
>> To manually set it:
>> netsh winhttp set myproxy:port ";localsite1;localsite2;..."
>> To Set back to direct:
>> netsh winhttp reset proxy
>>
>> Also I noticed that it imports no proxy if you are set to use a script
>> or automatically detect, the proxycfg in XP still pulls the manual
>> configuration even after I set it to auto detect.  It was set to manual
>> configuration the first time I ran the command, so it appears to not
>> look at the current settings but looks at what is in the registry for
>> the manual configuration whether or not it is currently enabled.
>>
>> In XP:
>> To Display Current Settings:
>> proxycfg -d
>> To Import from IE:
>> Proxycfg -u
>> To Manually Set:
>> Proxycfg -p myproxy:port ";localsite1;localsite2;..."
>>
>> Looks like under my environment I will have to use the manual set
>> options to possibly solve the issue, the main problem I have found is
>> that Java doesn't seem to work correctly if the browser is configured
>> for auto detect, it will work however, if the browser is set to use a
>> specific configuration script, or a manually configured proxy.  Both of
>> these options however do require the user to change settings if they
>> have a laptop and try to use it outside of our network.
>> Guess if this command fixes the problem I can look at writing a startup
>> script to detect if they are on our local LAN or not and set it to
>> direct or a manual proxy depending on the result, then push this script
>> to clients with group policy.
>>
>> Thanks,
>>  Dean Weimer
>>  Network Administrator
>>  Orscheln Management Co
>>
>> -Original Message-
>> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
>> Sent: Wednesday, April 15, 2009 7:32 AM
>> To: Phillip Pi
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Using Squid as a proxy to change network
>> devices' properties instead of web broswers'?
>>
>> Phillip Pi wrote:
>>> Hello.
>>>
>>> I got Squid v2.7 stable 6 installed and working in a Windows XP Pro.
>>> SP2
>>> machine, with its IIS, as a proxy server. I can make clients' web
>>> browsers (e.g., IE and Firefox in Windows XP), go through this proxy
>>> server with no problems.
>>>
>>> I am wondering if I can use Squid to do the same proxy for network
>>> devices (e.g., onboard network). I would like to be able to set up PCs'
>>> Internet access instead of web browsers.
>>>
>>> Thank you in advance. :)
>>
>> The use of Squid as HTTP proxy is limited only individual app or devices
>> capabilities.
>>
>> On windows XP the command "proxycfg -u" IIRC is sufficient to get the
>> MS-produced apps using the same settings as IE, whether they are proxy
>> or not.
>>
>> I've heard tell of people using ActiveDirectory to push out proxy
>> settings to all machines in a contro

[squid-users] Add authorization header?

2009-04-15 Thread austijc

I'm trying to have squid add an authorization header when a user accesses a
particular URL pattern.  Here's the situation;

Internal users access the Internet through squid and authenticate to an LDAP
server.

We have a partner site we'd like to give access to these users but local
users do not have individual accounts on that server.  Instead the partner
provides a single login for all our users.

So, I'd like to automatically add that single login information to the
request when the local users access the URL pattern.   That allows them to
login to the proxy once and then access the partner site without having to
login again or even know the login/password of that site.

Does squid support anything like that?  I've been digging through the manual
but haven't found anything.
Can the request be modified by an external program?




Re: [squid-users] squid 3.0.STABLE14 not redirecting to squidGuard

2009-04-15 Thread vollkommen
That does the trick. Thanks! I suppose this means squidGuard 1.4 is not 
compatible with the new url_rewrite_concurrency helper method.

-------- Original Message --------
> vollkom...@gmx.net wrote:
> > Currently running squid 3.0.STABLE14-20090412, but the issue has been around for months, possibly ever since moving to 3.0STABLE release from 3.0PRE, or maybe
> > 
> > squid 3.0 config:
> > 
> > url_rewrite_program /usr/local/squid/bin/squidGuard -c /Applications/squid/squidguard.conf
> > url_rewrite_children 8
> > url_rewrite_concurrency 8
> > url_rewrite_host_header off
> >  
> > cache.log with debug_options 61,5
> > 
> > 2009/04/14 19:58:13.313| redirectStart: 'http://doubleclick.net/'
> > 2009/04/14 19:58:13.313| redirectHandleRead: {}
> > 2009/04/14 19:58:13.506| redirectStart: 'http://www.doubleclick.com/'
> > 2009/04/14 19:58:13.507| redirectHandleRead: {}
> > 
> > 
> > squidGuard 1.4 is blocking just fine by itself:
> > 
> > echo "http://doubleclick.net 1.2.3.4/- user GET -" | squidGuard -c /Applications/squid/squidguard.conf -d
> 
> That test is _not_ allowing for concurrency. Which adds a channel-ID 
> column as the first entry
> 
> Try without the "url_rewrite_concurrency" line.
> 
> Amos
> -- 
> Please be using
>Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>Current Beta Squid 3.1.0.7

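
The channel-ID mismatch Amos describes, as an added Python example (not squidGuard's code and not anything posted in the thread): a filter that strips the leading channel-ID and echoes it back answers correctly, while the same filter reading the ID as the URL returns an empty "no change" answer. The blocklist, the block-page URL and the channel-ID sample line are constructed for illustration.

```python
"""Parse Squid url_rewrite helper lines with and without a channel-ID."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist, using the two domains from the thread's cache.log.
BLOCKED_DOMAINS = {"doubleclick.net", "doubleclick.com"}
# Hypothetical block page; not a URL from the thread.
BLOCK_PAGE = "http://proxy.example.invalid/blocked.html"

# The manual test line from the post (no channel-ID).
PLAIN_LINE = "http://doubleclick.net 1.2.3.4/- user GET -"
# Constructed: the same request with a channel-ID as the first column.
CHANNEL_LINE = "0 http://doubleclick.net/ 1.2.3.4/- user GET -"


def parse_request(line: str, concurrent: bool) -> Tuple[Optional[str], str]:
    """Return (channel_id, url); channel_id is None without concurrency."""
    fields = line.split()
    channel = None
    if concurrent:
        if not fields or not fields[0].isdigit():
            raise ValueError("expected a numeric channel-ID first")
        channel, fields = fields[0], fields[1:]
    if not fields:
        raise ValueError("request line has no URL")
    return channel, fields[0]


def is_blocked(url: str) -> bool:
    """Match the URL's host against the blocklist, including subdomains."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return False
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def reply(line: str, concurrent: bool) -> str:
    """Build the helper's answer line.

    An empty answer means "leave the URL alone". With concurrency the
    channel-ID is echoed first so Squid can match answer to request.
    """
    try:
        channel, url = parse_request(line, concurrent)
    except ValueError:
        return ""  # unparseable line: nothing to echo, no rewrite
    answer = BLOCK_PAGE if is_blocked(url) else ""
    if channel is None:
        return answer
    return f"{channel} {answer}".rstrip()


if __name__ == "__main__":
    cases = [
        ("plain line, plain helper", PLAIN_LINE, False),
        ("channel line, concurrent helper", CHANNEL_LINE, True),
        ("channel line, plain helper", CHANNEL_LINE, False),
    ]
    for label, line, concurrent in cases:
        print(f"{label:32} -> {reply(line, concurrent)!r}")
```
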


Re: [squid-users] squid - loading, checking and purging

2009-04-15 Thread Chris Robertson

Sir June wrote:
> 1)  $ squidclient -m HEAD -H "Cache-Control: only-if-cached\n"  URL
>
>   the above  works fine.   what are the other "Cache-control: "  headers ?

Best to send you to the source: 
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

> 2)   $ squidclient -m purge URL    -> works fine
>
> 3)  i used in a  [ for loop ]  and  with  export  http_proxy=localhost:3128
>
>    $ wget -olog --proxy=on $i
>
>    $ curl -v -o /dev/null $i
>
>    $ squidclient URL | head -14 |grep -i cache >> log
>
> thanks for all your help.
>
> sirjune

Chris


Re: [squid-users] squid - loading, checking and purging

2009-04-15 Thread Sir June



1)  $ squidclient -m HEAD -H "Cache-Control: only-if-cached\n"  URL  
 
  the above  works fine.   what are the other "Cache-control: "  headers ?

2)   $ squidclient -m purge URL    -> works fine  

3)  i used in a  [ for loop ]  and  with  export  http_proxy=localhost:3128

   $ wget -olog --proxy=on $i 

   $ curl -v -o /dev/null $i 

   $ squidclient URL | head -14 |grep -i cache >> log

 
thanks for all your help. 

sirjune




----- Original Message -----
From: Chris Robertson 
To: squid-users@squid-cache.org
Sent: Wednesday, April 15, 2009 1:50:37 PM
Subject: Re: [squid-users] squid - loading, checking and purging

Amos Jeffries wrote:
> Sir June wrote:
>> i'm looking for command-line  options..
> 
> squidclient is your friend for atomic type object operations. Just be careful 
> when pulling binary objects since it will dump the resulting page to 
> stdout/screen.

Performing a "HEAD" method request would alleviate pulling the whole object.

> 
> 1)  squidclient -H "Cache-Control: only-if-cached\n" 
> http://example.com/mypage.html

squidclient -m HEAD -H "Cache-Control: only-if-cached\n" 
http://example.com/mypage.html

> 
> 2) squidclient -m PURGE http://example.com/mypage.html
> 
> 
> 3) fast way:  wget -i list.txt -O /dev/null
> alternative:
>  for f in `cat list.txt`; do squidclient $f >/dev/null; done
> 
> Amos

Chris






AW: [squid-users] ident auth problem with squid 3.1.0.6

2009-04-15 Thread Michael Kastinger
/push

Is there no one who could help me with this problem? Or is there someone
else who have the same issue?
Every information regarding this would be fine!

Thanks!




[squid-users] ICP purging

2009-04-15 Thread Patai Sangbutsarakum
Hi Squider,

Currently i have 4 squid servers running as reverse proxy for a slow
apache web server.
Also those 4 squid servers are running sibling among them through ICP.

this configuration was excerpted from one of the 4 sibling.

cache_peer 10.6.1.3 sibling 80 3130 proxy-only no-netdb-exchange no-digest no-delay
cache_peer 10.6.1.5 sibling 80 3130 proxy-only no-netdb-exchange no-digest no-delay
cache_peer 10.6.1.6 sibling 80 3130 proxy-only no-netdb-exchange no-digest no-delay

Now, new requirement came from a development team.

"they want to be able to update obj in the original web server and make sure
that the old version of the updated obj will be flush from those 4
squid servers."

One way that i tried is using
squidclient -p80 -h squid1 -m PURGE http://me.avatar.m.com/
after they updated the obj in the original web server.
Unfortunately, doing so I have to run the command to all 4 squid servers
while there is only one server that has the obj.

Keep reading ICP spec I saw the opcode 14 - ICP_OP_PURGE
it sound like a clean way to let ICP notify each node to flush the obj
if it has.


I would like to ask if any version of Squid does implement this ICP operation?
and to accomplish the scenario i mentioned
what would Squid gurus would recommend.?


Truly hope this make sense.
Patrick


RE: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Dean Weimer
That would solve this problem, but by forcing the use of a proxy, we get better 
control of the web traffic.  It also allows us to use group policy to block 
access to setting the proxy for users not allowed to browse the web, without 
jumping through hoops required to setup authentication on the proxy server.  We 
can't just block access to IE, because these users do need access to intranet 
applications.  Currently there are only a couple of users that have laptops and 
access sites that have this problem the others are on desktops, and setting 
them to use the configuration script is a onetime deal.  Even these users are a 
very small percentage probably only around 2% of all users.
Setting up a transparent proxy with authentication to stop the users not 
allowed internet access would have an impact on the other 98% of users who work 
just fine with the auto detect settings.  Of course if Sun just implemented an 
auto detect option in the Java Runtime Environment proxy settings, all my 
problems would just go away.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

-Original Message-
From: Hunter Fuller [mailto:hackmies...@gmail.com] 
Sent: Wednesday, April 15, 2009 11:25 AM
To: Dean Weimer; squid-users@squid-cache.org
Subject: Re: [squid-users] Using Squid as a proxy to change network devices' 
properties instead of web broswers'?

You can't do transparent proxying here?
-hackmiester
Too short? http://five.sentenc.es/



2009/4/15 Dean Weimer :
> Interesting, saw this and thought that it might solve some problems I have 
> been having with applications that import settings from the browser, but 
> don't work with auto detect.  I thought I would try this on Vista, of course 
> it doesn't exist, but there is a replacement.
>
> In Vista (of course you have to run as admin):
> To Display current setting:
> netsh winhttp show proxy
> To import from IE:
> netsh winhttp import proxy source=ie
> (Does anyone know if you can use a different source?)
> To manually set it:
> netsh winhttp set myproxy:port ";localsite1;localsite2;..."
> To Set back to direct:
> netsh winhttp reset proxy
>
> Also I noticed that it imports no proxy if you are set to use a script or 
> automatically detect, the proxycfg in XP still pulls the manual configuration 
> even after I set it to auto detect.  It was set to manual configuration the 
> first time I ran the command, so it appears to not look at the current 
> settings but looks at what is in the registry for the manual configuration 
> whether or not it is currently enabled.
>
> In XP:
> To Display Current Settings:
> proxycfg -d
> To Import from IE:
> Proxycfg -u
> To Manually Set:
> Proxycfg -p myproxy:port ";localsite1;localsite2;..."
>
> Looks like under my environment I will have to use the manual set options to 
> possibly solve the issue, the main problem I have found is that Java doesn't 
> seem to work correctly if the browser is configured for auto detect, it will 
> work however, if the browser is set to use a specific configuration script, 
> or a manually configured proxy.  Both of these options however do require the 
> user to change settings if they have a laptop and try to use it outside of 
> our network.
> Guess if this command fixes the problem I can look at writing a startup 
> script to detect if they are on our local LAN or not and set it to direct or 
> a manual proxy depending on the result, then push this script to clients with 
> group policy.
>
> Thanks,
>  Dean Weimer
>  Network Administrator
>  Orscheln Management Co
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Wednesday, April 15, 2009 7:32 AM
> To: Phillip Pi
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Using Squid as a proxy to change network devices' 
> properties instead of web broswers'?
>
> Phillip Pi wrote:
>> Hello.
>>
>> I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2
>> machine, with its IIS, as a proxy server. I can make clients' web
>> browsers (e.g., IE and Firefox in Windows XP), go through this proxy
>> server with no problems.
>>
>> I am wondering if I can use Squid to do the same proxy for network
>> devices (e.g., onboard network). I would like to be able to set up PCs'
>> Internet access instead of web browsers.
>>
>> Thank you in advance. :)
>
> The use of Squid as HTTP proxy is limited only individual app or devices
> capabilities.
>
> On windows XP the command "proxycfg -u" IIRC is sufficient to get the
> MS-produced apps using the same settings as IE, whether they are proxy
> or not.
>
> I've heard tell of people using ActiveDirectory to push out proxy
> settings to all machines in a controlled network environment, mayhap an
> expert on that will say how if you need it.
>
> Other devices and apps you will have to check out individually and see
> what can be done.
>
> As a fallback for the really limited apps there is always interception

Re: [squid-users] squid cache problem

2009-04-15 Thread Chris Robertson

Luciano Sousa wrote:

hello.

i'm having a problem with idiot.
at least once every two days I have to clear the cache of my squid,
because it begins to deny all access, probably because it is full ...
  


Your cache.log (/usr/local/squid/logs/cache.log) might give more 
information on what's going on.



> my squid.conf
>
> http_port 3128
> icp_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 500 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> cache_dir ufs /usr/local/squid/cache 1500 32 256
> cache_access_log /usr/local/squid/logs/access.log
> pid_filename /usr/local/squid/logs/squid.pid
> acl manager proto cache_object
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log /usr/local/squid/logs/store.log
>
> logformat logluciano IP do cliente: %>a - Username: %un - Horario:
> [%tl] - Metodo: %rm - URL: %ru - Status HTTP: %Hs - Status Squid: %Ss
> - Porta: %>p
> cache_access_log /usr/local/squid/logs/logteste.log logluciano
>
> auth_param ntlm program /usr/bin/ntlm_auth domain/pdc
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param basic children 5
> auth_param basic realm Digite o LOGIN/SENHA
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
>
> external_acl_type nt_group %LOGIN /usr/local/squid/etc/wbinfo_group.pl
> acl AllowedWindowsGroups external nt_group testnet
> http_access allow AllowedWindowsGroups
>
> acl localhost src 127.0.0.1/255.255.255.255
> acl redelocal src 192.168.1.0/24
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6959#mirc
> acl Safe_ports port 900 #mirc
> acl Safe_ports port 23  #smtp
> acl Safe_ports port 143 #imap
>
> acl CONNECT method CONNECT
> acl acesso proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow acesso
> http_access allow redelocal
  


For what it's worth, you are allowing unauthenticated requests from your 
local network.  Authentication is requested, the client is allowed if 
authentication is provided (but not denied if it's not).  The next step 
checks the client's source IP and allows based on that (with an implicit 
deny following).  Perhaps that's to plan, but I thought it might be 
worth a mention.



> icp_access allow all
> debug_options ALL,1 33,2
>
>
> thank's.
  


Chris


Re: [squid-users] squid - loading, checking and purging

2009-04-15 Thread Chris Robertson

Amos Jeffries wrote:

Sir June wrote:

i'm looking for command-line  options..


squidclient is your friend for atomic type object operations. Just be 
careful when pulling binary objects since it will dump the resulting 
page to stdout/screen.


Performing a "HEAD" method request would alleviate pulling the whole object.



1)  squidclient -H "Cache-Control: only-if-cached\n" 
http://example.com/mypage.html


squidclient -m HEAD -H "Cache-Control: only-if-cached\n" 
http://example.com/mypage.html




2) squidclient -m PURGE http://example.com/mypage.html


3) fast way:  wget -i list.txt -O /dev/null
alternative:
  for f in `cat list.txt`; do squidclient $f >/dev/null; done

Amos


Chris


Re: [squid-users] delay_pools on "aborted" objects

2009-04-15 Thread Chris Robertson

Pieter De Wit wrote:

Hey Guys,

What does squid do when a request is aborted and it's meant to carry 
on downloading the object (via quick_abort) and the client was part of 
a delay_pool.


From http://wiki.squid-cache.org/Features/DelayPools (under the heading 
of "There are some limitations of delay pools"):


"delay pools are incompatible with slow aborts; quick abort should be 
set fairly low to prevent objects being retrieved at full speed once 
there are no clients requesting them (as the traffic allocation is based 
on the current clients, and when there are no clients attached to the 
object there is no way to determine the traffic allocation)."




e.g. Client -> delay_pool -> Squid # Downloads at dp speed

 Client --x--> delay_pool -> Squid # Now what speed ?

Cheers,

Pieter


Chris



RE: [squid-users] SNMP MIB updates?

2009-04-15 Thread Gregori Parker
Thanks for the reply Amos, I agree with your statements and am glad that this 
might get placed on the someday-roadmap for Squid.  I may not have permission 
to send to squid-dev, so please send it on if it doesn't find its way.

I have been working off of the squid/share/mib.txt MIB that came with the 
3.0-STABLE13 build I'm currently running on most systems.

cachePeerTable should be constructed using standard integer index, initialized 
on first run and adjusted as configuration changes and gets reloaded, with one 
of the OIDs returning the IP as a label.  So, I build and configure squid and 
run it for the first time with 3 cache peers configured, they get indexed as 
1,2,3 on the table...I reconfigure squid and remove all 3 peers (peers == 
parents and/or siblings, something that needs to be decided as well), replacing 
them with new ones - at this point you can either rebuild the table using the 
new peers or append them as 4,5,6 and blank out 1,2,3.  Cisco switches build 
their ifIndex table using the latter method, which works well when linecards 
are added or removed (granted, switchports in general are a bit more static 
than an application level configuration).

Also, I have tried the -Cc options when snmpwalk-ing and one big problem I run 
into is that I have two parents configured with the same IP (different 
hostname)...this causes snmpwalk to get stuck endlessly grabbing the same OID.  
Something like Cacti won't even begin to handle this table gracefully, so it's 
essentially unusable.

cacheHtcp* is great...but that would just make me want a cacheCarp as well.  
Perhaps you could just abstract whatever is being used under something like 
cacheSiblingProto?

In regards to adding a cacheHttpMisses (and pending, and negative) - I noticed 
that the cacheIpCache table has OIDs for misses, pending hits and negative 
hits, so why can't the cacheProtoAggregateStats have these as well for HTTP?  
I've run into cacti templates that get this elusive metric by subtracting 
cacheHttpHits from cacheProtoClientHttpRequests.

In regards to cacheMemUsage, I'm just interested in seeing a cacheMemCacheUsage 
added.  This would be especially useful for diskless caches...there's a 
cacheSysVMsize that tells me how much total memory can be used for caching, but 
nothing that tells me how much is actually used.  Seeing these metrics graphed 
over time would help determine optimal high/low swap values.  MemUsage is 
currently an integer OID counting in KB - that should be changed to a Counter32 
and represented in bits.

In regards to bits vs KB, everything everywhere is represented in bits, except 
for Squid...which is no big deal, except that it requires Cacti users to build 
in some extra math (result = value * 1024 * 8).  This is very low hanging fruit 
IMO.

Not sure what to say about the CPU usage metric, perhaps it's not refreshing 
often enough (if it's meant to be a gauge).  Perhaps it could be indexed into 
time-averages similar to the service timers, i.e. 1 min, 5 min and 60 min 
averages.  Shouldn't be too difficult to do.

Regarding the differences between the cacheProtoAggregateStats and cacheIpCache 
tables.  I can share graphs with you offline, but the curves graph out to be 
exactly the same, the numbers are just way off.  For example I graph HTTP 
Requests per second using data from the cacheProtoAggregateStats table and I 
see a current of 350 rps (and about 310 hits per second), graphing IP Requests 
per second using data from the cacheIpCache table I see a current of 1190 rps 
(and about 1150 hits per second).  Notice here that the differences match up 
perfectly, and the deltas are always the same, the IP table just counts a LOT 
more hits and requests over time than the HTTP/ProtoAggStats table does.  I 
can't account for the difference, so a detailed definition would help me a lot.  
I'm going to try turning off ICP/HTCP and seeing if there is any difference.  
If you want to see my graphs for a better idea of what I'm saying, I can attach 
them and send off-list.

Thanks guys,
Gregori



-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, April 15, 2009 5:23 AM
To: Gregori Parker
Cc: squid-users@squid-cache.org; Squid Developers
Subject: Re: [squid-users] SNMP MIB updates?

Gregori Parker wrote:
> I was creating a fresh batch of cacti graph templates for Squid the other day 
> (focused on reverse proxy setups, I will release them soon), and while 
> crawling the Squid MIB I noticed that HTCP metrics don't register anywhere.  
> Furthermore, the entire MIB seems to be in need of updating - here's a list 
> of things I would like to understand or see updated at some point...
> 

Excellent to see someone working on that update and the squid SNMP stuff 
too. Thank you.

In answer to your points below, please retain followup to squid-dev 
mailing list (cc'd) about any further on these.

Firstly which of the _3_ Squid MIB are you trying to get updated?

Re: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Phillip Pi
> > >I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2 
> > >machine, with its IIS, as a proxy server. I can make clients' web 
> > >browsers (e.g., IE and Firefox in Windows XP), go through this proxy 
> > >server with no problems.
> > >
> > >I am wondering if I can use Squid to do the same proxy for network 
> > >devices (e.g., onboard network). I would like to be able to set up PCs' 
> > >Internet access instead of web browsers.
> > 
> > The use of Squid as HTTP proxy is limited only individual app or devices 
> > capabilities.
> > 
> > On windows XP the command "proxycfg -u" IIRC is sufficient to get the 
> > MS-produced apps using the same settings as IE, whether they are proxy 
> > or not.

OK, I think this is perfect after trying it in a Dell OEM Windows XP 
Home SP2. Is this a common method for Windows' proxy setups?
-- 
"In an ant colony, dew is a flood." --Afghan
  /\___/\
 / /\ /\ \  Phil/Ant @ http://antfarm.ma.cx (Personal Web Site)
| |o   o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
   \ _ / E-mail: phi...@earthlink.net or a...@zimage.com
( )


RE: [squid-users] Error 1067 when starting service in Windows 2003 Server

2009-04-15 Thread Philip de Souza
Hi Guido,

Thank you for your reply. The cache log states the following at the very
end:

"
2009/04/15 11:11:11| Loaded Icons.
2009/04/15 11:11:11| commBind: Cannot bind socket FD 12 to xx.xx.xxx.xxx:80:
(10013) WSAEACCES, Permission denied.
FATAL: Cannot open HTTP Port
Squid Cache (Version 2.7.STABLE5): Terminated abnormally.
"

Our server has 3 IP addresses linked onto the one NIC, could it have
something to do with this do you think?

The other two IPs are being used by two websites already, but the IP we are
using is free...

Many thanks,
Philip

-----Original Message-----
From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it] 
Sent: Wednesday, April 15, 2009 4:06 AM
To: Philip de Souza; squid-users@squid-cache.org
Subject: Re: [squid-users] Error 1067 when starting service in Windows 2003
Server

Hi,

At 22.11 14/04/2009, Philip de Souza wrote:
>Wow this is frustrating!
>
>Sorry, but I need help again. I had everything working on our testbed
>Windows 2003 platform (for reverse proxy accelerator services), and so when
>I go and deploy Squid in the same fashion on the live proxy server, I get
>the following when trying to start the SQUID service:
>
>"Could not start the Squid service on local computer. Error 1067: the
>process terminated unexpectedly."
>
>I actually received this error when trying to start it on the test server as
>well, but was able to resolve it by upgrading the server to SP2. The live
>server already has SP2 installed but I installed all outstanding patches on
>it anyway, just in case - no deal. On both machines I ran the squid -z
>command to establish the log directory first. I'm really floored by why this
>is happening though and would GREATLY appreciate anybody's help. We're
>supposed to be going live with this now and this recurring issue is really
>raining on the parade!
>
>Many thanks as ever.

Look at the following:

- cache.log messages
- squid.exe.log in the sbin folder
- Try to start squid from command line and see what happens

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/




Re: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Hunter Fuller
You can't do transparent proxying here?
-hackmiester
Too short? http://five.sentenc.es/



2009/4/15 Dean Weimer :
> Interesting, saw this and thought that it might solve some problems I have 
> been having with applications that import settings from the browser, but 
> don't work with auto detect.  I thought I would try this on Vista, of course 
> it doesn't exist, but there is a replacement.
>
> In Vista (of course you have to run as admin):
> To Display current setting:
> netsh winhttp show proxy
> To import from IE:
> netsh winhttp import proxy source=ie
> (Does anyone know if you can use a different source?)
> To manually set it:
> netsh winhttp set proxy myproxy:port ";localsite1;localsite2;..."
> To Set back to direct:
> netsh winhttp reset proxy
>
> Also I noticed that it imports no proxy if you are set to use a script or 
> automatically detect, the proxycfg in XP still pulls the manual configuration 
> even after I set it to auto detect.  It was set to manual configuration the 
> first time I ran the command, so it appears to not look at the current 
> settings but looks at what is in the registry for the manual configuration 
> whether or not it is currently enabled.
>
> In XP:
> To Display Current Settings:
> proxycfg -d
> To Import from IE:
> Proxycfg -u
> To Manually Set:
> Proxycfg -p myproxy:port ";localsite1;localsite2;..."
>
> Looks like under my environment I will have to use the manual set options to 
> possibly solve the issue, the main problem I have found is that Java doesn't 
> seem to work correctly if the browser is configured for auto detect, it will 
> work however, if the browser is set to use a specific configuration script, 
> or a manually configured proxy.  Both of these options however do require the 
> user to change settings if they have a laptop and try to use it outside of 
> our network.
> Guess if this command fixes the problem I can look at writing a startup 
> script to detect if they are on our local LAN or not and set it to direct or 
> a manual proxy depending on the result, then push this script to clients with 
> group policy.
>
> Thanks,
>  Dean Weimer
>  Network Administrator
>  Orscheln Management Co
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Wednesday, April 15, 2009 7:32 AM
> To: Phillip Pi
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Using Squid as a proxy to change network devices' 
> properties instead of web broswers'?
>
> Phillip Pi wrote:
>> Hello.
>>
>> I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2
>> machine, with its IIS, as a proxy server. I can make clients' web
>> browsers (e.g., IE and Firefox in Windows XP), go through this proxy
>> server with no problems.
>>
>> I am wondering if I can use Squid to do the same proxy for network
>> devices (e.g., onboard network). I would like to be able to set up PCs'
>> Internet access instead of web browsers.
>>
>> Thank you in advance. :)
>
> The use of Squid as HTTP proxy is limited only individual app or devices
> capabilities.
>
> On windows XP the command "proxycfg -u" IIRC is sufficient to get the
> MS-produced apps using the same settings as IE, whether they are proxy
> or not.
>
> I've heard tell of people using ActiveDirectory to push out proxy
> settings to all machines in a controlled network environment, mayhap an
> expert on that will say how if you need it.
>
> Other devices and apps you will have to check out individually and see
> what can be done.
>
> As a fallback for the really limited apps there is always interception
> at the network gateway device. Though this has a whole other set of
> problems and should only be considered as a last resort.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>   Current Beta Squid 3.1.0.7
>


RE: [squid-users] %EXT_USER value

2009-04-15 Thread Bartel Viljoen
Thanks for the reply Amos.

Please see my previous mail for a complete explanation of my
requirements.
http://www.squid-cache.org/mail-archive/squid-users/200904/0295.html 

I'm using 
Squid Cache: Version 3.0.STABLE13

I'm looking for a way to pass a variable to an external acl which must
contain an already authenticated username.
I can not use %LOGIN because squid will assume that it's an auth helper
and prompt the user for re-authentication on ERR return and I want to
return a custom page on ERR return.

I just thought %EXT_USER will contain the username from an external
auth helper.
Conf example
===
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
external_acl_type QuotaUser ttl=1 negative_ttl=0 children=3 %EXT_USER
/sqm/bin/quota_user.pl
acl password proxy_auth REQUIRED
acl quota_user external QuotaUser
http_access  deny  !password
http_access  deny quota_user
http_access allow all
deny_info ERR_CUSTOM_IN_QUOTA_USER quota_user








-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: 15 April 2009 01:56 PM
To: Bartel Viljoen
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] %EXT_USER value

Bartel Viljoen wrote:
> Dear Squid users.
> 
> Does anyone have a working squid conf example of the %EXT_USER that is
> available in squid 3. When I debug the value of %EXT_USER via an 
> external helper, the value is always "-", even though the log file is 
> showing the real username.

%EXT_USER is the value returned from an external helper. So most cases
it would not exist yet. How exactly are you testing it and what exact
release version of squid-3 is this?

> 
> Currently I'm using the following auth program auth_param ntlm program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> 
> A squid conf example would be of great help.

Then the value you are probably looking for is %LOGIN.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7

-
Network & Computing Consultants
Tel: 0861-555444  |  Fax: 0861-555445
http://www.ncc.co.za




RE: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Dean Weimer
Interesting, saw this and thought that it might solve some problems I have been 
having with applications that import settings from the browser, but don't work 
with auto detect.  I thought I would try this on Vista, of course it doesn't 
exist, but there is a replacement.

In Vista (of course you have to run as admin):
To Display current setting:
netsh winhttp show proxy
To import from IE:
netsh winhttp import proxy source=ie
(Does anyone know if you can use a different source?)
To manually set it:
netsh winhttp set proxy myproxy:port ";localsite1;localsite2;..."
To Set back to direct:
netsh winhttp reset proxy

Also I noticed that it imports no proxy if you are set to use a script or 
automatically detect, the proxycfg in XP still pulls the manual configuration 
even after I set it to auto detect.  It was set to manual configuration the 
first time I ran the command, so it appears to not look at the current settings 
but looks at what is in the registry for the manual configuration whether or 
not it is currently enabled.

In XP:
To Display Current Settings:
proxycfg -d
To Import from IE:
Proxycfg -u
To Manually Set:
Proxycfg -p myproxy:port ";localsite1;localsite2;..."

Looks like under my environment I will have to use the manual set options to 
possibly solve the issue, the main problem I have found is that Java doesn't 
seem to work correctly if the browser is configured for auto detect, it will 
work however, if the browser is set to use a specific configuration script, or 
a manually configured proxy.  Both of these options however do require the user 
to change settings if they have a laptop and try to use it outside of our 
network.
Guess if this command fixes the problem I can look at writing a startup script 
to detect if they are on our local LAN or not and set it to direct or a manual 
proxy depending on the result, then push this script to clients with group 
policy.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, April 15, 2009 7:32 AM
To: Phillip Pi
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Using Squid as a proxy to change network devices' 
properties instead of web broswers'?

Phillip Pi wrote:
> Hello.
> 
> I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2 
> machine, with its IIS, as a proxy server. I can make clients' web 
> browsers (e.g., IE and Firefox in Windows XP), go through this proxy 
> server with no problems.
> 
> I am wondering if I can use Squid to do the same proxy for network 
> devices (e.g., onboard network). I would like to be able to set up PCs' 
> Internet access instead of web browsers.
> 
> Thank you in advance. :)

The use of Squid as HTTP proxy is limited only individual app or devices 
capabilities.

On windows XP the command "proxycfg -u" IIRC is sufficient to get the 
MS-produced apps using the same settings as IE, whether they are proxy 
or not.

I've heard tell of people using ActiveDirectory to push out proxy 
settings to all machines in a controlled network environment, mayhap an 
expert on that will say how if you need it.

Other devices and apps you will have to check out individually and see 
what can be done.

As a fallback for the really limited apps there is always interception 
at the network gateway device. Though this has a whole other set of 
problems and should only be considered as a last resort.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7


Re: [squid-users] Putting squid-machine on IPcop's router DMZ interface

2009-04-15 Thread Amos Jeffries

Donatas Gedvilas wrote:

Hello,

I am looking for a help and I am not very good in english so sorry in advance:).
I am a system-network administrator in one company.
I like open source and I have the task "to control users http
traffic", my deadline 3 months.
I refused "Fortigate" and "Astaro" complete commercial products.

I have 110 users at all, but in one office there are about 50 so I
started there.

As far as I know a little debian, I chose it and squid as a
proxy-cache. I installed it on separate machine
listening on 3128 port, with SNMP enabled and MRTG for monitoring,
W3Perl for making nice statistics.
For now I configured 10 users browsers (we use Firefox as the main,
and IE for specific http) to go through my proxy.
Everything is working fine because squid handles with real users ip
addresses, and W3perl output generated from access.log
looks fine because I made translation Name Surname - users IP address.
And is easy to change user browser settings to go directly if
something is wrong with "squid-machine".
But this configuration is good only for testing purposes.

Users (intermediate level) can easy change browser settings not to go
through proxy.
Yes I know there are some methodics how to disable changing such
settings, but doing this with 40-50 users is not a good idea:)

So I need transparent proxy configuration - in my opinion.?


Better to prefer WPAD / PAC files if you can. Then browsers just get set 
to 'auto detect'.


Also, for better control a port-80 block on the firewall is good to 
force use of the proxy.


Only choose intercept to act as a last-choice backup for the stuff where 
both the above fails. Capability limits and breakages under intercept 
are great.




I am using "IPcop" router firewalling machine for testing purposes one
year and it works fine in my case.
(It also have built-in proxy but I don't like it for several reasons,
very weak logs and poor caching capabilities and everything on one
machine ).

So am planning to put Squid-proxy-machine in DMZ
(ipcop's orange interface, as I read from
http://www.deckle.co.za/squid-users-guide is the best place for
cache.)

My trusted hosts would be on green network (trusted) and Ipcop
hand-off's any http 80, ftp 21 and https 443 requests to DMZ (my
orange) interface
on squid-proxy-machine listening on 3128 port, and squid then would be
able to communicate with ISP' cache-servers on the red side with
UDP-ICP protocol
for example - am I right?


If you wish. Topology does not matter for what you have described as 
your requirements.




The main question is in that configuration my squid-machine would be
able to authenticate every user traffic going from green and give nice
outputs with Names Surnames,
or all users ip's from green would be covered by one orange (DMZ) ip
and squid-machine wouldn't be able to see nice outputs based on ip's.


#1 limit of interception is no HTTP authentication. There are tricks and 
ways around that, but it's actually easier to get your head around 
WPAD/PAC than to get side-band auth right.




Also I have www server and planing ftp server to put on DMZ.

Please, advise my how to do the best in that way or give another
configuration example, because I can't to test this way now in
practice
(because my squid-machine is placed in one office and ipcop firewall
in another (different cities, different branches).

I would be waiting for any help thanks



Check through:
  http://wiki.squid-cache.org/ConfigExamples
and see if any of the examples suit you or leads to a good idea.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] squid - Reverse Proxy to access customer's modem interface

2009-04-15 Thread Amos Jeffries

Antoine Rouchet wrote:

Hello everyone

I'm Antoine Rouchet, I work for a french cable ISP (Numericable).

My actual project is to allow our hotliners and IT staff to access 
customer's modem web management interface:


- We have several thousands of modems on the network, each of them have 
a management web interface to which the customer can access (with "user" 
privileges) from his local private network, and to which we can access 
over the dedicated "modem" network too (with more privileges).


- But it is not possible to allow the access to this "modem" network to 
untrusted people, so the idea is to set up a unique gateway (an HTTP 
server/proxy) our staff can access via an URL (like: 
http://modemgw.staff.private/modem/ip_10.1.2.3/).


- Of course the main problem is that every customer's modem cannot be 
declared in the proxy configuration file, it must be dynamic (i.e.: a 
directive in the configuration file allow reverse proxying to 10.0.0.0/8 
from *.private)


I know squid can do everything here, but I'm not sure for the last 
condition (target not declared in configuration file). Does anyone have 
an idea about that? Any help is welcome, of course.


(I've also tried with Apache + mod_proxy/mod_html/mod_rewrite. But the 
only thing mod_rewrite support is to declare a simple proxy with a 
RewriteRule (P flag) directive, so there is no rewriting of the 
HTML/headers.)


Best regards,
Antoine Rouchet.



url_rewrite_program to alter the URL from 
http://modemgw.staff.private/modem/10.1.2.3/ to http://10.1.2.3/ inside 
squid.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
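
The url_rewrite_program suggested above, sketched as a helper script. This is an added example, not code from the thread or from the Squid project; it assumes the Squid 2.7/3.0 helper protocol without url_rewrite_concurrency (one request per line with the URL as the first field, reply is the new URL or an empty line for "no change"), and the function names are illustrative. It accepts both URL shapes used in the thread and only rewrites to addresses inside 10.0.0.0/8.

```python
#!/usr/bin/env python3
"""url_rewrite_program helper: /modem/<ip>/... on the gateway -> http://<ip>/..."""
import ipaddress
import re
import sys
from urllib.parse import urlsplit

# Both values are taken from the thread.
GATEWAY_HOST = "modemgw.staff.private"
MODEM_NET = ipaddress.ip_network("10.0.0.0/8")

# Accepts /modem/10.1.2.3/... and /modem/ip_10.1.2.3/...
_PATH_RE = re.compile(r"/modem/(?:ip_)?(\d{1,3}(?:\.\d{1,3}){3})(/.*)?")


def rewrite(url):
    """Return the modem URL, or "" to tell Squid to leave the request as is."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    # Only plain-HTTP requests addressed to the gateway name are candidates.
    if parts.scheme != "http" or parts.hostname != GATEWAY_HOST:
        return ""
    if parts.username or parts.password:
        return ""
    match = _PATH_RE.fullmatch(parts.path)
    if match is None:
        return ""
    try:
        ip = ipaddress.IPv4Address(match.group(1))
    except ValueError:
        # e.g. an octet above 255
        return ""
    # The target host is built only from the validated address, so the
    # request cannot be steered outside the modem network.
    if ip not in MODEM_NET:
        return ""
    target = "http://%s%s" % (ip, match.group(2) or "/")
    if parts.query:
        target += "?" + parts.query
    return target


def handle_line(line):
    """Process one helper input line: 'URL client_ip/fqdn ident method ...'."""
    fields = line.split()
    if not fields:
        return ""
    return rewrite(fields[0])


def main():
    # Squid keeps the helper running and expects exactly one reply line per
    # request line, flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

An empty reply only means "no rewrite", so requests the helper declines still have to be refused by http_access rules in squid.conf.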


[squid-users] squid cache problem

2009-04-15 Thread Luciano Sousa
hello.

i'm having a problem with idiot.
at least once every two days I have to clear the cache of my squid,
because it begins to deny all access, probably because it is full ...

my squid.conf

http_port 3128
icp_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 500 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir ufs /usr/local/squid/cache 1500 32 256
cache_access_log /usr/local/squid/logs/access.log
pid_filename /usr/local/squid/logs/squid.pid
acl manager proto cache_object
cache_log /usr/local/squid/logs/cache.log
cache_store_log /usr/local/squid/logs/store.log

logformat logluciano IP do cliente: %>a - Username: %un - Horario:
[%tl] - Metodo: %rm - URL: %ru - Status HTTP: %Hs - Status Squid: %Ss
- Porta: %>p
cache_access_log /usr/local/squid/logs/logteste.log logluciano

auth_param ntlm program /usr/bin/ntlm_auth domain/pdc
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic children 5
auth_param basic realm Digite o LOGIN/SENHA
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

external_acl_type nt_group %LOGIN /usr/local/squid/etc/wbinfo_group.pl
acl AllowedWindowsGroups external nt_group testnet
http_access allow AllowedWindowsGroups

acl localhost src 127.0.0.1/255.255.255.255
acl redelocal src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 6959#mirc
acl Safe_ports port 900 #mirc
acl Safe_ports port 23  #smtp
acl Safe_ports port 143 #imap

acl CONNECT method CONNECT
acl acesso proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow acesso
http_access allow redelocal
icp_access allow all
debug_options ALL,1 33,2


thank's.


Re: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Phillip Pi
Thanks. So Squid cannot do what I am looking for and is only for http.

I will check out proxycfg.exe command. This is a new one to me. I hope 
Vista and Windows 7 have it too.


On Thu, Apr 16, 2009 at 12:32:15AM +1200, Amos Jeffries wrote:

> >I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2 
> >machine, with its IIS, as a proxy server. I can make clients' web 
> >browsers (e.g., IE and Firefox in Windows XP), go through this proxy 
> >server with no problems.
> >
> >I am wondering if I can use Squid to do the same proxy for network 
> >devices (e.g., onboard network). I would like to be able to set up PCs' 
> >Internet access instead of web browsers.
> >
> >Thank you in advance. :)
> 
> The use of Squid as HTTP proxy is limited only individual app or devices 
> capabilities.
> 
> On windows XP the command "proxycfg -u" IIRC is sufficient to get the 
> MS-produced apps using the same settings as IE, whether they are proxy 
> or not.
> 
> I've heard tell of people using ActiveDirectory to push out proxy 
> settings to all machines in a controlled network environment, mayhap an 
> expert on that will say how if you need it.
> 
> Other devices and apps you will have to check out individually and see 
> what can be done.
> 
> As a fallback for the really limited apps there is always interception 
> at the network gateway device. Though this has a whole other set of 
> problems and should only be considered as a last resort.


Re: [squid-users] It doesnt cacche

2009-04-15 Thread Amos Jeffries

Merdouille wrote:

> Hi,
>
> I don't understand why my squid doesn't cache anything :



Here you neglect to say what version and release of squid you are using...


> my access log said   TCP_CLIENT_REFRESH_MISS:DIRECT



Here you show a line which indicates that yes, your squid cached 
something, and on being retrieved the client forced squid to fetch a new 
one anyways.

Ref: http://wiki.squid-cache.org/SquidFaq/SquidLogs


> my cfg :
>
> # Listen on port 80 to act as a transparent proxy
> http_port 80 transparent
>
> #=== LOG MANAGEMENT
> # location
> access_log  /var/log/squid/access.log
> cache_log   /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> cache_swap_log  /var/log/squid/swap.log
> useragent_log   /var/log/squid/useragent.log
> referer_log /var/log/squid/referer.log
> # Options
> emulate_httpd_log   on
> client_netmask  255.255.255.255
>
> #== CACHE MANAGEMENT
> # Objects to cache
> # here there are regular expressions, then the minimum duration, the acceptable % of time
> #   type    min %   max options
> refresh_pattern -i \*.jpg$ 150% 2 override-expire
> reload-into-ims ignore-reload
> # Disk cache
> #   mode    link    size    R1  R2  options
> cache_dir   ufs /var/spool/squid/   1000    16  256
> max-size=32768

Objects 32 KB maximum object size stored?


maximum_object_size 32768 KB


Yet 32 MB can be attempted to be stored? This combo might lead to problems.


minimum_object_size 0 KB
# Cache RAM
cache_mem 100 MB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
cache_replacement_policy lru

#== REWRITE URL
url_rewrite_program /etc/squid/rewriter.php
url_rewrite_children 20
redirector_bypass off

#== ACL's
acl all src all
acl rw  url_regex -ihttp://192.168.100.189/img=*
acl out dstdomain   "/etc/squid/white"
acl localhost   src 127.0.0.1
acl manager proto   cache_object

#= Application des ACL
url_rewrite_access  allow   rw
http_access allow   manager localhost
http_access allow   rw
http_access denyall
http_reply_access   allow   out
deny_info TCP_RESET all
#=== MISC
pid_filename /var/run/squid.pid
cachemgr_passwd toto all
# pas de protocole d'échnage de cache
icp_port 0
# pas de snmp
snmp_port 0

half_closed_clients off
dns_nameservers 192.168.100.1 192.168.100.1


One nameserver, one entry.

Or better yet;
  place the correct network nameserver in /etc/resolv.conf and drop 
this setting entirely.



#évite de garder des stat sur les IP
client_db off
buffered_logs on
client_persistent_connections off

if i use http_port 80 tranparent, url rewrite is OK but without cache
If i use http_port 80, squid send me an error page like :

While trying to process the request:

GET
/img=http%3A%2F%2Ffiles.macbidouille.com%2Fmbv2%2Fnews%2F200509%2Fnano_1yen.jpg
HTTP/1.1
Host: 192.168.100.189

Invalid Request 



Yes. Well. Intercepted requests and reverse-proxy requests are not the 
same URL format as forward-proxy requests. Please specify the correct 
input mode the requests are coming in as:

  http://wiki.squid-cache.org/SquidFaq  (section: "Modes")

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
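
The reading of the log line given in the reply above, as an added example (not part of the original thread): a tally of Squid result codes that separates client-forced refreshes (TCP_CLIENT_REFRESH_MISS) from ordinary misses and hits. It accepts the native access.log layout and the httpd-style layout that `emulate_httpd_log on` in the posted config produces; the sample lines and all function names are constructed for illustration.

```python
"""Tally Squid result codes: hits, ordinary misses, client-forced refreshes."""
import re
from collections import Counter

# Native access.log: time elapsed client CODE/status bytes method URL ...
NATIVE = re.compile(r"^\d+\.\d+\s+-?\d+\s+\S+\s+(?P<code>[A-Z_]+)/\d{3}\s")
# With "emulate_httpd_log on": ... "METHOD URL HTTP/x.y" status bytes CODE:HIERARCHY
HTTPD = re.compile(r'"\s+\d{3}\s+\S+\s+(?P<code>[A-Z_]+):[A-Z_]+\s*$')

# Constructed sample lines (three native, three httpd-style); not from the thread.
SAMPLE_LOG = """\
1239780001.120    412 192.0.2.10 TCP_MISS/200 18233 GET http://example.com/a.jpg - DIRECT/198.51.100.7 image/jpeg
1239780005.300     35 192.0.2.10 TCP_CLIENT_REFRESH_MISS/200 18233 GET http://example.com/a.jpg - DIRECT/198.51.100.7 image/jpeg
1239780009.010      1 192.0.2.11 TCP_MEM_HIT/200 18240 GET http://example.com/a.jpg - NONE/- image/jpeg
192.0.2.10 - - [15/Apr/2009:09:20:11 +0200] "GET http://example.com/b.jpg HTTP/1.1" 200 5120 TCP_CLIENT_REFRESH_MISS:DIRECT
192.0.2.11 - - [15/Apr/2009:09:20:15 +0200] "GET http://example.com/b.jpg HTTP/1.1" 200 5127 TCP_HIT:NONE
192.0.2.12 - - [15/Apr/2009:09:20:19 +0200] "GET http://example.org/ HTTP/1.1" 403 1384 TCP_DENIED:NONE
"""


def classify(code):
    """Map a Squid result code to hit / miss / client_forced / other."""
    if code == "TCP_CLIENT_REFRESH_MISS":
        # The client sent a no-cache style request, so Squid refetched.
        return "client_forced"
    if "HIT" in code or code == "TCP_REFRESH_UNMODIFIED":
        return "hit"
    if "MISS" in code or code == "TCP_REFRESH_MODIFIED":
        return "miss"
    return "other"  # e.g. TCP_DENIED, NONE


def tally(lines):
    """Count result-code categories over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        match = NATIVE.match(line) or HTTPD.search(line)
        counts[classify(match.group("code")) if match else "unparsed"] += 1
    return counts


def forced_share(counts):
    """Fraction of cacheable-looking requests that were client-forced refreshes."""
    total = counts["hit"] + counts["miss"] + counts["client_forced"]
    return counts["client_forced"] / total if total else 0.0


if __name__ == "__main__":
    result = tally(SAMPLE_LOG.splitlines())
    print(dict(result), "forced share: %.0f%%" % (100 * forced_share(result)))
```

A high forced share means objects are being stored but the clients keep asking for fresh copies, which is a different problem from objects never entering the cache.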


Re: [squid-users] squid - loading, checking and purging

2009-04-15 Thread Amos Jeffries

Sir June wrote:
> i'm looking for command-line  options..

squidclient is your friend for atomic type object operations. Just be 
careful when pulling binary objects since it will dump the resulting 
page to stdout/screen.

1)  squidclient -H "Cache-Control: only-if-cached\n" http://example.com/mypage.html

2) squidclient -m PURGE http://example.com/mypage.html

3) fast way:  wget -i list.txt -O /dev/null
alternative:
  for f in `cat list.txt`; do squidclient $f >/dev/null; done

Amos

> - Original Message 
> From: Pieter De Wit 
> To: Sir June 
> Cc: squid-users@squid-cache.org
> Sent: Tuesday, April 14, 2009 9:48:50 PM
> Subject: Re: [squid-users] squid - loading, checking and purging
>
> Hi :)
>
> 1 - I *think* webmin has this feature - not sure how to do it directly 
> with squid.
>
> 2 - As above
>
> 3 - export HTTP_PROXY="squid:port" wget 
>
> 3a - It won't be 100% sure if the object will be stored as squid will work 
> it out (using policies etc)
>
> Just a bit of help :)
>
> Cheers,
>
> Pieter
>
> On Tue, 14 Apr 2009, Sir June wrote:
>
> > Hi,
> >
> > I just joined this mailing list and i'd like to get insights on how to do the 
> > following?
> >
> > 1)  how to check if an object or a URL  is in the squid cache? 
> >
> > 2)  how to purge an object or a URL from the squid cache?
> >
> > 3)  if i have a long list (1000 items)  of objects/url that i want to load into 
> > the cache, how do i load it?
> >
> > thanks,
> > sirjune

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] Using Squid as a proxy to change network devices' properties instead of web broswers'?

2009-04-15 Thread Amos Jeffries

Phillip Pi wrote:
> Hello.
>
> I got Squid v2.7 stable 6 installed and working in a Windows XP Pro. SP2 
> machine, with its IIS, as a proxy server. I can make clients' web 
> browsers (e.g., IE and Firefox in Windows XP), go through this proxy 
> server with no problems.
>
> I am wondering if I can use Squid to do the same proxy for network 
> devices (e.g., onboard network). I would like to be able to set up PCs' 
> Internet access instead of web browsers.
>
> Thank you in advance. :)

The use of Squid as HTTP proxy is limited only by individual app or devices 
capabilities.


On windows XP the command "proxycfg -u" IIRC is sufficient to get the 
MS-produced apps using the same settings as IE, whether they are proxy 
or not.


I've heard tell of people using ActiveDirectory to push out proxy 
settings to all machines in a controlled network environment, mayhap an 
expert on that will say how if you need it.


Other devices and apps you will have to check out individually and see 
what can be done.


As a fallback for the really limited apps there is always interception 
at the network gateway device. Though this has a whole other set of 
problems and should only be considered as a last resort.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] SNMP MIB updates?

2009-04-15 Thread Amos Jeffries

Gregori Parker wrote:
> I was creating a fresh batch of cacti graph templates for Squid the other day 
> (focused on reverse proxy setups, I will release them soon), and while crawling 
> the Squid MIB I noticed that HTCP metrics don't register anywhere.  
> Furthermore, the entire MIB seems to be in need of updating - here's a list of 
> things I would like to understand or see updated at some point...

Excellent to see someone working on that update and the squid SNMP stuff 
too. Thank you.

In answer to your points below, please retain followup to squid-dev 
mailing list (cc'd) about any further on these.

Firstly which of the _3_ Squid MIB are you trying to get updated?
 Squid-2.x, 3.0, or 3.x MIB?

> * cachePeerTable should be re-created so that it doesn't index by ip address 
> (results in OID not increasing error when walking!)

While we do see this as a minor issue in need of cleanup one day it's not 
a major problem (the -Cc options of snmpwalk is created for such) but 
has major alterations needed to fix it.
If you want to spend the time please discuss ideas on how it can be 
solved with us first. There have been many discussions and attempts in 
the past which can be leveraged to reduce dead-end work.

> * update cacheIcp* to register HTCP now that it is built in by default

Good idea, but I would rather see a cacheHtcp* added instead of 
cacheIcp* extended with a new protocol.
If it does make more sense to detail them together then a better name 
than cacheIcp needs to be chosen for the joint tables.

> * add a cacheHttpMisses (and pending, and negative) to cacheProtoAggregateStats

okay, details on what you are thinking though please.

> * more detailed memory counters - the current cacheMemUsage doesn't seem to 
> measure how much memory is being used for caching (in my diskless cache setups, 
> the counter flatlines around 600MB when I know there is much more than that 
> being used)

Thing to look at here is SNMP data type the counter is being forced 
into. We hit a similar issue just a short while ago that turned out to 
be a too-small field. I don't know of SNMP being updated for sizes since 
the 64-bit stuff went default.

Otherwise might be explained by; not all memory is accounted for by 
Squid MemPools, certain objects and such use stack, or unaccounted heap 
space. These are all design choices within the code itself, not an SNMP 
solvable issue.

> * cacheCpuUsage is constant at 8% across a variety of squid servers at all 
> times - I can see that this doesn't match up with what I see locally via top or 
> in my normal unix cpu graphs.

Does sound like trouble. At least it needs to be investigated and any 
results documented about what's actually going on.

> * throughput should be measured in bits instead of kilobytes throughout the MIB

Ah, nice, but AFAIK the output reflects the level of details kept in 
counters. An upgrade of that I agree is needed. Just be careful not to 
get into too much work there.

> Btw, I've been trying to understand the differences between the 
> cacheProtoAggregateStats and cacheIpCache tables - I get very different numbers 
> in terms of requests, hits, etc and I can't account for it.

Anyone have info on this?


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] squid 3.0.STABLE14 not redirecting to squidGuard

2009-04-15 Thread Amos Jeffries

vollkom...@gmx.net wrote:
> Currently running squid 3.0.STABLE14-20090412, but the issue has been around 
> for months, possibly ever since moving to 3.0STABLE release from 3.0PRE, or 
> maybe
>
> squid 3.0 config:
>
> url_rewrite_program /usr/local/squid/bin/squidGuard -c /Applications/squid/squidguard.conf
> url_rewrite_children 8
> url_rewrite_concurrency 8
> url_rewrite_host_header off
>
> cache.log with debug_options 61,5
>
> 2009/04/14 19:58:13.313| redirectStart: 'http://doubleclick.net/'
> 2009/04/14 19:58:13.313| redirectHandleRead: {}
> 2009/04/14 19:58:13.506| redirectStart: 'http://www.doubleclick.com/'
> 2009/04/14 19:58:13.507| redirectHandleRead: {}
>
> squidGuard 1.4 is blocking just fine by itself:
>
> echo "http://doubleclick.net 1.2.3.4/- user GET -" | squidGuard -c /Applications/squid/squidguard.conf -d

That test is _not_ allowing for concurrency. Which adds a channel-ID 
column as the first entry

Try without the "url_rewrite_concurrency" line.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
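
The channel-ID point in the reply above, as an added example that is not part of the original thread and is not squidGuard's code: a toy url_rewrite helper showing the input line with and without `url_rewrite_concurrency`, and what a helper that does not expect the channel-ID ends up reading. The block list, `BLOCK_PAGE` and all function names are assumptions; replies use the plain form of a rewritten URL or an empty line for "no change".

```python
"""Toy Squid url_rewrite helper illustrating the concurrency channel-ID column."""
import sys

BLOCKED_HOSTS = {"doubleclick.net", "www.doubleclick.com"}  # constructed sample list
BLOCK_PAGE = "http://proxy.example.invalid/blocked.html"     # hypothetical target


def host_of(url):
    """Return the lowercase host of a scheme://host[:port]/path URL, or ''."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    authority = rest.split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]  # drop any user-info part
    return hostport.split(":", 1)[0].lower()


def parse_request(line, concurrency):
    """Split one helper input line into (channel_id, url).

    With url_rewrite_concurrency set, Squid prefixes every request line with
    a numeric channel-ID; without it the URL is the first field.
    """
    fields = line.split()
    if concurrency:
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError("expected '<channel-ID> <URL> ...': %r" % line)
        return fields[0], fields[1]
    if not fields:
        raise ValueError("empty request line")
    return None, fields[0]


def answer(line, concurrency):
    """Return the reply line (no trailing newline) for one request line."""
    channel, url = parse_request(line, concurrency)
    verdict = BLOCK_PAGE if host_of(url) in BLOCKED_HOSTS else ""
    if channel is None:
        return verdict  # empty reply means "leave the URL alone"
    # Concurrent replies must echo the channel-ID so Squid can match them up.
    return (channel + " " + verdict).rstrip()


def serve(stdin=sys.stdin, stdout=sys.stdout, concurrency=False):
    """Helper main loop: one reply per request line, flushed immediately."""
    for line in stdin:
        stdout.write(answer(line, concurrency) + "\n")
        stdout.flush()


if __name__ == "__main__":
    plain = "http://doubleclick.net 1.2.3.4/- user GET -"  # format of the echo test
    concurrent = "0 " + plain                               # what Squid sends with concurrency
    print(repr(answer(plain, concurrency=False)))       # blocked
    print(repr(answer(concurrent, concurrency=True)))   # blocked, ID echoed
    print(repr(answer(concurrent, concurrency=False)))  # '0' read as the URL: nothing blocked
```

The last call is the mismatch: the helper treats the channel-ID as the URL, finds nothing to block and returns an empty reply, so a command-line test in the non-concurrent format can pass while the configured service blocks nothing.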


Re: [squid-users] %EXT_USER value

2009-04-15 Thread Amos Jeffries

Bartel Viljoen wrote:
> Dear Squid users.
>
> Does anyone have a working squid conf example of the %EXT_USER that is
> available in squid 3. When I debug the value of
> %EXT_USER via an external helper, the value is always "-", even though
> the log file is showing the real username.

%EXT_USER is the value returned from an external helper. So most cases 
it would not exist yet. How exactly are you testing it and what exact 
release version of squid-3 is this?

> Currently I'm using the following auth program
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> A squid conf example would be of great help.

Then the value you are probably looking for is %LOGIN.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] Squid with Tproxy

2009-04-15 Thread Amos Jeffries

trasor wrote:
> Running squid with tproxy I am seeing entries in the cache log of 
> 'commBind: cannot bind to socket FD # to x.x.x.ip: (22) Invalid 
> argument'. This is followed by a 'Warning: Reset of FD # for x.x.x.ip 
> failed to bind: (22) Invalid argument'.  From reading, this may be 
> related to an end user using ftp and as such should be ok just a 
> nuisance in the cache log.  However, I am also seeing 'assertion failed: 
> MemBuf .cc:388: "new_cap > (size_t) capacity"' whereby squid immediately 
> restarts initialization and once initialized I start seeing the same 
> 'commBind' entries.  I understand these 'commBind' entries are occurring 
> because squid has reinitialized and are no longer bound to the associated 
> connections.  My server has 16GB of ram and the swap is not being 
> touched so I am not following why the 'new_cap is greater than size_t 
> capacity'.  There are also occasions where after the assertion failure 
> occurs, squid does not restart on its own.

Squid uses dynamic-length buffers which greatly help overruns.
That assertion is showing that a buffer is being _expanded_ to a size 
smaller than it started.
We need a stack trace to see where that shrink is occurring, it may be 
useful to allow shrinks, but we have yet to find a real case for it.

> Another issue is dealing with Norton LiveUpdate and http1.1  Looking 
> thru the forums I see the fix is to place http11 after the http_port, 
> i.e. 'http_port 3129 tproxy http11'.  But according to the change log 
> that function has not been ported over from 2.7 as of yet, correct?  I 
> did run across an entry in the change details for Squid 3 Head dealing 
> with http1.1, 
> http://www.squid-cache.org/Versions/v3/HEAD/changesets/b9622.patch. Will 
> this patch allow Live Updates to work?

There was a broken version of Norton LU that refused to respond to 
HTTP/1.0 clients. Last I heard Norton released an updated version 
without that problem.

> cache.log:

2009/04/12 07:56:11| assertion failed: MemBuf.cc:388: "new_cap > 
(size_t) capacity"
2009/04/12 07:56:14| Starting Squid Cache version 3.1.0.6 for 
x86_64-unknown-linux-gnu...

2009/04/12 07:56:14| Process ID 16647
2009/04/12 07:56:14| With 1024 file descriptors available
2009/04/12 07:56:14| Initializing IP Cache...
2009/04/12 07:56:14| DNS Socket created at [::], FD 7
2009/04/12 07:56:14| Adding domain lhtot.com from /etc/resolv.conf
2009/04/12 07:56:14| Adding nameserver 12.199.163.4 from /etc/resolv.conf
2009/04/12 07:56:14| Adding nameserver 74.51.162.4 from /etc/resolv.conf
2009/04/12 07:56:14| Unlinkd pipe opened on FD 12
2009/04/12 07:56:14| Store logging disabled
2009/04/12 07:56:14| Swap maxSize 1143357440 KB, estimated 87950572 objects
2009/04/12 07:56:14| Target number of buckets: 4397528
2009/04/12 07:56:14| Using 8388608 Store buckets
2009/04/12 07:56:14| Max Mem  size: 4194304 KB
2009/04/12 07:56:14| Max Swap size: 1143357440 KB
2009/04/12 07:56:14| Version 1 of swap file without LFS support detected...
2009/04/12 07:56:14| Rebuilding storage in /cache (DIRTY)
2009/04/12 07:56:14| Using Least Load store dir selection
2009/04/12 07:56:14| Set Current Directory to /cache
2009/04/12 07:56:14| Loaded Icons.
2009/04/12 07:56:14| Accepting  spoofing HTTP connections at 
0.0.0.0:3129, FD 15.

2009/04/12 07:56:14| HTCP Disabled.
2009/04/12 07:56:14| Squid modules loaded: 0
2009/04/12 07:56:14| Ready to serve requests.
2009/04/12 07:56:14| Store rebuilding is 0.67% complete
2009/04/12 07:56:16| Done reading /cache swaplog (610295 entries)
2009/04/12 07:56:16| Finished rebuilding storage from disk.
2009/04/12 07:56:16|604141 Entries scanned
2009/04/12 07:56:16| 0 Invalid entries.
2009/04/12 07:56:16| 0 With invalid flags.
2009/04/12 07:56:16|598162 Objects loaded.
2009/04/12 07:56:16| 0 Objects expired.
2009/04/12 07:56:16|  5979 Objects cancelled.
2009/04/12 07:56:16| 0 Duplicate URLs purged.
2009/04/12 07:56:16| 0 Swapfile clashes avoided.
2009/04/12 07:56:16|   Took 2.34 seconds (255507.19 objects/sec).
2009/04/12 07:56:16| Beginning Validation Procedure
2009/04/12 07:56:17|   262144 Entries Validated so far.
2009/04/12 07:56:17|   524288 Entries Validated so far.
2009/04/12 07:56:17|   786432 Entries Validated so far.
2009/04/12 07:56:17|   1048576 Entries Validated so far.
2009/04/12 07:56:17|   Completed Validation Procedure
2009/04/12 07:56:17|   Validated 1196349 Entries
2009/04/12 07:56:17|   store_swap_size = 9346436
2009/04/12 07:56:17| storeLateRelease: released 0 objects
2009/04/12 07:58:14| commBind: Cannot bind socket FD 147 to 
64.201.93.245: (22) Invalid argument
2009/04/12 07:58:14| WARNING: Reset of FD 147 for 64.201.93.245 failed 
to bind: (22) Invalid argument
2009/04/12 07:58:14| commBind: Cannot bind socket FD 147 to 
64.201.93.245: (22) Invalid argument
2009/04/12 07:58:14| WARNING: Reset of FD 147 for 64.201.93.245 failed 
to bind: (22) Invalid argument
2009/04/12 07:59:11| assertion failed: MemBuf.cc:388: "new_cap > 
(size

Re: [squid-users] squid - loading, checking and purging

2009-04-15 Thread Sir June

i'm looking for command-line  options.. 



- Original Message 
From: Pieter De Wit 
To: Sir June 
Cc: squid-users@squid-cache.org
Sent: Tuesday, April 14, 2009 9:48:50 PM
Subject: Re: [squid-users] squid - loading, checking and purging

Hi :)

1 - I *think* webmin has this feature - not sure how to do it directly 
with squid.

2 - As above

3 - export HTTP_PROXY="squid:port" wget 

3a - It won't be 100% sure if the object will be stored as squid will work 
it out (using policies etc)

Just a bit of help :)

Cheers,

Pieter

On Tue, 14 Apr 2009, Sir June wrote:

>
> Hi,
>
> I just joined this mailing list and i'd like to get insights on how to do the 
> following?
>
> 1)  how to check if an object or a URL  is in the squid cache? 
>
> 2)  how to purge an object or a URL from the squid cache?
>
> 3)  if i have a long list (1000 items)  of objects/url that i want to load 
> into the cache, how do i load it?
>
>
> thanks,
> sirjune
>
>
>
>





[squid-users] Antwort: Re: [squid-users] Fw: multiple A records with squid

2009-04-15 Thread Martin . Pichlmaier
Hi Guido,

thank you for your help and reply!

Somehow I missed that option when searching for that at 
www.squid-cache.org.
I was looking for options with "DNS" in the name :-)

Regards,
Martin


Guido Serassio  wrote on 15.04.2009 13:04:33:

> Hi,
> 
> At 09.01 15/04/2009, martin.pichlma...@continental-corporation.com wrote:
> >Hello all,
> >
> >some of my users complain that a page (www.bestjobs.ro) with cookies and
> >some other stuff hangs sometimes,
> >returns "Connection reset by peer" and so on.
> >Some problems can be resolved by reloading the page, some can not.
> >The pages that make problems are not the normal ones but after logging in
> >and using some of the
> >"more advanced features" of the web server regarding commenting to some of
> >the information there.
> >If the users access the web server without squid -- directly connected to
> >the internet -- it all works.
> >
> >It seems to me that the problems have something to do with DNS;
> >www.bestjobs.ro returns not
> >one but 5 IPv4 addresses.
> >With Windows XP and no proxy the browser always uses only one IP;
> >squid -- I use version 3.0-STABLE 11 on RedHat AS 5 -- uses all 5 IPs in a
> >round-robin fashion.
> >The web servers do not serve static but dynamic pages and therefore I
> >think the requests _should_
> >always go to the same IP address. But the load balancing probably makes
> >the problems.
> >
> >I am fully aware that the problem is not the fault of squid but of the DNS
> >loadbalancing of the web servers.
> >Nevertheless I have to provide a solution...
> >
> >Is there a parameter within squid to change the behaviour of DNS load
> >balancing when there
> >is more than one IP in a DNS response?
> >I do not want to disable load balancing but put a "on hold" parameter so
> >that squid uses the
> >same IP maybe a minute and then switches to the next IP and uses that for
> >the next one minute
> >and not a different IP for every request.
> >Even better would be a source address affinity -- for one client all
> >requests go to IP 1 of the pool,
> >the next client is routed over squid to IP 2 and so on.
> >
> >Is there a solution to that?
> 
> Sure, try:
> 
> http://www.squid-cache.org/Versions/v3/3.0/cfgman/balance_on_multiple_ip.html
> 
> Regards
> 
> Guido
> 
> 
> 
> -
> 
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135  Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it/
> 



Re: [squid-users] Error 1067 when starting service in Windows 2003 Server

2009-04-15 Thread Guido Serassio

Hi,

At 22.11 14/04/2009, Philip de Souza wrote:
> Wow this is frustrating!
>
> Sorry, but I need help again. I had everything working on our testbed
> Windows 2003 platform (for reverse proxy accelerator services), and so when
> I go and deploy Squid in the same fashion on the live proxy server, I get
> the following when trying to start the SQUID service:
>
> "Could not start the Squid service on local computer. Error 1067: the
> process terminated unexpectedly."
>
> I actually received this error when trying to start it on the test server as
> well, but was able to resolve it by upgrading the server to SP2. The live
> server already has SP2 installed but I installed all outstanding patches on
> it anyway, just in case - no deal. On both machines I ran the squid -z
> command to establish the log directory first. I'm really floored by why this
> is happening though and would GREATLY appreciate anybody's help. We're
> supposed to be going live with this now and this recurring issue is really
> raining on the parade!
>
> Many thanks as ever.

Look at the following:

- cache.log messages
- squid.exe.log in the sbin folder
- Try to start squid from command line and see what happens

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Fw: multiple A records with squid

2009-04-15 Thread Guido Serassio

Hi,

At 09.01 15/04/2009, martin.pichlma...@continental-corporation.com wrote:
> Hello all,
>
> some of my users complain that a page (www.bestjobs.ro) with cookies and
> some other stuff hangs sometimes,
> returns "Connection reset by peer" and so on.
> Some problems can be resolved by reloading the page, some can not.
> The pages that make problems are not the normal ones but after logging in
> and using some of the
> "more advanced features" of the web server regarding commenting to some of
> the information there.
> If the users access the web server without squid -- directly connected to
> the internet -- it all works.
>
> It seems to me that the problems have something to do with DNS;
> www.bestjobs.ro returns not
> one but 5 IPv4 addresses.
> With Windows XP and no proxy the browser always uses only one IP;
> squid -- I use version 3.0-STABLE 11 on RedHat AS 5 -- uses all 5 IPs in a
> round-robin fashion.
> The web servers do not serve static but dynamic pages and therefore I
> think the requests _should_
> always go to the same IP address. But the load balancing probably makes
> the problems.
>
> I am fully aware that the problem is not the fault of squid but of the DNS
> loadbalancing of the web servers.
> Nevertheless I have to provide a solution...
>
> Is there a parameter within squid to change the behaviour of DNS load
> balancing when there
> is more than one IP in a DNS response?
> I do not want to disable load balancing but put a "on hold" parameter so
> that squid uses the
> same IP maybe a minute and then switches to the next IP and uses that for
> the next one minute
> and not a different IP for every request.
> Even better would be a source address affinity -- for one client all
> requests go to IP 1 of the pool,
> the next client is routed over squid to IP 2 and so on.
>
> Is there a solution to that?


Sure, try:
http://www.squid-cache.org/Versions/v3/3.0/cfgman/balance_on_multiple_ip.html

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] Putting squid-machine on IPcop's router DMZ interface

2009-04-15 Thread Donatas Gedvilas
Hello,

I am looking for help and I am not very good at English, so sorry in advance :).
I am a system-network administrator in one company.
I like open source and I have the task "to control users http
traffic", my deadline 3 months.
I refused "Fortigate" and "Astaro" complete commercial products.

I have 110 users in all, but in one office there are about 50 so I
started there.

As I know a little Debian, I chose it and squid as a
proxy-cache. I installed it on a separate machine
listening on 3128 port, with SNMP enabled and MRTG for monitoring,
W3Perl for making nice statistics.
For now I configured 10 users' browsers (we use Firefox as the main,
and IE for specific http) to go through my proxy.
Everything is working fine because squid handles real users' ip
addresses, and W3perl output generated from access.log
looks fine because I made translation Name Surname - users IP address.
And it is easy to change user browser settings to go directly if
something is wrong with "squid-machine".
But this configuration is good only for testing purposes.

Users (intermediate level) can easily change browser settings not to go
through proxy.
Yes I know there are some methods to disable changing such
settings, but doing this with 40-50 users is not a good idea:)

So I need a transparent proxy configuration - in my opinion?

I am using "IPcop" router firewalling machine for testing purposes one
year and it works fine in my case.
(It also has a built-in proxy but I don't like it for several reasons,
very weak logs and poor caching capabilities and everything on one
machine ).

So I am planning to put the Squid-proxy-machine in the DMZ
(ipcop's orange interface, as I read from
http://www.deckle.co.za/squid-users-guide is the best place for
cache.)

My trusted hosts would be on green network (trusted) and Ipcop
hands off any http 80, ftp 21 and https 443 requests to DMZ (my
orange) interface
on squid-proxy-machine listening on 3128 port, and squid then would be
able to communicate with ISP's cache-servers on the red side with
UDP-ICP protocol
for example - am I right?

The main question is in that configuration my squid-machine would be
able to authenticate every user traffic going from green and give nice
outputs with Names Surnames,
or all users ip's from green would be covered by one orange (DMZ) ip
and squid-machine wouldn't be able to see nice outputs based on ip's.

Also I have a www server and am planning to put an ftp server on the DMZ.

Please, advise me how to do the best in that way or give another
configuration example, because I can't test this way now in
practice
(because my squid-machine is placed in one office and ipcop firewall
in another (different cities, different branches).

I would be waiting for any help thanks


-- 
Pagarbiai,

Donatas Gedvilas
d.gedvilas@gmail.com
8~601 78210
8~41 52 35 75
VI "Siauliu regiono keliai"
IT skyrius


[squid-users] Unable to upload files

2009-04-15 Thread John s
Hi All,

I have a Squid Proxy Setup Integrated with Active Directory for
login-based User Access. I am now facing some issues while
uploading some PDF files through a Java Applet.

There is a requirement to upload some PDF files to a Java Based Website.
For uploading the files an applet will open and then we need to
select the file. But after selecting the file to upload, it's giving
a Java Exception Error and failed to download.

I have checked the forums and updated squid with following option :
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_12 jupload/0.87
http_access allow Java POST

But still issue persists . Can anyone help on this .

Thanks for the cooperation .

Best Regards
John


[squid-users] squid - Reverse Proxy to access customer's modem interface

2009-04-15 Thread Antoine Rouchet

Hello everyone

I'm Antoine Rouchet, I work for a french cable ISP (Numericable).

My actual project is to allow our hotliners and IT staff to access 
customer's modem web management interface:


- We have several thousands of modems on the network, each of them have a 
management web interface to which the customer can access (with "user" 
privileges) from his local private network, and to which we can access over 
the dedicated "modem" network too (with more privileges).


- But it is not possible to allow the access to this "modem" network to 
untrusted people, so the idea is to set up a unique gateway (an HTTP 
server/proxy) our staff can access via an URL (like: 
http://modemgw.staff.private/modem/ip_10.1.2.3/).


- Of course the main problem is that every customer's modem cannot be 
declared in the proxy configuration file, it must be dynamic (i.e.: a 
directive in the configuration file allow reverse proxying to 10.0.0.0/8 
from *.private)


I know squid can do everything here, but I'm not sure for the last condition 
(target not declared in configuration file). Does anyone have an idea about 
that? Any help is welcome, of course.


(I've also tried with Apache + mod_proxy/mod_html/mod_rewrite. But the only 
thing mod_rewrite support is to declare a simple proxy with a RewriteRule (P 
flag) directive, so there is no rewriting of the HTML/headers.)


Best regards,
Antoine Rouchet.




[squid-users] It doesnt cacche

2009-04-15 Thread Merdouille

Hi,

I dont understand why my squid doesn't cache anything :

my acces log said   TCP_CLIENT_REFRESH_MISS:DIRECT

my cfg :

# On écoute le port 80 pour faire un proxy transparent
http_port 80 transparent

#=== GESTIONS DES LOGS
# emplacement
access_log  /var/log/squid/access.log
cache_log   /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log  /var/log/squid/swap.log
useragent_log   /var/log/squid/useragent.log
referer_log /var/log/squid/referer.log
# Options
emulate_httpd_log   on
client_netmask  255.255.255.255

#== GESTION DU CACHE
# Objet a cacher
# ici il y a des expressions régulières puis la durée minimum, le % de temps
accpetable
#   typemin %   max options
refresh_pattern -i \*.jpg$ 150% 2override-expire
reload-into-ims ignore-reload
# Cache Disque
#   modelientaille  R1  R2 
options
cache_dir   ufs /var/spool/squid/   100016  256
max-size=32768
maximum_object_size 32768 KB
minimum_object_size 0 KB
# Cache RAM
cache_mem 100 MB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
cache_replacement_policy lru

#== REWRITE URL
url_rewrite_program /etc/squid/rewriter.php
url_rewrite_children 20
redirector_bypass off

#== ACL's
acl all src all
acl rw  url_regex -i http://192.168.100.189/img=*
acl out dstdomain   "/etc/squid/white"
acl localhost   src 127.0.0.1
acl manager proto   cache_object

#= Applying the ACLs
url_rewrite_access  allow   rw
http_access allow   manager localhost
http_access allow   rw
http_access deny all
http_reply_access   allow   out
deny_info TCP_RESET all
#=== MISC
pid_filename /var/run/squid.pid
cachemgr_passwd toto all
# no cache exchange protocol
icp_port 0
# no snmp
snmp_port 0

half_closed_clients off
dns_nameservers 192.168.100.1 192.168.100.1
# avoids keeping stats on the IPs
client_db off
buffered_logs on
client_persistent_connections off

If I use http_port 80 transparent, url rewrite is OK but without cache.
If I use http_port 80, squid sends me an error page like:

While trying to process the request:

GET
/img=http%3A%2F%2Ffiles.macbidouille.com%2Fmbv2%2Fnews%2F200509%2Fnano_1yen.jpg
HTTP/1.1
Host: 192.168.100.189

Invalid Request 




[squid-users] Squid with Tproxy

2009-04-15 Thread trasor
Running squid with tproxy I am seeing entries in the cache log of 
'commBind: cannot bind to socket FD # to x.x.x.ip: (22) Invalid 
argument'. This is followed by a 'Warning: Reset of FD # for x.x.x.ip 
failed to bind: (22) Invalid argument'.  From reading, this may be 
related to an end user using ftp and as such should be ok just a 
nuisance in the cache log.  However, I am also seeing 'assertion failed: 
MemBuf.cc:388: "new_cap > (size_t) capacity"' whereby squid immediately 
restarts initialization and once initialized I start seeing the same 
'commBind' entries.  I understand these 'commBind' entries are occurring 
because squid has reinitialized and is no longer bound to the associated 
connections.  My server has 16GB of ram and the swap is not being 
touched so I am not following why the 'new_cap is greater than size_t 
capacity'.  There are also occasions where after the assertion failure 
occurs, squid does not restart on its own.


Another issue is dealing with Norton LiveUpdate and http1.1.  Looking 
thru the forums I see the fix is to place http11 after the http_port, 
i.e. 'http_port 3129 tproxy http11'.  But according to the change log 
that function has not been ported over from 2.7 as of yet, correct?  I 
did run across an entry in the change details for Squid 3 Head dealing 
with http1.1, 
http://www.squid-cache.org/Versions/v3/HEAD/changesets/b9622.patch. Will 
this patch allow Live Updates to work?


cache.log:

2009/04/12 07:56:11| assertion failed: MemBuf.cc:388: "new_cap > (size_t) capacity"
2009/04/12 07:56:14| Starting Squid Cache version 3.1.0.6 for x86_64-unknown-linux-gnu...
2009/04/12 07:56:14| Process ID 16647
2009/04/12 07:56:14| With 1024 file descriptors available
2009/04/12 07:56:14| Initializing IP Cache...
2009/04/12 07:56:14| DNS Socket created at [::], FD 7
2009/04/12 07:56:14| Adding domain lhtot.com from /etc/resolv.conf
2009/04/12 07:56:14| Adding nameserver 12.199.163.4 from /etc/resolv.conf
2009/04/12 07:56:14| Adding nameserver 74.51.162.4 from /etc/resolv.conf
2009/04/12 07:56:14| Unlinkd pipe opened on FD 12
2009/04/12 07:56:14| Store logging disabled
2009/04/12 07:56:14| Swap maxSize 1143357440 KB, estimated 87950572 objects
2009/04/12 07:56:14| Target number of buckets: 4397528
2009/04/12 07:56:14| Using 8388608 Store buckets
2009/04/12 07:56:14| Max Mem  size: 4194304 KB
2009/04/12 07:56:14| Max Swap size: 1143357440 KB
2009/04/12 07:56:14| Version 1 of swap file without LFS support detected...
2009/04/12 07:56:14| Rebuilding storage in /cache (DIRTY)
2009/04/12 07:56:14| Using Least Load store dir selection
2009/04/12 07:56:14| Set Current Directory to /cache
2009/04/12 07:56:14| Loaded Icons.
2009/04/12 07:56:14| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 15.
2009/04/12 07:56:14| HTCP Disabled.
2009/04/12 07:56:14| Squid modules loaded: 0
2009/04/12 07:56:14| Ready to serve requests.
2009/04/12 07:56:14| Store rebuilding is 0.67% complete
2009/04/12 07:56:16| Done reading /cache swaplog (610295 entries)
2009/04/12 07:56:16| Finished rebuilding storage from disk.
2009/04/12 07:56:16|604141 Entries scanned
2009/04/12 07:56:16| 0 Invalid entries.
2009/04/12 07:56:16| 0 With invalid flags.
2009/04/12 07:56:16|598162 Objects loaded.
2009/04/12 07:56:16| 0 Objects expired.
2009/04/12 07:56:16|  5979 Objects cancelled.
2009/04/12 07:56:16| 0 Duplicate URLs purged.
2009/04/12 07:56:16| 0 Swapfile clashes avoided.
2009/04/12 07:56:16|   Took 2.34 seconds (255507.19 objects/sec).
2009/04/12 07:56:16| Beginning Validation Procedure
2009/04/12 07:56:17|   262144 Entries Validated so far.
2009/04/12 07:56:17|   524288 Entries Validated so far.
2009/04/12 07:56:17|   786432 Entries Validated so far.
2009/04/12 07:56:17|   1048576 Entries Validated so far.
2009/04/12 07:56:17|   Completed Validation Procedure
2009/04/12 07:56:17|   Validated 1196349 Entries
2009/04/12 07:56:17|   store_swap_size = 9346436
2009/04/12 07:56:17| storeLateRelease: released 0 objects
2009/04/12 07:58:14| commBind: Cannot bind socket FD 147 to 64.201.93.245: (22) Invalid argument
2009/04/12 07:58:14| WARNING: Reset of FD 147 for 64.201.93.245 failed to bind: (22) Invalid argument
2009/04/12 07:58:14| commBind: Cannot bind socket FD 147 to 64.201.93.245: (22) Invalid argument
2009/04/12 07:58:14| WARNING: Reset of FD 147 for 64.201.93.245 failed to bind: (22) Invalid argument
2009/04/12 07:59:11| assertion failed: MemBuf.cc:388: "new_cap > (size_t) capacity"
2009/04/12 07:59:14| Starting Squid Cache version 3.1.0.6 for x86_64-unknown-linux-gnu...
2009/04/12 07:59:14| Process ID 16655
2009/04/12 07:59:14| With 1024 file descriptors available
2009/04/12 07:59:14| Initializing IP Cache...
2009/04/12 07:59:14| DNS Socket created at [::], FD 7
2009/04/12 07:59:14| Adding domain lhtot.com from /etc/resolv.conf
2009/04/12 07:59:14| Adding nameserver 12.199.163.4 from /etc/resolv.conf
2009/04/12 07:59:14| Adding nameserver 74

[squid-users] %EXT_USER value

2009-04-15 Thread Bartel Viljoen
Dear Squid users.

Does anyone have a working squid conf example of the %EXT_USER that is
available in squid 3? When I debug the value of
%EXT_USER via an external helper, the value is always "-", even though
the log file is showing the real username.

Currently I'm using the following auth program
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

A squid conf example would be of great help.

Regards
Bartel Viljoen

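
For reference on the question above, an added example that is not part of the original post: in Squid, %EXT_USER carries the user name returned by an external ACL helper (its `user=` reply key), while the name from `auth_param` authentication is passed to a helper as %LOGIN. The sketch below is a helper for the format "%LOGIN %SRC" that hands the login back as `user=`; the helper path and ACL names in the comments are hypothetical, and URL-escaped input fields are assumed.

```python
import sys
from urllib.parse import unquote

# squid.conf side (helper path and ACL names are hypothetical):
#   external_acl_type ntlm_user %LOGIN %SRC /usr/local/bin/ext_user_helper.py
#   acl known_user external ntlm_user
#   http_access allow known_user


def handle_line(line):
    """Answer one external ACL lookup whose format is "%LOGIN %SRC"."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    login, _src = (unquote(f) for f in fields)
    if login == "-":                 # "-" means Squid had no value to send
        return "ERR"
    # NTLM logins arrive as DOMAIN\user; keep only the account name.
    user = login.rsplit("\\", 1)[-1]
    if not user or any(c.isspace() for c in user):
        return "ERR"                 # never emit a reply that splits on spaces
    # user= is the value that later lookups receive as %EXT_USER
    return "OK user=%s" % user


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()           # Squid waits for each reply line
```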



[squid-users] Fw: multiple A records with squid

2009-04-15 Thread Martin . Pichlmaier
Hello all,

some of my users complain that a page (www.bestjobs.ro) with cookies and 
some other stuff hangs sometimes,
returns "Connection reset by peer" and so on.
Some problems can be resolved by reloading the page, some can not.
The pages that make problems are not the normal ones but after logging in 
and using some of the
"more advanced features" of the web server regarding commenting to some of 
the information there.
If the users access the web server without squid -- directly connected to 
the internet -- it all works.

It seems to me that the problems have something to do with DNS; 
www.bestjobs.ro returns not
one but 5 IPv4 addresses.
With Windows XP and no proxy the browser always uses only one IP;
squid -- I use version 3.0-STABLE 11 on RedHat AS 5 -- uses all 5 IPs in a 
round-robin fashion.
The web servers do not serve static but dynamic pages and therefore I 
think the requests _should_
always go to the same IP address. But the load balancing probably makes 
the problems.

I am fully aware that the problem is not the fault of squid but of the DNS 
loadbalancing of the web servers.
Nevertheless I have to provide a solution...

Is there a parameter within squid to change the behaviour of DNS load 
balancing when there
is more than one IP in a DNS response?
I do not want to disable load balancing but put an "on hold" parameter so 
that squid uses the
same IP maybe a minute and then switches to the next IP and uses that for 
the next one minute
and not a different IP for every request.
Even better would be a source address affinity -- for one client all 
requests go to IP 1 of the pool,
the next client is routed over squid to IP 2 and so on.

Is there a solution to that?

Best regards,
Martin