RE: [squid-users] Getting error msgs when trying to start squid
> I have made I few changes to squid.conf based on what you > told me, but proxy still doesn't work. Define "doesn't work". Clients get an error? Won't start? Something else? If you get denies, you could try to add a deny_info for every ACL you have, to see which ACL is stopping you: - create a file ERR_ACL_NAME (replace 'ACL_NAME' with the ACL name you use, e.g. ERR_LOCALNET for the localnet ACL) in the errors directory (you can find the exact path by grepping for error_directory in the default squid config). Give it as only content "The ACL 'ACL_NAME' gave a deny". - deny_info ERR_ACL_NAME aclname (e.g. deny_info ERR_LOCALNET localnet) - Start the browser, and see which errorpage you get. If it doesn't start, the error log is your friend. You could also try to start the proxy with 'squid -N' to start squid as a console application instead of in daemon mode. The errors should then appear on your screen. Joost
Re: [squid-users] Memory leak?
Bin Liu wrote: Thanks for your reply. # /usr/local/squid/sbin/squid -v Squid Cache: Version 2.7.STABLE6 configure options: '--prefix=/usr/local/squid' '--with-pthreads' '--with-aio' '--with-dl' '--with-large-files' '--enable-storeio=ufs,aufs,diskd,coss,null' '--enable-removal-policies=lru,heap' '--enable-htcp' '--enable-kill-parent-hack' '--enable-snmp' '--enable-freebsd-tproxy' '--disable-poll' '--disable-select' '--enable-kqueue' '--disable-epoll' '--disable-ident-lookups' '--enable-stacktraces' '--enable-cache-digests' '--enable-err-languages=English' The squid process grows without bounds here. I've read the FAQ, and tried lowering cache_mem setting, decreasing cache_dir size. That server has 4GB physical memory, and with total cache_dir size setting to 60G, squid resident size still can grow beyond bound and start eating swap. Note that cache_mem is not a bound on squid memry usage. Merely the RAM cache_dir. The OS is FreeBSD 7.1-RELEASE. Thanks. Do you have access to any memory-tracing software (valgrind or similar?) tracking an actual memory usage while live can be done when built against valgrind and certain cachemgr reports. I'll have to look them up. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14 Current Beta Squid 3.1.0.7
Re: [squid-users] Squid BUG?
Herbert Faleiros wrote: On Tue, 21 Apr 2009 14:58:22 +1200 (NZST), "Amos Jeffries" wrote: [cut] As a side issue: know who the maintainer is for slackware? I'm trying to get in touch with them all. Sorry, here Squid was build from sources. The distro maintainer and more info (does not provide a binary Squid package) can be found here: http://bluewhite64.com (I'm still waiting for an official 64 bits Slackware port) does deleting the swap.state file(s) when squid is stopped fix things? Apparently yes: /dev/sdb1 276G 225G 37G 87% /var/cache/proxy/cache1 /dev/sdc1 276G 225G 53G 87% /var/cache/proxy/cache2 /dev/sdd1 276G 225G 37G 87% /var/cache/proxy/cache3 /dev/sde1 276G 225G 37G 87% /var/cache/proxy/cache4 It's running OK again. Now, another strange log: 2009/04/21 00:26:25| commonUfsDirRebuildFromDirectory: Swap data buffer length is not sane. Should I decrease cache_dir sizes? No. This seems to occur when either the stored object is corrupted, incompletely written, or the size of object is apparently larger than the size of the file. At a blind guess, I'd say its a 64-bit build reading a file stored by a 32-bit build. The result is that squid immediately dumps the file out of cache. So if it repeats for any given object or for any newly stored ones, its a problem, but once per existing object after a cache format upgrade may be acceptable. The stranger think was store rebuild reporting > 100%. Yes, we have seen a similar thing long ago in testing. I'm trying to remember and research what came of those. At present I'm thinking maybe it had something to do with 32-bit/64-bit changes in distro build vs what the cache was built with. Similar logs found here about memory usage (via mallinfo): Total in use: 1845425 KB 173% and sometimes negative values: total space in arena: -1922544 KB Ordinary blocks: -1922682 KB 49 blks Total in use: -1139886 KB 59% Ah, these seems to be regular popups. It's a counter overflow on the reporting. We try to fix in the latest release as discovered, there may be a patch already in later releases or HEAD. If not bug report time for that. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14 Current Beta Squid 3.1.0.7
Re: [squid-users] Can I rewrite URL on browser?
Oleg wrote: Hi2All. Can Squid redirect user's request to another URL on browser concordance? For example, if user use MSIE < 6.0 redirect him to page with browser update from IT site page. I'm found only access rules for browser string (User-Agent), but not I mean. I'd use a custom deny_info redirect for this. acl msie6 browser .. ... deny_info http://example.com/meis_update.html msie6 http_access deny msie6 Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14 Current Beta Squid 3.1.0.7
Re: [squid-users] Can I rewrite URL on browser?
Ya, is what I need! Thank you. Amos Jeffries пишет: Oleg wrote: Hi2All. Can Squid redirect user's request to another URL on browser concordance? For example, if user use MSIE < 6.0 redirect him to page with browser update from IT site page. I'm found only access rules for browser string (User-Agent), but not I mean. I'd use a custom deny_info redirect for this. acl msie6 browser .. ... deny_info http://example.com/meis_update.html msie6 http_access deny msie6 Amos
Re: [squid-users] Can I rewrite URL on browser?
Oleg wrote: Ya, is what I need! Thank you. Amos Jeffries пишет: Oleg wrote: Hi2All. Can Squid redirect user's request to another URL on browser concordance? For example, if user use MSIE < 6.0 redirect him to page with browser update from IT site page. I'm found only access rules for browser string (User-Agent), but not I mean. I'd use a custom deny_info redirect for this. acl msie6 browser .. ... deny_info http://example.com/meis_update.html msie6 http_access deny msie6 Amos PS. putting my web developers hat on; please, please bump them to IE 7 :) IE6 is a royal pain in the visuals. 7 is at least a bit better. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14 Current Beta Squid 3.1.0.7
[squid-users] caching cgi_bin in 3.0
Hello, I'm upgrading to 3.0 (finally) and I see that the new refresh_pattern default was added in the config file: refresh_pattern (cgi-bin|\?) 0 0% 0 I hope this is just to always verify the dynamic content, and should not have any impact of caching it, if it's cacheable, correct? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
[squid-users] allowedURL don't work
Hi
i have a new problems with my Squid Server (NTLM AD)
My configuration:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#external_acl_type AD_Group children=50 concurrency=50 %LOGIN
/usr/lib/squid/wbinfo_group.pl
external_acl_type AD_Group children=50 concurrency=50 ttl=1800
negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
cache_peer 127.0.0.1parent 80810 proxy-only no-query
weight=100 connect-timeout=5 login=*:password
## ACL des droits d'accès
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl Lan src 10.0.0.0/8 # RFC1918 possible internal network
acl Lan src 172.16.0.0/12 # RFC1918 possible internal network
acl Lan src 192.168.0.0/16 # RFC1918 possible internal network
##
## ACL pour les sites web consultable sans authentification
##
acl URL_Authorises dstdomain "/etc/squid-ntlm/allowedURL"
http_access allow URL_Authorises
##
acl SSL_ports port 443 563 1 1494 2598
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
##
# ACL pour definir les groupes AD autorisés a ce connecter
##
acl AllowedADUsers external AD_Group "/etc/squid-ntlm/allowedntgroups"
acl Winbind proxy_auth REQUIRED
##
##
# ACL pour les Droits d'accès d'apres l'Active Directory
##
# Droits d'accès d'apres l'Active Directory
http_access allow AllowedADUsers
http_access deny !AllowedADUsers
http_access deny !Winbind
##
http_access deny all
##
# Parametre Systeme
##
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 16 MB
#cache_dir ufs /var/spool/squid-ntlm 5000 16 256
cache_dir null /dev/null
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %%Sh/%h] [%
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid-ntlm/access.log squid
cache_log /var/log/squid-ntlm/cache.log
cache_store_log /var/log/squid-ntlm/store.log
# emulate_httpd_log off
mime_table /etc/squid-ntlm/mime.conf
pid_filename /var/run/squid-ntlm.pid
# debug_options ALL,1
log_fqdn off
ftp_user pr...@gw.phibee.net
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
refresh_pattern ^ftp: 144020% 10080
refresh_pattern ^gopher:14400% 1440
refresh_pattern (cgi-bin|\?)0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
error_directory /usr/share/squid/errors/French
icp_access allow Lan
icp_access deny all
htcp_access allow Lan
htcp_access deny all
Into my allowedURL, i have:
pagesjaunes.fr
estat.com
societe.com
quidonc.fr
when i want access to www.pagejaunes.fr, he request a authentification
... i want no authentification
and no limitation of surf.
Anyone see where is my error ?
the correct synthaxe are "pagesjaunes.fr" or ".pagesjaunes.fr" for
*.pagesjaunes.fr ?
thanks
jerome
Re: [squid-users] caching cgi_bin in 3.0
Matus UHLAR - fantomas wrote: Hello, I'm upgrading to 3.0 (finally) and I see that the new refresh_pattern default was added in the config file: refresh_pattern (cgi-bin|\?) 0 0% 0 I hope this is just to always verify the dynamic content, and should not have any impact of caching it, if it's cacheable, correct? Correct. If the dynamic content gives a "Cache-Control: max-age" and/or a "Expires" header that allows caching, the refresh pattern will not prevent caching it. Chris
Re: [squid-users] allowedURL don't work
Phibee Network Operation Center wrote:
Hi
i have a new problems with my Squid Server (NTLM AD)
My configuration:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#external_acl_type AD_Group children=50 concurrency=50 %LOGIN
/usr/lib/squid/wbinfo_group.pl
external_acl_type AD_Group children=50 concurrency=50 ttl=1800
negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
cache_peer 127.0.0.1parent 80810 proxy-only no-query
weight=100 connect-timeout=5 login=*:password
## ACL des droits d'accès
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl Lan src 10.0.0.0/8 # RFC1918 possible internal network
acl Lan src 172.16.0.0/12 # RFC1918 possible internal network
acl Lan src 192.168.0.0/16 # RFC1918 possible internal network
##
## ACL pour les sites web consultable sans authentification
##
acl URL_Authorises dstdomain "/etc/squid-ntlm/allowedURL"
http_access allow URL_Authorises
Are you sure you don't want to add additional restrictions to the
http_access allow (such as a limitation on the source IP, or something)?
##
acl SSL_ports port 443 563 1 1494 2598
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
##
# ACL pour definir les groupes AD autorisés a ce connecter
##
acl AllowedADUsers external AD_Group "/etc/squid-ntlm/allowedntgroups"
acl Winbind proxy_auth REQUIRED
##
##
# ACL pour les Droits d'accès d'apres l'Active Directory
##
# Droits d'accès d'apres l'Active Directory
http_access allow AllowedADUsers
http_access deny !AllowedADUsers
http_access deny !Winbind
These two deny lines are redundant, as everything is denied by the next
line...
##
http_access deny all
##
# Parametre Systeme
##
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 16 MB
#cache_dir ufs /var/spool/squid-ntlm 5000 16 256
cache_dir null /dev/null
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %%mt
#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %%Sh/%h] [%
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid-ntlm/access.log squid
cache_log /var/log/squid-ntlm/cache.log
cache_store_log /var/log/squid-ntlm/store.log
# emulate_httpd_log off
mime_table /etc/squid-ntlm/mime.conf
pid_filename /var/run/squid-ntlm.pid
# debug_options ALL,1
log_fqdn off
ftp_user pr...@gw.phibee.net
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
refresh_pattern ^ftp: 144020% 10080
refresh_pattern ^gopher:14400% 1440
refresh_pattern (cgi-bin|\?)0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
error_directory /usr/share/squid/errors/French
icp_access allow Lan
icp_access deny all
htcp_access allow Lan
htcp_access deny all
Into my allowedURL, i have:
pagesjaunes.fr
estat.com
societe.com
quidonc.fr
when i want access to www.pagejaunes.fr, he request a authentification
... i want no authentification
and no limitation of surf.
Anyone see where is my error ?
the correct synthaxe are "pagesjaunes.fr" or ".pagesjaunes.fr" for
*.pagesjaunes.fr ?
The second option ".pagesjaunes.fr" will match http://pagesjaunes.fr,
http://www.pagesjaunes.fr and any other hostname in front of pagesjaunes.fr.
thanks
jerome
Chris
RE: [squid-users] allowedURL don't work
I'm trying to work with regex's and have a quick question in response to your
response. Wouldn't you also be able to do just a url_regex -I pagesjuanes and
allow that? That should theoretically work yes?
If you are doing a url_allow and if you have the period infront of the domain,
that allows anything from the "tld".pagesjuanes.fr correct?
---Paste
> when i want access to www.pagejaunes.fr, he request a authentification
> ... i want no authentification
> and no limitation of surf.
>
> Anyone see where is my error ?
> the correct synthaxe are "pagesjaunes.fr" or ".pagesjaunes.fr" for
> *.pagesjaunes.fr ?
The second option ".pagesjaunes.fr" will match http://pagesjaunes.fr,
http://www.pagesjaunes.fr and any other hostname in front of pagesjaunes.fr.
> thanks
> jerome
Chris
End Paste
-Original Message-
From: crobert...@gci.net [mailto:crobert...@gci.net]
Sent: Tuesday, April 21, 2009 12:59 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] allowedURL don't work
Phibee Network Operation Center wrote:
> Hi
>
> i have a new problems with my Squid Server (NTLM AD)
>
> My configuration:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 15
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> #external_acl_type AD_Group children=50 concurrency=50 %LOGIN
> /usr/lib/squid/wbinfo_group.pl
> external_acl_type AD_Group children=50 concurrency=50 ttl=1800
> negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> cache_peer 127.0.0.1parent 80810 proxy-only no-query
> weight=100 connect-timeout=5 login=*:password
>
> ## ACL des droits d'accès
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl Lan src 10.0.0.0/8 # RFC1918 possible internal network
> acl Lan src 172.16.0.0/12 # RFC1918 possible internal network
> acl Lan src 192.168.0.0/16 # RFC1918 possible internal network
>
>
> ##
> ## ACL pour les sites web consultable sans authentification
> ##
> acl URL_Authorises dstdomain "/etc/squid-ntlm/allowedURL"
> http_access allow URL_Authorises
Are you sure you don't want to add additional restrictions to the
http_access allow (such as a limitation on the source IP, or something)?
> ##
>
> acl SSL_ports port 443 563 1 1494 2598
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 563 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ##
> # ACL pour definir les groupes AD autorisés a ce connecter
> ##
> acl AllowedADUsers external AD_Group "/etc/squid-ntlm/allowedntgroups"
> acl Winbind proxy_auth REQUIRED
> ##
>
>
> ##
> # ACL pour les Droits d'accès d'apres l'Active Directory
> ##
> # Droits d'accès d'apres l'Active Directory
> http_access allow AllowedADUsers
> http_access deny !AllowedADUsers
> http_access deny !Winbind
These two deny lines are redundant, as everything is denied by the next
line...
> ##
>
> http_access deny all
>
>
> ##
> # Parametre Systeme
> ##
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> cache_mem 16 MB
> #cache_dir ufs /var/spool/squid-ntlm 5000 16 256
> cache_dir null /dev/null
> #logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs % %mt
> #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs % %Sh/%h] [% #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs % logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs % "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid-ntlm/access.log squid
> cache_log /var/log/squid-nt
[squid-users] logging changes 2.6 -> 2.7
Hi all -
Recently upgraded a proxy-accelerator setup to using 2.7 (Debian
2.7.STABLE3-4.1, specifically) from 2.6 (2.6.20-1~bpo40+1). In this
setup, I'm using an external rewriter script to add virtual rooting bits
to the requested URL. (It's a zope system, using ther VirtualHostMonster
rewriter, like so:
Incoming request:
GET http://example.com/someimage.gif
Rewritten to:
GET
http://example.com/VirtualHostBase/http/example.com:80/somepath/VirtualHostRoot/someimage.gif
These are then farmed out to multiple cache_peer origin servers.
The change I'm seeing is that the access.log using a custom format
line:
logformat custom %ts.%03tu %6tr %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh/%h
The change is that in 2.6 %ru logged the requested URL as seen on the
wire. In 2.7, we get the rewritten URL.
Is this intentional? Is there a way around it? Since referer (sic) url
is not similarly rewritten, it gives log analysis software (that
attempts to determine click-traces and page views) fits. I can
post-process my logs, but I'd rather fix them at generation time. I can
understand the need to have the rewritten version available: just not at
the cost of missing what was actually on the wire that Squid read.
Ross
--
Ross Reedstrom, Ph.D. reeds...@rice.edu
Systems Engineer & Admin, Research Scientistphone: 713-348-6166
The Connexions Project http://cnx.orgfax: 713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0 BEDE
[squid-users] Squid and TC - Traffic Shaping
Hello. I was writing a script to control traffic on our network. I created my rules with tc and noticed that it wasn't working correctly. I tried this traffic shaping on a linux router that has squid doing transparent cache. When measuring the download speed on speedtest.net the download speed is 70kbps when is supposed to be over 300kbps. I found it strange since I've done traffic shaping in the past and worked but not on a box with squid. I stopped the squid server and ran the test again and it gave me the speed I assigned to that machine. I assigned different bw and the test gave the correct speed. Have anybody used traffic shaping (TC in linux) on a box with squid? Is there a way to combine both a have them work side by side? Thanks in advanced for your help and input.
Re: [squid-users] allowedURL don't work
Dustin Hane wrote: I'm trying to work with regex's and have a quick question in response to your response. Wouldn't you also be able to do just a url_regex -I pagesjuanes and allow that? That should theoretically work yes? I think the -I needs to be lowercase, but otherwise that would work. It's just more resource intensive, and would allow "http://random.website/?fakequery=pagesjuanes&haha=true"; through. Handling regular expressions (url_regex, dstdom_regex) is far more complex than performing a string equality test (both for Squid and the maintainer). If you are doing a url_allow and if you have the period infront of the domain, that allows anything from the "tld".pagesjuanes.fr correct? Correct. A dstdomain ACL with a leading dot will match the base domain (pagesjuanes.fr in this case) AND "anything" dot base domain (tld.pagesjuanes.fr, www.pagesjuanes.fr, search.pagesjuanes.fr). If you have a few host names you wish to block, while allowing the majority, you can combine ACLs on a http_access line... # Allow most, block a few acl pagesjuanes dstdomain .pagesjuanes.fr acl pagesjuanesExceptions dstdomain blocked.pagesjuanes.fr bad.pagesjuanes.fr # Allow access to all pagesjuanes.fr domains, except blocked.pagesjuanes.fr and bad.pagesjuanes.fr http_access allow pagesjuanes !pagesjuanesExceptions # Block access to all pagesjuanes.fr domains not allowed above http_access deny pagesjuanes Chris
[squid-users] squid AND ssl
Hi, I have a simple webserver that listens on port 80 for requests. I would like to secure access to this webserver using squid and SSL. I can access the simple website through http without any issue. When I try and access it using https: I get a message in the cache file. See attached. The web page error show up as Connection to 192.168.0.1 Failed The system returned: (13) Permission denied I am running Squid stable 2.7 and I used openssl to generate the cert and key. I have attached my conf file and cache errors. Can squid secure an unsecure webserver the way i am trying to do do http_port 192.168.0.1:8080 cache_mgr administra...@server2003 visible_hostname server2003 cache_dir ufs c:/squid/var/cache 512 16 256 acl Query urlpath_regex cgi-bin \? acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl PURGE method PURGE acl to_localhost dst 127.0.0.1/8 acl SSL_ports port 441 443 https_port 192.168.0.1:443 accel cert=c:/squid/etc/ssl/mycert.pem key=c:/squid/etc/ssl/mykey.pem vhost cache_peer 192.168.0.1 parent 443 0 no-query originserver default ssl sslflags=DONT_VERIFY_PEER acl Safe_ports port 80 21 441 443 563 70 210 210 1025-65535 280 488 591 777 # acl CONNECT method CONNECT acl all src 0.0.0.0/0.0.0.0 url_rewrite_host_header off collapsed_forwarding on acl webSrv dst 192.168.0.1 acl webPrt port 80 http_access allow webSrv webprt http_access allow all always_direct allow all acl localnetwork1 src 192.168.0.0/255.255.255.0 hierarchy_stoplist cgi-bin ? refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 coredump_dir c:/squid/var/cache cache_mem 64 MB dns_testnames localhost http_access allow manager localhost # http_access deny manager # http_access deny !Safe_ports # http_access allow PURGE localhost http_access allow localnetwork1 # http_access deny PURGE access_log c:/squid/var/logs/access.log squid # no_cache deny QUERY http_reply_access allow all
[squid-users] SQUID and SSL
Hi, I have a simple webserver that listens on port 80 for requests. I would like to secure access to this webserver using squid and SSL. I can access the simple website through http without any issue. When I try and access it using https: I get a message in the cache file. See attached. The web page error show up as Connection to 192.168.0.1 Failed The system returned: (13) Permission denied I am running Squid stable 2.7 and I used openssl to generate the cert and key. I have attached my conf file and cache errors. Can squid secure an unsecure webserver the way i am trying to do do http://www.nabble.com/file/p23166622/squid.conf squid.conf http://www.nabble.com/file/p23166622/cache.txt cache.txt -- View this message in context: http://www.nabble.com/SQUID-and-SSL-tp23166622p23166622.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] logging changes 2.6 -> 2.7
That was fixed in STABLE4;
http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6-RELEASENOTES.html#s7
See also:
http://www.squid-cache.org/bugs/show_bug.cgi?id=2406
Cheers,
On 22/04/2009, at 5:46 AM, Ross J. Reedstrom wrote:
Hi all -
Recently upgraded a proxy-accelerator setup to using 2.7 (Debian
2.7.STABLE3-4.1, specifically) from 2.6 (2.6.20-1~bpo40+1). In this
setup, I'm using an external rewriter script to add virtual rooting
bits
to the requested URL. (It's a zope system, using ther
VirtualHostMonster
rewriter, like so:
Incoming request:
GET http://example.com/someimage.gif
Rewritten to:
GET
http://example.com/VirtualHostBase/http/example.com:80/somepath/VirtualHostRoot/someimage.gif
These are then farmed out to multiple cache_peer origin servers.
The change I'm seeing is that the access.log using a custom format
line:
logformat custom %ts.%03tu %6tr %>a %ui %un [%tl] "%rm %ru HTTP/%rv"
%Hs %h" "%{User-Agent}>h" %Ss:%Sh/%For}>h
The change is that in 2.6 %ru logged the requested URL as seen on the
wire. In 2.7, we get the rewritten URL.
Is this intentional? Is there a way around it? Since referer (sic) url
is not similarly rewritten, it gives log analysis software (that
attempts to determine click-traces and page views) fits. I can
post-process my logs, but I'd rather fix them at generation time. I
can
understand the need to have the rewritten version available: just
not at
the cost of missing what was actually on the wire that Squid read.
Ross
--
Ross Reedstrom, Ph.D.
reeds...@rice.edu
Systems Engineer & Admin, Research Scientistphone:
713-348-6166
The Connexions Project http://cnx.orgfax:
713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0
BEDE
--
Mark Nottingham m...@yahoo-inc.com
[squid-users] caching behavior during COSS rebuild
So I'm running with COSS under 2.7STABLE6, we've noticed (as I can see others have, teh Googles tell me so) that the COSS rebuild a. happens every time squid is restarted, and b. takes quite a while if the COSS stripes are large. However, I've noticed that while the stripes are being rebuilt, squid still listens for and handles requests - it just SO_FAILs on every object that would normally get saved to a COSS stripe. So much for that hit ratio. SO - the questions are: 1. Is there *any* way to prevent the COSS rebuild if squid is terminated normally? 2. Is there a way to prevent squid from handling requests until the COSS stripe is fully rebuilt (this is obviously not good if you don't have redundant squids, but that's not a problem for us) ? Thanks, -C
Re: [squid-users] logging changes 2.6 -> 2.7
Ah thanks for the pointer, Mark. I'll take a look at backporting the
debian squeeze (testing) version back to lenny.
Ross
--
Ross Reedstrom, Ph.D. reeds...@rice.edu
Systems Engineer & Admin, Research Scientistphone: 713-348-6166
The Connexions Project http://cnx.orgfax: 713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0 BEDE
On Wed, Apr 22, 2009 at 11:50:09AM +1000, Mark Nottingham wrote:
> That was fixed in STABLE4;
>
> http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6-RELEASENOTES.html#s7
>
> See also:
> http://www.squid-cache.org/bugs/show_bug.cgi?id=2406
>
> Cheers,
>
>
> On 22/04/2009, at 5:46 AM, Ross J. Reedstrom wrote:
>
> >Hi all -
> >Recently upgraded a proxy-accelerator setup to using 2.7 (Debian
> >2.7.STABLE3-4.1, specifically) from 2.6 (2.6.20-1~bpo40+1). In this
> >setup, I'm using an external rewriter script to add virtual rooting
> >bits
> >to the requested URL. (It's a zope system, using ther
> >VirtualHostMonster
> >rewriter, like so:
> >Incoming request:
> >GET http://example.com/someimage.gif
> >
> >Rewritten to:
> >
> >GET
> >http://example.com/VirtualHostBase/http/example.com:80/somepath/VirtualHostRoot/someimage.gif
> >
> >These are then farmed out to multiple cache_peer origin servers.
> >
> >The change I'm seeing is that the access.log using a custom format
> >line:
> >
> >logformat custom %ts.%03tu %6tr %>a %ui %un [%tl] "%rm %ru HTTP/%rv"
> >%Hs %h" "%{User-Agent}>h" %Ss:%Sh/% >For}>h
> >
> >The change is that in 2.6 %ru logged the requested URL as seen on the
> >wire. In 2.7, we get the rewritten URL.
> >
> >Is this intentional? Is there a way around it? Since referer (sic) url
> >is not similarly rewritten, it gives log analysis software (that
> >attempts to determine click-traces and page views) fits. I can
> >post-process my logs, but I'd rather fix them at generation time. I
> >can
> >understand the need to have the rewritten version available: just
> >not at
> >the cost of missing what was actually on the wire that Squid read.
> >
> >Ross
> >--
> >Ross Reedstrom, Ph.D.
> >reeds...@rice.edu
> >Systems Engineer & Admin, Research Scientistphone:
> >713-348-6166
> >The Connexions Project http://cnx.orgfax:
> >713-348-3665
> >Rice University MS-375, Houston, TX 77005
> >GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0
> >BEDE
>
> --
> Mark Nottingham m...@yahoo-inc.com
>
[squid-users] Authenticator processes after reconfigure.
Hello. Version: Squid 3.0.STABLE13 on Gentoo 2.6.22-vs2.2.0.7 `squid -k reconfigure` do not close old authenticator processes if that was a clients. So my 'NTLM Authenticator Statistics' looks like below. Is anybody has same symptom? Oleg. NTLM Authenticator Statistics: program: /usr/bin/ntlm_auth number running: 23 of 15 requests sent: 8896 replies received: 8896 queue length: 0 avg service time: 0 msec # FD PID # Requests # Deferred Requests Flags Time Offset Request 1 12 23079 459 0 RS 0.002 0 (none) 2 13 23080 89 0 RS 0.000 0 (none) 3 14 23081 37 0 RS 0.000 0 (none) 4 15 23082 36 0 RS 0.002 0 (none) 5 16 23083 342 0 RS 0.000 0 (none) 6 17 23084 10570 RS 0.000 0 (none) 7 18 23085 97 0 RS 0.000 0 (none) 10 21 23089 71 0 RS 0.000 0 (none) 1 20 17695 653 0 0.003 0 (none) 2 22 17696 114 0 0.004 0 (none) 3 23 17697 22 0 0.008 0 (none) 4 24 17698 4 0 0.020 0 (none) 5 25 17699 0 0 0.000 0 (none) 6 26 17700 0 0 0.000 0 (none) 7 27 17701 0 0 0.000 0 (none) 8 28 17702 0 0 0.000 0 (none) 9 29 17703 0 0 0.000 0 (none) 10 30 17713 0 0 0.000 0 (none) 11 31 17714 0 0 0.000 0 (none) 12 32 17715 0 0 0.000 0 (none) 13 33 17716 0 0 0.000 0 (none) 14 34 17717 0 0 0.000 0 (none) 15 35 17718 0 0 0.000 0 (none) Flags key: B = BUSY C = CLOSING R = RESERVED or DEFERRED S = SHUTDOWN P = PLACEHOLDER
Re: [squid-users] CONNECT method support(for https) using squid3.1.0.6 + tproxy4
Hi, Amos
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
That's right, I know about that, but I'd like to use "source address
spoofing"...
Just only following enables my anxiety.
replacing In tunnelStart()#tunnel.cc
>sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> COMM_NONBLOCKING,
> getOutgoingTOS(request),
> url);
with
>if (request->flags.spoof_client_ip) {
>sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> (COMM_NONBLOCKING|COMM_TRANSPARENT),
> getOutgoingTOS(request),
> url);
>} else {
>sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> COMM_NONBLOCKING,
> getOutgoingTOS(request),
> url);
>}
I think it has no harmful effects. I long for that.
Would you modify that ?
Sincerely,
--
Mikio Kishi
On Sun, Apr 12, 2009 at 1:25 PM, Amos Jeffries wrote:
> Mikio Kishi wrote:
>>
>> Hi, Amos
>>
>>> What exactly are you trying to achieve with this?
>>
>> I'm really sorry... It's a little bit difficult to explain...
>> The following is the more detail.
>>
>> ---
>> The Internet
>> ---+
>> |
>> +-+-
>> |
>> +-+---+
>> | squid | (1)
>> | (tcp/8080) |
>> +-+---+
>> |.2
>> +-+ 10.0.0.0/24
>> |.1
>> +--+--+
>> | R |
>> +--+--+
>> |.1
>> ---+--+ 192.168.0.0/24
>> |.2
>> +++
>> | squid + |
>> | tproxy | (2)
>> | (tcp/8080) |
>> +++
>> |.2
>> ---+--+ 192.168.1.0/24
>> |.3
>> +--+-+
>> | client |
>> ++
>>
>> - The demand
>> - The client must use proxy(2) using tcp/8080
>> - by browser settings
>> HTTP -> proxy(2) (192.168.1.2:8080)
>> HTTPS -> proxy(2) (192.168.1.2:8080)
>> - proxy(2) don't have to be "transparent"
>> - The proxy(2)'s parent proxy must be proxy(1)
>> using cache_peer
>> - Both proxy(1) and proxy(2) must record
>> "client original source address" in access log for security action
>> !!! It's most important !!!
>>
>> I think that I have to use tproxy(not transparent)
>> to achieve above demands... what do you think ?
>
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
>
> proxy(2) will always be trying to set X-Forwarded-For header indicating the
> client IP. Which gets passed to proxy(1).
>
> By enabling follow_x_forwarded_for and log_uses_indirect_ip. proxy(1) should
> log the original client IP.
>
> http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
> http://www.squid-cache.org/Doc/config/log_uses_indirect_client/
>
>
> Amos
>
>>
>> Sincerely,
>> --
>> Mikio Kishi
>>
>> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries
>> wrote:
>>>
>>> Mikio Kishi wrote:
Hi, Amos
> HTTPS encrypted traffic cannot be intercepted.
Yes, I know that. but, in this case, not "transparent".
> (1) (2)
>
> | |
> +--+ | ++ | +-+
> |WWW +---+ | | ++ WWW |
> |Client|.2 | .1| squid |.1 | .2| Server |
> +--+ +-+ + tproxy ++ |(tcp/443)|
> | | (tcp/8080) | | |(tcp/80) |
> | ++ | +-+
> 192.168.0.0/24 10.0.0.0/24
>
> (1) 192.168.0.2 --> 192.168.0.1:8080
> ^
> (2) 192.168.0.2 --> 10.0.0.2:443
> ^^^
Just only thing I'd like to do is "source address spoofing"
using tproxy.
Does that make sense ?
>>>
>>> No. Squid is perfectly capable of making HTTPS links outbound without
>>> tproxy. The far end only knows that some client connected.
>>>
>>> HTTPS cannot be spoofed, its part of the security involved with the SSL
>>> layer.
>>>
>>> What exactly are you trying to achieve with this?
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>> Current Beta Squid 3.1.0.6
>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.6
>
