[squid-users] RPC OVER HTTPS
Hi All,

I have successfully configured reverse proxy, but have an issue with RPC over HTTPS.

Testing my setup with the following link https://www.testexchangeconnectivity.com/ I have the below error:

Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server hubsexchange.airarabiauae.com
Failed to ping Endpoint
Additional Details
An RPC Error was thrown by the RPC Runtime. Error 1818 1818

What could be the problem?

Squid Cache: Version 2.7.STABLE6

Need help please.

//Remy
Re: [squid-users] squid never asks for authentication
Chris Robertson wrote:
> Amos Jeffries wrote:
>> Chris Robertson wrote:
>>> The wiki is misleading on this.
>>> http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication
>>
>> Thanks for finding that. Clarified a bit and moved the page to where it should be.
>> http://wiki.squid-cache.org/Features/Authentication
>>
>> Amos
>
> I would request that you leave some kind of redirection page at http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication, as I (for one) have linked to that URL numerous times in past emails... While its new location does show up in the list of pages with similar names (near the bottom), it is a shame to uproot it so completely.
>
> Chris

oops. fixed.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] How to set Squid for tunneling and authentication with out cache.
Chris Robertson wrote:
> csampath wrote:
>> Hi
>> This is my first post.
>> I am trying to configure the squid similar to ssl VPN. Struggling for the configuration from 2 days.
>> My requirement is client web requests (HTTP or HTTPS ) should come to squid. Squid authenticate the user for the first time (of-course based of the client ip) and just redirect the traffic between the client and the server. I don't want cache
>>
>> client)<> SQUID<->Intranet/Internet
>> |
>> |
>> RADIUS SERVER
>>
>> MY SQUID configuration is as follows (it doesn't serve the purpose) : -
>>
>> https_port 10.10.10.11:1443 accel vport vhost protocol=http cert=/mi/portalCA/server-cert.pem key=/mi/portalCA/server-key.pem
>> acl CONNECT method CONNECT
>> acl SSL method CONNECT
>> #http_port 10.10.10.11:80 accel vport vhost
>
> Set...
>
> http_port 3128
>
> ...instead of the above https_port and http_port directives.
>
>> auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_conf
>> auth_param basic children 5
>> auth_param basic realm Web-Proxy
>> auth_param basic credentialsttl 120 minute
>> auth_param basic casesensitive off
>> acl radius-auth proxy_auth REQUIRED
>> no_cache deny all

... also "no_cache" is obsolete. Write that as simply "cache deny all" which means don't store anything. As you stated one of your requirements.

>> http_access deny !radius-auth
>> http_access allow all
>> always_direct allow all
>> http_reply_access allow all
>> #miss_access allow all
>
> Then have your client(s) use 10.10.10.11 port 3128 as a proxy for HTTP and HTTPS.
>
>> When Accessing the SSL request I am getting the following error
>> clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
>>
>> When it authenticates, it is looping . For every request it is asking the credentials
>>
>> Please advise me with the correct configuration. appreciate your support.
>>
>> Thanks
>> -Sampath
>
> Chris

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] security risk ?
Ralf Hildebrandt wrote:
> * RoLaNd RoLaNd :
>> i've visited the following site : http://whatismyipaddress.com/
>> and found out that i may have misconfigured a security feature in squid as it gives out its info without any restrictions..

No. It gives out some required IDs needed to close security risks and occasional routing issues as well.
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

>> for example visiting the site above would result to :
>>
>> Proxy Server Detected!
>> (proxy test results)
>> Proxy Server IP address: X.X.X.X
>> Proxy Server Details: 1.1 AynaProxy:3128 (squid/2.6.STABLE21)
>> Proxy Reports IP as: 192.168.75.139
>>
>> what have i missed ? how can i stop this ?!
>
> Look at the disclose_x_forwarded_for option

No such option.

whatsmyip is looking at many different things. That particular detection message is due to a combination of the Via: unique-id assigned to squid 2.6STABLE21 used to prevent HTTP forwarding loops. Along with the visible_hostname you set in your squid.conf and the original IP address of the proxy client.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] How to set Squid for tunneling and authentication with out cache.
csampath wrote:
> Hi
> This is my first post.
> I am trying to configure the squid similar to ssl VPN. Struggling for the configuration from 2 days.
> My requirement is client web requests (HTTP or HTTPS ) should come to squid. Squid authenticate the user for the first time (of-course based of the client ip) and just redirect the traffic between the client and the server. I don't want cache
>
> client)<> SQUID<->Intranet/Internet
> |
> |
> RADIUS SERVER
>
> MY SQUID configuration is as follows (it doesn't serve the purpose) : -
>
> https_port 10.10.10.11:1443 accel vport vhost protocol=http cert=/mi/portalCA/server-cert.pem key=/mi/portalCA/server-key.pem
> acl CONNECT method CONNECT
> acl SSL method CONNECT
> #http_port 10.10.10.11:80 accel vport vhost

Set...

http_port 3128

...instead of the above https_port and http_port directives.

> auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_conf
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 120 minute
> auth_param basic casesensitive off
> acl radius-auth proxy_auth REQUIRED
> no_cache deny all
> http_access deny !radius-auth
> http_access allow all
> always_direct allow all
> http_reply_access allow all
> #miss_access allow all

Then have your client(s) use 10.10.10.11 port 3128 as a proxy for HTTP and HTTPS.

> When Accessing the SSL request I am getting the following error
> clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
>
> When it authenticates, it is looping . For every request it is asking the credentials
>
> Please advise me with the correct configuration. appreciate your support.
>
> Thanks
> -Sampath

Chris
Re: [squid-users] Tuning problem in squid
Thanigairajan wrote:
> Hi ,
>
> I am facing some performance issues in squid .
>
> i.e. I have Debian etch with squid,squidguard,shorewall.
> Internet is working in normal speed if clients are approx 50 .
> If clients are approx 70 -100 it is getting very slow.
>
> I googled for tuning and done the following things,
> redirect_children 10
> cache_dir ufs /var/spool/squid 1000 16 256
> cache_mem 48 MB
> pipeline_prefetch on
> fqdncache_size 2048
> maximum_object_size 8192 KB
>
> Can you please suggest me how can i improve much ?

* Try AUFS cache_dir type. Works well, even in Etch.
* You have heaps of RAM, bump up the cache_mem if you can. That will leave more objects in RAM-cache for faster fetches.
* only 1GB of cache is currently allocated. test increasing that a bit as well.
* turn off pipeline_prefetch.
* turn on collapsed_forwarding.
* do what you can to eliminate the redirector. that may mean fast ACLs and url_rewrite_access
* use the latest squid.

If things continue, check the cachemgr stats and see if there is any indication of what's slowing things down.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] multiport config question
Al - Image Hosting Services wrote:
> Hi,
>
> I am hoping that someone can give me an example. I want to run squid on two ports, with the idea that on port 8080 it will be filtered and on port 8081 it will not be. I think that I can use:
>
> acl with_filter myport 8080
> acl without_filter myport 8081

Correct. Those will match requests arriving in "http_port 8080" and "http_port 8081" respectively.

> It looks like this sets the port numbers, but I am not sure how or even if there is an acl for "url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf"

http://www.squid-cache.org/Doc/config/url_rewrite_access

> I already have:
>
> acl custom-auth proxy_auth REQUIRED
> http_access allow custom-auth
> http_access allow localhost
> http_access deny all
>
> for authentication, so I think that will also work to complicate things. Would anyone be able to give me some ideas on this?

http://wiki.squid-cache.org/SquidFaq/SquidAcl

Squid has full boolean logic in its ACL. (A and (B or X) but not Y) etc. If you can state your needs in such a way then it can be configured.

Rows are vertically first-match wins.
'acl' lines define 'OR' groups.
*_access lines define an 'AND' condition out of multiple ACL named groups.
placing '!' before an acl name on *_access makes it 'NOT'.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
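How the evaluation rules listed in the reply above combine, as an added example that is not part of the thread and is not Squid's own code: a simplified Python model of access-list evaluation, run over a constructed config that pairs the poster's ACL names with the url_rewrite_access directive the reply links to. It assumes only the myport, src and proxy_auth ACL types, and it treats a missing login as a plain non-match rather than an authentication challenge.

```python
import ipaddress

# Constructed sample: the poster's ACL names and http_access rules, plus
# url_rewrite_access lines (an assumption about how the linked directive would
# be used) that send only port 8080 traffic to squidGuard.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl with_filter myport 8080
acl without_filter myport 8081
acl custom-auth proxy_auth REQUIRED
url_rewrite_access allow with_filter
url_rewrite_access deny all
http_access allow custom-auth
http_access allow localhost
http_access deny all
"""


def parse(conf):
    """Return (acls, rules): acls maps name -> (type, values); rules maps
    directive -> ordered list of (allow, [ACL names, possibly '!'-prefixed])."""
    acls, rules = {}, {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # Repeated 'acl' lines with one name add values to the same OR group.
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0].endswith("_access"):
            rules.setdefault(words[0], []).append((words[1] == "allow", words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """An ACL matches when ANY one of its values matches the request (OR)."""
    kind, values = acls[name]
    if kind == "myport":
        return str(req["port"]) in values
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":
        # Simplification: real Squid answers a missing login with a 407 challenge.
        user = req.get("user")
        return user is not None and ("REQUIRED" in values or user in values)
    raise ValueError("ACL type not modelled: " + kind)


def check(acls, rules, directive, req):
    """Walk the directive's lines top to bottom; the first line whose ACLs ALL
    match (AND, with '!' negating a single ACL) decides allow or deny."""
    lines = rules[directive]
    for allow, terms in lines:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return allow
    # Nothing matched: Squid applies the opposite of the last line's action.
    return not lines[-1][0]


def decide(conf, req):
    """Return (request allowed, request handed to the URL rewriter)."""
    acls, rules = parse(conf)
    allowed = check(acls, rules, "http_access", req)
    return allowed, allowed and check(acls, rules, "url_rewrite_access", req)


if __name__ == "__main__":
    # Constructed requests: same user on each port, then an anonymous client.
    for req in ({"port": 8080, "src": "192.0.2.10", "user": "al"},
                {"port": 8081, "src": "192.0.2.10", "user": "al"},
                {"port": 8081, "src": "192.0.2.10"}):
        print(req, decide(SAMPLE_CONF, req))
```

An authenticated user is allowed on both ports but only port 8080 reaches the rewriter; an anonymous non-local client falls through to the final deny.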
Re: [squid-users] Hiding Cache
Jamie Orzechowski wrote:
> I have TProxy working now but all those "what is my ip" sites are still able to detect the cache
>
> http://www.spyber.com is an example ...
>
> Proxy IP detected! 66.78.102.3
> Whois Host: cache-02.ripnet.com
> ISP: RipNET Limited
> Country: (CAN) - Canada
> Region/State: Ontario
> City: Brockville
>
> Any ideas how to make the cache more transparent so these sites are unable to detect the cache?

Why? What are you doing that is so illegal it must break HTTP protocol like that?

Every one of those sites uses different methods to detect the network paths. When they try hard enough they can identify the proxy by the port 80 routing AS path itself.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] squid never asks for authentication
Amos Jeffries wrote:
> Chris Robertson wrote:
>> The wiki is misleading on this.
>> http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication
>
> Thanks for finding that. Clarified a bit and moved the page to where it should be.
> http://wiki.squid-cache.org/Features/Authentication
>
> Amos

I would request that you leave some kind of redirection page at http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication, as I (for one) have linked to that URL numerous times in past emails... While its new location does show up in the list of pages with similar names (near the bottom), it is a shame to uproot it so completely.

Chris
Re: [squid-users] security risk ?
* RoLaNd RoLaNd :
> i've visited the following site : http://whatismyipaddress.com/
> and found out that i may have misconfigured a security feature in squid as it
> gives out its info without any restrictions..
>
> for example visiting the site above would result to :
>
> Proxy Server Detected!
> (proxy test results)
> Proxy Server IP address: X.X.X.X
> Proxy Server Details: 1.1 AynaProxy:3128 (squid/2.6.STABLE21)
> Proxy Reports IP as: 192.168.75.139
>
> what have i missed ? how can i stop this ?!

Look at the disclose_x_forwarded_for option

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12200 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [squid-users] custom auth not working
Hi,

Ok, I will give this a try. Thank you for the idea. As you can probably tell, we are really not perl programmers, but with your help it looks like we are going to be able to make it work.

Thank you,
Al

On Thu, 11 Jun 2009, Chris Robertson wrote:

> Date: Thu, 11 Jun 2009 16:13:23 -0800
> From: Chris Robertson
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] custom auth not working
>
> Al - Image Hosting Services wrote:
>> Hi,
>>
>> On Thu, 11 Jun 2009, Chris Robertson wrote:
>>> # Flush STDOUT
>>> $|=1;
>>
>> That fixed it. So, it is working. Would you have an idea on how to get it to reconnect to the mysql server, if the connection goes down?
>
> Replace...
>
> $sth->execute();
>
> ...with...
>
> $sth->execute() or die $dbh->errstr;
>
> ...so your helper just exits on that condition. Squid will kick off another one (and I think retry). If something is really wrong, Squid will quit with a "Helpers dying too rapidly" message.
>
>> Best Regards,
>> Al
>
> Chris
[squid-users] multiport config question
Hi,

I am hoping that someone can give me an example. I want to run squid on two ports, with the idea that on port 8080 it will be filtered and on port 8081 it will not be. I think that I can use:

acl with_filter myport 8080
acl without_filter myport 8081

It looks like this sets the port numbers, but I am not sure how or even if there is an acl for "url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf"

I already have:

acl custom-auth proxy_auth REQUIRED
http_access allow custom-auth
http_access allow localhost
http_access deny all

for authentication, so I think that will also work to complicate things. Would anyone be able to give me some ideas on this?

Best Regards,
Al
[squid-users] security risk ?
Hello,

i've visited the following site : http://whatismyipaddress.com/
and found out that i may have misconfigured a security feature in squid as it gives out its info without any restrictions..

for example visiting the site above would result to :

Proxy Server Detected!
(proxy test results)
Proxy Server IP address: X.X.X.X
Proxy Server Details: 1.1 AynaProxy:3128 (squid/2.6.STABLE21)
Proxy Reports IP as: 192.168.75.139

what have i missed ? how can i stop this ?!
Re: [squid-users] Gzip
On Fri, Jun 12, 2009 at 4:23 PM, ADEBAYO, FOLUSO, ATTSI wrote:
> Hi All,
> Does anyone know of a way to implement gzip in Squid 2.6? I am new
> to Squid and need to have this completed ASAP.

Can't be done. The best option is squid 3.1 with the accompanying eCAP GZIP module, or MAYBE some ICAP service (but I don't know of any such service).

--
/kinkie
Re: [squid-users] Tuning problem in squid
On Fri, Jun 12, 2009 at 4:01 PM, Thanigairajan wrote:
> Hi ,
>
> I am facing some performance issues in squid .
>
> i.e. I have Debian etch with squid,squidguard,shorewall.
> Internet is working in normal speed if clients are approx 50 .
> If clients are approx 70 -100 it is getting very slow.
>
> I googled for tuning and done the following things,
> redirect_children 10
> cache_dir ufs /var/spool/squid 1000 16 256

ufs is definitely not suited for anything but testing. Please try aufs instead.

> cache_mem 48 MB

48Mb of cache_mem on a 4gb server? This could definitely be raised.

> pipeline_prefetch on
> fqdncache_size 2048
> maximum_object_size 8192 KB
>
> Can you please suggest me how can i improve much ?
>
> FYI : We have Leased line .so we are getting constant bandwidth.
> We are running the server in desktop HP Compaq with 4GB RAM, Core2Duo

Unless your issues can be solved by these simple hints, we need to have more information, such as the output from "squid -v" and a more complete configuration excerpt.

--
/kinkie
[squid-users] How to set Squid for tunneling and authentication with out cache.
Hi
This is my first post.
I am trying to configure the squid similar to ssl VPN. Struggling for the configuration from 2 days.
My requirement is client web requests (HTTP or HTTPS ) should come to squid. Squid authenticate the user for the first time (of-course based of the client ip) and just redirect the traffic between the client and the server. I don't want cache

client)<> SQUID<->Intranet/Internet
|
|
RADIUS SERVER

MY SQUID configuration is as follows (it doesn't serve the purpose) : -

https_port 10.10.10.11:1443 accel vport vhost protocol=http cert=/mi/portalCA/server-cert.pem key=/mi/portalCA/server-key.pem
acl CONNECT method CONNECT
acl SSL method CONNECT
#http_port 10.10.10.11:80 accel vport vhost
auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_conf
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 120 minute
auth_param basic casesensitive off
acl radius-auth proxy_auth REQUIRED
no_cache deny all
http_access deny !radius-auth
http_access allow all
always_direct allow all
http_reply_access allow all
#miss_access allow all

When Accessing the SSL request I am getting the following error
clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

When it authenticates, it is looping . For every request it is asking the credentials

Please advise me with the correct configuration. appreciate your support.

Thanks
-Sampath
[squid-users] Gzip
Hi All, Does anyone know of a way to implement gzip in Squid 2.6? I am new to Squid and need to have this completed ASAP. Thanks
[squid-users] Tuning problem in squid
Hi ,

I am facing some performance issues in squid .

i.e. I have Debian etch with squid,squidguard,shorewall.
Internet is working in normal speed if clients are approx 50 .
If clients are approx 70 -100 it is getting very slow.

I googled for tuning and done the following things,
redirect_children 10
cache_dir ufs /var/spool/squid 1000 16 256
cache_mem 48 MB
pipeline_prefetch on
fqdncache_size 2048
maximum_object_size 8192 KB

Can you please suggest me how can i improve much ?

FYI : We have Leased line .so we are getting constant bandwidth.
We are running the server in desktop HP Compaq with 4GB RAM, Core2Duo

Thanks,
MThanigairajan

--
Thanks & Regards
MThanigairajan
The Most Certain Way To Succeed Is To Try One More Time -- By Edison
[squid-users] Hiding Cache
I have TProxy working now but all those "what is my ip" sites are still able to detect the cache

http://www.spyber.com is an example ...

Proxy IP detected! 66.78.102.3
Whois Host: cache-02.ripnet.com
ISP: RipNET Limited
Country: (CAN) - Canada
Region/State: Ontario
City: Brockville

Any ideas how to make the cache more transparent so these sites are unable to detect the cache?
Re: [squid-users] certain pages loading correctly in Firefox but not IE
Timothy Larrea wrote:
> Hi All,
>
> we currently have a squid proxy (2.6.stable5 ) running, and it seems that certain pages, such as our google docs site, and youtube don't load correctly when using IE as the browser, but Firefox is fine. In IE, the page loads all the text, but it seems to be missing the CSS data and javascripts, so the text is large and all over the place. Another odd thing is that if you attempt to load a page, close IE, then reopen it and load that page again, it works 2nd time around. I've tested this on a clean XP install with IE6 IE7, Vista, Windows 7 etc.
>
> Any suggestions would be appreciated.

IE has trouble loading things sometimes. That other browsers can get it shows it's unlikely to be a Squid issue.

Look at the headers being sent by each browser in their requests for the CSS and compare.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] connect FTP server from squid
cable linux wrote:
> Hi,
> I want to use squid to connect to ftp servers, all firewalls are disable, but i am not able to connect

What version of Squid are you using?
And how are you attempting to access the FTP servers?
Do they require login to access?

> Here is my squid.conf
>
> http_port 3128
> icp_port 3130
> hierarchy_stoplist cgi-bin?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir ufs /var/spool/squid 1 32 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> ftp_user Squid@
> ftp_list_width 32
> ftp_passive on
> ftp_sanitycheck on
> dns_nameservers xx.xx.xx.xx xx.xx.xx.xx
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl bims src 192.168.100.0/255.255.255.0
> http_access allow bims
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname bims
> acl FTP proto FTP
> always_direct allow FTP

In absence of further info, that looks like it should work.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
[squid-users] connect FTP server from squid
Hi,
I want to use squid to connect to ftp servers, all firewalls are disable, but i am not able to connect

Here is my squid.conf

http_port 3128
icp_port 3130
hierarchy_stoplist cgi-bin?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 1 32 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
dns_nameservers xx.xx.xx.xx xx.xx.xx.xx
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl bims src 192.168.100.0/255.255.255.0
http_access allow bims
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname bims
acl FTP proto FTP
always_direct allow FTP
Re: [squid-users] Squid 3.1 Release Date
Amos Jeffries wrote:
> Silamael wrote:
>> Francois Cami wrote:
>>> On Tue, Mar 3, 2009 at 8:32 AM, Silamael wrote:
>>>> Is there any date when Squid 3.1 will be official released?
>>>> Thanks in advance!
>>>
>>> http://wiki.squid-cache.org/ReleaseProcess#head-eea0e990c0003af12917552175691a5120980cdd
>>
>> Thanks for the reply but this doesn't answer my question. I know that Squid 3.1 is already released in X.Y.0.z. I just wanted to know if there is any planned date. If you say, most likely in April, that's already enough. Just need an approximate date for some internal plannings.
>>
>> -- Matthias
>
> We don't exactly date things here. With everyone working on voluntary time it's unpredictable. Though there has been a fairly regular 4-week cycle for new X.Y.0.z beta releases.
>
> For planning and upgrade testing, 3.1.0.6 is a fairly stable point to begin with.
>
> Back before we/I decided to adopt the fluid feature inclusion we had a set of approved features for 3.1. The last of these given a guarantee of being in 3.1 is still grinding its way through testing (far too slowly). I expect that will take us through March and maybe April before 3.1 gets a chance of even starting the stable waiting period.
>
> There is also a short list of RC bugs which we consider major enough to need fixing before we call it stable. Many of these bugs are only confirmed to exist in 3.0. But they are serious enough that we really NEED someone who can see them in 3.0 to test 3.1 and confirm they are not still hiding.
>
> Last time I had to guesstimate a timeline I said mid-year (june/july) 2009, I've seen no reason to change it for better or worse yet.
>
> Amos

Seeing as it's june/july time period now I reckon it's also time for an update.

Since I wrote that in March:

* The last holdout feature mentioned has now been removed from the 3.1 blockers list.
* 3.1.0.9 will have everything short of bug fixes included by the end of June.
* Rollout of official beta packages has begun on OS distributions.
* More RC bugs are appearing, but people are more dedicated than ever to fixing them.

So July 1st is looking like the start of the end-game on 3.1 betas.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Re: [squid-users] Web mail attachments page cannot display
web wrote:
> You assume wrong. "no_cache" directive is an obsolete spelling of "cache" directive.
>
> - How do I choose to not have sites come from the cache? i.e. retrieve from the site every time?

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

Amos

From: Amos Jeffries [squ...@treenet.co.nz]
Sent: Friday, 12 June 2009 11:48 AM
To: web
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Web mail attachments page cannot display

web wrote:
Hi,
I have 500 squidnt 2.7 stable 5 appliances out at distributed offices. It is being reported to me that when connected to the local caching appliance, intermittently they are getting page cannot display messages when using webmail and adding attachments. If they point to the upstream (parent) cache, they are not experiencing the problem.
What I have tried, is to put the URL for the webmail in the nocache.conf file, so it doesn't cache this information, therefore I would assume that its going direct (much the same way as if they pointed their caching appliance to upstream server).

You assume wrong. "no_cache" directive is an obsolete spelling of "cache" directive.

The only way to make requests go directly to an outside server without involving Squid is to do it at the browser (explicit settings or WPAD/PAC file) or the firewall (interception bypass rules). Once the request reaches Squid it's too late to not handle.

> The upstream (core) squid appliance is managed outside our company, so we dont have anything to do with it, but it shouldn't matter either as it works pointing directly to it. Does anyone have any suggestions to what I could try or what I am doing wrong? I have pasted the local caching appliance config to help with identifying the problem. Thanks in advance.

'always_direct' is the directive to make Squid use a direct link to the outside server instead of one of the cache_peer links.

I'd try setting:

always_direct allow nocache

Which will cut the proxy hierarchy to one layer and improve the chances of a successful request.

I've seen this type of thing with a slow link and large uploaded file (order of MB such as MS office generated files).

Amos

> http_port 8080
> cache_peer proxy. parent 8080 3130 no-query default login=PASS
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

change that to "cache deny"

> cache_mem 32 MB
> maximum_object_size 30720 KB
> cache_dir aufs d:/squid/var/cache 6 16 256

60GB of storage with a 30MB absolute cap on object size... cap of 32MB worth of objects stored in RAM-cache at any point.

> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl snmppublic snmp_community xx
> acl snmpprivate snmp_community xx
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl block url_regex -i "d:/squid/var/logs/block.conf"
> acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> no_cache deny nocache
> http_access deny block !unblock

Two regex ACL in a row. See how much of that you can alter into dstdomain or such. It's much faster.
Best configuration for regex is where a fast ACL like dstdomain is tested first to short-circuit the regex from being needed on as much traffic as possible.

> http_access allow all

Eeek! mostly-open proxy. Better define some security on that right quick. Start with an ACL defining what the local client networks are.

If you intended this as an accelerator then please use the recommended accelerator configs to secure your destinations.
http://wiki.squid-cache.org/ConfigExamples

> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr webmaster
> visible_hostname SquidNT.proxy.local
> alw