Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
Good writeup!

I'm rapidly coming to the conclusion that the problem with transparency setups is not just a lack of documentation and examples, but a lack of clear explanation and understanding of what is actually going on. I had one user try to manually configure GRE interfaces on the Cisco side because that is how they thought WCCP worked. Another policy routed TCP to the proxy and didn't quite get why some connections were hanging (ICMP doesn't make it to the proxy, so PMTU is guaranteed to break without blackhole detection in one or more participants end-nodes/proxy.) Combined with all of the crazy IOS related bugs and crackery that is going on and I'm not really surprised the average joe doesn't have much luck. :)

I reckon what would be really, really useful is a writeup of all of the related technologies involved in all parts of transparent interception, including a writeup on what WCCPv2 actually is and how it works; what the various interception options are and do (especially TPROXY4, which AFAICT is severely lacking in -actual- documentation about what it is, how it works and how to code for it) so there is at least a small chance that someone with a bit of clue can easily figure all the pieces out and debug stuff.

I also see people doing TPROXY4/Linux hackery involving -bridging- proxies instead of routed/WCCPv2 proxies. That is another fun one. Finally, figuring out how to tie all of that junk into a cache hierarchy is also hilariously amusing to get right.

Just for the record, the kernel and iptables binary shipping with the latest Debian unstable supports TPROXY4 fine. I didn't have to recompile my kernel or anything - I just had to tweak a few things (disable pmtu, for example) and add some iptables rules. Oh, and compile Squid right.

2c,
Adrian
Re: [squid-users] Cache youtube videos WITHOUT videocache?
2009/7/20 Mark Lodge mlodg...@gmail.com:
> I've come across this at http://wiki.squid-cache.org/Features/StoreUrlRewrite
>
> Feature: Store URL Rewriting?
>
> Does this mean I can cache videos without using videocache?

That was the intention. Unfortunately, people didn't really pick up on the power of the feature and have stuck to abusing the redirector API to serve this kind of content.

The advantage of the redirector approach is that it can bypass all of the cache rule checking which goes on inside Squid. A lot of these video (and CDN content sites in general - they charge for content served! :) make content caching quite difficult if not impossible. The store URL rewriting scheme also requires a set of refresh patterns to override the "don't cache me please!" tags added to content.

I'd love to see a community take on board the store URL rewriter interface and maintain rulesets for caching youtube, maps, windows updates, etc. It just doesn't seem like it'll happen.

Adrian
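A sketch of the kind of store URL rewriter the reply above refers to, as an added example that is not from the thread or from the Squid project. It assumes Squid 2.7's line-based helper interface (the URL is the first whitespace-separated field of each request line, and the reply is the store URL or an empty line for "no change"); the mirror hostnames and the SQUIDINTERNAL key are hypothetical placeholders.

```python
#!/usr/bin/env python3
import re
import sys
from urllib.parse import urlsplit, parse_qs

# Hypothetical CDN layout (constructed for this example): many mirror hosts
# serve the same object, identified only by the video_id query parameter.
MIRROR_HOST = re.compile(r"v\d+\.cache\.video\.example")
CANONICAL = "http://video.example.SQUIDINTERNAL/get_video?video_id={vid}"


def store_url(url):
    """Return the canonical cache key for url, or '' to leave it unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not MIRROR_HOST.fullmatch(parts.hostname or ""):
        return ""
    if parts.path != "/get_video":
        return ""
    ids = parse_qs(parts.query).get("video_id", [])
    # Refuse ambiguous or odd ids: folding two distinct objects onto one
    # store key would hand the wrong cached body to later clients.
    if len(ids) != 1 or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", ids[0]):
        return ""
    return CANONICAL.format(vid=ids[0])


def handle_line(line):
    """One helper request; only the first field (the URL) is used."""
    fields = line.split()
    return store_url(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

The rewritten URL is only the cache key; the request still goes to the original mirror, and the refresh patterns mentioned in the reply are still needed before such objects are stored.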
Re: [squid-users] Cannot login to Yahoo webmail
austinhere wrote:
> 1246076496.527 79 (ip_hidden) TCP_MISS/200 4467 CONNECT login.yahoo.com:443 - DIRECT/209.191.92.114 -
> 1246076496.689 139 (ip_hidden) TCP_MISS/302 1451 GET http://us.f1119.mail.yahoo.com/ym/login? - DIRECT/98.137.26.66 text/html
> 1246076496.730 38 (ip_hidden) TCP_MISS/302 564 GET http://login.yahoo.com/config/mail? - DIRECT/209.191.92.114 text/html
> 1246076496.828 94 (ip_hidden) TCP_MISS/200 10754 CONNECT login.yahoo.com:443 - DIRECT/209.191.92.114 -
> 1246076496.949 42 (ip_hidden) TCP_MISS/200 3005 CONNECT us.bc.yahoo.com:443 - DIRECT/68.142.213.159 -
>
> trying to get Squid working with Yahoo webmail (and some others that aren't working) ...I can use gmail and even services like Meebo without an issue but things like my Yahoo and my GoDaddy webmail seem to authenticate (if I use wrong credentials it tells me so) but then doesn't actually log in... just tosses me back to the login
>
> GET POST CONNECT methods all allowed not caching...
>
> I am running a multiple IP setup using this:
>
> http_port x.x.x.246:3129
> http_port x.x.x.247:3130
> http_port x.x.x.248:3131
> http_port x.x.x.249:3132
> http_port x.x.x.250:3133
>
> acl example_dst1 myip x.x.x.246
> acl example_dst2 myip x.x.x.247
> acl example_dst3 myip x.x.x.248
> acl example_dst4 myip x.x.x.249
> acl example_dst5 myip x.x.x.250
>
> tcp_outgoing_address x.x.x.246 example_dst1
> tcp_outgoing_address x.x.x.247 example_dst2
> tcp_outgoing_address x.x.x.248 example_dst3
> tcp_outgoing_address x.x.x.249 example_dst4
> tcp_outgoing_address x.x.x.250 example_dst5
>
> Tried this... no change:
>
> acl url dstdomain .yahoo.com
> always_direct allow url

prevents a cache_peer being used to forward traffic. You don't seem to have any so forcing always_direct is not worthwhile.

> cache deny url
>
> Any ideas?

The trace you provided shows several requests going through from your client to various yahoo domains and not having any problems at all.

The problem is either with the data inside the requests/replies being passed around or in some transaction you omit from the above trace (it happens sometimes that a second security check gets done on strange domains).

We can't tell what's going wrong from the given info. Perhaps the HTTP headers involved may help. And an indication whether the browser is configured to use the proxy or if it's intercepted.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
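The reading of the trace given in the reply above can be reproduced mechanically. This is an added example, not code from the thread or from Squid: it parses the five quoted access.log lines (Squid's native log format) and separates what the proxy could see from what it only relayed. The function names are my own.

```python
import re
from collections import Counter

# Squid native access.log fields: time elapsed client result/status bytes
# method URL ident hierarchy/peer content-type
LINE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# The five access.log lines quoted in the post above, one entry per line.
SAMPLE = """\
1246076496.527 79 (ip_hidden) TCP_MISS/200 4467 CONNECT login.yahoo.com:443 - DIRECT/209.191.92.114 -
1246076496.689 139 (ip_hidden) TCP_MISS/302 1451 GET http://us.f1119.mail.yahoo.com/ym/login? - DIRECT/98.137.26.66 text/html
1246076496.730 38 (ip_hidden) TCP_MISS/302 564 GET http://login.yahoo.com/config/mail? - DIRECT/209.191.92.114 text/html
1246076496.828 94 (ip_hidden) TCP_MISS/200 10754 CONNECT login.yahoo.com:443 - DIRECT/209.191.92.114 -
1246076496.949 42 (ip_hidden) TCP_MISS/200 3005 CONNECT us.bc.yahoo.com:443 - DIRECT/68.142.213.159 -
"""


def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    matches = (LINE.fullmatch(raw.strip()) for raw in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(entries):
    """Split a trace into what the proxy could see and what it only relayed."""
    tunnels = [e for e in entries if e["method"] == "CONNECT"]
    return {
        # CONNECT is an opaque TLS relay: only host:port and byte counts are
        # logged, so the login POST and its cookies never appear in this log.
        "tunnels": dict(Counter(e["url"] for e in tunnels)),
        "tunnel_bytes": sum(int(e["bytes"]) for e in tunnels),
        # Plain-HTTP redirects are visible, but the logged URL stops at "?"
        # because Squid strips query terms from access.log by default.
        "redirects": [e["url"] for e in entries
                      if e["status"] in ("301", "302", "303", "307")],
        # Requests the proxy refused, or that came back as HTTP errors.
        "failures": [e["url"] for e in entries
                     if e["result"].endswith("DENIED") or int(e["status"]) >= 400],
    }


if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

With no failures and most bytes inside CONNECT tunnels, the log alone cannot show why the login bounces, which is why the reply asks for the HTTP headers.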
Re: [squid-users] Cannot login to Yahoo webmail
> We can't tell what's going wrong from the given info. Perhaps the HTTP headers involved may help. And an indication whether the browser is configured to use the proxy or if it's intercepted.

Sorry for the long post but here's the Header info from the login process through the proxy:

https://login.yahoo.com/config/login?.intl=us.partner=.last=.src=fpctx.pd=fpctx_ver%3D0%26c%3D%26ivt%3D%26sg%3Dpkg=stepid=.done=http%3a//www.yahoo.com

GET /config/login?.intl=us.partner=.last=.src=fpctx.pd=fpctx_ver%3D0%26c%3D%26ivt%3D%26sg%3Dpkg=stepid=.done=http%3a//www.yahoo.com HTTP/1.1
Host: login.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: B=afvpbj154cml2b=4d=ytuFSENpYEJWf8sJ0lKqNP8uBuaeUTJ_lgUffw--s=jn; F=a=2Q0mS8kMvTLzg1uan_YhLcVORDPzfsF7tZGWi1KBQqXkkQzn83G8IOTxy5Bmf5NeCCJ6d.Y-b=yjGX; PH=fn=1V5CPZ_yD.HkA0mbFUyE0KtA9Q--l=en-US; YLS=v=1p=0n=0; Y=v=1n=7vq916o3hossip=; HP=1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Sat, 27 Jun 2009 18:32:57 GMT
P3P: policyref=http://info.yahoo.com/w3c/p3p.xml;, CP=CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Content-Encoding: gzip
--
https://s.yimg.com/lq/i/reg/css/yregbase_sec_1.2.css

GET /lq/i/reg/css/yregbase_sec_1.2.css HTTP/1.1
Host: s.yimg.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://login.yahoo.com/config/login?.intl=us.partner=.last=.src=fpctx.pd=fpctx_ver%3D0%26c%3D%26ivt%3D%26sg%3Dpkg=stepid=.done=http%3a//www.yahoo.com
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Cache-Control: max-age=31536
Date: Sat, 27 Jun 2009 18:32:57 GMT
Content-Encoding: gzip
Content-Type: text/css
Expires: Mon, 24 Jun 2019 15:57:38 GMT
Last-Modified: Wed, 20 May 2009 16:45:42 GMT
Accept-Ranges: bytes
Server: Footprint Distributor V4.4
Vary: Accept-Encoding
Content-Length: 1890
X-WR-MODIFICATION: Content-Length
Connection: close
--
https://a248.e.akamai.net/sec.yimg.com/a/ya/yahoo_mail6/200805718_105073_480x165_susi_onesearch.jpg

GET /sec.yimg.com/a/ya/yahoo_mail6/200805718_105073_480x165_susi_onesearch.jpg HTTP/1.1
Host: a248.e.akamai.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://login.yahoo.com/config/login?.intl=us.partner=.last=.src=fpctx.pd=fpctx_ver%3D0%26c%3D%26ivt%3D%26sg%3Dpkg=stepid=.done=http%3a//www.yahoo.com
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Last-Modified: Tue, 23 Sep 2008 17:50:40 GMT
Accept-Ranges: bytes
Content-Length: 40475
Cneonction: close
Content-Type: image/jpeg
Date: Sat, 27 Jun 2009 18:32:57 GMT
Connection: keep-alive
Expires: Mon, 15 Oct 2018 22:20:02 GMT
Cache-Control: max-age=31536
--
https://s.yimg.com/lq/i/reg/gradient2.png

GET /lq/i/reg/gradient2.png HTTP/1.1
Host: s.yimg.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://login.yahoo.com/config/login?.intl=us.partner=.last=.src=fpctx.pd=fpctx_ver%3D0%26c%3D%26ivt%3D%26sg%3Dpkg=stepid=.done=http%3a//www.yahoo.com
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Cache-Control: max-age=31536
Date: Sat, 27 Jun 2009 18:32:57 GMT
Content-Length: 158
Content-Type: image/png
Expires: Tue, 18 Jun 2019 06:41:40 GMT
Last-Modified: Wed, 29 Apr 2009 16:50:25 GMT
Accept-Ranges: bytes
Server: Footprint Distributor V4.4
Connection: close
--
https://s.yimg.com/lq/i/reg/cs.gif

GET /lq/i/reg/cs.gif HTTP/1.1
Host: s.yimg.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Accept:
[squid-users] Use squidclient to request ICP query
Hi List,

Is there a way to use squidclient to send an ICP_QUERY to squid? I know I can send an HTTP request to one squid and let it send an ICP_QUERY to its sibling. But I am wondering if it is possible to send an ICP_QUERY to the sibling squid directly using squidclient?

Thanks.
Roy
Re: [squid-users] Cannot login to Yahoo webmail
On Internet Explorer only I do see this:

1246151383.634 73 64.72.120.73 TCP_MISS/200 4343 CONNECT login.yahoo.com:443 - DIRECT/209.191.92.114 -
1246151383.775 93 64.72.120.73 TCP_MISS/200 36243 GET http://www.yahoo.com/ - DIRECT/209.191.93.52 text/html
1246151383.874 95 64.72.120.73 TCP_MISS/200 35736 GET http://www.yahoo.com/? - DIRECT/209.191.93.52 text/html
1246151384.007 131 64.72.120.73 TCP_MISS/200 431 GET http://srd.yahoo.com/hp5-v501-err/Object%20doesn%27t%20support%20this%20property%20or%20method,http%3A//www.yahoo.com/%3Fr267%3D1246151834,2979/*1 - DIRECT/72.30.13.205 image/gif
1246151384.849 11302 64.72.120.73 TCP_MISS/200 42658 CONNECT a248.e.akamai.net:443 - DIRECT/65.117.152.9 -
1246151384.859 17 64.72.120.73 TCP_MISS/200 390 GET http://us.bc.yahoo.com/b? - DIRECT/68.142.213.132 image/gif
1246151384.903 51 64.72.120.73 TCP_MISS/304 186 GET http://pt.rewardtv.com/notice.do? - DIRECT/138.108.9.100 -
1246151384.916 65 64.72.120.73 TCP_MISS/302 373 GET http://ads.bluelithium.com/pixel? - DIRECT/76.13.216.11 -
1246151384.918 65 64.72.120.73 TCP_MISS/200 431 GET http://srd.yahoo.com/M=737450.13532669.13599725.7674020/D=yahoo_top/S=2716149:FPAD/_ylt=A0LEaraIxEZK_FEBd1X1cSkA;_ylg=X3oDMTBmNWJvMjFuBGNjA3VzBGNfY2FjaGUDMA--/Y=YAHOO/EXP=1246159016/L=a8D4HULEarau_eRALfUSnrh7YAhB9kpGxIgAB3y8/B=81SfBNG_RvQ-/J=1246151816507659/K=Iu0.PoY8CbwnoRd_i45elg/A=5768585/N=3110/id=load_nocap/fv=0/0.04701745383442896/*1 - DIRECT/98.136.114.40 image/gif

---
This line concerns me a bit:

GET http://srd.yahoo.com/hp5-v501-err/Object%20doesn%27t%20support%20this%20property%20or%20method,http%3A//www.yahoo.com/%3Fr267%3D1246151834,2979/*1 - DIRECT/72.30.13.205 image/gif

Not sure if this is relevant as I do not see it when using Firefox and I tried explicitly allowing all methods (GET POST PUT HEAD CONNECT TRACE OPTIONS DELETE) just to be safe.
[squid-users] squid and ipv6
Hello,

I am running Squid 2.7 on Windows on my laptop mainly to cache content from the internet. I know that Squid 2.7 does not have IPv6 support.

I am going to Japan and I will connect to the internet using a 3G card on my laptop. Do you think I will have some issues with the network over there running Squid: IPv6 issues? I am not familiar with the network state in Japan.

Laurent