Re: [squid-users] Forcing a local subnet to go direct?
JOREar wrote:
> I'm rather new to Squid and have a configuration issue to force all requests to local subnets to go direct instead of redirecting through to a corporate proxy. Is it something that can be easily accomplished?

Turn off whatever mechanism the local nets currently have that forces them to use the corporate proxy. Once the requests have already entered Squid there is no way to prevent them entering Squid. Only the browser or network settings can change that.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.10 or 3.1.0.11
Re: [squid-users] Cache-Control problems with Korean sites
Mike Mitchell wrote:
> We're having problems accessing Korean Government sites like parcel.epost.go.kr and www.g2b.go.kr from a squid cache that is physically in Seoul, Korea. I performed network captures and found that if the request included a 'Cache-Control' header the remote server did not send TCP ACK messages back for the request. The remote server did complete the three-way TCP connection handshake, but would not acknowledge the request. When I stripped the 'Cache-Control' header using
>
>   acl NoCacheCtl dstdomain .epost.go.kr .gtb.go.kr
>   header_access Cache-Control deny NoCacheCtl
>
> the TCP ACKs started coming back and we could retrieve content. My guess is there is a firewall protecting the remote web servers. Has anyone seen this behavior before?

Any cache-control values? or just specific ones?

It's really up to whoever runs the broken software to fix the issue. Just find out where the breakage is and yell loudly at them.

Amos
Re: [squid-users] squid behind firewall with only port 8081 redirecting to squid
frech wrote:
> Hi Amos, thanx again ;-)
>
> OK, just to make it really clear (sorry about my bad english!!!) i try to make a small illustration:
>
>   workgroupconnected by workstation1) workstation2| |---network-HUB--eth1-{ Squid-Server }-eth0---SWITCHFirewall-WWW workstation3| (192.168.3.0) (192.168.1.0) Port 8080| dataserver )
>
> There is NO router in the network of my workgroup. But the squid has to act as something like a router. Is this how you expected?

Ah, something happened to your diagram, but I managed to decipher it. Yes, that's one of the regular setups. Better than the one I was thinking of earlier. You can ignore the policy routing and NAT stuff entirely to start with that setup. The Squid box in that setup _is_ a router.

From an empty setup:

* assign the IPs to squid interfaces. (This alone sets up most of the routing properly in Squid box.)
* add default route to Squid box (if missing, check first):
    route add default gw 192.168.1.1 dev eth0
* Turn on the IP forwarding settings in Squid box sysctl.conf.
* add route to firewall to gw net-3 through the squid box:
    route add 192.168.3.0/24 gw 192.168.1.2 dev eth*
* run whatever ping tests you can to check that traffic from 192.168.3.* workstations can get to the places they need to.

That's it for routing. Normal Squid config we already covered. Now setup the 192.168.3.* boxes to use the proxy instead of going direct to the Internet for web stuff. Simple. Done.

NP: It's also a good idea to setup the firewall on the Squid box and consider it an extra layer of protection for both subnets from bad action in the other subnet.

Amos
Re: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Zeller, Jan wrote:
> Hi Amos, thank you very much for your patch ! Great ! Applied it like this :
>
>   $ patch -p0 < b9052.patch
>   patching file src/client_side.cc
>   Hunk #1 succeeded at (offset 81 lines).
>   $ make && make install
>
> - this time is successful but now I get :
>
>   squid-3.1.0.11/sbin# ./squid -k check -f /etc/squid3/squid.conf-3.1.0.11
>   2009/07/20 14:38:43| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
>   Aborted
>
> Any ideas ?

That's a new one. Can you run squid under a debugger and get a stack trace of where that's happening?

ie:
  gdb squid --args -NCXd9 <enter>
  bt <enter>

Amos
Re: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Zeller, Jan wrote:
> Hi Amos, thank you very much for your patch ! Great ! Applied it like this :
>
>   $ patch -p0 < b9052.patch
>   patching file src/client_side.cc
>   Hunk #1 succeeded at (offset 81 lines).
>   $ make && make install
>
> - this time is successful but now I get :
>
>   squid-3.1.0.11/sbin# ./squid -k check -f /etc/squid3/squid.conf-3.1.0.11
>   2009/07/20 14:38:43| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
>   Aborted
>
> Any ideas ?
>
> kind regards,
> Jan

I have the same problem under OpenBSD 4.4.

--
Matthias
[squid-users] Changing HTTP BASIC 'Realm' to force user logout / reauthentication
Hello squid users. Is anyone able to help me, please ?

I mistakenly thought I was clever and could force users to logout of squid by changing the realm and immediately restarting the server. I even thought I could do this with a small cron job, say, 4 times a day.

Background: http://httpd.apache.org/docs/1.3/howto/auth.html
  "so that if other resources are requested *from the same realm*, the same username and password can be returned to authenticate"

Re-creation:
1. HTTP authenticate
2. delta squid.conf, specifically, auth_param basic realm *Change Realm *
3. service squid restart
4. F5 refresh

However, I surf seamlessly without the HTTP BASIC prompt. Should this not work ?

Cdlt,
Dave
Re: [squid-users] squid behind firewall with only port 8081 redirecting to squid
That's it - it works now. I think I overdid it at the beginning ;-)

Thank you again!
Kai
AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Hi Amos,

I entered this :

  # gdb --args ./squid -NCXd9

and got this :

  GNU gdb 6.8-debian
  Copyright (C) 2008 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu"...
  (gdb) bt
  No stack.

hmmm...am I doing something wrong ?

kind regards,
Jan

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, 21 July 2009 10:00
To: Zeller, Jan
Cc: squid-users@squid-cache.org
Subject: Re: AW: AW: [squid-users] Squid 3.1.0.11 beta is available

Zeller, Jan wrote:
> Hi Amos, thank you very much for your patch ! Great ! Applied it like this :
>
>   $ patch -p0 < b9052.patch
>   patching file src/client_side.cc
>   Hunk #1 succeeded at (offset 81 lines).
>   $ make && make install
>
> - this time is successful but now I get :
>
>   squid-3.1.0.11/sbin# ./squid -k check -f /etc/squid3/squid.conf-3.1.0.11
>   2009/07/20 14:38:43| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
>   Aborted
>
> Any ideas ?

That's a new one. Can you run squid under a debugger and get a stack trace of where that's happening?

ie:
  gdb squid --args -NCXd9 <enter>
  bt <enter>

Amos
Re: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Zeller, Jan wrote:
> Hi Amos,
>
> I entered this :
>
>   # gdb --args ./squid -NCXd9
>
> and got this :
>
>   GNU gdb 6.8-debian
>   Copyright (C) 2008 Free Software Foundation, Inc.
>   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>   This is free software: you are free to change and redistribute it.
>   There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
>   This GDB was configured as "x86_64-linux-gnu"...
>   (gdb) bt
>   No stack.
>
> hmmm...am I doing something wrong ?

Sorry my fault.

  gdb --args squid -NCXd9
  .
  (gdb) run

"bt" is after the crash to display.

Amos

> kind regards,
> Jan
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Tuesday, 21 July 2009 10:00
> To: Zeller, Jan
> Cc: squid-users@squid-cache.org
> Subject: Re: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
>
> Zeller, Jan wrote:
> > Hi Amos, thank you very much for your patch ! Great ! Applied it like this :
> >
> >   $ patch -p0 < b9052.patch
> >   patching file src/client_side.cc
> >   Hunk #1 succeeded at (offset 81 lines).
> >   $ make && make install
> >
> > - this time is successful but now I get :
> >
> >   squid-3.1.0.11/sbin# ./squid -k check -f /etc/squid3/squid.conf-3.1.0.11
> >   2009/07/20 14:38:43| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
> >   Aborted
> >
> > Any ideas ?
>
> That's a new one. Can you run squid under a debugger and get a stack trace of where that's happening?
>
> ie:
>   gdb squid --args -NCXd9 <enter>
>   bt <enter>
>
> Amos
AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
No problem Amos I consulted the man gdb ;) and I also tried "run" in the gdb console but there is still the "No stack" message ...?

  (gdb) run -NXCd9
  .
  .
  .
  2009/07/21 12:00:43.919| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
  Program exited with code 01.
  (gdb) bt
  No stack.
  (gdb) quit

Do you need all the other stuff right from the start ?

kind regards,
Jan

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, 21 July 2009 11:57
To: Zeller, Jan
Cc: squid-users@squid-cache.org
Subject: Re: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available

Zeller, Jan wrote:
> Hi Amos,
>
> I entered this :
>
>   # gdb --args ./squid -NCXd9
>
> and got this :
>
>   GNU gdb 6.8-debian
>   Copyright (C) 2008 Free Software Foundation, Inc.
>   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>   This is free software: you are free to change and redistribute it.
>   There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
>   This GDB was configured as "x86_64-linux-gnu"...
>   (gdb) bt
>   No stack.
>
> hmmm...am I doing something wrong ?

Sorry my fault.

  gdb --args squid -NCXd9
  .
  (gdb) run

"bt" is after the crash to display.
Re: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Zeller, Jan wrote:
> No problem Amos I consulted the man gdb ;) and I also tried "run" in the gdb console but there is still the "No stack" message ...?
>
>   (gdb) run -NXCd9
>   .
>   .
>   .
>   2009/07/21 12:00:43.919| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
>   Program exited with code 01.
>   (gdb) bt
>   No stack.
>   (gdb) quit
>
> Do you need all the other stuff right from the start ?

There are many ways to run stuff with gdb. The one I gave was simply the easiest to instruct. The way you just did was another.

I think the no stack is probably the lack of debug symbols in your build. You will need to check/fix that before we can continue. I don't know how you build Squid so can't help with this bit I'm sorry.

Amos

> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Tuesday, 21 July 2009 11:57
> To: Zeller, Jan
> Cc: squid-users@squid-cache.org
> Subject: Re: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
>
> Zeller, Jan wrote:
> > Hi Amos,
> >
> > I entered this :
> >
> >   # gdb --args ./squid -NCXd9
> >
> > and got this :
> >
> >   GNU gdb 6.8-debian
> >   Copyright (C) 2008 Free Software Foundation, Inc.
> >   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> >   This is free software: you are free to change and redistribute it.
> >   There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
> >   This GDB was configured as "x86_64-linux-gnu"...
> >   (gdb) bt
> >   No stack.
> >
> > hmmm...am I doing something wrong ?
>
> Sorry my fault.
>
>   gdb --args squid -NCXd9
>   .
>   (gdb) run
>
> "bt" is after the crash to display.
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Hi Amos,

I send the trace as requested, yesterday I just came back from holidays and I was out:

  CONNECT tp.seg-social.es:443 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
  Proxy-Connection: keep-alive
  Host: tp.seg-social.es

  HTTP/1.0 407 Proxy Authentication Required
  Server: squid/3.0.STABLE16
  Mime-Version: 1.0
  Date: Tue, 21 Jul 2009 10:28:20 GMT
  Content-Type: text/html
  Content-Length: 1681
  X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  Proxy-Authenticate: NTLM
  Proxy-Authenticate: Basic realm="ProxySquid"
  X-Cache: MISS from deil-trinity2
  X-Cache-Lookup: NONE from deil-trinity2:3128
  Via: 1.0 deil-trinity2 (squid/3.0.STABLE16)
  Proxy-Connection: close

  (HTML error page body; the markup was lost in the archive, its text follows)

  ERROR
  Cache Access Denied.

  The following error was encountered while trying to retrieve the URL: https://tp.seg-social.es/*

  Cache Access Denied.

  Sorry, you are not currently allowed to request https://tp.seg-social.es/* from this cache until you have authenticated yourself.

  Please contact the cache administrator if you have difficulties authenticating yourself or change (http://deil-trinity2/cgi-bin/chpasswd.cgi) your default password.

  Generated Tue, 21 Jul 2009 10:28:20 GMT by deil-trinity2 (squid/3.0.STABLE16)

Thanks a lot

2009/7/20 Gontzal gontz...@gmail.com:
> Responses in the message.
>
> 2009/7/20 Amos Jeffries squ...@treenet.co.nz:
> > Gontzal wrote:
> > > Hi Amos, First of all sorry for the delay. Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried with reply_header_access with the same result: none.
> >
> > By none you mean Java still getting the NTLM Proxy_auth header?
>
> I think so, because it is not starting the java applet, neither asking for basic auth
>
> > Do you have a trace of the 407 reply from Squid to be sure of that?
>
> I don't know how to get the trace, if you can give me more info to get the trace i would appreciate. I just have the information from the access.log
>
> Same entries on access.log:
>   172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] CONNECT tp.seg-social.es:443 HTTP/1.1 407 2015 TCP_DENIED:NONE
>
> In the access.log of the parent proxy I get:
>   1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>
> This is part of my conf:
>   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>   auth_param ntlm children 50
>   auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>   auth_param basic children 5
>   auth_param basic realm ProxySquid
>   auth_param basic credentialsttl 2 hours
>   external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>   acl Java browser Java/1.4 Java/1.5 Java/1.6
>   acl javaConnect method CONNECT
>   reply_header_access Proxy-Authenticate deny Java javaConnect
>   header_replace Proxy-Authenticate basic realm=ProxySquid
>
> and after that the http_access tags
>
> > > Another question, the realm value must be the same as defined on auth_param basic realm ProxySquid or may be the domain name as defined on smb.conf? In my case it's not the same value.
> >
> > The realm returned by Squid should always be the one configured in squid.conf auth_param
>
> the value of realm must be between or not?
>
> Thanks again.
> Gontzal
>
> > Amos
> >
> > > 2009/7/2 Amos Jeffries squ...@treenet.co.nz:
> > > > On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal gontz...@gmail.com wrote:
> > > > > Hi, I've recompiled squid, now 3.0 stable 16 on a non-production opensuse 10.3 server with the --enable-http-violations option. I've added the following lines to my squid.conf file:
> > > > >   acl Java browser Java/1.4 Java/1.5 Java/1.6
> > > > >   header_access Proxy-Authenticate deny Java
> > > > >   header_replace Proxy-Authenticate Basic realm=
> > > > > The header tags are before the http_access tags, I don't know if it is correct. I've also disabled the option http_access allow Java. Squid runs correctly but when i check for java, it doesn't work, it
[squid-users] howto block audio/video streaming
Squid 2.7 STABLE 5

how can I block audio/video streaming via squid ? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)

Regards
-ms
[squid-users] Ident and 3.1
SQ 3.1.0.7

We are running a new squid box to replace our 2.6 box. It all works fine except it does seem to be requesting IDENT, I have tried recompiling with enable-ident-lookups but this seems to have made no difference.

I have tried

  acl ident_aware_hosts src 10.106.88.0/21
  ident_lookup_access allow ident_aware_hosts
  ident_lookup_access deny all

( nothing seems to be blocked even if there is no ident returned?? )

also tried

  ident_lookup on

( causes a config error )

and

  acl validuser ident REQUIRED
  http_access allow validuser

Nothing seems to work I just get a DASH where the user name should be. I have tested the ident server response via telnet and it responds with the correct information.

SO in order to log the ident user name, and prevent access from any request without a username What should I be doing in SQ3.1 as it works fine on 2.6.

Cheers
Rob
Re: [squid-users] howto block audio/video streaming
Muhammad Sharfuddin wrote:
> Squid 2.7 STABLE 5
>
> how can I block audio/video streaming via squid ? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
>
> Regards
> -ms

http://wiki.squid-cache.org/ConfigExamples

Amos
Re: [squid-users] Changing HTTP BASIC 'Realm' to force user logout / reauthentication
David (Dave) Donnan wrote:
> Hello squid users. Is anyone able to help me, please ?
>
> I mistakenly thought I was clever and could force users to logout of squid by changing the realm and immediately restarting the server. I even thought I could do this with a small cron job, say, 4 times a day.
>
> Background: http://httpd.apache.org/docs/1.3/howto/auth.html
>   "so that if other resources are requested *from the same realm*, the same username and password can be returned to authenticate"
>
> Re-creation:
> 1. HTTP authenticate
> 2. delta squid.conf, specifically, auth_param basic realm *Change Realm *
> 3. service squid restart
> 4. F5 refresh
>
> However, I surf seamlessly without the HTTP BASIC prompt. Should this not work ?

A requested realm is sent by Squid, but any realm may come back. If the Basic authenticator verifies the full realm/username/password trio sent from client, Squid will accept them as valid and store for future lookups.

AFAIK the realm config option in Squid is just to have something Squid can suggest in a 407 before the authenticator gets involved.

I would think it possible that browsers might ignore the realm, and try to use any known user/pass they already have before bothering the user with annoying popups.

Amos
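Both authentication threads above (the NTLM/Java 407 trace and the Basic realm question) come down to what is actually on the wire. The following is an added example, not code from either thread or from Squid: it parses the Proxy-Authenticate challenges of a 407 reply modelled on the posted trace, which is the check Amos asked for, and decodes a Basic Proxy-Authorization value to show that what a browser sends back is only user:password with no realm field, so a realm change by itself gives the proxy nothing new to reject. The 407 header values and the dave/s3cret credential are constructed samples.

```python
"""Inspect a 407 challenge and a Basic proxy credential.

Added example for the squid-users threads above, not code from them or
from Squid. The 407 headers are a constructed sample modelled on the
posted trace; the dave/s3cret credential is made up.
"""
import base64
from typing import Dict, List, Tuple

# Constructed 407 reply (body omitted), modelled on the posted trace.
SAMPLE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid/3.0.STABLE16\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="ProxySquid"\r\n'
    "Proxy-Connection: close\r\n"
    "\r\n"
)


def parse_challenges(reply: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (scheme, params) for every Proxy-Authenticate header in a reply."""
    head = reply.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for item in rest.split(","):
            key, _, val = item.strip().partition("=")
            if key:
                params[key.lower()] = val.strip().strip('"')
        found.append((scheme, params))
    return found


def offers_ntlm(reply: str) -> bool:
    """True if the reply still advertises NTLM, i.e. a rule meant to hide
    that challenge from a Java client did not take effect for this reply."""
    return any(scheme.upper() == "NTLM" for scheme, _ in parse_challenges(reply))


def basic_credential(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a client sends for Basic auth.
    The realm from the challenge is not part of it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Recover (user, password) from a 'Basic <base64>' credential."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for scheme, params in parse_challenges(SAMPLE_407):
        print(scheme, params or "")
    cred = basic_credential("dave", "s3cret")
    print(cred, "->", decode_basic(cred))
```

To use this against a live proxy, capture the 407 reply (the trace posted above is exactly that) and feed its header block to parse_challenges; if offers_ntlm is still true for a request from a Java user agent, the reply_header_access rule did not apply to that reply.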
Re: [squid-users] Ident and 3.1
twintu...@f2s.com wrote:
> SQ 3.1.0.7
>
> We are running a new squid box to replace our 2.6 box. It all works fine except it does seem to be requesting IDENT, I have tried recompiling with enable-ident-lookups but this seems to have made no difference.
>
> I have tried
>
>   acl ident_aware_hosts src 10.106.88.0/21
>   ident_lookup_access allow ident_aware_hosts
>   ident_lookup_access deny all
>
> ( nothing seems to be blocked even if there is no ident returned?? )

This only blocks the actual sending of an ident packet. The HTTP request itself will go through normally.

> also tried
>
>   ident_lookup on
>
> ( causes a config error )
>
> and
>
>   acl validuser ident REQUIRED
>   http_access allow validuser

3.1 triggers an ident request as soon as a client connects. I would expect this to check for an existing result from that previous, trigger another if still needed. And permit the HTTP request through if any ident at all was returned.

> Nothing seems to work I just get a DASH where the user name should be.

Default log format or a custom one? Usernames have several different logformat tags and places logged to cater for the different types of username.

> I have tested the ident server response via telnet and it responds with the correct information.
>
> SO in order to log the ident user name, and prevent access from any request without a username What should I be doing in SQ3.1 as it works fine on 2.6.

There were ident fixes as far up as 3.1.0.8, and some further shuffling in 3.1.0.9. Still some bugs open, and of course the possibility of unknown bugs still to fix.

Can you try 3.1.0.10? If still present in that release please see if you can track down what's actually going wrong and report it.

Amos
Re: [squid-users] howto block audio/video streaming
On Tue, 2009-07-21 at 22:53 +1200, Amos Jeffries wrote:
> Muhammad Sharfuddin wrote:
> > Squid 2.7 STABLE 5
> >
> > how can I block audio/video streaming via squid ? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
> >
> > Regards
> > -ms
>
> http://wiki.squid-cache.org/ConfigExamples
>
> Amos

nice url, but there I did not find anything to block audio/video streaming. Please help

Regards
-ms
Re: [squid-users] howto block audio/video streaming
Muhammad Sharfuddin wrote:
> On Tue, 2009-07-21 at 22:53 +1200, Amos Jeffries wrote:
> > Muhammad Sharfuddin wrote:
> > > Squid 2.7 STABLE 5
> > >
> > > how can I block audio/video streaming via squid ? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
> > >
> > > Regards
> > > -ms
> >
> > http://wiki.squid-cache.org/ConfigExamples
> >
> > Amos
>
> nice url, but there I did not find anything to block audio/video streaming. Please help

Section 2.5 Multimedia and Data Stream filtering

Also, ConfigExamples/DynamicContent/YouTube and ConfigExamples/BlockingMimeTypes

Amos
[squid-users] Squid3 / NTLM / token id cache
Hello,

I've installed 2 Squid 3.0.STABLE5 + samba-winbind on a mandriva 2008.1 with ntlm authentication. It works, clients are able to surf on the web using the Proxy and usernames are correctly logged.

But we experienced some latency issues on websites. When i look into access.log file i observe a lot of 407 authentication requests. So i read about ntlm authentication and see that there is an authentication request for each connection.

There is nearly 6000 users on the 2 squid servers and i have noticed there's some great traffic between squid boxes and AD server, which is expected, because of the authentication traffic.

On previous version we could use following settings (ntlm parameters on 2.5 squid and i noticed they didn't exist after 2.6) :

  max_challenge_reuses number
  max_challenge_lifetime timespan

What similar option on squid 3 can be used to reduce authentication traffic ? Is there any solution to avoid an authentication request to each connection and have a possibility to reuse a token id ?

* Squid.conf :

  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 80
  auth_param ntlm keep_alive on
  auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 5
  auth_param basic realm Squid AD
  auth_param basic credentialsttl 2 hours

* What i found on cache.log files :

  libsmb/ntlmssp.c:ntlmssp_update(327) Failed to parse NTLMSSP packet, could not extract NTLMSSP command

(~= each second)

Regards,
Frederic THOMAS
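The observation above ("a lot of 407 authentication requests" in access.log) is the measurement to make before and after any tuning. The following is an added example, not code from the thread or from Squid: it parses lines in Squid's native access.log format and reports, per client, how many replies were 407 challenges and what share of that client's requests they make up. The log lines embedded in it are constructed samples, not lines from the poster's servers.

```python
"""Count 407 challenges per client in Squid's native access.log format.

Added example for the NTLM latency question above; it is not code from
the thread or from Squid. Native-format fields: timestamp, elapsed ms,
client, action/status, bytes, method, URL, user, hierarchy/peer, type.
The log lines below are constructed samples.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional


class Entry(NamedTuple):
    when: float
    elapsed_ms: int
    client: str
    action: str
    status: int
    size: int
    method: str
    url: str
    user: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; None for anything malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    action, _, code = parts[3].partition("/")
    try:
        return Entry(float(parts[0]), int(parts[1]), parts[2], action,
                     int(code), int(parts[4]), parts[5], parts[6], parts[7])
    except ValueError:
        return None


def auth_churn(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: request count, 407 count and the 407 share.

    A share far above what one handshake per connection would produce
    means credentials are not being reused across requests."""
    stats = defaultdict(lambda: {"requests": 0, "challenges": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        bucket = stats[entry.client]
        bucket["requests"] += 1
        if entry.status == 407:
            bucket["challenges"] += 1
    for bucket in stats.values():
        bucket["ratio"] = round(bucket["challenges"] / bucket["requests"], 2)
    return dict(stats)


# Constructed sample log: two clients, one of them challenged on every other request.
SAMPLE_LOG = """\
1248084163.393 131 172.28.3.186 TCP_DENIED/407 2015 GET http://www.example.com/ - NONE/- text/html
1248084163.512 245 172.28.3.186 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\\user1 DIRECT/192.0.2.10 text/html
1248084164.001 97 172.28.3.186 TCP_DENIED/407 2015 GET http://www.example.com/a.css - NONE/- text/html
1248084164.210 180 172.28.3.186 TCP_HIT/200 800 GET http://www.example.com/a.css DOMAIN\\user1 NONE/- text/css
1248084165.777 60 172.28.3.190 TCP_MISS/200 3000 GET http://www.example.org/ DOMAIN\\user2 DIRECT/192.0.2.11 text/html
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for client, s in sorted(auth_churn(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {s['challenges']}/{s['requests']} replies were 407 ({s['ratio']:.0%})")
```

Run it over a real access.log with `auth_churn(open("/var/log/squid/access.log"))`; clients whose ratio stays near 0.5 are re-authenticating on nearly every request, which is the behaviour the thread is about.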
[squid-users] rep_mime_type is evaluated before content has been reached ?
rep_mime_type can't be used for parent selection because this is evaluated before content has been reached ? This is true ?

Jorge.

- Original Message -
From: Frederic THOMAS frederic.tho...@atosorigin.com
To: squid-users@squid-cache.org
Sent: Tuesday, July 21, 2009 9:18 AM
Subject: [squid-users] Squid3 / NTLM / token id cache

> Hello,
>
> I've installed 2 Squid 3.0.STABLE5 + samba-winbind on a mandriva 2008.1 with ntlm authentication. It works, clients are able to surf on the web using the Proxy and usernames are correctly logged.
>
> But we experienced some latency issues on websites. When i look into access.log file i observe a lot of 407 authentication requests. So i read about ntlm authentication and see that there is an authentication request for each connection.
>
> There is nearly 6000 users on the 2 squid servers and i have noticed there's some great traffic between squid boxes and AD server, which is expected, because of the authentication traffic.
>
> On previous version we could use following settings (ntlm parameters on 2.5 squid and i noticed they didn't exist after 2.6) :
>
>   max_challenge_reuses number
>   max_challenge_lifetime timespan
>
> What similar option on squid 3 can be used to reduce authentication traffic ? Is there any solution to avoid an authentication request to each connection and have a possibility to reuse a token id ?
>
> * Squid.conf :
>
>   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>   auth_param ntlm children 80
>   auth_param ntlm keep_alive on
>   auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>   auth_param basic children 5
>   auth_param basic realm Squid AD
>   auth_param basic credentialsttl 2 hours
>
> * What i found on cache.log files :
>
>   libsmb/ntlmssp.c:ntlmssp_update(327) Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>
> (~= each second)
>
> Regards,
> Frederic THOMAS
Re: [squid-users] howto block audio/video streaming
Muhammad Sharfuddin wrote:
> On Tue, 2009-07-21 at 22:53 +1200, Amos Jeffries wrote:
> > Muhammad Sharfuddin wrote:
> > > Squid 2.7 STABLE 5
> > >
> > > how can I block audio/video streaming via squid ? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
> > >
> > > Regards
> > > -ms
> >
> > http://wiki.squid-cache.org/ConfigExamples
> >
> > Amos
>
> nice url, but there I did not find anything to block audio/video streaming. Please help
>
> Regards
> -ms

Here is what I've done on my test squid conf which hasn't been validated yet

  acl novid rep_mime_type audio video
  http_reply_access deny novid

--
Erwann Pencreach
Centre Hospitalier de Chaumont, Service Informatique
Re: [squid-users] rep_mime_type is evaluated before content has been reached ?
2009/7/21 Soporte Técnico @lemNet sopo...@nodoalem.com.ar:
> rep_mime_type can't be used for parent selection because this is evaluated before content has been reached ?

Correct.

Adrian
Re: [squid-users] Forcing a local subnet to go direct?
I was actually able to accomplish this much easier than I thought. I was just not getting the syntax correct.

  acl local-network dst 10.50.0.0/16, 10.45.0.0/16
  always_direct allow local-network

Thanks all for your help.
AW: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Hi Amos,

I now explicitly enabled --enable-stacktraces (Enable automatic call backtrace on fatal errors) during the build and added CFLAGS="-g -ggdb" in front of ./configure but the result seems to be the same...

  # ./squid -v
  Squid Cache: Version 3.1.0.11
  configure options:  '--prefix=/opt/squid-3.1.0.11' '--enable-icap-client' '--enable-ssl' '--enable-linux-netfilter' '--disable-ipv6' '--disable-translation' '--disable-auto-locale' '--with-pthreads' '--with-filedescriptors=32768' '--enable-stacktraces' 'CFLAGS=-g -ggdb' --with-squid=/usr/local/src/squid-3.1.0.11 --enable-ltdl-convenience

  2009/07/21 15:43:50| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
  Aborted

  # gdb --args ./squid -NCXd9
  GNU gdb 6.8-debian
  Copyright (C) 2008 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu"...
  (gdb) bt
  No stack.
  (gdb) quit

I also followed the guidelines on http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-b09c6d3a618b5b8aca46a10bd1c5d88c38375ed2

  # nm ./squid | head
  00959d00 B AS_tree_head
  00965740 B AclMatchedName
           U BIO_ctrl@@OPENSSL_0.9.8
           U BIO_free@@OPENSSL_0.9.8
           U BIO_new@@OPENSSL_0.9.8
           U BIO_new_file@@OPENSSL_0.9.8
           U BIO_s_mem@@OPENSSL_0.9.8
  008580d8 D Biggest_FD
  005fb168 R CacheDigestHashFuncCount
  008cf880 B CcFieldsInfo

What am I doing wrong here ?

kind regards,
Jan

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, 21 July 2009 12:22
To: Zeller, Jan
Cc: squid-users@squid-cache.org
Subject: Re: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available

Zeller, Jan wrote:
> No problem Amos I consulted the man gdb ;) and I also tried "run" in the gdb console but there is still the "No stack" message ...?
>
>   (gdb) run -NXCd9
>   .
>   .
>   .
>   2009/07/21 12:00:43.919| assertion failed: mem.cc:236: size == StrPoolsAttrs[i].obj_size
>   Program exited with code 01.
>   (gdb) bt
>   No stack.
>   (gdb) quit
>
> Do you need all the other stuff right from the start ?

There are many ways to run stuff with gdb. The one I gave was simply the easiest to instruct. The way you just did was another.

I think the no stack is probably the lack of debug symbols in your build. You will need to check/fix that before we can continue. I don't know how you build Squid so can't help with this bit I'm sorry.

Amos
RE: [squid-users] Cache-Control problems with Korean sites
I used telnet to connect to the problem web server and sent a minimal HTTP request. The web server returned a page, so I tried again adding a header from the trace one at a time until I did not get a response. I only tried one value of Cache-Control, "max-age=0".

I've tried accessing the Korean Government sites from other proxy servers around the world and I get the same behavior. I know the problem isn't with the proxy server's ISP, but rather with the Korean Government sites.

Mike Mitchell

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, July 21, 2009 2:37 AM
To: Mike Mitchell
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache-Control problems with Korean sites

Mike Mitchell wrote:
> We're having problems accessing Korean Government sites like parcel.epost.go.kr and www.g2b.go.kr from a squid cache that is physically in Seoul, Korea.
> I performed network captures and found that if the request included a 'Cache-Control' header the remote server did not send TCP ACK messages back for the request. The remote server did complete the three-way TCP connection handshake, but would not acknowledge the request.
> When I stripped the 'Cache-Control' header using
>
> acl NoCacheCtl dstdomain .epost.go.kr .gtb.go.kr
> header_access Cache-Control deny NoCacheCtl
>
> the TCP ACKs started coming back and we could retrieve content. My guess is there is a firewall protecting the remote web servers.
> Has anyone seen this behavior before?

Any cache-control values? or just specific ones?

It's really up to whoever runs the broken software to fix the issue. Just find out where the breakage is and yell loudly at them.

Amos
[squid-users] Are these acl / http_access correct ?
Hi all,

I'm fairly new to squid, and I'm trying to configure it for filtering web access from multiple vlans, allowing some of them to go to some destinations (and nowhere else), and others... to go to other destinations, etc. All other vlans are granted to go everywhere (I hope this is clever... I'm French... sorry! :-))

Here is how I think it can be done... but I doubt. Could you please tell me if this is good, and if not, could you explain to me what to do to have a correct filtering configuration.

Thanks a lot!

### SOURCES ###
# [VLAN 1]
acl src_vlan_1 src 192.168.1.0/24
# [VLAN 2]
acl src_vlan_2 src 192.168.2.0/24
# [All VLANs]
acl all src all

### DESTINATIONS ###
# [VLAN 1]
acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
# [VLAN 2]
acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
# [All destinations]
acl ALL_INTERNET dst 0.0.0.0/32

### AUTHORISATIONS ###
# VLAN 1
http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1 ALL_INTERNET
# VLAN 2
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2 ALL_INTERNET

http_access allow all ALL_INTERNET
Re: AW: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zeller, Jan wrote:
> Hi Amos,
> I now explicitly enabled "--enable-stacktraces  Enable automatic call backtrace on fatal errors" during the build and added CFLAGS="-g -ggdb" in front of ./configure, but the result seems to be the same...
> [...]
> 2009/07/21 15:43:50| assertion failed: mem.cc:236: "size == StrPoolsAttrs[i].obj_size"
> Aborted
>
> # gdb --args ./squid -NCXd9
> GNU gdb 6.8-debian
> [...]
> (gdb) bt
> No stack.
> (gdb) quit

You forgot to tell gdb to run the program.

# gdb --args ./squid -NCXd9

start gdb and tell it to use -NCXd9 as arguments for squid

When you get the gdb prompt, enter:

(gdb) r

which will run squid. When it crashes you type

(gdb) bt

to get the backtrace.

If squid does not crash, typing bt is pretty useless. Same, if it even didn't run before ;)

- --
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpl0pYACgkQGgHcOSur6dRRagCfQpDfLaFqg1mLwJCVTcAUJRWP
R+oAn2LnoLTxNJV6+YX+Q8Ja8ILUHayl
=JhHL
-----END PGP SIGNATURE-----
Re: AW: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
my 2 cents:
someone needs to explain how to set a breakpoint because when the assertion fails, the program exits (see previous emails: "Program exited with code 01")

The question is where to set the breakpoint but probably Amos knows where to set it.

Marcus

Silamael wrote:
> Zeller, Jan wrote:
>> Hi Amos,
>> I now explicitly enabled "--enable-stacktraces  Enable automatic call backtrace on fatal errors" during the build and added CFLAGS="-g -ggdb" in front of ./configure, but the result seems to be the same...
>> [...]
>> (gdb) bt
>> No stack.
>> (gdb) quit
>
> You forgot to tell gdb to run the program.
>
> # gdb --args ./squid -NCXd9
>
> start gdb and tell it to use -NCXd9 as arguments for squid
>
> When you get the gdb prompt, enter:
>
> (gdb) r
>
> which will run squid. When it crashes you type
>
> (gdb) bt
>
> to get the backtrace.
>
> If squid does not crash, typing bt is pretty useless. Same, if it even didn't run before ;)
>
> Matthias
Re: AW: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Er.. not really
The failing line gets invoked very often, so setting a breakpoint there would be quite time-consuming.
I really hope that there is some other way. (crossing fingers)

Francesco

On Tue, Jul 21, 2009 at 4:49 PM, Marcus Kool <marcus.k...@urlfilterdb.com> wrote:
> my 2 cents:
> someone needs to explain how to set a breakpoint because when the assertion fails, the program exits (see previous emails: "Program exited with code 01")
>
> The question is where to set the breakpoint but probably Amos knows where to set it.
>
> Marcus
>
> Silamael wrote:
>> Zeller, Jan wrote:
>>> [...]
>>> (gdb) bt
>>> No stack.
>>> (gdb) quit
>>
>> You forgot to tell gdb to run the program.
>> [...]
>> If squid does not crash, typing bt is pretty useless. Same, if it even didn't run before ;)
>>
>> Matthias

--
/kinkie
[squid-users] RE: Squid on Windows, slow file transfers
I installed Squid 2.7.STABLE6 on a Linux virtual machine, which is running on the same physical machine that Squid on Windows is running on. I copied the configuration file in, changed a couple of paths to the Linux paths, and started up Squid. I then changed the NAT to the virtual machine, and now file transfers are as fast as they should be.

While this solution works, I'd rather not have to run another virtual machine just for Squid when it works fine under Windows except for the slow transfers. It sounds like there's a bug in Squid for Windows, or some hidden setting or something? I can't imagine I'm the first person to encounter this problem.

-----Original Message-----
From: Joseph Jamieson [mailto:jjamie...@futurefoundations.com]
Sent: Monday, July 20, 2009 5:41 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid on Windows, slow file transfers

Hello,

I have squid 2.7.STABLE6 running on Server 2008. Its purpose is a reverse-proxy for several web services. For instance, one service is OWA, another is a web-based file-sharing utility, and another is a plain old web site. All DNS records (mail., files., www.) point to the same IP which is NATted to Squid. Each of these services is running on a separate machine.

It all works great. Squid determines which back-end machine/port to request the data from based on http headers. It's squid at its finest.

However, file transfers through it are very slow. The connection is 20Mbit. When I go directly to the web file server via a direct NAT, I can download at full speed. 1.5MB/s is common from this method. However, when I go through the squid reverse-proxy, response time is great but file transfers never go above 200K/s. It's almost as if connections are capped/throttled at a certain speed within squid.

I tested a direct web server on port 80 under the suspicion that the ISP was throttling port 80 but it was fine.

I am having a devil of a time tracking down this problem, and any suggestions are most welcome.

Thanks.
Joe
[squid-users] saved uid
I'm using squid 2.6 on CentOS 5.3.

I've seen that the squid process keeps a saved user id of root (real and effective uid are that of user squid). Is this normal? How can I change it, and make squid give up root privileges completely?

Thanks,
Adrian Buciuman
RE: [squid-users] next Squid 2.7 release?
Hi Amos and Guido,

As per the email below, 2.7 STABLE 7 was supposed to support Windows 7. Windows 7 is releasing in October 2009 and we would like to have our product support that as well. To do that, we need Squid to support Windows 7. Can you please tell me when Squid 2.7 STABLE 7 will be released?

Thanks
Balaji

-----Original Message-----
From: Balaji Ganesan [mailto:bgane...@venturiwireless.com]
Sent: Wednesday, June 03, 2009 9:37 AM
To: Guido Serassio; Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] next Squid 2.7 release?

Thanks Amos and Guido.

Guido, do we have any timeline on when we can expect this? Thanks again.

Thanks
Balaji

-----Original Message-----
From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
Sent: Wednesday, June 03, 2009 4:16 AM
To: Amos Jeffries; Balaji Ganesan
Cc: squid-users@squid-cache.org
Subject: R: [squid-users] next Squid 2.7 release?

Hi,

There are already many Windows changes to be included, and I think that they should be in a final STABLE 2.7 release.

But if 2.7 STABLE6 will be considered the final STABLE 2.7 release, we will build an updated 2.7 STABLE6-2 binary for Windows.

But I think also that a new STABLE release could be better and clearer for users.

Regards

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/

-----Original message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday 3 June 2009 2.13
To: Balaji Ganesan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] next Squid 2.7 release?
Priority: High

On Tue, 2 Jun 2009 16:44:50 -0700, Balaji Ganesan <bgane...@venturiwireless.com> wrote:
> Hi,
> Can anyone please let me know when is the next stable 2.7 release intended. I believe Windows 7 support is on the next release and I would like to have that for my work.
> Also please let me know which STABLE version will that one be.
>
> Thanks
> Balaji

Henrik who maintains Squid-2 and makes these decisions for that branch is taking a long overdue break from squid at present. He will be back at some undefined point in the future.

The next numerical release of 2.7 will be 2.7.STABLE7 if it comes out. No release is timelined at present, though I have little doubt there will be one eventually.

Meanwhile you should contact Acme Consulting (http://squid.acmeconsulting.it/) about an updated build.

Amos
[squid-users] Authentication with Squid 3.0 forwarding the authentication to external web content filter - Edirectory
We are currently using Squid 3.0 Stable 13. We are currently sending everyone through the proxy/cache. We are implementing a user based web content filtering solution (not a linux based solution) that authenticates users against edirectory. The current solution sends all users who use the proxy server as a guest account as the Squid box does not hit against edirectory.

My question is this, if I set up the squid caching server to use the external authentication (LDAP), will it pass the edirectory credentials onto the web filter or will it not pass them at all. So if a client computer logs into novell with the username jsmith will it pass jsmith on to the web filter or will it not pass any username?

Thank you,

The information contained in this email may be confidential and/or privileged. It has been sent for the sole use of the intended recipient(s). If the reader of this message is not an intended recipient, you are hereby notified that any unauthorized review, use, disclosure, dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message.
Re: [squid-users] Squid on Windows, slow file transfers
Hi,

At 01.36 21/07/2009, Amos Jeffries wrote:
>> However, file transfers through it are very slow. The connection is 20Mbit. When I go directly to the web file server via a direct NAT, I can download at full speed. 1.5MB/s is common from this method. However, when I go through the squid reverse-proxy, response time is great but file transfers never go above 200K/s.
>
> Could be many things. From disk speeds, to OS swapping, or FD exhaustion (Windows is system-capped at 1K handles IIRC).

To be precise, the FD limit on Windows is 2048; it's hard coded in the MS C Runtime Library.

Another thing to check is any antivirus software running on the proxy machine.

Please also note that the Windows 2008 support in 2.7 STABLE6 and previous is not optimal (fixed in the next 2.7 STABLE7), but this should not impact throughput.

Regards

Guido

-------------------------------------------------------------
Guido Serassio
Acme Consulting S.r.l. - Microsoft Gold Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Re: [squid-users] RE: Squid on Windows, slow file transfers
Hi,

At 17.58 21/07/2009, Joseph Jamieson wrote:
> I installed Squid 2.7.STABLE6 on a Linux virtual machine, which is running on the same physical machine that Squid on Windows is running on. I copied the configuration file in, changed a couple of paths to the Linux paths, and started up Squid. I then changed the NAT to the virtual machine, and now file transfers are as fast as they should be.
>
> While this solution works, I'd rather not have to run another virtual machine just for Squid when it works fine under Windows except for the slow transfers. It sounds like there's a bug in Squid for Windows, or some hidden setting or something? I can't imagine I'm the first person to encounter this problem.

The problem could be Windows itself: the network I/O capability of Squid when running on Windows is limited by design because select() is the only multiplatform compatible comm loop available, but it's the worst. On the same HW, a Linux build will always be a better performer.

Regards

Guido
Re: [squid-users] SQUID Home Proxy AD
Hi,

At 15.38 20/07/2009, Jeremey Wise wrote:
> Current Setup:
> VMWare ESX hosting Windows 2003 Server
> setup_squid_2_5_stable_3_eng.exe installed and working.

This is a very OLD, unsupported and unofficial build, please use the 2.7 STABLE6 official binaries.

> I have googled around to find a better how-to for Windows hosted Squid or a forum specific to that branch of the squid project but I have not found any. I am more than glad to document the setup process and post examples for the community.

Any Linux documentation is fine, just change file system paths ... :-)

Regards

Guido
RE: [squid-users] next Squid 2.7 release?
Hi,

At 20.30 21/07/2009, Balaji Ganesan wrote:
> Hi Amos and Guido,
> As per the email below, 2.7 STABLE 7 was supposed to support Windows 7.

It WILL support Windows 7 and any other new Windows future versions.

> Windows 7 is releasing in October 2009 and we would like to have our product support that as well. To do that, we need Squid to support Windows 7. Can you please tell me when Squid 2.7 STABLE 7 will be released?

There is still no planned release date, but all the related changes are now in the 2.7 STABLE source code, so the release time should not be far away.

Regards

Guido
Re: [squid-users] The squid service on local computer started and then stopped on windows 2003
Hi,

At 12.14 06/07/2009, giorgio.bo...@radicigroup.com wrote:
> Good morning to all
> I have to install Squid on Windows 2003 R2 SP2. When I start the squid service from the control panel of Windows I receive this message:
>
> "The Squid service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example the Performance Logs and Alerts service."
>
> If I start squid from the Windows prompt it starts.
> Can you help me?

What is in the log files?

Regards

Guido
Re: AW: AW: AW: AW: AW: [squid-users] Squid 3.1.0.11 beta is available
Just break on SIGABRT and SIGSEGV. The actual place in the code where things failed will be slightly further up the callstack than the break point but it -will- be triggered.

Just remember to ignore SIGPIPE's or you'll have a strangely failing Squid. :)

adrian

2009/7/21 Marcus Kool <marcus.k...@urlfilterdb.com>:
> my 2 cents:
> someone needs to explain how to set a breakpoint because when the assertion fails, the program exits (see previous emails: "Program exited with code 01")
>
> The question is where to set the breakpoint but probably Amos knows where to set it.
>
> Marcus
>
> Silamael wrote:
>> Zeller, Jan wrote:
>>> [...]
>>> (gdb) bt
>>> No stack.
>>> (gdb) quit
>>
>> You forgot to tell gdb to run the program.
>> [...]
>> If squid does not crash, typing bt is pretty useless. Same, if it even didn't run before ;)
>>
>> Matthias
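The gdb procedure from Matthias's and Adrian's replies above (run the program under gdb, stop on SIGABRT/SIGSEGV, leave SIGPIPE alone, then take the backtrace) can be scripted so that nobody has to type at the (gdb) prompt. The following is an added example, not code from the thread or from the Squid project: it writes a gdb command file, runs Squid under gdb in batch mode with the -NCXd9 flags used in the thread, and classifies what gdb printed into the situations seen above ("No stack." before any run, "Program exited with code 01", a stripped build, or a usable trace). The squid binary path is a placeholder; the sample gdb outputs are constructed, not real captures.

```python
"""Added example, not code from the squid-users thread or from Squid.

Drives gdb non-interactively so that an assertion abort produces a backtrace
(the advice in the thread: run the program, stop on SIGABRT/SIGSEGV, ignore
SIGPIPE) and classifies gdb's output into the situations seen in the thread.
The squid binary path and the command-file location are placeholders.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# gdb command file: signal handling first, then run, then dump the stack.
# 'break exit' additionally stops Squid if it exits on its own instead of
# aborting (the "Program exited with code 01" case quoted above).
GDB_COMMANDS = """\
set pagination off
set breakpoint pending on
handle SIGPIPE nostop noprint pass
handle SIGABRT stop print
handle SIGSEGV stop print
break exit
run
bt full
quit
"""


def write_gdb_commands(path=None):
    """Write the command file (to a temp dir if no path given); return (path, lines)."""
    if path is None:
        path = Path(tempfile.mkdtemp()) / "squid-assert.gdb"
    Path(path).write_text(GDB_COMMANDS)
    return str(path), GDB_COMMANDS.splitlines()


def run_squid_under_gdb(squid_binary, commands_file, squid_args=("-NCXd9",)):
    """gdb -batch -x <file> --args <squid> -NCXd9 ; returns everything gdb printed.
    -batch executes the script and exits, so nothing is typed at the (gdb) prompt."""
    cmd = ["gdb", "-batch", "-x", str(commands_file), "--args", str(squid_binary), *squid_args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


FRAME = re.compile(r"^#\d+\s+.*$", re.MULTILINE)


def classify_gdb_output(text):
    """'no-process' : bt typed before run (gdb prints "No stack.")
       'exited'     : the program exited by itself, gdb never stopped it
       'no-symbols' : stack frames present but no function names (stripped build)
       'backtrace'  : a usable backtrace"""
    frames = FRAME.findall(text)
    if frames:
        return "no-symbols" if all("??" in f for f in frames) else "backtrace"
    if "Program exited with code" in text:
        return "exited"
    if "No stack." in text:
        return "no-process"
    return "unknown"


# Constructed sample outputs (not real captures) exercising the classifier.
SAMPLE_NO_RUN = "(gdb) bt\nNo stack.\n"
SAMPLE_EXITED = ("2009/07/21 12:00:43.919| assertion failed: mem.cc:236: "
                 "\"size == StrPoolsAttrs[i].obj_size\"\n"
                 "Program exited with code 01.\n(gdb) bt\nNo stack.\n")
SAMPLE_TRACE = ("Program received signal SIGABRT, Aborted.\n"
                "#0  0x00007fffdeadbeef in raise () from /lib/libc.so.6\n"
                "#1  0x00007fffdeadbef0 in abort () from /lib/libc.so.6\n"
                "#2  0x000000000045abcd in xassert (expr=..., file=..., line=236) at debug.cc:NNN\n"
                "#3  0x000000000046f000 in some_function () at mem.cc:236\n")
SAMPLE_STRIPPED = ("Program received signal SIGABRT, Aborted.\n"
                   "#0  0x00007fffdeadbeef in ?? ()\n#1  0x00007fffdeadbef0 in ?? ()\n")

if __name__ == "__main__":
    path, _ = write_gdb_commands()
    # placeholder install path derived from the --prefix quoted in the thread
    print(run_squid_under_gdb("/opt/squid-3.1.0.11/sbin/squid", path))
```

A "no-symbols" result (every frame shows `??`) is the debug-symbol problem Amos suspected; "exited" means the signal handling or the exit breakpoint did not take effect and Squid left on its own; "no-process" is what Jan saw when `bt` was typed without `run`.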
Re: [squid-users] Authentication with Squid 3.0 forwarding the authentication to external web content filter - Edirectory
On Tue, 21 Jul 2009 14:41:38 -0400, "Schuetz, Charles" <cschu...@pltechs.com> wrote:
> We are currently using Squid 3.0 Stable 13. We are currently sending everyone through the proxy/cache. We are implementing a user based web content filtering solution (not a linux based solution) that authenticates users against edirectory. The current solution sends all users who use the proxy server as a guest account as the Squid box does not hit against edirectory.
>
> My question is this, if I set up the squid caching server to use the external authentication (LDAP), will it pass the edirectory credentials onto the web filter or will it not pass them at all. So if a client computer logs into novell with the username jsmith will it pass jsmith on to the web filter or will it not pass any username?

Try the Squid eDirectory auth helper.

It depends on how the other system is plugged into Squid as to how and what gets passed along.

If the filtering solution is an HTTP peer hop the cache_peer option login=PASS (with exact text 'PASS' meaning pass-thru) will cause Squid to relay the credentials it gets given to the peer. AFAIK this only works for basic auth credentials in 3.0.

If the filtering solution is ICAP capable, then everything received from the client goes through to the ICAP server AFAIK.

If the filtering solution is a redirector the login is not passed, only the username if known.

If the filtering solution is an external ACL the username/pass combo (%LOGIN) or the full raw auth headers (%{Proxy-Authentication} and %{WWW-Authentication}) can be passed.

Amos
Re: [squid-users] saved uid
On Tue, 21 Jul 2009 20:06:48 +0300, Adrian Buciuman <adibuciu...@gmail.com> wrote:
> I'm using squid 2.6 on CentOS 5.3.
>
> I've seen that the squid process keeps a saved user id of root (real and effective uid are that of user squid). Is this normal? How can I change it, and make squid give up root privileges completely?
>
> Thanks,
> Adrian Buciuman

squid.conf chroot option
http://www.squid-cache.org/Versions/v2/2.6/cfgman/chroot.html

WARNING: This will prevent many operations such as closest-source discovery, IDENT, ARP, interception mode and reverse proxy mode, which require system networking resources only accessible with root privileges to startup/restart/reconfigure.

Amos
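What Adrian observed can be verified for any daemon from the Uid:/Gid: lines of /proc/<pid>/status, which carry the real, effective, saved and filesystem ids in that order. The following is an added example, not code from the thread or from Squid: it parses those lines and reports whether root can still be regained. The sample status dumps are constructed (uid 23 stands in for the squid user); only check_pid() touches the live /proc filesystem.

```python
"""Added example, not from the thread: verify from /proc/<pid>/status whether a
daemon such as squid has dropped root completely. The Uid:/Gid: lines carry four
ids (real, effective, saved, filesystem); what Adrian observed above is
real == effective == squid's uid while saved == 0. A saved uid of 0 means the
process can call seteuid(0) again, so a compromise of the process is a root
compromise even though ps shows it running as 'squid'.
"""


def parse_id_line(line):
    """'Uid:\\t23\\t23\\t0\\t23' -> {'real': 23, 'effective': 23, 'saved': 0, 'fs': 23}"""
    label, *fields = line.split()
    if label not in ("Uid:", "Gid:") or len(fields) != 4:
        raise ValueError("not a Uid:/Gid: line: %r" % line)
    real, eff, saved, fs = (int(x) for x in fields)
    return {"real": real, "effective": eff, "saved": saved, "fs": fs}


def parse_status(text):
    """Extract the uid and gid quadruples from a /proc/<pid>/status dump."""
    ids = {}
    for line in text.splitlines():
        if line.startswith(("Uid:", "Gid:")):
            ids[line[:3].lower()] = parse_id_line(line)
    return ids


def privilege_findings(ids):
    """Human-readable findings; an empty list means privileges are fully dropped."""
    findings = []
    for kind in ("uid", "gid"):
        v = ids.get(kind)
        if v is None:
            findings.append("%s: line missing" % kind)
        elif v["effective"] == 0:
            findings.append("%s: running with effective id 0" % kind)
        elif 0 in (v["real"], v["saved"], v["fs"]):
            findings.append("%s: real/saved/fs id still 0, root can be regained" % kind)
    return findings


def check_pid(pid):
    """Read the live status file (Linux only) and report on it."""
    with open("/proc/%d/status" % pid) as fh:
        return privilege_findings(parse_status(fh.read()))


# Constructed samples (not captures from the poster's system); id 23 stands for 'squid'.
SAMPLE_SAVED_ROOT = "Name:\tsquid\nPid:\t4242\nUid:\t23\t23\t0\t23\nGid:\t23\t23\t0\t23\n"
SAMPLE_DROPPED = "Name:\tsquid\nPid:\t4242\nUid:\t23\t23\t23\t23\nGid:\t23\t23\t23\t23\n"

if __name__ == "__main__":
    import sys
    for pid in sys.argv[1:]:
        print(pid, check_pid(int(pid)) or "privileges fully dropped")
```

Run it as `python3 checkprivs.py $(pidof squid)`. As Amos's reply says, Squid keeps the saved root id on purpose so that a restart or reconfigure can reopen privileged resources; the check above tells you whether a given daemon is in that state, which is the input to deciding whether chroot or a different startup model is worth the listed losses.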
Re: [squid-users] Squid3 / NTLM / token id cache
On Tue, 21 Jul 2009 09:47:48 -0300, Soporte Técnico @lemNet <sopo...@nodoalem.com.ar> wrote:
> rep_mime_type can't be used for parent selection because this is evaluated before content has been reached? Is this true?

No. It can't be evaluated because selecting a source is based on the _request_.

And what does this have to do with reducing NTLM authentication workload?

Amos

> Jorge.
>
> ----- Original Message -----
> From: Frederic THOMAS <frederic.tho...@atosorigin.com>
> To: squid-users@squid-cache.org
> Sent: Tuesday, July 21, 2009 9:18 AM
> Subject: [squid-users] Squid3 / NTLM / token id cache
>
>> Hello,
>>
>> I've installed 2 Squid 3.0.STABLE5 + samba-winbind on a mandriva 2008.1 with ntlm authentication. It works, clients are able to surf on the web using the proxy and usernames are correctly logged.
>> But we experienced some latency issues on websites. When I look into the access.log file I observe a lot of 407 authentication requests. So I read about ntlm authentication and see that there is an authentication request for each connection.
>> There are nearly 6000 users on the 2 squid servers and I have noticed there's some great traffic between the squid boxes and the AD server, which is expected, because of the authentication traffic.
>>
>> On previous versions we could use the following settings (ntlm parameters on 2.5 squid, and I noticed they didn't exist after 2.6):
>>
>> max_challenge_reuses number
>> max_challenge_lifetime timespan
>>
>> What similar option on squid 3 can be used to reduce authentication traffic? Is there any solution to avoid an authentication request for each connection and have a possibility to reuse a token id?
>>
>> * Squid.conf :
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 80
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid AD
>> auth_param basic credentialsttl 2 hours
>>
>> * What I found in the cache.log files:
>> libsmb/ntlmssp.c:ntlmssp_update(327) Failed to parse NTLMSSP packet, could not extract NTLMSSP command (~= each second)
>>
>> Regards,
>> Frederic THOMAS
Re: [squid-users] Forcing a local subnet to go direct?
On Tue, 21 Jul 2009 06:26:04 -0700 (PDT), JOREar <jor...@msn.com> wrote:
> I was actually able to accomplish this much easier than I thought. I was just not getting the syntax correct.
>
> acl local-network dst 10.50.0.0/16, 10.45.0.0/16

NP: no comma in the squid.conf syntax for dst.

> always_direct allow local-network
>
> Thanks all for your help.

If preventing the local network from ever using any of your configured proxy peers fixes it, what was the problem?

Amos
RE: [squid-users] Cache-Control problems with Korean sites
On Tue, 21 Jul 2009 10:09:32 -0400, Mike Mitchell <mike.mitch...@sas.com> wrote:
> I used telnet to connect to the problem web server and sent a minimal HTTP request. The web server returned a page, so I tried again adding a header from the trace one at a time until I did not get a response. I only tried one value of Cache-Control, "max-age=0".
>
> I've tried accessing the Korean Government sites from other proxy servers around the world and I get the same behavior. I know the problem isn't with the proxy server's ISP, but rather with the Korean Government sites.

Okay so its definitely that issue then. Very strange.

The safe approach is to leave the site inaccessible and nag their admin(s) until it's fixed.

The header stripping may be the best short-term workaround if the above is not an option. Being squid-2 it will also need a bit more work to make it safe and not strip the reply controls (think of your Squid acting as a Cache-Control: private remover for government security logins).

* Try to strip the reply controls: I'd add an external ACL that takes only the _request_ Cache-Control header and returns false if it's missing.

I'd also add a "cache deny NoCacheCtl" rule to prevent your Squid being poisoned by any bad data coming back.

And most definitely track down someone who can look at the issue and nag them until it's fixed. I can't stress how important that is.

Amos

> Mike Mitchell
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Tuesday, July 21, 2009 2:37 AM
> To: Mike Mitchell
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Cache-Control problems with Korean sites
>
> Mike Mitchell wrote:
>> We're having problems accessing Korean Government sites like parcel.epost.go.kr and www.g2b.go.kr from a squid cache that is physically in Seoul, Korea.
>> I performed network captures and found that if the request included a 'Cache-Control' header the remote server did not send TCP ACK messages back for the request. The remote server did complete the three-way TCP connection handshake, but would not acknowledge the request.
>> When I stripped the 'Cache-Control' header using
>>
>> acl NoCacheCtl dstdomain .epost.go.kr .gtb.go.kr
>> header_access Cache-Control deny NoCacheCtl
>>
>> the TCP ACKs started coming back and we could retrieve content. My guess is there is a firewall protecting the remote web servers.
>> Has anyone seen this behavior before?
>
> Any cache-control values? or just specific ones?
>
> It's really up to whoever runs the broken software to fix the issue. Just find out where the breakage is and yell loudly at them.
>
> Amos
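The external ACL Amos sketches above (true only when the request itself carried a Cache-Control header) is a small helper speaking Squid's external ACL protocol. The following is an added example, not code from the thread or from the Squid project. The squid.conf wiring in its docstring is an assumption built from the directives named in the thread plus the documented external_acl_type/%{Header} syntax; the helper path is a placeholder and the domains are the two named by Mike. Whether header_access consults an external ACL the way Amos intends on the squid-2 release in use is something to confirm in a test proxy before relying on it.

```python
"""Added example, not from the thread or from Squid: an external ACL helper
implementing the check Amos sketches, true only when the request itself carried
a Cache-Control header. Assumed squid.conf wiring (external_acl_type and
%{Header} syntax as documented for squid 2.7; helper path is a placeholder,
domains are the ones named in the thread):

    external_acl_type req_cc %{Cache-Control} /usr/local/bin/has_req_cc.py
    acl HasReqCC external req_cc
    acl NoCacheCtl dstdomain .epost.go.kr .g2b.go.kr
    header_access Cache-Control deny NoCacheCtl HasReqCC
    cache deny NoCacheCtl

Helper protocol: Squid writes one line per lookup containing the format fields;
the helper answers OK or ERR on one line and must flush. Assumed and handled
defensively: a missing header arrives as "-" and a value containing spaces
arrives double-quoted.
"""
import sys


def parse_field(token):
    """Undo the quoting Squid applies to a format field that contains spaces."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return token


def decide(line):
    """'OK' when the request carried a Cache-Control header, 'ERR' otherwise."""
    value = parse_field(line)
    return "ERR" if value in ("", "-") else "OK"


def answer_lines(lines):
    """Pure form of the helper loop: one answer per input line."""
    return [decide(line.rstrip("\n")) for line in lines]


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Main loop: Squid keeps the helper running and pipes one lookup per line."""
    for line in stdin:
        stdout.write(decide(line.rstrip("\n")) + "\n")
        stdout.flush()  # Squid blocks on this answer; unflushed output stalls the lookup


if __name__ == "__main__":
    serve()
```

The `cache deny NoCacheCtl` line is the second half of Amos's advice: whatever these servers return while the workaround is in place is not stored, so a bad reply cannot be served to other clients later.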
Re: [squid-users] Forcing a local subnet to go direct?
Amos Jeffries-2 wrote:
> On Tue, 21 Jul 2009 06:26:04 -0700 (PDT), JOREar <jor...@msn.com> wrote:
>> I was actually able to accomplish this much easier than I thought. I was just not getting the syntax correct.
>>
>> acl local-network dst 10.50.0.0/16, 10.45.0.0/16
>
> NP: no comma in the squid.conf syntax for dst.
>
>> always_direct allow local-network
>>
>> Thanks all for your help.
>
> If preventing the local network from ever using any of your configured proxy peers fixes it, what was the problem?
>
> Amos

The problem is that a new proxy server (not a squid proxy) has problems with some internal applications. When outside hosts on spoke VLANs connect to their squid proxy, it forwards the request to a central proxy cache. In order to make the web applications work properly, the requests for these applications need to go directly to the servers hosting them instead of through the corporate proxy server.
Re: [squid-users] Forcing a local subnet to go direct?
On Tue, 21 Jul 2009 21:34:57 -0700 (PDT), JOREar jor...@msn.com wrote:
> Amos Jeffries-2 wrote:
>> On Tue, 21 Jul 2009 06:26:04 -0700 (PDT), JOREar jor...@msn.com wrote:
>>> I was actually able to accomplish this much easier than I thought. I was just not getting the syntax correct.
>>>
>>> acl local-network dst 10.50.0.0/16, 10.45.0.0/16
>>
>> NP: no comma in the squid.conf syntax for dst.
>>
>>> always_direct allow local-network
>>>
>>> Thanks all for your help.
>>
>> If preventing the local network from ever using any of your configured proxy peers fixes it, what was the problem?
>>
>> Amos
>
> The problem is that a new proxy server (not a squid proxy) has problems with some internal applications. When outside hosts on spoke VLANs connect to their squid proxy, it forwards the request to a central proxy cache. In order to make the web applications work properly, the requests for these applications need to go directly to the servers hosting them instead of through the corporate proxy server.

Ah, thought so. always_direct seems to only be asked about in the presence of locally hosted apps. Just checking whether you had a broken accelerator config or not. Sounds like not (but you may want to look into the functionality anyway).

Amos
Re: [squid-users] Are these acl / http_access correct ?
On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty dani...@gmail.com wrote:
> Hi all,
>
> I'm fairly new to squid, and I'm trying to configure it for filtering web access from multiple vlans, allowing some of them to go to some destinations (and nowhere else), and others... to go to other destinations, etc. All other vlans are allowed to go everywhere (I hope this is clever... I'm French... sorry! :-))
>
> Here is how I think it can be done... but I have doubts. Could you please tell me if this is good, and if not, could you explain to me what to do to have a correct filtering configuration. Thanks a lot!
>
> ### SOURCES ###
> # [VLAN 1]
> acl src_vlan_1 src 192.168.1.0/24
> # [VLAN 2]
> acl src_vlan_2 src 192.168.2.0/24
> # [Tous VLANs]
> acl all src all

Your idea here is slightly broken. "all" means all Internet. When defined like this, it means any source on Internet. Best use:

# [Tous VLANs]
acl Tous_VLANs src 192.168.0.0/16

(NP: that covers all vlans inside 192.168.*.0/24. Add other ranges as needed to the list)

> ### DESTINATIONS ###
> # [VLAN 1]
> acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
> # [VLAN 2]
> acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
> # [All destinations]
> acl ALL_INTERNET dst 0.0.0.0/32

Broken. This only permits if the _single_ IP == 0.0.0.0 is requested. And requires a destination IP lookup before anything can be done. Best use the all ACL defined above instead.

> # [All Internet]
> acl all src all
>
> ### AUTORISATIONS ###
> # VLAN 1
> http_access allow dst_VLAN1_SITES src_vlan_1
> http_access deny src_vlan_1 ALL_INTERNET

http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1

> # VLAN 2
> http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
> http_access deny src_vlan_2 ALL_INTERNET

http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
http_access deny src_vlan_2

> http_access allow all ALL_INTERNET

Means any source on Internet can go to any destination on Internet through your proxy. Definitely NOT a good idea. Please use:

http_access allow Tous_VLANs
http_access deny all

Amos
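As an added example (mine, not from the thread), a small Python model of how Squid walks http_access lines: the first line whose ACLs all match decides, and when no line matches the default is the opposite of the last line's action. The ACL names and rules are the thread's corrected set; the request values and the stand-in resolved destination IP are constructed.

```python
import ipaddress

# Constructed ACL table mirroring the thread's squid.conf (name -> (type, values)).
ACLS = {
    "src_vlan_1": ("src", ["192.168.1.0/24"]),
    "src_vlan_2": ("src", ["192.168.2.0/24"]),
    "Tous_VLANs": ("src", ["192.168.0.0/16"]),        # Amos's replacement for 'acl all src all'
    "dst_VLAN1_SITES": ("dstdomain", [".google.fr", ".yahoo.com"]),
    "dst_VLAN2_SITES": ("dstdomain", [".voila.fr", ".altavista.com"]),
    "ALL_INTERNET": ("dst", ["0.0.0.0/32"]),          # the poster's broken 'all destinations'
    "all": ("src", ["0.0.0.0/0"]),
}

# Amos's corrected http_access lines, in order (dst_VLAN2_SITES used for VLAN 2).
FIXED_RULES = [
    ("allow", ["dst_VLAN1_SITES", "src_vlan_1"]),
    ("deny", ["src_vlan_1"]),
    ("allow", ["dst_VLAN2_SITES", "src_vlan_2"]),
    ("deny", ["src_vlan_2"]),
    ("allow", ["Tous_VLANs"]),
    ("deny", ["all"]),
]


def acl_matches(name, src_ip, dst_host, dst_ip):
    """True if one ACL matches the request (src/dst are CIDR lists, dstdomain is a suffix match)."""
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dst":  # Squid must resolve the hostname first; dst_ip stands in for that lookup
        return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain itself and every subdomain
        host = dst_host.lower().rstrip(".")
        return any(host == v.lstrip(".") or host.endswith(v) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, src_ip, dst_host, dst_ip="198.51.100.1"):
    """Walk http_access lines first-match; every ACL on a line must match for it to fire.
    With no match at all, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(n, src_ip, dst_host, dst_ip) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for src, host in [("192.168.1.10", "www.google.fr"), ("192.168.1.10", "www.voila.fr"),
                      ("192.168.7.5", "example.com"), ("203.0.113.9", "www.google.fr")]:
        print(f"{src:>14} -> {host:<16} {http_access(FIXED_RULES, src, host)}")
```

Running it shows VLAN 1 reaching google.fr but not voila.fr, an unlisted 192.168 VLAN reaching anything, and an outside source denied; with only `http_access allow all ALL_INTERNET` the line fires solely for a literal 0.0.0.0 destination, exactly the breakage Amos points out.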
