[squid-users] Squid 3.1.0.13: assertion failed: src/store_client.cc:430: "STORE_DISK_CLIENT == getType()"

2009-08-31 Thread Silamael

Hello everyone,

We're running Squid version 3.1.0.12 with the fix for the DoS
vulnerability applied and have from time to time crashes due to this
assertion:
assertion failed: src/store_client.cc:430: "STORE_DISK_CLIENT == getType()"

I searched in Squid's Bugzilla and only found Bug#2155, which is
marked as resolved fixed.
Can anyone confirm that this problem got fixed in version 3.1.0.13?

Thanks in advance!

-- Matthias


[squid-users] Piping proxies

2009-08-31 Thread Christophe Gevrey

Hello all:

I am using Squid at home for regular usage.

My "normal" URLs, for example http://google.com are fetched from my 
Internet connection.
What I would like to achieve is for some patterns like 
http://my.private.network.com to fetch those URLs from another proxy 
which is open via an ssh tunnel on the machine where Squid runs: 
http://localhost:3129


Is that possible?

Thank you for your help.

Christophe


Re: [squid-users] Tproxy Iptables + ebtables Problem

2009-08-31 Thread Amos Jeffries

pokeman wrote:
> no answer ?
>
> pokeman wrote:
>> Hello
>> one of my server FC11 x64 bit running Tproxy with combination of iptables
>> + ebtables rules during peak hours machine was crash with given such as
>> error "kernel panic " . when i replace tproxy with netfilter and remove
>> ebtables rules just use simple iptables with NAT rules everything was
>> fine. anyone faced this issue before ?
>>
>> http://www.nabble.com/file/p25184594/IMG0115A.jpg

There are some patches for SYN related issues with TPROXY just appeared 
in the iptables/ebtables developer mailing lists. It may be related.


If in doubt try to get hold of Balabit who are the official authors and 
support group for tproxy kernel changes.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


Re: [squid-users] Large content storedir

2009-08-31 Thread Amos Jeffries

pokeman wrote:
> How to retrieve list of large object save in my cache drives so i can purge it


Define large. Then configure maximum_object_size to prevent future work.
http://www.squid-cache.org/Doc/config/maximum_object_size/

Amos


Re: Fwd: [squid-users] Need help in integrating squid and samba

2009-08-31 Thread Amos Jeffries

Avinash Rao wrote:
> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom <hen...@henriknordstrom.net> wrote:
>
>> On Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>> I couldn't find any document that shows me how to enable wb_info for squid.
>>> Can anybody help me?
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>
>> acl group1 external NT_Group group1
>>
>> then use group1 whenever you want to match users belonging to that
>> Windows group.
>>
>> Regards
>> Henrik
>
> Hi Henrik,
>
> I have used the following in my squid.conf
>
> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl group1 external NT_Group staff
>
> acl net time M T W T F S S 9:00-18:00
> http_access allow net
>
> On my linux server, I have created a group called staff and made a
> couple of users a member of this group called staff. My intention is to
> provide access to users belonging to group staff on all days from
> morning 9am - 7PM. The rest should be denied.
>
> But this didn't work, when the Samba users login from a winxp client, it
> doesn't get access to internet at all.


There is no http_access line making any use of ACL "group1"

And _everybody_ (me included on this side of the Internet) is allowed to 
use your proxy between 9am and 6pm.


Amos


Re: Fwd: [squid-users] After shutdown squid, navigation still works

2009-08-31 Thread Amos Jeffries

Anderson dos Santos Donda wrote:
> In my test, even after 10 minutes the squid still works...
>
> This directive is in seconds or milliseconds? I don't have this on my squid.conf



Seconds. The default is 30 seconds.

If it's an urgent shutdown, call "squid -k shutdown" twice a second or 
two apart. That will force an immediate close.


If that still fails you probably have a PID problem, see the FAQ on how 
to diagnose and solve them:


http://wiki.squid-cache.org/SquidFaq/TroubleShooting?highlight=(PID)#head-fa2a8d93db2ab1c414c4d0e71106ce871d2087e1


As for the "WARNING: transparent proxying not supported"  this means you 
are attempting to perform NAT interception (AKA 'transparent' proxying) 
with a Squid where NAT support is not built-in.


See the package supplier if you use a packaged version. Or the 
./configure --help  options for the _one_! which enables transparent 
interception with your OS and firewall combination and rebuild Squid.


Amos



On Fri, Aug 28, 2009 at 9:09 AM, Jeff Pang wrote:
> 2009/8/28 Anderson dos Santos Donda :
>> My squid works fine, all acls works too..
>>
>> but when I shutdown the squid ( sbin/squid -k shutdown )
>>
>> The navigation still working on clients,
>
> how long time does it continue to work for?
> If you shutdown squid and in the short time the connected session
> still works, then it is most probably correct.
> b/c squid needs time to wait for the current connections to be
> finished before it exits finally.
>
> see "shutdown_lifetime" directive in squid.conf.
>
> HTH.






[squid-users] Failing disk handling...

2009-08-31 Thread John Doe
Hi,

I was just wondering, since it is advised to avoid RAID for the store_dirs, how 
"gracefully" would squid handle a disk failure ...?
Will it just remove the bad disk store_dir and continue to function normally 
with the remaining disks?

Thx,
JD


  



Re: [squid-users] Squid 3.1.0.13: assertion failed: src/store_client.cc:430: "STORE_DISK_CLIENT == getType()"

2009-08-31 Thread Amos Jeffries

Silamael wrote:

> Hello everyone,
>
> We're running Squid version 3.1.0.12 with the fix for the DoS
> vulnerability applied and have from time to time crashes due to this
> assertion:
> assertion failed: src/store_client.cc:430: "STORE_DISK_CLIENT == getType()"
>
> I searched in Squid's Bugzilla and only found Bug#2155, which is
> marked as resolved fixed.
> Can anyone confirm that this problem got fixed in version 3.1.0.13?
>
> Thanks in advance!
>
> -- Matthias


2155 was closed as it looked identical to 2127 which was resolved in 
3.1.0.10.


I think it's not actually fixed or not properly since you two are still 
seeing it.


Amos


Re: [squid-users] Providing access to few sites for different users

2009-08-31 Thread Amos Jeffries

Avinash Rao wrote:
> Hi all,
>
> I have many users using squid2.6 stable18 version. There are many
> users who need access to sites like youtube, onlinemovies etc.. but, i
> have to block access to these sites for other users and all of them
> are online at the same time.
>
> I have used acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
> in my squid.conf.
>
> Can i use unix groups to achieve this?
> Say for example, create acl's for users in a particular group and give
> them access
>
> external_acl_type unix_group %LOGIN /usr/lib/squid/squid_unix_group -p
> acl staffgroup external unix_group staff
>
> Users in staff group should have access to youtube etc..
> How do i do this?
>
> Thanks
> Avinash


You need to use the groups management built into your user accounts system.

If you use unix accounts (on the Squid machine I think) to control your 
users then yes the unix groups on that machine can be checked.

http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_unix_group

Otherwise check out the authentication section of the FAQ for more ways.
http://wiki.squid-cache.org/SquidFaq

Amos


Re: [squid-users] Piping proxies

2009-08-31 Thread Amos Jeffries

Christophe Gevrey wrote:
> Hello all:
>
> I am using Squid at home for regular usage.
>
> My "normal" URLs, for example http://google.com are fetched from my
> Internet connection.
> What I would like to achieve is for some patterns like
> http://my.private.network.com to fetch those URLs from another proxy
> which is open via an ssh tunnel on the machine where Squid runs:
> http://localhost:3129
>
> Is that possible?
>
> Thank you for your help.
>
> Christophe


Probably. Depends if Squid is able to connect through the tunnel simply 
by connecting to the other proxy's IP address or not.


If so use http://www.squid-cache.org/Doc/config/cache_peer/

Amos


Re: [squid-users] Failing disk handling...

2009-08-31 Thread Amos Jeffries

John Doe wrote:
> Hi,
>
> I was just wondering, since it is advised to avoid RAID for the store_dirs, how
> "gracefully" would squid handle a disk failure ...?
> Will it just remove the bad disk store_dir and continue to function normally
> with the remaining disks?
>
> Thx,
> JD


Most Squid do not handle it. Instant crash.

The newer ones have partial recovery for some types of failure on some 
types of disk. Partial disk failure resulting in corruption is handled 
easily. Loss of access to the device is still a crash on all but COSS 
store types.


Further work has been done, but the results still have yet to be made 
public by the authors.


Amos


[squid-users] Restricting access to users logging onto windows domain

2009-08-31 Thread Tejpal Amin
HI,

I have a squid proxy which uses NTLM authentication for authenticating users.

I would like to restrict access only to users logging onto domain for
the other users it should deny access.
The problem I am facing is that for machines that are not joined to
windows domain, the squid throws up an authentication dialog box.

Please advise on how to stop this pop up.

Regards,
Tejpal Amin


[squid-users] Few questions regarding TPROXY

2009-08-31 Thread Alans
Hi,

I'm new to Squid and Iptable, I have some questions:
1.  TPROXY is used so that squid go to internet with different IPs,
right?
2.  How to check if TPROXY is used with Iptable?
3.  If it's, then is there any other ways to go out with different IPs
each time other than TPROXY?

Regards,
Alans



Re: Fwd: [squid-users] Need help in integrating squid and samba

2009-08-31 Thread Avinash Rao
On 8/31/09, Amos Jeffries  wrote:
> Avinash Rao wrote:
>
> >
> >
> > On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom wrote:
> >
> >On Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
> > > I couldn't find any document that shows me how to enable wb_info
> >for squid.
> > > Can anybody help me?
> >
> >external_acl_type NT_Group %LOGIN
> >/usr/local/squid/libexec/wbinfo_group.pl
> >
> >acl group1 external NT_Group group1
> >
> >
> >then use group1 whenever you want to match users belonging to that
> >Windows group.
> >
> >Regards
> >Henrik
> >
> >
> > Hi Henrik,
> >
> > I have used the following in my squid.conf
> >
> > external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
> > acl group1 external NT_Group staff
> > acl net time M T W T F S S 9:00-18:00
> > http_access allow net
> >
> > On my linux server, I have created a group called staff and made a couple
> of users a member of this group called staff. My intention is to provide
> access to users belonging to group staff on all days from morning 9am - 7PM.
> The rest should be denied.
> >
> > But this didn't work, when the Samba users login from a winxp client, it
> doesn't get access to internet at all.
> >
>
> There is no http_access line making any use of ACL "group1"
>
> And _everybody_ (me included on this side of the Internet) is allowed to use
> your proxy between 9am and 6pm.
>
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>  Current Beta Squid 3.1.0.13
>


Thanks for the reply. Yes, I missed http_access allow group1.
I didn't understand your second statement, are you telling me that I
should deny access to net?
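
The point in the quoted reply (a time-only `http_access allow` line lets any client in during those hours) can be checked with a small model of first-match evaluation. This is an added example, not part of the thread and not Squid code; the `Request` class, the ACL stand-ins, the `TIGHTENED` rule set and the sample addresses are assumptions made for illustration.

```python
"""Simplified model of how Squid evaluates http_access lines (added example)."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    src_ip: str
    groups: frozenset = frozenset()  # groups of the logged-in user; empty = no login
    at: time = time(12, 0)           # local time of the request


# Stand-ins for the ACLs named in the thread (assumptions, not Squid code).
ACLS = {
    # "acl net time ... 9:00-18:00", modelled as every day 09:00-18:00
    "net": lambda r: time(9, 0) <= r.at <= time(18, 0),
    # "acl group1 external NT_Group staff": the helper confirms membership
    "group1": lambda r: "staff" in r.groups,
    "all": lambda r: True,
}

POSTED = "http_access allow net"
WITH_GROUP_LINE = "http_access allow net\nhttp_access allow group1"
# One possible tightening: both conditions on one line, then an explicit deny.
TIGHTENED = "http_access allow group1 net\nhttp_access deny all"

# Constructed sample requests (documentation address ranges).
OUTSIDER = Request("203.0.113.9", at=time(10, 0))
STAFF_DAY = Request("192.0.2.20", frozenset({"staff"}), time(10, 0))
STAFF_NIGHT = Request("192.0.2.20", frozenset({"staff"}), time(20, 0))


def parse(conf):
    """Return [(action, [acl names])] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words or words[0] != "http_access":
            continue
        if len(words) < 3 or words[1] not in ("allow", "deny"):
            raise ValueError("bad http_access line: %r" % line)
        rules.append((words[1], words[2:]))
    return rules


def acl_matches(name, req):
    """Evaluate one ACL name; a leading '!' negates it."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)


def decide(conf, req):
    """First line whose ACLs all match decides; ACLs on one line are ANDed."""
    rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: request is denied
    # Nothing matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    samples = (("outsider 10:00", OUTSIDER), ("staff 10:00", STAFF_DAY),
               ("staff 20:00", STAFF_NIGHT))
    for label, conf in (("posted", POSTED), ("with group line", WITH_GROUP_LINE),
                        ("tightened", TIGHTENED)):
        for who, req in samples:
            print("%-16s %-15s %-12s -> %s" % (label, who, req.src_ip, decide(conf, req)))
```

Adding `http_access allow group1` as a separate line leaves the time-only line in place, so the outside client is still allowed during the day and staff are allowed outside the intended hours.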


AW: [squid-users] Mixing cached and non-cached access of same URLs by session-id

2009-08-31 Thread Schermuly-Koch, Achim
Hi Amos,

thanks for your advice so far. I am still not sure which path to follow...


>> We are using squid as a reverse-proxy cache to speed up our website.
>> A large area of the website is public. But there is also a
>> personalized area. If a user logs into his personal site, we maintain
>> a session for the user (using standard tomcat features jsession-id
>> cookie with optional url-rewriting).

>> [...] the pages on the public area has a small caveat: If the user
>> was logged in the private area, we maintain the "logged-in" state and
>> reflect that state on public pages also (outputting "Welcome John
>> Doe" in a small box). Of course we must not cache these pages.

>> # Recognizes mysite
>> acl MYSITE url_regex ^http://[^.]*\.mysite\.de
>> 
>> # Don't cache pages, if user sends or gets a cookie
>> acl JSESSIONID1 req_header Cookie -i  jsessionid
>> cache deny MYSITE JSESSIONID1
>> 
>> acl JSESSIONID2 rep_header Set-Cookie -i jsessionid
>> cache deny MYSITE JSESSIONID2

>> This seemed to work fine. Until i did a jmeter test, mixing Requests
>> with and without sessionid cookies. It seems that if i request an
>> already cached url with a session-cookie, that the cached document is
>> flushed.


>[...]

>Of course if Squid finds that it has a cached copy it will erase. Because 
>the _URL_ is not to be cached. Content is not considered.

>This is NOT the right way to do privacy caching. See below for why and 
>how to do it.

[...]

> The biggest surprise of all is still hiding unseen by you:

> Every other cache around the Internet visitors use maybe storing the 
> private area pages!!

> This is because you use a local configuration completely internal to 
> your Squid to determine what is cacheable and what is not.

> The correct way to do this is to:

>  * have the web server which generates the pages add a header 
> ("Cache-Control: private") to all pages which are in the private area of 
> the website. This tells every shared cache (your Squid included) not to 
> store the private info.

I agree with that. Do i have to configure the reverse-proxy *explicitly*
to avoid caching "Cache-Control: private" marked pages?

A problem i foresee with that solution is, if i set "Cache-Control: 
private" for pages  containing personalized content, they will bounce 
cached pages with the same URL - but without personalized content 
(remember: the page is rendered different, depending on whether the 
user is in a session.)

>  * have the personal adjustments to the public pages done as small 
> includes so that the main body and content of the page can be cached 
> normally, but the small modifications are not.
> For example I like including a small CSS/AJAX script which changes a 
> generic HTML div [..]

I have thought of that, too. But i would prefer not to touch 
the application.

> The HTTP way to achieve similar is to add "ETag:" header with some hash 
> of the page content in it. So each unique copy of the page is stored 
> separately. The personalized pages get "Cache-Control: private" added as 
> well so that whole request get discarded.

That sounds interesting... Are the following assumptions correct:

The ETag would be generated by the webserver. A public page (/index.jsp) 
would have _one_ ETag if rendered without and a different unique ETag for 
each request  (to the same /index.jsp) with a session-cookie. The cache 
for the publicly cached page would be left untouched, if the response 
bears a "Cache-Control: private" header but with a different ETag. That 
implies, the cache is flushed when the webserver responds, not when the 
client requests. 

Does the Etag have to be unique resource-wide, or is it also possible
to use the same ETag for different resources (since they have
different URLs)?

Is it another "very bad idea (tm)" to reuse the same ETag for each 
personalized page. I would assume, it doesn't matter since they are
marked "private" anyway?

> Some details indicate "Vary:" header for this, but basing it on the 
> cookie header with a session ID inside is another very bad idea that 
> will destroy your HIT rates.

> Amos


Achim


RE: [squid-users] Laptops/Mobile Phones using Squid on the road

2009-08-31 Thread Dave Burkholder
Here is a link to my Squid config. 
http://www.thinkwelldesigns.com/backups/squid.zip 

The ACL rules I use are in the section below:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

The only way I have been able to make this work reliably is to add more ACL 
rules such as:

acl elmerlaptop src ##.##.##.##
http_access allow elmerlaptop

But as I mentioned before, the public IP of the laptop changes.




-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, August 26, 2009 7:41 PM
To: Dave Burkholder
Subject: RE: [squid-users] Laptops/Mobile Phones using Squid on the road

On Wed, 26 Aug 2009 15:27:32 -0400, "Dave Burkholder"
 wrote:
> Authentication was created for exactly this purpose.
> 
> With explicitly set proxy settings in the browsers, there is no reason 
> why you can't allow them to login to the proxy when they are on the 
> road. Or even at HQ.
> 
> Note that by entering the proxy settings in the browsers you are no 
> longer using "transparent mode".
> 
> Assuming by "transparent" you actually mean "NAT intercepting" you 
> should of course have Squid listening on one port for the intercepted 
> requests (authentication not possible) and another for the configured 
> browsers (authentication possible).
> 
> Amos


Sorry if you get this twice, my mail app died...

I think the DG rules and access may have to be adjusted to let external
people who are logged in through.

If not that I think I'm going to have to see your acl and http_access lines
config to see if there is any obvious reason for the denial.

Amos




[squid-users] URL rewrite Help

2009-08-31 Thread Trevor Merrill
I am currently testing squid in a reverse proxy configuration with JBoss 
Portal backend servers. My goal is to phase out Apache and mod_proxy and 
gain some speed with squid. I have a basic reverse proxy configuration 
working for www.mydomain.com but I need to try and duplicate the 
following in squid:

(Apache conf example)

  ServerName subdomain.mydomain.com
  ServerAlias *.subdomain.mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On

  
   Order deny,allow
   Allow from all
  

  RewriteEngine On
  RewriteRule .* - [E=DEFAULT_PORTAL:subdomain]
  RewriteCond %{REQUEST_URI} ^/?$
  RewriteRule .* http://192.168.5.44:8380/portal/%{ENV:DEFAULT_PORTAL} [P,L]

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined


Is it possible to do this sort of rewriting in squid? Essentially all I 
am doing is changing the HTTP request from http://subdomain.mydomain.com 
-> http://backendJBossserverIP:8080/portal/subdomain, the host stays the 
same so the public sees http://www.mydomain.com/portal/subdomain. I am 
having a tough time finding examples or some direction to start heading in.

For fun here is my current squid conf and the corresponding Apache conf 
that I was able to essentially replace:

(Apache conf snippet)

  ServerName www.mydomain.com
  ServerAlias mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On
  
   Order deny,allow
   Allow from all
  

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined


(Squid conf snippet)

cache_peer 192.168.5.66 parent 8080 0 no-query no-digest originserver name=testerJBoss
acl TesterJBoss_sites dstdomain .mydomain.com
cache_peer_access testerJBoss allow TesterJBoss_sites
http_access allow TesterJBoss_sites
http_access deny All

Thanks for the help.

Trevor Merrill




[squid-users] sometimes the users can´t visit any webpage

2009-08-31 Thread Jesus Angeles
Hi all, I have a problem. Three weeks ago I installed Squid 2.7.STABLE3 +
Dansguardian 2.10.1.1 in GNU/Linux Ubuntu Server 9.04. First week was ok,
but the service was started to fail, sometimes (once or twice for day ) the
users can´t visit any webpage, the web browser shows a blank page (delay on
load), in those moment I check:
-   The squid service is running.
-   The dansguardian is ok, because if the users try visit a prohibited
web, It shows the access denied page.
-   The logfile  (access.log) is generating logs (I checked with tail
-f).
-   The memory and HD space is ok (I have configured 256 MB in cache_mem
and 4096 MB in cache_dir)
Then, in those moments, I have to execute “/etc/init.d/squid reload” to
solve the problem.

What could be happening?

Regards,

Jesus



Re: [squid-users] Purge tool in 'related software' not downloadable

2009-08-31 Thread Ross J. Reedstrom
The Internet Archive to the rescue:

http://web.archive.org/web/20070729044433/http://www.wa.apana.org.au/~dean/squidpurge/

Ross
-- 
Ross Reedstrom, Ph.D. reeds...@rice.edu
Systems Engineer & Admin, Research Scientist    phone: 713-348-6166
The Connexions Project      http://cnx.org    fax: 713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E  F888 D3AE 810E 88F0 BEDE



On Thu, Aug 27, 2009 at 04:24:03PM -0700, Lu, Roy wrote:
> Hi List,
> 
> I tried to download the purge tool in the 'related software' page, but
> the links seem to be broken. The last version on page
> http://www.wa.apana.org.au/~dean/squidpurge/ is
> purge-20040201-src.tar.gz, however, all the download links returned a
> 404 error. Is this tool still maintained and available?
> 
> Thanks.
> Roy


[squid-users] troubles using squid_kerb_auth and squid_kerb_ldap

2009-08-31 Thread Chris Richardson
Hi everyone here is what i am trying to do i want to use kerb for SSO
and use squid_kerb_ldap to do acls based on groups however i am
running into a problem normal kerb_auth works great but when i try to
use kerb_ldap i get aclMatchExternal: squid_kerb_ldap user not
authenticated (0)

here are snippets of the config

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on


external_acl_type squid_kerb_ldap ttl=3600  negative_ttl=3600  %LOGIN /usr/sbin/squid_kerb_ldap -d -g proxyus...@windowskdc

acl auth proxy_auth REQUIRED
acl ldap_group_check external squid_kerb_ldap

http_access allow ldap_group_check
http_access deny all

oh this is squid 3.0 on a win2003 AD domain

thanks
-Chris


[squid-users] Re: troubles using squid_kerb_auth and squid_kerb_ldap

2009-08-31 Thread Markus Moeller
Could you post an extract of cache.log showing the squid_kerb_auth and 
squid_kerb_ldap entries.


Markus

"Chris Richardson"  wrote in message 
news:af01ca210908311222m104d2d2amdef43eca8e695...@mail.gmail.com...

> Hi everyone here is what i am trying to do i want to use kerb for SSO
> and use squid_kerb_ldap to do acls based on groups however i am
> running into a problem normal kerb_auth works great but when i try to
> use kerb_ldap i get aclMatchExternal: squid_kerb_ldap user not
> authenticated (0)
>
> here are snippets of the config
>
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap ttl=3600  negative_ttl=3600  %LOGIN /usr/sbin/squid_kerb_ldap -d -g proxyus...@windowskdc
>
> acl auth proxy_auth REQUIRED
> acl ldap_group_check external squid_kerb_ldap
>
> http_access allow ldap_group_check
> http_access deny all
>
> oh this is squid 3.0 on a win2003 AD domain
>
> thanks
> -Chris






Re: [squid-users] URL rewrite Help

2009-08-31 Thread Youenn Boussard

Hello,

You can try this in your squid.conf:

url_rewrite_program iRedirector.py
url_rewrite_children 1
url_rewrite_concurrency 20
url_rewrite_host_header off

Get and customize these files (they are template files):
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/iRedirector.py_tmpl 
 (rename to iRedirector.py)
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/squidRewriteRules.py_tmpl 
 (rename to squidRewriteRules.py)
Then configure the redirection in squidRewriteRules, as with mod rewrite 
(if you can) for Apache.

rewrites = (
(r'http://192.168.5.44:8380/(.*)',
   r'http://backendJBossserverIP:8080/portal/subdomain/\1', 'P,L'),
)
...

Regards Youenn.
On 31 Aug 09 at 18:21, Trevor Merrill wrote:

> I am currently testing squid in a reverse proxy configuration with JBoss
> Portal backend servers. My goal is to phase out Apache and mod_proxy and
> gain some speed with squid. I have a basic reverse proxy configuration
> working for www.mydomain.com but I need to try and duplicate the
> following in squid:
>
> (Apache conf example)
>
>  ServerName subdomain.mydomain.com
>  ServerAlias *.subdomain.mydomain.com
>  ServerAdmin webmas...@mydomain.com
>
>  ProxyRequests Off
>  ProxyPreserveHost On
>
>
>   Order deny,allow
>   Allow from all
>
>
>  RewriteEngine On
>  RewriteRule .* - [E=DEFAULT_PORTAL:subdomain]
>  RewriteCond %{REQUEST_URI} ^/?$
>  RewriteRule .* http://192.168.5.44:8380/portal/%{ENV:DEFAULT_PORTAL} [P,L]
>
>  ProxyPass / http://192.168.5.66:8380/
>  ProxyPassReverse / http://192.168.5.66:8380/
>
>  ErrorLog /var/log/apache2/error.log
>  LogLevel warn
>  CustomLog /var/log/apache2/access.log combined
>
>
> Is it possible to do this sort of rewriting in squid? Essentially all I
> am doing is changing the HTTP request from http://subdomain.mydomain.com
> -> http://backendJBossserverIP:8080/portal/subdomain, the host stays the
> same so the public sees http://www.mydomain.com/portal/subdomain. I am
> having a tough time finding examples or some direction to start heading in.
>
> For fun here is my current squid conf and the corresponding Apache conf
> that I was able to essentially replace:
>
> (Apache conf snippet)
>
>  ServerName www.mydomain.com
>  ServerAlias mydomain.com
>  ServerAdmin webmas...@mydomain.com
>
>  ProxyRequests Off
>  ProxyPreserveHost On
>
>   Order deny,allow
>   Allow from all
>
>
>  ProxyPass / http://192.168.5.66:8380/
>  ProxyPassReverse / http://192.168.5.66:8380/
>
>  ErrorLog /var/log/apache2/error.log
>  LogLevel warn
>  CustomLog /var/log/apache2/access.log combined
>
>
> (Squid conf snippet)
>
> cache_peer 192.168.5.66 parent 8080 0 no-query no-digest originserver name=testerJBoss
> acl TesterJBoss_sites dstdomain .mydomain.com
> cache_peer_access testerJBoss allow TesterJBoss_sites
> http_access allow TesterJBoss_sites
> http_access deny All
>
> Thanks for the help.
>
> Trevor Merrill




Youenn Boussard
INGENIWEB (TM) - SAS 5 Euros - RC B 438 725 632
1, rue Royale
227, Les Bureaux de la Colline - Bat D
92213  - Saint Cloud Cedex
Tél : 01 78 15 24 00 / Fax : 01 46 02 44 04








[squid-users] inintended computers are using the proxy

2009-08-31 Thread ant2ne

Squid is up and running great. I want to push out proxy settings to the
Windows XP computers via domain-level group policy so that some computers
use the proxy server (Group A) and some do not (group B). This is
accomplished by configuring gmc.msc User Configuration | Windows Settings |
Internet Explorer Maintenance | Connection/Proxy Settings. (and including a
loop back)

For group A this is working great. But for some reason group B is getting
configured in their browsers as well. I don't understand what is going on.
How are computers in group B getting configured like computers in group A?
Both are in separate OUs and only OU A has the policy linked for it.

Do web browsers have a way of auto discovering squid and configuring
themselves? If so how do I turn that feature off?



Re: [squid-users] URL rewrite Help

2009-08-31 Thread Henrik Nordstrom
On Mon 2009-08-31 at 09:21 -0700, Trevor Merrill wrote:
> I am currently testing squid in a reverse proxy configuration with JBoss 
> Portal backend servers. My goal is to phase out Apache and mod_proxy and 
> gain some speed with squid. I have a basic reverse proxy configuration 
> working for www.mydomain.com but I need to try and duplicate the 
> following in squid:

I would suggest you first check if the JBoss Portal backend can be
reconfigured to support vhost on its own without needing a reverse
proxy playing tricks with rewriting URLs. Simplifies matters greatly in
the long run.

Failing that you can do the rewrites you describe with a small URL
rewriter helper doing the needed rewrites.

The equivalence of ProxyPassReverse however (location_rewrite_program)
requires Squid-2.7. Not yet available in Squid-3.

Regards
Henrik
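
A sketch of the kind of small URL rewriter helper mentioned above, as an added example that is not part of the thread and not the iRedirector.py template. It assumes the legacy helper line format (optional channel ID when `url_rewrite_concurrency` is set, then the URL; the reply is the new URL or an empty line for no change) and that the existing `cache_peer` carries the rewritten request to the JBoss backend; the function names are hypothetical and the host names are the thread's placeholders.

```python
#!/usr/bin/env python3
"""Sketch of a url_rewrite_program helper (added example, legacy reply format)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Host -> default portal. Placeholder names taken from the thread.
DEFAULT_PORTALS = {"subdomain.mydomain.com": "subdomain"}


def portal_for(host):
    """Match the host itself or any name below it (ServerAlias *.subdomain...)."""
    for base, portal in DEFAULT_PORTALS.items():
        if host == base or host.endswith("." + base):
            return portal
    return None


def rewrite_url(url):
    """Return the rewritten URL, or None to leave the request unchanged."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        # Malformed authority (for example a broken IPv6 literal): pass through
        # untouched rather than guessing at a target.
        return None
    portal = portal_for(host)
    # Same condition as "RewriteCond %{REQUEST_URI} ^/?$": only the bare root.
    if portal is None or parts.path not in ("", "/"):
        return None
    # Only the path changes, and only to a value from the table above; the
    # host stays as requested, so the backend is chosen by cache_peer rules.
    return urlunsplit((parts.scheme, parts.netloc, "/portal/" + portal,
                       parts.query, ""))


def handle_line(line):
    """Turn one request line from Squid into one reply line (no newline)."""
    fields = line.split()
    channel = None
    if fields and fields[0].isdigit():
        # Concurrency enabled: the first field is the channel ID and must be
        # echoed back so Squid can pair the reply with the request.
        channel = fields.pop(0)
    new_url = rewrite_url(fields[0]) if fields else None
    return " ".join(part for part in (channel, new_url) if part)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        # Squid waits for each reply; buffered output would stall requests.
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The reply format differs between Squid releases, so check the `url_rewrite_program` documentation for the version in use before deploying a helper like this.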



Re: [squid-users] inintended computers are using the proxy

2009-08-31 Thread Henrik Nordstrom
On Mon 2009-08-31 at 14:36 -0700, ant2ne wrote:

> Do web browsers have a way of auto discovering squid and configuring
> themselves? If so how do I turn that feature off?

Only if announced by your domain via DHCP and/or DNS. See WPAD.

Regards
Henrik



[squid-users] Bdigest_pw_auth???

2009-08-31 Thread Luis Daniel Lucio Quiroz
2009/08/31 20:45:40| AuthConfig::CreateAuthUser: Unsupported or 
unconfigured/inactive proxy-auth scheme, 'Bdigest_pw_auth(LDAP_backend) 
WARNING, LDAP error 'No such object'


Does anyone know what this means?  I've digest ldap auth enable, but when I 
see this in reath is request.

Any comment why this happens?

TIA

LD


[squid-users] Reverse Proxy Question

2009-08-31 Thread Jones, Keven
Hello All,

I need to cache images for one url using 2 web servers for the actual images. 
When I look at the squid examples of Reverse Proxying, I only see where it is 
possible to specify multiple domains and point each to a separate server. I need 
to know how to point a single domain to multiple, in my case 2 servers.

Ex. ConfigExamples/Reverse/MultipleWebservers only show how to configure 
multiple domains to talk to multiple web servers:

example.com -> server 1 
download.example.com -> server 2
*.example.net -> server 2
example.net -> server 2

I need :
Example.com -->server1 or server2

Is this possible? If so anyone have the documentation on how to accomplish this.

Any help with understanding this is appreciated.

Re: [squid-users] sometimes the users can´t visit any webpage

2009-08-31 Thread Jeff Pang
2009/9/1 Jesus Angeles :
> Hi all, I have a problem. Three weeks ago I installed Squid 2.7.STABLE3 +
> Dansguardian 2.10.1.1 in GNU/Linux Ubuntu Server 9.04. First week was ok,
> but the service was started to fail, sometimes (once or twice for day ) the
> users can´t visit any webpage, the web browser shows a blank page (delay on
> load), in those moment I check:
> -       The squid service is running.
> -       The dansguardian is ok, because if the users try visit a prohibited
> web, It shows the access denied page.
> -       The logfile  (access.log) is generating logs (I checked with tail
> -f).
> -       The memory and HD space is ok (I have configured 256 MB in cache_mem
> and 4096 MB in cache_dir)
> Then, in those moments, I have to execute “/etc/init.d/squid reload” to
> solve the problem.
>

Have you checked cache.log for the special requests?
Only the info on cache.log (or with debug level) is valuable.

Jeff.


[squid-users] Squid as LoadBalance

2009-08-31 Thread Jones, Keven

Does anyone know if this is sufficient squid.conf:


cache_peer 172.19.23.91 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain img01.cprpt.com
cache_peer_access server_1 allow sites_server_1
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain img01.cprpt.com
cache_peer_access server_2 allow sites_server_2
cache_peer 172.19.23.91 parent 80 0 no-query originserver round-robin
cache_peer 172.19.23.92 parent 80 0 no-query originserver round-robin

To allow squid to provide cache for 2 web servers utilizing one url ?

Thx

Re: [squid-users] Squid as LoadBalance

2009-08-31 Thread Jeff Pang
2009/9/1 Jones, Keven :
>
> Does anyone know if this is sufficient squid.conf:
>
>
> cache_peer 172.19.23.91 parent 80 0 no-query originserver name=server_1
> acl sites_server_1 dstdomain img01.cprpt.com
> cache_peer_access server_1 allow sites_server_1
> cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
> acl sites_server_2 dstdomain img01.cprpt.com
> cache_peer_access server_2 allow sites_server_2
> cache_peer 172.19.23.91 parent 80 0 no-query originserver round-robin
> cache_peer 172.19.23.92 parent 80 0 no-query originserver round-robin
>
> To allow squid to provide cache for 2 web servers utilizing one url ?
>

No. That should be:

cache_peer 172.19.23.91 parent 80 0 no-query originserver name=server_1 round-robin
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2 round-robin
acl sites_server_1 dstdomain img01.cprpt.com
cache_peer_access server_1 allow sites_server_1
cache_peer_access server_2 allow sites_server_1


Or you could use my perl module to create a reverse proxy with
loadbalancing quickly:

http://search.cpan.org/~pangj/Net-Squid-ReverseProxy-0.01/lib/Net/Squid/ReverseProxy.pm

HTH.


Re: [squid-users] Few questions regarding TPROXY

2009-08-31 Thread Amos Jeffries
On Mon, 31 Aug 2009 15:25:32 +0300, "Alans"  wrote:
> Hi,
> 
> I'm new to Squid and Iptable, I have some questions:
> 1.TPROXY is used so that squid go to internet with different IPs,
> right?
> 2.How to check if TPROXY is used with Iptable?
> 3.If it's, then is there any other ways to go out with different IPs
> each time other than TPROXY?
> 
> Regards,
> Alans

TPROXY is done by the kernel outside of Squid. The IPs are already changed
by the time they arrive, all Squid does is use the socket IP_TRANSPARENT
test to see if they arrived via TPROXY and set the same flag on the
outbound links.  The kernel will kill the TCP open attempt if the IPs used
on outbound do not match any IPs it sent to Squid.

Contact the kernel people for any more details.

Amos