Re: [squid-users] delay pools and ident users

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 12:24 +0600, Yuri Vorobyev wrote:

> Is it possible to limit bandwidth to users based on ident ACLs?
> I upgraded to version 3.0.18 and am trying this:

For this to work reliably you probably need to refer to an ident acl in
http_access, making Squid wait a little for the ident lookup to
complete.

Add the following before your other http_access rules:

acl ident ident REQUIRED
http_access deny ident_aware_hosts ident !all

Regards
Henrik



RE: [squid-users] delay pools and ident users

2009-09-02 Thread Yuri Vorobyev
Hello.

> > Is it possible to limit bandwidth to users based on ident ACLs?
> > I upgraded to version 3.0.18 and am trying this:
> 
> For this to work reliably you probably need to refer to an ident acl in
> http_access, making Squid wait a little for the ident lookup to
> complete.
> 
> Add the following before your other http_access rules
> 
> acl ident ident REQUIRED
> http_access deny ident_aware_hosts ident !all

Unfortunately it doesn't work.




RE: [squid-users] delay pools and ident users

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 14:38 +0600, Yuri Vorobyev wrote:

> > acl ident ident REQUIRED
> > http_access deny ident_aware_hosts ident !all
> 
> Unfortunately it doesn't work.

Which Squid version?

Regards
Henrik



RE: [squid-users] delay pools and ident users

2009-09-02 Thread Yuri Vorobyev
> > > acl ident ident REQUIRED
> > > http_access deny ident_aware_hosts ident !all
> >
> > Unfortunately it doesn't work.
> 
> Which Squid version?
> 
3.0.18



[squid-users] DNS+squid

2009-09-02 Thread Hermidio A. Rodriguez Chavez
Hi all, I need to control access to my proxy by first checking whether the 
computer has:


1- FQDN
2- IP-address(of course in my checklist file)
3- reverse PTR record.

Is it possible?

Thanks in advance

Hermidio


Re: [squid-users] DNS+squid

2009-09-02 Thread Amos Jeffries

Hermidio A. Rodriguez Chavez wrote:
Hi all, I need to control access to my proxy by first checking whether the 
computer has:


1- FQDN
2- IP-address(of course in my checklist file)
3- reverse PTR record.

Is it possible?


Not without patching.
Squid only does domain->IP (dst ACL) and IP->rDNS (dstdomain ACL if a raw IP 
was given), not the combo sequence. Reverse-DNS is very rarely correct anyway.

Consider virtual-hosting and content delivery networks where one single 
IP has up to thousands of domains. There is zero chance of all those 
having rDNS correct.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


[squid-users] low file descriptors suddenly

2009-09-02 Thread Luis Daniel Lucio Quiroz
Hi all,

Is there any reason why Squid suddenly reports 1024 file descriptors? 
If I restart it, it goes back to the normal 64k descriptors.

TIA

LD


Re: [squid-users] low file descriptors suddenly

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 09:27 -0500, Luis Daniel Lucio Quiroz wrote:

> Is there any reason why Squid suddenly reports 1024 file descriptors? 
> If I restart it, it goes back to the normal 64k descriptors.

Someone may have restarted it before with a low ulimit..

Regards
Henrik



[squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-02 Thread RicardoCh
When I try, from the internal LAN, to load any page of my website running on
the server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON SAME SERVER),
Squid shows one of these 3 error pages: 

1) Unable to forward this request at this time
2) (111) Connection refused
3) Access denied

In Squid.conf I have these lines: 

http_port 192.168.000.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all 

Where the acl "MyWeb" is: 
acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar 
(The sites are all on the same Apache, Virtual directory) 

In iptables I have only these lines to the webserver: 

# WWW 
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128


Any idea? 
Thanks in advance 







[squid-users] Squid and two Active Directory

2009-09-02 Thread SecureSoft - Daniel Merino
Hi,
I’m looking for instructions about how to authenticate my squid with two
Active Directories. I could authenticate it with one AD with ntlm. Thanks
for answering


Daniel Merino
Consultor Junior en Seguridad Informática 
Secure Soft S.A.C. 
C Begonias 630-656 
     Oficina 14 (Segundo Piso) 
     San Isidro. Lima27 - PERU 
(511) 994622555 (RPC) 
(511) 4402031 (TeleFax) 
+ dmer...@securesoft.com.pe 
: http://www.securesoft.com.pe

 




Re: [squid-users] low file descriptors suddenly

2009-09-02 Thread Luis Daniel Lucio Quiroz
On Wednesday 2 September 2009 10:55:09, you wrote:
> Usually happens when file descriptors have been set in sysctl.conf but squid
>  has been started before sysctl
> 
> 
> - Original Message 
> From: Luis Daniel Lucio Quiroz 
> To: squid-users@squid-cache.org
> Sent: Wednesday, September 2, 2009 10:27:27 PM
> Subject: [squid-users] low file descriptors suddenly
> 
> Hi all,
> 
> Is there any reason to know why squid suddenly reports 1024 file
>  descriptors, if i restart it it goes normal to 64k descriptors.
> 
> TIA
> 
> LD
> 


MMM
the fact is that I set my file descriptors in /etc/security/limits.conf,
look:
*   -   nofile  131072

There is nothing about it in sysctl.conf. What other place should I look?

Thanx

LD


Re: [squid-users] Squid and two Active Directory

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 12:21 -0500, SecureSoft - Daniel Merino wrote:

> I’m looking for instructions about how to authenticate my squid with two
> Active Directories. I could authenticate it with one AD with ntlm. Thanks
> for answering

Set up a trust relation between the two.

Regards
Henrik



RE: [squid-users] Squid and two Active Directory

2009-09-02 Thread SecureSoft - Daniel Merino
How does this work? Because when I configure the Squid server in Kerberos
and Samba I set up an Active Directory config and I don’t know how to add
another one.
This trust relation, is it like the 2 Active Directories know each other, and
when I ask for groups and users from the first Active Directory it also gives me
the users and groups from the other AD in the trust relation?


Daniel Merino
Consultor Junior en Seguridad Informática 
Secure Soft S.A.C. 
C Begonias 630-656 
 Oficina 14 (Segundo Piso) 
 San Isidro. Lima27 - PERU 
(511) 994622555 (RPC) 
(511) 4402031 (TeleFax) 
+ dmer...@securesoft.com.pe 
: http://www.securesoft.com.pe


-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] 
Sent: Wednesday, 02 September 2009 12:41 p.m.
To: SecureSoft - Daniel Merino
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid and two Active Directory

Wed 2009-09-02 at 12:21 -0500, SecureSoft - Daniel Merino wrote:

> I’m looking for instructions about how to authenticate my squid with two
> Active Directories. I could authenticate it with one AD with ntlm. Thanks
> for answering

Set up a trust relation between the two.

Regards
Henrik
 




RE: [squid-users] Squid and two Active Directory

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 12:52 -0500, SecureSoft - Daniel Merino wrote:
> How does this work? Because when I configure the Squid server in Kerberos
> and Samba I set up an Active Directory config and I don’t know how to add
> another one.

Trust relations are configured in the Active Directory servers.

But for Kerberos I think you can just use a merged keytab with
principals from both trees. But not entirely sure..

> This trust relation, is it like the 2 Active Directories know each other, and
> when I ask for groups and users from the first Active Directory it also gives me
> the users and groups from the other AD in the trust relation?

Yes.

Regards
Henrik



[squid-users] R: [squid-users] Squid and two Active Directory

2009-09-02 Thread Guido Serassio
Hi,

If the two domains are placed in two different AD Forests, a forest trust 
is needed for Kerberos authentication.

But the two AD forests must be at least Windows 2003 AD Forests running in 
forest and domain Windows 2003 native mode.

Here you can find more details:
http://technet.microsoft.com/en-us/library/cc736526(WS.10).aspx

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


> -Original Message-
> From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
> Sent: Wednesday 2 September 2009 20.26
> To: SecureSoft - Daniel Merino
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid and two Active Directory
> 
> Wed 2009-09-02 at 12:52 -0500, SecureSoft - Daniel Merino wrote:
> > How does this work? Because when I configure the Squid server in Kerberos
> > and Samba I set up an Active Directory config and I don't know how to add
> > another one.
> 
> Trust relations is configured in the active directory servers.
> 
> But for kerberos I think you can just use a merged keytab with
> principals from both trees. But not entirely sure..
> 
> > This trust relation, is it like the 2 Active Directories know each other, and
> > when I ask for groups and users from the first Active Directory it also gives me
> > the users and groups from the other AD in the trust relation?
> 
> Yes.
> 
> Regards
> Henrik



Re: [squid-users] DNS+squid

2009-09-02 Thread Chris Robertson

Amos Jeffries wrote:

Hermidio A. Rodriguez Chavez wrote:
Hi all, I need to control access to my proxy by first checking whether 
the computer has:


1- FQDN
2- IP-address(of course in my checklist file)
3- reverse PTR record.

Is it possible?


Not without patching.
Squid only does domain->IP (dst ACL) and IP->rDNS (dstdomain ACL if a raw IP 
was given), not the combo sequence. Reverse-DNS is very rarely correct anyway.

Consider virtual-hosting and content delivery networks where one 
single IP has up to thousands of domains. There is zero chance of all 
those having rDNS correct.


This assumes the determination is made based on the destination.  If the 
determination is made based on the source (requester), then an 
external_acl_type would be workable.



Amos


Chris
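One way to implement the source-side check Chris describes, as an external_acl_type helper; this is an added example, not code from the thread or from Squid. The squid.conf wiring in the comments, the checklist contents and the constructed resolver data are assumptions. It applies all three of Hermidio's conditions to the requesting client and, because a PTR record is only as trustworthy as whoever controls the reverse zone, also requires the PTR name to resolve back to the same address (forward-confirmed rDNS).

```python
import ipaddress
import socket
import sys
from typing import Callable, Optional, Set, Tuple

# Constructed stand-in for the "checklist file" from the question; a real
# helper would load it from disk at startup.
CHECKLIST: Set[str] = {"192.0.2.10", "192.0.2.11", "192.0.2.14", "192.0.2.15"}

# A resolver is a pair of callables: IP -> PTR name (or None) and
# name -> set of addresses. Injecting it keeps the policy testable offline.
Resolver = Tuple[Callable[[str], Optional[str]], Callable[[str], Set[str]]]


def system_resolver() -> Resolver:
    """Real lookups through the OS resolver, used when run under Squid."""
    def ptr(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    def forward(name: str) -> Set[str]:
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except OSError:
            return set()

    return ptr, forward


def constructed_resolver() -> Resolver:
    """Constructed DNS data covering each outcome of the check."""
    ptr_map = {
        "192.0.2.10": "client10.example.net",  # forward-confirmed
        "192.0.2.11": "client11.example.net",  # PTR points at a different address
        "192.0.2.15": "client15",              # PTR is not a FQDN
    }
    fwd_map = {
        "client10.example.net": {"192.0.2.10"},
        "client11.example.net": {"203.0.113.5"},
    }
    return (lambda ip: ptr_map.get(ip), lambda name: fwd_map.get(name, set()))


def check_client(ip: str, checklist: Set[str], resolver: Resolver) -> Tuple[str, str]:
    """Apply the three conditions from the question to the requesting client.

    Returns ("OK", ptr_name) or ("ERR", reason). The PTR name must resolve
    back to the same address: anyone controlling the reverse zone for an
    address can publish any PTR they like, so the PTR alone proves nothing.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "ERR", "not_an_ip"
    if ip not in checklist:
        return "ERR", "not_in_checklist"
    ptr_lookup, forward_lookup = resolver
    name = ptr_lookup(ip)
    if not name:
        return "ERR", "no_ptr"
    if "." not in name.strip("."):
        return "ERR", "ptr_not_fqdn"
    if ip not in forward_lookup(name):
        return "ERR", "ptr_not_forward_confirmed"
    return "OK", name


def main() -> None:
    # Squid external ACL protocol: one request per line on stdin, one "OK" or
    # "ERR" line per request on stdout. Assumed squid.conf wiring:
    #   external_acl_type fcrdns ttl=300 %SRC /usr/local/bin/fcrdns_acl.py
    #   acl trusted_clients external fcrdns
    #   http_access allow trusted_clients
    resolver = system_resolver()
    for line in sys.stdin:
        fields = line.split()
        verdict, _reason = check_client(fields[0] if fields else "", CHECKLIST, resolver)
        sys.stdout.write(verdict + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```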



[squid-users] Re: If refresh_pattern only extends expiration, how to force time-to-live in Squid code?

2009-09-02 Thread Guy Bashkansky
(Resending, first time accidentally sent with HTML formatting, bounced)

Now I see the Expires header having a value in the past, which may
confuse clients and caches further down the chain.
Scenario: origin returns max-age=900 (15 min) and refresh_pattern
overrides expire to 24 hours, what do the headers to the client look
like?

On the first request (cache-miss), the Expires header is not added to
the response sent to client.
On subsequent cache-hits the Expires header is added to the response
sent to client. (Why this artifact?)

The Expires header is set to time the object was received from the
origin plus the value in the Max-age header.
This results in the Expires header having a value in the past when the
cached object is older than the Max-age.

How to fix it best? (in my local version)

Since my trouble is the Expires header having a value in the past, I
consider suppressing the Squid artifact of inserting an Expires
header.
Is there a Squid configuration ability to do so?  If not, what would
be the right way to do it in my local code branch?


On Fri, Aug 28, 2009 at 6:12 PM, Guy Bashkansky  wrote:
>
> Henrik,
> Thanks, it works!
> Guy
>
> On Thu, Aug 27, 2009 at 2:00 AM, Henrik Nordstrom wrote:
>>
>> Wed 2009-08-26 at 18:17 -0700, Guy Bashkansky wrote:
>>
>> > If indeed refresh_pattern only extends expiration, I would like to
>> > develop a feature that enforces an exact time-to-live (per URL) in my
>> > local branch of Squid code.
>>
>> See the refreshStaleness() function. Should be sufficient to move the
>> max age check up above the expires check.
>>
>> Regards
>> Henrik
>>
>

-- Forwarded message --
From: Guy Bashkansky 
Date: Wed, Aug 26, 2009 at 6:17 PM
Subject: If refresh_pattern only extends expiration, how to force
time-to-live in Squid code?
To: squid-...@squid-cache.org


I've tried to set an exact time-to-live (override origin cache
control) in Squid (2.4 STABLE6) configuration by refresh_pattern,
e.g.:

refresh_pattern   30_minutes_cache_control_url   15   0%   15
override-expire   ignore-max-age

Observed: URL is matched (in the log), but objects are still cached for 30
minutes, rather than for 15 minutes, as hoped.

If indeed refresh_pattern only extends expiration, I would like to
develop a feature that enforces an exact time-to-live (per URL) in my
local branch of Squid code.

What would be the most reasonable way to do this?  How can I force
objects to expire from cache after a given time?

Thanks.


Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-02 Thread Chris Robertson

RicardoCh wrote:

When I try, from the internal LAN, to load any page of my website running on
the server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON SAME SERVER),
Squid shows one of these 3 error pages: 


1) Unable to forward this request at this time
2) (111) Connection refused
3) Access denied

In Squid.conf I have these lines: 


http_port 192.168.000.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all 

Where the acl "MyWeb" is: 
acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar 
(The sites are all on the same Apache, Virtual directory) 

In iptables I have only these lines to the webserver: 

# WWW 
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed


$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128



Any idea? 
Thanks in advance 
  


Wow...  You are intercepting ALL port 80 traffic and passing it to Squid 
on port 3128.  You have Squid in accelerator mode passing traffic to 
itself.  Finally, you have a cache_peer_access setup that doesn't match 
any peers.


First, I would advise not redirecting traffic destined for the 
accelerated site.  Assuming mysite.com (and its variants) resolves to 
192.168.0.1, replace your iptables redirection rule with...


  $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE ! -d 192.168.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 3128


Next, don't have Squid listen on localhost port 80.  That's where Apache 
should be listening.  Instead have Squid listen to the "publicly" 
accessible IP address...


  http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

Finally, the first argument to cache_peer_access should match SOMETHING 
about the defined cache_peer.  With the peer defined as...


  cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

...use either the IP...

  cache_peer_access 127.0.0.1 allow MyWeb

...or the name...

  cache_peer_access Ricardo allow MyWeb

...in the cache_peer_access definition.

Chris




[squid-users] Re: If refresh_pattern only extends expiration, how to force time-to-live in Squid code?

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 12:42 -0700, Guy Bashkansky wrote:

> Now I see the Expires header having a value in the past, which may
> confuse clients and caches further down the chain.
> Scenario: origin returns max-age=900 (15 min) and refresh_pattern
> overrides expire to 24 hours, what do the headers to the client look
> like?
> 
> On the first request (cache-miss), the Expires header is not added to
> the response sent to client.
> On subsequent cache-hits the Expires header is added to the response
> sent to client. (Why this artifact?)

Is it? Should not, at least not unless you run 2.7 with the
act-as-origin option..

> The Expires header is set to time the object was received from the
> origin plus the value in the Max-age header.

odd..

Regards
Henrik



[squid-users] Re: If refresh_pattern only extends expiration, how to force time-to-live in Squid code?

2009-09-02 Thread Guy Bashkansky
I'm using a customized version of Squid 2.4 STABLE6.  But nothing
seems to be customized in refresh.c, except for my own recent swap of
age and expires checks (as recommended).

Probably the expires header is added in some other place, it's just
difficult to figure out exactly where in the code and how it is
controlled.


On Wed, Sep 2, 2009 at 1:29 PM, Henrik Nordstrom wrote:
> Wed 2009-09-02 at 12:42 -0700, Guy Bashkansky wrote:
>
>> Now I see the Expires header having a value in the past, which may
>> confuse clients and caches further down the chain.
>> Scenario: origin returns max-age=900 (15 min) and refresh_pattern
>> overrides expire to 24 hours, what do the headers to the client look
>> like?
>>
>> On the first request (cache-miss), the Expires header is not added to
>> the response sent to client.
>> On subsequent cache-hits the Expires header is added to the response
>> sent to client. (Why this artifact?)
>
> Is it? Should not, at least not unless you run 2.7 with the
> act-as-origin option..
>
>> The Expires header is set to time the object was received from the
>> origin plus the value in the Max-age header.
>
> odd..
>
> Regards
> Henrik
>
>


Re: [squid-users] Squid and two Active Directory

2009-09-02 Thread Markus Moeller
squid_kerb_auth should be able to handle two AD Forests without a trust. Use 
-s GSS_C_NO_NAME and add keys from both ADs to the keytab.


Regards
Markus


"Guido Serassio"  wrote in message 
news:58fd293ce494af419a59ef7e597fa4e6393...@hermes.acmeconsulting.loc...

Hi,

If the two domains are placed in two different AD Forests, a forest 
trust is needed for Kerberos authentication.


But the two AD forests must be at least Windows 2003 AD Forests running in 
forest and domain Windows 2003 native mode.


Here you can find more details:
http://technet.microsoft.com/en-us/library/cc736526(WS.10).aspx

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it



-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Wednesday 2 September 2009 20.26
To: SecureSoft - Daniel Merino
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid and two Active Directory

Wed 2009-09-02 at 12:52 -0500, SecureSoft - Daniel Merino wrote:
> How does this work? Because when I configure the Squid server in Kerberos
> and Samba I set up an Active Directory config and I don't know how to add
> another one.

Trust relations is configured in the active directory servers.

But for kerberos I think you can just use a merged keytab with
principals from both trees. But not entirely sure..

> This trust relation, is it like the 2 Active Directories know each other, and
> when I ask for groups and users from the first Active Directory it also gives me
> the users and groups from the other AD in the trust relation?

Yes.

Regards
Henrik






[squid-users] Re: squid_kerb_auth and Windows 2008

2009-09-02 Thread Markus Moeller


"Markus Moeller"  wrote in message 
news:h7bduh$l5...@ger.gmane.org...
I finally could look more into Windows 2008 and I found some unusual 
behaviour. Firstly you need hotfix 951191 and possibly


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"KdcUseRequestedEtypesForTickets"=dword:0001

Secondly it looks like 2008 creates the HTTP principal out of a host 
principal (see my posts on the MIT Kerberos mailing list). The 
workaround I got is:


use msktutil


msktutil -c -b "CN=COMPUTERS" -s host/ -h  -k 
/etc/krb5.keytab --computer-name squid-host --upn host/ --server 
 --verbose --enctypes 28


delete any AD entry for HTTP/

Then use ktutil (for MIT Kerberos)

#ktutil:  addent -key -p HTTP/@DOMAIN -k 2 -e 
aes256-cts-hmac-sha1-96

Key for HTTP/@DOMAIN  (hex):
3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil:  wkt  /etc/krb5.keytab
ktutil:  quit

where the key is the same key as the host key which you can get with 
klist -ekKt /etc/krb5.keytab


klist -ekKt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
 - 
  2 08/29/09 22:08:24 host/@DOMAIN (ArcFour with HMAC/md5) 
(0x824b609421c13ca9f6f0faf93163fe7a)
  2 08/29/09 22:08:24 host/@DOMAIN (AES-128 CTS mode with 96-bit 
SHA-1 HMAC)  (0x700fd54f1d4ec2cd379d239f056235b3)
  2 08/29/09 22:08:24 host/@DOMAIN (AES-256 CTS mode with 96-bit 
SHA-1 HMAC) 
(0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)


I would appreciate if someone could confirm/deny this.



I found the problem. msktutil has a bug when using a computername with 
uppercase letters.




Regards
Markus



Regards
Markus








RE: [squid-users] sometimes the users can´t visit an y webpage

2009-09-02 Thread Jesus Angeles
Hi, thanks for your interest

Well, today I had the same problem; this is an extract from my cache.log. The
problem happened at about 15:30 hrs, the user reported it to me at about 16:00 hrs,
and I had to restart the "squid service". 

Any idea? What does "httpReadReply: Excess data from..." mean?



2009/09/02 06:32:19| storeDirWriteCleanLogs: Starting...
2009/09/02 06:32:19| 65536 entries written so far.
2009/09/02 06:32:19|131072 entries written so far.
2009/09/02 06:32:19|   Finished.  Wrote 132412 entries.
2009/09/02 06:32:19|   Took 0.0 seconds (4109238.7 entries/sec).
2009/09/02 06:32:19| logfileRotate: /var/log/squid/store.log
2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/store.log
2009/09/02 06:32:19| logfileRotate: /var/log/squid/access.log
2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/access.log
2009/09/02 06:32:19| logfileRotate: /var/log/squid/access1.log
2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/access1.log
2009/09/02 15:32:49| httpReadReply: Excess data from "GET
http://www.paginasamarillas.com.pe/js/scriptTagHead.js.jsp";
2009/09/02 15:32:49| httpReadReply: Excess data from "GET
http://www.paginasamarillas.com.pe/js/scriptHome.js.jsp";
2009/09/02 15:32:49| httpReadReply: Excess data from "GET
http://www.paginasamarillas.com.pe/searchBarLocality.do?stateId=&cityId=&sub
urbId="
2009/09/02 15:59:54| Preparing for shutdown after 337998 requests
2009/09/02 15:59:54| Waiting 30 seconds for active connections to finish
2009/09/02 15:59:54| FD 11 Closing HTTP connection
2009/09/02 16:00:25| Shutting down...
2009/09/02 16:00:25| FD 12 Closing ICP connection
2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due to
lifetime timeout
2009/09/02 16:00:25|
http://mail.google.com/mail/images/cleardot.gif?zx=g31q8sija2fo
2009/09/02 16:00:25| WARNING: Closing client 172.20.100.136 connection due
to lifetime timeout
2009/09/02 16:00:25|http://kh.google.com/geauth
2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due to
lifetime timeout
2009/09/02 16:00:25|
http://toolbarqueries.clients.google.com/history/feeds/default/subscriptions
/browser
2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due to
lifetime timeout
2009/09/02 16:00:25|
http://mail.google.com/mail/images/cleardot.gif?zx=8w46jyqzoqzz
2009/09/02 16:00:25| Closing unlinkd pipe on FD 14
2009/09/02 16:00:25| storeDirWriteCleanLogs: Starting...
2009/09/02 16:00:25| 65536 entries written so far.
2009/09/02 16:00:25|131072 entries written so far.
2009/09/02 16:00:25|   Finished.  Wrote 131216 entries.
2009/09/02 16:00:25|   Took 0.0 seconds (4147942.1 entries/sec).
CPU Usage: 287.160 seconds = 128.300 user + 158.860 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 3
Memory usage for squid via mallinfo():
total space in arena:  296144 KB
Ordinary blocks:   295038 KB  22411 blks
Small blocks:   0 KB  6 blks
Holding blocks:   280 KB  1 blks
Free Small blocks:  0 KB
Free Ordinary blocks:1105 KB
Total in use:  295318 KB 100%
Total free:  1105 KB 0%
2009/09/02 16:00:25| logfileClose: closing log /var/log/squid/store.log
2009/09/02 16:00:25| logfileClose: closing log /var/log/squid/access.log
2009/09/02 16:00:25| logfileClose: closing log /var/log/squid/access1.log
2009/09/02 16:00:25| Squid Cache (Version 2.7.STABLE3): Exiting normally.
2009/09/02 16:00:26| Starting Squid Cache version 2.7.STABLE3 for
i386-debian-linux-gnu...
2009/09/02 16:00:26| Process ID 17213
2009/09/02 16:00:26| With 1024 file descriptors available
2009/09/02 16:00:26| Using epoll for the IO loop
2009/09/02 16:00:26| DNS Socket created at 0.0.0.0, port 38200, FD 6
2009/09/02 16:00:26| Adding domain sensormatic.com.pe from /etc/resolv.conf
2009/09/02 16:00:26| Adding domain sensormatic.com.pe from /etc/resolv.conf
2009/09/02 16:00:26| Adding nameserver 200.48.225.130 from /etc/resolv.conf
2009/09/02 16:00:26| Adding nameserver 200.48.225.146 from /etc/resolv.conf
2009/09/02 16:00:26| User-Agent logging is disabled.
2009/09/02 16:00:26| Referer logging is disabled.
2009/09/02 16:00:26| logfileOpen: opening log /var/log/squid/access.log
2009/09/02 16:00:26| logfileOpen: opening log /var/log/squid/access1.log
2009/09/02 16:00:26| Unlinkd pipe opened on FD 12
2009/09/02 16:00:26| Swap maxSize 4194304 KB, estimated 322638 objects
2009/09/02 16:00:26| Target number of buckets: 16131
2009/09/02 16:00:26| Using 16384 Store buckets
2009/09/02 16:00:26| Max Mem  size: 262144 KB
2009/09/02 16:00:26| Max Swap size: 4194304 KB
2009/09/02 16:00:26| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2009/09/02 16:00:26| logfileOpen: opening log /var/log/squid/store.log
2009/09/02 16:00:26| Rebuilding storage in /var/spool/squid (CLEAN)
2009/09/02 16:00:26| Using Least Load store dir selection
2009/09/02 16:00:26| Set Current Directory to /var/sp

[squid-users] Re: If refresh_pattern only extends expiration, how to force time-to-live in Squid code?

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 13:42 -0700, Guy Bashkansky wrote:
> I'm using a customized version of Squid 2.4 STABLE6.  But nothing
> seems to be customized in refresh.c, except for my own recent swap of
> age and expires checks (as recommended).

Ouch.. that's a very very old release. Upgrading is highly recommended.

> Probably the expires header is added in some other place, it's just
> difficult to figure out exactly where in the code and how it is
> controlled.

grep -4 HDR_EXPIRES src/*.c

Regards
Henrik



Re: [squid-users] low file descriptors suddenly

2009-09-02 Thread Henrik Nordstrom
Wed 2009-09-02 at 12:31 -0500, Luis Daniel Lucio Quiroz wrote:

> MMM
> the fact is that i set my filedescriptos in /etc/security/limits.conf
> look:
> *   -   nofile  131072

This is only used by interactive logins (PAM), not during the system
startup.

Regards
Henrik



RE: [squid-users] sometimes the users can´t visit any webpage

2009-09-02 Thread Amos Jeffries
On Wed, 2 Sep 2009 16:33:49 -0500, "Jesus Angeles" wrote:
> Hi, thanks for your interest
> 
> Well, today I had the same problem; this is an extract from my cache.log. The
> problem happened at about 15:30 hrs, the user reported it to me at about
> 16:00 hrs, and I had to restart the "squid service". 
> 
> Any idea? What does "httpReadReply: Excess data from..." mean?

The server at www.paginasamarillas.com.pe is pushing more data into Squid
after the objects it's supposed to be sending have supposedly finished. This
is a broken web server or a malicious attack. Not good either way.

> 
> 2009/09/02 06:32:19| storeDirWriteCleanLogs: Starting...
> 2009/09/02 06:32:19| 65536 entries written so far.
> 2009/09/02 06:32:19|131072 entries written so far.
> 2009/09/02 06:32:19|   Finished.  Wrote 132412 entries.
> 2009/09/02 06:32:19|   Took 0.0 seconds (4109238.7 entries/sec).
> 2009/09/02 06:32:19| logfileRotate: /var/log/squid/store.log
> 2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/store.log
> 2009/09/02 06:32:19| logfileRotate: /var/log/squid/access.log
> 2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/access.log
> 2009/09/02 06:32:19| logfileRotate: /var/log/squid/access1.log
> 2009/09/02 06:32:19| logfileRotate (stdio): /var/log/squid/access1.log

> 2009/09/02 15:32:49| httpReadReply: Excess data from "GET
> http://www.paginasamarillas.com.pe/js/scriptTagHead.js.jsp";
> 2009/09/02 15:32:49| httpReadReply: Excess data from "GET
> http://www.paginasamarillas.com.pe/js/scriptHome.js.jsp";
> 2009/09/02 15:32:49| httpReadReply: Excess data from "GET
>
http://www.paginasamarillas.com.pe/searchBarLocality.do?stateId=&cityId=&sub
> urbId="

Server at www.paginasamarillas.com.pe told Squid it was sending objects of
size X then sent X + N bytes of data down the link.  A response splitting
attack is probably underway. Squid drops those connections.

> 2009/09/02 15:59:54| Preparing for shutdown after 337998 requests
> 2009/09/02 15:59:54| Waiting 30 seconds for active connections to finish

Someone shut down Squid.

> 2009/09/02 15:59:54| FD 11 Closing HTTP connection
> 2009/09/02 16:00:25| Shutting down...
> 2009/09/02 16:00:25| FD 12 Closing ICP connection
> 2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due
to
> lifetime timeout
> 2009/09/02 16:00:25|
> http://mail.google.com/mail/images/cleardot.gif?zx=g31q8sija2fo
> 2009/09/02 16:00:25| WARNING: Closing client 172.20.100.136 connection
due
> to lifetime timeout
> 2009/09/02 16:00:25|  http://kh.google.com/geauth
> 2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due
to
> lifetime timeout
> 2009/09/02 16:00:25|
>
http://toolbarqueries.clients.google.com/history/feeds/default/subscriptions
> /browser
> 2009/09/02 16:00:25| WARNING: Closing client 172.20.100.1 connection due
to
> lifetime timeout
> 2009/09/02 16:00:25|
> http://mail.google.com/mail/images/cleardot.gif?zx=8w46jyqzoqzz

Two clients had their 4 active connections closed on them.


> 2009/09/02 16:00:25| Squid Cache (Version 2.7.STABLE3): Exiting normally.
> 2009/09/02 16:00:26| Starting Squid Cache version 2.7.STABLE3 for
> i386-debian-linux-gnu...

> 
> 
> -Original Message-
> From: Jeff Pang [mailto:pa...@arcor.de] 
> Sent: Monday, 31 August 2009 08:44 p.m.
> To: squid-users
> Subject: Re: [squid-users] sometimes the users can't visit any webpage
> 
> 2009/9/1 Jesus Angeles :
>> Hi all, I have a problem. Three weeks ago I installed Squid 2.7.STABLE3 +
>> Dansguardian 2.10.1.1 on GNU/Linux Ubuntu Server 9.04. The first week was ok,
>> but then the service started to fail: sometimes (once or twice a day) the
>> users can't visit any webpage, the web browser shows a blank page (delay on
>> load). In those moments I check:
>> -   The squid service is running.
>> -   Dansguardian is ok, because if the users try to visit a prohibited
>> web, it shows the access denied page.
>> -   The logfile (access.log) is generating logs (I checked with tail -f).
>> -   The memory and HD space are ok (I have configured 256 MB in cache_mem
>> and 4096 MB in cache_dir).
>> Then, in those moments, I have to execute "/etc/init.d/squid reload" to
>> solve the problem.
>>
> 
> Have you checked cache.log for the special requests?
> Only the info on cache.log (or with debug level) is valuable.
> 
> Jeff.


RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-02 Thread RicardoCh
Hi Chris, thanks for your support... I did everything you recommended, but
when I make a request to the website (running on the same server), the
browser now shows this error:

•Unable to forward this request at this time. 
This request could not be forwarded to the origin server or to any parent
caches. The most likely cause for this error is that: 

•The cache administrator does not allow this cache to make direct
connections to origin servers, and 
•All configured parent caches are currently unreachable.

And the Apache2 webserver (I repeat: ON THE SAME SERVER AS SQUID 2.7)
throws this error:

Starting web server: apache2(98)Address already in use: make_sock: could not
bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
 failed!

But if I comment out this line in squid.conf, both errors (the browser's and
Apache2's) disappear completely ... 

http_port 80 accel defaultsite=mysite.com vhost

Besides, I can access the site from the internal network and from outside,
though obviously without accelerator mode ...

Ricardo



-Original message-
From: Chris Robertson [mailto:crobert...@gci.net] 
Sent: Wednesday, 02 September 2009 05:11 p.m.
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or
CONNECTION REFUSED or ACCESS DENIED

RicardoCh wrote:
> When I try, from the internal LAN, to load any page of my website running
> on the server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON THE SAME
> SERVER), Squid shows one of these 3 error pages: 
>
> 1) Unable to forward this request at this time
> 2) (111) Connection refused
> 3) Access denied
>
> In squid.conf I have these lines: 
>
> http_port 192.168.000.1:3128 transparent
> http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>
> cache_peer_access mysite.com allow MyWeb
> cache_peer_access mysite.com deny all 
>
> Where the acl "MyWeb" is: 
> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar 
> (The sites are all on the same Apache, Virtual directory) 
>
> In iptables I have only these lines for the webserver: 
>
> # WWW 
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed 
>
> $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128 
>
>
> Any idea? 
> Thanks in advance 
>   

Wow...  You are intercepting ALL port 80 traffic and passing it to Squid 
on port 3128.  You have Squid in accelerator mode passing traffic to 
itself.  Finally, you have a cache_peer_access setup that doesn't match 
any peers.

First, I would advise not redirecting traffic destined for the 
accelerated site.  Assuming mysite.com (and its variants) resolves to 
192.168.0.1, replace your iptables redirection rule with...

   $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE ! -d 192.168.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Next, don't have Squid listen on localhost port 80.  That's where Apache 
should be listening.  Instead have Squid listen to the "publicly" 
accessible IP address...

   http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

Finally, the first argument to cache_peer_access should match SOMETHING 
about the defined cache_peer.  With the peer defined as...

   cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

...use either the IP...

   cache_peer_access 127.0.0.1 allow MyWeb

...or the name...

   cache_peer_access Ricardo allow MyWeb

...in the cache_peer_access definition.

Chris





RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-02 Thread Henrik Nordstrom
Thu 2009-09-03 at 00:32 -0300, RicardoCh wrote:

> Starting web server: apache2(98)Address already in use: make_sock: could not
> bind to address [::]:80
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs

You need to tell Apache to listen on the loopback address.

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen


Regards
Henrik
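The three mistakes Chris and Henrik point out (a cache_peer_access that names no defined peer, Squid's accelerator http_port bound on the same address and port as its own origin-server cache_peer so it forwards to itself, and Apache's Listen colliding with Squid's public http_port instead of staying on loopback) are all visible in the config text before anything is started. The following lint is an added example, not code from the thread or from the Squid project; the sample configs are constructed to mirror the posted lines before and after the corrections, and it assumes that a wildcard bind (0.0.0.0 or ::) claims every local address, loopback included.

```python
"""Offline lint for the squid.conf / Apache Listen mistakes in this thread.
Constructed sample configs, not the poster's real files."""

# Constructed: the configuration as posted, before Chris's corrections.
BROKEN_SQUID = """\
http_port 192.168.0.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all
acl MyWeb dstdomain mysite.com mysite1.com mysite2.com.ar
"""
# Constructed: the same configuration with Chris's two fixes applied.
FIXED_SQUID = """\
http_port 192.168.0.1:3128 transparent
http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
cache_peer_access Ricardo allow MyWeb
cache_peer_access Ricardo deny all
acl MyWeb dstdomain mysite.com mysite1.com mysite2.com.ar
"""
# Assumption: a wildcard bind claims every local address, loopback included.
WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}

def split_addr(spec):
    """'host:port' -> (host, port); a bare 'port' means all addresses."""
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
        return host, int(port)
    return "0.0.0.0", int(spec)

def overlaps(addr_a, addr_b):
    """True if two binds on the same port would clash (or loop back)."""
    return addr_a == addr_b or addr_a in WILDCARDS or addr_b in WILDCARDS

def parse_squid(conf):
    """Pick out cache_peer, cache_peer_access and http_port directives."""
    peers, access_targets, ports = [], [], []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "cache_peer" and len(words) >= 4:
            host, port = words[1], int(words[3])
            # A peer may be referenced by its hostname or by its name= label.
            names = {host} | {w[5:] for w in words[4:] if w.startswith("name=")}
            peers.append({"host": host, "port": port, "names": names})
        elif words[0] == "cache_peer_access" and len(words) >= 3:
            access_targets.append(words[1])
        elif words[0] == "http_port" and len(words) >= 2:
            addr, port = split_addr(words[1])
            ports.append({"addr": addr, "port": port})
    return peers, access_targets, ports

def parse_listen(httpd_conf):
    """Return (addr, port) for every Apache Listen directive."""
    binds = []
    for raw in httpd_conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "listen":
            binds.append(split_addr(words[1]))
    return binds

def lint_squid(conf):
    """Findings for dangling cache_peer_access targets and self-peering."""
    findings = []
    peers, access_targets, ports = parse_squid(conf)
    known = set().union(*(p["names"] for p in peers))
    for target in access_targets:
        if target not in known:
            findings.append(f"cache_peer_access '{target}' matches no cache_peer "
                            f"(known: {sorted(known)})")
    for hp in ports:
        for p in peers:
            if hp["port"] == p["port"] and overlaps(hp["addr"], p["host"]):
                findings.append(f"http_port {hp['addr']}:{hp['port']} is also "
                                f"cache_peer {p['host']}:{p['port']}: Squid "
                                f"would forward to itself")
    return findings

def bind_clashes(squid_conf, httpd_conf):
    """Squid http_port / Apache Listen pairs that cannot both bind."""
    _, _, ports = parse_squid(squid_conf)
    return [f"squid {hp['addr']}:{hp['port']} vs apache {addr}:{port}"
            for hp in ports
            for addr, port in parse_listen(httpd_conf)
            if hp["port"] == port and overlaps(hp["addr"], addr)]
```

Running `lint_squid(BROKEN_SQUID)` reports both dangling `mysite.com` targets and the 127.0.0.1:80 self-forwarding loop, while the fixed config is clean; `bind_clashes(FIXED_SQUID, "Listen 80\n")` flags the collision with Squid's 192.168.0.1:80 that produced the "Address already in use" failure, and `Listen 127.0.0.1:80` clears it.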



RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-02 Thread RicardoCh
Bingo!!! Thanks Henrik and Chris... 


-Original message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] 
Sent: Thursday, 03 September 2009 12:50 a.m.
To: RicardoCh
CC: 'Chris Robertson'; squid-users@squid-cache.org
Subject: RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or
CONNECTION REFUSED or ACCESS DENIED

Thu 2009-09-03 at 00:32 -0300, RicardoCh wrote:

> Starting web server: apache2(98)Address already in use: make_sock: could not
> bind to address [::]:80
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs

You need to tell Apache to listen on the loopback address.

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen


Regards
Henrik




[squid-users] msn messenger problem with squid

2009-09-02 Thread serfer

Dear All
I'm running a Linux proxy server on RHEL-5 64bit for providing http access to
users in my office. I'm facing a problem while using MSN Messenger on the LAN;
we access MSN Messenger through the above mentioned proxy server. Whenever I
sign in to MSN Messenger, it gets signed on, but after a short while it gets
signed out automatically and shows the message "your connection with windows
live messenger has been lost reconnecting". I have removed all the acls on
squid which were blocking MSN Messenger, but even then I'm unable to solve this
problem. I have put in some acls to access MSN Messenger, but in vain. When I
test the proxy and ports in MSN Messenger it sticks on key ports and shows an
error. Please tell me which ports MSN uses and what to do on the proxy server
end to solve this problem, which is a headache for me now.

I will really appreciate your cooperation

Thanks



Re: [squid-users] Java not working behind squid

2009-09-02 Thread Truth Seeker


> >> Try putting this acl
> >> 
> >> acl Java browser Java/1.4 Java/1.5 Java/1.6
> >> http_access allow Java
> >> 
> >> This worked for me when using NTLauth.
> > 
> > Thanks, though I'm not the one in need of a solution and I'm not that
> > keen to give Java full unauthenticated browsing rights.  
> > 
> > Perhaps Truth Seeker(?) might try that though.
> > 
> > Am I to understand that Java is just really bad at NTLM auth, so much so
> > that people just whitelist it for unauthenticated access?
> 
> Yes.
> Personally I recommend adding other ACL such as sources which are allowed
> to use Java in this way. To reduce the impact and security holes this
> method opens.
> 
> Amos

Well Amos, could you please give me an example acl entry to achieve what you 
said...
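Amos's point is that `http_access allow Java` on its own lets any client that sends a Java User-Agent skip authentication from anywhere, whereas putting a `src` ACL on the same line limits the exception to the hosts that actually need it (Squid ANDs the ACLs listed on one http_access line). The evaluator below is an added example, not code from the thread or from Squid: it implements only first-match http_access with the two ACL types involved (`browser` as a regex on the User-Agent, `src` as a CIDR match), the two configs are constructed, and 192.168.10.0/24 is an assumed stand-in for the subnet allowed to run Java. The trailing `deny all` stands in for whatever authenticated rules would follow in a real config.

```python
"""Toy first-match http_access evaluator: the loose Java rule versus the
source-restricted one Amos recommends. Only 'browser' (regex on the
User-Agent) and 'src' (CIDR) ACL types are implemented, an assumption
of this example rather than Squid's full ACL matcher."""
import ipaddress
import re

# Constructed: the rule as suggested earlier in the thread. Any client
# presenting a Java User-Agent is allowed, from any source address.
LOOSE = """\
acl all src 0.0.0.0/0
acl Java browser Java/1.4 Java/1.5 Java/1.6
http_access allow Java
http_access deny all
"""

# Constructed: the same exception restricted to one subnet, as Amos
# recommends. Assumption: 192.168.10.0/24 is the subnet allowed to run Java.
TIGHT = """\
acl all src 0.0.0.0/0
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl JavaHosts src 192.168.10.0/24
http_access allow JavaHosts Java
http_access deny all
"""


def parse_conf(conf):
    """Return ACL definitions and http_access rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            name, kind, args = words[1], words[2], words[3:]
            # Repeating an acl line with the same name appends values.
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif words[0] == "http_access" and len(words) >= 3:
            # A leading '!' negates that ACL; all ACLs on a line are ANDed.
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acl, request):
    """Evaluate one ACL against a request dict with 'src' and 'user_agent'."""
    kind, args = acl
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "browser":
        ua = request.get("user_agent", "")
        return any(re.search(pattern, ua) for pattern in args)
    raise ValueError(f"unsupported acl type {kind!r}")


def decide(conf, request):
    """First http_access line whose ACLs all match wins; if none match,
    the result is the opposite of the last line's action."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(acl_matches(acls[name], request) != negated
               for negated, name in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

With a Java User-Agent from 10.0.0.5, `decide(LOOSE, ...)` returns `allow` while `decide(TIGHT, ...)` returns `deny`; the same User-Agent from 192.168.10.20 is allowed under TIGHT, and a non-Java browser from that subnet still falls through to `deny all`, so the exception is scoped to exactly the hosts and the client it was meant for.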