Re: [squid-users] Need help in integrating squid and samba
On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries squ...@treenet.co.nz wrote: Avinash Rao wrote: On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries squ...@treenet.co.nz wrote: Avinash Rao wrote: On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries squ...@treenet.co.nz wrote: Avinash Rao wrote:

-- Forwarded message --
From: Avinash Rao avinash@gmail.com
Date: Tue, Sep 8, 2009 at 11:13 AM
Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
To: Amos Jeffries squ...@treenet.co.nz
Cc: Henrik Nordstrom hen...@henriknordstrom.net, squid-users@squid-cache.org

On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries squ...@treenet.co.nz wrote: Avinash Rao wrote: On 8/31/09, Amos Jeffries squ...@treenet.co.nz wrote: Avinash Rao wrote: On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote: Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:

I couldn't find any document that shows me how to enable wb_info for squid. Can anybody help me?

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1

then use group1 whenever you want to match users belonging to that Windows group.

Regards
Henrik

Hi Henrik, I have used the following in my squid.conf

external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external NT_Group staff
acl net time M T W T F S S 9:00-18:00
http_access allow net

On my linux server, I have created a group called staff and made a couple of users a member of this group called staff. My intention is to provide access to users belonging to group staff on all days from morning 9am - 7PM. The rest should be denied. But this didn't work, when the Samba users login from a winxp client, it doesn't get access to internet at all.

There is no http_access line making any use of ACL group1

And _everybody_ (me included on this side of the Internet) is allowed to use your proxy between 9am and 6pm.

Amos

Thanks for the reply, Ya i missed http_access allow group1

I didn't understand your second statement, are u telling me that i should deny access to net?

You should combine the ACL with others on an http_access line so that its limited to who it allows.

This:

acl net time M T W T F S S 9:00-18:00
http_access allow net

simply says all requests are allowed between time X and Y. Without additional controls, ie on IP address making the request, you end up with an open proxy.

Amos

Dear Amos, I am still not able to get this working. Here's what i want to accomplish. I have WinXP - SP2 clients logging onto the samba domain and LTSP users. All users use squid proxy. My intention is to control the samba users from accessing the internet at certain times. If i don't use the external_acl_type NT_Group as mentioned below, the squid works properly for all users, even windows and anybody using squid proxy.

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1

I have created a group called staff using net rpc command and i am i have made all the users using winxp a member of this group staff. So, my acl will look like

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl acl_name external NT_Group staff
http_access allow staff

According to my understanding, it should allow only those samba users which come under the group staff. But thats not happening, squid denies access to the internet.

_when tested_ it should be doing that. Other rules around it have an effect that you may have overlooked. Then again the group name is case-sensitive. The helper is OS access permission sensitive, and NTLM auth has difficulties all of its own. I'll need to see the whole access config to know whats going on. And remind me what version of Squid this is.

Amos

hi,

r...@sunbox:/etc/squid# dpkg -l | grep squid
ii squid 2.6.18-1ubuntu3 Internet object cache (WWW proxy cache)
ii squid-common 2.6.18-1ubuntu3 Internet object cache (WWW proxy cache) - co

squid.conf

visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

use: cache deny QUERY

hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563
Re: [squid-users] squid didn't not write all logs
Wed 2009-09-09 at 10:52 +0530, Avinash Rao wrote:

> Even I don't have access.log on my system. I see only cache.log and store.log under /var/log/squid. Why is access.log used and how can I enable it? I am using Squid2.6stable18.

Have you configured the access_log directive in your squid.conf?

Regards
Henrik
Re: [squid-users] Need help in integrating squid and samba
Wed 2009-09-09 at 12:02 +0530, Avinash Rao wrote:

> http_access allow staffgroup
> http_access allow student staffgroup

The above is wrong. The first directive allows everyone in staffgroup without restriction, which means the second can not be reached. Squid uses the first http_access line matching the request to determine if the request is allowed or denied; any http_access rules following that are ignored.

> I am wondering if it's really checking the NT group? I also tried using the squid_unix_group option, but the result was the same.

It most likely is, assuming you have no proxy_auth REQUIRED acl used in parts of squid.conf not shown here.

> http_access deny extndeny
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access allow friends WORKING
> #http_access deny friends
> http_access deny abc
> http_access deny videos
> http_access deny !AuthUsers

Ok.

> http_access allow staffgroup
> http_access allow student staffgroup

See above for why this is wrong. I guess the first of the two should go..

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost

There is a deny purge rule missing here. And the whole block should be before your custom rules (i.e. first rules in http_access).

> #http_access allow special_urls
> #http_access deny extndeny download
> http_access deny badurl
> #http_access deny malware_block_list
> #deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list

This deny needs to go before where you allow access to be effective. But maybe it is.. Not entirely obvious to me who should get denied and who not.

> http_access allow localhost
> http_access allow lan
> http_access deny all

Ok.

Regards
Henrik
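The first-match behaviour described in the reply above can be checked mechanically. This is an added example, not part of the original thread and not Squid code: a small Python lint that reports any http_access line whose ACL list contains every ACL of an earlier line, because the earlier line then always decides first. The sample input is the set of active http_access lines quoted in this thread; the function names are hypothetical.

```python
"""Lint Squid http_access rules for lines that can never decide a request."""

# Active (uncommented) http_access lines as quoted in the thread, in order.
SAMPLE = """\
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny abc
http_access deny videos
http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny badurl
http_access allow localhost
http_access allow lan
http_access deny all
"""


def parse_http_access(conf_text):
    """Return [(lineno, action, acl_terms)] for each active http_access line."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()  # drop comments and disabled rules
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((lineno, parts[1], parts[2:]))
    return rules


def normalise(terms):
    """Drop the always-true 'all'; return None if the line can never match."""
    terms = set(terms)
    if "!all" in terms or any("!" + t in terms for t in terms):
        return None
    terms.discard("all")
    return frozenset(terms)


def find_shadowed(rules):
    """
    A line matches only when ALL of its ACLs match. If an earlier line's ACLs
    are a subset of a later line's, every request the later line would match
    has already been decided by the earlier one.
    Returns [(shadowed_lineno, earlier_lineno, kind)].
    """
    findings, seen = [], []
    for lineno, action, raw_terms in rules:
        terms = normalise(raw_terms)
        if terms is None:
            findings.append((lineno, None, "never-matches"))
            continue
        for e_line, e_action, e_terms in seen:
            if e_terms <= terms:
                # Same action: the narrower line adds no restriction.
                # Different action: the earlier line's decision wins.
                kind = "redundant" if e_action == action else "overridden"
                findings.append((lineno, e_line, kind))
                break
        seen.append((lineno, action, terms))
    return findings


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for shadowed, earlier, kind in find_shadowed(parse_http_access(SAMPLE)):
        print(f"line {shadowed} ({lines[shadowed - 1]!r}) is {kind}: "
              f"line {earlier} ({lines[earlier - 1]!r}) decides first")
```

The lint treats ACL names as opaque, so it only catches shadowing that is visible from the names alone; on this sample it reports `allow student staffgroup` and also `allow purge localhost`, which sits after `deny purge`.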
[squid-users] TCP_MISS/503
Hi all,

Am running squid 2.6 in CentOS which is behind a firewall. Am able to access other websites using the proxy apart from aphrc.org. Its been recurring since yesterday in the afternoon and all was working well in the morning. This is the error message am getting from access.log.

1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html

I have entered the DNS nameservers in the squid file. All the help will highly be appreciated
Re: [squid-users] TCP_MISS/503
Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:

> This is the error message am getting from access.log.
> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html

What error do you get in the browser (disable show friendly error message if using MSIE)

Regards
Henrik
Re: [squid-users] TCP_MISS/503
am using ubuntu. The browser displays

The following error was encounterd
Unable to determine IP address from hostname for www.aphrc.org
the dns

On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:

> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>
>> This is the error message am getting from access.log.
>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>
> What error do you get in the browser (disable show friendly error message if using MSIE)
>
> Regards
> Henrik
[squid-users] Squid with Dansguardian (tcp_outgoing_address problem)
Dear All,

My setup is like this. I'm using dansguardian, squid, havp and I have two ISP connections. In squid.conf I have given:

acl mac arp '/etc/squid/mac'
tcp_outgoing_address w.x.y.z mac

So, when I'm using only squid, the mac ID's present in '/etc/squid/mac' are going through the IP w.x.y.z . But when I'm using dansguardian this rule is not working. It is going through default wan connection. Can anybody help me solve this problem.

Thanks
Regards,
Santy
Re: [squid-users] TCP_MISS/503
am using ubuntu. The browser displays

The following error was encounterd
Unable to determine IP address from hostname for www.aphrc.org
the dnsserver returned :
DNS Domain 'www.aphrc.org' is invalid. Host not found (authoritative)
This means that
The cache was unable to resolve the the hostname presented in the URL

On Wed, Sep 9, 2009 at 12:09 PM, Kevin Kimani kevinkim...@gmail.com wrote:

> am using ubuntu. The browser displays
>
> The following error was encounterd
> Unable to determine IP address from hostname for www.aphrc.org
> the dns
>
> On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>
>> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>>
>>> This is the error message am getting from access.log.
>>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>>
>> What error do you get in the browser (disable show friendly error message if using MSIE)
>>
>> Regards
>> Henrik
Re: [squid-users] TCP_MISS/503
Hmm.. that does not match your access.log entry where it obviously could find the IP..

Wed 2009-09-09 at 12:09 +0300, Kevin Kimani wrote:

> am using ubuntu. The browser displays
>
> The following error was encounterd
> Unable to determine IP address from hostname for www.aphrc.org
> the dns
>
> On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>
>> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>>
>>> This is the error message am getting from access.log.
>>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>>
>> What error do you get in the browser (disable show friendly error message if using MSIE)
>>
>> Regards
>> Henrik
Re: [squid-users] TCP_MISS/503
am also wondering why its not resolving. Am blank with no ideas not sure what to do next

On Wed, Sep 9, 2009 at 12:49 PM, Henrik Nordstrom hen...@henriknordstrom.net wrote:

> Hmm.. that does not match your access.log entry where it obviously could find the IP..
>
> Wed 2009-09-09 at 12:09 +0300, Kevin Kimani wrote:
>
>> am using ubuntu. The browser displays
>>
>> The following error was encounterd
>> Unable to determine IP address from hostname for www.aphrc.org
>> the dns
>>
>> On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>>
>>> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>>>
>>>> This is the error message am getting from access.log.
>>>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>>>
>>> What error do you get in the browser (disable show friendly error message if using MSIE)
>>>
>>> Regards
>>> Henrik
[squid-users] Squid stops responding-LTSP and WinXP clients
Dear all,

I am sure this question would have been posted many times. I read a few threads, but my requirement or setup is a bit different.

I am running Squid2.6stable18 on Ubuntu Server 8.04 Server 64-bit installed on Sun Fire X4150 Server with 8GB RAM + 8 SAS HDD's - RAID 5 + 2 Quad Core Intel Xeon Processors. I have both LTSP and WinXP clients using Squid.

Many times i have noticed, squid stops responding, the browser keeps trying to connect and i don't see any error in cache.log or store.log. My only way out is to restart squid.

I read through cache_mem, my current configuration is 100MB, i changed it to 128MB, but squid couldn't start saying the cache_mem is more than cache_disk size. Why does this happen and what is the recommended configuration for the hardware i have?

squid.conf: Please do not compare this config to my other posts, as this is on a different server and it has a very basic configuration.

visible_hostname sunserver
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.10:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex /etc/squid/squid-noblock.acl
acl extndeny url_regex -i /etc/squid/blocks.files.acl
acl malware_block_list url_regex -i /etc/squid/malware_block_list.txt
acl badurl url_regex -i teen orkut youtube sex mp3 mp4
acl lan src 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
ident_lookup_access allow all
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Many Thanks
Avinash
Re: [squid-users] squid didn't not write all logs
Avinash Rao wrote:

> On Wed, Sep 9, 2009 at 6:22 AM, Amos Jeffries squ...@treenet.co.nz wrote:
>
>> On Tue, 8 Sep 2009 23:09:10 +0200, Friedrich Hattendorf friedr...@hattendoerfer.de wrote:
>>
>>> Hello list,
>>>
>>> we are running a debian ltsp system at our school
>>>
>>> since our last update squid wrote only the store.log cache.log but no longer the access.log
>>>
>>> Seems to be a problem of squid.conf: all three had the same entry:
>>>
>>> #Default:
>>> # cache_access_log /var/log/squid/access.log
>>>
>>> I deleted the # in the above line with access.log, restarted squid and the access.log was there again.
>>>
>>> But I don't comprehend, why the other two weren't conflicted.
>>
>> Somebody change the config file on you? Or maybe you have an automatic system that changes certain config lines to your local settings?
>>
>> cache_access_log is obsolete in 2.6 and later. Use access_log instead.
>>
>> Amos
>
> Even I don't have access.log on my system. I see only cache.log and store.log under /var/log/squid. Why is access.log used and how can I enable it? I am using Squid2.6stable18.

Please read the two posts you quoted. The answer to your question is on the line above your question.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
Re: [squid-users] msn messenger problem with squid
serfer wrote:

> Please help me in the above issue
> thanks

Sure, go to Control Panel. Select Add Remove Programs and then click on Remove MSN Messenger

Or were you referring to something other than _The_ MSN Messenger Problem?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
Re: [squid-users] Squid stops responding-LTSP and WinXP clients
Avinash Rao wrote:

> Dear all,
>
> I am sure this question would have been posted many times. I read a few threads, but my requirement or setup is a bit different.
>
> I am running Squid2.6stable18 on Ubuntu Server 8.04 Server 64-bit installed on Sun Fire X4150 Server with 8GB RAM + 8 SAS HDD's - RAID 5 + 2 Quad Core Intel Xeon Processors. I have both LTSP and WinXP clients using Squid.
>
> Many times i have noticed, squid stops responding, the browser keeps trying to connect and i don't see any error in cache.log or store.log. My only way out is to restart squid.

Usually means Squid is doing something with its on-disk storage.

> I read through cache_mem, my current configuration is 100MB, i changed it to 128MB, but squid couldn't start saying the cache_mem is more than cache_disk size. Why does this happen and what is the recommended configuration for the hardware i have?

You are missing a cache_dir option. Which means Squid-2 will be using the default and very inefficient 100 MB ufs formatted storage.

Squid-3.1 and later are the only releases of Squid where cache_dir can be fully removed from the config.

Either define a cache_dir to use the disks or setup the null cache_dir type for memory-only storage.

> squid.conf: Please do not compare this config to my other posts, as this is on a different server and it has a very basic configuration.
>
> visible_hostname sunserver
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

Drop 'no_cache' use instead:

cache deny QUERY

> hosts_file /etc/hosts
> http_port 10.10.10.10:3128
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 631 # cups
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 993 # IMAP
> acl Safe_ports port 587 # SMTP
> acl Safe_ports port 22 # SSH
> acl purge method PURGE
> acl special_urls url_regex /etc/squid/squid-noblock.acl
> acl extndeny url_regex -i /etc/squid/blocks.files.acl
> acl malware_block_list url_regex -i /etc/squid/malware_block_list.txt
> acl badurl url_regex -i teen orkut youtube sex mp3 mp4
> acl lan src 10.10.10.0/24
> acl stud ident_regex babu
> acl download method GET
> acl CONNECT method CONNECT
> cache_mem 100 MB
> ident_lookup_access allow all
> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access allow special_urls
> http_access deny extndeny download
> http_access deny extndeny
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny badurl
> http_access deny malware_block_list
> http_access allow localhost
> http_access allow lan
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
>
> Many Thanks
> Avinash

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)
Santhosh Kumar Gulla wrote:

> Dear All,
>
> My setup is like this. I'm using dansguardian, squid, havp and I have two ISP connections. In squid.conf I have given:
>
> acl mac arp '/etc/squid/mac'
> tcp_outgoing_address w.x.y.z mac
>
> So, when I'm using only squid, the mac ID's present in '/etc/squid/mac' are going through the IP w.x.y.z . But when I'm using dansguardian this rule is not working. It is going through default wan connection. Can anybody help me solve this problem.

Not without a LOT more info about your setup, Squid, and operational needs and resources than you are likely to provide.

Please understand WHY this is happening...

DG plugs in between the client and Squid or Squid and the Internet. Which means...

DG will be the 'client' as far as Squid can tell - thus the MAC address will always 100% be the MAC of the DG host machine.

OR...

Squid will always be connecting out to DG - thus Squid outgoing address is never contacting the Internet and so setting it means nothing.

This is one of the reasons why ARP / MAC is considered generally useless.

SOLUTION: Try another ACL type.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
Re: [squid-users] TCP_MISS/503
Kevin Kimani wrote:

> am also wondering why its not resolving. Am blank with no ideas not sure what to do next
>
> On Wed, Sep 9, 2009 at 12:49 PM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>
>> Hmm.. that does not match your access.log entry where it obviously could find the IP..

Looks to me like your Squid resolved the domain to IP 63.246.8.100 and passed the request on. But got a 503 message back from that machine.

Does the error page finish with the hostname and version of your Squid or some other?

Lesson to anyone wanting to remove the squid signature from their error pages: THIS is why it is there!!!

Amos

>> Wed 2009-09-09 at 12:09 +0300, Kevin Kimani wrote:
>>
>>> am using ubuntu. The browser displays
>>>
>>> The following error was encounterd
>>> Unable to determine IP address from hostname for www.aphrc.org
>>> the dns
>>>
>>> On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>>>
>>>> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>>>>
>>>>> This is the error message am getting from access.log.
>>>>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>>>>
>>>> What error do you get in the browser (disable show friendly error message if using MSIE)
>>>>
>>>> Regards
>>>> Henrik

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
[squid-users] Delay pools problem
Hi everyone.

I'm having delay pools issues. I have declared 3 delay pools, and I have made 3 different groups in 3 text files; each file contains the names of the users corresponding to the navigation speed. I have declared INFO as the highest privilege group, GRAL as standard navigation group, and REST as restricted navigation group.

My problem is that apparently my rule is not working, as all the users are allowed in delay_pool 1, and nobody is allowed in the other 2 delay_pools. I guess the problem is in the delay_access section...?

My squid.conf section :

delay_pools 3
delay_class 1 3
delay_class 2 3
delay_class 3 3
delay_access 1 allow info !gral !rest
delay_access 1 deny gral rest
delay_access 2 allow gral !rest
delay_access 2 deny rest
delay_access 3 allow rest
delay_access 3 deny all
delay_parameters 1 -1/-1 -1/1024000 15000/512000
delay_parameters 2 -1/-1 3/1024000 7000/512000
delay_parameters 3 -1/-1 3/1024000 3000/512000
acl info proxy_auth_regex -i /etc/squid/info.txt REQUIRED
acl gral proxy_auth_regex -i /etc/squid/gral.txt REQUIRED
acl rest proxy_auth_regex -i /etc/squid/rest.txt REQUIRED

Thanks in advance !
[squid-users] Squid will not connect from outside
I am having problems connecting to Squid from outside my local network. I have set it up using NCSA authentication, and all seems correct. I can connect to it from within my local network (I commented out the 'http_access allow localnet' in squid.conf for that test) and it correctly asks for username and password and connects if right. I can do this both by referring to my computer's hostname within the local network and by referring to my router's IP address (I have set up port forwarding for port 3128 on my router). However, when I try from outside my local network (from at school), Firefox (using FoxyProxy) shows a 'proxy server refusing connections' error. This occurs both when I try to connect via the proxy server and when I nc into 3128 on my router's IP. Other services (such as ssh) work from school to my computer at home. Does anyone know why this might be? Thanks for any help. -- Tom Dickson-Hunt
Re: [squid-users] NTLM or fakeauth_auth
Quoting Henrik Nordstrom hen...@henriknordstrom.net:

> Tue 2009-09-08 at 17:54 +0200, apmail...@free.fr wrote:
>
>> Still, is it possible to present specific authentication schemes depending on the useragent ?
>
> Not yet.
>
>> Maybe I didn't explain clearly : it's not the migration process in itself that worries us. It's the everyday use of the future AD authentication : Accounts getting locked too often. Has anybody had such account locking problems ? If so, could they share with us how they prevented these lockouts from happening ?
>
> From what I remember AD allows for bad NTLM logins with an old password for quite some time without locking the account, to avoid the issue with shares/applications continuing using the old password after the user has changed his password.
>
> But if using Negotiate (kerberos) then this pretty much should be a non-issue as Kerberos is ticket based and not directly derived from the password, or at least that's my understanding.

I too was thinking of implementing kerberos, with the assumption (still to be verified) that those annoying pieces of software going to internet without the user's full knowledge ( a***e updater for instance ) would not implement this scheme.

Will keep you posted,

Thanks
Re: [squid-users] TCP_MISS/503
Thanks guys,

Was able to resolve it but it was the firewall that was mis-behaving.

@Amos..the error message ends with the version of squid and the admin email address

On Wed, Sep 9, 2009 at 3:27 PM, Amos Jeffries squ...@treenet.co.nz wrote:

> Kevin Kimani wrote:
>
>> am also wondering why its not resolving. Am blank with no ideas not sure what to do next
>>
>> On Wed, Sep 9, 2009 at 12:49 PM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>>
>>> Hmm.. that does not match your access.log entry where it obviously could find the IP..
>
> Looks to me like your Squid resolved the domain to IP 63.246.8.100 and passed the request on. But got a 503 message back from that machine.
>
> Does the error page finish with the hostname and version of your Squid or some other?
>
> Lesson to anyone wanting to remove the squid signature from their error pages: THIS is why it is there!!!
>
> Amos
>
>>> Wed 2009-09-09 at 12:09 +0300, Kevin Kimani wrote:
>>>
>>>> am using ubuntu. The browser displays
>>>>
>>>> The following error was encounterd
>>>> Unable to determine IP address from hostname for www.aphrc.org
>>>> the dns
>>>>
>>>> On Wed, Sep 9, 2009 at 11:58 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
>>>>
>>>>> Wed 2009-09-09 at 11:24 +0300, Kevin Kimani wrote:
>>>>>
>>>>>> This is the error message am getting from access.log.
>>>>>> 1252483940.606 2 10.176.203.55 TCP_MISS/503 1660 GET http://www.aphrc.org/ - DIRECT/63.246.8.100 text/html
>>>>>
>>>>> What error do you get in the browser (disable show friendly error message if using MSIE)
>>>>>
>>>>> Regards
>>>>> Henrik
>
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>   Current Beta Squid 3.1.0.13
Re: [squid-users] Delay pools problem
Augusto Casagrande wrote:

> Hi everyone.
>
> I'm having delay pools issues. I have declared 3 delay pools, and I have made 3 different groups in 3 text files; each file contains the names of the users corresponding to the navigation speed. I have declared INFO as the highest privilege group, GRAL as standard navigation group, and REST as restricted navigation group.
>
> My problem is that apparently my rule is not working, as all the users are allowed in delay_pool 1, and nobody is allowed in the other 2 delay_pools. I guess the problem is in the delay_access section...?
>
> My squid.conf section :
>
> delay_pools 3
> delay_class 1 3
> delay_class 2 3
> delay_class 3 3
> delay_access 1 allow info !gral !rest

While explicit as it is, this line would be better expressed (and simpler for Squid to parse) as...

delay_access 1 allow info

...assuming info, gral and rest don't have any overlap. If there is overlap, the original is fine.

> delay_access 1 deny gral rest

This line says deny access to delay pool 1 for the intersection of gral AND rest. Since there are no further delay_access rules for pool 1, there is an implicit delay_access 1 allow all after. What you should have is...

delay_access 1 deny all

> delay_access 2 allow gral !rest

delay_access 2 allow gral

> delay_access 2 deny rest

delay_access 2 deny all

> delay_access 3 allow rest
> delay_access 3 deny all
> delay_parameters 1 -1/-1 -1/1024000 15000/512000
> delay_parameters 2 -1/-1 3/1024000 7000/512000
> delay_parameters 3 -1/-1 3/1024000 3000/512000
> acl info proxy_auth_regex -i /etc/squid/info.txt REQUIRED
> acl gral proxy_auth_regex -i /etc/squid/gral.txt REQUIRED
> acl rest proxy_auth_regex -i /etc/squid/rest.txt REQUIRED

I have to imagine that the delay_parameters and ACLs are defined above the delay_access lines that reference them, as Squid reads the config file in a linear fashion.

> Thanks in advance !

Chris
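How the implicit default described in the reply above sends every user to pool 1, as an added example that is not part of the original thread and not Squid code: a Python model of delay_access evaluation (pools tried in numeric order, first matching line decides, and a list with no match yields the opposite of its last line). The user names, their group membership and the CORRECTED rule set are constructed here, the latter along the lines the reply suggests.

```python
"""Model of Squid delay_access pool selection (illustrative, not Squid code)."""

# delay_access lines as posted in the question.
ORIGINAL = """\
delay_access 1 allow info !gral !rest
delay_access 1 deny gral rest
delay_access 2 allow gral !rest
delay_access 2 deny rest
delay_access 3 allow rest
delay_access 3 deny all
"""

# Constructed variant: every pool's list ends in an explicit "deny all".
CORRECTED = """\
delay_access 1 allow info
delay_access 1 deny all
delay_access 2 allow gral
delay_access 2 deny all
delay_access 3 allow rest
delay_access 3 deny all
"""

# Constructed users, each mapped to the set of ACL names that match them.
USERS = {"alice": {"info"}, "bob": {"gral"}, "carol": {"rest"}, "dave": set()}


def parse_delay_access(conf_text):
    """Return {pool_number: [(action, [acl_terms])]} in file order."""
    pools = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "delay_access" and parts[2] in ("allow", "deny"):
            pools.setdefault(int(parts[1]), []).append((parts[2], parts[3:]))
    return pools


def term_true(term, true_acls):
    """Evaluate one ACL name, honouring '!' negation and the built-in 'all'."""
    if term.startswith("!"):
        return not term_true(term[1:], true_acls)
    return term == "all" or term in true_acls


def list_allows(rules, true_acls):
    """First line whose ACLs all match decides the outcome for this pool."""
    for action, terms in rules:
        if all(term_true(t, true_acls) for t in terms):
            return action == "allow"
    # No line matched: the implicit default is the inverse of the last line.
    return rules[-1][0] == "deny"


def select_pool(pools, true_acls):
    """Pools are tried in numeric order; the first that allows is used."""
    for number in sorted(pools):
        if list_allows(pools[number], true_acls):
            return number
    return None  # no pool allows: the request is not delayed


def assignments(conf_text, users=USERS):
    """Map each user to the delay pool their requests would fall into."""
    pools = parse_delay_access(conf_text)
    return {name: select_pool(pools, acls) for name, acls in users.items()}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, assignments(conf))
```

With the original lines only a user who matches both gral and rest is ever refused pool 1, which is why the restricted group was getting the least restricted pool.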
[squid-users] Reverse Proxy with Multiple Backend Web Servers
Squid 3.0 is version. Can someone verify my squid.conf for me before I go to production with this? Thanks to all in advance!!

http_port 80 accel defaultsite=img01.cprpt.com
cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain img01.cprpt.com
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain img02.cprpt.com
cache_peer_access server_2 allow sites_server_2
visible_hostname bv-ic01
cache_dir ufs /data/spool/squid 100 16 256
cache_access_log /data/log/squid/access.log
cache_log /data/log/squid/cache.log
cache_store_log /data/log/squid/store.log
RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED
Thanks very much Henrik... Now everything is OK and running perfect. Like you said at the old post which I rescued from googling, referring to dstdomain... Today, as you say so now, it remains active. That is, not EVERYTHING changes despite the time...

Also, I have made a nice bash script which maintains the dynamic IP active in Squid, which works as if the IP was fixed...

Thanks Henrik ;-)

From: hen...@henriknordstrom.net
To: squ...@treenet.co.nz
CC: rac...@hotmail.com; squid-users@squid-cache.org
Date: Tue, 8 Sep 2009 10:25:00 +0200
Subject: RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

Tue 2009-09-08 at 11:29 +1200, Amos Jeffries wrote:

> [2] No. Go back to the _current_ documentation and responses. Disregard the terminology from a decade ago about a non-relevant release of Squid. Things change.

The dstdomain acl is still the same

www.example.com - Matches just the host www.example.com
.example.com - Matches the whole example.com domain
example.com - Matches just the host example.com, not www.example.com

Regards
Henrik
RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13
Long over-due but I finally got past my error with this. Thanks to all who responded, basically you were dead on, I just had to download the SDK CD (Disk 1) and install a few packages:

-installing libcom_err-devel for krb5-devel (from SDK CD 1)
/mnt/cdrom/suse/x86_64/libcom_err-devel-1.41.1-13.9.x86_64.rpm
/mnt/cdrom/suse/x86_64/libcom_err-devel-32bit-1.41.1-13.9.x86_64.rpm
-installing keyutils-devel for krb5-devl (from SDK CD 1)
/mnt/cdrom/suse/x86_64/keyutils-devel-1.2-107.22.x86_64.rpm
-installing krb5-devel (from SDK CD 1)
/mnt/cdrom/suse/x86_64/krb5-devel-1.6.3-133.10.x86_64.rpm
/mnt/cdrom/suse/x86_64/krb5-devel-32bit-1.6.3-133.10.x86_64.rpm

Thanks all. Now that I have the EASY part out of the way, time to dig into the authentication /wrist! =D

-Original Message-
From: Daniel [mailto:sq...@zoomemail.com]
Sent: Friday, August 14, 2009 4:22 PM
To: 'Markus Moeller'; squid-users@squid-cache.org
Subject: RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Markus,

First, please correct me if I'm wrong but I looked for 'gssapi.h' in config.log and I'm assuming that config.log contains all the log information from doing a /configure? Assuming that I am correct, I couldn't find 'gssapi' anywhere inside the log file so I'm not sure if that's a good thing or a bad thing.

I went ahead and dumped the output of the ./configure to a file and these are the only lines that I could find for gssapi.h:

checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no

If there's anything else that I could try, I'd greatly appreciate it. Thanks!

-Original Message-
From: news [mailto:n...@ger.gmane.org] On Behalf Of Markus Moeller
Sent: Tuesday, August 11, 2009 3:25 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Hi Daniel,

Did you see any configure errors for gssapi.h ?

Markus

Daniel sq...@zoomemail.com wrote in message news:001301ca19fe$9f450a50$ddcf1e...@com...

Good afternoon,

In my attempt to get Squid on our SLES 11 box authenticating with Kerberos (negotiate), I used the following to re-configure:

./configure --prefix=/usr/local/squid --enable-cachemgr-hostname=sclthdq01w --enable-auth=negotiate --enable-negotiate-auth-helpers=squid_kerb_auth

The configure appears to run without any issues. However, upon running make all I receive the following errors:

squid_kerb_auth.c:507: error: implicit declaration of function ‘gss_display_name’
make[5]: *** [squid_kerb_auth.o] Error 1
make[5]: Leaving directory `/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/tmp/squid-3.1.0.13/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/squid-3.1.0.13/helpers'
make: *** [all-recursive] Error 1

Any ideas?? As always, T.I.A.

-Daniel
Re: [squid-users] Reverse Proxy with Multiple Backend Web Servers
On Wed, 9 Sep 2009 13:37:04 -0400, Jones, Keven keven.jo...@ncr.com wrote:
> Squid 3.0 is version. Can someone verify my squid.conf for me before I go to production with this?

Sure.

> Thanks to all in advance!!
>
> http_port 80 accel defaultsite=img01.cprpt.com

Missing vhost option. Needed for multiple domain routing.

> cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
> acl all src 0.0.0.0/0.0.0.0

Squid-3 defines all internally for you. If you need to define it in the config then your version is too old and is very buggy.

> acl our_sites dstdomain img01.cprpt.com
> http_access allow our_sites
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
> cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
> acl sites_server_2 dstdomain img02.cprpt.com
> cache_peer_access server_2 allow sites_server_2

No deny all here? or did you intend this server to be a backup provider of img01.cprpt.com as well?

> visible_hostname bv-ic01
> cache_dir ufs /data/spool/squid 100 16 256

100 MB of disk storage. You sure about that? It's workable, but you may or may not want to alter it for better caching. AUFS on linux and diskd on *BSD do better storage management than plain ufs.

> cache_access_log /data/log/squid/access.log

Use instead: access_log /data/log/squid/access.log

> cache_log /data/log/squid/cache.log
> cache_store_log /data/log/squid/store.log

Set the above to none. The log is mostly a waste of disk IO time except for debugging storage problems and some extremely detailed disk usage analysis tools.

Amos
[squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi,

I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups. However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do. I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file.

I am running Squid 2.7STABLE6 on a Windows 2008 server.

Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.

As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friend's account. A Cache Access Denied screen is a much better alternative.

Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.

Any suggestions or ideas are appreciated.

Regards,
Dion

auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
auth_param basic children 5
auth_param basic realm VSC
auth_param basic credentialsttl 5 minutes
external_acl_type ldapgroup LOGIN ..
acl ldap-auth proxy_auth REQUIRED
acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess
http_access deny accessdenied
http_access allow accessallowed
http_access deny all
Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny
On Thu, 10 Sep 2009 10:55:58 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
> Hi,
>
> I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups. However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do. I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file.
>
> I am running Squid 2.7STABLE6 on a Windows 2008 server.
>
> Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.
>
> As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friend's account. A Cache Access Denied screen is a much better alternative.

Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem.

> Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.
>
> Any suggestions or ideas are appreciated.
>
> Regards,
> Dion
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
> external_acl_type ldapgroup LOGIN ..
> acl ldap-auth proxy_auth REQUIRED
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
> http_access deny accessdenied

Change the above line to:

http_access deny accessdenied all

... which will produce the Access Denied page instead of a challenge.

Any other denied groups need to go in here one to a line with all at the end of each line.

After all of them add a new line:

http_access deny !ldap-auth

... which will cause Squid to challenge if no credentials are given yet. People who have given _any_ valid credentials will not be asked twice. This action was being done as side-effect of the accessdenied ACL test, but with the new version it needs to be done separately.

> http_access allow accessallowed
> http_access deny all

Amos
[squid-users] cache problem of image/gif
I'm using squid3.0 and have met a problem.

request one:
http://192.168.8.20/gmap/near?near=39.900711,116.392spn=1,1q=%D2%F4%C0%D6
The above request returns type TEXT/PLAIN, cache OK.

request two:
http://192.168.8.20/gmap/staticmap?center=30.279752,120.142699zoom=12size=240x320format=gifmaptype=roadmap
The above request returns IMAGE/GIF, can't cache.

access.log:
--
1252545652.809 0 192.168.8.38 TCP_HIT/200 2966 GET http://192.168.8.20/gmap/near? - NONE/- text/plain
1252545670.510353 192.168.8.38 TCP_MISS/200 36526 GET http://192.168.8.20/gmap/staticmap? - FIRST_UP_PARENT/www image/gif
1252545693.538 0 192.168.8.38 TCP_HIT/200 2966 GET http://192.168.8.20/gmap/near? - NONE/- text/plain
1252545693.892356 192.168.8.38 TCP_MISS/200 36526 GET http://192.168.8.20/gmap/staticmap? - FIRST_UP_PARENT/www image/gif
---

I referenced some docs and added two lines to mime.conf, but it's of no use.

mime.conf
#---
\.gif$ image/gif anthony-image.gif - image +download
staticmap image/gif anthony-image.gif - image +download
roadmap image/gif anthony-image.gif - image +download
-

I can't resolve it!! So anyone, please give me some suggestions, thanks a lot!

2009-09-10
jboot
[squid-users] Good book for squid
Can anyone recommend me a good book for squid? I prefer more advance level. I was looking at Squid: The Definitive Guide by O'Reilly, but the date is January 2004. Is it still good? Thanks in advance.
[squid-users] streaming and performance problems
Hi,

In my setup, I am streaming live television from a streaming service in the Netherlands through Squid deployed on a Ubuntu server in the Netherlands to a Windows machine in Japan. I am the one and only user of the Squid server. I view .wmv stream in Explorer using Windows Media Player. The connection speed is excellent (I tested this with downloading files from various servers in Explorer). Still, after about one minute of perfect play, the image keeps rebuffering and the image freezes. I tried many things, but I just cannot get it to work properly.

In the Squid log-file, I get the following entries from the start until before the end of the stream:

1252558617.468 80 202.223.121.120 TCP_MISS/200 375 GET http://streams.kpn.net/cgi-bin/reflector.cgi? - DIRECT/213.75.10.25 video/x-ms-asf
1252558618.226 128 202.223.121.120 TCP_MISS/200 8068 GET http://213.75.12.48/ecv_live/22434_1252096281.wmv - DIRECT/213.75.12.48 application/vnd.ms.wms-hdr.asfv1
1252558715.247 6 202.223.121.120 TCP_MISS/200 208 POST http://213.75.12.48/ecv_live/22434_1252096281.wmv - DIRECT/213.75.12.48 -
1252558749.063 7 202.223.121.120 TCP_MISS/200 208 POST http://213.75.12.48/ecv_live/22434_1252096281.wmv - DIRECT/213.75.12.48 -
1252558987.624 185546 202.223.121.120 TCP_MISS/200 18111884 GET http://213.75.12.48/ecv_live/22434_1252096281.wmv - DIRECT/213.75.12.48 application/x-mms-framed

Is there anything I can do to fix this? What can I try more to get this to work properly? Below this email my Squid configuration. To improve performance, I tried to switch off caching and increase the read_ahead_gap. I hope I did it correctly. Though, it did not help unfortunately.

Thank you!
Andrej

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl home src 202.223.121.120
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow home
http_access deny all
icp_access allow home
icp_access deny all
htcp_access allow home
htcp_access deny all
http_port 45678
hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
maximum_object_size_in_memory 64 MB
cache_dir null /null
maximum_object_size 1 KB
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
read_ahead_gap 64 MB
via off
forwarded_for off
request_header_access X-forwarded-For deny all
icp_port 3130
acl streamorlarge urlpath_regex -i \.swf$ \.SWF$ \.asf$ \.asx$ \.wmv$ \.mpg$ \.rm$ \.mov$ \.flv$ \.mpeg$ \.FLV$ \.rar$ \.zip$ \.ZIP$ \.iso$ streams\.kpn\.net
no_cache deny streamorlarge
coredump_dir /usr/local/squid/var/cache
Re: [squid-users] Squid stops responding-LTSP and WinXP clients
On Wed, Sep 9, 2009 at 5:45 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> Avinash Rao wrote:
>> Dear all, I am sure this question would have been posted many times. I read a few threads, but my requirement or setup is a bit different. I am running Squid2.6stable18 on Ubuntu Server 8.04 Server 64-bit installed on Sun Fire X4150 Server with 8GB RAM + 8 SAS HDD's - RAID 5 + 2 Quad Core Intel Xeon Processors. I have both LTSP and WinXP clients using Squid. Many times i have noticed, squid stops responding, the browser keeps trying to connect and i don't see any error in cache.log or store.log. My only way out is to restart squid.
>
> Usually means Squid is doing something with its on-disk storage.
>
>> I read through cache_mem, my current configuration is 100MB, i changed it to 128MB, but squid couldn't start saying the cache_mem is more than cache_disk size. Why does this happen and what is the recommended configuration for the hardware i have?
>
> You are missing a cache_dir option. Which means Squid-2 will be using the default and very inefficient 100 MB ufs formatted storage. Squid-3.1 and later are the only releases of Squid where cache_dir can be fully removed from the config. Either define a cache_dir to use the disks or setup the null cache_dir type for memory-only storage.
>
>> squid.conf: Please do not compare this config to my other posts, as this is on a different server and it has a very basic configuration.
>>
>> visible_hostname sunserver
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> Drop 'no_cache' use instead: cache deny QUERY
>
>> hosts_file /etc/hosts
>> http_port 10.10.10.10:3128
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 901 # SWAT
>> acl Safe_ports port 993 # IMAP
>> acl Safe_ports port 587 # SMTP
>> acl Safe_ports port 22 # SSH
>> acl purge method PURGE
>> acl special_urls url_regex /etc/squid/squid-noblock.acl
>> acl extndeny url_regex -i /etc/squid/blocks.files.acl
>> acl malware_block_list url_regex -i /etc/squid/malware_block_list.txt
>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4
>> acl lan src 10.10.10.0/24
>> acl stud ident_regex babu
>> acl download method GET
>> acl CONNECT method CONNECT
>> cache_mem 100 MB
>> ident_lookup_access allow all
>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access allow special_urls
>> http_access deny extndeny download
>> http_access deny extndeny
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny badurl
>> http_access deny malware_block_list
>> http_access allow localhost
>> http_access allow lan
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> coredump_dir /var/spool/squid
>>
>> Many Thanks
>> Avinash
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> Current Beta Squid 3.1.0.13

Thank you all for the information. I read the documentation. To begin with I have set cache_dir to 256MB and cache_mem also to 256 MB. Which takes the precedence? I guess the pages are stored/retrieved from the RAM. Does this setting mean that, once 256MB is reached in RAM it will start storing the pages in cache_dir?

Thanks,
Avinash
Re: [squid-users] Need help in integrating squid and samba
On Wed, Sep 9, 2009 at 12:56 PM, Henrik Nordstrom hen...@henriknordstrom.net wrote:
> Wed 2009-09-09 at 12:02 +0530, Avinash Rao wrote:
>> http_access allow staffgroup
>> http_access allow student staffgroup
>
> The above is wrong. The first directive allows everyone in staffgroup without restriction, which means the second can not be reached. Squid uses the first http_access line matching the request to determine if the request is allowed or denied, any http_access rules following that is ignored.
>
>> I am wondering if it's really checking the NT group? I also tried using the squid_unix_group option, but the result was the same.
>
> It most likely is, assuming you have no proxy_auth REQUIRED acl used in parts of squid.conf not shown here.
>
>> http_access deny extndeny
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access allow friends WORKING
>> #http_access deny friends
>> http_access deny abc
>> http_access deny videos
>> http_access deny !AuthUsers
>
> Ok.
>
>> http_access allow staffgroup
>> http_access allow student staffgroup
>
> See above for why this is wrong. I guess the first of the two should go..
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>
> There is a deny purge rule missing here. And the whole block should be before your custom rules (i.e. first rules in http_access).
>
>> #http_access allow special_urls
>> #http_access deny extndeny download
>> http_access deny badurl
>> #http_access deny malware_block_list
>> #deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>
> This deny need to go before where you allow access to be effective. But maybe it is.. Not entirely obvious to me who should get denied and who not.
>
>> http_access allow localhost
>> http_access allow lan
>> http_access deny all
>
> Ok.
>
> Regards
> Henrik

Henrik, I understood what you said, I removed the conflicting entry, http_access allow staffgroup and yes my config has:

acl AuthUsers proxy_auth REQUIRED
http_access deny !AuthUsers

But the result was the same. The time restriction is not working.

Regards,
Avinash
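Added example (not from any poster or from the Squid project): a simplified Python model of http_access evaluation, covering Henrik's first-match point in the message above and Amos's advice in the LDAP re-challenge thread to end deny lines with `all`. The rule that a deny line whose last ACL needs a login answers with a 407 challenge instead of the 403 denied page, the function names, and the sample rule sets (constructed from the configs quoted in those two threads) are assumptions of this sketch.

```python
"""Simplified model of Squid http_access evaluation (illustration, not Squid code)."""

def parse(conf):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def decide(rules, login_acls, facts):
    """Return 'allow', '403' (denied page) or '407' (auth challenge).

    facts: set of ACL names true for this request, or None when the
    client sent no credentials. login_acls: ACLs that need a login
    (proxy_auth, or an external ACL keyed on the user name).
    """
    for action, acls in rules:
        matched = True
        for token in acls:                      # ACLs on one line are ANDed
            name = token.lstrip("!")
            if name in login_acls and facts is None:
                return "407"                    # assumption: untestable without a login
            value = name == "all" or name in (facts or ())
            if value == token.startswith("!"):  # this literal is false
                matched = False
                break
        if not matched:
            continue
        if action == "allow":                   # first matching line decides
            return "allow"
        # Assumption of this model: a deny line ending in a login ACL re-challenges.
        return "407" if acls[-1].lstrip("!") in login_acls else "403"
    # No line matched: the opposite of the last line's action applies.
    return "allow" if rules and rules[-1][0] == "deny" else "403"

def shadowed(rules):
    """Indexes of lines that can never decide: an earlier line needs a subset of their ACLs."""
    hits = []
    for i, (_, acls) in enumerate(rules):
        if any(set(prev) - {"all"} <= set(acls) for _, prev in rules[:i]):
            hits.append(i)
    return hits

# Constructed from the rule sets quoted in the two threads.
LOGIN = {"ldap-auth", "accessdenied", "accessallowed"}
ORIGINAL = parse("""
http_access deny accessdenied
http_access allow accessallowed
http_access deny all
""")
REVISED = parse("""
http_access deny accessdenied all
http_access deny !ldap-auth
http_access allow accessallowed
http_access deny all
""")
STAFF = parse("""
http_access allow staffgroup
http_access allow student staffgroup
""")

if __name__ == "__main__":
    blocked = {"ldap-auth", "accessdenied"}     # logged in, member of the deny group
    print("original:", decide(ORIGINAL, LOGIN, blocked))
    print("revised: ", decide(REVISED, LOGIN, blocked))
    print("unreachable STAFF lines:", shadowed(STAFF))
```

Running `shadowed()` over a full rule set before deploying it flags lines like the second `staffgroup` rule, which look restrictive but never take effect.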
Re: [squid-users] Good book for squid
On Thu, Sep 10, 2009 at 10:18 AM, f0...@aol.com wrote:
> Can anyone recommend me a good book for squid? I prefer more advance level. I was looking at Squid: The Definitive Guide by O'Reilly, but the date is January 2004. Is it still good? Thanks in advance.

I realized, if you installed Squid2.6stable18 on Ubuntu 8.04 Hardy, a squid.conf template is installed in /etc/squid/ and it is huge and has all the options and brief explanation!

Hope this helps
Avinash
Re: [squid-users] Good book for squid
2009/9/10 f0...@aol.com:
> Can anyone recommend me a good book for squid? I prefer more advance level. I was looking at Squid: The Definitive Guide by O'Reilly, but the date is January 2004. Is it still good?

Perhaps not. The most recent documents are in wiki.squid-cache.org