[squid-users] Squid-3.1: comm_open: socket failure: (97) Address family not supported by protocol
With squid-3.1 I'm getting this error: 2009/10/11 10:56:30| Starting Squid Cache version 3.1.0.14 for i486-pc-linux-gnu... 2009/10/11 10:56:30| Process ID 19416 2009/10/11 10:56:30| With 4096 file descriptors available 2009/10/11 10:56:30| Initializing IP Cache... 2009/10/11 10:56:30| comm_open: socket failure: (97) Address family not supported by protocol 2009/10/11 10:56:30| DNS Socket created at 0.0.0.0, FD 6 2009/10/11 10:56:30| Adding domain charite.de from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 127.0.0.1 from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 141.42.1.11 from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 141.42.2.22 from /etc/resolv.conf 2009/10/11 10:56:31| Unlinkd pipe opened on FD 11 2009/10/11 10:56:31| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2009/10/11 10:56:31| Store logging disabled 2009/10/11 10:56:31| Swap maxSize 0 + 262144 KB, estimated 20164 objects 2009/10/11 10:56:31| Target number of buckets: 1008 2009/10/11 10:56:31| Using 8192 Store buckets 2009/10/11 10:56:31| Max Mem size: 262144 KB 2009/10/11 10:56:31| Max Swap size: 0 KB 2009/10/11 10:56:31| Using Least Load store dir selection 2009/10/11 10:56:31| Current Directory is /etc/service/squid-nocache 2009/10/11 10:56:31| Loaded Icons. 2009/10/11 10:56:31| Accepting HTTP connections at 127.0.0.1:, FD 12. 2009/10/11 10:56:31| HTCP Disabled. 2009/10/11 10:56:31| Squid modules loaded: 0 2009/10/11 10:56:31| Adaptation support is off. 2009/10/11 10:56:31| Ready to serve requests. 2009/10/11 10:56:31| comm_open: socket failure: (97) Address family not supported by protocol ... Config: http_port localhost: ftp_list_width 80 request_header_max_size 15 KB request_body_max_size 750 MB half_closed_clients off forwarded_for on #acl all src 0.0.0.0/0 http_access allow all no_cache deny all snmp_port 0 icp_port 0 cache_mgr mun...@charite.de visible_hostname proxy-cvk-1-nocache.charite.de #cache_dir null /tmp icon_directory /usr/share/squid3/icons error_directory /usr/share/squid3/errors/de #logformat squidport %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt %p # cache_access_log /var/log/squid/access-nocache.log squidport cache_access_log /var/log/squid/access-nocache.log cache_log /var/log/squid/cache-nocache.log cache_store_log none pid_filename /var/run/squid-nocache.pid
RE: [squid-users] Squid.conf Question Reverse Proxy
I have added the missing allow. Here is my squid.conf. I still am getting page not found http 404. Any ideas? Thanks for the help! http_port 80 accel defaultsite=img01.cprpt.com cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2 acl all src 0.0.0.0/0.0.0.0 acl our_sites dstdomain img01.cprpt.com acl sites_server_2 dstdomain img02.cprpt.com http_access allow our_sites http_access allow sites_server_2 cache_peer_access myAccel allow our_sites cache_peer_access server_2 allow sites_server_2 cache_peer_access myAccel deny all cache_peer_access server_2 deny all visible_hostname bv-ic01 cache_dir ufs /data/spool/squid 100 16 256 cache_access_log /data/log/squid/access.log cache_log /data/log/squid/cache.log cache_store_log /data/log/squid/store.log -Original Message- From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] Sent: Friday, October 09, 2009 6:01 PM To: Jones, Keven Cc: Chris Robertson; squid-users@squid-cache.org Subject: RE: [squid-users] Squid.conf Question Reverse Proxy fre 2009-10-09 klockan 14:56 -0400 skrev Jones, Keven: I have cleaned up my squid.conf. For some reason the img02.cprpt.com url will not pull from the designated server: http_port 80 accel defaultsite=img01.cprpt.com cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2 acl all src 0.0.0.0/0.0.0.0 acl our_sites dstdomain img01.cprpt.com acl sites_server_2 dstdomain img02.cprpt.com http_access allow our_sites You are missing http_access allow sites_server_2 Regards Henrik
Re: [squid-users] Squid-3.1: comm_open: socket failure: (97) Address family not supported by protocol
* Ralf Hildebrandt ralf.hildebra...@charite.de: With squid-3.1 I'm getting this error: My other squid instance reports: 2009/10/11 11:30:57| comm_udp_sendto: FD 6, (family=10) 127.0.0.1:53: (97) Address family not supported by protocol 2009/10/11 11:30:57| idnsSendQuery: FD 6: sendto: (97) Address family not supported by protocol 2009/10/11 11:30:57| comm_udp_sendto: FD 6, (family=10) 141.42.1.11:53: (97) Address family not supported by protocol 2009/10/11 11:30:57| idnsSendQuery: FD 6: sendto: (97) Address family not supported by protocol Which seems related somehow. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: [squid-users] (mis)understanding delay pools?
On Sun, 11 Oct 2009, Amos Jeffries wrote: See http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes The YOU/ME example mistake is exactly the one you have made above. How infuriating. Thanks very much for pointing it out to me :-) Gavin
Re: [squid-users] Squid-3.1: comm_open: socket failure: (97) Address family not supported by protocol
* Ralf Hildebrandt ralf.hildebra...@charite.de: * Ralf Hildebrandt ralf.hildebra...@charite.de: With squid-3.1 I'm getting this error: My other squid instance reports: 2009/10/11 11:30:57| comm_udp_sendto: FD 6, (family=10) 127.0.0.1:53: (97) Address family not supported by protocol 2009/10/11 11:30:57| idnsSendQuery: FD 6: sendto: (97) Address family not supported by protocol 2009/10/11 11:30:57| comm_udp_sendto: FD 6, (family=10) 141.42.1.11:53: (97) Address family not supported by protocol 2009/10/11 11:30:57| idnsSendQuery: FD 6: sendto: (97) Address family not supported by protocol Which seems related somehow. My machine had no ipv6 support, the Debian package was built WITH ipv6 support - fail -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
[squid-users] acl regex not working right
Hi guys the following acl is supposed to deny access to any sites with the word warez in the URL. But it's not working. What am I doing wrong? acl warez-sites url_regex -i warez http_access deny warez-sites OS: Ubuntu 8.04 Squid: 2.6.18-1ubuntu3 Thanks Dayo
Re: [squid-users] (mis)understanding delay pools?
Hi, just a further question on this. On Sun, 11 Oct 2009, Amos Jeffries wrote: acl accommclients_old src 10.2.0.0/16 acl accommclients src 172.17.0.0/20 acl studentclients src 172.18.0.0/16 acl studentwificlients src 172.19.0.0/23 acl summerschoolclients src 172.19.4.0/24 delay_access 1 allow accommclients accommclients_old studentclients studentwificlients See http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes The YOU/ME example mistake is exactly the one you have made above. I feel pretty stupid falling on such a bog standard mistake and I'm annoyed at myself that it has been in place for some months now. It strikes me that, in this case, the mistake lead to an internally contradictory (multiple times over!!) config. It couldn't possibly have been correct. Would it be practical for squid to give a warning in this instance? I'm not saying squid should necessarily molly-coddle its users, but if it weren't difficult to do perhaps it would lead to a greater degree of people spotting their own mistakes early (before they use it for months thinking it's working or give up confused or ask the mailing list). Compilers, for example, do a certain amount of this kind of thing which often prevents bugs in code. Just looking at the FAQ page it might be nice to warn on: - An _access combination of ACLs which cannot match anything (eg colour is black and colour is white) - An _access which comes after one which is more general than it (eg allow all red colours; deny pink) - Possibly suggest use of src instead of srcdomain (though this is probably not wrong in some instances) though there are probably others. Perhaps this has been suggested before or perhaps there are good reasons not to do it? Perhaps it's already there and I haven't spotted it? Gavin
[squid-users] Re: acl regex not working right [SOLVED]
Original Message Subject:acl regex not working right Date: Sun, 11 Oct 2009 13:15:43 +0100 From: Dayo Adewunmi contactd...@gmail.com Reply-To: contactd...@gmail.com To: squid-users@squid-cache.org Hi guys the following acl is supposed to deny access to any sites with the word warez in the URL. But it's not working. What am I doing wrong? acl warez-sites url_regex -i warez http_access deny warez-sites OS: Ubuntu 8.04 Squid: 2.6.18-1ubuntu3 Thanks Dayo Hey guys, nevermind. There's nothing wrong with the ACL. It's place I put it in the config file. Order is everything with ACLs. A previous ACL had already allowed access, which is why acl warez-sites never came into play. Squid quits parsing at the first successful ACL. Best regards Dayo
Re: [squid-users] (mis)understanding delay pools?
On Sun, 11 Oct 2009 13:36:24 +0100, Gavin McCullagh gavin.mccull...@gcd.ie wrote: Hi, just a further question on this. On Sun, 11 Oct 2009, Amos Jeffries wrote: acl accommclients_old src 10.2.0.0/16 acl accommclients src 172.17.0.0/20 acl studentclients src 172.18.0.0/16 acl studentwificlients src 172.19.0.0/23 acl summerschoolclients src 172.19.4.0/24 delay_access 1 allow accommclients accommclients_old studentclients studentwificlients See http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes The YOU/ME example mistake is exactly the one you have made above. I feel pretty stupid falling on such a bog standard mistake and I'm annoyed at myself that it has been in place for some months now. It strikes me that, in this case, the mistake lead to an internally contradictory (multiple times over!!) config. It couldn't possibly have been correct. Would it be practical for squid to give a warning in this instance? I'm not saying squid should necessarily molly-coddle its users, but if it weren't difficult to do perhaps it would lead to a greater degree of people spotting their own mistakes early (before they use it for months thinking it's working or give up confused or ask the mailing list). Compilers, for example, do a certain amount of this kind of thing which often prevents bugs in code. Just looking at the FAQ page it might be nice to warn on: - An _access combination of ACLs which cannot match anything (eg colour is black and colour is white) - An _access which comes after one which is more general than it (eg allow all red colours; deny pink) - Possibly suggest use of src instead of srcdomain (though this is probably not wrong in some instances) though there are probably others. Perhaps this has been suggested before or perhaps there are good reasons not to do it? Perhaps it's already there and I haven't spotted it? Gavin The only reason its not done so far is that none has been bothered to make Squid barf on such things. It doesn't help that some people want Squid to run silently on defaults despite admin screwed configs. So squid needs to barf loudly and keep going anyway with some workaround action. I'm slowly making Squid-3 validate and complain about bad config. Any help welcome, either coding or pointers at things like this that could be checked. The bad ones that are still present are mostly comparisons of separate but linked settings (the access line ME/YOU problems is a perfect example) There is a third-party validator that will scan ACL and access lines for this type of mistake. (Sorry I've misplaced my reference link for that.) Amos
Re: [squid-users] Squid-3.1: comm_open: socket failure : (97) Address family not supported by protocol
On Sun, 11 Oct 2009 11:05:52 +0200, Ralf Hildebrandt ralf.hildebra...@charite.de wrote: With squid-3.1 I'm getting this error: 2009/10/11 10:56:30| Starting Squid Cache version 3.1.0.14 for i486-pc-linux-gnu... 2009/10/11 10:56:30| Process ID 19416 2009/10/11 10:56:30| With 4096 file descriptors available 2009/10/11 10:56:30| Initializing IP Cache... 2009/10/11 10:56:30| comm_open: socket failure: (97) Address family not supported by protocol 2009/10/11 10:56:30| DNS Socket created at 0.0.0.0, FD 6 2009/10/11 10:56:30| Adding domain charite.de from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 127.0.0.1 from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 141.42.1.11 from /etc/resolv.conf 2009/10/11 10:56:30| Adding nameserver 141.42.2.22 from /etc/resolv.conf 2009/10/11 10:56:31| Unlinkd pipe opened on FD 11 2009/10/11 10:56:31| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2009/10/11 10:56:31| Store logging disabled 2009/10/11 10:56:31| Swap maxSize 0 + 262144 KB, estimated 20164 objects 2009/10/11 10:56:31| Target number of buckets: 1008 2009/10/11 10:56:31| Using 8192 Store buckets 2009/10/11 10:56:31| Max Mem size: 262144 KB 2009/10/11 10:56:31| Max Swap size: 0 KB 2009/10/11 10:56:31| Using Least Load store dir selection 2009/10/11 10:56:31| Current Directory is /etc/service/squid-nocache 2009/10/11 10:56:31| Loaded Icons. 2009/10/11 10:56:31| Accepting HTTP connections at 127.0.0.1:, FD 12. 2009/10/11 10:56:31| HTCP Disabled. 2009/10/11 10:56:31| Squid modules loaded: 0 2009/10/11 10:56:31| Adaptation support is off. 2009/10/11 10:56:31| Ready to serve requests. 2009/10/11 10:56:31| comm_open: socket failure: (97) Address family not supported by protocol You have IPv6 disabled in your system somehow. Squid opens IPv4/IPv6 hybrid sockets to receive and send both v4 and v6 traffic in one socket for simplicity and ease of transition. If that fails like in your case it falls back to IPv4-only sockets. I recommend re-enabling IPv6 socket capability in your OS. If you have OpenBSD or MacOSX they do not support these hybrid socket features at all. I'm still working on getting support for their 'split-stack'. So they will work very slightly better for now with IPv6 disabled in Squid. Amos
[squid-users] Digest Ldap Authentication got failed for some user accounts
Dear Sir, Thanks a lot for the response. I need to resolve this problem soon, because the servers are in online. My Squid version is Squid 3.0 STABLE 15 On Sun, Oct 11, 2009 at 2:40 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote: lör 2009-10-10 klockan 20:23 +0530 skrev sankar m: I'm using digest_ldap_auth with Open Ldap combination for Digest Authentication. It works well, but some users got authentication failed. I'm able to get the valid hash from the LDAP server through the command line, Do these users have any odd characters in their password? Digest unfortunately only works reliably for us-ascii characters. We are using ASCII characters only, the password value contains only characters and numerals like de5h12, and userid contains only alphabets. I believe that the problem may be in the squid digest cache, because while authentication, there has been no transaction between squid and LDAP server. Hence, squid is referring its memory for already authenticated users. Note that I'm running the squid server for 2 days without restarting. I found something strange today. Please have a close look at this issue. My IP: 10.16.10.135 Userid: murthy Password: blahblah When I try to authenticate proxy, I'm getting a different user id in the access.log line instead of the userid murthy. proxy1:/var/log/squid# tail -f access.log|grep 10.16.10.135 1255251231.018 21 10.16.10.135 TCP_DENIED/407 3447 GET http://www.google.com/ chandar NONE/- text/html Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.14) Gecko/2009090216 Ubuntu/8.04 (hardy) Firefox/3.0.14 Why squid is referring some other account.? What could be wrong.? Is that squid memory got crashed? Kindly suggest me. Thanks and Regards, Sankar.M Note that I'm running FIVE squid servers. I successfully authenticated with 2nd proxy server using the same user account which got failed with the first proxy server. Squid returning the TCP_DENIED/407 response to the client. Same userid is working when I do restart squid (even reconfigure doesn't help), but I feel it is never be a right way. After the successful restart, some other accounts are not working. Which Squid version? My Squid version is Squid 3.0 STABLE 15 Regards Henrik
Re: [squid-users] Digest Ldap Authentication got failed for some user accounts
Dear Sir, Here are some additional details that may help. Unique authenticated users per proxy : 315 users/day Proxy utilization per day : 20 GB per day Squid Disk cache : Disabled System memory and load status: Mem: 8183880k total, 5938872k used, 2245008k free, 524284k buffers load average: 0.76, 0.65, 0.64 System Processor : Intel(R) Xeon(R) CPU 2.83GHz Quad-Core System Memory: 8 GB Please ask me for any additional information if required. Regards, Sankar.M Squid configured with, # ./configure --prefix=/usr/local/squid --localstatedir=/var/logs/squid --exec-prefix=/usr/local/squid --enable-linux-netfilter --disable-ident-lookups --with-filedescriptors=8192 --enable-snmp --enable-delay-pools --enable-cache-digests --enable-poll --enable-truncate --enable-removal-policies --enable-auth=basic digest --enable-auth-basic-helpers=squid_radius_auth --enable-digest-auth-helpers=ldap On 10/11/09, Henrik Nordstrom hen...@henriknordstrom.net wrote: lör 2009-10-10 klockan 20:23 +0530 skrev sankar m: I'm using digest_ldap_auth with Open Ldap combination for Digest Authentication. It works well, but some users got authentication failed. I'm able to get the valid hash from the LDAP server through the command line, Do these users have any odd characters in their password? Digest unfortunately only works reliably for us-ascii characters. Note that I'm running FIVE squid servers. I successfully authenticated with 2nd proxy server using the same user account which got failed with the first proxy server. Squid returning the TCP_DENIED/407 response to the client. Same userid is working when I do restart squid (even reconfigure doesn't help), but I feel it is never be a right way. After the successful restart, some other accounts are not working. Which Squid version? Regards Henrik
