[squid-users] Squid-2.6.5 SSL reverse proxy ?
Hello All,

I’m running Squid-2.6.5 as a reverse proxy compiled with SSL support, but having trouble getting SSL working. I have Squid setup to distribute requests to several backend apache and IIS servers. My config has been working fine on port 80 plain http. However I am now trying to secure one of the servers with SSL on 443.

I have read the wiki and the following example config:

http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

and have also trawled the web, without luck. One difference is I don’t have a wildcard cert, just a cert for a single address. I have installed it on both the Squid machine and the Apache machine. The apache machine serves SSL when I use a host entry, so I’m sure that it’s working.

When I use the following squid.conf (below) Squid starts without any problems and asks me for the cert's pass phrase, then when I make an SSL browser request I get connection refused? Port 80 works fine? Nothing of note in the access or cache logs?

I have tried all sorts of permutations and I'm lost! :( Any help appreciated.

Kind regards,
Stonie.

https_port 443 cert=/root/mysslsite.crt key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport
http_port 80 vhost vport
forwarded_for on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Setup for server number one and its sites
cache_peer 192.168.1.202 parent 80 0 no-query originserver name=tracServer login=PASS
acl tracSites dstdomain src..net
cache_peer_access tracServer allow tracSites
http_access allow tracSites

# Setup for server number two and its sites
cache_peer 192.168.1.201 parent 80 0 no-query originserver name=MS08-Web login=PASS
acl MS08-WebSites dstdomain www..com
cache_peer_access MS08-Web allow MS08-WebSites
http_access allow MS08-WebSites

# Setup for server number three and its sites
cache_peer 192.168.1.206 parent 80 0 no-query originserver name=JoomlaServer login=PASS
cache_peer 192.168.1.206 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=JoomlaServerSSL
acl JoomlaSites dstdomain www.mysslsite.com.au
cache_peer_access JoomlaServer allow JoomlaSites
cache_peer_access JoomlaServerSSL allow JoomlaSites
http_access allow JoomlaSites

# standard security stuff squid
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all

# HTTP Extensions for Subversion
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
Re: [squid-users] High CPU Utilization
Ross Kovelman wrote:

From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 18:14:33 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] High CPU Utilization

Ross Kovelman wrote:

Any reason why I would have high CPU utilization, avg around 90%? I did build it for PPC although I do have a large dstdomain list which contains URL's that are not allowed on the network. It is a Mac G4 dual 1.33. This is with no load, or I should say no users on the network. Thanks

Could be a few things:

* bug 2541 (except latest 3.0 and 3.1 releases)
* lots of regex patterns
* garbage collection of the various caches
* UFS storage system catching up after a period of load
* memory swapping
* RAID
* ... any combination of the above.

If you have the strace tool available you can look inside Squid and see. Or use squid -k debug to toggle full debug on/off for a short period and troll the cache.log afterwards.

Amos, I am not using a raid, although my single drive performance might be slow? Will need to check on the i/o. When I do run squid or make any changes to the config I do get a lot of:

2009/10/16 14:44:08| WARNING: You should probably remove 'xxx.com' from the ACL named 'bad_url'
2009/10/16 14:44:08| WARNING: 'xxx.com' is a subdomain of 'xxx.com'
2009/10/16 14:44:08| WARNING: because of this 'xxx.com' is ignored to keep splay tree searching predictable
2009/10/16 14:44:08| WARNING: You should probably remove 'xxx.com' from the ACL named 'bad_url'

Would this by chance do it? There are about 22,000 sites in the bad_url file.

I don't think so. Those warnings are produced by Squid as it prunes them out of the ACL by itself. You can get rid of the duplicates and sub-domains manually to reduce the warnings.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14
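An added example, not part of the original thread: one way to do the manual clean-up of a large dstdomain blocklist such as the bad_url file, removing duplicates and entries already covered by a leading-dot parent. It assumes the usual dstdomain rule that ".d" matches d and all its sub-domains while "d" matches only d; the function names and the sample entries are constructed for illustration, and `blocks()` is there to confirm the pruned list still blocks exactly the same hosts.

```python
"""Prune a Squid dstdomain list without changing which hosts it matches."""
import sys

# Constructed sample input (reserved .example names), not data from the thread.
SAMPLE = [
    ".ads.example",
    "www.ads.example",      # covered by .ads.example
    "ads.example",          # covered by .ads.example
    "Tracker.example",
    "tracker.example",      # duplicate once case is folded
    ".cdn.ads.example",     # covered by .ads.example
    "good.example.org",
    "# comment line",
    "",
    ".ads.example",         # exact duplicate
]


def normalise(raw):
    """Strip comments and whitespace, lower-case, drop a trailing root dot."""
    return raw.split("#", 1)[0].strip().lower().rstrip(".")


def blocks(entries, host):
    """Assumed dstdomain rule: '.d' matches d and sub-domains, 'd' matches d only."""
    host = host.lower().rstrip(".")
    for entry in map(normalise, entries):
        if not entry:
            continue
        name = entry.lstrip(".")
        if host == name or (entry.startswith(".") and host.endswith("." + name)):
            return True
    return False


def prune_dstdomain(lines):
    """Return (kept, dropped); dropped is a list of (entry, reason) tuples."""
    exact, wildcard = set(), set()   # wildcard names are stored without the dot
    order, dropped = [], []

    # Pass 1: fold case, skip blanks/comments, remove literal duplicates.
    for raw in lines:
        entry = normalise(raw)
        if not entry:
            continue
        seen = wildcard if entry.startswith(".") else exact
        name = entry.lstrip(".")
        if name in seen:
            dropped.append((entry, "duplicate"))
            continue
        seen.add(name)
        order.append(entry)

    # Pass 2: drop anything a wildcard parent already matches. A wildcard is
    # only compared against strictly shorter suffixes, so it never removes
    # itself, and a wildcard is never replaced by a narrower exact entry.
    kept = []
    for entry in order:
        labels = entry.lstrip(".").split(".")
        start = 1 if entry.startswith(".") else 0
        parent = next(
            (".".join(labels[i:]) for i in range(start, len(labels))
             if ".".join(labels[i:]) in wildcard),
            None,
        )
        if parent is None:
            kept.append(entry)
        else:
            dropped.append((entry, "covered by ." + parent))
    return kept, dropped


if __name__ == "__main__":
    # Usage: python prune_dstdomain.py bad_url > bad_url.pruned
    with open(sys.argv[1], encoding="utf-8") as handle:
        kept_entries, dropped_entries = prune_dstdomain(handle)
    for item, reason in dropped_entries:
        print(f"dropped {item}: {reason}", file=sys.stderr)
    print("\n".join(kept_entries))
```

Before swapping the pruned file in, compare `blocks()` on the old and new lists for a sample of hosts taken from access.log, so a pruning mistake cannot silently unblock a site.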
[squid-users] squid centralized log
Hello all, I have 4 different squid servers (three running squid-2.7.STABLE7 and one squid-3.0.STABLE16) working on different subnets, and I'd like to centralize their access.log entries to a remote log server. I've read somewhere that using the syslog facility with huge amounts of traffic causes log to be incomplete on the centralized log server. So, please, can someone out there point me to a good and reliable solution? I've found something about mysql, but not so sure the bandwidth consumption would benefit.. Thanks in advance, Marcos (sorry for my english :)
[squid-users] Squid Logs
Hello,

I have configured named on the machine running squid to retrieve the forward and reverse zones from my DNS server (windows). I also have squid configured to log the fqdn (log_fqdn on). I have also tried playing around with the dns_nameservers option, but I'm still getting IPs in my log files. Is there a way to only log the fqdn, do I need to change the dns expiry settings to less than one day? Please help.

Nadeem.
Re: Res: [squid-users] Squid 3.0STABLE19 - performance
On 16.10.09 12:33, Marcos wrote:

i think that you should:
- at least double ram memory of your server to handle the amount of connections.
- increase cache_mem parameter
- look at squid's logs
- look at sysctl parameters of your S.O.

I think that he should first change from 'ufs' cache_dir type to 'aufs' or 'diskd' and also use separate drive for the cache (either new one or move system logs and everything but the cache to new disk).

The filesystem information is this:

Filesystem  1K-blocks     Used  Available Use% Mounted on
/dev/sda2     5080828  4252116     566452  89% /
/dev/sda5   141129204  2496448  131348084   2% /var
/dev/sda1      101086    11303      84564  12% /boot
tmpfs         1031764        0    1031764   0% /dev/shm

The top output

top - 09:50:08 up 3 days, 17:07, 1 user, load average: 0.09, 0.06, 0.01
Tasks: 88 total, 1 running, 87 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.5%us, 0.5%sy, 0.0%ni, 98.5%id, 0.0%wa, 0.2%hi, 0.3%si, 0.0%st
Mem: 2063532k total, 2001504k used, 62028k free, 199476k buffers
Swap: 5245212k total, 0k used, 5245212k free, 1415224k cached

according to this, he has still much of RAM unused by squid (use as system cache is not an error!)

acl mynet src /etc/squid/mynet ## allow over 400 Ips

Maybe you should specify CIDR ranges instead of IPs ?

memory_replacement_policy lru
cache_replacement_policy lru

heap policies (even heap lru) are much faster here.

cache_dir ufs /var/spool/squid/cache 8 16 256 IOEngine=Blocking
maximum_object_size 4194304 bytes

putting 4 MB would be much more readable here

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
If Barbie is so popular, why do you have to buy her friends?
[squid-users] Squid Reverse Proxy help
Need help with finalizing my config. This config is not working for the 2nd server. Can anyone see what I'm missing or have configured incorrectly? img01.cprpt.com is caching but img02.cprpt.com will not. I had originally forgotten the 2nd cache_peer_access server_2 allow sites_server2 but this has been added and still not working.

This url should work as the images and directories exist:

http://img02.cprpt.com/img/bvt/10002/ncrLogo_100909.gif

Thanks for looking at this for me!

---
Squid.conf:

http_port 80 accel defaultsite=img01.cprpt.com
cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain img01.cprpt.com
acl sites_server_2 dstdomain img02.cprpt.com
http_access allow our_sites
http_access allow sites_server_2
cache_peer_access myAccel allow our_sites
cache_peer_access server_2 allow sites_server_2
cache_peer_access myAccel deny all
cache_peer_access server_2 deny all
visible_hostname bv-ic01
cache_dir ufs /data/spool/squid 100 16 256
cache_access_log /data/log/squid/access.log
cache_log /data/log/squid/cache.log
cache_store_log /data/log/squid/store.log
[squid-users] Squid not caching some sites
My squid web cache proxy server is not caching sites such as...

http://www.netsmartz.org/resources/reallife.htm
http://www.netsmartz.org/stories/canttake.htm
http://www.nsteens.org/videos/social-networking/

These sites contain video that, when played, are choppy and cut out. I'm certain that these videos aren't getting cached. And this is kind of the point to the whole web cache project. I need for teachers to be able to cache these kinds of things, so when the students try to access them they play quicker and more smooth.

How do I convince squid to cache these? Here is my current squid.conf

http_port 3128
acl QUERY urlpath_regex cgi-bin \?
cache_mem 512 MB # May need to set lower if I run low on RAM
maximum_object_size_in_memory 2048 KB # May need to set lower if I run low on RAM
maximum_object_size 1 GB
cache_dir aufs /cache 50 256 256
redirect_rewrites_host_header off
cache_replacement_policy lru
acl all src all
acl localnet src 10.80.0.0/255.255.0.0
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl SSL_Ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_port 0
refresh_pattern \.jpg$ 3600 50% 60
refresh_pattern \.gif$ 3600 50% 60
refresh_pattern \.css$ 3600 50% 60
refresh_pattern \.js$ 3600 50% 60
refresh_pattern \.html$ 300 50% 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
visible_hostname AMSPX01

--
View this message in context: http://www.nabble.com/Squid-not-caching-some-sites-tp25962650p25962650.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] How To Allow Different Sites at Different Times
Mon 2009-10-19 at 14:44 +1300, Amos Jeffries wrote:

http_access allow timothy timothys_schooltime whitelist_sos
http_access deny timothy all

The final line there does not permit Squid to challenge for authentication. I assume you have some other way to make the browser send it later on?

Amos, Squid challenges on the first auth related ACL encountered in http_access processing.

What the above configuration does not do is to rechallenge to allow timothy, once authenticated, to try to log in as someone else when trying to access something timothy is not allowed to access.

Regards
Henrik
Re: [squid-users] squid centralized log
anti spamЯ wrote:

Hello all, I have 4 different squid servers (three running squid-2.7.STABLE7 and one squid-3.0.STABLE16) working on different subnets, and I'd like to centralize their access.log entries to a remote log server. I've read somewhere that using the syslog facility with huge amounts of traffic causes log to be incomplete on the centralized log server. So, please, can someone out there point me to a good and reliable solution? I've found something about mysql, but not so sure the bandwidth consumption would benefit..

do you need logs in realtime on the centralized server ??? i ask that because most people need logs for some scheduled log processing, like once a day or once a week. For those, some log rotation procedure and some rsync, correctly timed, would be enough to get logs to some centralized server and, after that, do the log analyzing. Just do the rotation and syncing before the log analyzing schedule runs and you should be OK.

if you need them in realtime, then you'll have to look at syslog/mysql or some related subject, on which i can't give any kind of advice because i've never used that. but log rotation/rsyncing works just fine, i use that in lots of situations.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
gertru...@solutti.com.br
My SPAMTRAP, do not email it
Re: [squid-users] High CPU Utilization
From: Amos Jeffries squ...@treenet.co.nz
Date: Tue, 20 Oct 2009 00:14:58 +1300
To: Ross Kovelman rkovel...@gruskingroup.com
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] High CPU Utilization

Ross Kovelman wrote:

From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 18:14:33 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] High CPU Utilization

Ross Kovelman wrote:

Any reason why I would have high CPU utilization, avg around 90%? I did build it for PPC although I do have a large dstdomain list which contains URL's that are not allowed on the network. It is a Mac G4 dual 1.33. This is with no load, or I should say no users on the network. Thanks

Could be a few things:

* bug 2541 (except latest 3.0 and 3.1 releases)
* lots of regex patterns
* garbage collection of the various caches
* UFS storage system catching up after a period of load
* memory swapping
* RAID
* ... any combination of the above.

If you have the strace tool available you can look inside Squid and see. Or use squid -k debug to toggle full debug on/off for a short period and troll the cache.log afterwards.

Amos, I am not using a raid, although my single drive performance might be slow? Will need to check on the i/o. When I do run squid or make any changes to the config I do get a lot of:

2009/10/16 14:44:08| WARNING: You should probably remove 'xxx.com' from the ACL named 'bad_url'
2009/10/16 14:44:08| WARNING: 'xxx.com' is a subdomain of 'xxx.com'
2009/10/16 14:44:08| WARNING: because of this 'xxx.com' is ignored to keep splay tree searching predictable
2009/10/16 14:44:08| WARNING: You should probably remove 'xxx.com' from the ACL named 'bad_url'

Would this by chance do it? There are about 22,000 sites in the bad_url file.

I don't think so. Those warnings are produced by Squid as it prunes them out of the ACL by itself. You can get rid of the duplicates and sub-domains manually to reduce the warnings.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14

Amos, Looked to be a permission issue as Squid would crash and restart. Thanks
Re: [squid-users] WCCP
From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 17:05:15 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

Ross Kovelman wrote:

From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 14:32:17 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

Ross Kovelman wrote:

I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need patch.

There is zero need to patch for support WCCPv2. It's been built into Squid for many years now. Run ./configure --help.

* If it lists --disable-wccpv2 there is no need to do anything.
* If it lists --enable-wccpv2 , add that to your build options.
* If it does not mention wccpv2 at all upgrade your Squid version.

Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14

Amos, Thanks again. Running the ./configure --help only says this:

--disable-wccp Disable Web Cache Coordination V1 Protocol
--disable-wccpv2 Disable Web Cache Coordination V2 Protocol

When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

I am running Squid Web Proxy 2.7.STABLE5.

Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.

The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either. If that's not working it's a config error somewhere.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14

Amos, I am getting this in my cache log:

Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists

As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this. Below is my lines in config

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1
Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Mon 2009-10-19 at 20:33 +1100, Stonie wrote:

https_port 443 cert=/root/mysslsite.crt key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport

That should probably be

https_port you.external.ip:443
Re: [squid-users] squid centralized log
Mon 2009-10-19 at 14:26 +0200, anti spamЯ wrote:

I have 4 different squid servers (three running squid-2.7.STABLE7 and one squid-3.0.STABLE16) working on different subnets, and I'd like to centralize their access.log entries to a remote log server.

My recommendation would be to log to file, rotate the logs fairly frequently (number of times a day) using logrotate with timestamped logs (using date + time, not numbered), and poll the logs with rsync over ssh to the central location.

This way the proxy servers' operation is fully independent of the log server, and you won't lose any log records unless the log server is down for longer than the interval kept locally on the proxy servers by logrotate.

I've read somewhere that using the syslog facility with huge amounts of traffic causes log to be incomplete on the centralized log server.

Yes, at least for syslog-over-UDP communication which is the default syslog network protocol. syslog-ng and some other syslog servers can also log over TCP which is not as sensitive, but it's still a little fragile as syslog is only best-effort and does not keep track of what log entries have actually reached the central server, so if there is even a temporary communication glitch then log entries will be lost.

Regards
Henrik
Re: [squid-users] Squid Logs
Mon 2009-10-19 at 06:24 -0700, Nadeem Semaan wrote:

I have configured named on the machine running squid to retrieve the forward and reverse zones from my DNS server (windows). I also have squid configured to log the fqdn (log_fqdn on). I have also tried playing around with the dns_nameservers option, but I'm still getting IPs in my log files. Is there a way to only log the fqdn, do I need to change the dns expiry settings to less than one day? Please help.

If log_fqdn is on then Squid will log the host name, provided the DNS server responds in a reasonable time.

Can you resolve the IP addresses from the Squid server?

dig -x ip.of.client.station

or alternatively

dig -x ip.of.client.station @selected.nameserver.address

Regards
Henrik
Re: [squid-users] WCCP
From: Ross Kovelman rkovel...@gruskingroup.com
Date: Mon, 19 Oct 2009 14:21:44 -0400
To: Amos Jeffries squ...@treenet.co.nz
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 17:05:15 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

Ross Kovelman wrote:

From: Amos Jeffries squ...@treenet.co.nz
Date: Mon, 19 Oct 2009 14:32:17 +1300
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

Ross Kovelman wrote:

I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need patch.

There is zero need to patch for support WCCPv2. It's been built into Squid for many years now. Run ./configure --help.

* If it lists --disable-wccpv2 there is no need to do anything.
* If it lists --enable-wccpv2 , add that to your build options.
* If it does not mention wccpv2 at all upgrade your Squid version.

Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14

Amos, Thanks again. Running the ./configure --help only says this:

--disable-wccp Disable Web Cache Coordination V1 Protocol
--disable-wccpv2 Disable Web Cache Coordination V2 Protocol

When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

I am running Squid Web Proxy 2.7.STABLE5.

Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.

The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either. If that's not working it's a config error somewhere.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14

Amos, I am getting this in my cache log:

Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists

As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this. Below is my lines in config

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

Issue now is

Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 21.
Accepting transparently proxied HTTP connections at 0.0.0.0, port 80, FD 22.
Accepting ICP messages at 0.0.0.0, port 3130, FD 23.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 24.
Initialising all WCCPv2 lists
Ready to serve requests.

Why would it be disabled? Or is it not? Thanks
Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Thanks for the reply Henrik,

I still have the same symptoms with those settings. I have tried both:

https_port my.external.ip:443

https_port my.external.ip:443 cert=/root/mysslsite.crt key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport

The first fails with a can't find cert on startup, and the second has the same symptoms as with my original config. Any ideas?

Cheers,
Stonie.

On Tue, Oct 20, 2009 at 5:40 AM, Henrik Nordstrom hen...@henriknordstrom.net wrote:

Mon 2009-10-19 at 20:33 +1100, Stonie wrote:

https_port 443 cert=/root/mysslsite.crt key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport

That should probably be

https_port you.external.ip:443

--
Interested in purchasing Australian produced carbon offsets? Visit www.fairgocarbon.com.au
Please consider the environment before printing this email.
Re: [squid-users] WCCP
On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:

From: Amos Jeffries

Ross Kovelman wrote:

From: Amos Jeffries:

Ross Kovelman wrote:

I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need patch.

There is zero need to patch for support WCCPv2. It's been built into Squid for many years now. Run ./configure --help.

* If it lists --disable-wccpv2 there is no need to do anything.
* If it lists --enable-wccpv2 , add that to your build options.
* If it does not mention wccpv2 at all upgrade your Squid version.

Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Thanks again. Running the ./configure --help only says this:

--disable-wccp Disable Web Cache Coordination V1 Protocol
--disable-wccpv2 Disable Web Cache Coordination V2 Protocol

When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

I am running Squid Web Proxy 2.7.STABLE5.

Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.

The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either. If that's not working it's a config error somewhere.

I am getting this in my cache log:

Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use

http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use

I would suspect this as part of the problem. The WCCP router will be trying to contact whatever software is already running on port 3128, not the Squid you are starting with WCCP config.

Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists

As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this. Below is my lines in config

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

The above are only the config of how squid sends packets to the Cisco. WCCP requires configuration of the Cisco, the squid box OS and firewall, and routing tables. Any one of which could be the problem.

The tutorials and troubleshooting info we have at present is a little spread out and disjointed. What how-to are you working from?

Amos
Re: [squid-users] WCCP
From: Amos Jeffries squ...@treenet.co.nz
Date: Tue, 20 Oct 2009 11:04:42 +1300
To: Ross Kovelman rkovel...@gruskingroup.com
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:

From: Amos Jeffries

Ross Kovelman wrote:

From: Amos Jeffries:

Ross Kovelman wrote:

I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need patch.

There is zero need to patch for support WCCPv2. It's been built into Squid for many years now. Run ./configure --help.

* If it lists --disable-wccpv2 there is no need to do anything.
* If it lists --enable-wccpv2 , add that to your build options.
* If it does not mention wccpv2 at all upgrade your Squid version.

Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Thanks again. Running the ./configure --help only says this:

--disable-wccp Disable Web Cache Coordination V1 Protocol
--disable-wccpv2 Disable Web Cache Coordination V2 Protocol

When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

I am running Squid Web Proxy 2.7.STABLE5.

Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.

The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either. If that's not working it's a config error somewhere.

I am getting this in my cache log:

Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use

http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use

I would suspect this as part of the problem. The WCCP router will be trying to contact whatever software is already running on port 3128, not the Squid you are starting with WCCP config.

Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists

As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this. Below is my lines in config

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

The above are only the config of how squid sends packets to the Cisco. WCCP requires configuration of the Cisco, the squid box OS and firewall, and routing tables. Any one of which could be the problem.

The tutorials and troubleshooting info we have at present is a little spread out and disjointed. What how-to are you working from?

Amos

Amos, I just did a TCP dump and I think my problem is the GRE packet. It is being listed I think as unknown. Shouldn't squid be able to pick the packet up and open it? The Cisco sees squid and relays the information good but it is stopping at the squid box. Any ideas? I am just google'ing around no set how to. Thanks
Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Tue 2009-10-20 at 07:45 +1100, Stonie wrote:

Thanks for the reply Henrik, Still the same symptoms with those settings. I have tried both

https_port my.external.ip:443

https_port my.external.ip:443 cert=/root/mysslsite.crt key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport

I meant the second (hence the dots).

the first fails with a can't find cert on startup, and the second has the same symptoms as with my original config.

And no significant errors logged at startup or in cache.log?

Regards
Henrik
Re: [squid-users] WCCP
On Mon, 19 Oct 2009 18:26:18 -0400, Ross Kovelman rkovel...@gruskingroup.com wrote:

From: Amos Jeffries squ...@treenet.co.nz
Date: Tue, 20 Oct 2009 11:04:42 +1300
To: Ross Kovelman rkovel...@gruskingroup.com
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

On Mon, 19 Oct 2009 14:21:44 -0400, Ross Kovelman wrote:

From: Amos Jeffries

Ross Kovelman wrote:

From: Amos Jeffries:

Ross Kovelman wrote:

I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need patch.

There is zero need to patch for support WCCPv2. It's been built into Squid for many years now.

Run ./configure --help.
* If it lists --disable-wccpv2 there is no need to do anything.
* If it lists --enable-wccpv2, add that to your build options.
* If it does not mention wccpv2 at all upgrade your Squid version.

Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Thanks again. Running the ./configure --help only says this:

--disable-wccp Disable Web Cache Coordination V1 Protocol
--disable-wccpv2 Disable Web Cache Coordination V2 Protocol

When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter? I also have this in the config:

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

I am running Squid Web Proxy 2.7.STABLE5.

Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.

The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either.

If that's not working it's a config error somewhere.

I am getting this in my cache log:

Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use

http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use

I would suspect this as part of the problem. The WCCP router will be trying to contact whatever software is already running on port 3128, not the Squid you are starting with WCCP config.

Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.

To answer your earlier question: the above two lines means WCCPv1 is disabled, WCCPv2 is being used.

Initialising all WCCPv2 lists

As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this. Below is my lines in config

wccp2_router 192.168.16.1
wccp2_forwarding_method 1
wccp2_return_method 1

The above are only the config of how squid sends packets to the Cisco. WCCP requires configuration Cisco, the squid box OS and firewall, and routing tables. Any one of which could be the problem.

The tutorials and troubleshooting info we have at present is a little spread out and disjointed. What how-to are you working from?

Amos

Amos, I just did a TCP dump and I think my problem is the GRE packet. It is being listed I think as unknown. Shouldn't squid be able to pick the packet up and open it? The Cisco sees squid and relays the information good but it is stopping at the squid box. Any ideas? I am just google'ing around no set how to.

Okay. I've polished up our exemplar configs a little: http://wiki.squid-cache.org/Features/Wccp2 (some way to go though).

There are four parts to WCCP systems:
1) WCCP capture and redirect
2) gre tunnel between the Cisco and Squid boxes
3) squid box firewall settings and NAT capture of received gre packets http://wiki.squid-cache.org/ConfigExamples/Intercept#Traffic_Interception_capture_into_Squid
4) squid.conf settings to make Squid contact the cisco router

Amos
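The startup lines quoted in this thread can be triaged mechanically. The following is an added example, not part of the thread and not Squid project code: it reads the cache.log lines posted above and reports failed binds and the WCCP version state. The function and field names are hypothetical, and it assumes Squid logs an "Accepting ..." line only after that listener was bound successfully.

```python
import re

# Startup lines exactly as quoted in the thread (Squid 2.7.STABLE5 cache.log).
CACHE_LOG = """\
Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use
Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
WCCP Disabled.
Accepting WCCPv2 messages on port 2048, FD 23.
Initialising all WCCPv2 lists
"""

LISTEN_OK = re.compile(
    r"Accepting (?:proxy HTTP connections|ICP messages) at \S+, port (\d+), FD (\d+)")
BIND_FAIL = re.compile(
    r"commBind: Cannot bind socket FD (\d+) to (\S+):(\d+): \((\d+)\) (.+)")
WCCP2_OK = re.compile(r"Accepting WCCPv2 messages on port (\d+), FD (\d+)")


def triage(log_text):
    """Return listeners, failed binds and WCCP state found in startup lines."""
    listeners = {}            # port -> FD of a listener opened successfully
    conflicts = []            # one dict per failed bind
    wccp_v1_disabled = False
    wccp_v2_port = None
    for line in log_text.splitlines():
        line = line.strip()
        ok = LISTEN_OK.search(line)
        fail = BIND_FAIL.search(line)
        v2 = WCCP2_OK.search(line)
        if ok:
            listeners[int(ok.group(1))] = int(ok.group(2))
        elif fail:
            conflicts.append({"fd": int(fail.group(1)), "addr": fail.group(2),
                              "port": int(fail.group(3)),
                              "errno": int(fail.group(4)),
                              "error": fail.group(5)})
        elif line == "WCCP Disabled.":
            wccp_v1_disabled = True   # this message refers to WCCP version 1
        elif v2:
            wccp_v2_port = int(v2.group(1))
    # Assumption: "Accepting ..." is printed only after bind/listen succeeded,
    # so a failed bind on a port that also has a listener suggests the same
    # startup tried to open that port twice.
    for c in conflicts:
        c["same_startup_listener_fd"] = listeners.get(c["port"])
    return {"listeners": listeners, "bind_conflicts": conflicts,
            "wccp_v1_disabled": wccp_v1_disabled, "wccp_v2_port": wccp_v2_port}


def summarize(report):
    """Turn a triage() report into one human-readable line per finding."""
    out = []
    for c in report["bind_conflicts"]:
        msg = f"port {c['port']}: bind failed, errno {c['errno']} ({c['error']})"
        fd = c["same_startup_listener_fd"]
        if fd is not None:
            msg += f"; this startup already listens there on FD {fd}"
        else:
            msg += "; no listener logged by this startup"
        out.append(msg)
    if report["wccp_v2_port"] is not None:
        v1 = "disabled" if report["wccp_v1_disabled"] else "state not logged"
        out.append(f"WCCPv2 active on port {report['wccp_v2_port']}; WCCPv1 {v1}")
    return out


if __name__ == "__main__":
    for finding in summarize(triage(CACHE_LOG)):
        print(finding)
```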
Re: [squid-users] Squid not caching some sites
On Mon, 19 Oct 2009 10:51:03 -0700 (PDT), ant2ne tcy...@altonschools.org wrote:

My squid web cache proxy server is not caching sites such as...

http://www.netsmartz.org/resources/reallife.htm
http://www.netsmartz.org/stories/canttake.htm
http://www.nsteens.org/videos/social-networking/

These sites contain video that, when played, are choppy and cut out. I'm certain that these videos aren't getting cached. And this is kind of the point to the whole web cache project. I need for teachers to be able to cache these kinds of things, so when the students try to access them they play quicker and more smooth.

How do I convince squid to cache these?

Depends on why. Enter the page URLs at www.redbot.org to get a report about the page (the check links sub-report will cover details of the embedded videos, images etc)

Here is my current squid.conf

http_port 3128
acl QUERY urlpath_regex cgi-bin \?

Delete the above line.

cache_mem 512 MB # May need to set lower if I run low on RAM
maximum_object_size_in_memory 2048 KB

The above will kill any videos 2MB as they are forced to storage on disk before sending to the browsers.

# May need to set lower if I run low on RAM
maximum_object_size 1 GB
cache_dir aufs /cache 50 256 256
redirect_rewrites_host_header off
cache_replacement_policy lru
acl all src all
acl localnet src 10.80.0.0/255.255.0.0

or in CIDR...

acl localnet src 10.80.0.0/16

acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl SSL_Ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_port 0
refresh_pattern \.jpg$ 3600 50% 60
refresh_pattern \.gif$ 3600 50% 60
refresh_pattern \.css$ 3600 50% 60
refresh_pattern \.js$ 3600 50% 60
refresh_pattern \.html$ 300 50% 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
visible_hostname AMSPX01

Amos
Re: [squid-users] Squid Reverse Proxy help
On Mon, 19 Oct 2009 11:23:58 -0400, Jones, Keven keven.jo...@ncr.com wrote:

Need help with finalizing my config. This config is not working for the 2nd server. Can anyone see what I'm missing or have configured incorrectly. img01.cprpt.com is caching but img02.cprpt.com will not. I had originally forgotten the 2nd cache_peer_access server_2 allow sites_server2 but this has been added and still not working.

This url should work as the images and directories exist: http://img02.cprpt.com/img/bvt/10002/ncrLogo_100909.gif

Thanks for looking at this for me!

---
Squid.conf:

http_port 80 accel defaultsite=img01.cprpt.com

For multiple domains (virtual hosting) the vhost option is required here. Without it squid will assume everything is under the defaultsite.

cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain img01.cprpt.com
acl sites_server_2 dstdomain img02.cprpt.com
http_access allow our_sites
http_access allow sites_server_2
cache_peer_access myAccel allow our_sites
cache_peer_access server_2 allow sites_server_2
cache_peer_access myAccel deny all
cache_peer_access server_2 deny all
visible_hostname bv-ic01
cache_dir ufs /data/spool/squid 100 16 256
cache_access_log /data/log/squid/access.log
cache_log /data/log/squid/cache.log
cache_store_log /data/log/squid/store.log
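The vhost point made in the reply above can be checked before a config is deployed. The following linter is an added example, not part of the thread and not Squid project code; its function names and finding labels are hypothetical. It goes slightly beyond the reply by also flagging ACL and peer names that are referenced but never defined.

```python
# squid.conf as posted in the message above (cache_dir and log lines omitted).
POSTED_CONF = """\
http_port 80 accel defaultsite=img01.cprpt.com
cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain img01.cprpt.com
acl sites_server_2 dstdomain img02.cprpt.com
http_access allow our_sites
http_access allow sites_server_2
cache_peer_access myAccel allow our_sites
cache_peer_access server_2 allow sites_server_2
cache_peer_access myAccel deny all
cache_peer_access server_2 deny all
"""


def parse(conf_text):
    """Collect the directives that decide reverse-proxy routing."""
    conf = {"ports": [], "acls": {}, "peers": set(),
            "peer_access": [], "http_access": []}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if not words:
            continue
        name, args = words[0], words[1:]
        if name in ("http_port", "https_port") and args:
            conf["ports"].append((lineno, name, args[0], args[1:]))
        elif name == "acl" and len(args) >= 2:
            acl = conf["acls"].setdefault(args[0], {"type": args[1], "values": []})
            acl["values"].extend(args[2:])
        elif name == "cache_peer" and args:
            # A peer is addressed by name= when given, else by its host.
            label = next((a[5:] for a in args if a.startswith("name=")), args[0])
            conf["peers"].add(label)
        elif name == "cache_peer_access" and len(args) >= 3:
            conf["peer_access"].append((lineno, args[0], args[1], args[2:]))
        elif name == "http_access" and len(args) >= 2:
            conf["http_access"].append((lineno, args[0], args[1:]))
    return conf


def lint(conf_text):
    """Return (kind, line number, detail) tuples for routing problems."""
    conf = parse(conf_text)
    findings = []
    routed = set()        # domains that some cache_peer_access rule allows
    for lineno, peer, action, refs in conf["peer_access"]:
        if peer not in conf["peers"]:
            findings.append(("unknown-peer", lineno, peer))
        for ref in refs:
            acl = conf["acls"].get(ref.lstrip("!"))
            if acl is None:
                findings.append(("undefined-acl", lineno, ref.lstrip("!")))
            elif (action == "allow" and acl["type"] == "dstdomain"
                  and not ref.startswith("!")):
                routed.update(v.lower() for v in acl["values"])
    for lineno, _action, refs in conf["http_access"]:
        for ref in refs:
            if ref.lstrip("!") not in conf["acls"]:
                findings.append(("undefined-acl", lineno, ref.lstrip("!")))
    # Several routed domains on a port that only has defaultsite= means every
    # request is treated as the default site, as the reply above explains.
    for lineno, directive, port, opts in conf["ports"]:
        has_default = any(o.startswith("defaultsite=") for o in opts)
        if has_default and "vhost" not in opts and len(routed) > 1:
            findings.append(("vhost-missing", lineno, f"{directive} {port}"))
    return findings


if __name__ == "__main__":
    for kind, lineno, detail in lint(POSTED_CONF):
        print(f"line {lineno}: {kind}: {detail}")
```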
Re: [squid-users] WCCP
From: Amos Jeffries squ...@treenet.co.nz
Date: Tue, 20 Oct 2009 12:40:02 +1300
To: Ross Kovelman rkovel...@gruskingroup.com
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

Okay. I've polished up our exemplar configs a little: http://wiki.squid-cache.org/Features/Wccp2 (some way to go though).

There are four parts to WCCP systems:
1) WCCP capture and redirect
2) gre tunnel between the Cisco and Squid boxes
3) squid box firewall settings and NAT capture of received gre packets http://wiki.squid-cache.org/ConfigExamples/Intercept#Traffic_Interception_capture_into_Squid
4) squid.conf settings to make Squid contact the cisco router

Amos

From what I have read and what you show only for the PIX and ASA should be the same. The Pix is actually correct for the ASA, although that is what Cisco told me to do.

As far as:
wccp2_router - My cisco router address
wccp2_forwarding_method - I took this out of my config as GRE is default
wccp2_return_method
Re: [squid-users] WCCP
On Mon, 19 Oct 2009 20:06:55 -0400, Ross Kovelman rkovel...@gruskingroup.com wrote:

From what I have read and what you show only for the PIX and ASA should be the same. The Pix is actually correct for the ASA, although that is what Cisco told me to do.

As far as:
wccp2_router - My cisco router address
[squid-users] Compiling squid 3.0 on AIX
Hi,

I'm trying to build squid 3.0 on AIX 5.3 using GCC 4.3.1. It appears to forget to build many files. One example is src/cbdata.o

My link fails with:

g++ -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -g -o cf_gen cf_gen.o debug.o time.o globals.o ./.libs/libsquid.a ./.libs/libauth.a -L/usr/local/lib -lstdc++ -L/usr/local/build/squid-3.0.STABLE19/lib -lmiscutil -lm -lbind -lnsl -Wl,-blibpath:/usr/local/lib:/usr/local/lib/gcc/powerpc-ibm-aix5.3.0.0/4.3.1:/usr/local/lib/gcc/powerpc-ibm-aix5.3.0.0/4.3.1/../../..:/usr/lib:/lib
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalLock(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalUnlock(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalFree(void*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataReferenceValid(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalAddType(cbdata_type, char const*, int, void (*) (void*))
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalAlloc(cbdata_type)
ld: 0711-317 ERROR: Undefined symbol: .eventAdd(char const*, void (*) (void*), void*, double, int, bool)
ld: 0711-317 ERROR: Undefined symbol: .commSetSelect
ld: 0711-317 ERROR: Undefined symbol: .fd_close
ld: 0711-317 ERROR: Undefined symbol: .fd_open
ld: 0711-317 ERROR: Undefined symbol: .ipcache_nbgethostbyname
ld: 0711-317 ERROR: Undefined symbol: .dlinkDelete
ld: 0711-317 ERROR: Undefined symbol: .dlinkAddTail
ld: 0711-317 ERROR: Undefined symbol: .fatalf
ld: 0711-317 ERROR: Undefined symbol: .MemBuf::freeFunc()
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalReferenceDoneValid(void**, void**)
ld: 0711-317 ERROR: Undefined symbol: .fd_bytes
ld: 0711-317 ERROR: Undefined symbol: .fdNFree
ld: 0711-317 ERROR: Undefined symbol: .PconnPool::count(int)
ld: 0711-317 ERROR: Undefined symbol: .comm_select
ld: 0711-317 ERROR: Undefined symbol: .fatal_dump
ld: 0711-317 ERROR: Undefined symbol: .fdAdjustReserved
ld: 0711-317 ERROR: Undefined symbol: .commResetSelect
ld: 0711-317 ERROR: Undefined symbol: .ipcacheMarkBadAddr
ld: 0711-317 ERROR: Undefined symbol: .ipcacheMarkGoodAddr
ld: 0711-317 ERROR: Undefined symbol: .netdbDeleteAddrNetwork
ld: 0711-317 ERROR: Undefined symbol: .ipcacheCycleAddr
ld: 0711-317 ERROR: Undefined symbol: .fatal
ld: 0711-317 ERROR: Undefined symbol: .AuthUserHashPointer::AuthUserHashPointer(AuthUser*)
ld: 0711-317 ERROR: Undefined symbol: .AuthUserHashPointer::user() const
ld: 0711-317 ERROR: Undefined symbol: .aclCacheMatchFlush
ld: 0711-317 ERROR: Undefined symbol: .dlinkNodeDelete
ld: 0711-317 ERROR: Undefined symbol: .authenticateAuthUserInuse(AuthUser*)
ld: 0711-317 ERROR: Undefined symbol: .HttpHeader::getStr(http_hdr_type) const
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

If I compile src/cbdata by hand and add it to the link line, the first few symbols become defined. It appears as if many files (cbdata being one of them) are not being compiled at all.

Often with AIX, that can be caused by AIX's sed. I am using GNU's sed and GNU's make. And GNU's bash to process the configure.

I'm fairly good at tracking this sort of thing down but I thought I would ask for any suggestions first.

Thank you,
Perry Smith
Ease Software, Inc. ( http://www.easesoftware.com )
Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems
Re: [squid-users] WCCP
From: Amos Jeffries squ...@treenet.co.nz
Date: Tue, 20 Oct 2009 13:20:27 +1300
To: Ross Kovelman rkovel...@gruskingroup.com
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP

On Mon, 19 Oct 2009 20:06:55 -0400, Ross Kovelman rkovel...@gruskingroup.com wrote:
[squid-users] help on squid setup
Dear All,

I have used Squid before but I'm a little confused as to how to implement squid on the following setup.

Current setup as follows:

DSL router with a public IP for the WAN (connection to the ISP)
LAN IP address on DSL router is 192.168.1.254
local network 192.168.100.0/24

Right now the clients have the gateway as 192.168.1.254 and they are able to access internet fine.

I want to implement linux squid proxy server so that I have better controls, that is (time based restrictions, IP based restrictions and block certain web sites) through squid ACLs.

I think I have to implement squid as a transparent proxy server with 2 LAN cards on the squid server.

Appreciate if someone could advise me as how to go about the setup, or some links which do explain about the setup I'd like to implement.

thanks and regards
simon

--
Network ADMIN - KUWAIT MUNICIPALITY
[squid-users] If used as transparent proxy, anyway to authenticate users?
Hello,

Squid user based authentication is a high advantage to placing access lists. I am however forced to place squid as a transparent proxy but I need some kind of authentication for users passed to squid to manage the ACLs (specific allow lists, reply body size, etc).

Is there _any_ workaround (even if it is complex) that I can authenticate users with a transparent proxy? Perhaps with a captive portal that displays a single login page until authenticated and then somehow passing that authentication to squid so it gives them the allowed access?

Thanks
Andres