Re: [squid-users] QUID stops responding intermittently.
Hi Amos,

Thanks for your quick help. I am using the following (I suppose latest available series) of Squid:

Index of /jskala/squid/squid-3.0.STABLE16-1.el5/i386

I've made those ufs/aufs changes & cache_low/high in squid.conf. I'll let you know about the feedback soon. Also I've removed spaces from time ACL elements MTWHF ...

-Asim Ahmed

Amos Jeffries wrote:
> On Tue, 20 Oct 2009 19:53:02 +0500, "Asim Ahmed @ Folio3" wrote:
>> -
>>
>> Hi all,
>>
>> I have installed Squid 3.0 STABLE on RHEL5. I am using it in conjunction
>
> 3.0STABLE what? there are now around 21 releases in circulation.
>
>> with Shorewall 4.4.2.2. I've tested that Shorewall is working fine on
>> machine. The problem is that SQUID stops responding intermittently. This
>> period ranges from minutes / hours / days. Some time it works absolutely
>> fine and at other times it just dies. Even "tail -f access.log" does not
>> show any activity at all. Internet stops working.
>>
>> Machine is Pentium D 2.0 GHz with 2 GB of RAM. Out of my squid.conf
>> through *grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'* is
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl localnet src 192.168.4.0/24 # RFC1918 possible internal network
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl BusinessHours time M T W H F 9:00-13:00
>> acl BusinessHours time M T W H F 14:30-19:00
>
> The above should have no spaces in the day specifier: MTWHF
>
>> acl BadSites dstdomain "/etc/squid/restricted_sites.list"
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny BadSites BusinessHours
>> http_access allow localnet
>> http_access deny all
>> icp_access allow localnet
>> icp_access deny all
>> htcp_access allow localnet
>> htcp_access deny all
>> reply_body_max_size 5 MB
>> http_port 46095 transparent
>> include /etc/squid/mediatypes.list
>> hierarchy_stoplist cgi-bin ?
>> cache_mem 256 MB
>> cache_dir ufs /var/spool/squid 16384 16 256
>
> This is probably the cause. UFS file system is extremely slow.
> Also with >10GB the default garbage collection settings for 3.0 are too
> wide. Squid can block up while removing 5% of the cached files once an hour.
>
> I recommend setting:
>
> cache_dir aufs /var/spool/squid 16384 16 256
> cache_swap_low 90
> cache_swap_high 92
>
> Also check cache.log for signs of squid dying. Restarting and reloading a
> large cache through slow disk IO systems can cause a few dozen seconds
> delay in request handling.
>
> please use the latest release available (there are current 'unofficial'
> packages for RHEL in the www.squid-cache.org binary downloads pages).
>
>> access_log /var/log/squid/access.log squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern (cgi-bin|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> shutdown_lifetime 5 seconds
>> visible_hostname gateway.folio3.com
>> icp_port 3130
>> coredump_dir /var/spool/squid
>>
>> Any help on where to look for the error and any remedy would be
>> appreciated.
>
> Amos

--
Regards,
Asim Ahmed Khan
IT Manager, Folio3 (Pvt.) Ltd.
www.folio3.com
Direct: 92-21-4323721-4 Ext 110
Email: aah...@folio3.com
[squid-users] [SOLVED] Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Henrik,

That resolved the issue. Many thanks. really appreciated.

- Cheers
Stonie.

On Wed, Oct 21, 2009 at 6:10 AM, Henrik Nordstrom wrote:
> Tue 2009-10-20 at 23:47 +1100, Stonie wrote:
>> Henrik,
>>
>> Your help is much appreciated, I have the following after a restart:
>>
>> r...@squidvm:~# /etc/init.d/squid restart
>> Restarting Squid HTTP proxy: squidEnter PEM pass phrase:
>
> Right.. that won't work. IF using an encrypted SSL key then you need to
> start Squid in foreground mode.
>
> /usr/sbin/squid -NY
>
> or give Squid a program it can call to retrieve the SSL key encryption
> passphrase. (see squid.conf)
>
> Or alternatively decrypt the SSL key to have it stored without a
> passphrase
>
> openssl rsa -in cert_key.pem -out cert_key_unencrypted.pem
>
> Regards
> Henrik
>
>

--
Interested in purchasing Australian produced carbon offsets?
Visit www.fairgocarbon.com.au
Please consider the environment before printing this email.
[squid-users] forwarding each src ip to specific proxy
Hello guys,

I understand that to forward all requests to another proxy I would do something like this:

cache_peer parent 0 no-query default
acl all src 0.0.0.0/0.0.0.0
http_access allow all
never_direct allow all

However, I want to be able to forward different src ips to different proxies. What is the best way to do this, or should I just repeat the above lines one for each specific IP?

Thank you.
Andres
Re: [squid-users] Not able to access Thunderbird from a linux client through squid
On Wed, Oct 14, 2009 at 3:20 PM, Matus UHLAR - fantomas wrote:
>> > On 29.09.09 12:22, Avinash Rao wrote:
>> >> I understand, but why isn't it working? If the machine has direct
>> >> connection to internet (modem connected to the machine) thunderbird
>> >> works, but if it has to go through proxy it doesn't work.
>
>> On Mon, Oct 5, 2009 at 1:50 PM, Matus UHLAR - fantomas
>> wrote:
>> > He just said it. Squid is a HTTP proxy and can not be used as proxy for
>> > POP/IMAP/SMTP protocols. You must connect to those services directly, not
>> > through proxy.
>
> On 13.10.09 11:12, Avinash Rao wrote:
>> Thank you for your message. That is what i am saying, I have
>> configured Thunderbird to access internet directly and still it
>> doesn't work.
>
> I'm sorry but this is completely off-topic on this list. Have you tried to
> contact your ISP? We won't help you anymore on this list.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> WinError #98652: Operation completed successfully.
>

Thank you for your response. My question is, how come Internet works through browsers when configured to use proxy but only thunderbird doesn't work through proxy nor direct connection. So, it all comes down to the proxy and which is why i posted this question.

Thanks
Avinash
RE: [squid-users] How To Allow Different Sites at Different Times
Hello Henrik,

I don't understand what you mean, can you please elaborate?

Manuel

-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Monday, October 19, 2009 2:16 PM
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] How To Allow Different Sites at Different Times

Mon 2009-10-19 at 14:44 +1300, Amos Jeffries wrote:
> > http_access allow timothy timothys_schooltime whitelist_sos
> > http_access deny timothy all
> >
>
> The final line there does not permit Squid to challenge for
> authentication. I assume you have some other way to make the browser
> send it later on?

Amos, Squid challenges on the first auth related ACL encountered in http_access processing. What the above configuration does not do is to rechallenge to allow timothy once authenticated to try to log in as someone else when trying to access something timothy is not allowed to access.

Regards
Henrik
[squid-users] TCP_HIT/504 problem with small Squid cluster
Hi - first time poster so be gentle.

Some general info regarding my setup:

0) Running Squid 2.7 in reverse proxy mode
1) Each Squid is configured to use its local webserver on 127.0.0.1 as the origin server and the other servers in the farm as siblings
2) This Squid cache is transparent to the end-user (although I do pass along a select few cache controls such as if-none-match).
3) It is protected behind local AUTH applications which perform complex access checks before passing the request onto Squid
4) All documents will be requested and cached as [http://127.0.0.1/URL] so Squid is really only serving a single domain

Transparent Proxy Cluster

                      [user agent]
                           |
                           v
                    [Load Balancer]
                           |
      -------------------------------------------
      |              |              |           |
      v              v              v           v
 [WEB1-AUTH]    [WEB2-AUTH]    [WEB3-AUTH]  [WEB4-AUTH]
      |              |              |           |
      v              v              v           v
  [SQUID1] (icp) [SQUID2] (icp) [SQUID3] (icp) [SQUID4]
      |              |              |           |
      v              v              v           v
 [WEB1-ORIG]    [WEB2-ORIG]    [WEB3-ORIG]  [WEB4-ORIG]

Here is a simplified squid.conf from the first server (all others have the same settings except the sibling list is shifted).

#--
http_port 3128 act-as-origin accel vhost http11
icp_port 3130
cache_dir ufs /cache/data 2048 16 256
cache_mem 8 GB
request_timeout 5 seconds
persistent_request_timeout 5 seconds
refresh_pattern . 0 20% 4320
negative_ttl 0
acl all src all
acl localhost src 127.0.0.1/xx
acl localnet src 127.0.0.1/xx
acl localnet src x
acl Safe_ports port 3128
acl Safe_ports port 80
http_access allow localhost
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all

## Origin server
cache_peer 127.0.0.1 parent 80 0 name=localweb max-conn=250 no-query no-netdb-exchange originserver http11
cache_peer_access localweb allow localnet
cache_peer_access localweb deny all

## Sibling Caches
# cache_peer [IP_OF_SIBLING_1] sibling 3128 3130 proxy-only
cache_peer [IP_OF_SIBLING_2] sibling 3128 3130 proxy-only
cache_peer [IP_OF_SIBLING_3] sibling 3128 3130 proxy-only
cache_peer [IP_OF_SIBLING_4] sibling 3128 3130 proxy-only

So.. I have a 'few' questions regarding my setup and how I might be able to improve on it.

- Does the ICP sibling setup make sense or will it limit the number of servers in the cluster? Or should this be redesigned to work with multiple parent caches instead of siblings? Or perhaps multicast ICP? Or I could try digests?
- Would using 'icp_hit_stale' and 'allow-miss' improve hit-ratios between the shards? Is there a way to force a given Squid server to be the ONLY server storing a cached document (stale, fresh, or otherwise)?
- Using this basic setup for about a month now and I am ge
Re: [squid-users] HTTPS connections through squid transparent
On Tue, 20 Oct 2009 18:09:04 -0600, Ryan Turnbull wrote:
> Hello to all,
> I'm going to ask a question that has probably been answered a
> million times but what is one more.
>
> I'm trying to make a perfect squid configuration that allows
> http/https connections. I would like to make it so users/devices do not
> have to configure a proxy to be able to access the internet seamlessly.
> I have had this working with the transparent option on the http_port in
> squid 3.0. However, as many users discovered, you CANNOT transparent
> proxy https connections with squid/iptable rules, simply does not work.
> HTTPS connections do work in squid, but you have to define the proxy in
> the browser settings which is another problem altogether. And as much
> as I wish https_port :port transparent cert= key=
> doesn't work for anything other than your own https webservers. That is
> it will NOT work for like your https connection to your bank or https
> connection through to your webmail on your isp.
>
> So my question is, what is the best way to have internet protocol
> traffic through squid without having to go to everyone's browser and set
> the proxy settings/allow all 443 traffic direct to internet. WPAD?? Web
> page explaining how to set proxy?? This is absolutely driving me
> nuts. please help!

Yes. WPAD/PAC or not trying to funnel it through Squid at all.

Amos
Re: [squid-users] squid 3.1.0.13 performance results ready - reverse proxy - (2.6.x vs 3.1.x) - need help
Thanks Amos.

> Is this with the gzip feature already enabled?

NO. gzip is not enabled in 3.1 and also client doesn't send accept-encoding. the request are typically the same that was sent to 2.6 version.

> Is the web server agent sending chunked replies?

NO

> both could be noticeably slower as the entire object needs to be
> re-formatted.
>

we have 32 GB, but we use only 50% of it. how much we could increase cache_mem ?
also i will try heap LRU as you suggested for memory_replacement_policy.

let me know, if you need any other options to try. I will run the test again and post some results to you.

Ganesh

On Tue, Oct 20, 2009 at 6:44 PM, Amos Jeffries wrote:
> On Tue, 20 Oct 2009 13:43:05 -0400, GaneshKumar Natarajan
> wrote:
>> We wanted to evaluate 3.1.0.13 squid to move from our current squid
>> version of 2.6.x ( stable 4 + few custom changes )
>>
>> We did the following performance test from a Avalance setup.
>>
>> 1. preload objects in squid cache.
>> 2. 3500 transactions/sec with 90-10 hit-miss ratio.
>> 3. mean size of object 23 kb.
>> 4. ran it for 30 minutes. ( 5 min ramp up to load 3500, 20 min with
>> load 3500, 5 min to cool down )
>>
>> Average response time Results we got.
>>
>> 2.6.x version = 22 milli second
>> 3.1.0.13 = 274 milli second. ( the graph increases over period of time... )
>>
>
> This is a bit strange. The other benchmarks I've seen (2.6STABLE5 vs
> 3.0STABLE2) show a small lag increase of around 10% for small objects and a
> large 10x decrease for MB sized objects. But not a 10x increase. This is
> one of the first benchmarks received for 3.1 so its hard to say where its
> coming from.
>
> Is this with the gzip feature already enabled?
> Is the web server agent sending chunked replies?
> both could be noticeably slower as the entire object needs to be
> re-formatted.
>
> 3.1 does not yet do collapsed forwarding (planned for merge 3.2 if anyone
> gets time), that might also be having an effect.
>
>> ---
>>
>> similarly, we did for large objects with 40 transaction/sec, mean
>> object size 1.8 MB.
>> 2.6.x => 91 ms, squid 3.1.0.13 => 109 ms.
>> this is somewhat ok..
>>
>> ---
>>
>> We wanted to move to 3.1.0.13 to make use of gzip+ecap feature and
>> other 3.1 features, but this performance results is disappointing.
>> The OS and squid.conf parameters for small file objects are typically
>> the same for both 2.6 and 3.1 setup.
>> [ to mention a few: cache_mem = 16 GB ( we have 32 GB max ),
>> max_object_size_in_memory = 1 MB
>> refer config file below ]
>>
>> Questions:
>> 1. Is there any parameter am missing for 3.1 squid, which would help
>> to improve performance for high loads?
>
> cache_mem would have been the key one.
>
>>
>> 2. Or Is squid 3.1 really not ready yet for high load situations for
>> small objects? Any performance related work going on, any
>> dates/versions to expect ?
>
> Has not yet had serious testing for loads. I've only seen two quality
> independent benchmarks since 2.5.
> Adrian did a lot of benchmarking and tuning, then only plugged the results
> back into 2.7, leaving 3.x out in the cold.
> The 12-18 months of work for 3.2 is geared at pushing the bar up again
> trying to surpass 2.7.
>
>
>> am giving the squid.conf entries 3.1 (its the same for 2.6 also ).
>>
>> let me know, if you need any other details.
>>
>> Regards,
>> Ganesh
>>
>>
>> OS
>> --
>> linux RH4 -release 8
>> Linux 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64
>> x86_64 GNU/Linux
>>
>> SQUID 3.1.0.13 Squid.conf entries for Small file objects
>>
>>
>> (note: the following squid parameters were the same for 2.6 squid.)
>>
>> http_port 80 vhost vport=80
>> acl port80 port 80
>> icp_port 0
>> udp_incoming_address 0.0.0.0
>> udp_outgoing_address 255.255.255.255
>> icp_query_timeout 0
>> maximum_icp_query_timeout 2000
>> mcast_icp_query_timeout 2000
>> dead_peer_timeout 10 seconds
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex \?
>> acl CGI urlpath_regex cgi-bin
>> acl readCommunityString snmp_community icds-nms
>> acl LMS src 192.168.2.4
>> snmp_access allow readCommunityString all
>> acl apache rep_header Server ^Apache
>> cache_swap_low 95
>> cache_swap_high 98
>> maximum_object_size 100 MB
>> minimum_object_size 0 KB
>> maximum_object_size_in_memory 1 MB
>
> The above may be limiting the 3.1 large object results. 3.1 no longer has
> the huge object speed limitations that 2.x does, so this can be increased
> provided the RAM can cope.
>
>> ipcache_size 2048
>> ipcache_low 95
>> ipcache_high 98
>> cache_replacement_policy lru
>> memory_replacement_policy lru
>
> "heap" types are better here regardless of the squid version.
>
>> cache_log /squid/logs/cache.log
>> cache_store_log none
>> log_ip_on_direct on
>>
>> debug_options ALL,1
>>
>> client_netmask 255.255.255.255
>>
>> dns_timeout 10 seconds
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher:
[squid-users] HTTPS connections through squid transparent
Hello to all,

I'm going to ask a question that has probably been answered a million times but what is one more.

I'm trying to make a perfect squid configuration that allows http/https connections. I would like to make it so users/devices do not have to configure a proxy to be able to access the internet seamlessly. I have had this working with the transparent option on the http_port in squid 3.0. However, as many users discovered, you CANNOT transparent proxy https connections with squid/iptable rules, simply does not work. HTTPS connections do work in squid, but you have to define the proxy in the browser settings which is another problem altogether. And as much as I wish https_port :port transparent cert= key= doesn't work for anything other than your own https webservers. That is it will NOT work for like your https connection to your bank or https connection through to your webmail on your isp.

So my question is, what is the best way to have internet protocol traffic through squid without having to go to everyone's browser and set the proxy settings/allow all 443 traffic direct to internet. WPAD?? Web page explaining how to set proxy?? This is absolutely driving me nuts. please help!

--
*Ryan Turnbull*
Network Administrator
Re: [squid-users] squid 3.1.0.13 performance results ready - reverse proxy - (2.6.x vs 3.1.x) - need help
On Tue, 20 Oct 2009 13:43:05 -0400, GaneshKumar Natarajan wrote:
> We wanted to evaluate 3.1.0.13 squid to move from our current squid
> version of 2.6.x ( stable 4 + few custom changes )
>
> We did the following performance test from a Avalance setup.
>
> 1. preload objects in squid cache.
> 2. 3500 transactions/sec with 90-10 hit-miss ratio.
> 3. mean size of object 23 kb.
> 4. ran it for 30 minutes. ( 5 min ramp up to load 3500, 20 min with
> load 3500, 5 min to cool down )
>
> Average response time Results we got.
>
> 2.6.x version = 22 milli second
> 3.1.0.13 = 274 milli second. ( the graph increases over period of time... )
>

This is a bit strange. The other benchmarks I've seen (2.6STABLE5 vs 3.0STABLE2) show a small lag increase of around 10% for small objects and a large 10x decrease for MB sized objects. But not a 10x increase. This is one of the first benchmarks received for 3.1 so its hard to say where its coming from.

Is this with the gzip feature already enabled?
Is the web server agent sending chunked replies?
both could be noticeably slower as the entire object needs to be re-formatted.

3.1 does not yet do collapsed forwarding (planned for merge 3.2 if anyone gets time), that might also be having an effect.

> ---
>
> similarly, we did for large objects with 40 transaction/sec, mean
> object size 1.8 MB.
> 2.6.x => 91 ms, squid 3.1.0.13 => 109 ms.
> this is somewhat ok..
>
> ---
>
> We wanted to move to 3.1.0.13 to make use of gzip+ecap feature and
> other 3.1 features, but this performance results is disappointing.
> The OS and squid.conf parameters for small file objects are typically
> the same for both 2.6 and 3.1 setup.
> [ to mention a few: cache_mem = 16 GB ( we have 32 GB max ),
> max_object_size_in_memory = 1 MB
> refer config file below ]
>
> Questions:
> 1. Is there any parameter am missing for 3.1 squid, which would help
> to improve performance for high loads?

cache_mem would have been the key one.

>
> 2. Or Is squid 3.1 really not ready yet for high load situations for
> small objects? Any performance related work going on, any
> dates/versions to expect ?

Has not yet had serious testing for loads. I've only seen two quality independent benchmarks since 2.5.
Adrian did a lot of benchmarking and tuning, then only plugged the results back into 2.7, leaving 3.x out in the cold.
The 12-18 months of work for 3.2 is geared at pushing the bar up again trying to surpass 2.7.

> am giving the squid.conf entries 3.1 (its the same for 2.6 also ).
>
> let me know, if you need any other details.
>
> Regards,
> Ganesh
>
>
> OS
> --
> linux RH4 -release 8
> Linux 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64
> x86_64 GNU/Linux
>
> SQUID 3.1.0.13 Squid.conf entries for Small file objects
>
>
> (note: the following squid parameters were the same for 2.6 squid.)
>
> http_port 80 vhost vport=80
> acl port80 port 80
> icp_port 0
> udp_incoming_address 0.0.0.0
> udp_outgoing_address 255.255.255.255
> icp_query_timeout 0
> maximum_icp_query_timeout 2000
> mcast_icp_query_timeout 2000
> dead_peer_timeout 10 seconds
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex \?
> acl CGI urlpath_regex cgi-bin
> acl readCommunityString snmp_community icds-nms
> acl LMS src 192.168.2.4
> snmp_access allow readCommunityString all
> acl apache rep_header Server ^Apache
> cache_swap_low 95
> cache_swap_high 98
> maximum_object_size 100 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 1 MB

The above may be limiting the 3.1 large object results. 3.1 no longer has the huge object speed limitations that 2.x does, so this can be increased provided the RAM can cope.

> ipcache_size 2048
> ipcache_low 95
> ipcache_high 98
> cache_replacement_policy lru
> memory_replacement_policy lru

"heap" types are better here regardless of the squid version.

> cache_log /squid/logs/cache.log
> cache_store_log none
> log_ip_on_direct on
>
> debug_options ALL,1
>
> client_netmask 255.255.255.255
>
> dns_timeout 10 seconds
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 1440 100% 1440 ignore-reload
> quick_abort_min -1 KB
> quick_abort_max 16 KB
> quick_abort_pct 95
> negative_ttl 1 minutes
> positive_dns_ttl 1 hour
> negative_dns_ttl 1 minute
> range_offset_limit -1 MB
> connect_timeout 5 seconds
> peer_connect_timeout 5 seconds
> read_timeout 60 seconds
> request_timeout 10 seconds
> persistent_request_timeout 10 minutes
> pconn_timeout 120 seconds
> shutdown_lifetime 30 seconds
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl OBJECT method OBJECT
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> acl Safe_methods method GET POST HEAD PUT
> acl Safe_protos proto HTTP
> http_access allow manager localhost1
> http_access
Re: [squid-users] ACL function problem
On Tue, 20 Oct 2009 21:14:31 +0500, "Asim Ahmed @ Folio3" wrote:
> Hi all,
>
> I need help with apparently very basic question regarding ACL in squid:
> I've my acl's written in a separate file and I am including that file in
> squid.conf. It reads as:
>
> acl BusinessHours time M T W H F 9:00-13:00
> acl BusinessHours time M T W H F 14:30-19:00
>

Did you test on any day other than monday?
The day spec does not contain spaces so I think Squid collapses that to:

 acl BusinessHours time M

> ## Active Stream Format (Windows Media Player)
> acl media rep_mime_type x-ms-asf
> acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$
>
> ## Flash Video Format
> acl media rep_mime_type video/flv video/x-flv
> acl mediapr urlpath_regex \.flv(\?.*)?$
>
> acl media rep_mime_type application/x-amf
>
> acl media rep_mime_type video/mp4
> acl mediapr urlpath_regex \.mp4(\?.*)?$
>
> ## Flash General Media Scripts (Animation)
> #acl media rep_mime_type application/x-shockwave-flash
> #acl mediapr urlpath_regex \.swf(\?.*)?$
>
> ## Others currently unknown
> acl media rep_mime_type ms-hdr
> acl media rep_mime_type x-fcs
>
> acl media rep_mime_type video/mov
> acl mediapr urlpath_regex \.mov(\?.*)?$
>
> acl media rep_mime_type video/wmv
> acl mediapr urlpath_regex \.wmv(\?.*)?$
>
> acl media rep_mime_type video/mpg
> acl mediapr urlpath_regex \.mpg(\?.*)?$
>
> acl media rep_mime_type video/rm
> acl mediapr urlpath_regex \.rm(\?.*)?$
>
> acl media rep_mime_type video/avi
> acl mediapr urlpath_regex \.avi(\?.*)?$
>
> acl media rep_mime_type video/vob
> acl mediapr urlpath_regex \.vob(\?.*)?$
>
> acl media rep_mime_type video/dv
> acl mediapr urlpath_regex \.dv(\?.*)?$
>
> acl media rep_mime_type video/3gp
> acl mediapr urlpath_regex \.3gp(\?.*)?$
>
> acl media rep_mime_type video/m1v
> acl mediapr urlpath_regex \.m1v(\?.*)?$
>
> acl media rep_mime_type video/m2v
> acl mediapr urlpath_regex \.m2v(\?.*)?$
>
> http_access deny mediapr BusinessHours
> http_reply_access deny media BusinessHours
>
> The problem is that if I apply this BusinessHours ACL to any other ACL
> that works, but here with last two lines it is not working and videos
> containing these mime types are always blocked instead of only during
> business hours. Can anyone suggest any solution or point out any mistake
> i m making?
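The day-specifier problem pointed out in the reply above can be checked mechanically before a config is loaded. The following is an added example, not code from the thread or from the Squid project: the function names and the sample config are constructed, and the only Squid facts it relies on are the documented day codes (S M T W H F A D) and the documented rule that h1:m1 must be less than h2:m2.

```python
import re

# Day codes accepted by Squid's "time" ACL type:
# S=Sunday M=Monday T=Tuesday W=Wednesday H=Thursday F=Friday A=Saturday
# D=all weekdays (Monday-Friday)
DAY_CODES = set("SMTWHFAD")
TIME_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")

# Constructed sample, built from the lines quoted in the thread.
SAMPLE_CONF = """\
acl BusinessHours time M T W H F 9:00-13:00
acl BusinessHours time M T W H F 14:30-19:00
acl Lunch time MTWHF 13:00-14:30
acl media rep_mime_type video/mp4
http_access deny mediapr BusinessHours
"""


def check_time_acl(line):
    """Check one config line.

    Returns None when the line is not an 'acl NAME time ...' definition,
    otherwise (problems, suggestion), where suggestion is the same ACL with
    the day letters written as a single token.
    """
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0] != "acl" or tokens[2] != "time":
        return None
    name, args = tokens[1], tokens[3:]
    problems, day_tokens, ranges = [], [], []
    for tok in args:
        match = TIME_RANGE.match(tok)
        if match:
            h1, m1, h2, m2 = (int(g) for g in match.groups())
            if max(h1, h2) > 24 or max(m1, m2) > 59:
                problems.append("time out of range in %s" % tok)
            elif (h1, m1) >= (h2, m2):
                # squid.conf documents that h1:m1 must be less than h2:m2,
                # so one range cannot wrap past midnight.
                problems.append("range %s does not run forward" % tok)
            ranges.append(tok)
        elif set(tok) <= DAY_CODES:
            day_tokens.append(tok)
        else:
            problems.append("unrecognised token %r" % tok)
    if len(day_tokens) > 1:
        problems.append("day specifier split into %d tokens: %s"
                        % (len(day_tokens), " ".join(day_tokens)))
    if not day_tokens and not ranges:
        problems.append("no day or time range given")
    # Join the day letters into one token, dropping repeats but keeping order.
    days = "".join(dict.fromkeys("".join(day_tokens)))
    suggestion = " ".join(["acl", name, "time"]
                          + ([days] if days else []) + ranges)
    return problems, suggestion


def lint_config(text):
    """Return (line_number, problems, suggestion) for each faulty time ACL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = check_time_acl(line)
        if result and result[0]:
            findings.append((lineno, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for lineno, problems, suggestion in lint_config(SAMPLE_CONF):
        print("line %d: %s" % (lineno, "; ".join(problems)))
        print("  suggested: %s" % suggestion)
```

An access rule that depends on a mis-parsed time ACL can block or permit at the wrong hours, so a check like this belongs in whatever step validates squid.conf and its included files before a reload.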
Re: [squid-users] QUID stops responding intermittently.
On Tue, 20 Oct 2009 19:53:02 +0500, "Asim Ahmed @ Folio3" wrote:
> -
>
> Hi all,
>
> I have installed Squid 3.0 STABLE on RHEL5. I am using it in conjunction

3.0STABLE what? there are now around 21 releases in circulation.

> with Shorewall 4.4.2.2. I've tested that Shorewall is working fine on
> machine. The problem is that SQUID stops responding intermittently. This
> period ranges from minutes / hours / days. Some time it works absolutely
> fine and at other times it just dies. Even "tail -f access.log" does not
> show any activity at all. Internet stops working.
>
> Machine is Pentium D 2.0 GHz with 2 GB of RAM. Out of my squid.conf
> through *grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'* is
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.4.0/24 # RFC1918 possible internal network
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl BusinessHours time M T W H F 9:00-13:00
> acl BusinessHours time M T W H F 14:30-19:00

The above should have no spaces in the day specifier: MTWHF

> acl BadSites dstdomain "/etc/squid/restricted_sites.list"
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny BadSites BusinessHours
> http_access allow localnet
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> reply_body_max_size 5 MB
> http_port 46095 transparent
> include /etc/squid/mediatypes.list
> hierarchy_stoplist cgi-bin ?
> cache_mem 256 MB
> cache_dir ufs /var/spool/squid 16384 16 256

This is probably the cause. UFS file system is extremely slow.
Also with >10GB the default garbage collection settings for 3.0 are too wide. Squid can block up while removing 5% of the cached files once an hour.

I recommend setting:

cache_dir aufs /var/spool/squid 16384 16 256
cache_swap_low 90
cache_swap_high 92

Also check cache.log for signs of squid dying. Restarting and reloading a large cache through slow disk IO systems can cause a few dozen seconds delay in request handling.

please use the latest release available (there are current 'unofficial' packages for RHEL in the www.squid-cache.org binary downloads pages).

> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> shutdown_lifetime 5 seconds
> visible_hostname gateway.folio3.com
> icp_port 3130
> coredump_dir /var/spool/squid
>
> Any help on where to look for the error and any remedy would be
> appreciated.

Amos
Re: [squid-users] 1024 file descriptors is good
Mariel Sebedio wrote:
> Hi, I have a RHEL 5.4 with squid3.0STABLE19 and have a performance problems...
>
> My cache.log not report warning
>
> When I see in cachemgr.cgi I just have a 1024 File descriptors...

if you're not getting the famous WARNING in your cache.log

WARNING! Your cache is running out of filedescriptors

then you really don't need to worry about 1024 FDs. That's now too much, but that's pretty enough for having a good number of simultaneous clients.

Filedescriptors problems (running low on them) could give you some problems, but in any case you would see the warning on your logs. If you're not seeing it, then problem is not filedescriptor related. And if that's not filedescriptor related, raising it won't change anything.

your performance problem is somewhere else .

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
[squid-users] List of mobile device regex for Microsoft OWA
Does anyone have a list of regex expressions for mobile devices that OWA would use? I've implemented a reverse proxy for OWA, and a majority of the phones are working fine with OWA (i.e. iPhone) but we get some cases where certain phones are not working (i.e. Nokia E71). I'm fairly sure it's because I have ACL's for allowing certain regex for phones. Here is what I have so far.

acl exchange_urlpath_regex urlpath_regex -i /Microsoft-Server-ActiveSync*
acl exchange_urlpath_regex urlpath_regex -i /rpc.*
acl exchange_urlpath_regex urlpath_regex -i /exchange.*
acl exchange_urlpath_regex urlpath_regex -i /exchweb.*
acl exchange_urlpath_regex urlpath_regex -i /webmail.*
acl exchange_urlpath_regex urlpath_regex -i /OMA.*
acl exchange_urlpath_regex urlpath_regex -i /OWA.*

- Nick
[squid-users] 1024 file descriptors is good
Hi, I have a RHEL 5.4 with squid3.0STABLE19 and have a performance problems...

My cache.log not report warning

When I see in cachemgr.cgi I just have a 1024 File descriptors...

My ulimit -n is 1024, I need to modify this and configure another time or I have another option to increase the File descriptor for Squid3.0.

I only found different options for squid 2.7 or less

Thanks

--
Lic. Mariel Sebedio
Division Computos y Sistemas
Tel (02944)-445400 int 2307
INVAP S.E. - www.invap.com.ar
Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Tue 2009-10-20 at 23:47 +1100, Stonie wrote:
> Henrik,
>
> Your help is much appreciated, I have the following after a restart:
>
> r...@squidvm:~# /etc/init.d/squid restart
> Restarting Squid HTTP proxy: squidEnter PEM pass phrase:

Right.. that won't work. IF using an encrypted SSL key then you need to start Squid in foreground mode.

/usr/sbin/squid -NY

or give Squid a program it can call to retrieve the SSL key encryption passphrase. (see squid.conf)

Or alternatively decrypt the SSL key to have it stored without a passphrase

openssl rsa -in cert_key.pem -out cert_key_unencrypted.pem

Regards
Henrik
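The third option in the message above leaves the private key on disk with no passphrase, so the file's permissions become its only protection. The check below is an added example, not part of the original message or of Squid: the function names and the key files are constructed placeholders, and it inspects only PEM headers and mode bits.

```python
import os
import stat
import tempfile

# Markers that identify a passphrase-protected PEM private key.
ENCRYPTED_MARKERS = (
    "Proc-Type: 4,ENCRYPTED",                 # traditional OpenSSL PEM header
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 encrypted key
)

# Constructed placeholder files: correct PEM framing, no real key material.
PLAIN_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "(constructed placeholder body)\n"
    "-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
    "\n"
    "(constructed placeholder body)\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def audit_key_file(path):
    """Report whether a PEM key is encrypted and who can access the file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result = {
        "is_key": "PRIVATE KEY-----" in text,
        "encrypted": False,
        "mode": oct(mode),
        "findings": [],
    }
    if not result["is_key"]:
        return result
    result["encrypted"] = any(marker in text for marker in ENCRYPTED_MARKERS)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    if result["encrypted"]:
        # This is the situation in the thread: the init script blocks on
        # "Enter PEM pass phrase:" because nobody is there to type it.
        result["findings"].append(
            "encrypted key: an unattended start stops at the passphrase prompt")
        if exposed:
            result["findings"].append(
                "key file accessible to group/other: restrict to owner (0600)")
    elif exposed:
        result["findings"].append(
            "unencrypted key accessible to group/other: restrict to owner (0600)")
    else:
        result["findings"].append(
            "unencrypted key: owner-only permissions are its only protection")
    return result


def make_sample(directory, name, body, mode):
    """Write a constructed sample file with the given permission bits."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (
            ("cert_key.pem", ENCRYPTED_SAMPLE, 0o600),
            ("cert_key_unencrypted.pem", PLAIN_SAMPLE, 0o644),
        ):
            report = audit_key_file(make_sample(tmp, name, body, mode))
            print(name, report["mode"], report["findings"])
```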
[squid-users] squid 3.1.0.13 performance results ready - reverse proxy - (2.6.x vs 3.1.x) - need help
We wanted to evaluate 3.1.0.13 squid to move from our current squid version of 2.6.x ( stable 4 + few custom changes )

We did the following performance test from an Avalanche setup.

1. preload objects in squid cache.
2. 3500 transactions/sec with 90-10 hit-miss ratio.
3. mean size of object 23 kb.
4. ran it for 30 minutes. ( 5 min ramp up to load 3500, 20 min with load 3500, 5 min to cool down )

Average response time results we got.

2.6.x version = 22 milli second
3.1.0.13 = 274 milli second. ( the graph increases over period of time... )

---

similarly, we did for large objects with 40 transaction/sec, mean object size 1.8 MB.

2.6.x => 91 ms, squid 3.1.0.13 => 109 ms. this is somewhat ok..

---

We wanted to move to 3.1.0.13 to make use of gzip+ecap feature and other 3.1 features, but this performance results is disappointing.

The OS and squid.conf parameters for small file objects are typically the same for both 2.6 and 3.1 setup. [ to mention a few: cache_mem = 16 GB ( we have 32 GB max ), max_object_size_in_memory = 1 MB refer config file below ]

Questions:

1. Is there any parameter am missing for 3.1 squid, which would help to improve performance for high loads?
2. Or Is squid 3.1 really not ready yet for high load situations for small objects? Any performance related work going on, any dates/versions to expect ?

am giving the squid.conf entries 3.1 (its the same for 2.6 also ). let me know, if you need any other details.

Regards,
Ganesh

OS -- linux RH4 -release 8
Linux 2.6.9-89.ELsmp #1 SMP Mon Apr 20 10:33:05 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

SQUID 3.1.0.13

Squid.conf entries for Small file objects (note: the following squid parameters were the same for 2.6 squid.)

http_port 80 vhost vport=80
acl port80 port 80
icp_port 0
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
icp_query_timeout 0
maximum_icp_query_timeout 2000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex \?
acl CGI urlpath_regex cgi-bin
acl readCommunityString snmp_community icds-nms
acl LMS src 192.168.2.4
snmp_access allow readCommunityString all
acl apache rep_header Server ^Apache
cache_swap_low 95
cache_swap_high 98
maximum_object_size 100 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 1 MB
ipcache_size 2048
ipcache_low 95
ipcache_high 98
cache_replacement_policy lru
memory_replacement_policy lru
cache_log /squid/logs/cache.log
cache_store_log none
log_ip_on_direct on
debug_options ALL,1
client_netmask 255.255.255.255
dns_timeout 10 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 1440 100% 1440 ignore-reload
quick_abort_min -1 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 1 minutes
positive_dns_ttl 1 hour
negative_dns_ttl 1 minute
range_offset_limit -1 MB
connect_timeout 5 seconds
peer_connect_timeout 5 seconds
read_timeout 60 seconds
request_timeout 10 seconds
persistent_request_timeout 10 minutes
pconn_timeout 120 seconds
shutdown_lifetime 30 seconds
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80
acl OBJECT method OBJECT
acl CONNECT method CONNECT
acl PURGE method PURGE
acl Safe_methods method GET POST HEAD PUT
acl Safe_protos proto HTTP
http_access allow manager localhost1
http_access allow manager localhost
http_access deny manager
http_access allow Safe_methods
http_access allow PURGE localhost1
http_access allow PURGE localhost
http_access allow OBJECT localhost
http_access allow OBJECT localhost1
http_access deny PURGE
http_access deny OBJECT
http_access deny !Safe_ports
http_access deny !Safe_protos
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
reply_header_max_size 20 KB
cache_mgr webmaster
cache_effective_user icds
announce_host dummy.net
announce_port 3131
forwarded_for on
icp_hit_stale on
cachemgr_passwd passw0rd info stats/objects
client_db off
maximum_single_addr_tries 1
snmp_port 161
offline_mode off
uri_whitespace encode
nonhierarchical_direct on
prefer_direct off
strip_query_terms off
coredump_dir none
redirector_bypass off
client_persistent_connections on
server_persistent_connections on
cache_dir aufs /squid/cache0 158522 29 830
cache_dir aufs /squid/cache1 252949 29 830
cache_dir aufs /squid/cache2 252949 29 830
cache_dir aufs /squid/cache3 252949 29 830
cache_dir aufs /squid/cache4 252949 29 830
cache_dir aufs /squid/cache5 252949 29 830
request_body_max_size 100 KB
request_header_max_size 8 KB
minimum_expiry_time 0 seconds
read_ahead_gap 400 KB
cache_mem 16083 MB
acl 1001 dstdomain www1.acm.com
acl 1002 dstdomain www2.acm.com
acl 1003 dstdomain www3.acm.com
...
acl 1025 dstdomain www25.acm.com
cache_peer xxx parent 8000 0 no-query originserver forceddomain=www.acm.com
cache_peer_access 10.0.1.4 allow 1001
cache
Re: [squid-users] help on squid setup
Thanks guys, I really appreciate your quick reply. i will try out your advices and check it out, and Mr Kaya u dont have to apologize at all. I should be indeed so grateful to you that u spent your precious valuable time to read my mail n to reply to it.

Thanks once again guys

regards
simon

> [...]
>>
>> I want to implement linux squid proxy server so that i have better
>> controls that is ( time based restrictions , ip based restrictions and
>> block certain web sites ) through squid ACLS
>>
>> I think i have to implement squid as a transparent proxy server with 2
>> lan cards on the squid server
>>
> [...]
>
> Hi Simon, you should be able to do all this from within the router if it
> is a fairly good one
>
> The Cisco 88x and 89x series definitely do this very well and as for the
> 88x are ADSL capable! The 89x can be plugged into an ADSL modem or even
> Metro Ethernet solution or alternately backup line.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
> {for ACLs}
>
> Anyhow what I'm trying to say is that it should take off the load of
> adding extra machines and also reduce overall cost too.
>
> However if you must use a Squid solution then here are some places to
> start:
>
> http://www.visolve.com/squid/
>
> http://www.squid-cache.org/Doc/config/
>
> and some config examples here:
>
> http://wiki.squid-cache.org/ConfigExamples/
>
> apologies for not being able to help further, however I only use squid
> as reverse proxy in my network environment :-)
>
> Hope this gets you started though!
>
> Regards,
>
> Kaya

--
Network ADMIN - KUWAIT MUNICIPALITY:
[squid-users] ACL function problem
Hi all,

I need help with apparently very basic question regarding ACL in squid: I've my acl's written in a separate file and I am including that file in squid.conf. It reads as:

acl BusinessHours time M T W H F 9:00-13:00
acl BusinessHours time M T W H F 14:30-19:00
## Active Stream Format (Windows Media Player)
acl media rep_mime_type x-ms-asf
acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$
## Flash Video Format
acl media rep_mime_type video/flv video/x-flv
acl mediapr urlpath_regex \.flv(\?.*)?$
acl media rep_mime_type application/x-amf
acl media rep_mime_type video/mp4
acl mediapr urlpath_regex \.mp4(\?.*)?$
## Flash General Media Scripts (Animation)
#acl media rep_mime_type application/x-shockwave-flash
#acl mediapr urlpath_regex \.swf(\?.*)?$
## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl media rep_mime_type video/mov
acl mediapr urlpath_regex \.mov(\?.*)?$
acl media rep_mime_type video/wmv
acl mediapr urlpath_regex \.wmv(\?.*)?$
acl media rep_mime_type video/mpg
acl mediapr urlpath_regex \.mpg(\?.*)?$
acl media rep_mime_type video/rm
acl mediapr urlpath_regex \.rm(\?.*)?$
acl media rep_mime_type video/avi
acl mediapr urlpath_regex \.avi(\?.*)?$
acl media rep_mime_type video/vob
acl mediapr urlpath_regex \.vob(\?.*)?$
acl media rep_mime_type video/dv
acl mediapr urlpath_regex \.dv(\?.*)?$
acl media rep_mime_type video/3gp
acl mediapr urlpath_regex \.3gp(\?.*)?$
acl media rep_mime_type video/m1v
acl mediapr urlpath_regex \.m1v(\?.*)?$
acl media rep_mime_type video/m2v
acl mediapr urlpath_regex \.m2v(\?.*)?$
http_access deny mediapr BusinessHours
http_reply_access deny media BusinessHours

The problem is that if I apply this BusinessHours ACL to any other ACL that works, but here with last two lines it is not working and videos containing these mime types are always blocked instead of only during business hours. Can anyone suggest any solution or point out any mistake I am making?

--
Regards,
Asim Ahmed Khan
Email: aah...@folio3.com
RE: [squid-users] Squid Reverse Proxy help
Thank you Amos! That was it and I'm finally up and running.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, October 19, 2009 8:04 PM
To: Jones, Keven
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Reverse Proxy help

On Mon, 19 Oct 2009 11:23:58 -0400, "Jones, Keven" wrote:
> Need help with finalizing my config. This config is not working for
> the 2nd server. Can Anyone see what I'm missing or have configured
> incorrectly.
>
> img01.cprpt.com is caching but img02.cprpt.com will not. I had originally
> forgotten the
> 2nd cache_peer_access server_2 allow sites_server2 but this has been
> added and still not working.
>
> This url should work as the images and directories exist:
>
> http://img02.cprpt.com/img/bvt/10002/ncrLogo_100909.gif
>
>
> Thanks for looking at this for me!
>
> ---
> Squid.conf:
>
>
> http_port 80 accel defaultsite=img01.cprpt.com

For multiple domains (virtual hosting) the "vhost" option is required here. Without it squid will assume everything is under the defaultsite.

> cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
> cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
>
> acl all src 0.0.0.0/0.0.0.0
> acl our_sites dstdomain img01.cprpt.com
> acl sites_server_2 dstdomain img02.cprpt.com
>
> http_access allow our_sites
> http_access allow sites_server_2
>
> cache_peer_access myAccel allow our_sites
> cache_peer_access server_2 allow sites_server_2
>
> cache_peer_access myAccel deny all
> cache_peer_access server_2 deny all
>
>
> visible_hostname bv-ic01
>
> cache_dir ufs /data/spool/squid 100 16 256
>
> cache_access_log /data/log/squid/access.log
>
> cache_log /data/log/squid/cache.log
>
> cache_store_log /data/log/squid/store.log
Re: [squid-users] Squid-3.1 behaving differently from 2.7.x?
* Ralf Hildebrandt :
> * Matus UHLAR - fantomas :
>
> > so the problem was not "3.1 uses too many connections" but "2.7 drops
> > connections when it should not".
>
> A bit funny ;)
>
> I made some more experiments and found out that the problem is between
> the Squid in front of dansguardian.
>
> client -> squid_in_front -> dansguardian -> squid_behind -> Internet
>
> I was able to replace the squid 2.7.x "behind" dansguardian with a
> 3.1.x version without negative impacts (except for frequent crashes).

I increased the maximum number of dansguardian processes and found that squid3 would use 297 dansguardian processes, about 2.5 times the number 2.7.x would keep busy.

Dunno if that's a good or bad sign.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
[squid-users] QUID stops responding intermittently.
Hi all,

I have installed Squid 3.0 STABLE on RHEL5. I am using it in conjunction with Shorewall 4.4.2.2. I've tested that Shorewall is working fine on machine. The problem is that SQUID stops responding intermittently. This period ranges from minutes / hours / days. Some time it works absolutely fine and at other times it just dies. Even "tail -f access.log" does not show any activity at all. Internet stops working. Machine is Pentium D 2.0 GHz with 2 GB of RAM.

Out of my squid.conf through *grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'* is

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.4.0/24 # RFC1918 possible internal network
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl BusinessHours time M T W H F 9:00-13:00
acl BusinessHours time M T W H F 14:30-19:00
acl BadSites dstdomain "/etc/squid/restricted_sites.list"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny BadSites BusinessHours
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
reply_body_max_size 5 MB
http_port 46095 transparent
include /etc/squid/mediatypes.list
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid 16384 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 5 seconds
visible_hostname gateway.folio3.com
icp_port 3130
coredump_dir /var/spool/squid

Any help on where to look for the error and any remedy would be appreciated.

--
Regards,
Asim Ahmed Khan
Email: aah...@folio3.com
Re: [squid-users] Squid-2.6.5 SSL reverse proxy ?
Henrik,

Your help is much appreciated, I have the following after a restart:

r...@squidvm:~# /etc/init.d/squid restart
Restarting Squid HTTP proxy: squidEnter PEM pass phrase:
.
r...@squidvm:~# tail /var/log/messages
Oct 20 07:43:36 squidvm -- MARK --
Oct 20 07:47:03 squidvm squid[7216]: Squid Parent: child process 7218 exited with status 0
Oct 20 07:47:13 squidvm (squid): Failed to acquire SSL private key '/root/fairgocarbon.key': error:0906406D:PEM routines:PEM_def_callback:problems getting password
Oct 20 07:47:13 squidvm squid[7398]: Squid Parent: child process 7400 started

The restart accepted the pass phrase without error? What am I doing wrong?

Regards,
Andrew.

On Tue, Oct 20, 2009 at 10:05 AM, Henrik Nordstrom wrote:
> On Tue 2009-10-20 at 07:45 +1100, Stonie wrote:
>> Thanks for the reply Henrik,
>>
>> Still the same symptoms with those settings.
>>
>> I have tried both
>>
>> https_port my.external.ip:443
>> https_port my.external.ip:443 cert=/root/mysslsite.crt
>> key=/root/mysslsite.key defaultsite=www.mysslsite.com.au vhost vport
>
> I meant the second (hence the dots).
>
>> the first fails with a "cant find cert" on startup, and the second has
>> the same symptoms as with my original config.
>
> And no significant errors logged at startup or in cache.log?
>
> Regards
> Henrik
Re: [squid-users] Compiling squid 3.0 on AIX
Perry Smith wrote:

Hi,

I'm trying to build squid 3.0 on AIX 5.3 using GCC 4.3.1. It appears to forget to build many files. One example is src/cbdata.o

Code related issues to squid-dev mailing list please. CC'd at a minimum. Anything that can be fed back into mainline for this is good.

My link fails with:

g++ -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -g -o cf_gen cf_gen.o debug.o time.o globals.o ./.libs/libsquid.a ./.libs/libauth.a -L/usr/local/lib -lstdc++ -L/usr/local/build/squid-3.0.STABLE19/lib -lmiscutil -lm -lbind -lnsl -Wl,-blibpath:/usr/local/lib:/usr/local/lib/gcc/powerpc-ibm-aix5.3.0.0/4.3.1:/usr/local/lib/gcc/powerpc-ibm-aix5.3.0.0/4.3.1/../../..:/usr/lib:/lib
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalLock(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalUnlock(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalFree(void*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataReferenceValid(void const*)
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalAddType(cbdata_type, char const*, int, void (*)(void*))
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalAlloc(cbdata_type)
ld: 0711-317 ERROR: Undefined symbol: .eventAdd(char const*, void (*)(void*), void*, double, int, bool)
ld: 0711-317 ERROR: Undefined symbol: .commSetSelect
ld: 0711-317 ERROR: Undefined symbol: .fd_close
ld: 0711-317 ERROR: Undefined symbol: .fd_open
ld: 0711-317 ERROR: Undefined symbol: .ipcache_nbgethostbyname
ld: 0711-317 ERROR: Undefined symbol: .dlinkDelete
ld: 0711-317 ERROR: Undefined symbol: .dlinkAddTail
ld: 0711-317 ERROR: Undefined symbol: .fatalf
ld: 0711-317 ERROR: Undefined symbol: .MemBuf::freeFunc()
ld: 0711-317 ERROR: Undefined symbol: .cbdataInternalReferenceDoneValid(void**, void**)
ld: 0711-317 ERROR: Undefined symbol: .fd_bytes
ld: 0711-317 ERROR: Undefined symbol: .fdNFree
ld: 0711-317 ERROR: Undefined symbol: .PconnPool::count(int)
ld: 0711-317 ERROR: Undefined symbol: .comm_select
ld: 0711-317 ERROR: Undefined symbol: .fatal_dump
ld: 0711-317 ERROR: Undefined symbol: .fdAdjustReserved
ld: 0711-317 ERROR: Undefined symbol: .commResetSelect
ld: 0711-317 ERROR: Undefined symbol: .ipcacheMarkBadAddr
ld: 0711-317 ERROR: Undefined symbol: .ipcacheMarkGoodAddr
ld: 0711-317 ERROR: Undefined symbol: .netdbDeleteAddrNetwork
ld: 0711-317 ERROR: Undefined symbol: .ipcacheCycleAddr
ld: 0711-317 ERROR: Undefined symbol: .fatal
ld: 0711-317 ERROR: Undefined symbol: .AuthUserHashPointer::AuthUserHashPointer(AuthUser*)
ld: 0711-317 ERROR: Undefined symbol: .AuthUserHashPointer::user() const
ld: 0711-317 ERROR: Undefined symbol: .aclCacheMatchFlush
ld: 0711-317 ERROR: Undefined symbol: .dlinkNodeDelete
ld: 0711-317 ERROR: Undefined symbol: .authenticateAuthUserInuse(AuthUser*)
ld: 0711-317 ERROR: Undefined symbol: .HttpHeader::getStr(http_hdr_type) const
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

If I compile src/cbdata by hand and add it to the link line, the first few symbols become defined. It appears as if many files (cbdata being one of them) are not being compiled at all.

Often with AIX, that can be caused by AIX's sed. I am using GNU's sed and GNU's make. And GNU's bash to process the configure.

I'm fairly good at tracking this sort of thing down but I thought I would ask for any suggestions first.

Looks a lot like the automake automatic dependencies failing to be done properly. libsquid.a pulls in an unfortunately large amount of dependencies and is not strictly needed anyway. Looks like libtool usually strips it out of the link.

On a slightly related note, are you aware of any official package for AIX squid or squid-3 I can plunder for patches? This may be a known issue to the maintainer (if any).

PS. we are looking for more OS to become build testers: http://wiki.squid-cache.org/BuildFarm :)

Amos
(Squid-3 maintainer)
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14
Re: [squid-users] help on squid setup
Benedict simon wrote:

Dear All,

I have used Squid before but im little confused on as how to implement squid on the following setup

current setup as follows

DSL router with a public Ip for the WAN ( connection to the ISP)
lan ip address on dsl router is 192.168.1.254
local network 192.168.100.0/24

right now the clients have the gateway as 192.168.1.254 and they are able to access internet fine

I want to implement linux squid proxy server so that i have better controls that is ( time based restrictions , ip based restrictions and block certain web sites ) through squid ACLS

I think i have to implement squid as a transparent proxy server with 2 lan cards on the squid server

appreciate if someone could advise me as how to go about the setup or some links which do explain about the setup i like to implement

thanks and regards
simon

All the easy ways: http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

Alternatively plug the users switch into one NIC and the DSL box into the second NIC. Setup the squid box as a full router gateway between the two sides, it can then do whatever NAT interception you need for the "transparent" interception, or simply firewall access or software/people which do not use the proxy gateway.

Amos
Re: [squid-users] If used as transparent proxy, anyway to authenticate users?
Andres Salazar wrote:

Hello,

Squid user based authentication is a high advantage to placing access lists. I am however forced to place squid as a transparent proxy but I need some kind of authentication for users passed to squid to manage the ACLs (specific allow lists, reply body size, etc).

Is there _any_ workaround (even if it is complex) that I can authenticate users with a transparent proxy? Perhaps with a captive portal that displays a single login page until authenticated and then somehow passing that authentication to squid so it gives them the allowed access?

Best way is to use WPAD/PAC to 'transparently' and automatically configure the browser. http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

Second best is to add to the above a captive portal page which instructs users how to configure their browser for the proxy.

After that, the complex way of side-band identification using an external_acl_type helper which returns "OK user=XX" when an identifiable machine is matched against a database of logged in users vs machines.

Amos
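A minimal helper for the side-band identification Amos describes, as an added example that is not from the original message or the Squid project: it answers each %SRC lookup with "OK user=..." or "ERR". The session table format, the helper path and the ACL names are hypothetical.

```python
#!/usr/bin/env python3
"""Side-band identification helper for Squid's external_acl_type (added example).

squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type portal_session ttl=60 negative_ttl=10 children=5 %SRC /usr/local/bin/portal_session_helper.py
  acl portal_user external portal_session
  http_access allow portal_user

Squid caches each answer for ttl seconds, so a logout takes up to ttl to apply.
Identification is by source IP only: hosts behind NAT share one identity.
"""
import ipaddress
import re
import sys
import time

# Constructed sample of the portal's session table: "client-ip username expiry-epoch".
# A real portal would write this to a store the helper re-reads.
SAMPLE_SESSIONS = """\
192.168.100.21 alice 2000000000
192.168.100.22 bob 1000000000
"""

# The user name is echoed into the reply line, so refuse anything with
# whitespace or "=" that could inject extra key=value pairs.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")


def load_sessions(text):
    """Parse the session table into {ip_address: (user, expiry)}, skipping bad rows."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            client = ipaddress.ip_address(parts[0])
            expiry = int(parts[2])
        except ValueError:
            continue
        if SAFE_USER.fullmatch(parts[1]):
            sessions[client] = (parts[1], expiry)
    return sessions


def answer(sessions, request_line, now):
    """Return the helper reply for one request line containing the %SRC value."""
    fields = request_line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        client = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    entry = sessions.get(client)
    if entry is None or entry[1] <= now:
        return "ERR"          # unknown machine or expired login
    return "OK user=%s" % entry[0]


def main():
    sessions = load_sessions(SAMPLE_SESSIONS)
    for line in sys.stdin:    # one request per line, one reply per line
        sys.stdout.write(answer(sessions, line, time.time()) + "\n")
        sys.stdout.flush()    # Squid waits for the reply; never leave it buffered


if __name__ == "__main__":
    main()
```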
Re: [squid-users] help on squid setup
[...]

I want to implement linux squid proxy server so that i have better controls that is ( time based restrictions , ip based restrictions and block certain web sites ) through squid ACLS

I think i have to implement squid as a transparent proxy server with 2 lan cards on the squid server

[...]

Hi Simon, you should be able to do all this from within the router if it is a fairly good one

The Cisco 88x and 89x series definitely do this very well and as for the 88x are ADSL capable! The 89x can be plugged into an ADSL modem or even Metro Ethernet solution or alternately backup line.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml {for ACLs}

Anyhow what I'm trying to say is that it should take off the load of adding extra machines and also reduce overall cost too.

However if you must use a Squid solution then here are some places to start:

http://www.visolve.com/squid/

http://www.squid-cache.org/Doc/config/

and some config examples here:

http://wiki.squid-cache.org/ConfigExamples/

apologies for not being able to help further, however I only use squid as reverse proxy in my network environment :-)

Hope this gets you started though!

Regards,

Kaya