Re: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)
Amos, Henrik,

"http_access allow to_ipv6 !to_ipv6" did work; squid now seems to work as required and can access both single-stack (IPv4 or IPv6) and dual-stack (IPv4 and IPv6) destinations. I'm going to play with the configuration within the next days and post a summary of my findings. This may be evolved by the community into a guideline for early IPv6 adopters of squid (although, as you have already written, some more discussion seems to be necessary).

Thanks for your help so far!

Stefan

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 30 October 2009 01:34
To: Moser, Stefan (SIDB)
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)

Moser, Stefan (SIDB) wrote:
> Hi,
>
> we are testing with squid, latest beta, in a dual-stack configuration:
>
> squid is running on SLES 11. The server has 1 interface card only, configured with an IPv4 and an IPv6 address, both running on the standard 3128 port. The server has true, native IPv4 and IPv6 internet connectivity (no IPv6 tunnel broker, etc.). I have applied the "IPv6 magic ACLs" as described in http://www.squid-cache.org/Doc/config/tcp_outgoing_address. The client (latest Internet Explorer and Firefox) talks to squid via IPv4 and IPv6 transport (that means, I enter an IPv4 or IPv6 address in the browser's connection settings).
>
> Now, what DOES work, is the following:
>
> 1. IPv4 transport from browser to squid, squid can access an IPv4-only internet site (site has an A record only in DNS)
> 2. IPv4 transport from browser to squid, squid accesses an IPv6-only internet site (site has an AAAA record only in DNS)
> 3. IPv6 transport from browser to squid, squid accesses an IPv4-only internet site (site has an A record only in DNS)
> 4. IPv6 transport from browser to squid, squid accesses an IPv6-only internet site (site has an AAAA record only in DNS)
>
> So far, so good, this IPv4 / IPv6 bridging obviously works.
>
> Now, what does NOT work, is:
>
> 1. IPv4 transport from browser to squid, squid CANNOT access an IPv4/IPv6 internet site (that means, a site that has both A and AAAA in DNS and that is reachable via IPv6 and IPv4)
> 2. IPv6 transport from browser to squid, squid CANNOT access an IPv4/IPv6 internet site (that means, a site that has both A and AAAA in DNS and that is reachable via IPv6 and IPv4)
>
> The cache log says (true IPv4 address removed for privacy reasons):
>
> 2009/10/28 15:59:46| commBind: Cannot bind socket FD 10 to <IPv4 address from my provider's range>: (22) Invalid argument
> 2009/10/28 15:59:46| WARNING: Reset of FD 10 for <IPv4 address from my provider's range>: failed to bind: (22) Invalid argument
>
> Has anybody encountered the same problem?

Yes. The magic is not complete and has a point of failure.

FWIW, crossover works perfectly for me without tcp_outgoing_addr.

tcp_outgoing_addr is a "fast" category access control and cannot do the dst lookup on its own. The destination IP address needs to be forced by something earlier (http_access) for the magic to work.

I'm working on a few ways to fix this. But for now try adding "http_access allow to_ipv6 !to_ipv6" to your config.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14
[squid-users] Re: acl aclname myip
Hi, Amos

squid-3.0.STABLE18 is OK. but squid-3.1.0.14 ...

Could you fix that?

Sincerely,
--
Mikio Kishi

On Sun, Oct 18, 2009 at 3:52 AM, Mikio Kishi wrote:
> Hi, all
>
> I'd like to use "acl aclname myip" on squid-3.1.0.14 like the following.
>
>   acl testmyip myip 1.1.1.1/32
>
> But, the following error occurred.
>
>   2009/10/16 14:03:21| aclParseAclLine: Invalid ACL type 'myip'
>
> I guess that src/AclReg.cc needs the following line.
>
>   ACL::Prototype ACLMyIP::RegistryProtoype(&ACLMyIP::RegistryEntry_, "myip");
>
> What do you think?
>
> Sincerely,
>
> --
> Mikio Kishi
[squid-users] msn messenger login issue
I have configured squid-2.6 and Dansguardian 2.10.0.3 on RHEL5 for caching and web filtering for my office internet users. I'm facing problems logging into MSN Messenger. I have put ACLs in squid and the MSN IPs in the Dansguardian exceptionsite list but still I am not getting MSN Messenger login. My squid ACLs for allowing MSN Messenger and the Dansguardian exceptionsite list are as under.

Squid ACLs (there is no ACL in my squid.conf to block MSN Messenger):

acl msn_mime req_mime_type -i ^application/x-msn-messenger$
acl msn_gw url_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
http_access allow msn_mime
http_access allow msn_gw
http_access allow msnd

DG exceptionsitelist:

64.4.13.0/24
152.163.241.0/24
64.12.163.0/24
207.46.110.0/24
207.46.1.0/24
65.54.0.0/16
207.46.104.20
207.46.110.0
65.55.149.121
98.136.113.173
64.4.32.7
221.120.250.106
65.242.27.35
64.4.9.254

After doing all this I'm still facing login issues with MSN Messenger. Whenever I try to login it shows the error "login failed, service temporarily unavailable". I have a Juniper firewall behind the proxy which has an any-any policy for the proxy server, the proxy server's iptables are fine, and transparent proxy is disabled due to DG. Here are my squid logs while I try to log into MSN Messenger:

1257142473.253   2479 192.168.151.227 TCP_MISS/200 19905 CONNECT https://login.live.com:443 192.168.151.227 DEFAULT_PARENT/127.0.0.1 -
1257142492.357    438 192.168.151.227 TCP_MISS/200 0 POST http://gateway.messenger.hotmail.com...er.hotmail.com 192.168.151.227 DEFAULT_PARENT/127.0.0.1 -

And my iptables are as under:

iptables -A INPUT --source 192.168.151.227 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --source 192.168.151.98 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --source 0/0 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

And the squid.conf SSL ports configuration is:

acl Safe_ports port 443
http_access deny CONNECT !SSL_ports

I have taken your precious time; your cooperation will be highly appreciated. I have attached snapshots of the MSN Messenger login errors:
http://old.nabble.com/file/p26159990/msnmsgr.jpg
http://old.nabble.com/file/p26159990/msnmsgr1.jpg
Re: [squid-users] WCCP
Ross Kovelman wrote:
> From: Amos Jeffries
> Date: Fri, 30 Oct 2009 14:08:23 +1300
> Cc: "squid-users@squid-cache.org"
> Subject: Re: [squid-users] WCCP

Ross Kovelman wrote:
> I am going to be using WCCP. I did another reconfigure with the --enable WCCP option. How can I check that it is on and running? The next step I need to do is upgrade to version 2 since the Cisco only communicates on version 2. I tried to do the patch < upgrade patch but then I get a response with path to upgrade and I am not sure where the file is I need to patch.

Amos Jeffries wrote:
> There is zero need to patch for support of WCCPv2. It's been built into Squid for many years now.
>
> Run "./configure --help".
>  * If it lists "--disable-wccpv2" there is no need to do anything.
>  * If it lists "--enable-wccpv2", add that to your build options.
>  * If it does not mention "wccpv2" at all, upgrade your Squid version.
>
> Then setup squid.conf with the relevant wccp2_* options. http://www.squid-cache.org/Doc/config/ or the wiki example configs have details on those.

Ross Kovelman wrote:
> Thanks again. Running the ./configure --help only says this:
>
>   --disable-wccp    Disable Web Cache Coordination V1 Protocol
>   --disable-wccpv2  Disable Web Cache Coordination V2 Protocol
>
> When I did the install I ran the ./configure --enable wccp option. I didn't say --enable-wccpv2, does this matter?
> I also have this in the config:
>
>   wccp2_router 192.168.16.1
>   wccp2_forwarding_method 1
>   wccp2_return_method 1
>
> I am running Squid Web Proxy 2.7.STABLE5.

Amos Jeffries wrote:
> Okay. That's fine. The ./configure results mean that both WCCP versions are built into Squid by default unless you explicitly say --disable. Nothing extra needed to build them.
>
> The config options you have there are already WCCPv2-only options for Cisco. Nothing new needed there either.
>
> If that's not working it's a config error somewhere.

Ross Kovelman wrote:
> I am getting this in my cache log:
>
>   Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 20.
>   commBind: Cannot bind socket FD 21 to *:3128: (48) Address already in use
>   Accepting proxy HTTP connections at 0.0.0.0, port 80, FD 21.
>   commBind: Cannot bind socket FD 22 to *:80: (48) Address already in use

Amos Jeffries wrote:
> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Cannot_bind_socket_FD_NN_to_.2A:8080_.28125.29_Address_already_in_use
>
> I would suspect this as part of the problem. The WCCP router will be trying to contact whatever software is already running on port 3128, not the Squid you are starting with WCCP config.

Ross Kovelman wrote:
>   Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
>   WCCP Disabled.
>   Accepting WCCPv2 messages on port 2048, FD 23.

Amos Jeffries wrote:
> To answer your earlier question: the above two lines mean WCCPv1 is disabled, WCCPv2 is being used.

Ross Kovelman wrote:
>   Initialising all WCCPv2 lists
>
> As from my other posting I need WCCP enabled but it is showing disabled. Any reason why? How can I resolve this? Below are my lines in config:
>
>   wccp2_router 192.168.16.1
>   wccp2_forwarding_method 1
>   wccp2_return_method 1

Amos Jeffries wrote:
> The above are only the config of how squid sends packets to the Cisco. WCCP requires configuration of the Cisco, the squid box OS and firewall, and routing tables. Any one of which could be the problem.
>
> The tutorials and troubleshooting info we have at present is a little spread out and disjointed. What how-to are you working from?
>
> Amos

Ross Kovelman wrote:
> Amos,
> I just did a TCP dump and I think my problem is the GRE packet. It is being listed I think as unknown. Shouldn't squid be able to pick the packet up and open it? The Cisco sees squid and relays the information fine but it is stopping at the squid box. Any ideas? I am just google'ing around, no set how-to.

Okay. I've polished up our exemplar configs a little:
http://wiki.squid-cache.org/Features/Wccp2 (some way to go though).

There are four parts to WCCP systems:
 1) WCCP capture and redirect
 2) gre tunnel between the Cisco and Squid boxes
 3) squid box firewall settings and NAT capture of received gre packets
Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
> I have upgraded our squid from 2.5 stable6 to 3.1.0.14. This is because many remote web servers want Microsoft connection-oriented authentication and I have seen that squid 2.5 doesn't forward that kind of authentication.
>
> Now using squid 3.1, my users can connect to such web servers but there is still an issue. From time to time, when uploading a file, users get a blank page and the message "Request not yet fully sent" can be seen in the cache.log file.
>
> Sniffing this (sniffer between proxy and web servers) I can see that, from time to time, servers go on sending authentication requests although the user has already been authenticated (is it a normal behaviour?).

Yes this is _usually_ normal. HTTP being stateless the auth details need to be sent on every request, or the client will be re-challenged.

I say "usually normal", because the client software should be aware of that requirement and send the auth for as many requests as needed in the session.

What is NOT normal here is seeing repeated series of missing-auth requests followed by auth requests from the same clients. This is a sign of either client software breakage, NAT, or missing keep-alive data in the requests.

Persistent connections, aka keep-alive, are REQUIRED on both the client and server connections for NTLM based auth, along with connection pinning to force stateless HTTP into stateful behavior between the client and server.

> So sometimes it happens that Squid receives an authentication request as it is still sending upload data to the server. This stops the upload and produces the message seen in cache.log.

Looks like you have hit a bug. Possibly the one people are struggling with at present where a connection's auth credentials are dropped mid-session.

Can you supply any more detailed trace of what's going on please?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
Re: [squid-users] Squid & squid_session
Henrik Nordstrom wrote:
> Mon 2009-11-02 at 16:07 +0000, Adam Binks wrote:
>> My question is, without using routed static IPs at each site, is it possible to have squid detect the different end users at each site?
>
> Only if you figure out some other means of differentiating the users at the TCP/IP level.
>
> I don't.

I had to get around this in the Treehouse wireless POP sites by carefully locating and purchasing only wireless devices that could bridge or route packets between the client machines and the gateway Squid box without involving NAT.

This has placed great limits on the suppliers we can purchase from, and not exactly cheap pricing, but enables plug-n-play wireless captive portals to be setup relatively easily.

... and before you ask. No, I'm not able to give out any further config info without a paid contract signing your sites up as Treehouse Networks POP ;) /shameless plug.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
Re: [squid-users] Squid 3.1 + mrtg
Henrik Nordstrom wrote:
> Mon 2009-11-02 at 23:47 +1300, Amos Jeffries wrote:
>> Make sure that the mib.txt you/mrtg are using came from the 3.1 source code. There have been major changes to the MIB numbering in 3.1.
>
> Hmm.. what kind of changes? MIB numbering should never change. Old numbers may cease to exist when their data sources go away and new numbers appear as new info gets published, but existing numbering should not change...

Converting IPv4 address fields to IPv6+IPv4 shared trees...

The client info table had cacheClientAddressType added as .1, cacheClientAddress shuffled to .2 ... which bumped all cacheClient* from .N to .N+1

The peering table had cachePeerIndex added as .1 and cacheClientAddressType added as .2 ... which bumped all cachePeer* from .N to .N+2

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
Re: [squid-users] Squid 3.1 + mrtg
> Make sure that the mib.txt you/mrtg are using came from the 3.1 source code.
> There have been major changes to the MIB numbering in 3.1.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>   Current Beta Squid 3.1.0.14
>

Hi, thanks for the reply.

Yes I am using the mib.txt file which came with squid 3.1 only. I have installed it from the ports.

Regards
Babs
Re: [squid-users] Accelerator mode, select peer form request destination ip (feature request?)
Tue 2009-11-03 at 11:26 +1300, Amos Jeffries wrote:
> This requirement is met by adding a cache_peer directive for each back-end
> Apache server. Then using cache_peer_access and ACL of the "myip" type
> limiting the requests passed to each peer to be those received on the
> matching input IP.

But beware of cache pollution attacks when doing this approach.

The urlgroup= http_port option of squid-2 allows the cache pollution problem to be solved by dividing the cache per http_port (urlgroup), but this is not yet available in Squid-3.

Regards
Henrik
Re: [squid-users] Squid & squid_session
Mon 2009-11-02 at 16:07 +0000, Adam Binks wrote:
> My question is, without using routed static IPs at each site, is it
> possible to have squid detect the different end users at each site?

Only if you figure out some other means of differentiating the users at the TCP/IP level.

I don't.

Regards
Henrik
RE: [squid-users] Squid + WCCP + TProxy
Mon 2009-11-02 at 09:23 -0500, Roth, Joe wrote:
> I compiled 3.1.0.14 with the --enable-linux-netfilter option and
> installed.
> Is there any way for me to check that squid is properly enabling the
> kernel option?

The needed kernel option is enabled by iptables, not Squid. The compile + http_port options just tell Squid to query the kernel a little extra to get the actual address info. The actual intercept will work even without any of that, just that the result may not be entirely the expected..

Regards
Henrik
Re: [squid-users] Squid 3.1 + mrtg
Mon 2009-11-02 at 23:47 +1300, Amos Jeffries wrote:
> Make sure that the mib.txt you/mrtg are using came from the 3.1 source
> code. There have been major changes to the MIB numbering in 3.1.

Hmm.. what kind of changes? MIB numbering should never change. Old numbers may cease to exist when their data sources go away and new numbers appear as new info gets published, but existing numbering should not change...

Regards
Henrik
Re: [squid-users] Squid Auth question for machines not belonging to a AD domain
Mon 2009-11-02 at 23:42 +1300, Amos Jeffries wrote:
> IME, I think sending the correct realm or domain in the NTLM or
> Negotiate auth headers may prevent clients attempting auth with a known
> mechanism if they are not part of the domain.

If Microsoft had thought about using the required realm parameter in their NTLM and Negotiate over HTTP schemes maybe, but as it is now those two "smells like HTTP auth but is not" authentication schemes do not support realms and will probably never do.

Regards
Henrik
Re: [squid-users] jesred: regex
On Mon, 2 Nov 2009 15:19:42 +0100, "Riccardo Castellani" wrote:
> In Debian Lenny I installed the Jesred 1.2pl1.16 package and I can see "regex
> RE [RURL [ACCEL]]" doesn't accept the ACCEL parameter; I think my package
> (installed via aptitude) is just pre-compiled without "switch -DUSE_ACCEL".
> The file is /etc/jesred.rules and the unaccepted statements are contained in
> this default file.
> How can I solve it?

1) Contact the Debian package maintainer.
2) Report a bug against the Debian package.
3) Edit your config files to make it work.

Amos
Re: [squid-users] FW: Strange site access problem
On Mon, 2 Nov 2009 17:04:25 -0500, "Meyerovich Aleksandr EH_NY" wrote:
> P.S.
>
> To be more precise it's http://customers.reuters.com/home/default.aspx.
> There's nothing in cache.log or access.log indicative of the problem.
> The page just never finishes loading. I tried excluding aspx from being
> cached, but it did not help.
>
> Can anybody help with this?

The page snippet you pasted indicates a mega-URL of more than 1KB length. Big URLs like this start to hit limits in various software.

Squid-2.6 has a 4KB cap on URL length, so it is probably not that one. However if you use url_rewrite_program or redirect_program helpers they impose their own buffer limits on the length of data sent/received in the URL field.

Amos

> Thanks,
> Alex Meyerovich
>
> -----Original Message-----
> From: Meyerovich Aleksandr EH_NY
> Sent: Monday, November 02, 2009 3:02 PM
> To: 'squid-users@squid-cache.org'
> Subject: Strange site access problem
>
> -----Original Message-----
> From: Meyerovich Aleksandr EH_NY
> Sent: Monday, November 02, 2009 1:22 PM
> To: 'squid-users@squid-cache.org'
> Subject: Strange site access problem
>
> Hi,
>
> As I'm trying to access a site through Squid 2.6 STABLE 17 and after long
> loading I get this:
>
> value="/wEPDwULLTIwMDM0Nzk3NTEPZBYCZg9kFgICBA9kFgICAQ9kFgICBQ8QDxYGHg1EY
> XRhVGV4dEZpZWxkBQROYW1lHg5EYXRhVmFsdWVGaWVsZAUCSWQeC18hRGF0YUJvdW5kZ2QQF
> VEUU2VsZWN0IGEgcHJvZHVjdC4uLi4WRGF0YSBCYWNrdXAgVW5pdCAoREJVKRJEZWFsaW5nI
> G9uIFJldXRlcnMJT24gRGVtYW5kEVJldXRlcnMgMzAwMCBYdHJhKFJldXRlcnMgMzAwMCBYd
> HJhIEhvc3RlZCBUZXJtaW5hbCBBY2Nlc3MaUmV1dGVycyAzMDAwIFh0cmEgTW9iaWxpdHkVU
> mV1dGVycyBCcmlkZ2VTdGF0aW9uD1JldXRlcnMgQ2hhbm5lbA9SZXV0ZXJzIENvbm5lY3QZU
> mV1dGVycyBDb25uZWN0IC0gU3RhdGlvbhhSZXV0ZXJzIERhdGEgRmVlZCBEaXJlY3QaUmV1d
> GVycyBEYXRhU2NvcGUgRXF1aXRpZXMeUmV1dGVycyBEYXRhU2NvcGUgRml4ZWQgSW5jb21lG
> FJldXRlcnMgRGF0YVNjb3BlIE9uc2l0ZRtSZXV0ZXJzIERhdGFTY29wZSBSZWFsLXRpbWUYU
> mV1dGVycyBEYXRhU2NvcGUgU2VsZWN0HlJldXRlcnMgRGF0YVNjb3BlIFRpY2sgSGlzdG9ye
> RRSZXV0ZXJzIERlYWwgVHJhY2tlchRSZXV0ZXJzIERlYWxpbmcgTGluaxJSZXV0ZXJzIEVjb
> 1dpbiBQcm8fUm
>
> It's perfectly loading when bypassing the Squid. The site is
> http://customers.reuters.com
>
> Thanks a lot,
> Alex Meyerovich
>
> ---
> The information contained in this e-mail message and any attached files
> is intended only for the recipient(s) named above. If the reader of
> this message is not the intended recipient or an agent responsible for
> delivering it to the intended recipient(s), you are hereby notified that
> you have received this document in error and that any review,
> dissemination, distribution or copying of this message is strictly
> prohibited. If you have received this communication in error, please
> notify the sender immediately by mail, and delete the original message.
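A helper written the way Amos's caveat above calls for, as an added example that is not from this thread and is not Squid's own code: a url_rewrite_program helper in Python that reads whole request lines, so a URL longer than any fixed buffer passes through intact, shown beside the fixed-size read that silently truncates it. The request-line layout (an optional channel ID, then the URL, then client ip/fqdn, ident, method and any remaining fields) is assumed from the Squid 2.x url_rewrite_program documentation; the rewrite table, hostnames and sample lines are constructed for the example.

```python
# Added example, not Squid's code: a url_rewrite_program helper that cannot
# truncate long URLs, next to the fixed-buffer pattern that does.
# Assumed request line (Squid 2.x): [channel-ID] URL client_ip/fqdn ident method [urlgroup] ...
# Answer: the rewritten URL, or an empty line meaning "leave the URL alone".
import sys

# Constructed rewrite table, prefix -> replacement (hypothetical hostnames).
REWRITES = {
    "http://old.example.com/": "http://new.example.com/",
}


def parse_line(line):
    """Split one helper request into (channel_id, url, remaining_fields).

    The URL is the first space-delimited field, after an optional numeric
    channel ID (present when url_rewrite_concurrency is used). Nothing here
    limits the URL length, so a multi-kilobyte URL arrives whole.
    """
    fields = line.rstrip("\r\n").split(" ")
    channel = None
    if fields and fields[0].isdigit():
        channel = fields.pop(0)
    if not fields or not fields[0]:
        raise ValueError("empty request line")
    return channel, fields[0], fields[1:]


def parse_line_fixed(line, bufsize=1024):
    """The fragile pattern: read at most bufsize bytes, then parse.

    The tail of a long URL and every field after it are lost, so the helper
    answers about a URL the client never asked for (and the leftover bytes
    are read as the start of the next request).
    """
    return parse_line(line[:bufsize])


def rewrite(url):
    """Return the rewritten URL, or "" to tell Squid to keep the original."""
    for prefix, target in REWRITES.items():
        if url.startswith(prefix):
            return target + url[len(prefix):]
    return ""


def answer(line):
    """Build the exact response line Squid expects for one request line."""
    channel, url, _rest = parse_line(line)
    out = rewrite(url)
    if channel is not None:
        # Echo the channel ID back; with no rewrite the answer is just the ID.
        return (channel + " " + out).rstrip() + "\n"
    return out + "\n"


def main():
    # One answer per request line, flushed immediately: Squid waits for it.
    for line in sys.stdin:
        sys.stdout.write(answer(line))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as `url_rewrite_program /path/to/helper.py`; with `url_rewrite_concurrency` set, Squid prefixes each line with a channel ID that the helper must echo back, which `answer()` does. A C helper doing `fgets(buf, 1024, stdin)` without checking that the buffer ends in a newline has exactly the `parse_line_fixed` behaviour, which is the helper-side limit Amos describes.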
Re: [squid-users] Accelerator mode, select peer form request destination ip (feature request?)
You seem to have mixed up your view of the information passed versus the actions taken and what virtual hosting actually does.

On Mon, 2 Nov 2009 21:22:33 +0100, Justo Alonso wrote:
> Hi !
> I'm trying to setup an apache & squid in accelerator mode
> configuration.

You start by indicating that you are trying to configure a reverse proxy.

> I have the apache in Listen *:80 .. with many virtualhosts and many
> namevirtualhosts (namevirtualhost *:80 too). I have the squid at
> http_port 8080.

Reverse proxies do not work this way. I wonder if the many other meanings of the word "accelerator" have confused you.

A reverse proxy is software talking to the client software pretending to be a web server, but sourcing the replies over the network from a real web server elsewhere.

The client will type http://example.com/ into their browser address bar. In your config that will take them directly to the apache.

To make a reverse-proxy useful you move apache to some other port and place the proxy listening on port 80. Which then is configured to source the data from apache on its other port. So that when clients enter http://example.com/ into their browser address bar it will take them directly to the proxy.

> And now I want squid to make the request to the apache to same
> destination ip that client requested example
>
>   client request -> squid 10.0.0.1:8080 -> apache 10.0.0.1:80
>   client request -> squid 10.0.0.2:8080 -> apache 10.0.0.2:80

You then indicate that you want Squid to make actual physical TCP links to different Apache, based on what the receiving Squid IP was. This has nothing to do with virtual hosting.

This requirement is met by adding a cache_peer directive for each back-end Apache server. Then using cache_peer_access and an ACL of the "myip" type limiting the requests passed to each peer to those received on the matching input IP.

> I want to configure one http_port and a cache_peer by virtualhost ...
> I need a global configuration ... all client requests redirected to
> the same destination ip to diferent port.

You then say that all these apache listening addresses are actually the same machine.

cache_peer is designed to be a TCP link to a _single_ backend software. Virtual hosting has nothing to do with it. This is so low down as to be almost wire-level stuff.

Reading between the lines I guess that you actually want Squid to pass the right information such that incoming requests are handled by the right virtualhost inside Apache, correct?

That is done correctly by having the right accelerator setup. Using http_port settings vhost, vport and defaultsite to alter the Host: header (virtualhost name) as applicable. The cache_peer forcedomain= option is also available, but that is for force-sending only a single virtualhost name to the Apache, the opposite of what you want.

By setting squid to listen on port 80 the client software will be sending Squid the correct Host: header information as needed by apache to find the virtualhost. All you need to do is configure "http_port 80 accel vhost" and one single cache_peer line pointing at Apache, and it works.

http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting

> Reading the documentation I can't find about this, and I'm trying to
> add new option to cache_peer (same-dst-ip) .. if this boolean option
> is set then this cache_peer don't get the host and get the destination
> ip from request ... and open a connection to it on cache_peer port.
>
> What think you about this ?? comments ?? Maybe should I send this
> question to squid-dev list ?
>
> thanks in advance,
> justo

Your description of 'same-dst-ip' seems to me to be you attempting to make squid a semi-transparent proxy instead of an accelerator, by opening security vulnerability CVE-2009-0801 for reverse-proxy (accelerator) configurations as well as interception-proxy configurations. This is a very bad idea.

If you find the basic accelerator config I outlined above still is not workable for your specific needs then please get back to me on the details of why you think this option might still be needed. I'm working on fixes for the CVE and would like to make sure any such option fits with the solution and does not open new vulnerabilities.

Amos
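What Henrik's "beware of cache pollution attacks" warning and Amos's reference to CVE-2009-0801 are both about, as an added example that is not part of this thread and is not Squid code: a toy model of a reverse proxy that picks the backend from the IP the client connected to (what a `myip` ACL sees) while caching under the URL built from the client-supplied Host: header. Backend IPs, hostnames and response bodies are constructed; the two mitigations modelled are Henrik's per-listener cache split (the squid-2 urlgroup idea) and rejecting requests whose Host does not belong to the listener they arrived on.

```python
# Added example, not Squid's code: model of the cache-pollution risk when
# backend selection follows the destination IP but the cache key follows
# the Host: header (the CVE-2009-0801 class of problem).
from dataclasses import dataclass

# Constructed backends: the IP each Apache listens on and the vhosts it serves.
# Apache NameVirtualHost semantics: an unknown Host: lands on the first vhost.
ORIGINS = {
    "10.0.0.1": {"a.example": "<html>site A</html>"},
    "10.0.0.2": {"b.example": "<html>site B</html>"},
}
# Public DNS as the proxy could verify it (constructed).
DNS = {"a.example": "10.0.0.1", "b.example": "10.0.0.2"}


@dataclass(frozen=True)
class Request:
    dst_ip: str   # IP the client actually connected to (what myip matches)
    host: str     # Host: header, entirely under the client's control
    path: str


def origin_fetch(ip, host):
    """What the Apache at `ip` answers for this Host: (default vhost if unknown)."""
    vhosts = ORIGINS[ip]
    return vhosts.get(host, next(iter(vhosts.values())))


class ReverseProxy:
    """cache_peer chosen by dst_ip; cache keyed by URL unless key_by_ip."""

    def __init__(self, key_by_ip=False, verify_host=False):
        self.cache = {}
        self.key_by_ip = key_by_ip        # Henrik's per-listener (urlgroup) split
        self.verify_host = verify_host    # Host must resolve to the listener IP

    def handle(self, req):
        if self.verify_host and DNS.get(req.host) != req.dst_ip:
            return "409 Conflict: Host does not belong to this listener"
        url = "http://" + req.host + req.path
        key = (req.dst_ip, url) if self.key_by_ip else url
        if key not in self.cache:
            self.cache[key] = origin_fetch(req.dst_ip, req.host)
        return self.cache[key]


def run_scenario(proxy):
    """Attacker hits A's IP with B's Host, then a real user asks for B.

    Returns (attacker_response, victim_response). With a URL-only cache key
    the victim is served whatever backend A produced for the forged Host.
    """
    attacker = proxy.handle(Request("10.0.0.1", "b.example", "/"))
    victim = proxy.handle(Request("10.0.0.2", "b.example", "/"))
    return attacker, victim


if __name__ == "__main__":
    for name, proxy in [("url-keyed cache", ReverseProxy()),
                        ("keyed by listening ip", ReverseProxy(key_by_ip=True)),
                        ("host verified", ReverseProxy(verify_host=True))]:
        print(name, run_scenario(proxy))
```

The first proxy is the myip-per-peer setup from the thread with nothing else: one forged request poisons `http://b.example/` for every later client, and because the content came from a backend the operator trusts, nothing in the response looks wrong. Splitting the cache per listening IP stops the cross-site hit; checking that Host belongs to the listener stops the forged request from ever reaching a backend.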
[squid-users] FW: Strange site access problem
P.S.

To be more precise it's http://customers.reuters.com/home/default.aspx. There's nothing in cache.log or access.log indicative of the problem. The page just never finishes loading. I tried excluding aspx from being cached, but it did not help.

Can anybody help with this?

Thanks,
Alex Meyerovich

-----Original Message-----
From: Meyerovich Aleksandr EH_NY
Sent: Monday, November 02, 2009 3:02 PM
To: 'squid-users@squid-cache.org'
Subject: Strange site access problem

-----Original Message-----
From: Meyerovich Aleksandr EH_NY
Sent: Monday, November 02, 2009 1:22 PM
To: 'squid-users@squid-cache.org'
Subject: Strange site access problem

Hi,

As I'm trying to access a site through Squid 2.6 STABLE 17 and after long loading I get this:

http://customers.reuters.com

Thanks a lot,
Alex Meyerovich
[squid-users] Accelerator mode, select peer form request destination ip (feature request?)
Hi!

I'm trying to setup an apache & squid in accelerator mode configuration.

I have the apache in Listen *:80 .. with many virtualhosts and many namevirtualhosts (namevirtualhost *:80 too). I have the squid at http_port 8080.

And now I want squid to make the request to the apache to the same destination ip that the client requested, example:

  client request -> squid 10.0.0.1:8080 -> apache 10.0.0.1:80
  client request -> squid 10.0.0.2:8080 -> apache 10.0.0.2:80

I want to configure one http_port and a cache_peer by virtualhost ... I need a global configuration ... all client requests redirected to the same destination ip to a different port.

Reading the documentation I can't find anything about this, and I'm trying to add a new option to cache_peer (same-dst-ip) .. if this boolean option is set then this cache_peer doesn't get the host and gets the destination ip from the request ... and opens a connection to it on the cache_peer port.

What do you think about this?? comments?? Maybe should I send this question to the squid-dev list?

thanks in advance,
justo
[squid-users] Strange site access problem
-----Original Message-----
From: Meyerovich Aleksandr EH_NY
Sent: Monday, November 02, 2009 1:22 PM
To: 'squid-users@squid-cache.org'
Subject: Strange site access problem

Hi,

As I'm trying to access a site through Squid 2.6 STABLE 17 and after long loading I get this:

http://customers.reuters.com

Thanks a lot,
Alex Meyerovich
[squid-users] Strange site access problem
Hi,

As I'm trying to access a site through Squid 2.6 STABLE 17 and after long loading I get this:

http://customers.reuters.com

Thanks a lot,
Alex Meyerovich
[squid-users] Squid & squid_session
Hi All,

Hopefully someone can help!

I am using squid Version 3.0.STABLE20 with squid_session. The squid_session config in squid.conf is as follows:

external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/squid/libexec/squid_session -t 360
acl session external session
http_access deny !session
deny_info http://some.url.com session

I have some remote sites all using this squid server as a transparent proxy, i.e. no config on the end users' PCs!

Now, the remote sites are all free wifi sites, so the wireless router has a routable static IP and then clients are assigned a 10.0.0.x private IP behind the wireless router.

When the first user of the day connects to the free wifi service they are presented with the webpage as specified in deny_info; however the second user to connect is allowed straight onto the internet! The page is only displayed again if the connection has not been used by anyone for 5+ mins; however 6 people may all connect at the same time and only one of them will see the splash page!

My question is, without using routed static IPs at each site, is it possible to have squid detect the different end users at each site?

Any help is greatly appreciated.

Thanks in advance
Adam
RE: [squid-users] Squid + WCCP + TProxy
I compiled 3.1.0.14 with the --enable-linux-netfilter option and installed. Everything starts and it is listening on 3129, however still nothing arrives. Is there any way for me to check that squid is properly enabling the kernel option?

Thanks,
--Joe

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Sunday, November 01, 2009 5:33 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid + WCCP + TProxy

On Sun, 1 Nov 2009 17:02:52 -0500, "Roth, Joe" wrote:
> A... I will upgrade on Mon.
>
> But will that also make a difference in the box itself seeing the
> connections coming in on 3129? i.e. when I do a "netstat -an | grep 3129",
> I see the box listening on 3129 but I do not see any connections on the
> port.

It makes a difference. The old TPROXYv2 used a kernel lookup similar to the way NAT does to figure out what the client and destination IPs were and use them.

The new TPROXYv4 kernels send the IPs directly on the accept()'d connection without being asked. The IPs arrive in reverse order to usual (local 'me' == real client IP, and remote 'client' == real client destination IP) and can cause unsuspecting software to go badly. The new Squid have to configure a special kernel option to indicate they can handle this type of warped IP operations safely before the kernel will permit connections to arrive.

Amos

>
> Thanks for the response!
>
> --Joe
>
>
>
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Sun 11/1/2009 4:37 PM
> To: Roth, Joe
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid + WCCP + TProxy
>
>
>
> On Sun, 1 Nov 2009 08:09:52 -0500, "Roth, Joe" wrote:
>> I followed the guide here to set up squid to do transparent caching using
>> wccpv2, and it works quite well. So I took the next step to use tproxy.
>>
>> I followed this page to introduce tproxy into the mix:
>>
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>>
>> The kernel is compiled with tproxy, as is iptables and squid 2.7Stable7.
>>
>> I have set up iptables, the ip rule and ip route according to the guide.
>>
>> I'm running Ubuntu with kernel 2.6.28, iptables 1.4.3, squid 2.7.Stable7.
>>
>> For some reason the traffic never makes it to port 3129. Do I need to
>> leave the iptables nat config for 3128 even though I am using tproxy? Am I
>> missing something here?
>
> The native TPROXY that comes in kernel 2.6.28 is TPROXYv4.
> Support for that version of TPROXY is only in Squid-3.1 and later.
>
> Amos
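Amos's point about the kernel opt-in, as an added example that is not from this thread and not Squid's own code: a minimal Linux listener that sets IP_TRANSPARENT (the socket option a TPROXYv4 kernel checks before delivering diverted connections) and reports why the call failed, which is one way to test what Joe asks about. The function names, the port argument and the verdict strings are my own; it assumes Linux and that setting IP_TRANSPARENT needs CAP_NET_ADMIN.

```c
/* Added example (not from the list thread and not Squid's own code): the
 * socket-level opt-in a TPROXYv4 kernel requires before it will deliver
 * diverted connections.  Assumes Linux; IP_TRANSPARENT needs CAP_NET_ADMIN. */
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h>; missing in old libcs */
#endif

/* Open a TCP listener on port (0 = any free port) with IP_TRANSPARENT set.
 * Returns the listening fd, or -errno (-EPERM: no CAP_NET_ADMIN, e.g. proxy
 * not started as root; -ENOPROTOOPT: kernel or libc without TPROXY support).
 * A listener created without this option still shows up in "netstat -an",
 * yet the kernel never hands it diverted flows: the "listening on 3129 but
 * nothing arrives" symptom. */
int tproxy_listen(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 64) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Operator-readable verdict for what tproxy_listen() returned. */
const char *tproxy_verdict(int rc)
{
    if (rc >= 0)            return "ok: listener accepts TPROXY-diverted flows";
    if (rc == -EPERM)       return "no CAP_NET_ADMIN: start the proxy as root";
    if (rc == -ENOPROTOOPT) return "kernel has no TPROXY support";
    return strerror(-rc);
}
```

Run it as the same user Squid starts as: an -EPERM verdict means the daemon can open port 3129 but will never be handed the TPROXY-diverted connections.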
[squid-users] jesred: regex
In Debian Lenny I installed the Jesred 1.2pl1.16 package and I can see "regex RE [RURL [ACCEL]]" doesn't accept the ACCEL parameter; I think my package (installed via aptitude) is just pre-compiled without "switch -DUSE_ACCEL". The file is /etc/jesred.rules and the unaccepted statements are contained in this default file. How can I solve it?

A row example in jesred.rules is:

  # regex ^http://www.artuframe.com/partners/affiliates/banners.* http://141.44.30.2/images/dot.gif
Re: [squid-users] Squid 3.1 + mrtg
Babu Chaliyath wrote:
> Hi List,
>
> Struggling to get mrtg working with squid. No values shown in the mrtg graph. My system is as follows:
>
>   OS Freebsd 7.2
>   Squid 3.1.0.14
>   Snmpwalk 5.4.2.1
>   mrtg 2.16.2
>
> Squid snmp acls are working fine as I am getting results with the following command:
>
>   #snmpwalk -m /usr/local/etc/squid/mib.txt -v2c -Cc -c public localhost:3401 .1.3.6.1.4.1.3495.1.1
>
> But when I run mrtg I am getting the following errors:
>
>   Unknown SNMP var cacheServerRequests at /usr/local/bin/mrtg line 2202
>   Unknown SNMP var cacheServerRequests at /usr/local/bin/mrtg line 2202
>   Unknown SNMP var cacheUptime at /usr/local/bin/mrtg line 2202
>   Unknown SNMP var cacheSoftware at /usr/local/bin/mrtg line 2202
>   Unknown SNMP var cacheVersionId
>
> Btw I am using the mrtg configurator downloaded from Adrian Chadd's squid blog. Available in < http://www.xenion.com.au/static/squid-mrtg-1.0.tar.gz >
>
> It would be great if anyone can help me out with some clues where I am going wrong.
>
> Regards
> Babs

Make sure that the mib.txt you/mrtg are using came from the 3.1 source code. There have been major changes to the MIB numbering in 3.1.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
Re: [squid-users] Squid Auth question for machines not belonging to a AD domain
Markus Moeller wrote:
> Does anybody know how a Windows client determines the right authentication mechanism? I have a case where most clients are on a Windows domain and squid_kerb_auth works fine. Now I have clients from visitors which have never been on the domain. Can I send to these clients a list of authentication mechanisms (e.g. Negotiate Digest Basic)? If so, would the client always choose Negotiate with NTLM?
>
> Thank you
> Markus

IIRC it's the first-known mechanism from the list of headers received in line-order. Depends on the Windows API or library the app is built against as to what is supported. The old API only does Basic or NTLM; the newer IE or .NET based libraries (I'm not sure which) seem to do Negotiate as well.

I suspect from the talk of deprecating NTLM that there is probably a new API in Vista++ which does or will do only Basic + Negotiate. Digest may fit in there too somehow.

IME, I think sending the correct realm or domain in the NTLM or Negotiate auth headers may prevent clients attempting auth with a known mechanism if they are not part of the domain.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
[squid-users] Squid 3.1 + mrtg
Hi List,

Struggling to get mrtg working with squid. No values shown in the mrtg graph. My system is as follows:

  OS Freebsd 7.2
  Squid 3.1.0.14
  Snmpwalk 5.4.2.1
  mrtg 2.16.2

Squid snmp acls are working fine as I am getting results with the following command:

  #snmpwalk -m /usr/local/etc/squid/mib.txt -v2c -Cc -c public localhost:3401 .1.3.6.1.4.1.3495.1.1

But when I run mrtg I am getting the following errors:

  Unknown SNMP var cacheServerRequests at /usr/local/bin/mrtg line 2202
  Unknown SNMP var cacheServerRequests at /usr/local/bin/mrtg line 2202
  Unknown SNMP var cacheUptime at /usr/local/bin/mrtg line 2202
  Unknown SNMP var cacheSoftware at /usr/local/bin/mrtg line 2202
  Unknown SNMP var cacheVersionId

Btw I am using the mrtg configurator downloaded from Adrian Chadd's squid blog. Available in < http://www.xenion.com.au/static/squid-mrtg-1.0.tar.gz >

It would be great if anyone can help me out with some clues where I am going wrong.

Regards
Babs
[squid-users] Squid Auth question for machines not belonging to a AD domain
Does anybody know how a Windows client determines the right authentication mechanism? I have a case where most clients are on a Windows domain and squid_kerb_auth works fine. Now I have clients from visitors which have never been on the domain. Can I send to these clients a list of authentication mechanisms (e.g. Negotiate Digest Basic)? If so, would the client always choose Negotiate with NTLM?

Thank you
Markus