[squid-users] reply_body_max_size

2009-11-10 Thread Gerson "fserve" Barreiros
I want to block any file on the "external network" (internet) with
size bigger than 512 MB and not block that for the internal network.

tried that way:

acl internal_network dstdomain xxx.xxx.xxx.xxx
reply_body_max_size 512 MB !internal_network

and

acl internal_network src xxx.xxx.xxx.xxx
reply_body_max_size 512 MB !internal_network

but it doesn't work.
-- 
=
> Gerson "fserve" Barreiros
> aka. fserve / gbs at irc.freenode.org
> Launchpad: https://launchpad.net/~fserve
> Linux registered user #299560
=


Re: [squid-users] Enforce caching expired object

2009-11-10 Thread Gerson "fserve" Barreiros
Try use


offline_mode on




RE: [squid-users] Tproxy4+squid: ebtables wiki

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 14:50:47 -0800 (PST), Marko Kotar
 wrote:
> I have the same problem on 2.6.27-7 modified by Cavium kernel.
> I patched with patches found on wt6 kernel or something (I've tried also
> with 2.6.26 and 2.6.25 patches)...
> 

As per the squid wiki documentation, kernel 2.6._28_ is the minimal kernel
with working TPROXYv4 support. The later ones up to 2.6.30 are preferable
due to various bug fixes in iptables handling.

The patches available for older kernels appear not to have received the
re-write which the final code got when audited by the netfilter kernel
people. Squid tproxy handling was significantly re-written to cope with the
changes. I'm not surprised by any failures on patched kernels.


> I would be really glad if someone gets a solution so we can use new kernel
> because old one with tproxy2 doesn't work on newer hardware.
> 

Solution: use an even newer kernel.

Amos



Re: [squid-users] Tproxy4+squid: ebtables wiki

2009-11-10 Thread Marko Kotar
Another thing:
Did you compile squid with netfilter configure option?
Did you set TPROXY on the port?



--- On Mon, 11/9/09, Irvan Adrian K  wrote:

> From: Irvan Adrian K 
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: squid-users@squid-cache.org
> Date: Monday, November 9, 2009, 12:48 PM
> So, what is the solution for these threads? Because I'm in the same
> trouble to make TPROXY4 work in UBUNTU 9.10 Server.
> 
> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9,
> and until now, following the manual in http://wiki.squid-cache.org, like this:
> 
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> 
> cd /proc/sys/net/bridge/
> for i in *
> do
>  echo 0 > $i
> done
> unset i
> 
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> 
> squid configuration is default, except
> acl allow all
> 
> After following like above, the iptables counter was increasing,
> redirecting to TPROXY, but there was nothing in the squid, I can't open
> anything..
> 
> But if I change the ebtables --redirect-target to ACCEPT, the connection
> is running, but the packet is just bridged; nothing came to Squid, just
> like nothing is on there..
> 
> Is there someone who can give a clue? Thanks in advance..
> 
> R
> 
> 
> 
> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
> 
> Marko Kotar wrote:
> 
> Just curious which kernel version are u using?
> 
> 
> 
> --- On Thu, 10/29/09, Dan wrote:
> 
> From: Dan 
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" 
> Cc: squid-users@squid-cache.org
> Date: Thursday, October 29, 2009, 5:24 PM
> Those are the same ebtable and iptable rules that I am using except that I
> use DROP. If it is working for you then that is great. :) As for why it
> works that way I don't know. When I use ACCEPT the traffic is bridged
> through and not redirected to squid.
> 
> Thanks,
> 
> Irvan Adrian
> 
> Marko Kotar wrote:
> 
>    Ok
>    My ebtable rules are (without -i option):
>    ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>    ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
> 
>    This might be the difference:
>    Bridge is up and it is having an ip address. Ethernet interfaces are up
>    but not having any ip address assigned.
> 
>    ifconfig eth0 up promisc
>    ...
>    bridge interface is configured with dhclient:
>    dhclient3 br0
> 
>    These rules are for the routing;
>    ip rule add fwmark 1 lookup 100
>    ip route add local 0.0.0.0/0 dev lo table 100
>    And:
>    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>    echo 1 > /proc/sys/net/ipv4/ip_forward
> 
>    iptables are:
>    iptables -t mangle -N DIVERT
>    iptables -t mangle -A DIVERT -j MARK --set-mark 1
>    iptables -t mangle -A DIVERT -j ACCEPT
>    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> 
>    squid configuration is default, except
>    acl allow all
>    and port is set to the same address as in iptables, and having TPROXY set.
> 
>    I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled
>    ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
> 
>    Squid Cache: Version 3.1.0.14
>    configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
> 
>    configured only with additional linux-netfilter flag
> 
>    I've used various network configurations:
>    -virtual computer using VmBox with virtual interface in the linux
>    bridge on guest pc.
>    -computer with two interfaces.
>    -double bridged vmbox: two virtual machines: first having 2 virtual
>    interfaces, bridged and having squid. second virtual pc being client
>    with one virtual interface. one interface of first was bridged on guest
>    computer to external interface, other two were bridged together.
> 
>    Drop didn't work in any of them, accept was tested only in first.
> 
>    i think that's all the settings i have.
> 
> 
>    --- On Wed, 10/28/09, Dan wrote:
> 
>        From: Dan 
>        Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> 
>        To: "Marko Kotar" ,

RE: [squid-users] Tproxy4+squid: ebtables wiki

2009-11-10 Thread Marko Kotar
I have the same problem on 2.6.27-7 modified by Cavium kernel.
I patched with patches found on wt6 kernel or something (I've tried also with
2.6.26 and 2.6.25 patches)...

Packets are getting on the TPROXY rule but nothing happens. Application
stays on listen() as if there were no connection coming.
If I put this port as ordinary proxy it goes through the port.
If I don't use ebtables rules, packets which should go to TPROXY go through
only if application is running.
I thought of possible problems:
-setsockopt doesn't work as it should (possible endian issue but it can't be in
this case).
-endian issues on port number of socket accept (not possible)
-wrong listen address (listen address any=0.0.0.0? probably yes)
-there are 2 dst ports in skb buffer; it could be the wrong one because of patch
-route.c is messed up (tried to copy route.c from 28 kernel but same result)
-there is some problem with second dst ip address if there is one and it gets
blocked somehow or first is used instead of second.


I would be really glad if someone gets a solution so we can use new kernel because
old one with tproxy2 doesn't work on newer hardware.


Marko


--- On Mon, 11/9/09, Roth, Joe  wrote:

> From: Roth, Joe 
> Subject: RE: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Irvan Adrian K" , "Amos Jeffries" 
> Cc: squid-users@squid-cache.org
> Date: Monday, November 9, 2009, 3:22 PM
> So it sounds like this is a problem with ubuntu 9.10 in general? I am
> running the server version as well, everything looks to be compiled
> properly, dmesg shows TPROXY starting, squid shows IP spoofing to be
> starting as well.
> 
> -Original Message-
> From: Irvan Adrian K [mailto:ir...@grahamedia.net.id]
> 
> Sent: Monday, November 09, 2009 8:46 AM
> To: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> 
> Dear Mr Amos, thanks for your response, very helpful..
> 
> Amos Jeffries wrote:
> > Irvan Adrian K wrote:
> >> So, what is the solution for these threads? Because I'm in the same
> >> trouble to make TPROXY4 work in UBUNTU 9.10 Server
> >>
> >
> > Explicit "Server" release or normal? I have recently found that the
> > kernel for normal Ubuntu is missing some routing features needed on an
> > end box pretending to be a server.
> Server release distribution of UBUNTU 9.10, not desktop one.. as you
> know that UBUNTU has several types of distribution: server, desktop,
> etc.., and as we analyze, UBUNTU Server does not differ from Debian, and
> has complete support for TPROXY built in, without recompile:
> 
> xt_tcpudp               2780  2
> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
> xt_MARK                 1884  2
> xt_socket               2556  2
> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY               1948  2
> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
> x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
> 
> >> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
> >> 2.0.9, and until now, following the manual in
> >> http://wiki.squid-cache.org, like this :
> >>
> >> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> >> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> >>
> >> cd /proc/sys/net/bridge/
> >> for i in *
> >> do
> >>  echo 0 > $i
> >> done
> >> unset i
> >>
> >> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> >> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>
> >> iptables are:
> >> iptables -t mangle -N DIVERT
> >> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> >> iptables -t mangle -A DIVERT -j ACCEPT
> >> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> >>
> >> squid configuration is default, except
> >> acl allow all
> >>
> >> After following like above, the iptables counter was increasing
> >> redirecting to TPROXY, but there was nothing
> >> in the squid, i can't open anything..
> >>
> >> But if i change the ebtables --redirect-target ACCEPT, the connection
> >> running, but the packet just bridged nothing came to Squid, just like
> >> nothing on there..
> >
> > Yes. That is why they are "DROP". In BROUTING it means something like;
> > DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we look that, after adding --redirect-target DROP at ebtables,
> counter at iptables -j TPROXY increase, like this one :
> 
> 12830 3896K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/

Re: [squid-users] Squid icap preview problem

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 08:02:49 -0800 (PST), akinf wrote:
> I configured squid to enable icap preview in squid.conf like below, squid
> sends me options request and
> I include preview also in response, but squid does not send me preview
> header and no previewing occurs.
> Logs are outlined below, could you please help?
> 
> icap_enable on
> icap_send_client_ip on
> icap_preview_enable on
> icap_preview_size 0

You expect to pass zero bytes of preview and see it?

 -1 == no preview, otherwise it's a fixed byte size.
 It can be overridden by the ICAP OPTIONS response, but your OPTIONS
response says "Preview: 0" which I take it means 0 bytes again.

Amos

> 
> icap_service service_1 reqmod_precache 0 icap://localhost:1344/tt
> adaptation_service_set service_set_1 service_1
> adaptation_access service_set_1 allow all
> 
> icap_service service_2 respmod_precache 0 icap://localhost:1344/tt
> adaptation_service_set service_set_2 service_2
> adaptation_access service_set_2 allow all
> 
> 
> 
> 2009-11-10 17:25:17,481 DEBUG [ReadWriteDispatcherImpl-Thread-1]
> SelectableSocketEndpoint read 67 bytes on
> java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
> remote=/127.0.0.1:34802]:
> 
> 
> 
> [connected local=/127.0.0.1:1344 remote=/127.0.0.1:34802]:
>   49 43 41 50 2f 31 2e 30  20 32 30 30 20 6f 6b 0d   ICAP/1.0  200
ok.
> 0010  0a 4f 70 74 4d 6f 63 6b  31 3a 20 76 31 0d 0a 4f   .OptMock 1:
v1..O
> 0020  70 74 4d 6f 63 6b 32 3a  20 76 32 0d 0a 4f 70 74   ptMock2: 
v2..Opt
> 0030  69 6f 6e 73 2d 54 54 4c  3a 20 33 36 30 30 30 0d   ions-TTL :
36000.
> 0040  0a 53 65 72 76 69 63 65  2d 49 44 3a 20 74 6f 74   .Service -ID:
tot
> 0050  6f 0d 0a 4d 6f 63 6b 2d  48 65 61 64 65 72 3a 20   o..Mock-
Header:
> 0060  6d 6f 63 6b 2d 76 61 6c  75 65 0d 0a 4d 65 74 68   mock-val
ue..Meth
> 0070  6f 64 73 3a 20 52 45 51  4d 4f 44 2c 20 52 45 53   ods: REQ MOD,
RES
> 0080  50 4d 4f 44 0d 0a 50 72  65 76 69 65 77 3a 20  PMOD..Pr eview:
> 0090  30 0d 0a 45 6e 63 61 70  73 75 6c 61 74 65 64 3a   0..Encap
sulated:
> 00a0  20 6e 75 6c 6c 2d 62 6f  64 79 3d 30 0d 0a 0d 0anull-bo
dy=0
> 
> -Thread-2] ReadWriteDispatcherImpl handled 0 job(s)
> 2009-11-10 17:25:17,539 DEBUG [ReadWriteDispatcherImpl-Thread-2]
> ReadWriteDispatcherImpl read ready on
> java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
> remote=/127.0.0.1:50751]
> 2009-11-10 17:25:17,540 DEBUG [ReadWriteDispatcherImpl-Thread-2]
> SelectableSocketEndpoint read 584 bytes on
> java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
> remote=/127.0.0.1:50751]:
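An added example, not code from the thread or from Squid: it parses an ICAP OPTIONS reply like the one posted above and applies the preview rule Amos describes to the squid.conf values the poster used. The sample reply is constructed with the header values visible in the dump; the function names are my own, and the precedence rule models the thread's description rather than Squid's source.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed OPTIONS reply (hypothetical sample, not bytes taken from the
# thread's dump) using the same header names and values the dump shows.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD, RESPMOD\r\n"
    b"Service-ID: toto\r\n"
    b"Options-TTL: 36000\r\n"
    b"Preview: 0\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

# squid.conf lines as posted in the thread
ICAP_SERVICE_LINES = [
    "icap_service service_1 reqmod_precache 0 icap://localhost:1344/tt",
    "icap_service service_2 respmod_precache 0 icap://localhost:1344/tt",
]


@dataclass
class IcapOptions:
    status: int
    methods: List[str]
    preview: Optional[int]   # None when the server sent no Preview header
    ttl: Optional[int]       # Options-TTL, None when absent


def parse_icap_options(raw: bytes) -> IcapOptions:
    """Parse the status line and headers of an ICAP OPTIONS reply."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise ValueError("OPTIONS reply has no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()]

    def header_int(name: str) -> Optional[int]:
        return int(headers[name]) if name in headers else None

    return IcapOptions(int(parts[1]), methods, header_int("preview"), header_int("options-ttl"))


def effective_preview_size(preview_enable: bool, preview_size: int, opts: IcapOptions) -> int:
    """Preview byte count resulting from squid.conf plus the OPTIONS reply,
    following the rule given in the reply above (a model of the thread's
    description, not lifted from Squid's source): icap_preview_enable off or
    a size of -1 means no preview, otherwise a fixed byte count, and a
    Preview header in the OPTIONS reply overrides icap_preview_size.
    Returns -1 for "no preview"."""
    if not preview_enable:
        return -1
    size = opts.preview if opts.preview is not None else preview_size
    return size if size >= 0 else -1


def squid_service_method(icap_service_line: str) -> str:
    """'icap_service svc reqmod_precache 0 icap://...' -> 'REQMOD'."""
    vectoring_point = icap_service_line.split()[2]
    return vectoring_point.split("_", 1)[0].upper()


def service_method_advertised(icap_service_line: str, opts: IcapOptions) -> bool:
    """True when the OPTIONS reply lists the method this icap_service needs."""
    return squid_service_method(icap_service_line) in opts.methods


if __name__ == "__main__":
    opts = parse_icap_options(SAMPLE_OPTIONS_RESPONSE)
    # The poster's config: icap_preview_enable on, icap_preview_size 0
    print("effective preview size:", effective_preview_size(True, 0, opts))
    for line in ICAP_SERVICE_LINES:
        print(line.split()[1], "method advertised:", service_method_advertised(line, opts))
```

With the posted values (size 0 in squid.conf and "Preview: 0" from the server) the effective preview is 0 bytes, which is why no body preview is ever seen.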

Re: [squid-users] User-Agent change

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 12:08:50 -0500, Eddys Diaz Cuesta wrote:
> How can i change user agent to all petitions passing by the proxy I
> setup for my small LAN. I want that, no matter what browser the users
> use to surf-the-web, it report mozilla firefox 2.x or some other.
> 
> Please, I'm sorry for my bad English, I'm from Cuba and speak mainly in
> Spanish. 
> 
> Thanks in advance.

request_header_access (or header_access in Squid-2) and header_replace
options.
These require Squid to be built with --enable-http-violations so that it
can break HTTP protocol and change protocol information it's not really
allowed to touch.

Amos



Re: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 10:21:04 -0500, "John Czerwinski" wrote:
> I have configured a Squid3 proxy server on Debian using WCCP to a Cisco
> 2821 router (via GRE tunnel). Regular HTTP traffic works just fine. 
> Anytime I try to connect to HTTPS, it times out.

Open port 443 on the firewall to let HTTPS out.

HTTPS cannot be intercepted. It was created as a security protocol
explicitly to prevent interception attacks on network traffic (aka WCCP,
NAT interception, wire tapping, etc).

> 
> I've compiled Squid with --enable-ssl.

This merely lets Squid use SSL operations when clients explicitly
configured to use the proxy request it to make https:// connections. It
also enables TLS in some auth helpers. It's of very little use in a purely
intercepting proxy.

> 
> The squid configuration is as follows:
> 
> 
> 
> # Squid3 Configuration
> #
> #
> #
> # Cisco Router at 10.50.40.1
> # GRE tunnel to Ciso Router at 10.50.1.1
> #
> # Local Squid3 server
> #  name: wwifi-atl-squid1
> #  IP:   10.50.40.100
> # WCCPv2 (Transparent mode)
> #
> 
> visible_hostname wwifi-atl-squid1
> # cache_effective_user squid squid
> http_port 10.50.40.100:3128 transparent

Not a good idea. It's better security to have the port number being
something random that only you, Squid and the Squid box firewall know.

The private port may also be firewalled in the mangle table INPUT chain to
prevent people connecting directly to it from outside.


> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Drop the above.

> acl apache rep_header Server ^Apache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add here:
 refresh_pattern -i (/cgi-bin/|\?)  0 0% 0

> refresh_pattern . 0 20% 4320
> 
> 
> 
> 
> 
> # Access Control List Definitions
> acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24
> 10.50.100.0/24 10.50.201.0/24
> 
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

Add here:
  acl to_localhost dst 0.0.0.0/8

> acl SSL_ports port 443 563   # https, snews
> acl SSL_ports port 873# rsync
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443 563  # https, snews
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210# wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280# http-mgmt
> acl Safe_ports port 488# gss-http
> acl Safe_ports port 591# filemaker
> acl Safe_ports port 777# multiling http
> acl Safe_ports port 631# cups
> acl Safe_ports port 873# rsync
> acl Safe_ports port 901# SWAT
> acl purge method PURGE

Unless you are actually using PURGE it's best not to define it. Simply
defining it as above turns on all the PURGE handling components and makes
Squid hold extra cache indexes etc., wasting a lot of memory.

> acl CONNECT method CONNECT
> 
> # http allows/denies
> always_direct allow all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow localnet
> http_reply_access allow all
> icp_access allow all
> 

Amos


Re: [squid-users] Time-based oddity that I can't quite nail down...

2009-11-10 Thread Henrik Nordstrom
Tue 2009-11-10 at 14:01 -0800, Kurt Buff wrote:

> > Browsing on the proxy without using the proxy is the same as going via
> > the proxy in terms of networking..

> Yes.
> 
> But currently all users on the network are forced through squid to
> browse the web.

Which is relevant to the case of browsing directly from the proxy server
host how?

> I'm opening an exception in the firewall this evening so that I can
> turn off the proxy settings on my workstation and go to the firewall
> directly. I'll turn off the proxy settings for FireFox so that I can
> compare performance against IE, which will be using squid.

Testing from another host than the proxy itself is interesting, but not
conclusive regarding if the problem is Squid or something else..

> If I get anything like normal response times FF, but not in IE, I'll
> have evidence that it's squid. If they both have really crappy times
> loading, then it's something else, and I'll be that much further ahead
> in troubleshooting.

The first is not a valid conclusion due to the large differences,
networking-wise, in how the requests are sent. There are just too many
other things that can go wrong, and very often do.

Testing on a workstation not using the proxy compared to a workstation
using the proxy will honestly not tell you anything, except if that also
fails then you know you can completely rule out it's anything related to
the proxy.

If the workstation going direct works fine then you are pretty much
still at the same square in terms of testing, still not knowing if it's
Squid, the server Squid runs on, the tested web site, firewalls going
bad, broken routers (currently having a fight with such a case where a
router randomly messes with TCP traffic in certain flows but icmp
works).



By testing by running a browser on the proxy server itself you can
identify if the problem is Squid or something outside Squid.


If the test where you run a browser directly on the Squid server host
works fine when going direct but fails when going via Squid on the same
host then you know it's most likely a Squid issue and you should file a
Squid bug report.

If the test where you run a browser directly on the Squid server host
shows the same problems when not using the proxy then you know it's
something outside Squid, and you need to continue searching a bit to
find the culprit, which could be any of

  - Problem with the Squid server host (bad cables, bad drivers, problem
in duplex negotiation, bad operating system, etc..)

  - Problem triggered by differences in the TCP/IP capabilities of the
Squid server host. This is for example a very common problem when Squid
is running on Linux hosts as the linux TCP/IP stack is far more evolved
than Windows and often triggers problems in other equipment such as
firewalls, routers etc causing very bad response times, partially loaded
pages etc.


Regards
Henrik



RE: [squid-users] Reverse proxy, SSL cert for each cache peer

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 09:43:42 -0500, Nick Duda wrote:
> Ok, let me rephrase my question, can someone help me out with my config
> then? Is this correct?
> 
> http_port 80 accel vhost
> https_port 443 accel vhost cert=/path/to/cert1.pem
> key=/path/to//server1.key
> 
> cache_peer www1.server.com parent 80 0 no-query originserver name=www1_http
> cache_peer www2.server.com parent 443 0 no-query originserver ssl name=www2_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert2.pem key=/path/to/server2.key
> cache_peer www3.server.com parent 443 0 no-query originserver ssl name=ww3_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert3.pem key=/path/to/server3.key
> 
> acl acl_www1http dstdomain www1.server.com
> acl acl_www2ssl dstdomain www2.server.com
> acl acl_www3ssl dstdomain  www3.server.com
> 
> cache_peer_access defaultwww allow acl_www1http
> cache_peer_access ssl2 allow acl_www2ssl
> cache_peer_access ssl3 allow acl_www3ssl

The cache_peer names above don't match the ones used in cache_peer
name=XX.

Other than that is looks right to me.

Amos

> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Monday, November 09, 2009 5:45 PM
> To: Nick Duda
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Reverse proxy, SSL cert for each cache peer
> 
> On Mon, 9 Nov 2009 13:41:42 -0500, Nick Duda wrote:
>> Can someone point me to how I can setup squid, to listen on port 443 and
>> depending on the URL being asked, to use a certain cache peer with a
>> certain SSL cert? I've been doing this for just one cache peer, by
>> just using the cert= key= options on the https_port directive. Can they
>> be used on the cache_peer also?
>> 
>> - Nick
> 
> Yes.
> http://www.squid-cache.org/Doc/config/cache_peer
> 
> ... and the config examples in the wiki.
> 
> Amos
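An added example, neither Squid's code nor either poster's: a small squid.conf reviewer that mechanises two points made in this digest, the cache_peer_access / cache_peer name= mismatch Amos spots above and, from the transparent-proxy thread earlier, an acl for method PURGE that no http_access line uses. The sample config is assembled from the posted fragments, and review_squid_conf is my own name.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: the reverse-proxy config posted above, plus the
# "acl purge method PURGE" line from the transparent-proxy thread earlier
# in this digest. Not a complete squid.conf.
SAMPLE_CONF = """\
http_port 80 accel vhost
https_port 443 accel vhost cert=/path/to/cert1.pem key=/path/to/server1.key

cache_peer www1.server.com parent 80 0 no-query originserver name=www1_http
cache_peer www2.server.com parent 443 0 no-query originserver ssl name=www2_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert2.pem key=/path/to/server2.key
cache_peer www3.server.com parent 443 0 no-query originserver ssl name=ww3_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert3.pem key=/path/to/server3.key

acl acl_www1http dstdomain www1.server.com
acl acl_www2ssl dstdomain www2.server.com
acl acl_www3ssl dstdomain www3.server.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE   # defined but never used below

cache_peer_access defaultwww allow acl_www1http
cache_peer_access ssl2 allow acl_www2ssl
cache_peer_access ssl3 allow acl_www3ssl

http_access allow manager localhost
http_access deny manager
"""


def _directives(conf: str):
    """Yield (line number, tokens) for each non-comment, non-empty line."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # squid.conf comments start with '#'
        if line:
            yield lineno, line.split()


def review_squid_conf(conf: str) -> List[str]:
    """Return human-readable findings for the two checks described above."""
    peers: Dict[str, int] = {}            # peer name -> line that defines it
    acls: Set[str] = set()
    purge_acls: Set[str] = set()
    http_access_refs: Set[str] = set()
    peer_access: List[Tuple[int, str, List[str]]] = []

    for lineno, tok in _directives(conf):
        directive = tok[0]
        if directive == "cache_peer" and len(tok) >= 2:
            # name= is optional; without it Squid uses the hostname as the peer name
            name = next((t[len("name="):] for t in tok if t.startswith("name=")), tok[1])
            peers[name] = lineno
        elif directive == "acl" and len(tok) >= 3:
            acls.add(tok[1])
            if tok[2] == "method" and any(t.upper() == "PURGE" for t in tok[3:]):
                purge_acls.add(tok[1])
        elif directive == "http_access":
            http_access_refs.update(t.lstrip("!") for t in tok[2:])
        elif directive == "cache_peer_access" and len(tok) >= 4:
            peer_access.append((lineno, tok[1], [t.lstrip("!") for t in tok[3:]]))

    findings: List[str] = []
    for lineno, peer, acl_names in peer_access:
        if peer not in peers:
            findings.append(
                f"line {lineno}: cache_peer_access names peer '{peer}', but no cache_peer "
                f"line defines name={peer} (defined: {', '.join(sorted(peers)) or 'none'})")
        for acl in acl_names:
            if acl != "all" and acl not in acls:   # 'all' is built in on newer Squid releases
                findings.append(f"line {lineno}: acl '{acl}' is not defined")
    for acl in sorted(purge_acls):
        if acl not in http_access_refs:
            findings.append(
                f"acl '{acl}' turns on PURGE handling but no http_access line uses it; "
                f"drop it unless PURGE is really needed")
    return findings


if __name__ == "__main__":
    for finding in review_squid_conf(SAMPLE_CONF):
        print(finding)
```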


Re: [squid-users] FW: Can not force IE 7 to use HTTP 1.1 through Squid

2009-11-10 Thread Amos Jeffries
On Tue, 10 Nov 2009 07:03:34 -0500, "Sheahan, John" wrote:
> While troubleshooting an internet problem using a sniffer, I noticed that
> when end users use our Squid proxy server, the client always uses HTTP 1.0
> only and never HTTP 1.1.
> I double checked and the advanced settings in my browser (IE 7) are set to
> force HTTP 1.1 whenever possible and when using a proxy but this isn't
> happening.
> 
> When I remove the proxy from the equation and go straight out to the
> internet, the clients always use HTTP 1.1.
> 
> Is this a limitation with Squid?

Yes. Squid is HTTP/1.0 software with various upgrades to handle 1.1,
though not quite enough to be allowed to advertise it safely.

Squid-2.7 was given some config options which can turn on advertising of
HTTP/1.1 to servers and test for problems. However this has known issues
whenever the client and Server attempt to use REQUIRED HTTP/1.1 features
which Squid cannot handle (requests with Expect: headers being the biggest
common one).

We have done more towards HTTP/1.1 support for Squid-3.1, but have not
made the options to advertise it available. Hopefully someone will have
time to add the missing feature support one day.

There is a downloadable checklist spreadsheet of HTTP/1.1 features at
http://wiki.squid-cache.org/Features/HTTP11 if you want to compare Squid
capabilities with your needs.

Amos



Re: [squid-users] Time-based oddity that I can't quite nail down...

2009-11-10 Thread Kurt Buff
On Tue, Nov 10, 2009 at 13:50, Henrik Nordstrom wrote:
> Tue 2009-11-10 at 07:01 -0800, Kurt Buff wrote:
>
>> I'm going to try that this evening. I'll post the results back here.
>> It took a bit of convincing to get approval to open the firewall for
>> browsing without the proxy.
>
> Browsing on the proxy without using the proxy is the same as going via
> the proxy in terms of networking..
>
> Regards
> Henrik

Yes.

But currently all users on the network are forced through squid to
browse the web.

I'm opening an exception in the firewall this evening so that I can
turn off the proxy settings on my workstation and go to the firewall
directly. I'll turn off the proxy settings for FireFox so that I can
compare performance against IE, which will be using squid.

Even with the differences between IE and FF rendering pages, it should
be very obvious if squid is the issue, because the page load times
were anywhere from 30+ seconds to minutes to load all pages.

If I get anything like normal response times FF, but not in IE, I'll
have evidence that it's squid. If they both have really crappy times
loading, then it's something else, and I'll be that much further ahead
in troubleshooting.

Kurt


Re: [squid-users] Time-based oddity that I can't quite nail down...

2009-11-10 Thread Henrik Nordstrom
Tue 2009-11-10 at 07:01 -0800, Kurt Buff wrote:

> I'm going to try that this evening. I'll post the results back here.
> It took a bit of convincing to get approval to open the firewall for
> browsing without the proxy.

Browsing on the proxy without using the proxy is the same as going via
the proxy in terms of networking..

Regards
Henrik



[squid-users] Good statistics/monitoring web app?

2009-11-10 Thread Brian Mearns
Can I get some recommendations on a good web-application/script for
monitoring my cache? I know there's the included cgi script, but I'm
looking for something more robust and more user friendly. I guess some
of the key things I'm looking for are an overview of what's in the
cache (like total number of files, total size), and being able to get
cache info on a specific resource, like whether or not it's cached,
how long it's been cached, when it will expire, etc. A nice pretty
user interface would be a plus (I'm a visual person).

Thanks,
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net


[squid-users] problems with squid_ldap_auth

2009-11-10 Thread Gavin McCullagh
Hi,

I've been trying to get squid_ldap_auth to work on a debian lenny box here
using the packaged squid, which is as follows:


gavi...@muinnamuice:~$ sudo squid -v
Squid Cache: Version 2.7.STABLE3
configure options:  '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' 
'--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' 
'--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' 
'--enable-async-io' '--with-pthreads' 
'--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' 
'--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' 
'--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' 
'--enable-underscores' '--enable-referer-log' '--enable-useragent-log' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' 
'--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 
'i386-debian-linux' 'build_alias=i386-debian-linux' 
'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall 
-g -O2' 'LDFLAGS=' 'CPPFLAGS=' 


I've been following a set of tutorials such as 

http://www.grolmsnet.de/kerbtut/

http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I've set up the keytab, created on the windows server and transferred over, and
all seems to be working:


gavi...@muinnamuice:~$ sudo -u proxy kinit -V -k -t 
/etc/squid/squid_muinnamuice.krb5keytab 
SQUID/muinnamuice.staff.gcd...@staff.gcd.ie
Authenticated to Kerberos v5
gavi...@muinnamuice:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: SQUID/muinnamuice.staff.gcd...@staff.gcd.ie

Valid starting     Expires            Service principal
11/10/09 18:00:57  11/11/09 00:40:57  krbtgt/staff.gcd...@staff.gcd.ie
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
gavi...@muinnamuice:~$ kvno SQUID/muinnamuice.staff.gcd...@staff.gcd.ie
SQUID/muinnamuice.staff.gcd...@staff.gcd.ie: kvno = 3


However, using IE8, which requires ldap auth, authentication seems to be
failing.  Below is the output with debug level 3 in squid.


2009/11/10 18:23:31| Parser: retval 1: from 0->40: method 0->2; url 4->29; 
version 31->39 (1/1)
2009/11/10 18:23:31| Parser: retval 1: from 0->40: method 0->2; url 4->29; 
version 31->39 (1/1)
2009/11/10 18:23:31| squid_kerb_auth: Got 'YR 
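The kinit/klist/kvno sequence above shows that the keytab can obtain a TGT and that the KDC's current key version for the principal is 3. The same two properties can be checked offline, without contacting the KDC: the keytab entry for the service principal has to carry the kvno the KDC reports and an enctype the KDC actually issues (klist -e above shows ArcFour with HMAC/md5, enctype 23). The code below is an added example, not part of this post, of Squid or of the linked tutorials; it parses the MIT keytab format (file version 0x0502) in pure Python and is what `klist -kte` would show, plus the comparison. The keytab bytes are constructed in memory by build_keytab() with a dummy all-zero key, and the principal SQUID/proxy.example.com@EXAMPLE.COM is a placeholder standing in for the obfuscated one above. One caveat worth running this against: a browser doing Negotiate asks the KDC for a ticket for HTTP/<proxy fqdn>, so that is the principal the keytab normally has to contain, whatever name the account was given.

```python
"""Added example, not from the post: parse an MIT-format Kerberos keytab
(file format 0x0502) and check one principal's kvno and enctype against
what the KDC reports. The keytab is constructed in memory by build_keytab()
with a dummy key; the principal name used in __main__ is a placeholder."""
import struct
from datetime import datetime, timezone

ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # printed by klist -e as "ArcFour with HMAC/md5"
}
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes, unix_time)."""
    out = b"\x05\x02"  # keytab file format version
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit vno trailer; vno8 alone caps at 255
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Return one dict per live entry. The key bytes are never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        data = blob[pos:pos + n]
        pos += n
        return data

    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:          # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:    # the 32-bit vno is present only when 4 bytes remain
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key_len": len(key),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc),
        })
    return entries


def check_keytab(blob: bytes, principal: str, kdc_kvno: int, kdc_enctypes):
    """Offline version of the kinit/kvno check: a list of problems, empty when ok."""
    matching = [e for e in parse_keytab(blob) if e["principal"] == principal]
    if not matching:
        return ["%s not in keytab" % principal]
    problems = []
    if not any(e["kvno"] == kdc_kvno for e in matching):
        problems.append("kvno mismatch: keytab has %s, KDC reports %d"
                        % (sorted(e["kvno"] for e in matching), kdc_kvno))
    if not any(e["enctype"] in kdc_enctypes for e in matching):
        problems.append("no entry with an enctype the KDC issues (%s)"
                        % sorted(kdc_enctypes))
    return problems


if __name__ == "__main__":
    # constructed sample: placeholder principal, dummy key, kvno 3 as the thread's KDC reported
    kt = build_keytab([("SQUID/proxy.example.com@EXAMPLE.COM", 3, 23, bytes(16), 1257876057)])
    for e in parse_keytab(kt):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"], e["timestamp"])
    print(check_keytab(kt, "SQUID/proxy.example.com@EXAMPLE.COM", 3, {23}) or "keytab matches KDC")
```

To use it on a real file, read the keytab bytes (they contain the service key, so keep them on the proxy) and pass the kvno printed by `kvno` and the enctypes printed by `klist -e` to check_keytab().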

Re: [squid-users] Squid 3.1 + mrtg

2009-11-10 Thread Babu Chaliyath
Hey, thanks Henrik,

And Amos,
Yes, definitely I can test them for sure.
I'm here to do any help I can offer.

Regards
Babs

On Mon, Nov 9, 2009 at 11:13 AM, Amos Jeffries  wrote:
> Babu Chaliyath wrote:
>>>
>>> Converting IPv4 address fields to IPv6+IPv4 shared trees...
>>>
>>> The client info table had cacheClientAddressType added as .1,
>>> cacheClientAddress shuffled to .2
>>>  ... which bumped all cacheClient* from .N to .N+1
>>>
>>> The peering table had cachePeerIndex added as .1 and
>>> cacheClientAddressType
>>> added as .2
>>>  ... which bumped all cachePeer* from .N to .N+2
>>>
>>> Amos
>>
>> Now that's all going above my head as far as mrtg setup for the squid
>> 3.1 is concerned. Can you guys tell me where and what changes I need to
>> make to get it working?
>> Sorry for this but I couldn't get much idea from these.
>>
>> Regards
>> Babs
>
> Um, I think the best way to go forward is for us to fix this ASAP.
> Are you able to test patches if I do the code?
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>  Current Beta Squid 3.1.0.14
>


[squid-users] User-Agent change

2009-11-10 Thread Eddys Diaz Cuesta
How can I change the user agent for all requests passing through the proxy I
set up for my small LAN? I want that, no matter what browser the users
use to surf the web, it reports Mozilla Firefox 2.x or some other.

Please excuse my bad English; I'm from Cuba and speak mainly
Spanish.

Thanks in advance.




[squid-users] Squid icap preview problem

2009-11-10 Thread akinf

I configured squid to enable icap preview in squid.conf like below. Squid
sends me an OPTIONS request and
I include Preview in the response too, but squid does not send me a Preview
header and no previewing occurs.
Logs are outlined below; could you please help?

icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0

icap_service service_1 reqmod_precache 0 icap://localhost:1344/tt
adaptation_service_set service_set_1 service_1
adaptation_access service_set_1 allow all

icap_service service_2 respmod_precache 0 icap://localhost:1344/tt
adaptation_service_set service_set_2 service_2
adaptation_access service_set_2 allow all



2009-11-10 17:25:17,481 DEBUG [ReadWriteDispatcherImpl-Thread-1]
SelectableSocketEndpoint read 67 bytes on
java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
remote=/127.0.0.1:34802]:
0000  4f 50 54 49 4f 4e 53 20  69 63 61 70 3a 2f 2f 6c   OPTIONS  icap://l

0010  6f 63 61 6c 68 6f 73 74  3a 31 33 34 34 2f 74 74   ocalhost :1344/tt
0020  20 49 43 41 50 2f 31 2e  30 0d 0a 48 6f 73 74 3aICAP/1. 0..Host:
0030  20 6c 6f 63 61 6c 68 6f  73 74 3a 31 33 34 34 0dlocalho st:1344.
0040  0a 0d 0a   ...



[connected local=/127.0.0.1:1344 remote=/127.0.0.1:34802]:
0000  49 43 41 50 2f 31 2e 30  20 32 30 30 20 6f 6b 0d   ICAP/1.0  200 ok.
0010  0a 4f 70 74 4d 6f 63 6b  31 3a 20 76 31 0d 0a 4f   .OptMock 1: v1..O
0020  70 74 4d 6f 63 6b 32 3a  20 76 32 0d 0a 4f 70 74   ptMock2:  v2..Opt
0030  69 6f 6e 73 2d 54 54 4c  3a 20 33 36 30 30 30 0d   ions-TTL : 36000.
0040  0a 53 65 72 76 69 63 65  2d 49 44 3a 20 74 6f 74   .Service -ID: tot
0050  6f 0d 0a 4d 6f 63 6b 2d  48 65 61 64 65 72 3a 20   o..Mock- Header:
0060  6d 6f 63 6b 2d 76 61 6c  75 65 0d 0a 4d 65 74 68   mock-val ue..Meth
0070  6f 64 73 3a 20 52 45 51  4d 4f 44 2c 20 52 45 53   ods: REQ MOD, RES
0080  50 4d 4f 44 0d 0a 50 72  65 76 69 65 77 3a 20  PMOD..Pr eview:
0090  30 0d 0a 45 6e 63 61 70  73 75 6c 61 74 65 64 3a   0..Encap sulated:
00a0  20 6e 75 6c 6c 2d 62 6f  64 79 3d 30 0d 0a 0d 0anull-bo dy=0

-Thread-2] ReadWriteDispatcherImpl handled 0 job(s)
2009-11-10 17:25:17,539 DEBUG [ReadWriteDispatcherImpl-Thread-2]
ReadWriteDispatcherImpl read ready on
java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
remote=/127.0.0.1:50751]
2009-11-10 17:25:17,540 DEBUG [ReadWriteDispatcherImpl-Thread-2]
SelectableSocketEndpoint read 584 bytes on
java.nio.channels.SocketChannel[connected local=/127.0.0.1:1344
remote=/127.0.0.1:50751]:
0000  52 45 51 4d 4f 44 20 69  63 61 70 3a 2f 2f 6c 6f   REQMOD i cap://lo
0010  63 61 6c 68 6f 73 74 3a  31 33 34 34 2f 74 74 20   calhost: 1344/tt
0020  49 43 41 50 2f 31 2e 30  0d 0a 48 6f 73 74 3a 20   ICAP/1.0 ..Host:
0030  6c 6f 63 61 6c 68 6f 73  74 3a 31 33 34 34 0d 0a   localhos t:1344..
0040  44 61 74 65 3a 20 54 75  65 2c 20 31 30 20 4e 6f   Date: Tu e, 10 No
0050  76 20 32 30 30 39 20 31  35 3a 32 35 3a 31 37 20   v 2009 1 5:25:17
0060  47 4d 54 0d 0a 45 6e 63  61 70 73 75 6c 61 74 65   GMT..Enc apsulate
0070  64 3a 20 72 65 71 2d 68  64 72 3d 30 2c 20 6e 75   d: req-h dr=0, nu
0080  6c 6c 2d 62 6f 64 79 3d  34 30 33 0d 0a 41 6c 6c   ll-body= 403..All
0090  6f 77 3a 20 32 30 34 0d  0a 58 2d 43 6c 69 65 6e   ow: 204. .X-Clien
00a0  74 2d 49 50 3a 20 31 30  2e 35 32 2e 34 33 2e 32   t-IP: 10 .52.43.2
00b0  35 0d 0a 0d 0a 47 45 54  20 68 74 74 70 3a 2f 2f   5GET  http://
00c0  77 77 77 2e 73 61 68 69  62 69 6e 64 65 6e 2e 63   www.sahi binden.c
00d0  6f 6d 2f 20 48 54 54 50  2f 31 2e 31 0d 0a 48 6f   om/ HTTP /1.1..Ho
00e0  73 74 3a 20 77 77 77 2e  73 61 68 69 62 69 6e 64   st: www. sahibind
00f0  65 6e 2e 63 6f 6d 0d 0a  41 63 63 65 70 74 3a 20   en.com.. Accept:
0100  74 65 78 74 2f 68 74 6d  6c 2c 61 70 70 6c 69 63   text/htm l,applic
0110  61 74 69 6f 6e 2f 78 68  74 6d 6c 2b 78 6d 6c 2c   ation/xh tml+xml,
0120  74 65 78 74 2f 63 73 73  2c 20 2a 2f 2a 0d 0a 41   text/css , */*..A
0130  63 63 65 70 74 2d 43 68  61 72 73 65 74 3a 20 69   ccept-Ch arset: i
0140  73 6f 2d 38 38 35 39 2d  31 2c 20 75 74 66 2d 38   so-8859- 1, utf-8
0150  3b 20 71 3d 30 2e 37 2c  20 2a 3b 20 71 3d 30 2e   ; q=0.7,  *; q=0.
0160  37 0d 0a 41 63 63 65 70  74 2d 45 6e 63 6f 64 69   7..Accep t-Encodi
0170  6e 67 3a 20 67 7a 69 70  2c 20 64 65 66 6c 61 74   ng: gzip , deflat
0180  65 2c 20 78 2d 67 7a 69  70 2c 20 69 64 65 6e 74   e, x-gzi p, ident
0190  69 74 79 3b 20 71 3d 30  2e 39 0d 0a 41 63 63 65   ity; q=0 .9..Acce
01a0  70 74 2d 4c 61 6e 67 75  61 67 65 3a 20 74 72 3b   pt-Langu age: tr;
01b0  71 3d 31 2e 30 2c 65 6e  3b 71 3d 30 2e 35 2c 66   q=1.0,en ;q=0.5,f
01c0  72 3b 71 3d 30 2e 35 2c  64 65 3b 71 3d 30 2e 35   r;q=0.5, de;q=0.5
01d0  2c 69 74 3b 71 3d 30 2e  35 2c 6e 6c 3b 71 3d 30   ,it;q=0. 5,nl;q=0
01e0  2e 35 0d 0a 55 73 65 72  2d 41 67 65 6e 74 3a 20   .5..User -Agent:
01f0  4d 6f 7a 69 6c 6c 61 2f  35 2e 30 20 28 53 79 6d   Mozilla/ 5.0 (Sym
0200  62 69 61 6e 4f 53 2f 39  2e 31 3b 20 55 3

[squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

2009-11-10 Thread John Czerwinski
I have configured a Squid3 proxy server on Debian using WCCP to a Cisco 2821 
router (via GRE tunnel). Regular HTTP traffic works just fine.  Anytime I try 
to connect to HTTPS, it times out.  

I've compiled Squid with --enable-ssl.  

The squid configuration is as follows:



# Squid3 Configuration
#
#
#
# Cisco Router at 10.50.40.1
# GRE tunnel to Cisco Router at 10.50.1.1
#
# Local Squid3 server
#  name: wwifi-atl-squid1
#  IP:   10.50.40.100
# WCCPv2 (Transparent mode)
#

visible_hostname wwifi-atl-squid1
# cache_effective_user squid squid
http_port 10.50.40.100:3128 transparent

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320





# Access Control List Definitions
acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24 
10.50.100.0/24 10.50.201.0/24

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563   # https, snews
acl SSL_ports port 873# rsync
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443 563  # https, snews
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl Safe_ports port 631# cups
acl Safe_ports port 873# rsync
acl Safe_ports port 901# SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# http allows/denies
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_reply_access allow all
icp_access allow all






debug_options ALL,1

# Following options are for transparent mode
wccp2_router 10.50.40.1
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_address 10.50.40.100


Re: [squid-users] Time-based oddity that I can't quite nail down...

2009-11-10 Thread Kurt Buff
On Tue, Nov 10, 2009 at 03:14, Henrik Nordstrom
 wrote:
> sön 2009-11-08 klockan 19:23 -0800 skrev Kurt Buff:
>> Thanks for looking at it, and if you have any more thoughts, I'd love
>> to hear them.
>
> Have you tried browsing from the proxy server but without using Squid?
>
> Regards
> Henrik

I'm going to try that this evening. I'll post the results back here.
It took a bit of convincing to get approval to open the firewall for
browsing without the proxy.

Kurt


RE: [squid-users] Reverse proxy, SSL cert for each cache peer

2009-11-10 Thread Nick Duda
Ok, let me rephrase my question, can someone help me out with my config then? 
Is this correct?

http_port 80 accel vhost
https_port 443 accel vhost cert=/path/to/cert1.pem key=/path/to/server1.key

cache_peer www1.server.com parent 80 0 no-query originserver name=www1_http
# DONT_VERIFY_PEER turns off certificate validation of the origin server;
# each cache_peer line must be a single line in squid.conf
cache_peer www2.server.com parent 443 0 no-query originserver ssl name=www2_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert2.pem key=/path/to/server2.key
cache_peer www3.server.com parent 443 0 no-query originserver ssl name=www3_ssl sslflags=DONT_VERIFY_PEER cert=/path/to/cert3.pem key=/path/to/server3.key

acl acl_www1http dstdomain www1.server.com
acl acl_www2ssl dstdomain www2.server.com
acl acl_www3ssl dstdomain www3.server.com

# cache_peer_access refers to the name= given on the cache_peer line
cache_peer_access www1_http allow acl_www1http
cache_peer_access www2_ssl allow acl_www2ssl
cache_peer_access www3_ssl allow acl_www3ssl

http_access allow acl_www1http
http_access allow acl_www2ssl
http_access allow acl_www3ssl
http_access deny all




-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, November 09, 2009 5:45 PM
To: Nick Duda
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Reverse proxy, SSL cert for each cache peer

On Mon, 9 Nov 2009 13:41:42 -0500, Nick Duda  wrote:
> Can someone point me to how I can setup squid, to listen on port 443 and
> depending on the URL being asked, to use a certain cache peer with a
> certain SSL cert? I've been doing this for just one cache peer, using by
> just using the cert= key= options on the https_port directive. Can they
be
> used on the cache_peer also?
> 
> - Nick

Yes.
http://www.squid-cache.org/Doc/config/cache_peer

... and the config examples in the wiki.

Amos


Re: [squid-users] 1024 file descriptors is good

2009-11-10 Thread Mariel Sebedio
Thanks, I found this solution and at the moment it works very well for 
increasing the max descriptors.


The original problem was in my firewall; at the moment I have the proxy 
with Squid 3.0STABLE19 on RHEL5.4 and it works OK.


Thanks for all.

Luis Daniel Lucio Quiroz wrote:

On Tuesday 20 October 2009 16:04:16, Leonardo Rodrigues wrote:
  

Mariel Sebedio wrote:


Hi, I have a RHEL 5.4 with squid3.0STABLE19 and have a performance
problems...

My cache.log not report warning

When I see in cachemgr.cgi I just have a 1024 File descriptors...
  

if you're not getting the famous WARNING in your cache.log

WARNING! Your cache is running out of filedescriptors

then you really don't need to worry about 1024 FDs. That's not too
much, but that's pretty enough for having a good number of simultaneous
clients.

Filedescriptors problems (running low on them) could give you some
problems, but in any case you would see the warning on your logs. If
you're not seeing it, then problem is not filedescriptor related. And if
that's not filedescriptor related, raising it wont change anything.

your performance problem is somewhere else .




I did fix that with this method:
/etc/security/limits.conf:
*   -   nofile  131072

and configure with --with-filedescriptors=8192

The numbers are just a try, but you must set both of them higher than 1024.  After 
that I got rid of this error.


LD


  



--
Lic. Mariel Sebedio
Division Computos y Sistemas
Tel (02944)-445400 int 2307
INVAP S.E. - www.invap.com.ar



[squid-users] FW: Can not force IE 7 to use HTTP 1.1 through Squid

2009-11-10 Thread Sheahan, John
While troubleshooting an internet problem using a sniffer, I noticed that when 
end users use our Squid proxy server, the client always uses HTTP 1.0 only and 
never HTTP 1.1.
I double checked and the advanced settings in my browser (IE 7) are set to 
force HTTP 1.1 whenever possible and when using a proxy but this isn't 
happening.

When I remove the proxy from the equation and go straight out to the internet, 
the clients always use HTTP 1.1.

Is this a limitation with Squid?

Thanks 

 


Re: [squid-users] Time-based oddity that I can't quite nail down...

2009-11-10 Thread Henrik Nordstrom
sön 2009-11-08 klockan 19:23 -0800 skrev Kurt Buff:
> Thanks for looking at it, and if you have any more thoughts, I'd love
> to hear them.

Have you tried browsing from the proxy server but without using Squid?

Regards
Henrik




Re: [squid-users] Priority of http over https traffic

2009-11-10 Thread Amos Jeffries

squid squid wrote:



Hi,
 
Thank you for the reply. Would like to know if the treating of all requests as equal is the same across all versions of squid??? 
 
Regards.




In general yes.
In practice, each version has differing levels of resource usage by 
certain requests GET vs POST, memory-sourced vs disk-sourced, vs network 
sourced.


PURGE has not altered significantly since 2.5 AFAIK.
 * The cache_dir handling does differ between storage types (ufs, aufs, 
diskd, coss) rather than Squid version.
 * Some releases of Squid-2.7 have differences in what PURGE does due 
to Vary: header handling.


Amos




Date: Fri, 6 Nov 2009 23:47:36 +1300
From: squ...@treenet.co.nz
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Priority of http over https traffic

squid squid wrote:

Hi,



Currently I am running Squid Version 2.7 Stable 4 on a Linux ES3 box
with 2.5GB RAM.



Basically there is no caching configured on the squid apps and it is
being used like a middle man between client and web/apps servers
which has both http and https transaction



Would like to know does squid application give higher priority for
http transaction as compared to https transaction??? That is to say,
a client who access http traffic will get serve by squid apps first
and client who access https traffic will get server later.


No it does not. All requests are equal.

This can be manually changed by using delay_pools to limit available
bandwidth to certain requests.



Kindly also advise is there any way to have detailed logging for
https connection passing thru squid cause the current log only
capture "CONNECT xxx.xxx.com:443" which does not show the actual
status of the transaction.

Not in Squid-2. What you see logged _is_ the entire connection data
available to Squid-2.

Squid-3.1 can go deeper with SslBump, but requires administrative
control over the encryption certificates on the client machine to do so.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.14 		 	   		  




--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14


RE: [squid-users] Priority of http over https traffic

2009-11-10 Thread squid squid



Hi,
 
Thank you for the reply. Would like to know if the treating of all requests as 
equal is the same across all versions of squid??? 
 
Regards.


> Date: Fri, 6 Nov 2009 23:47:36 +1300
> From: squ...@treenet.co.nz
> CC: squid-users@squid-cache.org
> Subject: Re: [squid-users] Priority of http over https traffic
>
> squid squid wrote:
>> Hi,
>>
>>
>>
>> Currently I am running Squid Version 2.7 Stable 4 on a Linux ES3 box
>> with 2.5GB RAM.
>>
>>
>>
>> Basically there is no caching configured on the squid apps and it is
>> being used like a middle man between client and web/apps servers
>> which has both http and https transaction
>>
>>
>>
>> Would like to know does squid application give higher priority for
>> http transaction as compared to https transaction??? That is to say,
>> a client who access http traffic will get serve by squid apps first
>> and client who access https traffic will get server later.
>>
>
> No it does not. All requests are equal.
>
> This can be manually changed by using delay_pools to limit available
> bandwidth to certain requests.
>
>>
>>
>> Kindly also advise is there any way to have detailed logging for
>> https connection passing thru squid cause the current log only
>> capture "CONNECT xxx.xxx.com:443" which does not show the actual
>> status of the transaction.
>
> Not in Squid-2. What you see logged _is_ the entire connection data
> available to Squid-2.
>
> Squid-3.1 can go deeper with SslBump, but requires administrative
> control over the encryption certificates on the client machine to do so.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.14 


Re: [squid-users] squid not being rotated

2009-11-10 Thread Matus UHLAR - fantomas
On 09.11.09 04:47, goody goody wrote:
> I have observed that for a few days my squid cache logs have not been
> rotated, even when I try to rotate them manually with the squid -k rotate command.
> So please guide me on how I can resolve this problem. I am running squid 2.7 on
> FreeBSD 7.

what is your logfile_rotate value? If it's 0, squid only reopens log files
and expects other program(s) to rotate them instead.

Can squid manipulate files in its logging directory?

See cache's logfile (set by cache_log) to see what happens when you issue
the rotate command...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.