[squid-users] Extreme Slow Response from Squid ( Test environment only 4 users at the moment)

From the multiple instance setup using Squid 3stable25 I have shifted to squid3stable1 packaged with Ubuntu 8.04 LTS. However I am unable to understand why it's too much slow. What's wrong, please anybody help out. Is it something to do with Operating system? Or initially Squid runs that much slow? I feel helpless. Please guide me.

My Hardware:
Physical Server IBM 3650
Physical RAID 1 + A Volume Disk each of 73 GB size. Currently I am doing caching on RAID1.
RAM 4GB

My Conf File:

visible_hostname squidLhr
unique_hostname squidDefault
pid_filename /var/run/squid3.pid
http_port 10.1.82.53:8080
icp_port 0
snmp_port 0
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query
#cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay use in the multiple setup
#temporarily Directive
never_direct allow all
#prefer_direct off use in the multiple setup while ponder on the above directive as well as it may not be needed with direct internet access.
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache_swap_low 75
cache_mem 100 MB
range_offset_limit 0 KB
maximum_object_size 4096 MB
minimum_object_size 0 KB
quick_abort_min 16 KB
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#specific for youtube belowone
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#Define Local Network.
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
#Define Local Servers
acl localServers dst 10.0.0.0/8
#Defining & allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost
# Local server should never be forwarded to neighbour/peers and they should never be cached.
always_direct allow localservers
cache deny LocalServers
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate all
http_access allow windowsupdate localhost
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
acl BIP dst "/etc/squid3/Blocked.conf"
Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"
Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dst
[squid-users] TCP MISS 502
Man, Squid does my head in sometimes. This error on Squid v2.6STABLE21, can't get the www.environment.gov.au site up..

1269582298.419 306252 10.xxx.xxx.xxx TCP_MISS/502 1442 GET http://www.environment.gov.au/ - DIRECT/155.187.3.81 text/html [Host: www.environment.gov.au\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-gb,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\nCookie: tmib_res_layout=default-wide; __utma=181583987.2132547050.1269488465.1269509672.1269569388.4; __utmc=181583987; __utmz=181583987.1269488465.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n] [HTTP/1.0 502 Bad Gateway\r\nServer: squid\r\nDate: Fri, 26 Mar 2010 05:44:58 GMT\r\nContent-Type: text/html\r\nContent-Length: 1074\r\nExpires: Fri, 26 Mar 2010 05:44:58 GMT\r\nX-Squid-Error: ERR_READ_ERROR 104\r\n\r]

But works fine from a Squid v3.0STABLE16

Thanks
Ivan
Re: [squid-users] Help with accelerated site
Hi, Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this: Change your apache config to: "Listen 127.0.0.1:80" Change your squid config to: "cache_peer 127.0.0.1 parent 80 0 no-query originserver" "http_port 1.2.3.4:80 accel vhost" Where 1.2.3.4 is, put your public IP. -Al On Thu, 25 Mar 2010, a...@gmail wrote: Date: Thu, 25 Mar 2010 16:30:33 - From: "a...@gmail" To: Ron Wheeler Cc: Amos Jeffries , squid-users@squid-cache.org Subject: Re: [squid-users] Help with accelerated site Hi All, Thank you guys for your help I have tried your suggestions, Yes Ron I know that two programmes can't both listen on the same port at the same time but I thought the Apache was essential for the Proxy server, so thanks for the suggestion, I am including bits of my config here, because now I am getting "Access Denied" even from a local network: Can you guys please take a look at it and see if you can spot what's causing the access denied. note I have tried to allow everything and removed all the "deny" directives and yet it's still denies any access from my local network. That is why I get so confused with Squid, I don't understand it's logic to be perfectly honest, and let me remind you that this config used to work just fine at least it used to allow access to the internet to all the clients on my local network. 
# # Other Access Controls # acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl our_networks dst 192.168.1.0/32 acl our_sites dstdomain www.mysite.org acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network # acl localnet src 192.168.0.0/32 # RFC1918 possible internal network acl localnet src 192.168.1.0/32 #Local Network acl myaccelport port 80 # acl FTP proto FTP acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost #http_access deny manager # http_access deny !Safe_ports http_access allow localnet #http_access deny all # http_access allow intranet # http_access deny all http_access allow our_networks icp_access allow localnet #icp_access deny all htcp_access allow localnet #htcp_access deny all http_acceess allow CONNECT #http_access deny all hosts_file /etc/hosts visible_hostname proxy http_port 3128 hierarchy_stoplist cgi-bin ? cache_effective_user squid access_log /usr/local/squid/var/logs/access.log squid cache_log /usr/local/squid/var/logs/cache.log cache_store_log /usr/local/squid/var/logs/store.log pid_filename /usr/local/squid/var/logs/squid.pid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 
0 20% 4320 icp_port 3130 htcp_port 4827 # allow_underscore on coredump_dir /usr/local/squid/var/cache Can anyone see what's wrong with this config and if possible to point it out to me, your help would be much appreciated Thanking you in advance Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" Cc: "Amos Jeffries" ; Sent: Thursday, March 25, 2010 1:58 AM Subject: Re: [squid-users] Help with accelerated site a...@gmail wrote: Hello there, Thanks for the reply Ron and Amos Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3 Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80. I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4 And I do have the vhost in my configuration Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't. I hope it makes more sense to you what I am trying to describe here Very helpful. You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80. You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80. If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct) If you then try to start apache on 192.168.1.4 it will certainly complain loud
Re: [squid-users] reverse proxy question
Hi,

I just emailed "squid-users@squid-cache.org". I would think that they would use majordomo to forward the email to everyone on their "list". You are on their "list". So, I didn't have your email address, but I do now (because you emailed me directly). To unsubscribe send a message to: squid-users-unsubscr...@squid-cache.org. I hope this helps!

-Al

On Thu, 25 Mar 2010, b...@billfair.com wrote:

Date: Thu, 25 Mar 2010 17:54:21 -0500
From: b...@billfair.com
To: Al - Image Hosting Services
Subject: Re: [squid-users] reverse proxy question

Can you tell me how you got my email? I want to stop receiving information about squid and can't seem to get unsubscribed.

Thanks,
Bill
b...@billfair.com
Auction!...the most accurate Price Discovery Mechanism today! for upcoming auctions see www.billfair.com 785-887-6966 Desk Phone 800-887-6929 Anytime Bill Fair and Company, Inc. 478 N. 1950 Rd. Lecompton, KS 66050

On Mar 22, 2010, at 2:33 PM, Al - Image Hosting Services wrote:

Hi, I have a reverse proxy setup. It has worked well except now the apache server is getting overloaded. I would like to change my load balancing so that I send all the dynamic content to one server like php to the apache server and all the static content like .gif, .jpg, .html to another webserver. Is there a way to do this and where is it documented? Also, could someone recommend a light weight server for static content?

Thanks,
Al
Re: [squid-users] TCP_MISS
Rudolf Meijering wrote: Hi, access.log gives the following misses for gif files: 1269544961.348 4312 10.1.0.105 TCP_MISS/200 1431 GET http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF - DIRECT/146.232.128.112 image/gif 1269544996.893 39857 10.1.0.105 TCP_MISS/200 1542 GET http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF - DIRECT/146.232.128.112 image/gif 1269545005.696996 10.1.0.105 TCP_MISS/200 1078 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525965.GIF - DIRECT/146.232.128.115 image/gif 1269545005.754 1053 10.1.0.105 TCP_MISS/200 1349 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525966.GIF - DIRECT/146.232.128.115 image/gif 1269545005.804 1103 10.1.0.105 TCP_MISS/200 1078 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525967.GIF - DIRECT/146.232.128.115 image/gif 1269545007.327 2627 10.1.0.105 TCP_MISS/200 940 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/526074.GIF - DIRECT/146.232.128.115 image/gif 1269545010.443 5743 10.1.0.105 TCP_MISS/200 1099 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525968.GIF - DIRECT/146.232.128.115 image/gif 1269545011.320 1837 10.1.0.105 TCP_MISS/200 11973 GET http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF - DIRECT/146.232.128.112 image/gif 1269545020.259793 10.1.0.105 TCP_MISS/200 1385 GET http://www.mymaties.com/portal/pls/portal/docs/1/624561.GIF - DIRECT/146.232.128.112 image/gif 1269545020.486995 10.1.0.105 TCP_MISS/200 865 GET http://www.mymaties.com/portal/pls/portal/docs/1/19147.GIF - DIRECT/146.232.128.112 image/gif 1269545022.480 3012 10.1.0.105 TCP_MISS/200 863 GET http://www.mymaties.com/portal/pls/portal/docs/1/24073.GIF - DIRECT/146.232.128.112 image/gif 1269545024.763504 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET http://www.sun.ac.za/newweb07/images/kennis_maroon.gif - DIRECT/146.232.20.38 - 1269545024.856597 10.1.0.105 TCP_MISS/200 1373 GET http://www.mymaties.com/portal/pls/portal/docs/1/590622.GIF - DIRECT/146.232.128.112 
image/gif 1269545026.455 2195 10.1.0.105 TCP_MISS/200 1093 GET http://sun025.sun.ac.za/portal/pls/portal/docs/1/30912.GIF - DIRECT/146.232.128.46 image/gif 1269545026.663 6169 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/FFtr.gif - DIRECT/146.232.128.112 text/html 1269545028.076 3789 10.1.0.105 TCP_MISS/200 1063 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525969.GIF - DIRECT/146.232.128.115 image/gif 1269545028.355 18866 10.1.0.105 TCP_MISS/200 1431 GET http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF - DIRECT/146.232.128.112 image/gif 1269545028.435 4147 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET http://www.sun.ac.za/newweb07/images/bullet2.gif - DIRECT/146.232.20.38 - 1269545029.107 4820 10.1.0.105 TCP_MISS/200 1055 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525972.GIF - DIRECT/146.232.128.115 image/gif 1269545029.335 9869 10.1.0.105 TCP_MISS/200 865 GET http://www.mymaties.com/portal/pls/portal/docs/1/24072.GIF - DIRECT/146.232.128.112 image/gif 1269545029.723 5436 10.1.0.105 TCP_MISS/200 1059 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525970.GIF - DIRECT/146.232.128.115 image/gif 1269545030.245 9982 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/FFtl.gif - DIRECT/146.232.128.112 text/html 1269545030.703 25944 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/pobtrans.gif - DIRECT/146.232.128.112 text/html I have the following refresh patterns: refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern (cgi-bin|\?)0 0% 0 refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern (Release|Package(.gz)*)$0 20% 2880 refresh_pattern \.deb$ 518400 100%518400 override-expire refresh_pattern -i 
\.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320

Any idea why there is so much misses? What could I do to improve the hit rates?

Some of those are responses to IMS requests. Which your rule forces reload requests to become.

Maybe the server is simply responding with 200 OKAY regardless of getting an IMS request.

Maybe the requests actually did have ? query strings. You placed your catch-all dynamic content rules for preventing storage of badly controlled dynamic pages above the image caching rules.

Maybe several of your users favor Chrome. I've heard that browser sends no-cache header by default. Which results in middle proxies being unable to cache anything for improved access, and in fact degrade access for other browsers.

Amos
-- Plea
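
How the rule order raised in the reply plays out, as an added example (not code from the thread or from Squid): Squid applies the first refresh_pattern whose regex matches the URL, so this sketch parses the posted rules and reports which one governs each logged URL. The last log line, its URL and the promote() helper are constructed for illustration, and the ftp/gopher numbers, which are run together in the post, are assumed to be Squid's stock values.

```python
import re

# refresh_pattern rules in the order given in the post (column spacing restored).
# Assumption: the ftp/gopher values are the stock "1440 20% 10080" / "1440 0% 1440".
POSTED_RULES = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern \.deb$ 518400 100% 518400 override-expire
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320
"""

# Three access.log lines from the post plus one constructed line (the last)
# whose URL carries a query string.
SAMPLE_LOG = """\
1269544961.348 4312 10.1.0.105 TCP_MISS/200 1431 GET http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF - DIRECT/146.232.128.112 image/gif
1269545026.663 6169 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/FFtr.gif - DIRECT/146.232.128.112 text/html
1269545028.435 4147 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET http://www.sun.ac.za/newweb07/images/bullet2.gif - DIRECT/146.232.20.38 -
1269545031.000 120 10.1.0.105 TCP_MISS/200 900 GET http://www.example.org/img/logo.gif?v=2 - DIRECT/192.0.2.10 image/gif
"""


def parse_rules(conf):
    """Parse 'refresh_pattern [-i] regex min percent% max [options]' lines."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "refresh_pattern":
            continue
        tok = tok[1:]
        flags = 0
        if tok[0] == "-i":              # case-insensitive match
            flags, tok = re.IGNORECASE, tok[1:]
        rules.append({
            "pattern": tok[0],
            # Squid uses POSIX extended regex; Python's re agrees for these patterns.
            "regex": re.compile(tok[0], flags),
            "min": int(tok[1]),
            "percent": int(tok[2].rstrip("%")),
            "max": int(tok[3]),
            "options": tok[4:],
        })
    return rules


def first_match(rules, url):
    """Return the first rule whose regex matches anywhere in the URL."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None


def explain_log(log_text, rules):
    """Pair each native-format access.log line with the rule governing its URL."""
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        rule = first_match(rules, fields[6])
        rows.append((fields[3], fields[6], rule["pattern"] if rule else None))
    return rows


def promote(rules, pattern):
    """Copy of the rule list with the named rule moved to the top (illustration only)."""
    chosen = [r for r in rules if r["pattern"] == pattern]
    return chosen + [r for r in rules if r["pattern"] != pattern]


if __name__ == "__main__":
    for code, url, pattern in explain_log(SAMPLE_LOG, parse_rules(POSTED_RULES)):
        print(f"{code:28} {str(pattern):55} {url}")
```

The three URLs taken from the post have no query string and fall through to the image rule; only the constructed `?v=2` URL is caught by the `(cgi-bin|\?)` rule with its zero lifetimes.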
[squid-users] Can someone check a site?
Hi, Can someone running Squid v2.6 STABLE21 check this site for me? http://www.usp.ac.fj

Nothing in the access.log to give me a hint as to where the issue is. I can access it direct, but through Squid it just hangs there after the initial TCP handshake?

[r...@proxy squid]# tcpdump -vvv host 144.120.8.2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:35:24.227005 IP (tos 0x0, ttl 64, id 7227, offset 0, flags [DF], proto: TCP (6), length: 60) xxx.xxx.xxx.xxx.33151 > belo.usp.ac.fj.http: S, cksum 0xb78a (correct), 2265843403:2265843403(0) win 5840
21:35:24.488001 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) belo.usp.ac.fj.http > xxx.xxx.xxx.xxx.33151: S, cksum 0x1a89 (correct), 2369822436:2369822436(0) ack 2265843404 win 5792
21:35:24.488013 IP (tos 0x0, ttl 64, id 7228, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.xxx.33151 > belo.usp.ac.fj.http: ., cksum 0x5ebb (correct), 1:1(0) ack 1 win 46
21:35:24.488077 IP (tos 0x0, ttl 64, id 7229, offset 0, flags [DF], proto: TCP (6), length: 482) xxx.xxx.xxx.xxx.33151 > belo.usp.ac.fj.http: P, cksum 0x15be (incorrect (-> 0x870c), 1:431(430) ack 1 win 46
21:35:24.729001 IP (tos 0x0, ttl 53, id 63867, offset 0, flags [DF], proto: TCP (6), length: 52) belo.usp.ac.fj.http > xxx.xxx.xxx.xxx.33151: ., cksum 0x4401 (correct), 1:1(0) ack 431 win 6432

thanks
Ivan
[squid-users] TCP_MISS
Hi, access.log gives the following misses for gif files: 1269544961.348 4312 10.1.0.105 TCP_MISS/200 1431 GET http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF - DIRECT/146.232.128.112 image/gif 1269544996.893 39857 10.1.0.105 TCP_MISS/200 1542 GET http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF - DIRECT/146.232.128.112 image/gif 1269545005.696996 10.1.0.105 TCP_MISS/200 1078 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525965.GIF - DIRECT/146.232.128.115 image/gif 1269545005.754 1053 10.1.0.105 TCP_MISS/200 1349 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525966.GIF - DIRECT/146.232.128.115 image/gif 1269545005.804 1103 10.1.0.105 TCP_MISS/200 1078 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525967.GIF - DIRECT/146.232.128.115 image/gif 1269545007.327 2627 10.1.0.105 TCP_MISS/200 940 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/526074.GIF - DIRECT/146.232.128.115 image/gif 1269545010.443 5743 10.1.0.105 TCP_MISS/200 1099 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525968.GIF - DIRECT/146.232.128.115 image/gif 1269545011.320 1837 10.1.0.105 TCP_MISS/200 11973 GET http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF - DIRECT/146.232.128.112 image/gif 1269545020.259793 10.1.0.105 TCP_MISS/200 1385 GET http://www.mymaties.com/portal/pls/portal/docs/1/624561.GIF - DIRECT/146.232.128.112 image/gif 1269545020.486995 10.1.0.105 TCP_MISS/200 865 GET http://www.mymaties.com/portal/pls/portal/docs/1/19147.GIF - DIRECT/146.232.128.112 image/gif 1269545022.480 3012 10.1.0.105 TCP_MISS/200 863 GET http://www.mymaties.com/portal/pls/portal/docs/1/24073.GIF - DIRECT/146.232.128.112 image/gif 1269545024.763504 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET http://www.sun.ac.za/newweb07/images/kennis_maroon.gif - DIRECT/146.232.20.38 - 1269545024.856597 10.1.0.105 TCP_MISS/200 1373 GET http://www.mymaties.com/portal/pls/portal/docs/1/590622.GIF - DIRECT/146.232.128.112 image/gif 
1269545026.455 2195 10.1.0.105 TCP_MISS/200 1093 GET http://sun025.sun.ac.za/portal/pls/portal/docs/1/30912.GIF - DIRECT/146.232.128.46 image/gif 1269545026.663 6169 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/FFtr.gif - DIRECT/146.232.128.112 text/html 1269545028.076 3789 10.1.0.105 TCP_MISS/200 1063 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525969.GIF - DIRECT/146.232.128.115 image/gif 1269545028.355 18866 10.1.0.105 TCP_MISS/200 1431 GET http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF - DIRECT/146.232.128.112 image/gif 1269545028.435 4147 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET http://www.sun.ac.za/newweb07/images/bullet2.gif - DIRECT/146.232.20.38 - 1269545029.107 4820 10.1.0.105 TCP_MISS/200 1055 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525972.GIF - DIRECT/146.232.128.115 image/gif 1269545029.335 9869 10.1.0.105 TCP_MISS/200 865 GET http://www.mymaties.com/portal/pls/portal/docs/1/24072.GIF - DIRECT/146.232.128.112 image/gif 1269545029.723 5436 10.1.0.105 TCP_MISS/200 1059 GET http://www.matiesalumni.net/portal/pls/portal/docs/1/525970.GIF - DIRECT/146.232.128.115 image/gif 1269545030.245 9982 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/FFtl.gif - DIRECT/146.232.128.112 text/html 1269545030.703 25944 10.1.0.105 TCP_MISS/304 311 GET http://www.mymaties.com/images/pobtrans.gif - DIRECT/146.232.128.112 text/html I have the following refresh patterns: refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern (cgi-bin|\?)0 0% 0 refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims refresh_pattern (Release|Package(.gz)*)$0 20% 2880 refresh_pattern \.deb$ 518400 100%518400 override-expire refresh_pattern -i 
\.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320

Any idea why there is so much misses? What could I do to improve the hit rates?

-- Rudolf Meijering
[squid-users] Re: Re: Squid Kerb Auth Issue
Hi Nick,

That looks alright, but I am wondering that because you share the HTTP AD entry with your samba host entry a change by samba to the AD entry makes your HTTP keytab invalid.

Regards
Markus

BTW There is more documentation here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

"Nick Cairncross" wrote in message news:c7d130f3.1d842%nick.cairncr...@condenast.co.uk...

Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner e.g. chgrp squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )

Is there another way to do this (or have I done it wrong)

Nick

On 24/03/2010 23:45, "Markus Moeller" wrote:

How did you create the keytab ?

Markus

"Nick Cairncross" wrote in message news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...

Hi, I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have reported a problem to me that they are prompted repeatedly for an unsatisfiable username and password. When I checked cache.log I noticed that there was a KVNO mismatch being reported. I regenerated my keytab and all was well again. However, I was worried by this so I looked back over my emails and I noticed the same problem occurred 7 days ago (almost to the hour). Does anyone have a suggestion as to what might have caused this/things to check? There haven't been any AD changes.

Thanks,
Nick

** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. Company Registration details: The Conde Nast Publications Ltd Vogue House Hanover Square London W1S 1JU Registered in London No. 226900
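
One way to check for the KVNO mismatch discussed in this thread, as an added example (not from the thread or the Squid wiki): read the key version numbers stored in the keytab file and compare them with the number the KDC currently issues for the HTTP principal. The principal, realm, KVNO values and the build_entry() helper are constructed for the demonstration, and the all-zero key is a dummy.

```python
import struct


def _parse_entry(buf):
    """Decode one keytab record: principal, timestamp, KVNO and enctype."""
    pos = 0

    def take(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return value

    def counted():
        nonlocal pos
        length = take(">H")
        chunk = buf[pos:pos + length]
        pos += length
        return chunk

    ncomp = take(">H")                   # number of name components
    realm = counted().decode()
    components = [counted().decode() for _ in range(ncomp)]
    take(">I")                           # name type, not needed here
    timestamp = take(">I")
    kvno = take(">B")                    # 8-bit KVNO
    enctype = take(">H")
    counted()                            # key bytes: skipped, never returned
    if len(buf) - pos >= 4:              # optional 32-bit KVNO wins when non-zero
        kvno = take(">I") or kvno
    return {"principal": "/".join(components) + "@" + realm,
            "kvno": kvno, "enctype": enctype, "timestamp": timestamp}


def parse_keytab(data):
    """Return the entries of an MIT-format keytab (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # hole left by a removed entry
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def check_keytab(data, principal, kdc_kvno):
    """Compare the keytab's KVNOs for `principal` with the KDC's current KVNO.

    kdc_kvno is supplied by the caller, e.g. the number printed by MIT's
    `kvno <principal>` command after a kinit.
    """
    have = sorted({e["kvno"] for e in parse_keytab(data)
                   if e["principal"] == principal})
    if not have:
        return "missing", have
    return ("ok" if kdc_kvno in have else "stale"), have


def build_entry(principal, kvno, enctype=23, key=b"\x00" * 16,
                timestamp=1269475200):
    """Build one constructed keytab record (dummy key) to feed the parser."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")

    def cs(raw):
        return struct.pack(">H", len(raw)) + raw

    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed keytab: HTTP and host keys both written at KVNO 3.
HTTP_SPN = "HTTP/proxy.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(HTTP_SPN, 3)
                 + build_entry("host/proxy.example.com@EXAMPLE.COM", 3))

if __name__ == "__main__":
    # The directory entry has since moved on to KVNO 4, so the keytab is stale.
    print(check_keytab(SAMPLE_KEYTAB, HTTP_SPN, 4))
    print(check_keytab(SAMPLE_KEYTAB, HTTP_SPN, 3))
```

Run on a schedule against /etc/squid/HTTP.keytab, a "stale" result flags the mismatch before users hit the repeated password prompt.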
Re: [squid-users] filter suggestion for 443
Hi Donovan,

I felt in the same situation as you are and the only solution I've found is to do the task at firewall level. If someone points a reasonable solution for a production environment I would be glad (I'll wait sslBump to reach stable).

donovan jeffrey j wrote:

Greetings

I have a transparent squid with squidguard. I have a case where I need to allow all connections to port 443 except somesite.com. Since I'm not redirecting any 443 through squid. I guess I have to do it at the firewall level. Unless someone could suggest a better way.

Basically " http://www.somesite.com " is blocked, but " https://www.somesite.com " is not. I've tried very hard to stay away from filtering on 443.

Any insight would be helpful

tnx
-j
[squid-users] filter suggestion for 443
Greetings

I have a transparent squid with squidguard. I have a case where I need to allow all connections to port 443 except somesite.com. Since I'm not redirecting any 443 through squid. I guess I have to do it at the firewall level. Unless someone could suggest a better way.

Basically " http://www.somesite.com " is blocked, but " https://www.somesite.com " is not. I've tried very hard to stay away from filtering on 443.

Any insight would be helpful

tnx
-j
Re: [squid-users] Help with accelerated site
Hi All, Thank you guys for your help I have tried your suggestions, Yes Ron I know that two programmes can't both listen on the same port at the same time but I thought the Apache was essential for the Proxy server, so thanks for the suggestion, I am including bits of my config here, because now I am getting "Access Denied" even from a local network: Can you guys please take a look at it and see if you can spot what's causing the access denied. note I have tried to allow everything and removed all the "deny" directives and yet it's still denies any access from my local network. That is why I get so confused with Squid, I don't understand it's logic to be perfectly honest, and let me remind you that this config used to work just fine at least it used to allow access to the internet to all the clients on my local network. # # Other Access Controls # acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl our_networks dst 192.168.1.0/32 acl our_sites dstdomain www.mysite.org acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network # acl localnet src 192.168.0.0/32 # RFC1918 possible internal network acl localnet src 192.168.1.0/32 #Local Network acl myaccelport port 80 # acl FTP proto FTP acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost #http_access deny manager # http_access deny !Safe_ports http_access allow localnet #http_access deny all # http_access allow intranet # http_access deny all http_access allow our_networks icp_access allow localnet #icp_access 
deny all htcp_access allow localnet #htcp_access deny all http_acceess allow CONNECT #http_access deny all hosts_file /etc/hosts visible_hostname proxy http_port 3128 hierarchy_stoplist cgi-bin ? cache_effective_user squid access_log /usr/local/squid/var/logs/access.log squid cache_log /usr/local/squid/var/logs/cache.log cache_store_log /usr/local/squid/var/logs/store.log pid_filename /usr/local/squid/var/logs/squid.pid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 icp_port 3130 htcp_port 4827 # allow_underscore on coredump_dir /usr/local/squid/var/cache Can anyone see what's wrong with this config and if possible to point it out to me, your help would be much appreciated Thanking you in advance Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" Cc: "Amos Jeffries" ; Sent: Thursday, March 25, 2010 1:58 AM Subject: Re: [squid-users] Help with accelerated site a...@gmail wrote: Hello there, Thanks for the reply Ron and Amos Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3 Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80. I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4 And I do have the vhost in my configuration Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't. I hope it makes more sense to you what I am trying to describe here Very helpful. You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80. 
You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80. If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct) If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free. If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80. This will support browser=>Squid on 192.168.1.4 ==> Apache on 192.168.1.4:81 (vhost) ==>Apache 192.168.1.3:80 That is a pretty common approach. Ron Thank you all for your help Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Thursday, March 25, 2010 1:01 A
Re: [squid-users] Sending on Group names after Kerb LDAP look-up
Amos,

Thanks for your help - you are right in that the connector has the ability to receive and manipulate ICAP, and using an NTLM authenticated user allows me to do the thing I need. All was nearly lost. However, if I change to Kerberos authentication on my Squid then the connector breaks because it receives the user name as an UPN. Is it possible to send just the first part of the authenticated user (i.e. Username?) and not include the domain? I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz about using string substitutions (%U, %N etc) Is this achievable with Squid? This could be the final piece in my puzzle...

Thanks,
Nick

On 24/03/2010 05:58, "Amos Jeffries" wrote:

Nick Cairncross wrote:
> Hi All,
>
> Things seem to be going well with my Squid project so far; a combined
> Mac/Windows AD environment using Kerberos authentication with fall
> back of NTLM. I (hopefully) seem to be getting the hang of it! I've
> been trying out the Kerberos LDAP look up tool and have a couple of
> questions (I think the answers will be no..):
>
> - Is it possible to wrap up the matched group name(s) in the header
> as it gets sent onwards to my peer? I used to use the authentication

I don't think so. There is a lot of manipulation magic you can do with the ICAP or eCAP interfaces that is not possible directly in Squid though. The risk is breaking back-end services that can't handle the altered header. Since you say below about already doing so, I assume this is a non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and
> linked into our ISA. Once a user authenticated their group membership
> was forwarded along with their username to my peer (Scansafe). The
> problem is that it only does NTLM auth. It added the group
> (WINNT://[group]) into the header and then a rule base at the peer
> site could be set up based on group. Since I am using Kerberos I
> wondered whether it's possible to send the results of the Kerb LDAP
> auth? I already see the user on the peer as the Kerberos login. It
> would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can log Squid-3.1 into the peer with kerberos credentials. But I do not think the Kerberos details get decoded to a username/password for Squid to pass back as a pair.

>
> This is what I use currently: cache_peer proxy44.scansafe.net parent
> 8080 7 no-query no-digest no-netdb-exchange login=* (From
> http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
>
> - Are there plans to integrate the lookup tool in future versions of
> Squid? I've enjoyed learning about compiling but.. just wondering..
>

No. Plans are for all network-specific adaptation to be done via external helper processes. The *CAP interfaces for add-on modules allow all the adaptation extras to be plugged in as needed in a very powerful way. Check that AV tool, it likely has an ICAP interface Squid-3 can plug into already.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
[squid-users] Multiple domain authentication and active directory group authentication
Hi All,

I am using squid2.7stable6 and my clients are Windows machines. I want to know whether it is possible to make squid authenticate to two different Active Directory servers. I have different security groups in each Active Directory and I want to block websites on the basis of groups. Which authentication helper should be used for this? Please provide me a suitable solution.

Regards
senthil
Re: [squid-users] Re: Squid Kerb Auth Issue
Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner e.g. chgrp squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )

Is there another way to do this (or have I done it wrong)

Nick

On 24/03/2010 23:45, "Markus Moeller" wrote:

> How did you create the keytab ?
>
> Markus
>
> "Nick Cairncross" wrote in message
> news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...
> Hi,
>
> I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have
> reported a problem to me that they are prompted repeatedly for an
> unsatisfiable username and password. When I checked cache.log I noticed that
> there was a KVNO mismatch being reported. I regenerated my keytab and all
> was well again. However, I was worried by this so I looked back over my
> emails and I noticed the same problem occurred 7 days ago (almost to the
> hour). Does anyone have a suggestion as to what might have caused
> this/things to check? There haven't been any AD changes.
>
> Thanks,
>
>
> Nick
[squid-users] Regarding Ntlm authentication
Hi All,

I am using squid 2.7 stable7 and I configured ntlm authentication to authenticate against active directory. I followed the steps as in the squid wiki. The squid.conf is as follows:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

When I set direct proxy in firefox it asks for a username and password. The initial window has realm as "". When I give user name and password it asks again; then I select cancel, and another window asks me for a password, and in this one the realm is "The site says: "Squid proxy-caching web server"". When I give user name and password I am able to browse.

When I use the same in internet explorer it asks for password continuously but no success.

Why do two different prompts appear for user name and password, and why is it not working in IE? Kindly help me.

Regards
senthil
RE: [squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.
Please, I want to add information for my previous query. My previous setup with a single instance was running fine. Another change is that I compiled my new setup with more options this time, like enabling delay pools, cache digest and active directory authentication support. Is the below issue in any way related to this as well? Please, your support is required.

> From: gi...@msn.com
> To: squid-users@squid-cache.org
> Date: Thu, 25 Mar 2010 11:31:01 +
> Subject: [squid-users] After Running Multiple Instances my Squid
> speed/response is extremely slow.
>
>
> Dear All,
>
> Please help me on this as after setting up multiple instances on the same
> server for (cache Directory fault tolerance my squid speed/response is
> extremely slow and even most of the sites keep on opening and opening. I am
> failing to figure out what's wrong. Please guide me on this. I am enclosing my
> configuration files for your reference.
>
>
>
> Instance 1 with which all the users are connected:
>
>
> visible_hostname squidLhr
> unique_hostname squidMainProcess
> pid_filename /var/run/squid3main.pid
> http_port 8080
> icp_port 0
> snmp_port 3161
> access_log /var/logs/access.log
> cache_log /var/logs/cache.log
> cache_effective_user proxy
> cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only
> no-delay
>
> #temporarily Directive
> never_direct allow all
>
> prefer_direct off
> cache_dir aufs /var/spool/squid3 1 32 320
> coredump_dir /var/spool/squid3
> cache deny all
>
> acl localServers dst 10.0.0.0/8
> always_direct allow localservers
> cache deny LocalServers
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> http_access allow localhost
> acl FcUsr src "/etc/squid3/FcUsr.conf"
> acl PUsr src "/etc/squid3/PUsr.conf"
> acl RUsr src "/etc/squid3/RUsr.conf"
> acl BIP dst "/etc/squid3/Blocked.conf"
> acl CONNECT method CONNECT
> # Windows Update Section...
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> http_access allow CONNECT wuCONNECT FcUsr
> http_access allow CONNECT wuCONNECT PUsr
> http_access allow CONNECT wuCONNECT RUsr
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate FcUsr
> http_access allow windowsupdate PUsr
> http_access allow windowsupdate RUsr
> http_access allow windowsupdate localhost
> #Defining & allowing ports section
> acl SSL_ports port 443 #https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl manager proto cache_object
> http_access allow manager localhost
> http_access deny manager
> acl workinghours time MTWHF 09:00-12:59
> acl workinghours time MTWHF 15:00-17:00
> Definitions for BlockingRules#
> ###Definition of MP3/MPEG
> acl FTP proto FTP
> acl MP3url urlpath_regex \.mp3(\?.*)?$
> acl Movies rep_mime_type video/mpeg
> acl MP3s rep_mime_type audio/mpeg
>
> ###Definition of Flash Video
> acl deny_rep_mime_flashvideo rep_mime_type video/flv
> ###Definition of Porn
> acl Sex urlpath_regex sex
> acl PornSites url_regex "/etc/squid3/pornlist"
>
> Definition of YouTube.
> ## The videos come from several domains
> acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
> ###Definition of FaceBook
> acl facebook_sites dstdomain .facebook.com
>
> Definition of MSN Messenger
> acl msn urlpath_regex -i gateway.dll
> acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
> acl msn1 req_mime_type application/x-msn-messenger
>
> Definition of Skype
> acl numeric_IPs url_regex
> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
> acl Skype_UA browser ^skype^
> ##Definition of Yahoo! Messenger
> acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
> acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
> acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
> acl ym dstdomain .voice
[squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.
Dear All,

Please help me on this as after setting up multiple instances on the same server for (cache Directory fault tolerance my squid speed/response is extremely slow and even most of the sites keep on opening and opening. I am failing to figure out what's wrong. Please guide me on this. I am enclosing my configuration files for your reference.

Instance 1 with which all the users are connected:

visible_hostname squidLhr
unique_hostname squidMainProcess
pid_filename /var/run/squid3main.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/access.log
cache_log /var/logs/cache.log
cache_effective_user proxy
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay

#temporarily Directive
never_direct allow all

prefer_direct off
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache deny all

acl localServers dst 10.0.0.0/8
always_direct allow localservers
cache deny LocalServers
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
acl BIP dst "/etc/squid3/Blocked.conf"
acl CONNECT method CONNECT
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate FcUsr
http_access allow windowsupdate PUsr
http_access allow windowsupdate RUsr
http_access allow windowsupdate localhost
#Defining & allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg

###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"

Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com

Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger

Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com
###Definition for Disallowing download of executables from web#
acl downloads url_regex "/etc/squid3/download.conf"
###Definiton of Torrentz
acl torrentSeeds urlpath_regex \.torrent(\?.*)?$
###Definition of Rapidshare###
acl dlSites dstdomain .rapidshare.com .rapidsharemegaupload.com .filespump.com
###-
http_access deny PornSites
http_access deny Sex
#http_access deny RUsr PornSites
#http_access deny PUsr PornSites
#deny everyone porn sites
#http_access deny RUsr Sex
#http_access deny PUsr Sex
http_access deny PUsr msnd
http_access deny RUsr msnd
http_access deny PUsr msn
http_access deny RUsr
Re: [squid-users] pinger? what for
Luis Daniel Lucio Quiroz wrote:

On Wednesday 24 March 2010 19:07:48, Amos Jeffries wrote:

On Wed, 24 Mar 2010 18:28:53 -0600, Luis Daniel Lucio Quiroz wrote:

HI squids,
I did realize that in latest snapshot 3.1 has pinger disabled. I wonder to know what for pinger is?

Squid uses it to securely do ICMP to measure distance to the possible source servers of a request. Optimizing which peers get used for fastest responses. It was on for some extra testing on 3.1 betas, but is not yet installed properly, so has been disabled temporarily again for the coming production release.

Amos

ok, and installing with suid will be enough?

If by "suid" you meant "squid", then yes.

Amos
Re: [squid-users] Squid redirection
jayesh chavan wrote:

Hi,
I have written script which redirects my squid to local apache. It works fine for FOLLOWING SCRIPT

#!c:/perl/bin/perl.exe
$|=1;
while (<>) {
s...@http://www.az@http://117.195.4.252@;
print;
}

But whenever I use this script

#!c:/perl/bin/perl.exe
$|=1;
while (<>) {
s...@http://www.az@http://117.195.4.252//index.html@;
print;
}

It doesn't work. I observed that this is happening due to redirect program which is appending / at the end of rewritten url. It gives error as:
The requested URL /index.html/ was not found on this server.
How to avoid that?

* Squid passes the URL whole to the script
* The redirect script does exactly what you program into it.
* Squid uses exactly what the script outputs.

Your web browser is requesting: http://www.az.com/

http://117.195.4.252/ is a valid URL at the receiving server which is why the first one works.

If you were to request http://www.az.com/some.html methinks that script will re-write it as: http://117.195.4.252//index.html/some.html

Amos
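The appended-path effect described in the reply above, next to a helper that avoids it, as an added Python example (not code from the thread, whose script is Perl). It assumes the matched host is www.az.com as named in the reply, the helper request line format `URL client_ip/fqdn ident method`, and that an empty reply line means "leave the URL unchanged".

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example, not from the thread)."""
import sys
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "www.az.com"        # host named in the reply above
NEW_HOST = "117.195.4.252"     # local Apache address from the post
DEFAULT_PATH = "/index.html"   # assumption: page to serve for a bare "/" request


def prefix_substitute(url):
    """Behaviour of the second script in the post: blind prefix replacement.

    Whatever followed the matched prefix (at least the trailing "/") stays
    glued to the end of the replacement text.
    """
    return url.replace("http://" + OLD_HOST,
                       "http://" + NEW_HOST + "/" + DEFAULT_PATH, 1)


def rewrite(url):
    """Swap only the host; map a bare "/" to DEFAULT_PATH, keep other paths."""
    parts = urlsplit(url)
    if parts.scheme != "http" or (parts.hostname or "").lower() != OLD_HOST:
        return ""                      # empty reply: Squid keeps the original URL
    path = parts.path if parts.path not in ("", "/") else DEFAULT_PATH
    return urlunsplit(("http", NEW_HOST, path, parts.query, ""))


def handle_line(line):
    """Answer one helper request line: 'URL client_ip/fqdn ident method'."""
    fields = line.split()
    return rewrite(fields[0]) if fields else ""


if __name__ == "__main__":
    # Squid writes one request per line and waits for one reply line each,
    # so the output must be flushed after every answer.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

Parsing the URL and replacing only the host component keeps the request path and query string in one piece, so no second copy of the path is appended to the rewritten URL.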
[squid-users] Including LAN IP in email header
How do I set squid to always allow the user's LAN IP to be included in outgoing email headers? Sometimes the LAN IP is there, sometimes it isn't. And when it isn't, just the public IP is included in the "Received from" field. Best regards Dayo
Re: [squid-users] Cancelled downloads
Carlos Lopez wrote:

Hi, I have the same situation with users on my site, they download many BIG files and then cancel them, even though I set some delay pools so they get bured, but the big files are kept by squid and the HD is getting full. Is there any solution to solve it, thru SQUID?

Carlos

You should check the maximum_object_size directive.

--
Marcello Romani
[squid-users] Setting up adsense to work via a reverse proxy
Has anyone tried something like this before?

Some background: I have a web site setup which allows local and international users to connect, but specially caters for local only bandwidth users in South Africa (yes - we have such a thing here due to high bandwidth costs). When users get capped they cannot access international sites but are free to access local sites.

I would like to use Google's adsense on my page but as it's an international site, local users will not be able to load the adsense ads since they are capped - this causes the page to load up slowly while the code waits to timeout.

What I thought about doing was pointing the adsense code to something like adsense.mydomain.com which will be accessible via local bandwidth, which I would then proxy the request to adsense.google.com (using my international bandwidth).

From my understanding of a reverse proxy I might be able to use a squid reverse proxy to accomplish this.

I know it's probably more of a question for the adsense forum, which I've tried and so far no response. But does anyone think it is do-able?