[squid-users] Extreme Slow Response from Squid (Test environment only 4 users at the moment)

2010-03-25 Thread GIGO .

From the multiple instance setup using Squid 3stable25 I have shifted to 
squid3stable1 packaged with Ubuntu 8.04 LTS. However, I am unable to understand 
why it is so slow. What's wrong? Please, anybody, help out. Is it something to 
do with the operating system? Or does Squid initially run that slow? I feel 
helpless. Please guide me.
 
My Hardware:
Physical Server IBM 3650
Physical RAID 1 + a volume disk, each of 73 GB size. Currently I am doing 
caching on RAID1.
RAM 4GB
 
My Conf File:
 
visible_hostname squidLhr
unique_hostname squidDefault
pid_filename /var/run/squid3.pid
http_port 10.1.82.53:8080
icp_port 0
snmp_port 0
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_peer 10.1.82.205  parent 8080 0 default no-digest no-query
#cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay use in the multiple setup
#temporarily Directive
never_direct allow all
#prefer_direct off use in the multiple setup while ponder on the above directive as well as it may not be needed with direct internet access.
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache_swap_low 75
cache_mem 100 MB
range_offset_limit 0 KB
maximum_object_size 4096 MB
minimum_object_size 0 KB
quick_abort_min 16 KB
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#specific for youtube belowone
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#Define Local Network.
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
#Define Local Servers
acl localServers dst 10.0.0.0/8
#Defining & allowing ports section
acl SSL_ports port 443  #https
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost
# Local server should never be forwarded to neighbour/peers and they should never be cached.
always_direct allow localservers
cache deny LocalServers
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate all
http_access allow windowsupdate localhost
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
acl BIP dst "/etc/squid3/Blocked.conf"
#Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of  Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"
###Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
###Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
###Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dst

[squid-users] TCP MISS 502

2010-03-25 Thread Ivan .
Man, Squid does my head in sometimes.

This error on Squid v2.6STABLE21, can't get the www.environment.gov.au site up..

1269582298.419 306252 10.xxx.xxx.xxx TCP_MISS/502 1442 GET
http://www.environment.gov.au/ - DIRECT/155.187.3.81 text/html [Host:
www.environment.gov.au\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows
NT 5.2; en-GB; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12\r\nAccept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language:
en-gb,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection:
keep-alive\r\nCookie: tmib_res_layout=default-wide;
__utma=181583987.2132547050.1269488465.1269509672.1269569388.4;
__utmc=181583987;
__utmz=181583987.1269488465.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n]
[HTTP/1.0 502 Bad Gateway\r\nServer: squid\r\nDate: Fri, 26 Mar 2010
05:44:58 GMT\r\nContent-Type: text/html\r\nContent-Length:
1074\r\nExpires: Fri, 26 Mar 2010 05:44:58 GMT\r\nX-Squid-Error:
ERR_READ_ERROR 104\r\n\r]

But works fine from a Squid v3.0STABLE16

Thanks
Ivan


Re: [squid-users] Help with accelerated site

2010-03-25 Thread Al - Image Hosting Services

Hi,

Although you can't have apache and squid listening on port 80 on the same 
IP, you can have them both running on port 80 on the same machine. Just do 
this:


Change your apache config to:
"Listen 127.0.0.1:80"

Change your squid config to:
"cache_peer 127.0.0.1 parent 80 0 no-query originserver" 
"http_port 1.2.3.4:80 accel vhost"


Where 1.2.3.4 is, put your public IP.

-Al






On Thu, 25 Mar 2010, a...@gmail wrote:


Date: Thu, 25 Mar 2010 16:30:33 -
From: "a...@gmail" 
To: Ron Wheeler 
Cc: Amos Jeffries , squid-users@squid-cache.org
Subject: Re: [squid-users] Help with accelerated site

Hi All,
Thank you guys for your help
I have tried your suggestions,
Yes Ron I know that two programmes can't both listen on the same port at the 
same time
but I thought the Apache was essential for the Proxy server, so thanks for 
the suggestion,
I am including bits of my config here, because now I am getting "Access 
Denied" even from a local network:
Can you guys please take a look at it and see if you can spot what's causing 
the access denied.
Note I have tried to allow everything and removed all the "deny" directives 
and yet it still denies any access from my local network.
That is why I get so confused with Squid; I don't understand its logic, to be 
perfectly honest, and let me remind you that this config used to work just 
fine, at least it used to allow access to the internet to all the clients on 
my local network.



#
# Other Access Controls
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl our_networks dst 192.168.1.0/32
acl our_sites dstdomain www.mysite.org
acl localnet src 10.0.0.0/8  # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
# acl localnet src 192.168.0.0/32 # RFC1918 possible internal network
acl localnet src 192.168.1.0/32  #Local Network
acl myaccelport port 80

# acl FTP proto FTP
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
#http_access deny manager
# http_access deny !Safe_ports
http_access allow localnet
#http_access deny all
# http_access allow intranet
# http_access deny all
http_access allow our_networks

icp_access allow localnet
#icp_access deny all
htcp_access allow localnet
#htcp_access deny all
http_acceess allow CONNECT
#http_access deny all
hosts_file /etc/hosts
visible_hostname proxy

http_port  3128

hierarchy_stoplist cgi-bin ?

cache_effective_user squid
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
pid_filename /usr/local/squid/var/logs/squid.pid

refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320

icp_port 3130
htcp_port 4827
# allow_underscore on

coredump_dir /usr/local/squid/var/cache


Can anyone see what's wrong with this config and if possible to point it out 
to me, your help would be much appreciated


Thanking you in advance
Regards
Adam

- Original Message - From: "Ron Wheeler" 


To: "a...@gmail" 
Cc: "Amos Jeffries" ; 
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site



a...@gmail wrote:

Hello there,
Thanks for the reply Ron and Amos


Maybe my original e-mail wasn't clear, a bit confusing. I am sorry if I 
confused you.


I have squid running on Machine A with let's say local ip 192.168.1.4
the backend server is running on machine B and ip address 192.168.1.3

Now, instead of getting the website that is located on Machine B 
192.168.1.3 which is listening on port 81 not 80.
I am getting the default Apache Page on the Proxy server Machine which is 
192.168.1.4


And I do have the vhost in my configuration
Well there are two apaches running on the two machines, the proxy machine 
and the web-server machine, except the web-server apache listens on port 
81, logically (technically) speaking it should work, but for some reason 
it doesn't.

I hope it makes more sense to you what I am trying to describe here


Very helpful.
You can not have apache listening for port 80 on 192.168.1.4 and Squid 
trying to do the same thing.

Only one process can have port 80.
You will very likely find a note in the squid logs that says something to 
the effect that squid can not bind to port 80.
If you shutdown apache on 192.168.1.4 and restart squid, your proxy will 
work (if the rest of the configuration is correct)
If you then try to start apache on 192.168.1.4 it will certainly complain 
loud

Re: [squid-users] reverse proxy question

2010-03-25 Thread Al - Image Hosting Services

Hi,

I just emailed "squid-users@squid-cache.org". I would think that they 
would use majordomo to forward the email to everyone on their "list". You 
are on their "list". So, I didn't have your email address, but I do now 
(because you emailed me directly).


To unsubscribe send a message to: 
squid-users-unsubscr...@squid-cache.org.


I hope this helps!

-Al





On Thu, 25 Mar 2010, b...@billfair.com wrote:


Date: Thu, 25 Mar 2010 17:54:21 -0500
From: b...@billfair.com
To: Al - Image Hosting Services 
Subject: Re: [squid-users] reverse proxy question

Can you tell me how you got my email? I want to stop receiving information 
about squid and can't seem to get unsubscribed.

Thanks,

Bill








On Mar 22, 2010, at 2:33 PM, Al - Image Hosting Services wrote:


Hi,

I have a reverse proxy setup. It has worked well except now the apache server 
is getting overloaded. I would like to change my load balancing so that I send 
all the dynamic content to one server like php to the apache server and all the 
static content like .gif, .jpg, .html to another webserver. Is there a way to 
do this and where is it documented? Also, could someone recommend a light 
weight server for static content?

Thanks,
Al





Re: [squid-users] TCP_MISS

2010-03-25 Thread Amos Jeffries

Rudolf Meijering wrote:

Hi,

access.log gives the following misses for gif files:

1269544961.348   4312 10.1.0.105 TCP_MISS/200 1431 GET
http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF -
DIRECT/146.232.128.112 image/gif
1269544996.893  39857 10.1.0.105 TCP_MISS/200 1542 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF -
DIRECT/146.232.128.112 image/gif
1269545005.696    996 10.1.0.105 TCP_MISS/200 1078 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525965.GIF -
DIRECT/146.232.128.115 image/gif
1269545005.754   1053 10.1.0.105 TCP_MISS/200 1349 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525966.GIF -
DIRECT/146.232.128.115 image/gif
1269545005.804   1103 10.1.0.105 TCP_MISS/200 1078 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525967.GIF -
DIRECT/146.232.128.115 image/gif
1269545007.327   2627 10.1.0.105 TCP_MISS/200 940 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/526074.GIF -
DIRECT/146.232.128.115 image/gif
1269545010.443   5743 10.1.0.105 TCP_MISS/200 1099 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525968.GIF -
DIRECT/146.232.128.115 image/gif
1269545011.320   1837 10.1.0.105 TCP_MISS/200 11973 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF -
DIRECT/146.232.128.112 image/gif
1269545020.259    793 10.1.0.105 TCP_MISS/200 1385 GET
http://www.mymaties.com/portal/pls/portal/docs/1/624561.GIF -
DIRECT/146.232.128.112 image/gif
1269545020.486    995 10.1.0.105 TCP_MISS/200 865 GET
http://www.mymaties.com/portal/pls/portal/docs/1/19147.GIF -
DIRECT/146.232.128.112 image/gif
1269545022.480   3012 10.1.0.105 TCP_MISS/200 863 GET
http://www.mymaties.com/portal/pls/portal/docs/1/24073.GIF -
DIRECT/146.232.128.112 image/gif
1269545024.763    504 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET
http://www.sun.ac.za/newweb07/images/kennis_maroon.gif -
DIRECT/146.232.20.38 -
1269545024.856    597 10.1.0.105 TCP_MISS/200 1373 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590622.GIF -
DIRECT/146.232.128.112 image/gif
1269545026.455   2195 10.1.0.105 TCP_MISS/200 1093 GET
http://sun025.sun.ac.za/portal/pls/portal/docs/1/30912.GIF -
DIRECT/146.232.128.46 image/gif
1269545026.663   6169 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/FFtr.gif - DIRECT/146.232.128.112
text/html
1269545028.076   3789 10.1.0.105 TCP_MISS/200 1063 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525969.GIF -
DIRECT/146.232.128.115 image/gif
1269545028.355  18866 10.1.0.105 TCP_MISS/200 1431 GET
http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF -
DIRECT/146.232.128.112 image/gif
1269545028.435   4147 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET
http://www.sun.ac.za/newweb07/images/bullet2.gif -
DIRECT/146.232.20.38 -
1269545029.107   4820 10.1.0.105 TCP_MISS/200 1055 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525972.GIF -
DIRECT/146.232.128.115 image/gif
1269545029.335   9869 10.1.0.105 TCP_MISS/200 865 GET
http://www.mymaties.com/portal/pls/portal/docs/1/24072.GIF -
DIRECT/146.232.128.112 image/gif
1269545029.723   5436 10.1.0.105 TCP_MISS/200 1059 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525970.GIF -
DIRECT/146.232.128.115 image/gif
1269545030.245   9982 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/FFtl.gif - DIRECT/146.232.128.112
text/html
1269545030.703  25944 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/pobtrans.gif - DIRECT/146.232.128.112
text/html

I have the following refresh patterns:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern \.deb$ 518400 100% 518400 override-expire
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320

Any idea why there are so many misses? What could I do to improve the hit rates?


Some of those are responses to IMS requests. Which your rule forces 
reload requests to become.


Maybe the server is simply responding with 200 OKAY regardless of 
getting an IMS request.


Maybe the requests actually did have ? query strings. You placed your 
catch-all dynamic content rules for preventing storage of badly 
controlled dynamic pages above the image caching rules.


Maybe several of your users favor Chrome. I've heard that browser sends 
no-cache header by default. Which results in middle proxies being unable 
to cache anything for improved access, and in fact degrade access for 
other browsers.



Amos
--
Plea
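
The ordering point in the reply above, as an added example that is not part of the thread and not Squid's own code: Squid applies the first refresh_pattern line whose regex matches the URL, so the sketch below parses the posted lines and reports which one wins for a GIF URL from the log, with and without a query string. The `?v=1` suffix, the function names and the use of Python's `re` in place of Squid's POSIX regex engine are assumptions of the example.

```python
import re

# The refresh_pattern lines from the post above, in the order they were posted.
POSTED = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern \.deb$ 518400 100% 518400 override-expire
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320
"""

DYNAMIC = r"(cgi-bin|\?)"
IMAGES = r"\.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$)"

# URL taken from the access.log excerpt; the query-string variant is constructed.
# access.log hides query strings while strip_query_terms is on (Squid's default),
# so the logged URL alone does not show whether the request carried one.
PLAIN = "http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF"
WITH_QUERY = PLAIN + "?v=1"


def parse_rules(conf):
    """Parse 'refresh_pattern [-i] regex min percent% max [options]' lines."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "refresh_pattern":
            continue
        tok = tok[1:]
        flags = 0
        if tok[0] == "-i":
            flags, tok = re.IGNORECASE, tok[1:]
        pattern, min_minutes, percent, max_minutes = tok[:4]
        rules.append({
            "pattern": pattern,
            "regex": re.compile(pattern, flags),
            "min": int(min_minutes),
            "percent": int(percent.rstrip("%")),
            "max": int(max_minutes),
            "options": tok[4:],
        })
    return rules


def first_match(rules, url):
    """Return the rule Squid would apply: the first whose regex matches the URL."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None


def demote(rules, pattern):
    """Copy of rules with `pattern` moved to just above the final catch-all."""
    moved = [r for r in rules if r["pattern"] == pattern]
    rest = [r for r in rules if r["pattern"] != pattern]
    return rest[:-1] + moved + rest[-1:]


def winner(rules, url):
    """Pattern text of the rule that applies to url."""
    rule = first_match(rules, url)
    return rule["pattern"] if rule else None


if __name__ == "__main__":
    posted = parse_rules(POSTED)
    reordered = demote(posted, DYNAMIC)
    for label, rules in (("posted order", posted), ("dynamic rule demoted", reordered)):
        for url in (PLAIN, WITH_QUERY):
            rule = first_match(rules, url)
            print(f"{label}: {url}\n    -> {rule['pattern']} "
                  f"(min {rule['min']}, max {rule['max']})")
```

With the dynamic-content rule demoted, URLs that carry a query string and end in an image extension fall under the long-lived image rule, so the reordering also changes what is kept for such pages.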

[squid-users] Can someone check a site?

2010-03-25 Thread Ivan .
Hi,

Can someone running Squid v2.6 STABLE21 check this site for me?
http://www.usp.ac.fj

Nothing in the access.log to give me a hint as to where the issue is.

I can access it direct, but through Squid it just hangs there after
the initial TCP handshake?

[r...@proxy squid]# tcpdump -vvv host 144.120.8.2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
21:35:24.227005 IP (tos 0x0, ttl  64, id 7227, offset 0, flags [DF],
proto: TCP (6), length: 60) xxx.xxx.xxx.xxx.33151 >
belo.usp.ac.fj.http: S, cksum 0xb78a (correct),
2265843403:2265843403(0) win 5840 
21:35:24.488001 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF],
proto: TCP (6), length: 60) belo.usp.ac.fj.http >
xxx.xxx.xxx.xxx.33151: S, cksum 0x1a89 (correct),
2369822436:2369822436(0) ack 2265843404 win 5792 
21:35:24.488013 IP (tos 0x0, ttl  64, id 7228, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.xxx.xxx.xxx.33151 >
belo.usp.ac.fj.http: ., cksum 0x5ebb (correct), 1:1(0) ack 1 win 46

21:35:24.488077 IP (tos 0x0, ttl  64, id 7229, offset 0, flags [DF],
proto: TCP (6), length: 482) xxx.xxx.xxx.xxx.33151 >
belo.usp.ac.fj.http: P, cksum 0x15be (incorrect (-> 0x870c),
1:431(430) ack 1 win 46 
21:35:24.729001 IP (tos 0x0, ttl  53, id 63867, offset 0, flags [DF],
proto: TCP (6), length: 52) belo.usp.ac.fj.http >
xxx.xxx.xxx.xxx.33151: ., cksum 0x4401 (correct), 1:1(0) ack 431 win
6432 

thanks
Ivan


[squid-users] TCP_MISS

2010-03-25 Thread Rudolf Meijering
Hi,

access.log gives the following misses for gif files:

1269544961.348   4312 10.1.0.105 TCP_MISS/200 1431 GET
http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF -
DIRECT/146.232.128.112 image/gif
1269544996.893  39857 10.1.0.105 TCP_MISS/200 1542 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF -
DIRECT/146.232.128.112 image/gif
1269545005.696    996 10.1.0.105 TCP_MISS/200 1078 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525965.GIF -
DIRECT/146.232.128.115 image/gif
1269545005.754   1053 10.1.0.105 TCP_MISS/200 1349 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525966.GIF -
DIRECT/146.232.128.115 image/gif
1269545005.804   1103 10.1.0.105 TCP_MISS/200 1078 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525967.GIF -
DIRECT/146.232.128.115 image/gif
1269545007.327   2627 10.1.0.105 TCP_MISS/200 940 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/526074.GIF -
DIRECT/146.232.128.115 image/gif
1269545010.443   5743 10.1.0.105 TCP_MISS/200 1099 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525968.GIF -
DIRECT/146.232.128.115 image/gif
1269545011.320   1837 10.1.0.105 TCP_MISS/200 11973 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590297.GIF -
DIRECT/146.232.128.112 image/gif
1269545020.259    793 10.1.0.105 TCP_MISS/200 1385 GET
http://www.mymaties.com/portal/pls/portal/docs/1/624561.GIF -
DIRECT/146.232.128.112 image/gif
1269545020.486    995 10.1.0.105 TCP_MISS/200 865 GET
http://www.mymaties.com/portal/pls/portal/docs/1/19147.GIF -
DIRECT/146.232.128.112 image/gif
1269545022.480   3012 10.1.0.105 TCP_MISS/200 863 GET
http://www.mymaties.com/portal/pls/portal/docs/1/24073.GIF -
DIRECT/146.232.128.112 image/gif
1269545024.763    504 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET
http://www.sun.ac.za/newweb07/images/kennis_maroon.gif -
DIRECT/146.232.20.38 -
1269545024.856    597 10.1.0.105 TCP_MISS/200 1373 GET
http://www.mymaties.com/portal/pls/portal/docs/1/590622.GIF -
DIRECT/146.232.128.112 image/gif
1269545026.455   2195 10.1.0.105 TCP_MISS/200 1093 GET
http://sun025.sun.ac.za/portal/pls/portal/docs/1/30912.GIF -
DIRECT/146.232.128.46 image/gif
1269545026.663   6169 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/FFtr.gif - DIRECT/146.232.128.112
text/html
1269545028.076   3789 10.1.0.105 TCP_MISS/200 1063 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525969.GIF -
DIRECT/146.232.128.115 image/gif
1269545028.355  18866 10.1.0.105 TCP_MISS/200 1431 GET
http://www.mymaties.com/portal/pls/portal/docs/1/591848.GIF -
DIRECT/146.232.128.112 image/gif
1269545028.435   4147 10.1.0.105 TCP_REFRESH_UNMODIFIED/304 251 GET
http://www.sun.ac.za/newweb07/images/bullet2.gif -
DIRECT/146.232.20.38 -
1269545029.107   4820 10.1.0.105 TCP_MISS/200 1055 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525972.GIF -
DIRECT/146.232.128.115 image/gif
1269545029.335   9869 10.1.0.105 TCP_MISS/200 865 GET
http://www.mymaties.com/portal/pls/portal/docs/1/24072.GIF -
DIRECT/146.232.128.112 image/gif
1269545029.723   5436 10.1.0.105 TCP_MISS/200 1059 GET
http://www.matiesalumni.net/portal/pls/portal/docs/1/525970.GIF -
DIRECT/146.232.128.115 image/gif
1269545030.245   9982 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/FFtl.gif - DIRECT/146.232.128.112
text/html
1269545030.703  25944 10.1.0.105 TCP_MISS/304 311 GET
http://www.mymaties.com/images/pobtrans.gif - DIRECT/146.232.128.112
text/html

I have the following refresh patterns:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern windowsupdate.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern \.deb$ 518400 100% 518400 override-expire
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern . 0 20% 4320

Any idea why there are so many misses? What could I do to improve the hit rates?
-- 
Rudolf Meijering


[squid-users] Re: Re: Squid Kerb Auth Issue

2010-03-25 Thread Markus Moeller

Hi Nick,

   That looks alright, but I am wondering that because you share the HTTP 
AD entry with your samba host entry a change by samba to the AD entry makes 
your HTTP keytab invalid.


Regards
Markus

BTW There is more documentation here 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


"Nick Cairncross"  wrote in message 
news:c7d130f3.1d842%nick.cairncr...@condenast.co.uk...

Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner (e.g. chgrp 
squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab)


Is there another way to do this (or have I done it wrong)

Nick




On 24/03/2010 23:45, "Markus Moeller"  wrote:


How did you create the keytab ?

Markus

"Nick Cairncross"  wrote in message
news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...
Hi,

I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have
reported a problem to me that they are prompted repeatedly for an
unsatisfiable username and password. When I checked cache.log I noticed that
there was a KVNO mismatch being reported. I regenerated my keytab and all
was well again. However, I was worried by this so I looked back over my
emails and I noticed the same problem occurred 7 days ago (almost to the
hour). Does anyone have a suggestion as to what might have caused
this/things to check? There haven't been any AD changes.

Thanks,


Nick







Re: [squid-users] filter suggestion for 443

2010-03-25 Thread Leonardo Carneiro - Veltrac

Hi Donovan,

I fell into the same situation as you and the only solution I've found 
is to do the task at the firewall level. If someone points out a reasonable 
solution for a production environment I would be glad (I'll wait for sslBump 
to reach stable).


donovan jeffrey j wrote:

Greetings

I have a transparent squid with squidguard. I have a case where I need 
to allow all connections to port 443 except somesite.com.


Since I'm not redirecting any 443 through squid, I guess I have to do 
it at the firewall level, unless someone could suggest a better way.


Basically " http://www.somesite.com " is blocked, but " 
https://www.somesite.com " is not. I've tried very hard to stay away 
from filtering on 443.

any insight would be helpful
tnx

-j




[squid-users] filter suggestion for 443

2010-03-25 Thread donovan jeffrey j

Greetings

I have a transparent squid with squidguard. I have a case where I need 
to allow all connections to port 443 except somesite.com.


Since I'm not redirecting any 443 through squid, I guess I have to do 
it at the firewall level, unless someone could suggest a better way.


Basically " http://www.somesite.com " is blocked, but " 
https://www.somesite.com " is not. I've tried very hard to stay away 
from filtering on 443.

any insight would be helpful
tnx

-j



Re: [squid-users] Help with accelerated site

2010-03-25 Thread a...@gmail

Hi All,
Thank you guys for your help
I have tried your suggestions,
Yes Ron I know that two programmes can't both listen on the same port at the 
same time
but I thought the Apache was essential for the Proxy server, so thanks for 
the suggestion,
I am including bits of my config here, because now I am getting "Access 
Denied" even from a local network:
Can you guys please take a look at it and see if you can spot what's causing 
the access denied.
Note I have tried to allow everything and removed all the "deny" directives 
and yet it still denies any access from my local network.
That is why I get so confused with Squid; I don't understand its logic, to 
be perfectly honest, and let me remind you that this config used to work 
just fine, at least it used to allow access to the internet to all the 
clients on my local network.



#
# Other Access Controls
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl our_networks dst 192.168.1.0/32
acl our_sites dstdomain www.mysite.org
acl localnet src 10.0.0.0/8  # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
# acl localnet src 192.168.0.0/32 # RFC1918 possible internal network
acl localnet src 192.168.1.0/32  #Local Network
acl myaccelport port 80

# acl FTP proto FTP
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
#http_access deny manager
# http_access deny !Safe_ports
http_access allow localnet
#http_access deny all
# http_access allow intranet
# http_access deny all
http_access allow our_networks

icp_access allow localnet
#icp_access deny all
htcp_access allow localnet
#htcp_access deny all
http_acceess allow CONNECT
#http_access deny all
hosts_file /etc/hosts
visible_hostname proxy

http_port  3128

hierarchy_stoplist cgi-bin ?

cache_effective_user squid
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
pid_filename /usr/local/squid/var/logs/squid.pid

refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320

icp_port 3130
htcp_port 4827
# allow_underscore on

coredump_dir /usr/local/squid/var/cache


Can anyone see what's wrong with this config and if possible to point it out 
to me, your help would be much appreciated


Thanking you in advance
Regards
Adam

- Original Message - 
From: "Ron Wheeler" 

To: "a...@gmail" 
Cc: "Amos Jeffries" ; 
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site



a...@gmail wrote:

Hello there,
Thanks for the reply Ron and Amos


Maybe my original e-mail wasn't clear, a bit confusing. I am sorry if I 
confused you.


I have squid running on Machine A with let's say local ip 192.168.1.4
the backend server is running on machine B and ip address 192.168.1.3

Now, instead of getting the website that is located on Machine B 
192.168.1.3 which is listening on port 81 not 80.
I am getting the default Apache Page on the Proxy server Machine which is 
192.168.1.4


And I do have the vhost in my configuration
Well there are two apaches running on the two machines, the proxy machine 
and the web-server machine, except the web-server apache listens on port 
81, logically (technically) speaking it should work, but for some reason 
it doesn't.

I hope it makes more sense to you what I am trying to describe here


Very helpful.
You can not have apache listening for port 80 on 192.168.1.4 and Squid 
trying to do the same thing.

Only one process can have port 80.
You will very likely find a note in the squid logs that says something to 
the effect that squid can not bind to port 80.
If you shutdown apache on 192.168.1.4 and restart squid, your proxy will 
work (if the rest of the configuration is correct)
If you then try to start apache on 192.168.1.4 it will certainly complain 
loudly about port 80 not being free.


If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to 
set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy 
to the apache on 192.168.1.4 and use apache's proxy and vhost features to 
reach 192.168.1.5 which can be set to listen on port 80.

This will support
browser=>Squid on 192.168.1.4 ==> Apache on 192.168.1.4:81 (vhost) 
==>Apache 192.168.1.3:80

That is a pretty common approach.

Ron




Thank you all for your help
Regards
Adam

- Original Message - From: "Amos Jeffries" 
To: 
Sent: Thursday, March 25, 2010 1:01 A

Re: [squid-users] Sending on Group names after Kerb LDAP look-up

2010-03-25 Thread Nick Cairncross
Amos,

Thanks for your help - you are right in that the connector has the ability to 
receive and manipulate ICAP, and using an NTLM authenticated user allows me to 
do the thing I need. All was nearly lost.

However, if I change to Kerberos authentication on my Squid then the connector 
breaks because it receives the user name as an UPN. Is it possible to send just 
the first part of the authenticated user (i.e. Username?) and not include the 
domain?

I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz 
about using string substitutions (%U, %N etc) Is this achievable with Squid? 
This could be the final piece in my puzzle...

Thanks,

Nick



On 24/03/2010 05:58, "Amos Jeffries"  wrote:

Nick Cairncross wrote:
> Hi All,
>
> Things seem to be going well with my Squid project so far; a combined
> Mac/Windows AD environment using Kerberos authentication with fall
> back of NTLM. I (hopefully) seem to be getting the hang of it! I've
> been trying out the Kerberos LDAP look up tool and have a couple of
> questions (I think the answers will be no..):
>
> - Is it possible to wrap up the matched group name(s) in the header
> as it gets sent onwards to my peer? I used to use the authentication

I don't think so.
  There is a lot of manipulation magic you can do with the ICAP or eCAP
interfaces that is not possible directly in Squid though.

The risk is breaking back-end services that can't handle the altered
header. Since you say below about already doing so, I assume this is a
non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and
> linked into our ISA. Once a user authenticated their group membership
> was forwarded along with their username to my peer (Scansafe). The
> problem is that it only does NTLM auth. It added the group
> (WINNT://[group]) into the header and then a rule base at the peer
> site could be set up based on group. Since I am using Kerberos I
> wondered whether it's possible to send the results of the Kerb LDAP
> auth? I already see the user on the peer as the Kerberos login. It
> would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can
log Squid-3.1 into the peer with kerberos credentials.
  But I do not think the Kerberos details get decoded to a
username/password for Squid to pass back as a pair.

>
> This is what I use currently: cache_peer proxy44.scansafe.net parent
> 8080 7 no-query no-digest no-netdb-exchange login=* (From
> http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
>
> - Are there plans to integrate the lookup tool in future versions of
> Squid? I've enjoyed learning about compiling but.. just wondering..
>

No. Plans are for all network-specific adaptation to be done via
external helper processes.  The *CAP interfaces for add-on modules allow
all the adaptation extras to be plugged in as needed in a very powerful way.
  Check that AV tool, it likely has an ICAP interface Squid-3 can plug
into already.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18


** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is 
intended only for the addressee.  If you are not the intended addressee, any 
disclosure, copying or distribution by you is prohibited and may be unlawful.  
Disclosure to any party other than the addressee, whether inadvertent or 
otherwise, is not intended to waive privilege or confidentiality.  Internet 
communications are not secure and therefore Conde Nast does not accept legal 
responsibility for the contents of this message.  Any views or opinions 
expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900


[squid-users] Multiple domain authentication and active directory group authentication

2010-03-25 Thread senthilkumaar2021

Hi All,

I am using squid2.7stable6 and my clients are Windows machines.
I want to make squid authenticate to two different Active Directory 
servers. Is this possible?
I have different security groups in each Active Directory and I 
want to block websites on the basis of groups.

Which authentication helper should be used for this?
Please provide me a suitable solution.
Regards
senthil



Re: [squid-users] Re: Squid Kerb Auth Issue

2010-03-25 Thread Nick Cairncross
Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner (e.g. chgrp 
squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab)

Is there another way to do this (or have I done it wrong)?

Nick




On 24/03/2010 23:45, "Markus Moeller"  wrote:

> How did you create the keytab ?
>
> Markus
>
> "Nick Cairncross"  wrote in message
> news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...
> Hi,
>
> I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have
> reported a problem to me that they are prompted repeatedly for an
> unsatisfiable username and password. When I checked cache.log I noticed that
> there was a KVNO mismatch being reported. I regenerated my keytab and all
> was well again. However, I was worried by this so I looked back over my
> emails and I noticed the same problem occurred 7 days ago (almost to the
> hour). Does anyone have a suggestion as to what might have caused
> this/things to check? There haven't been any AD changes.
>
> Thanks,
>
>
> Nick
>
>
>
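
One way to check for the KVNO mismatch reported in this thread, as an added example that is not part of the original messages: compare the key versions stored in the keytab (`klist -k`) with the version the KDC currently issues (`kvno`). The sample outputs, host name and realm below are constructed placeholders.

```python
import re

# Constructed sample of `klist -k -t /etc/squid/HTTP.keytab` output
# (MIT Kerberos layout); host name and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 03/18/10 11:02:41 HTTP/proxy.example.com@EXAMPLE.COM
   3 03/18/10 11:02:41 HTTP/proxy.example.com@EXAMPLE.COM
   2 03/18/10 11:02:41 host/proxy.example.com@EXAMPLE.COM
"""

# Constructed sample of `kvno <principal>` output, one line per principal.
SAMPLE_KVNO = """\
HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4
host/proxy.example.com@EXAMPLE.COM: kvno = 2
"""

# KVNO, optional "date time" pair (klist -t), then the principal.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)")
KVNO_ROW = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def keytab_versions(klist_text):
    """Map each principal in the keytab listing to the set of KVNOs it holds."""
    versions = {}
    for line in klist_text.splitlines():
        row = KLIST_ROW.match(line)
        if row:
            versions.setdefault(row.group(2), set()).add(int(row.group(1)))
    return versions


def kdc_versions(kvno_text):
    """Map each principal to the KVNO the KDC reported for it."""
    current = {}
    for line in kvno_text.splitlines():
        row = KVNO_ROW.match(line.strip())
        if row:
            current[row.group(1)] = int(row.group(2))
    return current


def stale_entries(klist_text, kvno_text):
    """Return (principal, keytab KVNOs, KDC KVNO) for every principal whose
    current KDC key version is missing from the keytab."""
    keytab = keytab_versions(klist_text)
    stale = []
    for principal, kdc_kvno in sorted(kdc_versions(kvno_text).items()):
        have = keytab.get(principal, set())
        if kdc_kvno not in have:
            stale.append((principal, sorted(have), kdc_kvno))
    return stale


if __name__ == "__main__":
    # On a live host, replace the samples with the captured output of
    # `klist -k -t <keytab>` and, after kinit, `kvno <principal>`.
    for principal, have, want in stale_entries(SAMPLE_KLIST, SAMPLE_KVNO):
        print(f"{principal}: keytab has KVNO {have}, KDC issues {want}")
```

Run from cron, a check like this records when the version on the KDC moves ahead of the keytab, which narrows down what changed the service account's key.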



[squid-users] Regarding Ntlm authentication

2010-03-25 Thread senthilkumaar2021

Hi All,

I am using squid 2.7 stable7 and I configured NTLM authentication to 
authenticate against Active Directory.

I followed the steps as in the Squid wiki.
The squid.conf is as follows:
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

When I set a direct proxy in Firefox it asks for a username and password. 
The initial window has the realm as "". When I give the user name and password 
it asks again; then, if I select cancel, another window asks me for a 
password, and in this one the realm is "The site says: "Squid proxy-caching web 
server"". When I give the user name and password I am able to browse.
When I use the same in Internet Explorer it asks for the password 
continuously, but with no success.
Why do two different prompts appear for the user name and password, and why 
is it not working in IE?


Kindly help me

Regards
senthil





RE: [squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.

2010-03-25 Thread GIGO .

Please, I want to add information to my previous query. My previous setup with 
a single instance was running fine. Another change is that I compiled my new setup 
with more options this time, like enabling delay pools, cache digest and Active 
Directory authentication support. Is the below issue in any way related to this 
as well? Please, your support is required.


> From: gi...@msn.com
> To: squid-users@squid-cache.org
> Date: Thu, 25 Mar 2010 11:31:01 +
> Subject: [squid-users] After Running Multiple Instances my Squid 
> speed/response is extremely slow.

[squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.

2010-03-25 Thread GIGO .

Dear All,
 
Please help me on this, as after setting up multiple instances on the same 
server for cache directory fault tolerance my squid speed/response is 
extremely slow and even most of the sites keep on opening and opening. I am 
failing to figure out what's wrong. Please guide me on this; I am enclosing my 
configuration files for your reference.
 
 
 
Instance 1 with which all the users are connected:
 
 
visible_hostname squidLhr
unique_hostname squidMainProcess
pid_filename /var/run/squid3main.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log  /var/logs/access.log
cache_log /var/logs/cache.log
cache_effective_user proxy 
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay

#temporarily Directive
never_direct allow all
 
prefer_direct off
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache deny all

acl localServers dst 10.0.0.0/8
always_direct allow localservers
cache deny LocalServers
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
acl BIP dst "/etc/squid3/Blocked.conf"
acl CONNECT method CONNECT
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate FcUsr
http_access allow windowsupdate PUsr
http_access allow windowsupdate RUsr
http_access allow windowsupdate localhost
#Defining & allowing ports section
acl SSL_ports port 443  #https
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
###Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg

###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of  Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"

###Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com

###Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger

###Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com
###Definition for Disallowing download of executables from web#
acl downloads url_regex "/etc/squid3/download.conf"
###Definiton of Torrentz
acl torrentSeeds urlpath_regex \.torrent(\?.*)?$
###Definition of Rapidshare###
acl dlSites dstdomain .rapidshare.com .rapidsharemegaupload.com .filespump.com
###-
http_access deny  PornSites
http_access deny Sex
#http_access deny RUsr PornSites 
#http_access deny PUsr PornSites #deny everyone porn sites 
#http_access deny RUsr Sex 
#http_access deny PUsr Sex 
http_access deny PUsr msnd 
http_access deny RUsr msnd 
http_access deny PUsr msn 
http_access deny RUsr 

Re: [squid-users] pinger? what for

2010-03-25 Thread Amos Jeffries

Luis Daniel Lucio Quiroz wrote:

On Wednesday 24 March 2010 19:07:48, Amos Jeffries wrote:

On Wed, 24 Mar 2010 18:28:53 -0600, Luis Daniel Lucio Quiroz wrote:

HI squids,

I did realize that in latest snapshot 3.1 has pinger disabled. I wonder to
know what for pinger is?

Squid uses it to securely do ICMP to measure distance to the possible
source servers of a request. Optimizing which peers get used for fastest
responses.
It was on for some extra testing on 3.1 betas, but is not yet installed
properly, so has been disabled temporarily again for the coming production
release.

Amos



ok, and installing with suid will be enough?


If by "suid" you meant "squid", then yes.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18


Re: [squid-users] Squid redirection

2010-03-25 Thread Amos Jeffries

jayesh chavan wrote:

Hi,
I have written a script which redirects my squid to local
apache. It works fine for the FOLLOWING SCRIPT

#!c:/perl/bin/perl.exe
$|=1;
while (<>) {
s...@http://www.az@http://117.195.4.252@;
print;
 }

But whenever I use this script
#!c:/perl/bin/perl.exe
$|=1;
while (<>) {
s...@http://www.az@http://117.195.4.252//index.html@;
print;
   }

It doesn't work. I observed that this is happening due to the redirect
program, which is appending / at the end of the rewritten url. It gives
error as:
   The requested URL /index.html/ was not found on this server.
How to avoid that?


 * Squid passes the URL whole to the script
 * The redirect script does exactly what you program into it.
 * Squid uses exactly what the script outputs.


Your web browser is requesting:

   http://www.az.com/

http://117.195.4.252/ is a valid URL at the receiving server which is 
why the first one works.



If you were to request

  http://www.az.com/some.html

methinks that script will re-write it as:

  http://117.195.4.252//index.html/some.html

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
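
Amos's point as an added example (not code from the thread, and in Python rather than the poster's Perl): a prefix substitution glues the original path onto whatever replaces the prefix, while rewriting by URL component does not. Assumptions: the matched prefix is `http://www.az.com` (the archive elides the start of the poster's pattern), the intent is to map the site root to `/index.html`, and the helper receives one request per line with the URL as the first field.

```python
#!/usr/bin/env python3
"""URL-rewrite helper: prefix substitution versus rewriting by component."""
import sys
from urllib.parse import urlsplit, urlunsplit

SOURCE_HOST = "www.az.com"       # assumption: host the poster's pattern matches
TARGET_HOST = "117.195.4.252"    # local Apache, from the thread
DEFAULT_PAGE = "/index.html"     # assumption: page wanted for the site root


def naive_rewrite(url):
    """Equivalent of the second Perl script: swap the URL prefix only."""
    return url.replace("http://" + SOURCE_HOST,
                       "http://" + TARGET_HOST + "/" + DEFAULT_PAGE, 1)


def rewrite(url):
    """Rewrite host and path separately; leave anything else untouched."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:           # malformed port: do not touch the URL
        return url
    host = (parts.hostname or "").lower()
    # Exact host match: a prefix match would also catch other hosts whose
    # name merely starts with www.az.com.
    if parts.scheme != "http" or host != SOURCE_HOST or port not in (None, 80):
        return url
    path = DEFAULT_PAGE if parts.path in ("", "/") else parts.path
    return urlunsplit(("http", TARGET_HOST, path, parts.query, ""))


def handle_line(line):
    """One helper request: the first field is the URL, the rest is metadata."""
    fields = line.split()
    if not fields:
        return ""                # blank reply leaves the request unchanged
    return rewrite(fields[0])


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()       # same purpose as $|=1 in the Perl script


if __name__ == "__main__":
    main()
```

`naive_rewrite("http://www.az.com/")` returns `http://117.195.4.252//index.html/`, the trailing slash the poster attributes to the redirect program.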


[squid-users] Including LAN IP in email header

2010-03-25 Thread Dayo Adewunmi

How do I set squid to always allow the user's LAN IP to be included
in outgoing email headers? Sometimes the LAN IP is there, sometimes it 
isn't.
And when it isn't, just the public IP is included in the "Received from" 
field.


Best regards

Dayo


Re: [squid-users] Cancelled downloads

2010-03-25 Thread Marcello Romani

Carlos Lopez wrote:

Hi,

I have the same situation with users on my site, they download many
BIG files and then cancel them, even though I set some delay pools so
they get bored, but the big files are kept by squid and the HD is
getting full.

Is there any solution to solve it, thru SQUID?

Carlos



You should check the maximum_object_size directive.

--
Marcello Romani


[squid-users] Setting up adsense to work via a reverse proxy

2010-03-25 Thread Greg McCarthy
Has anyone tried something like this before?

Some background:

I have a web site setup which allows local and international users to
connect, but specially caters for local only bandwidth users in South
Africa (yes - we have such a thing here due to high bandwidth costs)

When users get capped they cannot access international sites but are
free to access local sites.

I would like to use Google's adsense on my page but as it's an
international site, local users will not be able to load the adsense
ads since they
are capped - this causes the page to load up slowly while the code
waits to timeout.


What I thought about doing was pointing the adsense code to something
like adsense.mydomain.com which will be accessible via local
bandwidth, which I would then proxy the request to adsense.google.com
(using my international bandwidth)

From my understanding of a reverse proxy I might be able to use a
squid reverse proxy to accomplish this.

I know it's probably more of a question for the adsense forum, which
I've tried and so far no response. But does anyone think it is do-able?