Re: [squid-users] squid performance - requests per second

2010-04-01 Thread 饶琛琳
I have seen the
page (http://wiki.squid-cache.org/KnowledgeBase/Benchmarks), and want to
ask a question about the RPS.
My LVS tells me that the ActiveConn number of one squid is more than
200,000; the netstat command tells me the established connection number is
6; but the RPS from squidclient is only 110.

Who can teach me the difference between them?
Tks.

On 2010-3-29 14:00, Amos Jeffries wrote:

guest01 wrote:

Hi guys,

I am sorry if this is a question which has been asked many times,
but I did not find any actual question concerning the performance of
recent versions of squid.

We are trying to replace a commercial product with squid servers on
64bit linux servers (most likely red hat 5). At the moment, we have a
peak of about 6000 requests per second, which is really a lot. How
many requests can one single squid server handle? I am just talking
about caching, we also have icap servers and different forms of
authentication. What are your experiences? How many requests can you
handle with which hardware? A raw guess would be ok.

thanks, best regards


http://www.google.co.nz/search?q=squid+performance
http://www.google.co.nz/search?q=squid+benchmark
http://wiki.squid-cache.org/KnowledgeBase/Benchmarks

Amos





Re: [squid-users] Reverse and SSL cert

2010-04-01 Thread Andrea Gallazzi

Thanks Jakob for your reply.
As usual I do not agree with digital certificates. :-)

(In theory, and with your help.) My goal is to demonstrate that it is possible to
use squid as a reverse proxy instead of ISA or TMG, and to write an article on my
blog.


I would get this topology:

Squid as reverse proxy for Exchange 2010 OWA and ActiveSync.
Exchange 2010 has a certificate issued by my internal CA.

I am following this example config:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

In the real world:
Must I configure or request a new certificate from my internal CA for the squid
reverse proxy, or install the same certificate as Exchange?


tnx
--
From: Jakob Curdes j...@info-systems.de
Sent: Wednesday, March 31, 2010 11:59 PM
To: Squid Mailing List squid-users@squid-cache.org
Cc: Andrea Gallazzi andrea.galla...@live.com
Subject: Re: [squid-users] Reverse and SSL cert




Is the certificate the same as Exchange's?
(If yes) Will the same certificate be installed on squid and on Exchange?
How do I make the .pem certificate for squid?

You need to tell us more about your setup. Probably you want to terminate 
an SSL connection on the reverse-proxy and forward the request to an 
internal server that happens to run SSL. In this case the certificate the 
external client will get is the one configured in the https_port 
directive. For the second SSL connection (presumably to Exchange) you need 
a second certificate, which is defined in the cache_peer directive. This 
cert is just used to identify squid to the exchange server. Another 
problem arises: if we are talking about OWA or RPC via HTTP access to 
exchange, you need to make sure that the domain for the requests is the 
same all the time, i.e. the external client is requesting owa.domain.com 
which you are forwarding, say, to exchange.company.local. You must make 
sure that these two domains map to one in DNS, otherwise the requests 
will fail. Plus the certificates need to reflect this ... there are 
commercial certificates where you can enter two different domain names 
into one cert. Look for Subject Alternative Names (SAN) certificates. You 
can use such a cert on squid and the exchange server.


Remark, not sure if it applies: If using Outlook as RPC via HTTPS client, 
you will have trouble with self-signed certs. Outlook does not display a 
warning but just rejects the connection unless a self-signed cert has been 
accepted into the certificate store of the operating system e.g. by going 
through an IE certificate dialogue.


HTH,
Jakob Curdes




Re: [squid-users] Reverse and SSL cert

2010-04-01 Thread Jakob Curdes

Andrea Gallazzi wrote:

Thanks Jakob for your reply.
As usual I do not agree with digital certificate. :-)

Not sure what you mean here?



Squid as reverse proxy for Exchange 2010 OWA and ActiveSync.
Exchange 2010 has a certificate issued by my internal CA.

That is exactly the setup I was referring to. We are running such 
setups. My previous mail tried to elaborate what is necessary to get 
this going certificate-wise.

I am following this example config:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

In the real world:
Must I configure or request a new certificate from my internal CA for the
squid reverse proxy, or install the same certificate as Exchange?
That depends on your DNS setup. A certificate is normally valid for 
exactly one hostname. If the Exchange server and the external access 
resolve to an identical hostname (which you can only achieve with a 
so-called split DNS entry), then you can use one certificate. Otherwise 
you need two or a cert that covers both names as mentioned. The internal 
one can be a self-signed cert, for the external one self-signed 
certificates are possible but that means that you have to take great 
care when configuring the clients.


JC
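A squid.conf fragment that puts the two-certificate layout Jakob describes into configuration (the public certificate on https_port, a separate TLS connection and client certificate on cache_peer). This is an added example, not configuration from the thread or from the squid wiki page Andrea links; it uses Squid 3.1 directive syntax. The file paths, the peer name owaExchange and the hostnames owa.domain.com and exchange.company.local (Jakob's placeholders) are assumptions. Jakob's point that OWA requests must carry the same hostname end to end (split DNS or a SAN certificate) is not something this fragment can solve on its own.

```conf
# External side: what the browser or ActiveSync client connects to.
# cert=/key= is the certificate the external client receives (Jakob's first
# point). It must be valid for owa.domain.com, or be a SAN cert that carries
# both the public and the internal name.
https_port 443 accel defaultsite=owa.domain.com vhost cert=/etc/squid/owa.domain.com.pem key=/etc/squid/owa.domain.com.key

# Internal side: a second, independent TLS connection to Exchange (Jakob's
# second point). Option meanings:
#   sslcafile  - the internal CA that issued Exchange's certificate, so Squid
#                can verify it ("your Squid accepts the certificate used by OWA")
#   ssldomain  - the name Squid expects to find in Exchange's certificate
#   sslcert/sslkey - the client certificate Squid presents to identify itself
#                to the Exchange server (assumed file names)
#   front-end-https=on - tells OWA that the client-facing hop is HTTPS
cache_peer exchange.company.local parent 443 0 no-query originserver login=PASS name=owaExchange ssl sslcafile=/etc/squid/internal-ca.pem ssldomain=exchange.company.local sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key front-end-https=on

# Only requests for the public OWA name are forwarded to the Exchange peer;
# anything else is refused rather than relayed.
acl owa_site dstdomain owa.domain.com
cache_peer_access owaExchange allow owa_site
cache_peer_access owaExchange deny all
http_access allow owa_site
http_access deny all
```

Without sslcafile Squid does not verify the Exchange certificate at all, which would make Jakob's "second certificate" a client-identification mechanism only; with it, a certificate from a CA other than the internal one (or with a name other than ssldomain) causes the peer connection to fail, which is the behaviour you want from a reverse proxy in front of a mail server.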


Re: [squid-users] TPROXY Routing

2010-04-01 Thread johan firdianto
Make sure you have set up triangle routing correctly.
Does your squid act as a bridge, or as a router/gateway with dual
ethernet interfaces,
or as a standalone server with a single ethernet interface?
Options 1 and 2 don't need a routing setup; incoming and
outgoing traffic must hit the squid box.
But for option 3, you should set up your router to make sure outgoing
traffic to port 80 hits squid first and is then forwarded to the
internet, and the reply traffic from the internet comes back to the
squid box before being forwarded to the client.

2010/4/1 Kurt Sandstrom sandma...@gmail.com:
 I have the following in startup

 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100

 The output of ip route show table 100: local default dev lo scope host

 One other thing is strange, my PREROUTING rules in mangle don't load
 in my script. I have to manually add them. Timing issue perhaps?

 Startup script loaded from rc.local:

 echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -t mangle -N DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
 --tproxy-mark 0x1/0x1 --on-port 3129
 ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp
 --ip-dport 80 -j redirect --redirect-target DROP
 ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp
 --ip-sport 80 -j redirect --redirect-target DROP
  cd /proc/sys/net/bridge/
  for i in *
  do
   echo 0 > $i
  done
  unset i

 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100


 2010/3/31 Henrik Nordström hen...@henriknordstrom.net:
 On Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
 I have been unable to get TPROXY working correctly with squid. I have
 used the steps in http://wiki.squid-cache.org/Features/Tproxy4 and
 rechecked everything.


 I did not see your routing setup in the data you dumped. Without the
 routing configured, TPROXY won't intercept, just route like normal.

 http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration

 Regards
 Henrik





[squid-users] Log a nt user without ntln login.

2010-04-01 Thread Kevin Blackwell
Does anyone know if it is possible to just log the NT user without them
actually logging in?


I'm being told that NTLM is a performance hog. I need to be able to
log the user. IP won't work because we're proxying terminal servers and want
to track the user and what sites they go to.


Sent from my PDA please excuse any typos.



[squid-users] ACL NCSA and user

2010-04-01 Thread Andrea Gallazzi
Hi,
Can I allow only some users to access only some web sites?


i.e.


user1 can only go to www.website1.com
user2 can only go to www.website2.com

user1 and user2 are authenticated by NCSA.

thank you


RE: [squid-users] cache_peer using DNS name

2010-04-01 Thread Dean Weimer
I don't have IPv6 capability, but on this test system I just did a quick 
install and Squid does have the default IPv6 setup as does the O/S (FreeBSD 
7.2).  I will recompile with --disable-ipv6 and see if the problem goes away.  
Not sure if they have a  record for the hostname, I get a server fail 
response when trying against the DNS servers I have configured on the system.  
The Bind DNS servers I am hitting do have IPv6 disabled.  I have recompiled 
Squid with the --disable-ipv6 option and set my cache_peer line back to the 
domain name.  I will let you know if this resolves the problem, after the new 
configuration is running long enough to know.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, March 31, 2010 5:17 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] cache_peer using DNS name

Henrik Nordström wrote:
 On Wed 2010-03-31 at 14:41 -0500, Dean Weimer wrote:
 I found it listed in 3.0PRE3 bugs, here is the link that I found, it is 
 listed as fixed.
 
 And it is fixed. That was a typo which made Squid always use the name=
 instead of the host when figuring out how to connect to the peer.
 Obvious error, and long time gone (fixed in 2003, long before 3.0 was
 released in 2007).
 

Does the peer have  records and you have no IPv6 connectivity?

This looks like one of the effects of our failover bug. Compounded by 
the fact the peer name is looked up so often.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1


[squid-users] UDP errors after upgrade to 3.1.1

2010-04-01 Thread donovan jeffrey j

Greetings

compiled 3.1.1 on 2 OSX machines, both running 10.5.8; one is
transparent and the other is straight up.

build went fine. no errors.

fired up squid ( squid -d1x )
clients connected but as soon as a request for a site came through I  
got a ton of these on both systems;


2010/04/01 10:38:48| idnsSendQuery: FD 6: sendto: (22) Invalid argument
2010/04/01 10:38:56| comm_udp_sendto: FD 6, (family=2) 209.96.96.2:53:  
(22) Invalid argument


here is my previous build:
Version 3.0.STABLE24
configure options: '--enable-async-io' '--enable-icmp' '--enable-delay-pools' '--disable-htcp' '--enable-ssl' '--enable-ipfw-transparent' '--enable-snmp' '--enable-underscores' '--enable-basic-auth-helpers=NCSA,LDAP,getpwnam'


I quickly flipped back to my previous build until I can figure out
what changed.


-jeff


[squid-users] Performance of ntlm_auth vs squid_ldap_auth

2010-04-01 Thread Kevin Blackwell
Anyone have any info on ntlm_auth vs squid_ldap_auth?

I'm being told that ntlm_auth is a performance killer.

Basically I just need to be able to log the NT users and looking for
the fastest way to do that.

thanks

-- 
Kevin Blackwell


Re: [squid-users] TPROXY Routing

2010-04-01 Thread Kurt Sandstrom
It is set up with 2 NICs as a bridge. The routing I was referring to is
only internal to the box, i.e. through iptables.

On Thu, Apr 1, 2010 at 5:09 AM, johan firdianto johanfi...@gmail.com wrote:
 Make sure you have set up triangle routing correctly.
 Does your squid act as a bridge, or as a router/gateway with dual
 ethernet interfaces,
 or as a standalone server with a single ethernet interface?
 Options 1 and 2 don't need a routing setup; incoming and
 outgoing traffic must hit the squid box.
 But for option 3, you should set up your router to make sure outgoing
 traffic to port 80 hits squid first and is then forwarded to the
 internet, and the reply traffic from the internet comes back to the
 squid box before being forwarded to the client.

 2010/4/1 Kurt Sandstrom sandma...@gmail.com:
 I have the following in startup

 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100

 The output of ip route show table 100: local default dev lo scope host

 One other thing is strange, my PREROUTING rules in mangle don't load
 in my script. I have to manually add them. Timing issue perhaps?

 Startup script loaded from rc.local:

 echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -t mangle -N DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
 --tproxy-mark 0x1/0x1 --on-port 3129
 ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp
 --ip-dport 80 -j redirect --redirect-target DROP
 ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp
 --ip-sport 80 -j redirect --redirect-target DROP
  cd /proc/sys/net/bridge/
  for i in *
  do
   echo 0 > $i
  done
  unset i

 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100


 2010/3/31 Henrik Nordström hen...@henriknordstrom.net:
 On Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
 I have been unable to get TPROXY working correctly with squid. I have
 used the steps in http://wiki.squid-cache.org/Features/Tproxy4 and
 rechecked everything.


 I did not see your routing setup in the data you dumped. Without the
 routing configured, TPROXY won't intercept, just route like normal.

 http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration

 Regards
 Henrik






[squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Johnson, S
I've got one of my squid/dansguardian boxes configured for transparent proxy 
using an AUP to authorize the connection.  What happens is the AUP shows, the 
user clicks on the accept link (which is just a URL forward to where they were 
originally going) then it drops them right back into the AUP.  A session was 
never being created for the user (or so I thought).

In the logs I can see the 302 denied show which causes the redirection:
01/Apr/2010,14:38:53, 
0,192.168.80.245,TCP_DENIED/302,421,GET,http://www.yahoo.com/,-,NONE/-,text/html

This should be easy to troubleshoot, however in working on this issue I 
discovered that if I click on the Accept AUP policy link 3 or 4 times then it 
eventually gives me the green light and sets up a session for me.  Then 
browsing from there on out is ok.  I thought I had the problem resolved a few 
times but discovered that it wasn't after a few other people tried it out.

This is my squid.conf


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl mywebserver dst 34.8.132.1/32  # this is my local web server

follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on


external_acl_type session ttl=300 children=20 negative_ttl=10 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
http_access allow mywebserver
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access deny !session
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports



Re: [squid-users] TPROXY Routing

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 11:10 -0700, Kurt Sandstrom wrote:
 It is set up with 2 NICs as a bridge. The routing I was referring to is
 only internal to the box, i.e. through iptables.

bridge... haven't tried TPROXY in bridge mode, only router mode.

Due to the complexity involved I would recommend you first try TPROXY in
router mode, then move on to extend it to bridge mode. And remember that
you need to divert the return traffic as well in the bridge or it won't
work.

Regards
Henrik



Re: [squid-users] Reverse and SSL cert

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 11:11 +0200, Andrea Gallazzi wrote:

 In the real world:
 Must I configure or request a new certificate from my internal CA for the squid
 reverse proxy, or install the same certificate as Exchange?

Either way works, as long as the clients accept the certificate used by
Squid and your Squid accepts the certificate used by OWA Exchange.

Regards
Henrik



Re: [squid-users] Memory usage for squid via mallinfo Total in use: 100%

2010-04-01 Thread Henrik Nordström
On Wed 2010-03-31 at 16:04 -0500, Kevin Blackwell wrote:

 Should i be concerned about Total in use: 3539 KB 96%?

No. The % is % of the total memory the Squid process has reserved from
the OS, not the maximum possible.

Contrary to intuition, the situation where one should worry about this %
is if it becomes very low, as that's a sign that the malloc
implementation does not manage free heap space in a good manner for
Squid.

Regards
Henrik



RE: [squid-users] cache_peer using DNS name

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 09:53 -0500, Dean Weimer wrote:
 I don't have IPv6 capability, but on this test system I just did a
 quick install and Squid does have the default IPv6 setup as does the
 O/S (FreeBSD 7.2).  I will recompile with --disable-ipv6 and see if
 the problem goes away.  Not sure if they have a  record for the
 hostname, I get a server fail response when trying against the DNS
 servers I have configured on the system. 

Or are you saying you get a server failure response if you try to look
up  records for the peer, but A lookups works fine?

Regards
Henrik



RE: [squid-users] cache_peer using DNS name

2010-04-01 Thread Dean Weimer
I have not run into the problem since disabling IPv6 this morning, using 
the DNS name for the cache_peer with the name= option set on the line.
Looks like you got it right Amos, thanks a bunch for your help.

Dean

-Original Message-
From: Dean Weimer [mailto:dwei...@orscheln.com] 
Sent: Thursday, April 01, 2010 9:54 AM
To: Amos Jeffries; squid-users@squid-cache.org
Subject: RE: [squid-users] cache_peer using DNS name

I don't have IPv6 capability, but on this test system I just did a quick 
install and Squid does have the default IPv6 setup as does the O/S (FreeBSD 
7.2).  I will recompile with --disable-ipv6 and see if the problem goes away.  
Not sure if they have a  record for the hostname, I get a server fail 
response when trying against the DNS servers I have configured on the system.  
The Bind DNS servers I am hitting do have IPv6 disabled.  I have recompiled 
Squid with the --disable-ipv6 option and set my cache_peer line back to the 
domain name.  I will let you know if this resolves the problem, after the new 
configuration is running long enough to know.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, March 31, 2010 5:17 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] cache_peer using DNS name

Henrik Nordström wrote:
 On Wed 2010-03-31 at 14:41 -0500, Dean Weimer wrote:
 I found it listed in 3.0PRE3 bugs, here is the link that I found, it is 
 listed as fixed.
 
 And it is fixed. That was a typo which made Squid always use the name=
 instead of the host when figuring out how to connect to the peer.
 Obvious error, and long time gone (fixed in 2003, long before 3.0 was
 released in 2007).
 

Does the peer have  records and you have no IPv6 connectivity?

This looks like one of the effects of our failover bug. Compounded by 
the fact the peer name is looked up so often.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1


Re: [squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 15:02 -0500, Johnson, S wrote:

 external_acl_type session ttl=300 children=20 negative_ttl=10  
 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

There should only be one child for squid_session. Having more than 1
child will give confusing results as each child keeps its own
session database.

Also you want a much lower negative_ttl, or the user needs to wait for 10
seconds before clicking the accept button.

Regards
Henrik
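The external_acl_type line from the original post beside a version with Henrik's two corrections applied, as an added example that is not from the thread. children=1 is Henrik's instruction; the negative_ttl value of 1 second is an assumption for "much lower" than the posted 10. The helper path, the ttl and concurrency values and the deny_info URL are the original poster's.

```conf
# As posted: 20 helper children, each keeping its own session database, so
# the child that recorded the accept click is not necessarily the one asked
# on the next request; plus a 10-second negative cache that keeps the freshly
# created session invisible for that long.
#external_acl_type session ttl=300 children=20 negative_ttl=10 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

# Corrected: a single child, so there is exactly one session database, and a
# negative_ttl short enough that the first request after the accept click
# already sees the new session (1 second is an assumed value).
external_acl_type session ttl=300 children=1 negative_ttl=1 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session

# Clients without a session are redirected to the AUP page; the accept link
# sends them back through Squid, where the helper then records the session.
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access deny !session
```

The intermittent behaviour in the original post (accepting the AUP "3 or 4 times" before it sticks) is consistent with both posted settings: a request served by a different child sees no session, and a request inside the negative_ttl window is answered from the cached denial without consulting the helper at all.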



Re: [squid-users] TPROXY Routing

2010-04-01 Thread Kurt Sandstrom
The bridging is working just not redirecting to the squid. I can see
the counters increment for port 80 but nothing on the squid side.


2010/4/1 Henrik Nordström hen...@henriknordstrom.net:
 On Thu 2010-04-01 at 11:10 -0700, Kurt Sandstrom wrote:
 It is set up with 2 NICs as a bridge. The routing I was referring to is
 only internal to the box, i.e. through iptables.

 bridge... haven't tried TPROXY in bridge mode, only router mode.

 Due to the complexity involved I would recommend you first try TPROXY in
 router mode, then move on to extend it to bridge mode. And remember that
 you need to divert the return traffic as well in the bridge or it won't
 work.

 Regards
 Henrik




Re: [squid-users] Performance behind proxy

2010-04-01 Thread Henrik Nordström
On Wed 2010-03-31 at 19:45 -0300, Guido Marino Lorenzutti wrote:
 NTLM kills performance. I have the same problem. Any ideas are welcome.

IP based auth cache is available in Squid-2.7 and pending to be ported to
Squid-3.

http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_access/
http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_ttl/

Regards
Henrik



Re: [squid-users] Re: ACL All Error

2010-04-01 Thread Henrik Nordström
Please file a bug report

http://bugs.squid-cache.org/


On Wed 2010-03-31 at 01:19 -0700, Kurt Sandstrom wrote:
 UPDATE!
 
 It seems to only happen when the --disable-ipv6 option is used during
 compile, perhaps the default acl handler for IPV4 needs a bit of
 love... doesn't seem the same as the one included as default.
 
 
 
 
 On Wed, Mar 31, 2010 at 1:00 AM, Kurt Sandstrom sandma...@gmail.com wrote:
  Ok I have an issue here...  Compiled Squid
  Squid Cache: Version 3.1.1
  configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
  '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
  '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
  '--disable-maintainer-mode' '--disable-dependency-tracking'
  '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
  '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
  '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs'
  '--enable-removal-policies=lru,heap' '--enable-delay-pools'
  '--enable-cache-digests' '--enable-underscores'
  '--enable-follow-x-forwarded-for' '--enable-auth=basic'
  '--enable-external-acl-helpers=ip_user' '--with-filedescriptors=65536'
  '--with-default-user=proxy' '--enable-epoll'
  '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu'
  --with-squid=/home/myuser/squid-3.1.1 --enable-ltdl-convenience
 
  and keep getting an error:
 
  squid -X
 
  FATAL: Bungled Default Configuration line 8: miss_access allow all
 
  Using the default squid.conf:
 
 
  acl manager proto cache_object
  acl localhost src 127.0.0.1/32
  acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
  acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
  acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
  acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
  # Have Added and removed with the same issue
  # acl all src 0.0.0.0/0.0.0.0
  # acl all src 0.0.0.0/0
  acl SSL_ports port 443
  acl Safe_ports port 80  # http
  acl Safe_ports port 21  # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70  # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localnet
  http_access allow localhost
  http_access deny all
  http_port 3128
  hierarchy_stoplist cgi-bin ?
  coredump_dir /var/cache
  refresh_pattern ^ftp:           1440    20%     10080
  refresh_pattern ^gopher:        1440    0%      1440
  refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
  refresh_pattern .               0       20%     4320
 
 
  Details of error:
 
  2010/03/31 00:51:02.160| ACL::Prototype::Registered: invoked for type src
  2010/03/31 00:51:02.160| ACL::Prototype::Registered:yes
  2010/03/31 00:51:02.160| ACL::FindByName 'all'
  2010/03/31 00:51:02.160| ACL::FindByName found no match
  2010/03/31 00:51:02.160| aclParseAclLine: Creating ACL 'all'
  2010/03/31 00:51:02.160| ACL::Prototype::Factory: cloning an object
  for type 'src'
  2010/03/31 00:51:02.160| aclIpParseIpData: all
  2010/03/31 00:51:02.160| aclIpParseIpData: magic 'all' found.
  2010/03/31 00:51:02.160| aclParseAclList: looking for ACL name 'all'
  2010/03/31 00:51:02.160| ACL::FindByName 'all'
  2010/03/31 00:51:02.160| ACL::FindByName found no match
  2010/03/31 00:51:02.160| aclParseAclList: ACL name 'all' not found.
  2010/03/31 00:51:02.160| leave_suid: PID 27212 called
  FATAL: Bungled Default Configuration line 8: miss_access allow all
 
  I have tried squid -X -f /etc/squid3/squid.conf to verify that I'm
  using the right config
 
 
  Any Ideas?
 



RE: [squid-users] cache_peer using DNS name

2010-04-01 Thread Henrik Nordström
Good, now please file a bug report recording your findings.

http://bugs.squid-cache.org/


On Thu 2010-04-01 at 15:37 -0500, Dean Weimer wrote:
 Yes that is correct.
 
 Just before seeing this I sent another message, with IPv6 disabled I am not 
 having any problems using the DNS name and the name= option.
 
 -Original Message-
 From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
 Sent: Thursday, April 01, 2010 3:35 PM
 To: Dean Weimer
 Cc: Amos Jeffries; squid-users@squid-cache.org
 Subject: RE: [squid-users] cache_peer using DNS name
 
 On Thu 2010-04-01 at 09:53 -0500, Dean Weimer wrote:
  I don't have IPv6 capability, but on this test system I just did a
  quick install and Squid does have the default IPv6 setup as does the
  O/S (FreeBSD 7.2).  I will recompile with --disable-ipv6 and see if
  the problem goes away.  Not sure if they have a  record for the
  hostname, I get a server fail response when trying against the DNS
  servers I have configured on the system. 
 
 Or are you saying you get a server failure response if you try to look
 up  records for the peer, but A lookups works fine?
 
 Regards
 Henrik
 



Re: [squid-users] TPROXY Routing

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 13:43 -0700, Kurt Sandstrom wrote:
 The bridging is working just not redirecting to the squid. I can see
 the counters increment for port 80 but nothing on the squid side.

TPROXY has some quite peculiar requirements, and the combination with
bridging makes those even more complex. And that is why I ask that you first
verify your TPROXY setup in routing mode before trying the same in
bridge mode. It's simply about isolating why things do not work for you
instead of trying to guess if it's the bridge-iptables integration,
ebtables, iptables TPROXY rules, routing, or whatever.

Regards
Henrik



[squid-users] Bind9 and squid3.0

2010-04-01 Thread a...@gmail

Hi All,
Hope you're all ok

Just a quick question

When I run my dns tools to check my zones and

check_zone , works
When I ping my domain name it works
But when I use Dig it doesn't
The reason I am asking is because before I installed Squid
the dig command used to work just fine

Any ideas or suggestions please or if you know of ways around this?

Your help will be much appreciated
I have checked here in the mailing list archives nothing came up on the 
subject

If I did miss it, then I apologise

Regards
Adam 



Re: [squid-users] TPROXY Routing

2010-04-01 Thread bill

PLEASE HELP!

I have been to the squid site and unsubscribed from every list, I have  
asked Henrik several times with no answer. And STILL I get these  
emails about your business.


Won't one of you PLEASE tell me how to get off of your mailing list?

Bill
785-887-6966
www.billfair.com


On Apr 1, 2010, at 3:28 PM, Henrik Nordström  
hen...@henriknordstrom.net wrote:



On Thu 2010-04-01 at 11:10 -0700, Kurt Sandstrom wrote:
It is set up with 2 NICs as a bridge. The routing I was referring to is
only internal to the box, i.e. through iptables.


bridge... haven't tried TPROXY in bridge mode, only router mode.

Due to the complexity involved I would recommend you first try TPROXY in
router mode, then move on to extend it to bridge mode. And remember that
you need to divert the return traffic as well in the bridge or it won't
work.

Regards
Henrik




Re: [squid-users] Bind9 and squid3.0

2010-04-01 Thread Henrik Nordström
On Thu 2010-04-01 at 21:50 +0100, a...@gmail wrote:

 The reason I am asking is because before I installed Squid
 the dig command used to work just fine

Installing squid does not change how bind operates in any manner. The only
possible change is that Squid maybe exercises that bind a bit more.

Regards
Henrik



[squid-users] ACL feature

2010-04-01 Thread Andrew

Can I allow only some users to access only one web site?

i.e.


user1 can only go to www.website1.com
user2 can only go to www.website2.com

user1 and user2 are authenticated by NCSA.


Re: [squid-users] Performance behind proxy

2010-04-01 Thread Kevin Blackwell

I know,

But the problem with that is I have 30 users on a term server. Trying  
to track who's going where.




Sent from my PDA please excuse any typos.


On Apr 1, 2010, at 3:44 PM, Henrik Nordström  
hen...@henriknordstrom.net wrote:



On Wed 2010-03-31 at 19:45 -0300, Guido Marino Lorenzutti wrote:
NTLM kills performance. I have the same problem. Any ideas are
welcome.


IP based auth cache available in Squid-2.7 and pending to be ported to
Squid-3.

http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_access/
http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_ttl/


Regards
Henrik
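A squid.conf fragment showing the IP-based auth cache Henrik points to, with the exclusion Kevin's terminal-server case needs. This is an added example, not configuration from the thread; it uses the Squid 2.7 directive names from Henrik's two links. The ntlm_auth helper line, the 60-second TTL and the 192.0.2.x addresses of the terminal servers are assumptions (constructed, documentation-range addresses).

```conf
# NTLM challenge/response through Samba's ntlm_auth (assumed helper setup)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
acl auth proxy_auth REQUIRED

# Terminal servers: 30 users share one source IP. If Squid cached credentials
# per IP here, every request from that IP would be logged as whoever
# authenticated first, so these sources are excluded from the shortcut.
# (Constructed addresses; substitute the real terminal-server IPs.)
acl termservers src 192.0.2.10 192.0.2.11

# Reuse credentials already seen from a client IP for 60 seconds (assumed
# value) instead of running the NTLM handshake on every request...
authenticate_ip_shortcircuit_ttl 60 seconds
# ...but never for the terminal servers, whose users must each authenticate
# so that the access log carries the correct NT user name.
authenticate_ip_shortcircuit_access deny termservers
authenticate_ip_shortcircuit_access allow all

http_access allow auth
http_access deny all
```

The shortcut trades per-request authentication for a per-IP assumption that one address equals one user; that assumption is exactly what fails behind a terminal server or a NAT device, so the deny rule is what keeps the user attribution in the log trustworthy for those sources while still removing the NTLM cost for ordinary single-user workstations.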



RE: [squid-users] Intermittent connections patch

2010-04-01 Thread HC Barfield

Hi, I have little background in squid so I can't really describe how each of
the features of squid should perform when told to run in offline mode or
in disconnected mode.

I'm sorry I didn't see the reply in the wad of messages I get from squid-users,
which is why I was a little late in replying. I sent a message to another mail
address and got this reply from Henrik:
 
Found that patch in the internet archive.. 
http://web.archive.org/web/20030816133415/www.anthill.echidna.id.au/~dancer/patches/squid-tristate-offline-patch-1.0.txt
 This is my earlier response: 
http://www.mail-archive.com/squid-...@squid-cache.org/msg02171.html Regards 
Henrik

Amos, my first message was not sent to squid-users, so I am sending it again.
CB.

RE: [squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Johnson, S
Thank you!

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
Sent: Thursday, April 01, 2010 3:41 PM
To: Johnson, S
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] delay on session acceptance with AUP redirection

tor 2010-04-01 klockan 15:02 -0500 skrev Johnson, S:

 external_acl_type session ttl=300 children=20 negative_ttl=10  
 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

There should only be one child for squid_session. Having more than 1
child will give confusing results, as each child keeps its own
session database.

Also, you want a much lower negative_ttl, or the user needs to wait 10
seconds before clicking the accept button.

Regards
Henrik





Re: [squid-users] Cache size is decreasing

2010-04-01 Thread Mr. Issa(*)
Is it OK if I set digest_generation to off? We are not using any cache peers ...

On Wed, Mar 31, 2010 at 9:44 PM, Mr. Issa(*) xnix...@gmail.com wrote:
 /dev/sdc1             1.8T  339G  1.4T  20% /cache1
 /dev/sdd1             1.8T  333G  1.4T  20% /cache2

 pr0xySRV:~# more /etc/squid/squid.conf |grep cache_swap_high ; more /etc/squid/squid.conf |grep cache_swap_low
 cache_swap_high 95
 cache_swap_low 94


 It didn't even reach 60% of its usage. This appeared after upgrading
 from Stable7 to Stable9.

 So what could be the reason?

 On Mon, Mar 29, 2010 at 8:31 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 Mr. Issa(*) wrote:

 Dear mates, I hope you enjoy your weekend... :)

 I did compile/install Squid2.7Stable9 and i noticed something

 /dev/sdc1             1.8T  355G  1.4T  21% /cache1
 /dev/sdd1             1.8T  352G  1.4T  21% /cache2
 The /cache1 and /cache2 dirs were 370G each.. suddenly they are
 decreasing and the server's load is approximately high. What could
 cause that?

 Well, I guess the server load is caused by all the work needed to remove the
 items from cache.

 Items being removed from cache wholesale like this are usually caused by one
 of the garbage collection limits being reached.
  cache_swap_high / cache_swap_low
 http://www.squid-cache.org/Doc/config/cache_swap_high/

 NP: the large cache disclaimer applies to anyone with around 10GB or more of
 cached data.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18




[squid-users] AUP issues; proxy to local network host issues

2010-04-01 Thread Johnson, S
Ok, I've almost got everything working right but I've run into one last issue.

I've got an AUP set for my users to accept before they go out to the internet.  
This works great for all but one thing.

Any time I try to hit one of my local web servers that share the public address 
range of the squid proxy, the browser session does not get initialized and I 
cannot get past my AUP page.  In addition, the logs for squid do not show any 
connection attempts so it's like the squid isn't even seeing the connection.

If I go to any other web site, the AUP comes up and I can click through it.  If 
I try to go back to any of the local web servers after the session is started I 
get the AUP page again and I cannot get past it.

Has anyone seen this or have an idea on what is going on?

 Thanks
   Scott



Re: [squid-users] ACL feature

2010-04-01 Thread Carlos Lopez

 user1 can only go on www.website1.com
 user2 can only go on www.website2.com
 user1 and user2 were authenticated by ncsa.

This link could help you:

http://blogdeaitor.wordpress.com/2008/11/04/squid-rewrite-program/ 

Carlos.





[squid-users] Squid not caching

2010-04-01 Thread jayesh chavan
Hi,
My Squid is not caching anything. My Squid config file contains:


acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


http_access allow manager localhost
http_access allow localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

icp_access allow localnet
icp_access allow all

http_port 8080

cache_peer 192.168.7.236 sibling 8080 0  weight=10
cache_peer 192.168.7.253 parent 3128 0  no-digest default
access_log c:/squid/var/logs/access.log squid

refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .       0       20%     4320

visible_hostname localhost
icp_port 3130
nonhierarchical_direct off
acl lnet src 0.0.0.0/0.0.0.0
never_direct deny all
coredump_dir c:/squid/var/cache

Regards,
  Jayesh
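As an added illustration (not part of Jayesh's post or of Squid's own code), the Python below parses the refresh_pattern lines from the posted config and applies Squid's documented freshness heuristic for objects without an Expires header (age against min/max, then the Last-Modified factor against percent, first matching pattern wins). The URLs and ages are constructed; override options such as override-expire are not modeled.

```python
import re
from dataclasses import dataclass

# Constructed copy of the refresh_pattern lines from the posted squid.conf
# (times are in minutes, as in squid.conf).
POSTED_PATTERNS = r"""
refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .       0       20%     4320
"""

@dataclass
class RefreshPattern:
    regex: "re.Pattern"
    min_s: int      # below this age the object is fresh (seconds)
    percent: float  # LM-factor threshold, as a fraction of the Last-Modified age
    max_s: int      # above this age the object is always stale (seconds)

def parse_refresh_patterns(conf: str) -> list:
    """Collect refresh_pattern directives in file order (Squid uses the first match)."""
    patterns = []
    for line in conf.splitlines():
        fields = line.split()
        if not fields or fields[0] != "refresh_pattern":
            continue
        fields = fields[1:]
        flags = 0
        if fields[0] == "-i":             # case-insensitive regex, as in Squid
            flags = re.IGNORECASE
            fields = fields[1:]
        regex, mn, pct, mx = fields[:4]   # trailing option flags are ignored here
        patterns.append(RefreshPattern(re.compile(regex, flags), int(mn) * 60,
                                       float(pct.rstrip("%")) / 100.0, int(mx) * 60))
    return patterns

def freshness(url: str, age_s: int, lm_age_s, patterns: list):
    """Return (is_fresh, reason) for an object with no Expires header.
    age_s: seconds since the response's Date; lm_age_s: seconds between the
    response's Date and its Last-Modified header, or None if absent."""
    for p in patterns:
        if p.regex.search(url):           # regex search, not anchored, like Squid
            break
    else:
        return False, "no pattern matched"
    if age_s > p.max_s:
        return False, "age > max"
    if lm_age_s and age_s < lm_age_s * p.percent:
        return True, "LM-factor below percent"
    if age_s < p.min_s:
        return True, "age < min"
    return False, "age >= min and no usable Last-Modified"
```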