Re: [squid-users] Squid pops up password dialog when remote site is not reachable
I also noticed that this only happens in Firefox, IE does perform as expected. Could be an issue about FF, thank you.

--- On Wed, 4/7/10, Henrik Nordström wrote:

> From: Henrik Nordström
> Subject: Re: [squid-users] Squid pops up password dialog when remote site is not reachable
> To: "Ayhan Molla"
> Cc: squid-users@squid-cache.org
> Date: Wednesday, April 7, 2010, 1:29 AM
>
> Mon 2010-04-05 at 23:28 -0700, Ayhan Molla wrote:
> > Hi,
> > I only modified the helper line as follows:
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >
> > and added the following two statements, the rest of the file is unchanged.
> >
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> > acl authenticated proxy_auth REQUIRED
> > http_access allow authenticated
>
> No idea then.
>
> What does access.log say?
>
> Regards
> Henrik
Re: [squid-users] Testing squid performance
From: b1
> Do you know any tools which request many sites in
> a short period of time, measuring the average load
> time, etc??

Maybe gather a few thousand URLs (each pointing to a *different* domain to avoid DOSing them) and launch n recursive wgets in parallel...

Or set up your own test webserver(s) and use apache bench.

JD
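JD's approach, as an added example that is not from the thread: fetch a list of URLs through the proxy in parallel and report per-request outcome and load-time statistics. The proxy address and the URL file format are assumptions.

```python
# Added example (not from the squid-users thread): parallel fetch of a URL
# list through a Squid proxy, with simple load-time statistics.
# PROXY and the URL-file layout (one URL per line, '#' comments) are assumptions.
import concurrent.futures
import time
import urllib.error
import urllib.request

PROXY = "http://127.0.0.1:3128"   # assumed Squid listener


def fetch_via_proxy(url, proxy=PROXY, timeout=30):
    """Fetch one URL through the proxy; return (url, status, seconds).

    status is the HTTP status code, or None when the request failed at the
    network level (DNS, connect, timeout).
    """
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)
    start = time.monotonic()
    try:
        with opener.open(url, timeout=timeout) as resp:
            resp.read()
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code          # the proxy or origin answered, just not 2xx
    except (urllib.error.URLError, OSError):
        status = None
    return url, status, time.monotonic() - start


def run_load_test(urls, workers=16):
    """Fetch all URLs with `workers` concurrent connections to the proxy."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(fetch_via_proxy, urls))


def summarize(results):
    """Aggregate (url, status, seconds) tuples into request/latency statistics."""
    times = sorted(r[2] for r in results)
    ok = sum(1 for r in results if r[1] is not None and r[1] < 400)
    if not times:
        return {"requests": 0, "ok": 0, "failed": 0, "avg": 0.0, "p95": 0.0, "max": 0.0}
    p95_index = min(len(times) - 1, int(round(0.95 * (len(times) - 1))))
    return {
        "requests": len(times),
        "ok": ok,
        "failed": len(times) - ok,
        "avg": sum(times) / len(times),
        "p95": times[p95_index],
        "max": times[-1],
    }


def load_urls(path):
    """Read the URL list: one URL per line, blank lines and '#' comments skipped."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]


if __name__ == "__main__":
    import sys
    print(summarize(run_load_test(load_urls(sys.argv[1]))))
```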
[squid-users] squid 3.1.1 bug
Hello all.

Squid 3.1.1 is utilizing the CPU (near 100%) when a client is using CONNECT & hitting a delay pool.

How to reproduce:
1. Install squid 3.1.1
2. Add a delay pool to a specific host.
3. Use CONNECT to download any file from this host.
4. See CPU utilization on the proxy while the download is in progress.

Below is my config:

[config_start]
cache_effective_user nobody
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
debug_options ALL,2

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#tested machine
acl im src 172.16.7.101

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow im

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#delay pool for "im" acl
delay_pools 1
delay_class 1 1
delay_access 1 allow im
delay_access 1 deny all
delay_parameters 1 64000/64000
[config_end]

top reports:
87.7 4.5 0:24.82 squid

87.7% is the CPU utilization here.

cache.log:
2010/04/07 14:52:33.009| The request CONNECT www.squid-cache.org:80 is ALLOWED, because it matched 'im'
2010/04/07 14:52:33.009| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2010/04/07 14:52:33.009| The request CONNECT www.squid-cache.org:80 is ALLOWED, because it matched 'im'
2010/04/07 14:53:06.302| commHandleWrite: FD 16: write failure: (104) Connection reset by peer.
2010/04/07 14:53:06.302| TunnelStateData::Connection::error: FD 16: read/write failure: (104) Connection reset by peer
2010/04/07 14:53:06.303| ConnStateData::swanSong: FD 16

Some additional info about the system:

[r...@test-ha SPECS]# arch
x86_64
[r...@test-ha SPECS]# cat /etc/redhat-release
CentOS release 5.4 (Final)
[r...@test-ha SPECS]# squid -v
Squid Cache: Version 3.1.1
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--loc
[squid-users] Multicast
Hi

Consider a situation where many squids are running and it is necessary to establish a caching hierarchy among all squid servers. If the parent/sibling cache_peer option is used it is necessary to define all squid servers in the cache_peer option of all running squid servers. Is it possible to specify all the available squid caching servers in cache_peer options as a single entry using a multicast IP?

If I want to configure multicast in squid, what are the steps to be followed to configure squid as a multicast server and multicast client?

Kindly educate me on the multicast option in squid.

Regards
senthil
Re: [squid-users] Yet another IMAP support request
> > On 05.04.10 10:03, Sabyasachi Ruj wrote:
> > > Well, I have implemented the client which can connect to IMAP via
> > > squid. You just need to use "CONNECT" method of HTTP protocol.
> > > If you see FileZilla, it can also connect to SFTP via squid.

> On Tue, Apr 6, 2010 at 2:08 PM, Matus UHLAR - fantomas wrote:
> > can you at least answer my question, why do you "need" it? do you have
> > admins that do not allow IMAP connections from your network, and/or refuse
> > to install anything but squid?

On 06.04.10 14:38, Sabyasachi Ruj wrote:
> Because of the same reason why FileZilla, Skype, or many such software
> need it. We are writing a software which connects to mailbox using
> IMAP. And many users have reported that they can connect to Internet
> only using a proxy. Most of them are using "squid".

So you actually do NOT need squid to support IMAP. What you want is your IMAP client to be able to use an HTTP proxy through CONNECT requests, also known as tunnelling through an HTTP proxy. That is what all the software mentioned above does.

Squid does NOT support anything but HTTP(s) on the server side. There's no need for IMAP support in squid because that has nothing to do with IMAP, that's just tunnelling.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
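The CONNECT tunnelling Matus describes, as an added example that is not from the thread: the client asks the proxy for a raw TCP tunnel to the mail host and only then starts TLS and IMAP inside that tunnel, so the proxy never sees IMAP. The proxy address, mail host and Basic proxy credentials are assumptions.

```python
# Added example (not from the squid-users thread): an IMAPS client opening a
# tunnel through an HTTP proxy with CONNECT. Proxy host/port, the mail host
# and the proxy credentials are assumptions; replace them with your own.
import base64
import socket
import ssl


def build_connect_request(host, port, proxy_user=None, proxy_pass=None):
    """Return the raw CONNECT request that asks the proxy for a tunnel to host:port."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        # Basic credentials for the proxy itself (proxy_auth in squid.conf),
        # unrelated to the IMAP login that happens later inside the tunnel.
        token = base64.b64encode(f"{proxy_user}:{proxy_pass}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Parse the proxy's reply; return (status_code, headers, leftover_bytes).

    Raises ValueError when the header block is incomplete or malformed.
    """
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, leftover


def open_imaps_tunnel(proxy_host, proxy_port, mail_host, mail_port=993, **auth):
    """Connect to the proxy, request the tunnel, then start TLS *inside* it."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=30)
    sock.sendall(build_connect_request(mail_host, mail_port, **auth))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    status, _headers, _leftover = parse_connect_response(buf)
    if status != 200:
        sock.close()
        # 407: the proxy wants proxy_auth credentials first.
        # 403: an http_access rule (e.g. CONNECT to a non-SSL_ports port) refused it.
        raise ConnectionError(f"proxy refused the tunnel: HTTP {status}")
    # From here on the proxy just relays bytes; TLS is end-to-end with the mail host.
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(sock, server_hostname=mail_host)
    return tls   # caller reads the IMAP greeting ("* OK ...") and logs in
```

Squid's default squid.conf only permits CONNECT to ports listed in the SSL_ports ACL (443 out of the box), so the proxy administrator has to add 993 there before this tunnel is allowed.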
Fwd: [squid-users] Fwd: Squid 2.7 with NTLM auth
I have tried the below lines and it works but I would prefer to get it working using the allowed_ip.txt file. In that case we can just add an IP address to allow through the proxy instead of making additional acls.

acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
http_access allow goto_meeting

Any ideas?

On Tue, Apr 6, 2010 at 03:48, Amos Jeffries wrote:
>
> Milan wrote:
>>
>> We are using Squid ported for Windows and are experiencing an issue with one
>> particular service. GotoMeeting, GotoAssist, GotoWebinar (Citrix). We
>> are unable to get users connected unless we add the individual IP
>> Address of the servers individually:
>>
>> 216.115.208.0 / 20
>> 216.219.112.0 / 20
>> 66.151.158.0 / 24
>> 66.151.150.160 / 27
>> 66.151.115.128 / 26
>> 64.74.80.0 / 24
>> 202.173.24.0 / 21
>> 67.217.64.0 / 19
>> 78.108.112.0 / 20
>> 68.64.0.0 / 19
>> 206.183.100.0 / 22
>>
>> The full list is above and there is no way we are typing individual
>> IPs. We tried putting CIDR notation in the allowed_ip.txt but it
>> does not like that. Any advice on how to set this up with the least
>> administrative effort? We are kind of new to SQUID. Thanks for your
>> advice.
>
> There is no such thing as "allowed_ips.txt" in Squid. I assume you have
> followed some how-to tutorial.
>
> ... what does squid.conf contain? (without the # comment lines)
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Fwd: Squid 2.7 with NTLM auth
On Apr 7, 2010, at 10:53 AM, Milan wrote:
> I have tried the below lines and it works but I would prefer to get it
> working using the allowed_ip.txt file. In that case we can just add an IP
> address to allow through the proxy instead of making additional acls.
>
> acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24
> 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21
> 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
>
> http_access allow goto_meeting
>
>
> Any ideas?

acl foo src 10.0.0.0/255.255.0.0 proxy_auth REQUIRED
acl bar proxy_auth luke yoda darth joe
acl myNet src 11.0.0.0/255.255.0.0

http_access allow foo
http_access allow bar
http_access allow myNet
http_access deny all

I could be wrong... never tried it before.

-j
[squid-users] R: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Hi Markus,

> If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
> Negotiate the Windows client will try first to get a Kerberos ticket and
> if that succeeds sends a Negotiate response with a Kerberos token to the
> proxy.
> If the Windows client fails to get a Kerberos ticket the client will send
> a Negotiate response with an NTLM token to the proxy. Unfortunately there
> is yet no squid helper which can handle both a Negotiate/Kerberos response
> and a Negotiate/NTLM response (although maybe the samba ntlm helper can).
> So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1
10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135
Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it
Re: [squid-users] Squid pops up password dialog when remote site is not reachable
Hi All,

I know that many people in many different situations, including myself, are having serious issues with FF3 ++, especially with Java applets and many other environments. I have programs running with IE 6,7,8, Safari, FF2.0, Opera, Chrome etc.. but not with FF3.0 and later. So it could well be a Firefox issue, I am not saying that for sure but it could well be. Try with FF2 and see if it works; then you'll know for sure that it's to do with FF3 and the new generation plugins or something in the core of FF3.

I hope that helps

Regards
Adam

- Original Message -
From: "Ayhan Molla"
To: "Henrik Nordström"
Cc:
Sent: Wednesday, April 07, 2010 10:09 AM
Subject: Re: [squid-users] Squid pops up password dialog when remote site is not reachable

I also noticed that this only happens in Firefox, IE does perform as expected. Could be an issue about FF, thank you.

--- On Wed, 4/7/10, Henrik Nordström wrote:

From: Henrik Nordström
Subject: Re: [squid-users] Squid pops up password dialog when remote site is not reachable
To: "Ayhan Molla"
Cc: squid-users@squid-cache.org
Date: Wednesday, April 7, 2010, 1:29 AM

Mon 2010-04-05 at 23:28 -0700, Ayhan Molla wrote:
> Hi,
> I only modified the helper line as follows:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> and added the following two statements, the rest of the file is unchanged.
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated

No idea then.

What does access.log say?

Regards
Henrik
[squid-users] Problem with name based virtual hosts
Hello,

I've a problem with a squid as accel for one apache with different name based virtual hosts.

It seems that squid doesn't request the apache with the right http host as sent by the client. I can check this on a second IP address which is directly bound to apache. Using the bypass works, using via squid accel calls the "main" vhost.

See the config below. When I call one of the "dstdomain" hosts I always get a request to www.domain.de on apache.

Does anybody know what I'm doing wrong? Is there somewhere a switch missing to pass the original hostname?

squid.conf
-
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

cache_dir ufs /var/cache/squid 1024 16 256

visible_hostname www.domain.de

http_port 123.123.123.123:80 accel defaultsite=www.domain.de
http_port 123.123.123.123:8080 accel defaultsite=www.domain.de
https_port 123.123.123.123:443 accel defaultsite=www.domain.de cert=/home/httpd/vhosts/domain.de/ssl/www.domain.de.crt key=/home/httpd/vhosts/domain.de/ssl/www.domain.de.key

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel1 login=PROXYPASS
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=myAccel2
cache_peer 127.0.0.1 parent 443 0 no-query originserver name=myAccel3 ssl sslflags=DONT_VERIFY_PEER

acl our_sites dstdomain www.domain.de
acl our_sites dstdomain sbwc.domain.de
acl our_sites dstdomain dereferer.domain.de
acl our_sites dstdomain images.domain.de
acl our_sites dstdomain .home.domain.de
acl our_sites dstdomain .domain-home.de
acl our_sites dstdomain shop.domain.de
acl out_sites dstdomain stats.domain.de
http_access allow our_sites
http_access deny all

acl port80 myport 80
acl port443 myport 443
acl port8080 myport 8080
acl dir urlpath_regex ^/web

cache_peer_access myAccel1 deny dir
cache_peer_access myAccel1 deny port8080
cache_peer_access myAccel1 deny port443
cache_peer_access myAccel3 deny port8080
cache_peer_access myAccel2 allow port8080
cache_peer_access myAccel2 allow dir
cache_peer_access myAccel2 deny all
-

Kind regards,
Andreas Müller
Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

"Guido Serassio" wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

> If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
> Negotiate the Windows client will try first to get a Kerberos ticket and
> if that succeeds sends a Negotiate response with a Kerberos token to the
> proxy.
> If the Windows client fails to get a Kerberos ticket the client will send
> a Negotiate response with an NTLM token to the proxy. Unfortunately there
> is yet no squid helper which can handle both a Negotiate/Kerberos response
> and a Negotiate/NTLM response (although maybe the samba ntlm helper can).
> So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards

Guido Serassio
[squid-users] Re: Negotiate/NTLM Authentication a safer option then Negotiate/Kerberos??
Hi Bilal,

When you use Negotiate you can not control if the client uses Negotiate/Kerberos or Negotiate/NTLM. You have to use pure NTLM as the auth option to guarantee NTLM.

Regards
Markus

"GIGO ." wrote in message news:snt134-w53ecc1acc0c9b74476d649b9...@phx.gbl...

Hi All,

In our environment currently we are using ISA server with user-based authentication. We are using Windows 2003 Active Directory and almost all of the users are using a Windows based OS. We want to seamlessly migrate our users to Squid. I have not yet reached any conclusion despite lots of studies/efforts/Squid Support. I would like you people to guide me in detail please.

If Negotiate/Kerberos has a limitation in squid that it has only one fallback scheme and that is Basic/LDAP, then isn't it a safe option to use Negotiate/NTLM if all users belong to Microsoft Active Directory only? As every logged-in domain user will always possess a valid NTLM token even if it doesn't have a valid Kerberos token, this scheme will not require any fallback authentication mechanism to be defined. I would probably be needing to enumerate Active Directory users through some mechanism (which I am not sure about at this moment) to get this scheme working. Am I right? Please guide in detail.

Another thing which is confusing is whether, like Kerberos, the NTLM token (and hence the user's credentials) will automatically be passed to squid and the user never needs to explicitly give a password. Am I right?

What will happen if the user is not logged into the domain but on a workstation that is part of a workgroup? I assume that in that case a password popup screen will appear and the user will give his/her credentials in domainname/user format and that will work?

regards,
Bilal Aslam
[squid-users] Squid 3.1.1 and flash video scrubbing
I've started doing field tests of 3.1.1 and an interesting bug has shown up. If you try to jump ahead in a partially loaded video from youporn.com or redtube.com the flash player freezes and doesn't continue to download the video. With squid off, you would be able to jump to any part of the video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14 and 3.1.0.15 and they all have the same behavior. I've also tested this on squid 2.7 and both sites work properly.

Can some other users confirm this before I submit a bug report?

Using squid 3.1.1 on Debian 5.0.1, 2.6.30.10 kernel
[squid-users] SQUID 3.0.STABLE24 : NTLM+SAMBA/WINBINDD BH Helper detected protocol error
Dear

I have installed samba + winbindd on the Squid computer and configured it as PDC.

squid is compiled as:
Squid Cache: Version 3.0.STABLE24
configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for' '--with-maxfd=32000' '--with-large-files' '--disable-dlmalloc' '--with-pthreads' '--enable-esi' '--enable-storeio=aufs,diskd,ufs' '--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log' '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl' '--enable-basic-auth-helpers=LDAP' '--enable-truncate' '--enable-linux-netfilter' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-basic-auth-helpers=LDAP,MSNT,multi-domain-NTLM,SMB' '--enable-ntlm-auth-helpers=SMB,no_check' '--with-default-user=squid' '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support' '--enable-poll' '--enable-epoll' '--enable-async-io' '--enable-delay-pools' '--enable-ssl' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'

NTLM events in debug mode are:

ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
ntlm-auth[18942](ntlm_auth.c:287): managing request
ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
ntlm-auth[18942](ntlm_auth.c:287): managing request
ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
ntlm-auth[18942](ntlm_auth.c:287): managing request
ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid

Here is my squid conf:

auth_param ntlm program /usr/lib/squid3/ntlm_auth -d WORKGROUP/debian503-http
auth_param basic program /usr/lib/squid3/ntlm_auth -d WORKGROUP/debian503-http
auth_param ntlm children 5
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
#- NTLM ACL settings
acl ntlm_users proxy_auth REQUIRED

and smb.conf is:

[global]
workgroup=WORKGROUP
netbios name=debian503-http
server string=%h server
disable netbios=no

How can I resolve it?

Best regards
Re: [squid-users] Problem with name based virtual hosts
On Wed, 7 Apr 2010 20:48:22 +0200, Andreas Müller wrote:
> Hello,
>
> I've a problem with a squid as accel for one apache with different name
> based virtual hosts.
>
> It seems that squid doesn't request the apache with the right http host as
> sent by the client. I can check this on a second IP address which is directly
> bound to apache. Using the bypass works, using via squid accel calls the
> "main" vhost.
>
> See the config below. When I call one of the "dstdomain" hosts I always get
> a request to www.domain.de on apache.
>
> Does anybody know what I'm doing wrong? Is there somewhere a switch missing to
> pass the original hostname?

You require the "vhost" option on the accel http_port lines.

Amos
Re: [squid-users] SQUID 3.0.STABLE24 : NTLM+SAMBA/WINBINDD BH Helper detected protocol error
On Wed, 07 Apr 2010 22:44:02 +0200, David Touzeau wrote:
> Dear
>
> I have installed samba + winbindd on the Squid computer and configured it
> as PDC
>
> squid is compiled as:
> Squid Cache: Version 3.0.STABLE24
> configure options: '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--enable-gnuregex'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--with-maxfd=32000' '--with-large-files' '--disable-dlmalloc'
> '--with-pthreads' '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> '--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log'
> '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> '--enable-basic-auth-helpers=LDAP' '--enable-truncate'
> '--enable-linux-netfilter' '--enable-auth=basic,digest,ntlm'
> '--enable-digest-auth-helpers=ldap,password'
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-basic-auth-helpers=LDAP,MSNT,multi-domain-NTLM,SMB'
> '--enable-ntlm-auth-helpers=SMB,no_check' '--with-default-user=squid'
> '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support'
> '--enable-poll' '--enable-epoll' '--enable-async-io'
> '--enable-delay-pools' '--enable-ssl' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
>
>
>
> NTLM events in debug mode are:
>
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol
> error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got
> 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol
> error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got
> 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol
> error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got
> 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol
> error' to squid
>
> Here is my squid conf:
>
> auth_param ntlm program /usr/lib/squid3/ntlm_auth -d
> WORKGROUP/debian503-http
> auth_param basic program /usr/lib/squid3/ntlm_auth -d
> WORKGROUP/debian503-http
> auth_param ntlm children 5
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> #- NTLM ACL settings
> acl ntlm_users proxy_auth REQUIRED
>
> and smb.conf is:
>
> [global]
> workgroup=WORKGROUP
> netbios name=debian503-http
> server string=%h server
> disable netbios=no
>
>
> How can I resolve it?

Try the ntlm_auth helper provided by Samba. The squid one does not do full NTLM.

Amos
Re: [squid-users] Squid 3.1.1 and flash video scrubbing
On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson wrote:
> I've started doing field tests of 3.1.1 and an interesting bug has shown
> up. If you try to jump ahead in a partially loaded video from youporn.com
> or redtube.com the flash player freezes and doesn't continue to download
> the video. With squid off, you would be able to jump to any part of the
> video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14 and
> 3.1.0.15 and they all have the same behavior. I've also tested this on
> squid 2.7 and both sites work properly.
>
> Can some other users confirm this before I submit a bug report?
>
> Using squid 3.1.1 on Debian 5.0.1, 2.6.30.10 kernel

What range_offset_limit and quick_abort_* settings are you working with?

Also, are you able to track down any info about what the requests hitting Squid are? Headers, etc.

Amos
Re: [squid-users] UDP errors after upgrade to 3.1.1
On Wed, 7 Apr 2010 09:48:10 -0400, BASDarchive wrote:
> On Apr 6, 2010, at 3:08 AM, Amos Jeffries wrote:
>
>> donovan jeffrey j wrote:
>>> Greetings
>>> compiled 3.1.1 on 2 OSX machines, both running 10.5.8 one is
>>> transparent and the other is straight up.
>>> build went fine. no errors.
>>> fired up squid ( squid -d1x )
>>> clients connected but as soon as a request for a site came through I
>>> got a ton of these on both systems;
>>> 2010/04/01 10:38:48| idnsSendQuery: FD 6: sendto: (22) Invalid argument
>>> 2010/04/01 10:38:56| comm_udp_sendto: FD 6, (family=2) 209.96.96.2:53: (22) Invalid argument
>>> here is my previous build:
>>> Version 3.0.STABLE24
>>> configure options: '--enable-async-io' '--enable-icmp'
>>> '--enable-delay-pools' '--disable-htcp' '--enable-ssl'
>>> '--enable-ipfw-transparent' '--enable-snmp' '--enable-underscores'
>>> '--enable-basic-auth-helpers=NCSA,LDAP,getpwnam'
>>> i quickly flipped back to my previous build until I can figure out what
>>> changed.
>>> -jeff
>>
>> MacOSX is one of the OS where IPv6 support is not available in Squid
>> 3.1. Build with --disable-ipv6 for now on that OS.
>>
>> Sorry about that, I am working on it in the background but have been
>> held up by other bugs. Time permitting it might work in 3.2.
>>
>> Amos
>
> Hi amos,
>
> just recompiled, 2 things so far.
>
> when I was done i did a " squid -v "
> Squid Cache: Version 3.1.1
> configure options: '--enable-icmp' '--enable-storeio=diskd,ufs,aufs'
> '--enable-delay-pools' '--disable-htcp' '--enable-ssl'
> '--enable-ipfw-transparent' '--enable-snmp' '--enable-underscores'
> '--enable-basic-auth-helpers=NCSA,LDAP,getpwnam' '--disable-ipv6'
> --with-squid=/usr/local/src/squid-3.1.1 --enable-ltdl-convenience
>
> what is this section ? --with-squid=/usr/local/src/squid-3.1.1
> --enable-ltdl-convenience , I did not set these options. I'm not sure what
> ltdl-convenience is.

--with-squid is an autoconf internal parameter added so that certain helpers with sub-configure scripts can be built against the squid source code.

--enable-ltdl-convenience is part of the libtool automatics to allow dynamically loadable libraries. eCAP etc require it and some other libraries make use of it when present for a smaller binary.

> Second and probably more important.
> squid -d1x
> squid -k check shows " squid: ERROR: No running copy "
> squid -k rotate " squid: ERROR: No running copy "
> squid -k shutdown " squid: ERROR: No running copy "
>
> ps -ax | grep squid
> root# ps -ax | grep squid
> 29428 ?? 0:00.00 squid -d1x
> 29430 ?? 0:01.30 (squid) -d1x
> 29431 ?? 0:00.04 (squidGuard) -c /usr/local/squidGuard/squidGuard.conf
>
> is there a new way to start stop ?

Ouch, check if the squid.pid file also exists with the current Squid worker process PID (29430) inside it.

"-k check" maybe should not be doing that test anyway. But the others require a running Squid they can contact.

Amos
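The check Amos asks for above (does the pidfile exist, and does the PID in it belong to a live process) as an added example. This is not code from the thread or from the Squid project; the default pidfile path used in the usage line is an assumption, so pass the path your squid.conf actually uses. "-k rotate" and "-k shutdown" signal whatever PID is read from that file, so a missing, empty or stale file gives "No running copy" even while a worker is visible in ps.

```python
import os

# Added example: classify a Squid pidfile as missing, corrupt, stale or running.
# Nothing here is Squid project code; the default path below is an assumption.


def read_pidfile(path):
    """Return the integer PID stored in `path`, or None if it is unreadable or not a number."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            text = fh.read().strip()
    except OSError:
        return None
    if not text.isdigit():
        return None  # empty or corrupt file, not a PID
    return int(text)


def pid_is_alive(pid):
    """True if a process with this PID exists. Signal 0 only probes, it never kills."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False   # ESRCH: no such process, the pidfile is stale
    except PermissionError:
        return True    # EPERM: the process exists but belongs to another user
    except OverflowError:
        return False   # value cannot be a PID on this platform
    return True


def pidfile_status(path):
    """One of 'missing', 'corrupt', 'stale' or 'running'."""
    if not os.path.exists(path):
        return "missing"
    pid = read_pidfile(path)
    if pid is None:
        return "corrupt"
    return "running" if pid_is_alive(pid) else "stale"


if __name__ == "__main__":
    import sys
    # Assumed default location; override with the path from your squid.conf.
    pidfile = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/squid/var/run/squid.pid"
    print(pidfile, pidfile_status(pidfile))
```

Compare the PID the script reports against the "(squid)" worker shown by ps (29430 in the post): if the file says "stale" or "missing" while the worker is running, the "-k" commands cannot find it and the pidfile location or permissions are the thing to look at.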
[squid-users] Logging failed authentication requests
Hi,

We're running Squid version 2.6. In our configuration, some URLs require proxy authentication so we use the squid_ldap_auth helper with basic auth. Everything works fine.

We would like to log any password failures, including the source IP address, to track down password guessers. The failure could be logged to access.log or to another log. Only successful requests are logged currently. Is there any way to log authentication failures?

I've been digging through acl.c, authenticate.c, and client_side.c to see if there's something in there, but I'm not familiar with the source. I could log from the helper but only the username and password are available to it.

Just in case any of this is helpful, here are a few lines from the config:

  emulate_httpd_log on
  auth_param basic program /usr/local/squid/libexec/multi_auth
  access_log /usr/local/squid/var/logs/access.log
  acl authenticated proxy_auth REQUIRED
  (other ACLs)
  http_access allow no_auth
  http_access allow no_auth_dst
  http_access allow no_auth_regex
  http_access deny wireless
  http_access allow authenticated
  http_access deny all

Thank you,
-Dan
Re: [squid-users] Logging failed authentication requests
On Wed, 07 Apr 2010 19:12:53 -0700, "Mellem, Dan" wrote:
> Hi,
>
> We're running Squid version 2.6. In our configuration, some URLs require
> proxy authentication so we use the squid_ldap_auth helper with basic
> auth. Everything works fine.
>
> We would like to log any password failures, including the source IP
> address, to track down password guessers. The failure could be logged to
> access.log or to another log. Only successful requests are logged
> currently. Is there any way to log authentication failures?

They _are_ logged by default.

Reply status codes 401 and 407 in access.log are failed www-server and proxy authentication attempts respectively which were re-challenged. Other denials will be logged with other 4xx codes.

> I've been digging through acl.c, authenticate.c, and client_side.c to
> see if there's something in there, but I'm not familiar with the source.
> I could log from the helper but only the username and password are
> available to it.
>
> Just in case any of this is helpful, here are a few lines from the
> config:
>
> emulate_httpd_log on
> auth_param basic program /usr/local/squid/libexec/multi_auth
> access_log /usr/local/squid/var/logs/access.log
> acl authenticated proxy_auth REQUIRED
> (other ACLs)
> http_access allow no_auth
> http_access allow no_auth_dst
> http_access allow no_auth_regex
> http_access deny wireless
> http_access allow authenticated
> http_access deny all

Problem: None of your ACL involve denial based on auth credentials. Therefore bad auth credentials will never be challenged, only the general access denied will ever happen.

So ... non-working credentials may show up in the access.log as a 404/403 status with NONE/- for the source information.

Amos
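Amos's point above is that the 407s already in access.log are the record of failed proxy authentication, so "tracking down password guessers" is a matter of counting them per client address. The following is an added example of that detection logic, not code from the thread or from the Squid project. It parses Squid's native access.log layout (the same layout as the log lines quoted elsewhere in this digest: timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/host, type); with emulate_httpd_log on, as in Dan's config, the layout differs and the regex would need adjusting. The sample lines are constructed, and the split between "challenge" (407 with no username) and "rejected" (407 with a username present) assumes the user field carries the name the client sent when credentials were supplied and "-" when none were.

```python
import re
from collections import defaultdict

# Constructed sample of native-format access.log lines (not from the thread).
SAMPLE_LOG = """\
1270700000.101 0 10.0.0.5 TCP_DENIED/407 1850 GET http://example.org/ - NONE/- text/html
1270700000.320 2 10.0.0.5 TCP_MISS/200 5120 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
1270700001.004 0 10.0.0.9 TCP_DENIED/407 1850 GET http://example.org/ - NONE/- text/html
1270700001.210 1 10.0.0.9 TCP_DENIED/407 1850 GET http://example.org/ bob NONE/- text/html
1270700001.420 1 10.0.0.9 TCP_DENIED/407 1850 GET http://example.org/ bob NONE/- text/html
1270700001.630 1 10.0.0.9 TCP_DENIED/407 1850 GET http://example.org/ bob NONE/- text/html
1270700002.000 0 10.0.0.9 TCP_DENIED/407 1850 GET http://example.org/ admin NONE/- text/html
1270700003.000 3 10.0.0.7 TCP_DENIED/403 1500 GET http://intranet/ - NONE/- text/html
"""

# Squid native log: ts elapsed client code/status bytes method url user hier/host type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)


def parse_native_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def auth_failures(lines):
    """Per-client counts of 401/407 replies.

    'challenges' are replies to requests that carried no credentials (user '-'),
    'rejected' are replies to requests that did carry credentials (assumption:
    the user field then holds the supplied name), 'users' collects those names.
    """
    stats = defaultdict(lambda: {"challenges": 0, "rejected": 0, "users": set()})
    for line in lines:
        rec = parse_native_line(line)
        if rec is None or rec["status"] not in ("401", "407"):
            continue  # other denials (403, 404) are not authentication failures
        entry = stats[rec["client"]]
        if rec["user"] == "-":
            entry["challenges"] += 1
        else:
            entry["rejected"] += 1
            entry["users"].add(rec["user"])
    return dict(stats)


def suspicious_clients(stats, max_rejected=3):
    """Clients whose rejected-credential count reaches the threshold, sorted by address."""
    return sorted(c for c, s in stats.items() if s["rejected"] >= max_rejected)


if __name__ == "__main__":
    stats = auth_failures(SAMPLE_LOG.splitlines())
    for client, s in sorted(stats.items()):
        print(client, s["challenges"], s["rejected"], sorted(s["users"]))
    print("suspicious:", suspicious_clients(stats))
```

Run it against a real file with `auth_failures(open(path))`; a client that collects many rejected credentials, or tries several usernames from one address, is the password guesser Dan wants to find, while a single bare challenge per client is just the normal Basic auth round trip.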
RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and where the browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain?

I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

> To: squid-users@squid-cache.org
> From: hua...@moeller.plus.com
> Date: Wed, 7 Apr 2010 20:17:20 +0100
> Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
>
> Sorry I knew that but forgot to mention that I was talking about the Unix
> version.
>
> Thank you
> Markus
>
> "Guido Serassio" wrote in message
> news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
> Hi Markus,
>
>> If you have a Windows client and the proxy send WWW-Proxy-Authorize:
>> Negotiate the Windows client will try first to get a Kerberos ticket and
>> if that succeeds sends a Negotiate response with a Kerberos token to the
>> proxy.
>> If the Windows client fails to get a Kerberos ticket the client will send
>> a Negotiate response with a NTLM token to the proxy. Unfortunately there
>> is yet no squid helper which can handle both a Negotiate/Kerberos response
>> and a Negotiate/NTLM response (although maybe the samba ntlm helper can).
>> So there is a fallback when you use Negotiate, but it has some caveats.
>
> This is not true when Squid is running on Windows: the Windows native
> Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
> responses.
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
[squid-users] Multicast
Hi

What is the use of the multicast option in squid?

How to configure squid to multicast messages and receive multicast messages?

In order to configure multicast, is any configuration needed other than in squid?

Regards
senthil
[squid-users] url_rewrite_concurrency
Hi~

I have a squid running url_rewrite_program, but when I use "url_rewrite_concurrency" in squid.conf, the rewrite fails. The access.log looks like this:

  1270692467.083 0 127.0.0.1 TCP_MEM_HIT/200 29514 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639306 - NONE/- text/xml "-" "Wget/1.10.2 (Red Hat modified)"
  1270692470.083 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639 - DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)"
  1270692476.604 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.99 - DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)"

My squid.conf and rewrite_program are as follows:

  acl rewriteurl url_regex -i ^http://drag.g1d.net/.*\.mp40drag\?
  url_rewrite_access deny !rewriteurl
  url_rewrite_program /home/squid/etc/redirect.pl
  url_rewrite_children 5
  url_rewrite_concurrency 5

  #!/usr/bin/perl -wl
  use strict;
  $|=1;
  while (<>)
  {
      my ($uri,$client,$ident,$method) = ( );
      ($uri, $client, $ident, $method) = split;

      if ($uri =~m#^(.*)(\?.*)#i)
      {
          my ($url,$strings) = ($1,$2);
          print "$url\n";
      }
      else
      {
          print "$uri\n";
      }
  }

Is anything wrong?
RE: [squid-users] Squid 3.1.1 and flash video scrubbing
My range_offset_limit and quick_abort_* settings were all default.

I tried setting
  range_offset_limit -1 - did not fix the problem
  quick_abort_min 0 and quick_abort_max 0 - did not fix the problem
  quick_abort_min -1 - did not fix the problem

The type of URLs it's having problems with are like these,

  1270696241.147 3691 172.16.16.199 TCP_MISS/200 3069898 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1 - DIRECT/208.111.181.139 video/x-flv
  1270696248.438 7293 172.16.16.199 TCP_MISS/200 1442091 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1&fs=4281434 - DIRECT/208.111.181.139 video/x-flv

The first one is the initial video player loading the flv. This request works correctly and the video starts to download. The second URL is when I jump the video player slider ahead of the downloading video, note the fs=4281434 added to the URL. It's this fs= parameter that changes the behavior of the download. You could wget the first URL and a flv would download. Wgetting the second URL keeps making wget retry even though the website sends back a 200 OK.

I have this all set up in a lab so if you want tcpdumps I can provide them.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 8:36 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing

On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson wrote:
> I've started doing field tests of 3.1.1 and an interesting bug has shown
> up. If you try to jump ahead in a partially loaded video from youporn.com
> or redtube.com the flash player freezes and doesn't continue to download
> the video. With squid off, you would be able to jump to any part of the
> video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14 and
> 3.1.0.15 and they all have the same behavior. I've also tested this on
> squid 2.7 and both sites work properly.
>
> Can some other users confirm this before I submit a bug report?
>
> Using squid 3.1.1 on Debian 5.0.1 2.6.30.10 kernel

What range_offset_limit and quick_abort_* settings are you working with?

Also, are you able to track down any info about what the requests hitting Squid are? headers, etc

Amos
Re: [squid-users] Multicast
On Thu, 08 Apr 2010 08:49:07 +0530, senthilkumaar2021 wrote: > Hi > > What is the use of multicast option in squid ? > > How to configure squid to multicast messages and receive multicast > messages? > > In order to configure multicast whether any configuration is needed in > other than squid > http://wiki.squid-cache.org/Features/MultiCast Amos
Re: [squid-users] Multicast
Thank you very much

I found the following option to be configured in squid to send multicast ICP queries:

  cache_peer 224.9.9.9 multicast 0 3130 ttl=64

224.9.9.9 is a sample multicast group address.

Is 224.9.9.9 an IP of squid?

In order to use 224.9.9.9 or any other address, does any configuration need to be made in our network other than squid?

Regards
senthil

Amos Jeffries wrote:
> On Thu, 08 Apr 2010 08:49:07 +0530, senthilkumaar2021 wrote:
>> Hi
>>
>> What is the use of the multicast option in squid?
>>
>> How to configure squid to multicast messages and receive multicast messages?
>>
>> In order to configure multicast, is any configuration needed other than in squid?
>
> http://wiki.squid-cache.org/Features/MultiCast
>
> Amos
Re: [squid-users] url_rewrite_concurrency
On Thu, 08 Apr 2010 11:24:27 +0800, Gemmy wrote:
> Hi~
> I have a squid running url_rewrite_program, but when I use
> "url_rewrite_concurrency" in squid.conf, the rewrite fails. The access.log
> looks like this:
>
> 1270692467.083 0 127.0.0.1 TCP_MEM_HIT/200 29514 GET
> http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639306
> - NONE/- text/xml "-" "Wget/1.10.2 (Red Hat modified)"
> 1270692470.083 32 127.0.0.1 TCP_MISS/200 29507 GET
> http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639
> - DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)"
> 1270692476.604 32 127.0.0.1 TCP_MISS/200 29507 GET
> http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.99 -
> DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)"
>
> My squid.conf and rewrite_program are as follows:
>
> acl rewriteurl url_regex -i ^http://drag.g1d.net/.*\.mp40drag\?
> url_rewrite_access deny !rewriteurl
> url_rewrite_program /home/squid/etc/redirect.pl
> url_rewrite_children 5
> url_rewrite_concurrency 5
>
> #!/usr/bin/perl -wl
> use strict;
> $|=1;
> while (<>)
> {
>     my ($uri,$client,$ident,$method) = ( );
>     ($uri, $client, $ident, $method) = split;
>
>     if ($uri =~m#^(.*)(\?.*)#i)
>     {
>         my ($url,$strings) = ($1,$2);
>         print "$url\n";
>     }
>     else
>     {
>         print "$uri\n";
>     }
> }
>
> Is anything wrong?

Yes. Concurrency is a slightly different helper protocol. Your helper does not understand it.

http://wiki.squid-cache.org/Features/Redirectors#How_do_I_make_it_concurrent.3F

Amos
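The protocol difference Amos points at, shown as an added example rather than the poster's Perl helper or any Squid project code: with url_rewrite_concurrency set, Squid prefixes each request line with a channel ID and expects that same ID as the first token of the reply, so a helper written for the plain protocol treats the ID as the URL and returns nonsense. The helper below does the same job as the poster's (strip the query string from the URL) in both modes. Two details are assumptions to check against the wiki page linked above for your version: the remaining fields after the ID are laid out as in the non-concurrent form (URL, client/fqdn, ident, method, ...), and an unparseable line is answered by echoing its channel ID so that the channel is never left waiting. Note also that the Perl version combines the -l switch (which appends a newline to every print) with an explicit "\n", so it emits a blank line after every reply; this version writes exactly one line per request.

```python
import sys

# Added example of a url_rewrite helper speaking both the plain and the
# concurrent helper protocol. Not the poster's script, not Squid project code.


def strip_query(url):
    """Drop everything from the first '?' onward (the Perl helper cut at the last '?')."""
    return url.split("?", 1)[0]


def handle_line(line, concurrent=True):
    """Build the reply for one request line from Squid.

    Plain protocol:      "URL client/fqdn ident method ..."    -> "newURL"
    Concurrent protocol: "ID URL client/fqdn ident method ..." -> "ID newURL"
    (field layout after the ID is an assumption; see the lead-in)
    """
    fields = line.rstrip("\r\n").split()
    if concurrent:
        if len(fields) < 2:
            # Malformed or empty request: echo the channel ID (if any) so that
            # Squid gets a reply on that channel instead of waiting forever.
            return fields[0] if fields else ""
        channel, url = fields[0], fields[1]
        return f"{channel} {strip_query(url)}"
    if not fields:
        return ""
    return strip_query(fields[0])


def main(concurrent=True):
    # One reply line per request line; flush after every write, which is what
    # $|=1 does in the Perl version, otherwise Squid waits on a buffered reply.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    # Run with "--plain" when url_rewrite_concurrency is 0 or unset.
    main(concurrent="--plain" not in sys.argv[1:])
```

With url_rewrite_children 5 and url_rewrite_concurrency 5 as in the poster's config, each of the five helper processes can have up to five requests in flight, distinguished only by that leading ID, which is why echoing it back exactly is the whole point of the concurrent variant.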
Re: [squid-users] Multicast
On Thu, 08 Apr 2010 09:42:41 +0530, senthilkumaar2021 wrote:
> Thank you very much
>
> I found the following option to be configured in squid to send
> multicast ICP queries:
>
> cache_peer 224.9.9.9 multicast 0 3130 ttl=64
>
> 224.9.9.9 is a sample multicast group address.
>
> Is 224.9.9.9 an IP of squid?
>
> In order to use 224.9.9.9 or any other address, does any configuration need to
> be made in our network other than squid?

The network must support multicast. Both the boxes the squid run on, and routers, and firewalls. I think that's all.

Amos
[squid-users] [Urgent] Please help : NAT + squid2.7 on ubuntu server 9.10 + cisco firewall (ASA5510)
What I have done so far:

1. Connected the squid transparent proxy server with the ASA5510 via the eth0 interface

2. Set up NAT at the ASA5510 to map the squid transparent proxy server (192.168.9.251) to the public IP (203.130.133.9)

3. Configured the eth0 interface
  eth0.0 --> 192.168.9.251
  eth0.1 --> 203.130.133.9

4. Added wccp to squid.conf
  http_port 3128 transparent
  #
  ## 192.168.9.253 is ASA5510
  wccp2_router 192.168.9.253
  wccp2_forwarding_method 1
  wccp2_return_method 1
  wccp2_assignment_method 1
  httpd_accel_no_pmtu_disc on

5. Used the following commands
  modprobe ip_gre
  iptunnel add gre0 mode gre remote 192.168.9.253 local 192.168.9.251 dev eth0.0
  ifconfig gre0 inet 192.168.9.251 netmask 255.255.255.0 up
  ip link set eth0 mtu 1400
  ip link set gre0 mtu 1400
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
  iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

6. Cisco config
  wccp web-cache
  wccp interface inside web-cache redirect in

This is my network diagram: http://dl.dropbox.com/u/5966530/Network%20Diagram_small.jpg

I would like to know if I missed some steps or did something wrong. Your help will be greatly appreciated!

Regards,
Vichao S
[squid-users] to Amos Jeffries,you said squid performance could be up to 300,000 rps in lab test.
I read this at the end of http://www.squid-cache.org/mail-archive/squid-users/201002/0795.html

I want to use squid as a reverse proxy, so I am interested in the squid performance. Can you post a detailed result about this lab test? Was the test of a single machine or a cluster?

The record of aiCache is just 25,000 rps, so your record is very amazing. Can you give me some viewpoint about squid and aiCache?

Thank you.

ZTE Information Security Notice: The information contained in this mail is solely property of the sender's organization. This mail communication is confidential. Recipients named above are obligated to maintain secrecy and are not permitted to disclose the contents of this communication to others. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the originator of the message. Any views expressed in this message are those of the individual sender. This message has been scanned for viruses and Spam by ZTE Anti-Spam system.
RE: [squid-users] Logging failed authentication requests
Hi,

Thanks for your response. Please see below.

>From: Amos Jeffries [mailto:squ...@treenet.co.nz]
>Sent: Wednesday, April 07, 2010 7:33 PM
>On Wed, 07 Apr 2010 19:12:53 -0700, "Mellem, Dan"
>> access.log or to another log. Only successful requests are logged
>> currently. Is there any way to log authentication failures?
>
>They _are_ logged by default.
>Reply status codes 401 and 407 in access.log are failed www-server and
>proxy authentication attempts respectively which were re-challenged. Other
>denials will be logged with other 4xx codes.

I do a:

  tail -f access.log | fgrep ''

and only get responses for allowed traffic. I also don't have any 407s at all in the log. You said the logging is on by default. Is there a way to turn it off or to turn on debugging that would show where it's getting dropped?

>> Just in case any of this is helpful, here are a few lines from the
>> config:
>>
>> emulate_httpd_log on
>> auth_param basic program /usr/local/squid/libexec/multi_auth
>> access_log /usr/local/squid/var/logs/access.log
>> acl authenticated proxy_auth REQUIRED
>> (other ACLs)
>> http_access allow no_auth
>> http_access allow no_auth_dst
>> http_access allow no_auth_regex
>> http_access deny wireless
>> http_access allow authenticated
>> http_access deny all
>
>Problem: None of your ACL involve denial based on auth credentials.
>Therefore bad auth credentials will never be challenged, only the general
>access denied will ever happen.
>So ... non-working credentials may show up in the access.log as a 404/403
>status with NONE/- for the source information.

If I type the wrong password, I get re-prompted for authentication again. I get the normal:

  GET
  407 Proxy Authentication Required
  GET w/Proxy-Authorization: Basic (wrong password)
  407 Proxy Authentication Required
  GET w/Proxy-Authorization: Basic (right password)
  200 OK

I'm not sure what I'd need to specifically deny if authentication fails. Do you have an example?

The Squid FAQ http://wiki.squid-cache.org/Features/Authentication suggests something like:

  auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
  acl foo proxy_auth REQUIRED
  http_access allow foo
  http_access deny all

and that's what I have. It also talks about adding a deny with a negated group if there's some point where they need to change authentication, but, the way I'm reading the FAQ, it doesn't look like the deny is usually needed.

Thanks again,
-Dan
Re: [squid-users] url_rewrite_concurrency
It's OK now.Thanks a lot~ 2010-4-8 12:15, Amos Jeffries wrote: On Thu, 08 Apr 2010 11:24:27 +0800, Gemmy wrote: Hi~ I have a squid running url_rewrite_program, but when I using "url_rewrite_concurrency" in squid.conf, rewrite failed. The access.log like that: 1270692467.083 0 127.0.0.1 TCP_MEM_HIT/200 29514 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639306 - NONE/- text/xml "-" "Wget/1.10.2 (Red Hat modified)" 1270692470.083 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639 - DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)" 1270692476.604 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.99 - DIRECT/119.167.214.28 text/xml "-" "Wget/1.10.2 (Red Hat modified)" My squid.conf and rewrite_program as follows: acl rewriteurl url_regex -i ^http://drag.g1d.net/.*\.mp40drag\? url_rewrite_access deny !rewriteurl url_rewrite_program /home/squid/etc/redirect.pl url_rewrite_children 5 url_rewrite_concurrency 5 #!/usr/bin/perl -wl use strict; $|=1; while (<>) { my ($uri,$client,$ident,$method) = ( ); ($uri, $client, $ident, $method) = split; if ($uri =~m#^(.*)(\?.*)#i) { my ($url,$strings) = ($1,$2); print "$url\n"; } else { print "$uri\n"; } } Is anything wrong? Yes. Concurrency is a slightly different helper protocol. Your helper does not understand it. http://wiki.squid-cache.org/Features/Redirectors#How_do_I_make_it_concurrent.3F Amos
Re: [squid-users] to Amos Jeffries,you said squid performance could be up to 300,000 rps in lab test.
wang.gao...@zte.com.cn wrote:
> I read this at the end of http://www.squid-cache.org/mail-archive/squid-users/201002/0795.html
>
> I want to use squid as a reverse proxy, so I am interested in the squid performance. Can you post a detailed result about this lab test? Was the test of a single machine or a cluster?
>
> The record of aiCache is just 25,000 rps, so your record is very amazing. Can you give me some viewpoint about squid and aiCache?
>
> Thank you.

As I said it was for a lab test and _very_ artificial.

The 300K results was specifically from testing of the new accept() handler for Squid-3.1, since I was facing complaints it could not get more than 5 concurrent requests. The 3rps was achieved by fetching google front page image (non cacheable, ~4KB remote object).

I achieved that by using Squid-3.1 with a RAM cache, fetching a single 1KB object pre-stored in memory, with very short headers on both reply and request. Using apachebench via the localhost interface (64KB RSS, almost zero network stack IO delay) at some high concurrency just below the cap point where Squid starts slowing from too many concurrent requests (I forget exactly what that is right now, maybe 400-500 concurrency?). It took a few trials and that was what ab reported, give or take a few Krps.

As soon as any real networking is attached, ie fetching from a box next door, the rate drops to something around that 30Krps for the same artificial memory-cached small object. I suspect that is simply due to the kernel network stacks and buffering.

With real remote objects and URL were added in, thus incurring more processing delays, it drops down to below 1Krps in line with the real benchmarks that are starting to appear for Squid.

I guess, in theory Squid could process that many new requests in real use, but time to supply would be vastly inflated as transfer resources went into accepting new requests.

The point was that lab tests produce a wide variety of results, depending on what is tested.
Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1