Re: [squid-users] url_rewrite_concurrency

2010-04-08 Thread Gemmy

It's OK now. Thanks a lot~

2010-4-8 12:15, Amos Jeffries wrote:

On Thu, 08 Apr 2010 11:24:27 +0800, Gemmychen...@163.com wrote:
   

Hi~
  I have a squid running url_rewrite_program, but when I use
url_rewrite_concurrency in squid.conf, the rewrite fails. The access.log
looks like this:

1270692467.083      0 127.0.0.1 TCP_MEM_HIT/200 29514 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639306 - NONE/- text/xml - Wget/1.10.2 (Red Hat modified)
1270692470.083     32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639 - DIRECT/119.167.214.28 text/xml - Wget/1.10.2 (Red Hat modified)
1270692476.604     32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.99 - DIRECT/119.167.214.28 text/xml - Wget/1.10.2 (Red Hat modified)

  My squid.conf and rewrite program are as follows:

acl rewriteurl url_regex -i ^http://drag.g1d.net/.*\.mp40drag\?
url_rewrite_access deny !rewriteurl
url_rewrite_program /home/squid/etc/redirect.pl
url_rewrite_children 5
url_rewrite_concurrency 5

#!/usr/bin/perl -wl
use strict;
$| = 1;   # unbuffered stdout: Squid waits for each reply line
while (<STDIN>)
{
    # Squid rewrite helper input line: URL client_ip/fqdn ident method [...]
    my ($uri, $client, $ident, $method) = split;

    if ($uri =~ m#^(.*)(\?.*)#i)
    {
        # strip the query string and reply with the bare URL
        my ($url, $strings) = ($1, $2);
        print $url;    # -l appends the newline
    }
    else
    {
        print $uri;    # nothing to rewrite: echo the URL back unchanged
    }
}

Is anything wrong?
 

Yes. Concurrency is a slightly different helper protocol. Your helper does
not understand it.
http://wiki.squid-cache.org/Features/Redirectors#How_do_I_make_it_concurrent.3F

Amos
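The protocol difference Amos refers to, as an added example that is not part of the original thread and not code from the Squid project: with url_rewrite_concurrency set, Squid prefixes every request line with a channel ID and expects that ID back as the first field of the reply. The helper below does the same query-string stripping the poster's Perl script attempted, but speaks the concurrent format. The URL pattern mirrors the poster's url_regex ACL; the assumed field layout is Squid 2.7/3.1's "URL client_ip/fqdn ident method ...", with the channel ID in front when concurrency is on.

```python
#!/usr/bin/env python3
"""Concurrency-aware url_rewrite_program helper for Squid (added example).

Assumptions: Squid 2.7/3.1 request line layout "URL client_ip/fqdn ident method ..."
and, when url_rewrite_concurrency is set, a leading channel ID that must be
echoed back as the first field of the reply.
"""
import re
import sys

# Mirrors the poster's url_regex ACL: only these URLs are touched.
REWRITE_RE = re.compile(r"^http://drag\.g1d\.net/.*\.mp40drag\?", re.IGNORECASE)


def rewrite_url(url: str) -> str:
    """Return the URL without its query string when it matches, else unchanged."""
    if REWRITE_RE.match(url):
        return url.split("?", 1)[0]
    return url


def handle_line(line: str, concurrent: bool = True) -> str:
    """Build the reply line for one request line read from Squid.

    concurrent=True : "ID URL ..."  ->  "ID rewritten-url"
    concurrent=False: "URL ..."     ->  "rewritten-url"
    """
    fields = line.split()
    if not fields:
        return ""                          # blank input: nothing to answer
    if not concurrent:
        return rewrite_url(fields[0])
    if len(fields) < 2:
        return fields[0]                   # ID without a URL: echo the ID, no rewrite
    channel, url = fields[0], fields[1]
    return f"{channel} {rewrite_url(url)}"


def main() -> None:
    # Squid waits for exactly one reply line per request line, so flush every write.
    for line in sys.stdin:
        if not line.strip():
            continue
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point url_rewrite_program at this script with url_rewrite_concurrency set; because every reply carries its channel ID, Squid can match replies to requests even when the helper answers out of order. The quick check when a helper misbehaves is to run it by hand, paste one request line with and without a leading ID, and confirm the reply has the shape the configured mode expects.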

   





Re: [squid-users] to Amos Jeffries,you said squid performance could be up to 300,000 rps in lab test.

2010-04-08 Thread Amos Jeffries

wang.gao...@zte.com.cn wrote:
I read this at the end of 
http://www.squid-cache.org/mail-archive/squid-users/201002/0795.html
I want to use squid as a reverse proxy,so I am interested in the squid 
performance.

Can you post a detailed result about this lab test?
The test is a test about single machine or Cluster?
The record of the aiCache is just 25,000 rps,so your record is very 
amazing.

Can you give me some viewpoint about squid and aiCache?
Thank you.



As I said it was for a lab test and _very_ artificial. The 300K result 
was specifically from testing of the new accept() handler for Squid-3.1, 
since I was facing complaints it could not get more than 5 concurrent 
requests.
The 3rps was achieved by fetching google front page image (non 
cacheable, ~4KB remote object).


I achieved that by using Squid-3.1 with a RAM cache, fetching a single 
1KB object pre-stored in memory, with very short headers on both reply 
and request. Using apachebench via the localhost interface (64KB RSS, 
almost zero network stack IO delay) at some high concurrency just below 
the cap point where Squid starts slowing from too many concurrent 
requests (I forget exactly what that is right now, maybe 400-500 
concurrency?). It took a few trials and that was what ab reported, give 
or take a few Krps.


As soon as any real networking is attached, ie fetching from a box next 
door, the rate drops to something around that 30Krps for the same 
artificial memory-cached small object. I suspect that is simply due to 
the kernel network stacks and buffering.


With real remote objects and URLs added in, thus incurring more 
processing delays, it drops to below 1Krps, in line with the real 
benchmarks that are starting to appear for Squid.


I guess, in theory Squid could process that many new requests in real 
use, but time to supply would be vastly inflated as transfer resources 
went into accepting new requests.


The point was that lab tests produce a wide variety of results, 
depending on what is tested.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1


Re: [squid-users] [Urgent] Please help : NAT + squid2.7 on ubuntu server 9.10 + cisco firewall (ASA5510)

2010-04-08 Thread Amos Jeffries

Vichao Saenghiranwathana wrote:

What I have done so far are
1. Connected squid transparent proxy server with ASA5510 via eth0 interface

2. Set up NAT at ASA5510 to map squid transparent proxy
server(192.168.9.251) with the public ip (203.130.133.9)



There should be no need for NAT on the ASA. Relevant packets get 
_routed_ down the WCCP tunnel to the Squid box where NAT happens.


Squid outbound traffic gets the same handling any outbound traffic would 
(except pushing back down the wccp tunnel).




3. Configured eth0 interface
eth0.0 -- 192.168.9.251
eth0.1 -- 203.130.133.9

4. Added wccp to squid.conf
http_port 3128 transparent
# ## 192.168.9.253 is ASA5510
wccp2_router 192.168.9.253
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
httpd_accel_no_pmtu_disc on

5. Used the following commands
modprobe ip_gre
iptunnel add gre0 mode gre remote 192.168.9.253 local 192.168.9.251 dev eth0.0
ifconfig gre0 inet 192.168.9.251 netmask 255.255.255.0 up
ip link set eth0 mtu 1400
ip link set gre0 mtu 1400
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

6. Cisco config
wccp web-cache
wccp interface inside web-cache redirect in

This is my network diagram
Network diagram : http://dl.dropbox.com/u/5966530/Network%20Diagram_small.jpg

I would like to know if I missed some steps or I did something wrong.

Your help will be greatly appreciated!



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1


Re: [squid-users] Squid 3.1.1 and flash video scrubbing

2010-04-08 Thread Amos Jeffries

David Robinson wrote:

My range_offset_limit and quick_abort_* setting were all default.

I tried setting range_offset_limit -1   - did not fix the problem

quick_abort_min 0 and quick_abort_max 0  -  did not fix the problem

quick_abort_min -1 -  did not fix the problem


The type of urls its having problems with are like these,


1270696241.147   3691 172.16.16.199 TCP_MISS/200 3069898 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1 - DIRECT/208.111.181.139 video/x-flv
1270696248.438   7293 172.16.16.199 TCP_MISS/200 1442091 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1&fs=4281434 - DIRECT/208.111.181.139 video/x-flv

The first one is the initial video player loading the flv. This request works correctly and the video starts to download. 


The second URL is when I jump the video player slider ahead of the downloading 
video, note the fs=4281434 added to the url.

It's this fs= parameter that changes the behavior of the download. You could 
wget the first URL and an flv would download. Wgetting the second URL keeps 
making wget retry even though the website sends back a 200 OK.

I have this all setup in a lab so if you want tcpdumps I can provide them.
 


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, April 07, 2010 8:36 PM

To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing

On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson
drobin...@pavlovmedia.com wrote:

I've started doing field tests of 3.1.1 and a interesting bug has showed
up. If you try to jump ahead in a partially loaded video from

youporn.com

or redtube.com the flash player freezes and doesn't continue to download
the video. With squid off, you would be able to jump to any part of the
video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14

and

3.1.0.15 and they all have the same behavior.  I've also tested this on
squid 2.7 and both sites work properly.

Can some other users confirm this before I submit a bug report?

Using squid 3.1.1 on Debian 5.0.1 & 2.6.30.10 kernel


What range_offset_limit and quick_abort_* settings are you working with?

Also, are you able to track down any info about what the requests hitting
Squid are? headers, etc

Amos


Thanks. I've now replicated the behavior here, but it's baffling me as well.
tcpdump shows the request going out to the Server and the reply coming 
back to Squid.
strace shows a series of interleaved reads from the server and writes 
presumably to the client (me).

But nothing comes out the other side of Squid.


FWIW, the flash player and the server are somewhat broken and playing 
bad games with HTTP/1.1 Range requests.


The fast-forward request goes out without any HTTP range information 
(just the fs=NNN parameter) and comes back with these broken headers:


HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=259200
X-Origin: oh9
Content-Type: video/x-flv
Content-Range: bytes 4281434-10004477/10004478
Content-Length: 5723057
Age: 22208
Date: Thu, 08 Apr 2010 07:16:13 GMT
Last-Modified: Tue, 06 Apr 2010 00:19:37 GMT
Expires: Sun, 11 Apr 2010 01:06:05 GMT
Connection: close

The data content then starts with at least three bytes FLV which are 
not part of the original object and a bunch of data which is.


It claims to be cacheable but isn't.  If this range was merged into 
previous ranges of the object, or even fetched from a full copy of the 
real object by any well behaved middleware proxy, it would corrupt the 
media transfer.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
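As an added illustration of the check a caching proxy would want here (this is not Squid's code and not part of Amos's post): a small validator that parses the reply head quoted above, flags a Content-Range header on anything other than a 206 reply, and compares Content-Length with the byte span that Content-Range declares. The sample head is the one from the thread, reassembled as a constructed string; the 206 example in the test is constructed too.

```python
"""Sanity-check a reply before storing or merging it as a byte range (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the headers Amos quoted, reassembled as one raw reply head.
SAMPLE_REPLY_HEAD = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Apache\r\n"
    "Accept-Ranges: bytes\r\n"
    "Cache-Control: max-age=259200\r\n"
    "X-Origin: oh9\r\n"
    "Content-Type: video/x-flv\r\n"
    "Content-Range: bytes 4281434-10004477/10004478\r\n"
    "Content-Length: 5723057\r\n"
    "Age: 22208\r\n"
    "Date: Thu, 08 Apr 2010 07:16:13 GMT\r\n"
    "Last-Modified: Tue, 06 Apr 2010 00:19:37 GMT\r\n"
    "Expires: Sun, 11 Apr 2010 01:06:05 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# "bytes first-last/total" where total may be "*" (length unknown)
RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) for a raw reply head."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # empty line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def range_problems(status: int, headers: Dict[str, str]) -> List[str]:
    """List the reasons this reply is unsafe to store or merge as a range."""
    problems: List[str] = []
    content_range = headers.get("content-range")
    if content_range is None:
        return problems        # not a range reply: nothing to check here
    if status != 206:
        problems.append(f"Content-Range on a {status} reply (only valid with 206)")
    m = RANGE_RE.match(content_range)
    if not m:
        problems.append(f"unparseable Content-Range: {content_range!r}")
        return problems
    first, last, total = int(m.group(1)), int(m.group(2)), m.group(3)
    if last < first or (total != "*" and last >= int(total)):
        problems.append("byte range is out of bounds for the declared length")
    span = last - first + 1
    length = headers.get("content-length")
    if length is not None and int(length) != span:
        problems.append(f"Content-Length {length} != range span {span} "
                        f"(body carries {int(length) - span} extra bytes)")
    return problems


def cacheable_as_range(raw: str) -> bool:
    """True only when the reply is a well-formed 206 whose length matches its range."""
    status, headers = parse_head(raw)
    return not range_problems(status, headers)
```

On the quoted reply it reports two problems: the 200 status and a 13-byte surplus (5723057 bytes declared against a 5723044-byte range). A standard FLV file header is 9 bytes plus the 4-byte PreviousTagSize0 field, 13 bytes in total, which is consistent with the FLV prefix Amos saw at the start of the body; either finding alone is reason to pass the reply through uncached rather than merge it into a stored copy.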


[squid-users] Squid ACL per-user basis

2010-04-08 Thread CASALI COMPUTERS - Michele Brodoloni
Hello,
I'm using Squid 2.6 (Version 2.6.STABLE21, provided with CentOS 5.x), using NTLM 
auth.
Since I'm able to apply ACLs to Windows groups, I'm just wondering if I can 
apply an ACL only to a single user.
Do I need to create a group only for that user and apply an ACL to that 
group, or is there a different way?

Thanks

Here's my config (some comments are in Italian):
-
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 4 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
auth_param ntlm program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for 
privacy
auth_param basic program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for 
privacy
auth_param basic children 5
auth_param basic realm Squid Access
auth_param basic credentialsttl 2 hours
external_acl_type check-group ttl=0 concurrency=0 %LOGIN 
/usr/lib64/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/255.255.255.0
acl to_lan dst 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?

acl autenticati proxy_auth REQUIRED
acl siti_blacklist url_regex /etc/squid/blacklist.txt
acl siti_whitelist url_regex /etc/squid/whitelist.txt
acl siti_limitati url_regex /etc/squid/limitati.txt
acl titolari external check-group group1
acl dipendenti external check-group group2
acl limitati external check-group group3

# Things never to cache
#no_cache deny QUERY
# Enable this if you don't want any caching
#no_cache deny all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow unrestricted access from the local machine
http_access allow localhost

# Allow access from the local network to the whole local network
http_access allow to_lan lan
# Allow access from the local network to the whitelisted sites
http_access allow siti_whitelist lan

# Unrestricted access for the owners (titolari)
http_access allow titolari

# Employees (dipendenti) may visit every web site except
# those listed in the blacklist file
http_access allow !siti_blacklist dipendenti

# Restricted users (limitati) may only reach a few sites
http_access allow siti_limitati limitati

# All other access is denied
http_access deny !autenticati
http_access deny all

http_reply_access allow all

acl FTP proto FTP
always_direct allow FTP
cache_mgr mana...@mylan.com
cache_effective_user squid
cache_effective_group squid

# I have very little RAM, so I set this off. YMMV
memory_pools on
forwarded_for on
#error_directory /etc/squid/errors
coredump_dir /var/spool/squid

# note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2
--




Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

2010-04-08 Thread Nick Cairncross
Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate 
things. My aim is to create an SSO environment for all my Windows, OSX and nix 
machines. I want to use Kerberos as my primary authentication as IE7 and FF 
onwards are moving that way..but for my situation some browsers or applications 
do not support this and I must also use NTLM.  However, Opera on my Macs seems 
to not like either and prefers Basic.. It's been a struggle to get each element 
to work but not impossible.

I have found that all Negotiate/Kerberos supporting browsers have worked 
extremely well with the helper developed by Markus. Many of the authentication 
breaking elements have disappeared when compared to my Blue Coat and ISA 
experiences. Those machines joined to the domain using browsers that support 
Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through 
credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts 
for Basic. Therefore if you're just Windows I would answer fairly confidently 
that your question 1 answer is Yes.

Users not on the domain would be prompted for credentials. I haven't tested 
this and depending on which helper you are using (Samba or Squid's) and whether 
you're joined to the domain I believe Negotiate should fall back to NTLM and 
work providing you supply a valid domain user/pass! So the answer to 2 would be 
'depends..' :)

As for the issue of not being able to use Squid at all and taking into 
account what I said earlier, then yes there could be a scenario where Squid 
will not work for your users. However, it is less of a problem in just Windows. 
It's all about testing your various Windows configurations, apps and browsers 
until you are sure you have covered the conceivable setups of all your users.
Finally, I have been struggling against an issue where my KVNO Keytab 
increments in AD and gets out of sync with the exported version, making Squid 
unusable until it's regenerated. Have you experienced this? Happy to discuss 
any of this off list or on.

Cheers,
Nick



On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:



If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux 
and configure no fallback authentication, what would be the consequence?



1. Isn't it that all of my users who have logged into Active Directory and whose 
browser is supported will be able to use Squid?



2. Only those users who try to use Squid from a workgroup giving their 
domain password (domainname/userid) will fail, as there will be no fallback 
available.



3. Is there any other scenario in which these users will not be able to use 
Squid?



I would be really thankful if you guide me further, as I am failing to 
understand why a fallback authentication is necessary, if it is. What could be 
the scenario when Windows clients have no valid TGT even if they are logged in to 
the domain? I hope you can understand me and help me to clear this up.


regards,

Bilal Aslam










 To: squid-users@squid-cache.org
 From: hua...@moeller.plus.com
 Date: Wed, 7 Apr 2010 20:17:20 +0100
 Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

 Sorry I knew that but forgot to mention that I was talking about the Unix
 version.

 Thank you
 Markus

 Guido Serassio wrote in message
 news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
 Hi Markus,

 If you have a Windows client and the proxy send WWW-Proxy-Authorize:
 Negotiate the Windows client will try first to get a Kerberos ticket
 and
 if that succeeds sends a Negotiate response with a Kerberos token to
 the
 proxy.
 If the Windows client fails to get a Kerberos ticket the client will
 send
 a Negotiate response with a NTLM token to the proxy. Unfortunately
 there is yet no squid helper which can handle both a
 Negotiate/Kerberos response
 and a Negotiate/NTLM response (although maybe the samba ntlm helper
 can). So there is a fallback when you use Negotiate, but it has some
 caveats.

 This is not true when Squid is running on Windows: the Windows native
 Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
 responses.

 Regards


 Guido Serassio
 Acme Consulting S.r.l.
 Microsoft Gold Certified Partner
 VMware Professional Partner
 Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135 Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it




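Guido's explanation quoted above (and quoted again in Bilal's later reply in this digest) is that a Windows client answering a Negotiate challenge sends either a Kerberos token or, when it could not obtain a ticket, an NTLM token inside the same Negotiate scheme. The following is an added example, not part of any post here and not a Squid helper: a classifier for the Proxy-Authorization header value that tells the two apart, so an administrator can see from logs whether fallback is actually occurring and which clients trigger it. It keys on the GSS-API/SPNEGO token framing (leading 0x60 byte and the Kerberos mechanism OIDs) and on the "NTLMSSP\0" signature every NTLM message starts with. The sample tokens are constructed byte strings that carry only the markers the classifier inspects; they are not real tickets or NTLM messages, and the SPNEGO wrapper around the NTLM sample is simplified rather than DER-exact.

```python
"""Classify which mechanism a client put inside a Negotiate response (added example)."""
import base64
import binascii
from typing import Dict, Iterable

# DER-encoded OID values (without the 0x06 tag and length byte).
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2 (Kerberos V5)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
NTLMSSP_SIG = b"NTLMSSP\x00"                        # every NTLM message starts with this


def classify_auth_header(value: str) -> str:
    """Map a Proxy-Authorization header value to the mechanism the client used."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme == "ntlm":
        return "ntlm"                       # explicit NTLM scheme, not Negotiate
    if scheme != "negotiate":
        return f"other:{scheme}"
    try:
        token = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "negotiate:undecodable"
    if not token:
        return "negotiate:empty"
    if token.startswith(NTLMSSP_SIG):
        return "negotiate:ntlm-raw"         # NTLM message sent bare under the Negotiate scheme
    if token[0] != 0x60:
        return "negotiate:unknown"          # not a GSS-API InitialContextToken
    if NTLMSSP_SIG in token:
        return "negotiate:ntlm-in-spnego"   # SPNEGO whose mechToken is an NTLM message
    if KRB5_OID in token or MS_KRB5_OID in token:
        return "negotiate:kerberos"
    return "negotiate:gssapi-other"


def tally(header_values: Iterable[str]) -> Dict[str, int]:
    """Count mechanisms over many header values (e.g. pulled from a capture)."""
    counts: Dict[str, int] = {}
    for value in header_values:
        kind = classify_auth_header(value)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def _gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap inner as a GSS-API InitialContextToken: 0x60 <len> 0x06 <len> OID inner.
    Constructed helper; assumes the total stays under 128 bytes (one-byte DER length)."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + bytes([len(body)]) + body


# Constructed samples: shape only, not real credentials.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
KRB_INNER = b"\x01\x00" + b"\x6e\x05\xde\xad\xbe\xef\x00"   # AP-REQ token id + placeholder bytes
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(_gss_token(KRB5_OID, KRB_INNER)).decode(),
    "ntlm_spnego": "Negotiate " + base64.b64encode(
        _gss_token(SPNEGO_OID, b"\xa0\x22" + NTLM_TYPE1)).decode(),
    "ntlm_raw": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}
```

Run tally() over the Proxy-Authorization values from a capture on the proxy's client side: a non-zero "negotiate:ntlm-raw" or "negotiate:ntlm-in-spnego" count shows which clients fell back from Kerberos, which is the case Guido says a Unix-side Kerberos-only helper cannot serve. The classifier deliberately ignores the NTLMSSP OID that Windows lists among the offered mechTypes, because that OID is present even when the token actually carried is Kerberos.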

[squid-users] how to cache youtube

2010-04-08 Thread sameer khan

hey all great;

Has anyone successfully cached YouTube? Any pointer will be much 
appreciated.

Thanks

  

Re: [squid-users] how to cache youtube

2010-04-08 Thread Kinkie
On Thu, Apr 8, 2010 at 11:46 AM, sameer khan khanza...@hotmail.com wrote:

 hey all great;

 does any one have successfully cached youtube. any pointer will be much 
 appreciated.

Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube

-- 
/kinkie


RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

2010-04-08 Thread GIGO .

Nick,
 
Thank you so much for your support. I am now much more confident about 
Negotiate/Kerberos and have just decided to jump into the real thing (enough 
theory). As for the KVNO issue, I have not experienced it yet (not practically 
implemented yet); however I may too in due course and will surely share with you. 
Rather, I will share my whole experience. 
 
regards,
 
Bilal
 
 
 
 



 From: nick.cairncr...@condenast.co.uk
 To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
 Date: Thu, 8 Apr 2010 10:17:13 +0100
 Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

 Bilal,

 I'm working on much the same thing, with added Apple Mac just to complicate 
 things. My aim is to create an SSO environment for all my Windows, OSX and 
 nix machines. I want to use Kerberos as my primary authentication as IE7 and 
 FF onwards are moving that way..but for my situation some browsers or 
 applications do not support this and I must also use NTLM. However, Opera on 
 my Macs seems to not like either and prefers Basic.. It's been a struggle to 
 get each element to work but not impossible.

 I have found that all Negotiate/Kerberos supporting browsers have worked 
 extremely well with the helper developed by Markus. Many of the 
 authentication breaking elements have disappeared when compared to my Blue 
 Coat and ISA experiences. Those machines joined to the domain using browsers 
 that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass 
 through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera 
 prompts for Basic. Therefore if you're just Windows I would answer fairly 
 confidently that your question 1 answer is Yes.

 Users not on the domain would be prompted for credentials. I haven't tested 
 this and depending on which helper you are using (Samba or Squid's) and 
 whether you're joined to the domain I believe Negotiate should fall back to 
 NTLM and work providing you supply a valid domain user/pass! So the answer to 
 2 would be 'depends..' :)

 As for the issue of not being able to use Squid at all and taking into 
 account what I said earlier, then yes there could be a scenario where Squid 
 will not work for your users. However, it is less of a problem in just 
 Windows. It's all about testing your various Windows configurations, apps and 
 browsers until you are sure you have covered the conceivable setups of all 
 your users.
 Finally, I have been struggling against an issue where my KVNO Keytab 
 increments in AD and gets out of sync with the exported version, making Squid 
 unusable until it's regenerated. Have you experienced this? Happy to 
 discuss any of this off list or on.

 Cheers,
 Nick



 On 08/04/2010 04:06, GIGO . wrote:



 If I select Negotiate/Kerberos as the authentication protocol for my Squid on 
 Linux and configure no fallback authentication, what would be the consequence?



 1. Isn't it that all of my users who have logged into Active Directory and 
 whose browser is supported will be able to use Squid?



 2. Only those users who try to use Squid from a workgroup giving their 
 domain password (domainname/userid) will fail, as there will be no fallback 
 available.



 3. Is there any other scenario in which these users will not be able to use 
 Squid?



 I would be really thankful if you guide me further, as I am failing to 
 understand why a fallback authentication is necessary, if it is. What could be 
 the scenario when Windows clients have no valid TGT even if they are logged in to 
 the domain? I hope you can understand me and help me to clear this up.


 regards,

 Bilal Aslam









 
 To: squid-users@squid-cache.org
 From: hua...@moeller.plus.com
 Date: Wed, 7 Apr 2010 20:17:20 +0100
 Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

 Sorry I knew that but forgot to mention that I was talking about the Unix
 version.

 Thank you
 Markus

 Guido Serassio wrote in message
 news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
 Hi Markus,

 If you have a Windows client and the proxy send WWW-Proxy-Authorize:
 Negotiate the Windows client will try first to get a Kerberos ticket
 and
 if that succeeds sends a Negotiate response with a Kerberos token to
 the
 proxy.
 If the Windows client fails to get a Kerberos ticket the client will
 send
 a Negotiate response with a NTLM token to the proxy. Unfortunately
 there is yet no squid helper which can handle both a
 Negotiate/Kerberos response
 and a Negotiate/NTLM response (although maybe the samba ntlm helper
 can). So there is a fallback when you use Negotiate, but it has some
 caveats.

 This is not true when Squid is running on Windows: the Windows native
 Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
 responses.

 Regards


 Guido Serassio
 Acme Consulting S.r.l.
 Microsoft Gold Certified Partner
 VMware 

Re: [squid-users] UDP errors after upgrade to 3.1.1

2010-04-08 Thread donovan jeffrey j

 snip
 
 Second and probably more important.
 squid -d1x
 squid -k check shows  squid: ERROR: No running copy 
 squid -k rotate  squid: ERROR: No running copy 
 squid -k shutdown  squid: ERROR: No running copy 
 
 ps -ax | grep squid
 root# ps -ax | grep squid
 29428 ?? 0:00.00 squid -d1x
 29430 ?? 0:01.30 (squid) -d1x
 29431 ?? 0:00.04 (squidGuard) -c
 /usr/local/squidGuard/squidGuard.conf
 snip helpers
 
 is there a new way to start stop ?
 
 
 Ouch, check if the squid.pid file also exists with the current Squid
 worker process PID (29430) inside it.

no pid file in the 3.1.1 build.

I check my other copies and they all made the PID file in 
/usr/local/squid/var/logs/squid.pid
nothing is in my 3.1.1

cat: /usr/local/squid/var/logs/squid.pid: No such file or directory



 -k check maybe should not be doing that test anyway. But the others
 require a running Squid they can contact.
 
 Amos
 



RE: [squid-users] UDP errors after upgrade to 3.1.1

2010-04-08 Thread Dean Weimer
-Original Message-
From: donovan jeffrey j [mailto:dono...@beth.k12.pa.us] 
Sent: Thursday, April 08, 2010 7:37 AM
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] UDP errors after upgrade to 3.1.1


snip

no pid file in the 3.1.1 build.

I check my other copies and they all made the PID file in
/usr/local/squid/var/logs/squid.pid
nothing is in my 3.1.1

cat: /usr/local/squid/var/logs/squid.pid: No such file or directory

The machines I have installed 3.1.1 on want to place the pid file in
/usr/local/squid/var/run/squid.pid

Unfortunately the install doesn't appear to build that directory, simply
do a mkdir /usr/local/squid/var/run (make sure it's owned by your squid
user).  Then either kill and restart squid, or manually create a
squid.pid file with the process id in it.

Alternatively you could use the pid_filename directive to point it to
another location.


Re: [squid-users] UDP errors after upgrade to 3.1.1

2010-04-08 Thread donovan jeffrey j

On Apr 8, 2010, at 9:12 AM, Dean Weimer wrote:

 -Original Message-
 From: donovan jeffrey j [mailto:dono...@beth.k12.pa.us] 
 Sent: Thursday, April 08, 2010 7:37 AM
 To: Amos Jeffries
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] UDP errors after upgrade to 3.1.1
 
 
 snip
 
 no pid file in the 3.1.1 build.
 
 I check my other copies and they all made the PID file in
 /usr/local/squid/var/logs/squid.pid
 nothing is in my 3.1.1
 
 cat: /usr/local/squid/var/logs/squid.pid: No such file or directory
 
 The machines I have installed 3.1.1 on want to place the pid file in
 /usr/local/squid/var/run/squid.pid
 
 Unfortunately the install doesn't appear to build that directory, simply
 do a mkdir /usr/local/squid/var/run (make sure it's owned by your squid
 user).  Then either kill and restart squid, or manually create a
 squid.pid file with the process id in it.


YAY!
nc-106:var root# mkdir run
nc-106:var root# chown squid:wheel run

nc-106:var root# ls -la
total 0
drwxr-xr-x   4 squid  wheel   136 Apr  8 09:27 .
drwxr-xr-x  11 root   wheel   374 Apr  1 10:20 ..
drwxr-xr-x  36 squid  wheel  1224 Apr  8 08:55 logs
drwxr-xr-x   2 squid  wheel68 Apr  8 09:27 run
nc-106:var root# cd run
nc-106:run root# ls
nc-106:run root# squid -d1x
nc-106:run root# ls
squid.pid
nc-106:run root# cat squid.pid
36555
nc-106:run root# squid -k check
no news is good news 
nc-106:run root# squid -k rotate
snip logfileRotate: /usr/local/squid/var/logs/access.log
nc-106:run root# squid -k shutdown
snip  Squid Cache (Version 3.1.1): Exiting normally.


worked like a champ.
I had to create the  run  directory, then all was happy.

thanks dean
-j



[squid-users] Address Network Report Sarg

2010-04-08 Thread Rafael Poch || DB1 Informática
Hi, 

Recently in my sarg report an address 10.1.1.0 appeared together with my user list. 
10.1.1.0 is my network address. I don't understand why this entry appears.

Does anybody know how to solve this issue?

Att.
  
Rafael Poch Vieira Palma
INFRA-ESTRUTURA - T.I
(44)3033-6300 - Ramal 6323 / Fax (44)3033-6303
raf...@db1.com.br
http://www.db1.com.br
 Be environmentally aware: print this e-mail only if necessary. The environment 
thanks you.




[squid-users] Squid is unable to connect to local webservers

2010-04-08 Thread Johnson, S
I've got a squid proxy running in transparent mode with an AUP on a public 
wireless network which is separated from our private network.  We run a local 
webserver here and found that users get the AUP and cannot click past it when 
attempting to get to the local web server.

Without using the proxy I can connect just fine to the web server from the 
squid server so I know they can see each other.

Everything else works great.

I tried setting up an ACL with localweb (seen in the config below) but that 
didn't allow it through.

Weird thing is that when I try hitting the local web server, I don't see 
anything in the squid access.log file, which makes me believe that squid isn't 
even seeing the traffic for some reason.

squid config:

# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds

#  TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl localweb dst 84.8.132.1/32


follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on


external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
http_access allow localweb
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports



RE: [squid-users] Squid is unable to connect to local webservers

2010-04-08 Thread Johnson, S
Another piece of information I just discovered... I use a wpad.dat file to 
assign the proxy to users.  It works just fine except for the local servers.  
However, when I force the connection in the browser to the proxy with 8080 
(dansguardian) then I can get to my local web servers.

-Original Message-
From: Johnson, S [mailto:sjohn...@edina.k12.mn.us] 
Sent: Thursday, April 08, 2010 9:50 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid is unable to connect to local webservers

I've got a squid proxy running in transparent mode with an AUP on a public 
wireless network which is separated from our private network.  We run a local 
webserver here and found that users get the AUP and cannot click past it when 
attempting to get to the local web server.

Without using the proxy I can connect just fine to the web server from the 
squid server so I know they can see each other.

Everything else works great.

I tried setting up an ACL with localweb (seen in the config below) but that 
didn't allow it through.

Weird thing is that when I try hitting the local web server, I don't see 
anything in the squid access.log file, which makes me believe that squid isn't 
even seeing the traffic for some reason.

squid config:

# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds

#  TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl localweb dst 84.8.132.1/32


follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on


external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
http_access allow localweb
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports





Re: [squid-users] [Urgent] Please help : NAT + squid2.7 on ubuntu server 9.10 + cisco firewall (ASA5510)

2010-04-08 Thread Vichao Saenghiranwathana
I'm still stunned. Can you explain in more detail so I can
understand what the problem is?

I really appreciate it.
Vichao S

On Thu, Apr 8, 2010 at 2:03 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 Vichao Saenghiranwathana wrote:

 What I have done so far are
 1. Connected squid transparent proxy server with ASA5510 via eth0 interface

 2. Set up NAT at ASA5510 to map squid transparent proxy
 server(192.168.9.251) with the public ip (203.130.133.9)


 There should be no need for NAT on the ASA. Relevant packets get _routed_ 
 down the WCCP tunnel to the Squid box where NAT happens.

 Squid outbound traffic gets the same handling any outbound traffic would 
 (except pushing back down the wccp tunnel).


 3. Configured eth0 interface
 eth0.0 -- 192.168.9.251
 eth0.1 -- 203.130.133.9

 4. Added wccp to squid.conf
 http_port 3128 transparent
 # ## 192.168.9.253 is ASA5510
 wccp2_router 192.168.9.253
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
 httpd_accel_no_pmtu_disc on

 5. Used the following commands
 modprobe ip_gre
 iptunnel add gre0 mode gre remote 192.168.9.253 local 192.168.9.251 dev eth0.0
 ifconfig gre0 inet 192.168.9.251 netmask 255.255.255.0 up
 ip link set eth0 mtu 1400
 ip link set gre0 mtu 1400
 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
 echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
 echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
 echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
 echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
 iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

 6. Cisco config
 wccp web-cache
 wccp interface inside web-cache redirect in

 This is my network diagram
 Network diagram : http://dl.dropbox.com/u/5966530/Network%20Diagram_small.jpg

 I would like to know if I missed some steps or I did something wrong.

 Your help will be greatly appreciated!


 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1


Re: [squid-users] Creating a kerberos Service Principal.

2010-04-08 Thread Khaled Blah
Hi Bilal,

1. ktpass and msktutil practically do the same thing: they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need Administrator rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.

2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure, an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and thus be able to use ALL services that this user has
access to. In any case DO NOT use basic auth with Kerberos in a
public set-up. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable but these are in fact less secure than Kerberos
and thus not preferable. One down-side to Kerberos is that it's an
all-or-nothing service: either you use Kerberos and only Kerberos or
you risk security breaches in any mixed situation.

HTH

Khaled

2010/4/6 GIGO . gi...@msn.com:

 Dear All,

 Please guide me in regard to SSO setup with Active Directory(No 
 winbind/Samba). I have the following questions in this regard.



 1. Creating a Kerberos service principal and keytab file that is used by 
 Squid: what is the effective method? What is the difference between using the 
 Ktpass vs Msktutil package? What rights would I require in Active Directory, and 
 if none then why so?

 2. How to configure the fallback authentication scheme if Kerberos fails? 
 LDAP authentication using basic looks to be an option, but isn't it less 
 secure? Is there a better approach possible?




 regards,

 Bilal Aslam


Re: [squid-users] Creating a kerberos Service Principal.

2010-04-08 Thread Khaled Blah
I forgot this link to an Example configuration:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

2010/4/8 Khaled Blah khaled.b...@googlemail.com:
 Hi Bilal,

 1. ktpass and msktutil practically do the same thing: they create keytabs
 which include the keys that squid will need to decrypt the ticket it
 receives from the user. However ktpass only creates a file which you
 will then have to securely transfer to your proxy server so that squid
 can access it. Using msktutil on your proxy server, you can get the
 same keytab without having to transfer it. Thus, msktutil saves you
 some time and hassle. AFAIR both need Administrator rights, which
 means the account used for ktpass/msktutil needs to be a member of the
 Administrator group.

 2. To answer this question, one would need more information about your
 network and your setup. Basically, mixing any other authentication
 method with Kerberos is not a good idea. That's because if the other
 method is insecure or less secure, an attacker who gains access to a
 user's credentials will be able to impersonate that user against
 Kerberos and thus be able to use ALL services that this user has
 access to. In any case DO NOT use basic auth with Kerberos in a
 public set-up. That's a recipe for disaster. Digest auth and NTLM
 (v2) might be suitable but these are in fact less secure than Kerberos
 and thus not preferable. One down-side to Kerberos is that it's an
 all-or-nothing service: either you use Kerberos and only Kerberos or
 you risk security breaches in any mixed situation.

 HTH

 Khaled

 2010/4/6 GIGO . gi...@msn.com:

 Dear All,

 Please guide me in regard to SSO setup with Active Directory(No 
 winbind/Samba). I have the following questions in this regard.



 1. Creating a Kerberos service principal and keytab file that is used by 
 Squid: what is the effective method? What is the difference between using the 
 Ktpass vs Msktutil package? What rights would I require in Active Directory, and 
 if none then why so?

 2. How to configure the fallback authentication scheme if Kerberos fails? 
 LDAP authentication using basic looks to be an option, but isn't it less 
 secure? Is there a better approach possible?




 regards,

 Bilal Aslam



[squid-users] Squid 2.7.8 + pfSense 'zero sized reply'

2010-04-08 Thread Luke Jaeger

I'm running Squid 2.7.8 on pfSense 1.2.2.

As of today, we get the 'zero sized reply' error when trying to load
www.questgarden.com.
It worked yesterday! (I rebooted the firewall this morning during an ISP
outage - presumably that's when it broke).

I can load the page thru curl, but not in a browser.

Strange, eh? Any guidance is appreciated!

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School



[squid-users] Re: Creating a kerberos Service Principal.

2010-04-08 Thread Markus Moeller
BTW, you do not need Administrator rights. You can set permissions for 
different groups on OUs, for example for Unix Kerberos Admins.


Markus

Khaled Blah khaled.b...@googlemail.com wrote in message 
news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same thing: they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need Administrator rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.

2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure, an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and thus be able to use ALL services that this user has
access to. In any case DO NOT use basic auth with Kerberos in a
public set-up. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable but these are in fact less secure than Kerberos
and thus not preferable. One down-side to Kerberos is that it's an
all-or-nothing service: either you use Kerberos and only Kerberos or
you risk security breaches in any mixed situation.

HTH

Khaled

2010/4/6 GIGO . gi...@msn.com:


Dear All,

Please guide me in regard to SSO setup with Active Directory(No 
winbind/Samba). I have the following questions in this regard.




1. Creating a Kerberos service principal and keytab file that is used by 
Squid: what is the effective method? What is the difference between using the 
Ktpass vs Msktutil package? What rights would I require in Active Directory, and 
if none then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? 
LDAP authentication using basic looks to be an option, but isn't it less 
secure? Is there a better approach possible?





regards,

Bilal Aslam





[squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

2010-04-08 Thread Markus Moeller

Hi Nick,

 Did you use samba to create the keytab? I have seen that if you use samba 
for more than squid (e.g. cifs, winbind, etc) it will regularly update the 
AD entry and key for the host/fqdn principal, which is the same as for 
HTTP/fqdn. I usually use msktutil and create a second AD entry called 
short-hostname-HTTP to be independent of samba, which usually uses 
short-hostname.


Regards
Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message 
news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Macs just to complicate 
things. My aim is to create an SSO environment for all my Windows, OSX and 
nix machines. I want to use Kerberos as my primary authentication as IE7 and 
FF onwards are moving that way, but for my situation some browsers or 
applications do not support this and I must also use NTLM.  However, Opera 
on my Macs seems to not like either and prefers Basic. It's been a struggle 
to get each element to work but not impossible.

I have found that all Negotiate/Kerberos supporting browsers have worked 
extremely well with the helper developed by Markus. Many of the 
authentication breaking elements have disappeared when compared to my Blue 
Coat and ISA experiences. Those machines joined to the domain using browsers 
that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass 
through credentials. Mac Safari relies on NTLM and prompts as such. Mac 
Opera prompts for Basic. Therefore if you're just Windows I would answer 
fairly confidently that your question 1 answer is Yes.

Users not on the domain would be prompted for credentials. I haven't tested 
this and depending on which helper you are using (Samba or Squid's) and 
whether you're joined to the domain I believe Negotiate should fall back to 
NTLM and work providing you supply a valid domain user/pass! So the answer 
to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all and taking into 
account what I said earlier, then yes there could be a scenario where Squid 
will not work for your users. However, it is less of a problem in just 
Windows. It's all about testing your various Windows configurations, apps 
and browsers until you are sure you have covered the conceivable setups of 
all your users.

Finally, I have been struggling against an issue where my keytab KVNO 
increments in AD and gets out of sync with the exported version, making Squid 
unusable until it's regenerated. Have you experienced this? Happy to 
discuss any of this off list or on.


Cheers,
Nick



On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:



If I select negotiate/Kerberos as the authentication protocol for my Squid on 
Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and 
whose browser is supported will be able to use squid?

2. Only those users who try to use squid from a workgroup giving their 
domain password (domainname/userid) will fail as there will be no fallback 
available.

3. Is there any other scenario in which these users will not be able to use 
squid?

I would be really thankful if you guide me further as I am failing to 
understand why a fallback authentication is necessary, if it is. What could 
be the scenario when windows clients have no valid TGT even if they are 
logged in to the domain? I hope you can understand me and help me to clear 
this up.



regards,

Bilal Aslam











To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry I knew that but forgot to mention that I was talking about the Unix
version.

Thank you
Markus

Guido Serassio wrote in message
news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
Hi Markus,


If you have a Windows client and the proxy send WWW-Proxy-Authorize:
Negotiate the Windows client will try first to get a Kerberos ticket and
if that succeeds sends a Negotiate response with a Kerberos token to the
proxy.
If the Windows client fails to get a Kerberos ticket the client will send
a Negotiate response with a NTLM token to the proxy. Unfortunately
there is yet no squid helper which can handle both a
Negotiate/Kerberos response and a Negotiate/NTLM response (although
maybe the samba ntlm helper can). So there is a fallback when you use
Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native
Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
responses.

Regards


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: 
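
Nick's KVNO-out-of-sync problem and Markus's note about samba rewriting the host key both come down to the same thing: the key version number stored in the proxy's keytab no longer matches the one Active Directory holds for the account, so the proxy cannot decrypt the tickets clients present. The following is an added example, not Squid, msktutil or samba code, that parses a keytab file in the MIT/Heimdal 0x0502 layout, lists each entry's principal, kvno and enctype, and reports the principals whose kvno differs from an AD-side value supplied by the caller. The keytab bytes, the principal HTTP/proxy.example.test@EXAMPLE.TEST, the kvno values and the AD lookup result are all constructed for the demo.

```python
"""Inspect the entries in a Squid keytab and compare each key version
number (kvno) with the one Active Directory currently reports, to catch
the out-of-sync condition described in the thread. Added example; not
Squid or msktutil code. The keytab bytes are built inline from
constructed values."""
import struct
from typing import Any, Dict, List

# Keytab file layout (MIT/Heimdal format version 0x0502, big-endian):
#   uint16 0x0502, then slots of: int32 size (negative = deleted slot),
#   uint16 component count, counted realm, counted components,
#   uint32 name type, uint32 timestamp, uint8 kvno (low 8 bits),
#   uint16 enctype, uint16 key length, key bytes, optional uint32 kvno.
# Enctype 18 is aes256-cts-hmac-sha1-96, 23 is rc4-hmac, 1-3 are single DES.


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed byte string, return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # deleted slot: its body still occupies -size bytes
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:    # newer keytabs append a full 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "enctype": enctype, "timestamp": ts, "key": key,
        })
    return entries


def kvno_mismatches(entries: List[Dict[str, Any]], ad_kvno: Dict[str, int]) -> List[str]:
    """Principals whose keytab kvno differs from the AD value supplied by the
    caller (constructed here; in practice it is read from the directory)."""
    return [e["principal"] for e in entries
            if e["principal"] in ad_kvno and e["kvno"] != ad_kvno[e["principal"]]]


def build_keytab(entries: List[Dict[str, Any]]) -> bytes:
    """Serialise entries in the layout above; used only to construct demo input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = [c.encode() for c in name.split("/")]
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", 1, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed demo: proxy principal with two enctypes at kvno 3, while the
# directory has since rolled the account key to kvno 4 (placeholder realm).
DEMO_PRINCIPAL = "HTTP/proxy.example.test@EXAMPLE.TEST"
DEMO_KEYTAB = build_keytab([
    {"principal": DEMO_PRINCIPAL, "kvno": 3, "enctype": 18, "timestamp": 1270700000, "key": b"\x11" * 32},
    {"principal": DEMO_PRINCIPAL, "kvno": 3, "enctype": 23, "timestamp": 1270700000, "key": b"\x22" * 16},
])
DEMO_AD_KVNO = {DEMO_PRINCIPAL: 4}

if __name__ == "__main__":
    for e in parse_keytab(DEMO_KEYTAB):
        print("%-40s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("out of sync:", kvno_mismatches(parse_keytab(DEMO_KEYTAB), DEMO_AD_KVNO))
```

On a real proxy the AD-side value is the msDS-KeyVersionNumber attribute of the service account, and a mismatch is exactly the symptom Nick describes: every Negotiate attempt fails until the keytab is regenerated. Listing the enctypes at the same time shows whether a keytab still carries single-DES keys, which is worth knowing before deciding how it was generated.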

[squid-users] url_regex file format

2010-04-08 Thread Jean-Luc Wasmer
Hi,

What is the format of the regex file when defining an ACL based on regexes?
Can I have comments in there?
What is the -i option for?

Also, what RE are supported?

Thanks,
Jean-Luc


[squid-users] Authentication logging

2010-04-08 Thread John Horne
Hello,

Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
logs authenticated users, e.g:

   user 'xxx' has been seen at a new IP address (11.22.33.44)

However, is there a way I can log unsuccessful authentication attempts?
I have increased the debug level to 6, but it still doesn't log
authentication failures. Is this possible in the squid 3.x series?



Thanks,

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



Re: [squid-users] Authentication logging

2010-04-08 Thread John Horne
On Thu, 2010-04-08 at 21:43 +0100, John Horne wrote:
 Hello,
 
 Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
 logs authenticated users, e.g:
 
user 'xxx' has been seen at a new IP address (11.22.33.44)
 
 However, is there a way I can log unsuccessful authentication attempts?
 I have increased the debug level to 6, but it still doesn't log
 authentication failures. Is this possible in the squid 3.x series?
 
Ha! I have just seen that someone else asked the same question a couple
of days ago! I see that failures are logged as a 407 response (which I
can see in our log files).

Apologies for the list noise.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



RE: [squid-users] url_regex file format

2010-04-08 Thread Mellem, Dan
-Original Message-
From: Jean-Luc Wasmer [mailto:sq...@2010.jl.wasmer.ca] 
Sent: Thursday, April 08, 2010 1:02 PM

Hi,

What is the format of the regex file when defining an ACL 
based on regexes?

Just a list of matches. E.g.:

^http://www\.google\.com  #Allow access to Google
# News sites
^http://news\.yahoo\.com
^http://news\.google\.com



Can I have comments in there?
Yes. 

What is the -i option for?

Not case sensitive. It's like the -i flag for grep.


Also, what RE are supported?

The same as egrep / grep -E.



Thanks,
Jean-Luc


-Dan




RE: [squid-users] url_regex file format

2010-04-08 Thread Henrik Nordström
tor 2010-04-08 klockan 14:59 -0700 skrev Mellem, Dan:

 Also, what RE are supported?
 
 The same as egrep / grep -E.

Which is also known as POSIX Extended Regex.

Regards
Henrik
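
Dan's and Henrik's answers between them describe the file format: one pattern per line, comment lines, -i for case-insensitive matching, and POSIX Extended Regex syntax. As an added example, not Squid's own parser, the following loads such a file and tests URLs against it. It uses Python's re engine in place of POSIX ERE, so syntax that differs between the two (Python-only shorthand such as \d, for instance) may behave differently, and it assumes Squid keeps only the first whitespace-delimited token of each line, which is why the trailing comment on Dan's first line does no harm. The file contents and URLs are constructed.

```python
"""Load a url_regex ACL file as described in the thread (one pattern per
line, '#' comment lines, -i for case-insensitive matching) and test URLs
against it. Added example, not Squid's parser: Python's re module stands in
for the POSIX ERE Squid compiles, and the loader keeps only the first
whitespace-delimited token of each line (an assumption about Squid's file
reader, and the reason a trailing '#' comment is harmless)."""
import re
from typing import List


def load_url_regex_file(text: str, ignore_case: bool = False) -> List[re.Pattern]:
    flags = re.IGNORECASE if ignore_case else 0   # the -i flag on the acl line
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        patterns.append(re.compile(line.split()[0], flags))
    return patterns


def url_matches(url: str, patterns: List[re.Pattern]) -> bool:
    """url_regex is an unanchored search over the whole request URL."""
    return any(p.search(url) for p in patterns)


def unanchored(patterns: List[re.Pattern]) -> List[str]:
    """Patterns with no leading '^' match anywhere in the URL, including a
    query string, which is rarely what an allow rule is meant to do."""
    return [p.pattern for p in patterns if not p.pattern.startswith("^")]


# Constructed file in the format shown in the thread.
ACL_FILE = r"""
^http://www\.google\.com  #Allow access to Google
# News sites
^http://news\.yahoo\.com
^http://news\.google\.com
"""

if __name__ == "__main__":
    pats = load_url_regex_file(ACL_FILE, ignore_case=True)
    for u in ("http://www.google.com/search?q=squid",
              "HTTP://NEWS.YAHOO.COM/",
              "http://news.example.test/"):
        print(u, url_matches(u, pats))
    print("unanchored:", unanchored(pats))
```

Two review points follow from the unanchored search: a pattern without a leading ^ is applied to the whole URL including the query string, and a pattern that stops at the host name without a following / also accepts any longer host name that begins the same way, so host patterns in an allow list should end with / (or use dstdomain instead).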



Re: [squid-users] Squid 3.1.1 and flash video scrubbing

2010-04-08 Thread Henrik Nordström
tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries:

 FWIW, the flash player and the server are somewhat broken and playing 
 bad games with HTTP/1.1 Range requests.

Which quite likely triggers confusion within Squid as the store/object
interface is range aware. There have been issues there in the past, and
quite likely there are more..

Not 100% sure that response is technically broken, but it surely is an
odd response.

 It claims to be cacheable but isn't. 

Why isn't it? 

  If this range was merged into 
 previous ranges of the object, or even fetched from a full copy of the 
 real object by any well behaved middleware proxy it would corrupt the 
 media transfer.

We don't know how the server would react on requests for the same URI
but with Range header..

There is no Content-Location header in the response, so merging of
responses with different url parameters MUST NOT be done by any HTTP
agent (including proxies). Content-aware merging of the data is allowed,
but that's outside HTTP.

Regards
Henrik



RE: [squid-users] how to cache youtube

2010-04-08 Thread sameer khan


thanks kinkie,
 
but does it work? Does anyone have experience with the link below? Any help
will be much appreciated.
 
 
thanks
 
 Date: Thu, 8 Apr 2010 11:48:35 +0200
 Subject: Re: [squid-users] how to cache youtube
 From: gkin...@gmail.com
 To: khanza...@hotmail.com
 CC: squid-users@squid-cache.org
 
 On Thu, Apr 8, 2010 at 11:46 AM, sameer khan khanza...@hotmail.com wrote:

 Hey all;

 has anyone successfully cached YouTube? Any pointer will be much 
 appreciated.
 
 Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube
 
 -- 
 /kinkie
  

RE: [squid-users] Squid 3.1.1 and flash video scrubbing

2010-04-08 Thread David Robinson
 Which quite likely triggers confusion within Squid as the store/object
 interface is range aware. There have been issues there in the past, and
 quite likely there are more..

Is squid 2.7 Content-Range aware? Since these requests work in 2.7, is 2.7 just 
ignoring the range requests?

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
Sent: Thursday, April 08, 2010 5:32 PM
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing

tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries:

 FWIW, the flash player and the server are somewhat broken and playing 
 bad games with HTTP/1.1 Range requests.

Which quite likely triggers confusion within Squid as the store/object
interface is range aware. There have been issues there in the past, and
quite likely there are more..

Not 100% sure that response is technically broken, but it surely is an
odd response.

 It claims to be cacheable but isn't. 

Why isn't it? 

  If this range was merged into 
 previous ranges of the object, or even fetched from a full copy of the 
 real object by any well behaved middleware proxy it would corrupt the 
 media transfer.

We don't know how the server would react on requests for the same URI
but with Range header..

There is no Content-Location header in the response, so merging of
responses with different url parameters MUST NOT be done by any HTTP
agent (including proxies). Content-aware merging of the data is allowed,
but that's outside HTTP.

Regards
Henrik



Re: [squid-users] Squid 3.1.1 and flash video scrubbing

2010-04-08 Thread Mark Nottingham
The response to the request with the fs query arg is sending back a 
Content-Range header;

  
http://redbot.org/?uri=http%3A%2F%2Fserver437.files.youporn.com%2Fe4%2Fflv%2F426677_Splash.flv%3Fe%3D1273284436%26h%3D47ee1fbcb8d3ab05a06988683c2d94c1%26fs%3D4281434

That's weird. 


On 08/04/2010, at 1:32 PM, David Robinson wrote:

 My range_offset_limit and quick_abort_* setting were all default.
 
 I tried setting range_offset_limit -1   - did not fix the problem
 
 quick_abort_min 0 and quick_abort_max 0  -  did not fix the problem
 
 quick_abort_min -1 -  did not fix the problem
 
 
 The type of URLs it's having problems with are like these:
 
 
 1270696241.147   3691 172.16.16.199 TCP_MISS/200 3069898 GET 
 http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436h=47ee1fbcb8d3ab05a06988683c2d94c1
  - DIRECT/208.111.181.139 video/x-flv
 1270696248.438   7293 172.16.16.199 TCP_MISS/200 1442091 GET 
 http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436h=47ee1fbcb8d3ab05a06988683c2d94c1fs=4281434
  - DIRECT/208.111.181.139 video/x-flv
 
 The first one is the initial video player loading the flv. This request works 
 correctly and the video starts to download. 
 
 The second URL is when I jump the video player slider ahead of the 
 downloading video, note the fs=4281434 added to the url.
 
 It's this fs= parameter that changes the behavior of the download. You could 
 wget the first url and a flv would download. Wgetting the second url keeps 
 making wget retry even though the website sends back a 200 OK.
 
 I have this all set up in a lab so if you want tcpdumps I can provide them.
 
 
 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
 Sent: Wednesday, April 07, 2010 8:36 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing
 
 On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson
 drobin...@pavlovmedia.com wrote:
 I've started doing field tests of 3.1.1 and an interesting bug has shown
 up. If you try to jump ahead in a partially loaded video from
 youporn.com
 or redtube.com the flash player freezes and doesn't continue to download
 the video. With squid off, you would be able to jump to any part of the
 video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14
 and
 3.1.0.15 and they all have the same behavior.  I've also tested this on
 squid 2.7 and both sites work properly.
 
 Can some other users confirm this before I submit a bug report?
 
 Using squid 3.1.1 on Debian 5.0.1  2.6.30.10 kernel
 
 What range_offset_limit and quick_abort_* settings are you working with?
 
 Also, are you able to track down any info about what the requests hitting
 Squid are? headers, etc
 
 Amos

--
Mark Nottingham   m...@yahoo-inc.com




Re: [squid-users] Squid is unable to connect to local webservers

2010-04-08 Thread Amos Jeffries

Johnson, S wrote:

Another piece of information I just discovered... I use a wpad.dat file to 
assign the proxy to users.  It works just fine except for the local servers.  
However, when I force the connection in the browser to the proxy with 8080 
(dansguardian) then I can get to my local web servers.



So something in your PAC file is broken.
Probably a test of the destination server IP or an exception for local 
domains.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1


Re: [squid-users] Squid 3.1.1 and flash video scrubbing

2010-04-08 Thread Amos Jeffries

Henrik Nordström wrote:

tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries:

FWIW, the flash player and the server are somewhat broken and playing 
bad games with HTTP/1.1 Range requests.


Which quite likely triggers confusion within Squid as the store/object
interface is range aware. There have been issues there in the past, and
quite likely there are more..

Not 100% sure that response is technically broken, but it surely is an
odd response.

It claims to be cacheable but isn't. 


Why isn't it? 


I thought Squid considered it a malformed 206 and treated it as uncacheable.

Does squid consider the reply a malformed 206 or a malformed 200?

The extra bytes which exist in the body mean we should be assuming it's 
a malformed 200 with unusable range headers.




 If this range was merged into 
previous ranges of the object, or even fetched from a full copy of the 
real object by any well behaved middleware proxy it would corrupt the 
media transfer.


We don't know how the server would react on requests for the same URI
but with Range header..


Server may or may not provide a real range or this same output.

Regardless of that any client being smart and fetching the request as a 
range of the indicated range bytes from a full copy of the object will 
get different bytes from any intermediary than this reply contains.




There is no Content-Location header in the response, so merging of
responses with different url parameters MUST NOT be done by any HTTP
agent (including proxies). Content-aware merging of the data is allowed,
but that's outside HTTP.


Ah. Thanks.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
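
The exchange above turns on two checks a cache has to make before storing or combining bytes: whether the Content-Range header and the body actually describe a consistent partial response, and whether two responses for different URLs may be treated as the same entity at all (Henrik's Content-Location point). As an added example, not Squid's store code, the following classifies a reply the way Amos describes it (a 200 carrying Content-Range, or a 206 whose body length does not match the declared range, is a full reply with unusable range headers) and refuses to merge across URLs unless Content-Location ties them together. The URLs and header values are constructed placeholders; the body lengths 3069898 and 1442091 are the ones in the access.log lines quoted earlier in the thread.

```python
"""Classify a reply that carries a Content-Range header the way the thread
discusses it: only a 206 whose header and body length agree is a usable
partial response; a 200 with a Content-Range, or a 206 whose body does not
match the declared range, is a full reply with unusable range headers.
Replies for different URLs are not merged unless Content-Location ties
them to the same resource. Added example, not Squid's store code; header
values and URLs are constructed, the body sizes come from the log lines
quoted in the thread."""
import re
from typing import Dict, Optional, Tuple

CONTENT_RANGE = re.compile(r"^\s*bytes\s+(\d+)-(\d+)/(\d+|\*)\s*$")


def parse_content_range(value: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """'bytes first-last/complete' -> (first, last, complete or None); None if invalid."""
    m = CONTENT_RANGE.match(value)
    if not m:
        return None
    first, last = int(m.group(1)), int(m.group(2))
    complete = None if m.group(3) == "*" else int(m.group(3))
    if last < first or (complete is not None and last >= complete):
        return None
    return first, last, complete


def classify_reply(status: int, headers: Dict[str, str], body_len: int) -> Dict[str, object]:
    """kind: full | other | partial | full-with-unusable-range | malformed-206.
    range_usable is True only when the body may be stored as that byte range."""
    h = {k.lower(): v for k, v in headers.items()}
    cr = h.get("content-range")
    if cr is None:
        return {"kind": "full" if status == 200 else "other", "range_usable": False}
    if status != 206:
        # A Content-Range on a non-206 reply carries no usable range information.
        return {"kind": "full-with-unusable-range", "range_usable": False}
    rng = parse_content_range(cr)
    if rng is None or body_len != rng[1] - rng[0] + 1:
        return {"kind": "malformed-206", "range_usable": False}
    return {"kind": "partial", "range_usable": True}


def may_merge(url_a: str, url_b: str, headers_b: Dict[str, str]) -> bool:
    """Two replies may be combined only for the same URL, or when the second
    reply's Content-Location names the first URL."""
    if url_a == url_b:
        return True
    h = {k.lower(): v for k, v in headers_b.items()}
    return h.get("content-location") == url_a


# Constructed sample modelled on the two log lines: the first fetch is a
# plain 200; the fs= request is a 200 that nonetheless carries a
# Content-Range (placeholder URL and range values).
FLV_URL = "http://video.example.test/clip.flv?e=1273284436"
FS_URL = FLV_URL + "&fs=4281434"
FS_HEADERS = {"Content-Range": "bytes 4281434-5723524/5723525"}

if __name__ == "__main__":
    print(classify_reply(200, {}, 3069898))
    print(classify_reply(200, FS_HEADERS, 1442091))
    print(classify_reply(206, FS_HEADERS, 1442091))
    print("merge allowed:", may_merge(FLV_URL, FS_URL, FS_HEADERS))
```

The classification is deliberately conservative: anything that is not a self-consistent 206 is stored, if at all, as a whole object under its own URL, which is what prevents the corrupted media transfer Amos describes when partial bytes are spliced into another copy.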


RE: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

2010-04-08 Thread GIGO .

Hi Markus/Nick,
 
I have chosen the following method of creating the keytab; can you give me your 
advice/experience regarding it.

1. I have created a user account for SPN in Active directory with password 
never expires and preauthentication not required checked.
 
squidLhr-proxy
Pwd: X

C:\Program Files\Support Tools
setspn -A HTTP/squidLhr-proxy.v.mcb.com.pk squidLhr-proxy
 
Creating keytab:
ktpass -out c:\squidLhr-proxy.keytab -princ HTTP/squidlhr-proxy.v.com...@myrealm.v.com.pk -mapUser V\squidLhr-proxy -mapOp set -pass * -crypto DES-CBC-MD5 -pType KRB_NT_PRINCIPAL
 

regards,
 
Bilal 
 
 
 
 
 
 


 To: squid-users@squid-cache.org
 From: hua...@moeller.plus.com
 Date: Thu, 8 Apr 2010 20:08:10 +0100
 Subject: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

 Hi Nick,

 Did you use samba to create the keytab? I have seen that if you use samba
 for more than squid (e.g. cifs, winbind, etc) it will regularly update the
 AD entry and key for the host/fqdn principal, which is the same as for
 HTTP/fqdn. I usually use msktutil and create a second AD entry called
 -HTTP to be independent of samba, which usually uses
 .

 Regards
 Markus

 Nick Cairncross wrote in message
 news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...
 Bilal,

 I'm working on much the same thing, with added Apple Macs just to complicate
 things. My aim is to create an SSO environment for all my Windows, OSX and
 nix machines. I want to use Kerberos as my primary authentication as IE7 and
 FF onwards are moving that way, but for my situation some browsers or
 applications do not support this and I must also use NTLM. However, Opera
 on my Macs seems to not like either and prefers Basic. It's been a struggle
 to get each element to work but not impossible.

 I have found that all Negotiate/Kerberos supporting browsers have worked
 extremely well with the helper developed by Markus. Many of the
 authentication breaking elements have disappeared when compared to my Blue
 Coat and ISA experiences. Those machines joined to the domain using browsers
 that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass
 through credentials. Mac Safari relies on NTLM and prompts as such. Mac
 Opera prompts for Basic. Therefore if you're just Windows I would answer
 fairly confidently that your question 1 answer is Yes.

 Users not on the domain would be prompted for credentials. I haven't tested
 this and depending on which helper you are using (Samba or Squid's) and
 whether you're joined to the domain I believe Negotiate should fall back to
 NTLM and work providing you supply a valid domain user/pass! So the answer
 to 2 would be 'depends..' :)

 As for the issue of not being able to use Squid at all and taking into
 account what I said earlier, then yes there could be a scenario where Squid
 will not work for your users. However, it is less of a problem in just
 Windows. It's all about testing your various Windows configurations, apps
 and browsers until you are sure you have covered the conceivable setups of
 all your users.

 Finally, I have been struggling against an issue where my keytab KVNO
 increments in AD and gets out of sync with the exported version, making Squid
 unusable until it's regenerated. Have you experienced this? Happy to
 discuss any of this off list or on.

 Cheers,
 Nick



 On 08/04/2010 04:06, GIGO . wrote:



 If I select negotiate/Kerberos as the authentication protocol for my Squid on
 Linux and configure no fallback authentication, what would be the consequence?

 1. Isn't it that all of my users who have logged into Active Directory and
 whose browser is supported will be able to use squid?

 2. Only those users who try to use squid from a workgroup giving their
 domain password (domainname/userid) will fail as there will be no fallback
 available.

 3. Is there any other scenario in which these users will not be able to use
 squid?

 I would be really thankful if you guide me further as I am failing to
 understand why a fallback authentication is necessary, if it is. What could
 be the scenario when windows clients have no valid TGT even if they are
 logged in to the domain? I hope you can understand me and help me to clear
 this up.


 regards,

 Bilal Aslam









 
 To: squid-users@squid-cache.org
 From: hua...@moeller.plus.com
 Date: Wed, 7 Apr 2010 20:17:20 +0100
 Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

 Sorry I knew that but forgot to mention that I was talking about the Unix
 version.

 Thank you
 Markus

 Guido Serassio wrote in message
 news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
 Hi Markus,

 If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
 Negotiate, the Windows client will try first to get a Kerberos ticket and,
 if that succeeds, sends a Negotiate response with a Kerberos token to the
 proxy.
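Nick's KVNO drift (the keytab's key version falling behind the one AD holds for the HTTP/ principal) is worth checking before Squid starts rejecting every Negotiate token. The script below is an added example, not code from this thread or from the Squid project: it parses the text that MIT Kerberos's `klist -kt` and `kvno` print and reports whether the keytab still matches the KDC; the sample output, hostname and realm are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Squid HTTP/ keytab whose KVNO has
# fallen behind the key version Active Directory currently holds for the principal.
# Input is the text printed by MIT Kerberos's `klist -kt <keytab>` and `kvno <principal>`;
# the sample output, hostname and realm at the bottom are constructed placeholders.

# Highest KVNO recorded for a principal in `klist -kt` output.
# A klist -kt line looks like: "   3 04/08/10 12:00:00 HTTP/proxy.example.com@EXAMPLE.COM"
keytab_kvno() {
    # $1 = klist -kt output, $2 = principal; prints 0 when the principal is absent
    printf '%s\n' "$1" | awk -v p="$2" \
        '$NF == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# KVNO the KDC is currently issuing, parsed from `kvno` output:
# "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4"; prints -1 when the lookup failed
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == (p ":") && $2 == "kvno" { print $NF + 0; found = 1 } END { if (!found) print -1 }'
}

# 0 = keytab holds the KDC's current key version, 1 = KVNO drift (regenerate the
# keytab), 2 = principal missing from the keytab or the KDC lookup failed.
check_keytab_sync() {
    ktab=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    [ "$kdc" -lt 0 ] && return 2
    [ "$ktab" -eq 0 ] && return 2
    [ "$ktab" -eq "$kdc" ] && return 0
    return 1
}

# Constructed sample output; on a real proxy you would capture
#   klist -kt /etc/squid/HTTP.keytab   and   kvno HTTP/proxy.example.com@EXAMPLE.COM
PRINC='HTTP/proxy.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   3 04/08/10 12:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 04/08/10 12:00:00 HTTP/proxy.example.com@EXAMPLE.COM'
SAMPLE_KVNO_OK='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KVNO_DRIFT='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'

if check_keytab_sync "$SAMPLE_KLIST" "$SAMPLE_KVNO_DRIFT" "$PRINC"; then
    echo "keytab in sync with AD"
else
    echo "keytab out of sync with AD (rc=$?): regenerate it before Squid rejects Negotiate"
fi
```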

RE: [squid-users] Re: Creating a kerberos Service Principal.

2010-04-08 Thread GIGO .

Markus, I could not get you; please can you elaborate a bit.

Thank you all!

Regards,

Bilal


 To: squid-users@squid-cache.org
 From: hua...@moeller.plus.com
 Date: Thu, 8 Apr 2010 20:04:30 +0100
 Subject: [squid-users] Re: Creating a kerberos Service Principal.

 BTW You do not need Administrator rights. You can set permission for
 different Groups on OUs for example for Unix Kerberos Admins.

 Markus

 Khaled Blah wrote in message
 news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...
 Hi Bilal,

 1. ktpass and msktutil practically do the same, they create keytabs
 which include the keys that squid will need to decrypt the ticket it
 receives from the user. However ktpass only creates a file which you
 will then have to securely transfer to your proxy server so that squid
 can access it. Using msktutil on your proxy server, you can get the
 same keytab without having to transfer it. Thus, msktutil saves you
 some time and hassle. AFAIR both need Administrator rights, which
 means the account used for ktpass/msktutil needs to be a member of the
 Administrator group.


 2. To answer this question, one would need more information about your
 network and your setup. Basically, mixing any other authentication
 method with Kerberos is not a good idea. That's because if the other
 method is insecure or less secure, an attacker who gains access to a
 user's credentials will be able to impersonate that user against
 Kerberos and thus be able to use ALL services that this user has
 access to. In any case DO NOT use basic auth with Kerberos in a
 public set-up. That's a recipe for disaster. Digest auth and NTLM
 (v2) might be suitable but these are in fact less secure than Kerberos
 and thus not preferable. One down-side to Kerberos is that it's an
 all-or-nothing service: either you use Kerberos and only Kerberos or
 you risk security breaches in any mixed situation.

 HTH

 Khaled

 2010/4/6 GIGO . :

 Dear All,

 Please guide me in regard to SSO setup with Active Directory (no
 winbind/Samba). I have the following questions in this regard.

 1. Creating a Kerberos service principal and keytab file that is used by
 Squid: what is the effective method? What is the difference between using
 ktpass and the msktutil package? What rights would I require in Active
 Directory, and if none, then why so?

 2. How to configure the fallback authentication scheme if Kerberos fails?
 LDAP authentication using basic looks to be an option, but isn't it less
 secure? Is there a better approach possible?

 regards,

 Bilal Aslam

Re: [squid-users] how to cache youtube

2010-04-08 Thread Kinkie
On Fri, Apr 9, 2010 at 12:32 AM, sameer khan khanza...@hotmail.com wrote:

 Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube

 Thanks Kinkie,

 but does it work? Has anyone experience with the link below? Any help
 will be much appreciated.

To the best of my knowledge, it does. The only way to be sure is by trying.


-- 
/kinkie