Re: [squid-users] url_rewrite_concurrency
It's OK now. Thanks a lot~

2010-4-8 12:15, Amos Jeffries wrote:
On Thu, 08 Apr 2010 11:24:27 +0800, Gemmychen...@163.com wrote:
Hi~ I have a squid running url_rewrite_program, but when I use url_rewrite_concurrency in squid.conf, the rewrite fails. The access.log looks like this:

1270692467.083 0 127.0.0.1 TCP_MEM_HIT/200 29514 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639306 - NONE/- text/xml - Wget/1.10.2 (Red Hat modified)
1270692470.083 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.9956639 - DIRECT/119.167.214.28 text/xml - Wget/1.10.2 (Red Hat modified)
1270692476.604 32 127.0.0.1 TCP_MISS/200 29507 GET http://drag.g1d.net/%D3%C2%B4%B3%B6%E1%C3%FC%B5%BA.mp40drag?__0.99 - DIRECT/119.167.214.28 text/xml - Wget/1.10.2 (Red Hat modified)

My squid.conf and rewrite_program are as follows:

acl rewriteurl url_regex -i ^http://drag.g1d.net/.*\.mp40drag\?
url_rewrite_access deny !rewriteurl
url_rewrite_program /home/squid/etc/redirect.pl
url_rewrite_children 5
url_rewrite_concurrency 5

#!/usr/bin/perl -wl
use strict;
$|=1;
while (<STDIN>) {
    my ($uri, $client, $ident, $method) = split;
    if ($uri =~ m#^(.*)(\?.*)#i) {
        my ($url, $strings) = ($1, $2);
        print "$url\n";
    } else {
        print "$uri\n";
    }
}

Is anything wrong?

Yes. Concurrency is a slightly different helper protocol. Your helper does not understand it.
http://wiki.squid-cache.org/Features/Redirectors#How_do_I_make_it_concurrent.3F

Amos
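As an added illustration (not the poster's redirect.pl and not code from the Squid project), here is a rewrite helper that speaks both line formats Amos refers to: with url_rewrite_concurrency set, Squid prefixes each request line with an integer channel-ID and expects the reply to start with that same ID; the helper below detects the ID, strips the query string as the original did, and echoes the ID back.

```python
#!/usr/bin/env python3
"""URL rewrite helper for Squid that understands url_rewrite_concurrency.

Added example, not the original poster's redirect.pl. With concurrency
enabled, Squid prefixes every request line with an integer channel-ID and
expects each reply to begin with that same ID, so it can match replies to
in-flight requests (and accept them in any order). A helper that omits the
ID returns lines Squid cannot attribute to a request, which is why the
poster's rewrite stopped working once url_rewrite_concurrency was set.
"""
import sys


def strip_query(url: str) -> str:
    """Drop everything from the first '?' on, as the poster's helper did."""
    return url.split("?", 1)[0]


def rewrite_line(line: str) -> str:
    """Turn one request line from Squid into the reply line for it.

    Request line (url_rewrite_program):
        [channel-ID] URL client_ip/fqdn ident method [extras...]
    Reply line:
        [channel-ID] new-URL      (an empty new-URL means "leave it unchanged")

    The channel-ID is only present when url_rewrite_concurrency > 0. It is
    detected here by the first token being an integer, which a URL never is,
    so the same helper works with and without concurrency.
    """
    fields = line.strip().split()
    if not fields:
        return ""
    channel = None
    if fields[0].isdigit() and len(fields) > 1:
        channel = fields.pop(0)
    url = fields[0]
    new_url = strip_query(url) if "?" in url else ""
    if channel is None:
        return new_url
    # Channel-ID first; with no rewrite the reply is just the ID.
    return f"{channel} {new_url}".rstrip()


def main() -> None:
    # One reply line per request line; flush so Squid never waits on a buffer.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```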
Re: [squid-users] to Amos Jeffries,you said squid performance could be up to 300,000 rps in lab test.
wang.gao...@zte.com.cn wrote:
I read this at the end of http://www.squid-cache.org/mail-archive/squid-users/201002/0795.html
I want to use squid as a reverse proxy, so I am interested in the squid performance. Can you post a detailed result about this lab test? Is the test about a single machine or a cluster? The record of aiCache is just 25,000 rps, so your record is very amazing. Can you give me some viewpoint about squid and aiCache? Thank you.

As I said it was for a lab test and _very_ artificial.

The 300K result was specifically from testing of the new accept() handler for Squid-3.1, since I was facing complaints it could not get more than 5 concurrent requests. The 3rps was achieved by fetching google front page image (non cacheable, ~4KB remote object).

I achieved that by using Squid-3.1 with a RAM cache, fetching a single 1KB object pre-stored in memory, with very short headers on both reply and request. Using apachebench via the localhost interface (64KB RSS, almost zero network stack IO delay) at some high concurrency just below the cap point where Squid starts slowing from too many concurrent requests (I forget exactly what that is right now, maybe 400-500 concurrency?). It took a few trials and that was what ab reported, give or take a few Krps.

As soon as any real networking is attached, ie fetching from a box next door, the rate drops to something around that 30Krps for the same artificial memory-cached small object. I suspect that is simply due to the kernel network stacks and buffering.

With real remote objects and URLs added in, thus incurring more processing delays, it drops down to below 1Krps in line with the real benchmarks that are starting to appear for Squid.

I guess, in theory Squid could process that many new requests in real use, but time to supply would be vastly inflated as transfer resources went into accepting new requests.

The point was that lab tests produce a wide variety of results, depending on what is tested.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] [Urgent] Please help : NAT + squid2.7 on ubuntu server 9.10 + cisco firewall (ASA5510)
Vichao Saenghiranwathana wrote:
What I have done so far are
1. Connected squid transparent proxy server with ASA5510 via eth0 interface
2. Set up NAT at ASA5510 to map squid transparent proxy server (192.168.9.251) with the public ip (203.130.133.9)

There should be no need for NAT on the ASA. Relevant packets get _routed_ down the WCCP tunnel to the Squid box where NAT happens. Squid outbound traffic gets the same handling any outbound traffic would (except pushing back down the wccp tunnel).

3. Configured eth0 interface
eth0.0 -- 192.168.9.251
eth0.1 -- 203.130.133.9
4. Added wccp to squid.conf
http_port 3128 transparent
#
## 192.168.9.253 is ASA5510
wccp2_router 192.168.9.253
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
httpd_accel_no_pmtu_disc on
5. Used the following commands
modprobe ip_gre
iptunnel add gre0 mode gre remote 192.168.9.253 local 192.168.9.251 dev eth0.0
ifconfig gre0 inet 192.168.9.251 netmask 255.255.255.0 up
ip link set eth0 mtu 1400
ip link set gre0 mtu 1400
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
6. Cisco config
wccp web-cache
wccp interface inside web-cache redirect in

This is my network diagram
Network diagram : http://dl.dropbox.com/u/5966530/Network%20Diagram_small.jpg

I would like to know if I missed some steps or I did something wrong. Your help will be greatly appreciated!

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Squid 3.1.1 and flash video scrubbing
David Robinson wrote:
My range_offset_limit and quick_abort_* settings were all default. I tried setting
range_offset_limit -1 - did not fix the problem
quick_abort_min 0 and quick_abort_max 0 - did not fix the problem
quick_abort_min -1 - did not fix the problem

The type of urls it's having problems with are like these:

1270696241.147 3691 172.16.16.199 TCP_MISS/200 3069898 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1 - DIRECT/208.111.181.139 video/x-flv
1270696248.438 7293 172.16.16.199 TCP_MISS/200 1442091 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1&fs=4281434 - DIRECT/208.111.181.139 video/x-flv

The first one is the initial video player loading the flv. This request works correctly and the video starts to download. The second URL is when I jump the video player slider ahead of the downloading video; note the fs=4281434 added to the url. It's this fs= parameter that changes the behavior of the download. You could wget the first url and a flv would download. Wgetting the second url keeps making wget retry even though the website sends back a 200 OK. I have this all set up in a lab so if you want tcpdumps I can provide them.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 8:36 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing

On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson drobin...@pavlovmedia.com wrote:
I've started doing field tests of 3.1.1 and an interesting bug has showed up. If you try to jump ahead in a partially loaded video from youporn.com or redtube.com the flash player freezes and doesn't continue to download the video. With squid off, you would be able to jump to any part of the video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14 and 3.1.0.15 and they all have the same behavior.
I've also tested this on squid 2.7 and both sites work properly. Can some other users confirm this before I submit a bug report? Using squid 3.1.1 on Debian 5.0.1, 2.6.30.10 kernel.

What range_offset_limit and quick_abort_* settings are you working with? Also, are you able to track down any info about what the requests hitting Squid are? headers, etc

Amos

Thanks. I've now replicated the behavior here, but it's baffling me as well.

tcpdump shows the request going out to the Server and the reply coming back to Squid. strace shows a series of interleaved reads from the server and writes presumably to the client (me). But nothing comes out the other side of Squid.

FWIW, the flash player and the server are somewhat broken and playing bad games with HTTP/1.1 Range requests. The fast-forward request goes out without any HTTP range information (just the fs=NNN parameter) and comes back with these broken headers:

HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=259200
X-Origin: oh9
Content-Type: video/x-flv
Content-Range: bytes 4281434-10004477/10004478
Content-Length: 5723057
Age: 22208
Date: Thu, 08 Apr 2010 07:16:13 GMT
Last-Modified: Tue, 06 Apr 2010 00:19:37 GMT
Expires: Sun, 11 Apr 2010 01:06:05 GMT
Connection: close

The data content then starts with at least three bytes FLV which are not part of the original object and a bunch of data which is.

It claims to be cacheable but isn't. If this range was merged into previous ranges of the object, or even fetched from a full copy of the real object by any well behaved middleware proxy, it would corrupt the media transfer.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
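To make Amos's point about those headers concrete, here is an added check (not from the thread and not Squid code) that parses the response head quoted above and reports why a cache must not treat the reply as an ordinary cacheable 200; the header block is the one quoted in the thread, and the 206 sample in the test is constructed.

```python
"""Checks a response head for the Range/Content-Length mismatch Amos describes.

Added example, not code from the thread or from Squid. It parses a raw HTTP
response head and reports the signals that make the reply unsafe to cache or
merge: a 200 status carrying Content-Range, and a Content-Length that does not
match the byte span Content-Range claims.
"""
import re

# Header block exactly as quoted in Amos's reply above.
SAMPLE_HEADERS = """\
HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=259200
X-Origin: oh9
Content-Type: video/x-flv
Content-Range: bytes 4281434-10004477/10004478
Content-Length: 5723057
Age: 22208
Date: Thu, 08 Apr 2010 07:16:13 GMT
Last-Modified: Tue, 06 Apr 2010 00:19:37 GMT
Expires: Sun, 11 Apr 2010 01:06:05 GMT
Connection: close
"""

CONTENT_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_head(raw):
    """Split a response head into (status code, {lower-case name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_range_response(raw):
    """Return a list of findings; an empty list means the reply is consistent.

    Only replies carrying Content-Range are examined, since those are the ones
    a cache might be tempted to merge into, or serve from, a stored full object.
    """
    status, headers = parse_head(raw)
    findings = []
    content_range = headers.get("content-range")
    if content_range is None:
        return findings
    match = CONTENT_RANGE_RE.match(content_range)
    if not match:
        return [f"unparseable Content-Range: {content_range!r}"]
    first, last, total = int(match.group(1)), int(match.group(2)), match.group(3)
    span = last - first + 1
    if status != 206:
        # A partial body must be 206; a 200 tells caches "this is the whole object".
        findings.append(f"status {status} with Content-Range (partial content must be 206)")
    if total != "*" and last >= int(total):
        findings.append(f"Content-Range end {last} is past the stated total {total}")
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length != span:
            # For the quoted reply this comes out at +13 bytes, consistent with
            # Amos's observation that the body starts with an extra FLV file
            # header (9 bytes) followed by the 4-byte PreviousTagSize0 field.
            findings.append(
                f"Content-Length {length} != Content-Range span {span} ({length - span:+d} bytes)")
    return findings


def cache_safe(raw):
    """True when a cache may treat the body as exactly the bytes the head claims."""
    return not check_range_response(raw)
```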
[squid-users] Squid ACL per-user basis
Hello, I'm using squid 2.6 Version 2.6.STABLE21 (provided with CentOS 5.x), using NTLM AUTH. Since I'm able to apply ACLs to Windows Groups, I'm just wondering if I can apply an ACL only to a single user. Should I need to create a group only for that user and apply an acl to that group, or is there a different way?

Thanks

Here's my config (some comments are in Italian):
-
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 4 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
auth_param ntlm program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic children 5
auth_param basic realm Squid Access
auth_param basic credentialsttl 2 hours
external_acl_type check-group ttl=0 concurrency=0 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/255.255.255.0
acl to_lan dst 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl autenticati proxy_auth REQUIRED
acl siti_blacklist url_regex /etc/squid/blacklist.txt
acl siti_whitelist url_regex /etc/squid/whitelist.txt
acl siti_limitati url_regex /etc/squid/limitati.txt
acl titolari external check-group group1
acl dipendenti external check-group group2
acl limitati external check-group group3
# Things never to cache
#no_cache deny QUERY
# Enable this if you don't want any caching
#no_cache deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Allow unrestricted access from the local machine
http_access allow localhost
# Allow access from the local network to the whole network
http_access allow to_lan lan
# Allow access from the local network to whitelisted sites
http_access allow siti_whitelist lan
# Unrestricted access for the owners (titolari)
http_access allow titolari
# Employees (dipendenti) may visit all web sites except
# those listed in the blacklist file
http_access allow !siti_blacklist dipendenti
# Restricted users (limitati) may only access a few sites
http_access allow siti_limitati limitati
# All other access is denied
http_access deny !autenticati
http_access deny all
http_reply_access allow all
acl FTP proto FTP
always_direct allow FTP
cache_mgr mana...@mylan.com
cache_effective_user squid
cache_effective_group squid
# I have very little RAM, so I set this off. YMMV
memory_pools on
forwarded_for on
#error_directory /etc/squid/errors
coredump_dir /var/spool/squid
# note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2
--
Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Bilal,

I'm working on much the same thing, with added Apple Macs just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.

It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication breaking elements have disappeared when compared to my Blue Coat and ISA experiences.

Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that the answer to your question 1 is Yes.

Users not on the domain would be prompted for credentials. I haven't tested this and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.

Finally, I have been struggling against an issue where my KVNO Keytab increments in AD and gets out of sync with the exported version making Squid unusable until it's regenerated. Have you experienced this?

Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:
If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?
1. Isn't it that all of my users who have logged into Active Directory and whose browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?
I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain?
I hope you can understand me and help me to clear myself.
regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry I knew that but forgot to mention that I was talking about the Unix version.
Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
Hi Markus,

If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with an NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it
[squid-users] how to cache youtube
hey all great;
does any one have successfully cached youtube. any pointer will be much appreciated.
Thanks
Re: [squid-users] how to cache youtube
On Thu, Apr 8, 2010 at 11:46 AM, sameer khan khanza...@hotmail.com wrote:
hey all great;
does any one have successfully cached youtube. any pointer will be much appreciated.

Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube

--
/kinkie
RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Nick,

Thank you so much for your support. I am now much more confident about Negotiate/Kerberos and have just decided to jump into the real thing (as enough theory). As far as KVNO, I have not experienced it yet (as not practically implemented); however I may too in due course and surely will share with you. Rather, I will share my whole experience.

regards,
Bilal

From: nick.cairncr...@condenast.co.uk
To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
Date: Thu, 8 Apr 2010 10:17:13 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Re: [squid-users] UDP errors after upgrade to 3.1.1
snip

Second and probably more important.

squid -d1x
squid -k check
shows
squid: ERROR: No running copy
squid -k rotate
squid: ERROR: No running copy
squid -k shutdown
squid: ERROR: No running copy

ps -ax | grep squid
root# ps -ax | grep squid
29428 ?? 0:00.00 squid -d1x
29430 ?? 0:01.30 (squid) -d1x
29431 ?? 0:00.04 (squidGuard) -c /usr/local/squidGuard/squidGuard.conf
snip helpers

is there a new way to start stop ?

Ouch, check if the squid.pid file also exists with the current Squid worker process PID (29430) inside it.

no pid file in the 3.1.1 build. I check my other copies and they all made the PID file in /usr/local/squid/var/logs/squid.pid
nothing is in my 3.1.1
cat: /usr/local/squid/var/logs/squid.pid: No such file or directory

-k check maybe should not be doing that test anyway. But the others require a running Squid they can contact.

Amos
RE: [squid-users] UDP errors after upgrade to 3.1.1
-Original Message-
From: donovan jeffrey j [mailto:dono...@beth.k12.pa.us]
Sent: Thursday, April 08, 2010 7:37 AM
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] UDP errors after upgrade to 3.1.1

snip

no pid file in the 3.1.1 build. I check my other copies and they all made the PID file in /usr/local/squid/var/logs/squid.pid
nothing is in my 3.1.1
cat: /usr/local/squid/var/logs/squid.pid: No such file or directory

The machines I have installed 3.1.1 on want to place the pid file in /usr/local/squid/var/run/squid.pid. Unfortunately the install doesn't appear to build that directory; simply do a mkdir /usr/local/squid/var/run (make sure it's owned by your squid user). Then either kill and restart squid, or manually create a squid.pid file with the process id in it. Alternatively you could use the pid_filename directive to point it to another location.
Re: [squid-users] UDP errors after upgrade to 3.1.1
On Apr 8, 2010, at 9:12 AM, Dean Weimer wrote:
The machines I have installed 3.1.1 on want to place the pid file in /usr/local/squid/var/run/squid.pid. Unfortunately the install doesn't appear to build that directory; simply do a mkdir /usr/local/squid/var/run (make sure it's owned by your squid user). Then either kill and restart squid, or manually create a squid.pid file with the process id in it.

YAY!

nc-106:var root# mkdir run
nc-106:var root# chown squid:wheel run
nc-106:var root# ls -la
total 0
drwxr-xr-x   4 squid wheel   136 Apr 8 09:27 .
drwxr-xr-x  11 root  wheel   374 Apr 1 10:20 ..
drwxr-xr-x  36 squid wheel  1224 Apr 8 08:55 logs
drwxr-xr-x   2 squid wheel    68 Apr 8 09:27 run
nc-106:var root# cd run
nc-106:run root# ls
nc-106:run root# squid -d1x
nc-106:run root# ls
squid.pid
nc-106:run root# cat squid.pid
36555
nc-106:run root# squid -k check
no news is good news
nc-106:run root# squid -k rotate
snip
logfileRotate: /usr/local/squid/var/logs/access.log
nc-106:run root# squid -k shutdown
snip
Squid Cache (Version 3.1.1): Exiting normally.

worked like a champ. I had to create the run directory, then all was happy.

thanks dean
-j
[squid-users] Address Network Report Sarg
Hi,

Recently an address 10.1.1.0 appeared in my sarg report together with my user list. 10.1.1.0 is my network address. I don't understand why this entry appears. Does anybody know how to solve this issue?

Regards,
Rafael Poch Vieira Palma
INFRASTRUCTURE - IT
(44)3033-6300 - Ext. 6323 / Fax (44)3033-6303
raf...@db1.com.br
http://www.db1.com.br
Be mindful: print this e-mail only if necessary. The environment thanks you.
[squid-users] Squid is unable to connect to local webservers
I've got a squid proxy running in transparent mode with an AUP on a public wireless network which is separated from our private network. We run a local webserver here and found that users get the AUP and cannot click past it when attempting to get to the local web server. Without using the proxy I can connect just fine to the web server from the squid server so I know they can see each other. Everything else works great. I tried setting up an ACL with localweb (seen in the config below) but that didn't allow it through. The weird thing is that when I try hitting the local web server, I don't see anything in the squid access.log file, which makes me believe that squid isn't even seeing the traffic for some reason.

squid config:

# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds

# TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl localweb dst 84.8.132.1/32

follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
http_access allow localweb
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports
RE: [squid-users] Squid is unable to connect to local webservers
Another piece of information I just discovered... I use a wpad.dat file to assign the proxy to users. It works just fine except for the local servers. However, when I force the connection in the browser to the proxy on 8080 (dansguardian) then I can get to my local web servers.

-Original Message-
From: Johnson, S [mailto:sjohn...@edina.k12.mn.us]
Sent: Thursday, April 08, 2010 9:50 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid is unable to connect to local webservers
Re: [squid-users] [Urgent] Please help : NAT + squid2.7 on ubuntu server 9.10 + cisco firewall (ASA5510)
I'm still stunned. Can you explain in more detail so I can understand what the problem is? I really appreciate it.

Vichao S

On Thu, Apr 8, 2010 at 2:03 PM, Amos Jeffries squ...@treenet.co.nz wrote:
There should be no need for NAT on the ASA. Relevant packets get _routed_ down the WCCP tunnel to the Squid box where NAT happens. Squid outbound traffic gets the same handling any outbound traffic would (except pushing back down the wccp tunnel).

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Creating a kerberos Service Principal.
Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However, ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or less secure, an attacker who gains access to a user's credentials will be able to impersonate that user against Kerberos and thus be able to use ALL services that this user has access to. In any case DO NOT use basic auth with Kerberos in a public set-up. That's a recipe for disaster. Digest auth and NTLM (v2) might be suitable, but these are in fact less secure than Kerberos and thus not preferable. One down-side to Kerberos is that it's an all-or-nothing service: either you use Kerberos and only Kerberos, or you risk security breaches in any mixed situation.

HTH
Khaled

2010/4/6 GIGO . gi...@msn.com:

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
Re: [squid-users] Creating a kerberos Service Principal.
I forgot this link to an example configuration: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

2010/4/8 Khaled Blah khaled.b...@googlemail.com:

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However, ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or less secure, an attacker who gains access to a user's credentials will be able to impersonate that user against Kerberos and thus be able to use ALL services that this user has access to. In any case DO NOT use basic auth with Kerberos in a public set-up. That's a recipe for disaster. Digest auth and NTLM (v2) might be suitable, but these are in fact less secure than Kerberos and thus not preferable. One down-side to Kerberos is that it's an all-or-nothing service: either you use Kerberos and only Kerberos, or you risk security breaches in any mixed situation.

HTH
Khaled

2010/4/6 GIGO . gi...@msn.com:

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
[squid-users] Squid 2.7.8 + pfSense 'zero sized reply'
I'm running Squid 2.7.8 on pfSense 1.2.2. As of today, we get the 'zero sized reply' error when trying to load www.questgarden.com. It worked yesterday! (I rebooted the firewall this morning during an ISP outage; presumably that's when it broke.) I can load the page through curl, but not in a browser. Strange, eh? Any guidance is appreciated!

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School

--
View this message in context: http://n4.nabble.com/Squid-2-7-8-pfSense-zero-sized-reply-tp1778352p1778352.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Creating a kerberos Service Principal.
BTW You do not need Administrator rights. You can set permission for different Groups on OUs, for example for Unix Kerberos Admins.

Markus

Khaled Blah khaled.b...@googlemail.com wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However, ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or less secure, an attacker who gains access to a user's credentials will be able to impersonate that user against Kerberos and thus be able to use ALL services that this user has access to. In any case DO NOT use basic auth with Kerberos in a public set-up. That's a recipe for disaster. Digest auth and NTLM (v2) might be suitable, but these are in fact less secure than Kerberos and thus not preferable. One down-side to Kerberos is that it's an all-or-nothing service: either you use Kerberos and only Kerberos, or you risk security breaches in any mixed situation.

HTH
Khaled

2010/4/6 GIGO . gi...@msn.com:

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
[squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients
Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc.) it will regularly update the AD entry and key for the host/fqdn principal, which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called short-hostname-HTTP to be independent of samba, which usually uses short-hostname.

Regards
Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic. It's been a struggle to get each element to work, but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication-breaking elements have disappeared when compared to my Blue Coat and ISA experiences.

Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes. Users not on the domain would be prompted for credentials. I haven't tested this, and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain, I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.

Finally, I have been struggling against an issue where my KVNO keytab increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this?

Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?
1. Isn't it that all of my users who have logged into Active Directory, and where the browser is supported, will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail, as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further, as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate, the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket, the client will send a Negotiate response with a NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1
10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135
Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW:
[squid-users] url_regex file format
Hi, What is the format of the regex file when defining an ACL based on regexes? Can I have comments in there? What is the -i option for? Also, what RE are supported? Thanks, Jean-Luc
[squid-users] Authentication logging
Hello,

Using squid 2.7 stable 9, I have set the debug_options to 29,2 which logs authenticated users, e.g.:

user 'xxx' has been seen at a new IP address (11.22.33.44)

However, is there a way I can log unsuccessful authentication attempts? I have increased the debug level to 6, but it still doesn't log authentication failures. Is this possible in the squid 3.x series?

Thanks,
John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
Re: [squid-users] Authentication logging
On Thu, 2010-04-08 at 21:43 +0100, John Horne wrote:

Hello,

Using squid 2.7 stable 9, I have set the debug_options to 29,2 which logs authenticated users, e.g.:

user 'xxx' has been seen at a new IP address (11.22.33.44)

However, is there a way I can log unsuccessful authentication attempts? I have increased the debug level to 6, but it still doesn't log authentication failures. Is this possible in the squid 3.x series?

Ha! I have just seen that someone else asked the same question a couple of days ago! I see that failures are logged as a 407 response (which I can see in our log files). Apologies for the list noise.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
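Since failed proxy authentication only shows up as 407 responses in access.log, the practical check is to look for clients that keep collecting 407s without ever completing a login. The script below is an added example for this thread, not Squid code. It parses lines in Squid's default "squid" log format (time, elapsed, client, action/status, size, method, URL, user, hierarchy/peer, content type); the log lines, addresses and user name in it are constructed, and the threshold of three unbroken failures is an assumption to tune per site.

```python
"""Find clients piling up proxy-auth failures (HTTP 407) in a Squid access.log.

Added example for this thread, not Squid code. The log lines are constructed in
Squid's default "squid" log format (time, elapsed, client, action/status, size,
method, URL, user, hierarchy/peer, content type); the addresses and user are
made up.
"""
from collections import Counter

# Constructed sample: one client that authenticates after two challenges and
# one that never does.
SAMPLE_LOG = """\
1270764481.112 0 10.1.2.3 TCP_DENIED/407 3419 GET http://www.example.com/ - NONE/- text/html
1270764481.250 0 10.1.2.3 TCP_DENIED/407 3419 GET http://www.example.com/ - NONE/- text/html
1270764481.900 35 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ jsmith DIRECT/93.184.216.34 text/html
1270764490.001 0 10.1.2.99 TCP_DENIED/407 3419 GET http://intranet.example/ - NONE/- text/html
1270764490.101 0 10.1.2.99 TCP_DENIED/407 3419 GET http://intranet.example/ - NONE/- text/html
1270764490.201 0 10.1.2.99 TCP_DENIED/407 3419 GET http://intranet.example/ - NONE/- text/html
1270764490.301 0 10.1.2.99 TCP_DENIED/407 3419 GET http://intranet.example/ - NONE/- text/html
1270764490.401 0 10.1.2.99 TCP_DENIED/407 3419 GET http://intranet.example/ - NONE/- text/html
"""


def parse_line(line):
    """Split one access.log line into the fields the checks below need."""
    f = line.split()
    if len(f) < 9:
        return None
    action, _, status = f[3].partition("/")
    return {"time": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "user": f[7]}


def failures_by_client(log_text):
    """Total 407 responses per client address."""
    total = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 407:
            total[rec["client"]] += 1
    return total


def consecutive_auth_failures(log_text):
    """Length of each client's current run of 407s with no authenticated request
    since. One 407 followed by a success is the normal challenge/response;
    a long run with no success is password guessing or a broken client."""
    runs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 407:
            runs[rec["client"]] += 1
        elif rec["user"] != "-":
            runs[rec["client"]] = 0   # a login succeeded, the run is over
    return runs


def flag_suspicious(log_text, threshold=3):
    """Clients whose unbroken run of failures reached the threshold (assumed value)."""
    return {c: n for c, n in consecutive_auth_failures(log_text).items()
            if n >= threshold}


if __name__ == "__main__":
    for client, n in flag_suspicious(SAMPLE_LOG).items():
        print(f"{client}: {n} consecutive 407s without a successful login")
```

Counting runs rather than raw totals matters: every Negotiate or Basic handshake starts with a 407, so a busy, healthy client accumulates plenty of them; it is the absence of any authenticated request afterwards that distinguishes guessing from normal traffic.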
RE: [squid-users] url_regex file format
-----Original Message-----
From: Jean-Luc Wasmer [mailto:sq...@2010.jl.wasmer.ca]
Sent: Thursday, April 08, 2010 1:02 PM

Hi,
What is the format of the regex file when defining an ACL based on regexes?

Just a list of matches. E.g.:

^http://www\.google\.com #Allow access to Google
# News sites
^http://news\.yahoo\.com
^http://news\.google\.com

Can I have comments in there?

Yes.

What is the -i option for?

Not case sensitive. It's like the -i flag for grep.

Also, what RE are supported?

The same as egrep / grep -E.

Thanks,
Jean-Luc

-Dan
RE: [squid-users] url_regex file format
tor 2010-04-08 klockan 14:59 -0700 skrev Mellem, Dan: Also, what RE are supported? The same as egrep / grep -E. Which is also known as POSIX Extended Regex. Regards Henrik
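A small loader and matcher for a url_regex file in the format Dan describes, as an added example (not from the thread or from Squid). It also shows the check that is worth running against any allow-list of this shape: a pattern such as ^http://www\.google\.com does not require the host to end after "com", so it also matches http://www.google.com.attacker.example/, a hostname the attacker controls. Two assumptions: Squid compiles these patterns as POSIX Extended regexes while Python's re module is a different dialect, which for the simple anchored patterns used here gives the same result; and the loader strips everything after a # on a line, following Dan's sample file, so a literal # cannot appear in a pattern loaded this way. The ACL file contents are constructed.

```python
"""Load a Squid url_regex ACL file and test URLs against it.

Added example, not from the thread or the Squid project. Squid uses POSIX
Extended regexes (egrep); Python's re module differs in details, but the
anchored patterns below behave the same in both.
"""
import re

# Constructed ACL file in the format from Dan's reply (comments after '#').
ACL_FILE = r"""
^http://www\.google\.com #Allow access to Google
# News sites
^http://news\.yahoo\.com
^http://news\.google\.com
"""

# Same allow-list, but each pattern requires the host to end at a '/' or
# ':port', so look-alike hostnames with extra labels no longer match.
STRICT_ACL_FILE = r"""
^http://www\.google\.com(:[0-9]+)?/
^http://news\.(yahoo|google)\.com(:[0-9]+)?/
"""


def load_acl(text, case_insensitive=True):
    """Return compiled patterns, one per non-empty line, comments stripped.
    case_insensitive mirrors Squid's -i flag."""
    flags = re.IGNORECASE if case_insensitive else 0
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if line:
            patterns.append(re.compile(line, flags))
    return patterns


def matches(url, patterns):
    """Regex ACLs are searches, not full-string matches: a pattern with no
    ^ or $ can match anywhere in the URL."""
    return any(p.search(url) for p in patterns)


def lookalike_hosts_accepted(patterns, probe="http://www.google.com.attacker.example/"):
    """True if the allow-list also admits a host that merely starts with an
    allowed hostname."""
    return matches(probe, patterns)


LOOSE = load_acl(ACL_FILE)
STRICT = load_acl(STRICT_ACL_FILE)

if __name__ == "__main__":
    for url in ("http://www.google.com/search?q=x",
                "http://WWW.GOOGLE.COM/",
                "http://www.google.com.attacker.example/",
                "http://www.google.com:8080/"):
        print(f"{url:45} loose={matches(url, LOOSE)} strict={matches(url, STRICT)}")
```

The same trick applies to any prefix-style pattern, including the redirector-side regexes elsewhere in this archive; when a regex is used to decide what traffic is allowed or left unauthenticated, terminate the host part explicitly.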
Re: [squid-users] Squid 3.1.1 and flash video scrubbing
tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries: FWIW, the flash player and the server are somewhat broken and playing bad games with HTTP/1.1 Range requests. Which quite likely triggers confusion within Squid as the store/object interface is range aware. Has been issues there in the past, and quite likely is more issues.. Not 100% sure that response is technically broken, but it surely is an odd response. It claims to be cacheable but isn't. Why isn't it? If this range was merged into a previous ranges of the object, or even fetched from the a full copy of real object by any well behaved middleware proxy it would corrupt the media transfer. We don't know how the server would react on requests for the same URI but with Range header.. There is no Content-Location header in the response, so merging of responses with different url parameters MUST NOT be done by any HTTP agent (including proxies). Content-aware merging of the data is allowed, but that's outside HTTP. Regards Henrik
RE: [squid-users] how to cache youtube
Thanks Kinkie, but does it work? Does anyone have experience with the link below? Any help will be much appreciated.

thanks

Date: Thu, 8 Apr 2010 11:48:35 +0200
Subject: Re: [squid-users] how to cache youtube
From: gkin...@gmail.com
To: khanza...@hotmail.com
CC: squid-users@squid-cache.org

On Thu, Apr 8, 2010 at 11:46 AM, sameer khan khanza...@hotmail.com wrote:
Hey all, great; has anyone successfully cached YouTube? Any pointer will be much appreciated.

Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube

--
/kinkie
RE: [squid-users] Squid 3.1.1 and flash video scrubbing
Which quite likely triggers confusion within Squid as the store/object interface is range aware. Has been issues there in the past, and quite likely is more issues.. Is squid 2.7 Content-Range aware? Since these requests work in 2.7, is 2.7 just ignoring the range requests? -Original Message- From: Henrik Nordström [mailto:hen...@henriknordstrom.net] Sent: Thursday, April 08, 2010 5:32 PM To: Amos Jeffries Cc: squid-users@squid-cache.org Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries: FWIW, the flash player and the server are somewhat broken and playing bad games with HTTP/1.1 Range requests. Which quite likely triggers confusion within Squid as the store/object interface is range aware. Has been issues there in the past, and quite likely is more issues.. Not 100% sure that response is technically broken, but it surely is an odd response. It claims to be cacheable but isn't. Why isn't it? If this range was merged into a previous ranges of the object, or even fetched from the a full copy of real object by any well behaved middleware proxy it would corrupt the media transfer. We don't know how the server would react on requests for the same URI but with Range header.. There is no Content-Location header in the response, so merging of responses with different url parameters MUST NOT be done by any HTTP agent (including proxies). Content-aware merging of the data is allowed, but that's outside HTTP. Regards Henrik
Re: [squid-users] Squid 3.1.1 and flash video scrubbing
The response to the request with the fs query arg is sending back a Content-Range header; http://redbot.org/?uri=http%3A%2F%2Fserver437.files.youporn.com%2Fe4%2Fflv%2F426677_Splash.flv%3Fe%3D1273284436%26h%3D47ee1fbcb8d3ab05a06988683c2d94c1%26fs%3D4281434

That's weird.

On 08/04/2010, at 1:32 PM, David Robinson wrote:

My range_offset_limit and quick_abort_* settings were all default. I tried setting
range_offset_limit -1 - did not fix the problem
quick_abort_min 0 and quick_abort_max 0 - did not fix the problem
quick_abort_min -1 - did not fix the problem

The type of URLs it's having problems with are like these:
1270696241.147 3691 172.16.16.199 TCP_MISS/200 3069898 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1 - DIRECT/208.111.181.139 video/x-flv
1270696248.438 7293 172.16.16.199 TCP_MISS/200 1442091 GET http://server437.files.youporn.com/e4/flv/426677_Splash.flv?e=1273284436&h=47ee1fbcb8d3ab05a06988683c2d94c1&fs=4281434 - DIRECT/208.111.181.139 video/x-flv

The first one is the initial video player loading the flv. This request works correctly and the video starts to download. The second URL is when I jump the video player slider ahead of the downloading video; note the fs=4281434 added to the URL. It's this fs= parameter that changes the behaviour of the download. You could wget the first URL and a flv would download. Wgetting the second URL keeps making wget retry even though the website sends back a 200 OK. I have this all set up in a lab, so if you want tcpdumps I can provide them.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 8:36 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1.1 and flash video scrubbing

On Wed, 7 Apr 2010 14:41:42 -0500, David Robinson drobin...@pavlovmedia.com wrote:

I've started doing field tests of 3.1.1 and an interesting bug has showed up. If you try to jump ahead in a partially loaded video from youporn.com or redtube.com, the flash player freezes and doesn't continue to download the video. With squid off, you would be able to jump to any part of the video and have it continue playing. I've tested this on 3.1.1, 3.1.0.14 and 3.1.0.15 and they all have the same behaviour. I've also tested this on squid 2.7 and both sites work properly. Can some other users confirm this before I submit a bug report?

Using squid 3.1.1 on Debian 5.0.1, 2.6.30.10 kernel

What range_offset_limit and quick_abort_* settings are you working with? Also, are you able to track down any info about what the requests hitting Squid are? headers, etc.

Amos

--
Mark Nottingham m...@yahoo-inc.com
Re: [squid-users] Squid is unable to connect to local webservers
Johnson, S wrote: Another piece of information I just discovered... I use a wpad.dat file to assign the proxy to users. It works just fine except for the local servers. However, when I force the connection in the browser to the proxy with 8080 (dansguardian) then I can get to my local web servers. So something in your PAC file is broken. Probably a test of the destination server IP or an exception for local domains. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Squid 3.1.1 and flash video scrubbing
Henrik Nordström wrote:

tor 2010-04-08 klockan 20:43 +1200 skrev Amos Jeffries:
FWIW, the flash player and the server are somewhat broken and playing bad games with HTTP/1.1 Range requests.

Which quite likely triggers confusion within Squid as the store/object interface is range aware. Has been issues there in the past, and quite likely is more issues..

Not 100% sure that response is technically broken, but it surely is an odd response.

It claims to be cacheable but isn't.

Why isn't it?

I thought Squid considered it a malformed 206 and made it uncacheable. Does squid consider the reply a malformed 206 or a malformed 200? The extra bytes which exist in the body mean we should be assuming it's a malformed 200 with unusable range headers.

If this range was merged into a previous ranges of the object, or even fetched from the a full copy of real object by any well behaved middleware proxy it would corrupt the media transfer.

We don't know how the server would react on requests for the same URI but with Range header..

Server may or may not provide a real range or this same output. Regardless of that, any client being smart and fetching the request as a range of the indicated range bytes from a full copy of the object will get different bytes from any intermediary than this reply contains.

There is no Content-Location header in the response, so merging of responses with different url parameters MUST NOT be done by any HTTP agent (including proxies). Content-aware merging of the data is allowed, but that's outside HTTP.

Ah. Thanks.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
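The reply being discussed is a 200 that carries a Content-Range header and a body that is not the announced range; what a cache must decide before storing such a thing is the check below, written here as an added example (it is not Squid's store code). The status/header/body-length combinations it is run over are constructed to have the shape of the replies in this thread, not captures of them. The classification follows RFC 2616: Content-Range belongs to a 206, and a 206 body must be exactly last-first+1 bytes; anything else is passed through but never merged into the cached object, because merging it into a full copy, or serving it for a different URL, corrupts the media file.

```python
"""Classify a response carrying Content-Range, as a cache would before storing it.

Added example for this thread, not Squid code. Header sets below are
constructed to mimic the replies discussed, not captured from the server.
"""
import re

CONTENT_RANGE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_content_range(value):
    """'bytes first-last/total' -> (first, last, total|None), or None if unusable."""
    m = CONTENT_RANGE.match(value.strip())
    if not m:
        return None
    first, last = int(m.group(1)), int(m.group(2))
    total = None if m.group(3) == "*" else int(m.group(3))
    if last < first or (total is not None and last >= total):
        return None
    return first, last, total


def classify(status, headers, body_len):
    """Return one of:
      'full'          200 without range headers: cacheable as the whole object
      'partial'       206 whose body is exactly the announced range: cacheable as a range
      'bad-206'       206 with a missing, unparsable or mismatched Content-Range
      'range-on-200'  200 carrying Content-Range: the thread's odd reply
      'other'         anything else
    """
    h = {k.lower(): v for k, v in headers.items()}
    cr = h.get("content-range")
    if status == 200:
        return "range-on-200" if cr is not None else "full"
    if status == 206:
        rng = parse_content_range(cr) if cr else None
        if rng is None:
            return "bad-206"
        first, last, _ = rng
        return "partial" if body_len == last - first + 1 else "bad-206"
    return "other"


def may_merge_into_store(status, headers, body_len):
    """Only a consistent 206 may be merged into the object stored under the same
    URL; every other shape must be passed through uncached."""
    return classify(status, headers, body_len) == "partial"


# Constructed replies with the shape of the two log lines in the thread:
# the plain flv fetch, and the fs= seek reply (200 + Content-Range, body much
# longer than the range it names).
FULL_REPLY = (200, {"Content-Length": "3069898", "Content-Type": "video/x-flv"}, 3069898)
SEEK_REPLY = (200, {"Content-Range": "bytes 4281434-5723524/5723525",
                    "Cache-Control": "max-age=3600",
                    "Content-Type": "video/x-flv"}, 1442091)
GOOD_RANGE = (206, {"Content-Range": "bytes 1000-1999/5000"}, 1000)

if __name__ == "__main__":
    for name, reply in (("full", FULL_REPLY), ("seek", SEEK_REPLY), ("range", GOOD_RANGE)):
        print(f"{name}: {classify(*reply)}  merge={may_merge_into_store(*reply)}")
```

Henrik's second point, that replies for URLs differing only in query parameters are different resources unless the server says otherwise with Content-Location, is the other half of the rule: even a well-formed 206 for the fs= URL must not be spliced into the object cached under the fs-less URL.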
RE: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients
Hi Markus/Nick,

I have chosen the following method of creating the keytab. Can you give me your advice/experience regarding it?

1. I have created a user account for the SPN in Active Directory with "password never expires" and "preauthentication not required" checked.
squidLhr-proxy Pwd: X

C:\Program Files\Support Tools
setspn -A HTTP/squidLhr-proxy.v.mcb.com.pk squidLhr-proxy

Creating keytab:
ktpass -out c:\squidLhr-proxy.keytab -princ HTTP/squidlhr-proxy.v.com...@myrealm.v.com.pk -mapUser V\squidLhr-proxy -mapOp set -pass * -crypto DES-CBC-MD5 -pType KRB_NT_PRINCIPAL

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:08:10 +0100
Subject: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc.) it will regularly update the AD entry and key for the host/fqdn principal, which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called short-hostname-HTTP to be independent of samba, which usually uses short-hostname.

Regards
Markus

Nick Cairncross wrote in message news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic. It's been a struggle to get each element to work, but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication-breaking elements have disappeared when compared to my Blue Coat and ISA experiences.

Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes. Users not on the domain would be prompted for credentials. I haven't tested this, and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain, I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.

Finally, I have been struggling against an issue where my KVNO keytab increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this?

Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?
1. Isn't it that all of my users who have logged into Active Directory, and where the browser is supported, will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail, as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further, as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate, the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy.
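Two things in the ktpass procedure above are worth checking on the proxy side before Squid is put in front of users: whether the keytab's key version (kvno) still matches what AD holds for the account, which is the out-of-sync condition Nick describes, and which enctype the key was exported with (ktpass -crypto DES-CBC-MD5 produces a single-DES key, 56 bits, an enctype that has been deprecated since RFC 6649). The parser below is an added example and is not code from msktutil, ktpass or Squid. It reads the MIT/Heimdal keytab file format (version 0x0502) and reports kvno and enctype per entry; the keytab bytes are built in the script from dummy key material, the principal name is assumed, and the AD-side kvno (the account's msDS-KeyVersionNumber attribute) is passed in as a number because the example runs offline.

```python
"""Parse a keytab (MIT/Heimdal format 0x0502) and check kvno and enctype.

Added example, not from msktutil, ktpass or Squid. The keytab is constructed
in-script with dummy keys; PRINCIPAL is an assumed name.
"""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}   # single DES, 56-bit key
NT_PRINCIPAL = 1            # name-type of HTTP/host@REALM entries


def _cos(b):
    """counted_octet_string: uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cos(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return bytes(data[pos:pos + n]), pos + n


def build_keytab(entries):
    """entries: (principal 'svc/host@REALM', kvno, enctype, key bytes, timestamp)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)                            # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cos(data, pos)
        kvno = vno8
        if end - pos >= 4:        # the 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "timestamp": ts})
    return entries


def check_keytab(data, principal, ad_kvno):
    """Problems to fix before Negotiate auth breaks: no key for the service
    principal; keytab kvno behind AD's (tickets will then be encrypted with a
    key the proxy lacks); a DES enctype."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not mine:
        return [f"no entry for {principal}"]
    problems = []
    if all(e["kvno"] != ad_kvno for e in mine):
        have = sorted({e["kvno"] for e in mine})
        problems.append(f"kvno mismatch: keytab has {have}, AD has {ad_kvno}")
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"weak enctype {e['enctype_name']} (kvno {e['kvno']})")
    return problems


PRINCIPAL = "HTTP/squid.example.internal@EXAMPLE.INTERNAL"   # assumed
SAMPLE = build_keytab([
    (PRINCIPAL, 3, 3, b"\x01" * 8, 1270764000),    # old des-cbc-md5 key
    (PRINCIPAL, 4, 18, b"\x02" * 32, 1270764100),  # current aes256 key
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(f"{e['principal']} kvno={e['kvno']} {e['enctype_name']}")
    print(check_keytab(SAMPLE, PRINCIPAL, ad_kvno=4))
```

In real use, read the file Squid points at (open(path, "rb")) and take ad_kvno from the account's msDS-KeyVersionNumber via an LDAP query; every password reset or msktutil/ktpass re-export of the account bumps that number, which is why a keytab copied once and forgotten stops working.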
RE: [squid-users] Re: Creating a kerberos Service Principal.
Markus, I could not get you. Please can you elaborate a bit? Thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: [squid-users] Re: Creating a kerberos Service Principal.

BTW You do not need Administrator rights. You can set permission for different Groups on OUs, for example for Unix Kerberos Admins.

Markus

Khaled Blah wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However, ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or less secure, an attacker who gains access to a user's credentials will be able to impersonate that user against Kerberos and thus be able to use ALL services that this user has access to. In any case DO NOT use basic auth with Kerberos in a public set-up. That's a recipe for disaster. Digest auth and NTLM (v2) might be suitable, but these are in fact less secure than Kerberos and thus not preferable. One down-side to Kerberos is that it's an all-or-nothing service: either you use Kerberos and only Kerberos, or you risk security breaches in any mixed situation.

HTH
Khaled

2010/4/6 GIGO . :

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
Re: [squid-users] how to cache youtube
On Fri, Apr 9, 2010 at 12:32 AM, sameer khan khanza...@hotmail.com wrote: Please see http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube thanks kinkie, but does it work ? any one experience with below link ? will be much appreciated for any help. To the best of my knowledge, it does. The only way to be sure is by trying. -- /kinkie