[squid-users] Yahoo mail Display problem
Hi,

I have been running squid 2.5 on FreeBSD 5.4-RELEASE for a number of years and it was working very well. A few days back I replaced my old Windows 2003 DNS server and installed a new server with the Windows Server 2008 OS, and configured DNS on it with the same IP address. Since then I have started to receive this problem:

Unable to determine IP address from host name xxx
DNS server returned No Address Records
This means Cache was unable to resolve host name present in the url check if the address is correct.

Following the error I revisited the DNS configuration and found it fine. After that I flushed the cache and recreated it using squid -z, assuming that it might help me out, but it didn't: after flushing the cache the Yahoo mail page started to appear scattered in the explorer.

So can you please let me know why squid is behaving like this and how I can fix these issues? An early solution would be very helpful.

Thanks and regards,
.Goody.
RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
Dear Markus/all,

I am unable to create the keytab using msktutil. Please help me out. I followed these steps:

1. I created an OU and named it UnixOU.
2. I created a group account in the UnixOU and named it UnixAdmins.
3. I made my Windows account bilal_admin part of the UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then I synced the time of the Squid machine and Active Directory.
6. My domain's fully qualified domain name is v.local and the NetBIOS name is V.
7. My domain controller name is vdc (fqdn=vdc.v.local).
8. The following lines were changed in krb5.conf, the rest being untouched:

[libdefaults]
    default_realm=V.LOCAL

[realms]
    V.LOCAL = {
        kdc = vdc.v.local:88
        admin_server = kerberos.example.com:749 (e.g this not changed does it matter at the step of creation of keytab)
        default_domain = example.com (unchanged)
    }

Then I ran the following commands to create the keytab:

kinit squidad...@v.local
msktutil -c -b OU=unixPrincipals -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose

Output of the command:

-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL/GSSAPI authentication started
SASL username: squidad...@v.local
SASL SSF: 56
SASL installing layers
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- get_short_hostname: Determined short hostname: squidLhrTest-v-local
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$ exists
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

Please help me resolve the issue.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 9 Apr 2010 08:10:19 +0100
Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I then create a Windows Group UnixAdministrators and add the Windows account of the UnixAdministrators to it. Finally I change the permissions on the OU=UnixPrincipals so that the members of the group UnixAdministrators have full rights (or limited rights) for objects under this OU.

Regards
Markus

GIGO . wrote in message news:snt134-w395b3433738667ded2186eb9...@phx.gbl...

Markus could not get you please can you elaborate a bit. thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: [squid-users] Re: Creating a kerberos Service Principal.

BTW You do not need Administrator rights. You can set permission for different Groups on OUs for example for Unix Kerberos Admins.

Markus

Khaled Blah wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same, they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or
RE: [squid-users] squid.conf.documented instead of squid.conf?
Hello Amos,

B) is it normal that now the /etc/squid3/squid.conf is not anymore a file, but a directory?

No. It's a new bug in the Debian squid3-3.1.1-2 package. Hopefully Luigi can fix it again.

I checked bug-reportings and there it is: BUG #577615 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577615)

C) how can I extract the actual configuration from the running squid3?

squidclient mgr:con...@password
(catch-22: usually requires the password as configured in cachemgr_passwd in squid.conf)

I'm getting error:

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: cache_object://localhost/con...@cachemgr
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

- Password is correct, because I can login via webinterface at http://172.16.16.221/cgi-bin/cachemgr3.cgi

Any clues to go further?

Thanks,
Flavio Boniforti
PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch
[squid-users] Squid Cache crashes with FATAL: logfileWrite: /var/log/squid/access.log: (0) Success in cache.log
Hi there!

Could anybody help to resolve this? Eventually approx 5:50 am Squid crashes. There are no crons at this time, log rotation is set to monthly, and the crash happens 2-3 times a week (not every day).

File: cache.log

2010/04/15 03:26:42| NETDB state saved; 0 entries, 19 msec
2010/04/15 04:46:39| NETDB state saved; 0 entries, 22 msec
2010/04/15 05:50:52| storeDirWriteCleanLogs: Starting...
2010/04/15 05:50:52| WARNING: Closing open FD 24
2010/04/15 05:50:52| commSetEvents: epoll_ctl(EPOLL_CTL_DEL): failed on fd=24: (
2010/04/15 05:50:52| WARNING: Closing open FD 27
2010/04/15 05:50:52| commSetEvents: epoll_ctl(EPOLL_CTL_DEL): failed on fd=27: (
2010/04/15 05:50:52| Finished. Wrote 7124 entries.
2010/04/15 05:50:52| Took 0.0 seconds (263150.1 entries/sec).
FATAL: logfileWrite: /var/log/squid/access.log: (0) Success
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
(squid)[0x8005]
(squid)(fatal+0x2b)[0x800aaf6b]
(squid)(fatalf+0x56)[0x800ab376]
(squid)[0x80074c41]
(squid)(logfileFlush+0x21)[0x80074c71]
(squid)(accessLogLog+0x108)[0x80013d78]
(squid)[0x8003583c]

Squid log files are placed on /, the cache directory on /usr.

april:~ # df
/dev/sda3 10325780 7751608 2049652 80% /
/dev/sda4 24691380 3822028 19615080 17% /usr

april:~ # ls -al /var/log/squid
total 568728
drwxrwxrwx 2 squid nogroup 4096 Apr 15 06:00 .
drwxr-xr-x 10 root root32768 Apr 10 04:00 ..
-rw-r- 1 squid nogroup 46207873 Apr 15 11:54 access.log
-rw-r- 1 squid nogroup 125324086 Dec 31 17:43 access.log-20100101
-rw-r- 1 squid nogroup 94770876 Feb 3 18:54 access.log-20100201
-rw-r- 1 squid nogroup 131900823 Mar 15 21:40 access.log-20100301
-rw-r- 1 squid nogroup 51326374 Apr 1 10:45 access.log-20100401
-rw-r- 1 squid nogroup 131888327 Mar 15 21:18 access.sav
-rw-r- 1 squid nogroup298881 Apr 15 11:41 cache.log
-rw-r--r-- 1 root root0 Apr 15 06:00 rcsquid.log

Thanks.
Vadim.
[squid-users] how to find out what options squid was compiled with
Hello everybody! Can't find answer to my simple question in google and yandex: how to find out what options squid binary was compiled with? Thank you!
Re: [squid-users] how to find out what options squid was compiled with
Hi, On Thu, Apr 15, Yury Kuryakov wrote: Hello everybody! Can't find answer to my simple question in google and yandex: how to find out what options squid binary was compiled with? yes, squid -v -- Best regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
Re: [squid-users] how to find out what options squid was compiled with
On Thursday 15 April 2010 12:00:42, Yury Kuryakov wrote:

Hello everybody! Can't find answer to my simple question in google and yandex: how to find out what options squid binary was compiled with? Thank you!

squid -v

WBR.
[squid-users] RE: Trouble writing external acl helper
@Adnan Shahzad-2: I don't immediately see that this has anything to do with external acl helpers. I am not a squid expert, but I think if you want to accept all requests for http://irqa-pc/, then you could define an acl with

acl irqa-pc url_regex ^http://irqa-pc/

and put

http_access allow irqa-pc

early on in the http_access section of the config file.

If you want to accept requests to any URL with no dots in the domain component then you could probably use

acl no_dots url_regex ^http://[^.]*/
http_access allow no_dots

Others might be able to help with why you are getting so many requests for this destination -- perhaps start a new thread?
[squid-users] idnsSendQuery - Network is unreachable
Dear list,

I had a very minimalistic reverse SSL config running with squid-3.0.STABLE25 hosted on an OpenBSD-4.6 (i386) box, which essentially looks like this:

cache_peer 192.168.1.3 parent 4443 0 no-query originserver name=myAccel login=PASS ssl sslflags=DONT_VERIFY_PEER
https_port 4443 accel cert=/etc/pki/cert.pem key=/etc/pki/cert.key defaultsite=MyFQDN:4443

The same config does not work with 3.1.1 anymore. I had to --disable-ipv6 like mentioned on http://www.mail-archive.com/squid-users@squid-cache.org/msg57495.html

I actually have no IPv6 but I wonder why this does not work with 3.1.1

regards,
Jan
Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
Bilal,

I think we're doing a similar thing here! See my post earlier about SPN. I think you need to be using the fqdn of the machine in the HTTP/ spn upn and not just the domain. Also check your DNS and host local host entries. E.g.:

msktutil -c -b CN=COMPUTERS -s HTTP/squid1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose

Nick
Re: [squid-users] how to find out what options squid was compiled with
From: Yury Kuryakov kuryu...@mail.ru Can't find answer to my simple question in google and yandex: how to find out what options squid binary was compiled with? Tried squid -v ? JD
RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
Nick,

I tried but with not much success.

.
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
...

regards,
Bilal
[squid-users] Authentication in squid windows
Dear friends,

I am looking forward to deploying squid on Windows Server 2003 for my wireless users. Can someone help me in this case, as I don't want to make a domain because this will render the users unable to work on laptops out of the premises. The other option is to make a username/password file, which can be more effective in my case. Also I want to apply the ACL of max download per day of 200 MB.

Help needed.

Bye
[squid-users] Unable to create keytab Msktutil ldap_set_option failed (local errror)
Dear All,

Once again I failed to properly create the keytab. Following is the detail of how I performed this task.

Step 1: I changed my krb5.conf file as follows:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = V.LOCAL
    dns_lookup_realm = no
    dns_lookup_kdc = no
    ticket_lifetime = 24h
    forwardable = yes
    default_keytab_name= /etc/krb5.keytab
    ; for windows 2003
    default_tgs_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes= rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    V.LOCAL = {
        kdc = vdc.v.local:88
        admin_server = vdc.v.local:749
        default_domain = v.local
    }

[domain_realm]
    .linux.home = V.LOCAL
    .v.local=V.LOCAL
    v.local=V.LOCAL

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

Step 2: I tried to create the keytab as follows:

kinit administra...@v.local
msktutil -c -b CN=COMPUTERS -s HTTP/vdc.v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.local --server vdc.v.local --verbose

However the following error occurs:

SASL/GSSAPI authentication started
Error: ldap_set_option failed (Local error)
Error: ldap_connect failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

My other settings are as follows:

/etc/resolv.conf

nameserver 10.1.82.51 # 10.1.82.51 is my domain controller and DNS server

/etc/hosts file

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidLhrTest localhost.localdomain localhost
10.1.82.52 squidLhrTest.v.local
::1 localhost6.localdomain6 localhost6

However running hostname --fqdn shows squidLhrTest only.

Please help me out and guide.

regards,
Bilal Aslam
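Added example, not part of the original post: a small Python model of the hosts-file lookup (first matching line wins, and the first name on that line is the canonical name), run over the /etc/hosts contents quoted above to show why hostname --fqdn prints only squidLhrTest. HOSTS_SUGGESTED is a constructed alternative layout and the function names are illustrative; the thread does not establish whether this is what makes msktutil fail.

```python
import ipaddress

# /etc/hosts exactly as quoted in the message above.
HOSTS_FROM_POST = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidLhrTest localhost.localdomain localhost
10.1.82.52 squidLhrTest.v.local
::1 localhost6.localdomain6 localhost6
"""

# Constructed alternative (an assumption, not from the thread): the short
# name is an alias of the FQDN on the routable address, not of loopback.
HOSTS_SUGGESTED = """\
127.0.0.1 localhost.localdomain localhost
10.1.82.52 squidLhrTest.v.local squidLhrTest
::1 localhost6.localdomain6 localhost6
"""


def parse_hosts(text):
    """Return [(address, [names...])] in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, the resolver would ignore it too
        if len(fields) > 1:
            entries.append((addr, fields[1:]))
    return entries


def canonical_name(entries, hostname):
    """First line that lists `hostname` wins; its first name is canonical."""
    wanted = hostname.lower()
    for addr, names in entries:
        if wanted in (n.lower() for n in names):
            return addr, names[0]
    return None, None


def audit(text, hostname):
    """Return (canonical name, list of findings) for one hosts file."""
    addr, canon = canonical_name(parse_hosts(text), hostname)
    if canon is None:
        return None, ["hostname not in hosts file; lookup falls through to DNS"]
    findings = []
    if "." not in canon:
        findings.append("canonical name %r has no domain part" % canon)
    if addr.is_loopback:
        findings.append("hostname resolves to loopback address %s" % addr)
    return canon, findings


if __name__ == "__main__":
    for label, text in (("posted", HOSTS_FROM_POST), ("suggested", HOSTS_SUGGESTED)):
        canon, findings = audit(text, "squidLhrTest")
        print(label, "->", canon)
        for f in findings:
            print("   finding:", f)
```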
Re: [squid-users] Unable to create keytab Msktutil ldap_set_option failed (local errror)
From: GIGO . gi...@msn.com ... KERBEROS / LDAP stuff ... Maybe you'd have more answers if you posted your kerberos/ldap questions on the kerberos/ldap mailing lists? JD
RE: [squid-users] Reverse Proxy Cluster Issues
Thanks Amos, removing hierarchy_stoplist solved my query-string issue. However, I'm not sure what you meant by removing cache/no_cache controls. I can't see any such operators in my squid.config file. Can you please elaborate more?

Thanks again.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 14, 2010 6:17 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Reverse Proxy Cluster Issues

On Wed, 14 Apr 2010 08:13:01 -0500, senad.ci...@thomsonreuters.com wrote:

Hi, I am first time squid user and was wondering if could get some help. I tried to find answers to these questions on-line, but unsuccessfully...

I have 2 squid boxes setup as reverse proxies in a cluster (they're using each other as siblings). On the backend I'm using single tomcat server that both squid boxes use to retrieve content. Squid version I'm using is 3.0. I'm running into couple issues:

Issue #1: Whenever squid box receives request for url that contains querystring (e.g. - http://site1:8080/RSSSource/rss/feed?max=1) it does not contact sibling cache for that resource, but it retrieves it from the backend server right away. What's odd is that it works (sometimes...) when query string is not present (e.g. http://site1:8080/RSSSource/rss/feed).

Issue #2: Let's say squidA receives request for some resource (e.g. http://site1:8080/RSSSource/rss/feed). If squidA doesn't have it in its cache, it will check if it's available from squidB. However, if squidA has expired version of that resource, it doesn't contact squidB but retrieves it directly from the backend server, which should not be the case (it should check if squidB had valid copy available), correct?

Here are relevant squid.conf lines for one of the squids (everything else is unchanged, config for the second squid is the same except for sibling references):

Nope. The relevant lines are hierarchy_stoplist (prevent peers being asked for query-string URLs). and cache/no_cache controls (prevent QUERY ACL matches being stored locally.) Both of which need to be removed from your config.

Amos
[squid-users] External users from Child AD domain unable to use local Squid proxy
We are using Squid on Windows as a proxy and we are having an issue when users that come from a child domain to our office do not authenticate properly.

Example: our domain is na.myworld.com and users from eu.myworld.com come to our office and do not authenticate correctly.

The log of the connection is below.

1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html

We have the below acl for users in the AD global group:

external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G

and another acl below that allows full access through the squid proxy using an AD group:

acl InetAllow external AD_global_group CLW.Squid.Full

Any ideas?
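Added example, not part of the original post: a Python parser for the native access.log lines quoted above that separates the 407 credential challenges (no user logged) from the 403 denials logged with a user name, which is the case where a user was identified and an access rule then refused the request. The category names and function names are illustrative.

```python
from collections import Counter, namedtuple

# Log lines copied from the post above (Squid native access.log format).
# Raw string: the user field contains a backslash.
SAMPLE_LOG = r"""
1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
"""

Entry = namedtuple(
    "Entry", "ts elapsed_ms client result status size method url user hier mime"
)


def parse_line(line):
    """Split one native-format line into its ten whitespace-separated fields."""
    f = line.split()
    if len(f) != 10:
        raise ValueError("not a native access.log line: %r" % line)
    result, _, status = f[3].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], f[7], f[8], f[9])


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify(e):
    """Label one entry by what the proxy decided and whether a user was logged."""
    if e.status == 407:
        return "auth-challenge"          # proxy asked the client for credentials
    if e.result == "TCP_DENIED" and e.status == 403:
        # A user name in the log means the request was tied to an identity
        # before an http_access rule denied it.
        return "denied-after-auth" if e.user != "-" else "denied-no-identity"
    if e.result == "TCP_DENIED":
        return "denied-other"
    return "served-with-identity" if e.user != "-" else "served-no-identity"


def summarize(entries):
    return Counter(classify(e) for e in entries)


def denied_after_auth(entries):
    """Map user -> [(url, elapsed_ms)] for requests denied after identification."""
    out = {}
    for e in entries:
        if classify(e) == "denied-after-auth":
            out.setdefault(e.user, []).append((e.url, e.elapsed_ms))
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for label, count in sorted(summarize(entries).items()):
        print("%-20s %d" % (label, count))
    for user, hits in denied_after_auth(entries).items():
        for url, ms in hits:
            print("%s denied for %s after %d ms" % (user, url, ms))
```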
Re: [squid-users] Squid No Longer Compiles
From: Bradley, Stephen W. Mr. bradl...@muohio.edu

gcc -DHAVE_CONFIG_H -I.. -I../include -I../src -I../include-Wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments -Werror -D_REENTRANT -Wall -g -O2 -MT util.o -MD -MP -MF .deps/util.Tpo -c -o util.o util.c
cc1: warnings being treated as errors

Any ideas?

-Werror might be a bit too strong...?

JD
[squid-users] Outsource error pages
Hello,

I want to harmonize the error pages of my network. The error pages come from different servers, and I want to centralize all the error pages on one shared platform. To do so, I would like to outsource the error pages of Squid. More precisely, I would like to outsource the ERR_ACCESS_DENIED page, by giving a URL, for example. The deny info url acl is useful when we define an acl, but when someone tries a wrong url, the page which is displayed by default is ERR_ACCESS_DENIED. So, I can't use deny info for this.

Thanks for the help.

Regards,
Re: [squid-users] ignore_expect_100
j...@destar.net wrote: Which version did ignore_expect_100 become available the whole 2.7 series or only after 2.7.Stable9? Thanks for the clarification, The whole 2.7 stable series have it. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Reverse Proxy Cluster Issues
senad.ci...@thomsonreuters.com wrote:

Thanks Amos, removing hierarchy_stoplist solved my query-string issue. However, I'm not sure what you meant by removing cache/no_cache controls. I can't see any such operators in my squif.config file. Can you please elaborate more?

Good. It's just a little bit of trash left over from very old configs which might have also been causing you issues.

Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
[squid-users] Problem downloading file Greater then 2 GB
Hi,

I'm using version 3.1.1 of Squid on a SUSE 10.2 server and my users cannot download files greater than 2 GB. I saw some postings via Google but cannot find a solution for my problem.

Greetings
RE: [squid-users] ipcCreate error:
Hi Henrik,

I created another setup but now again I am facing the ipcCreate issue, although I have copied squid_kerb_auth from my compilation to /usr/libexec/squid with the cp -r command and have also pointed to it in squid.conf as

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth

What could be the issue now? Please help, I will be thankful.

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Wed, 14 Apr 2010 09:34:28 +0200
Subject: RE: [squid-users] ipcCreate error:

On Wed 2010-04-14 at 04:47 +, GIGO . wrote:

Hi Henrik, Thank you, this problem is resolved by placing the squid_kerb_auth in the libexec folder. Now I believe that I also have to place any other helpers like squid_ldap_group in the same location to get it to work.

Yes. If you have selinux enabled on the host then the security policy for squid restricts it to execute helpers in /usr/libexec/squid/ only. Which is a good thing in terms of security.

Regards
Henrik