Re: [squid-users] SQUID3: Access denied connecting to one site
>> Alexandr Dmitriev wrote:
>>> Ok, the headers are broken, but there is a way to make squid ignore
>>> them?
>>> About ssl - they also have another domain www.airbaltic.com which is
>>> not accessible either.

> 22.04.2010 8:29, Amos Jeffries wrote:
>> Part of the point was that they are not even headers at all.
>>
>> Squid does not do anything with body data but pump through. The HTML
>> code bits are just some other bytes of body data to Squid.

On 22.04.10 12:29, Alexandr Dmitriev wrote:
> So, any chance to bypass it?

not without modifying the content externally, on the server or the ICAP
module. However, as it was stated, it does not cause your problem since squid
does not care about the transferred content.

Note that directive was designed so the HTTP server could parse it and
provide as headers. Squid does not do this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
He who laughs last thinks slowest.
Re: [squid-users] make squid-3.1.1
Thank you Henrik.

I just tried your suggestion and emptied the base64.c file.
It did solve one problem but a new one arises.

I took the following actions:

make clean
./configure
make

and now it stops like this:

gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
squid_kerb_auth.o: In function `main':
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:374: undefined reference to `ska_base64_decode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:379: undefined reference to `ska_base64_decode'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:429: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode'
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

Maybe I can just compile the squid_kerb_auth helper and install the rest of squid3 with apt-get.
I already tried downloading the squid_kerb_auth from the cvs (sourceforge project) but couldn't get it to configure.
Here, when I go into the squid_kerb_auth folder, at least the configure works.

Sorry if this sounds gibberish, I'm not a programmer.

thanks for your help.

Lieven

Henrik Nordström wrote:

Wed 2010-04-28 at 18:46 +0200, lieven wrote:

squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
base64.o:(.rodata+0x0): first defined here

Try this:

echo >helpers/negotiate_auth/squid_kerb_auth/base64.c

Appears that file is duplicate and colliding with the same from within
the main parts of the Squid source tree.

Regards
Henrik

--
Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem

Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45
Re: [squid-users] Getting Source-IP
> On Thu, Apr 22, 2010 at 8:57 PM, Andreas Müller wrote:
> > So I thought that there is an option to inject custom headers into the
> > request. But if this is not possible then I have to do the best out of
> > X_FORWARDED_FOR.

On 22.04.10 21:31, Jeff Pang wrote:
> From my experience, never much believe X_FORWARDED_FOR.

Only trust what was set up by your servers in X_FORWARDED_FOR.
The technique is well documented in squid's config file, however you
apparently need to use it on webserver and not in squid.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Depression is merely anger without enthusiasm.
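The rule stated in this reply (believe X-Forwarded-For only as far as your own servers wrote it) can be applied on the web server by walking the header from the right and stopping at the first hop that is not one of your proxies. The C code below is an added example, not code from the thread or from Squid; the trusted-proxy list, the addresses and every function name are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed for the example: the only proxies allowed to vouch for a client.
 * All addresses are constructed (documentation and private ranges). */
static const char *const TRUSTED_PROXIES[] = { "192.0.2.10", "10.0.0.5" };

static int is_trusted(const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof(TRUSTED_PROXIES) / sizeof(TRUSTED_PROXIES[0]); i++)
        if (strcmp(ip, TRUSTED_PROXIES[i]) == 0)
            return 1;
    return 0;
}

/* Accept only syntactically valid IPv4/IPv6 literals from the header. */
static int is_ip(const char *s)
{
    unsigned char tmp[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, tmp) == 1 || inet_pton(AF_INET6, s, tmp) == 1;
}

/*
 * Derive the client address for logging or access control.
 *   peer : address of the TCP connection (a header cannot forge it)
 *   xff  : raw X-Forwarded-For value, or NULL when the header is absent
 * The list is read right to left, and an entry is accepted only while the
 * hop that supplied it (the current candidate) is one of our own proxies.
 */
const char *client_from_xff(const char *peer, const char *xff,
                            char *out, size_t outlen)
{
    char buf[512];
    int more = 1;

    snprintf(out, outlen, "%s", peer);
    if (xff == NULL || strlen(xff) >= sizeof(buf))
        return out;              /* absent or oversized header: use the peer */
    strcpy(buf, xff);            /* length checked above */

    while (more && is_trusted(out)) {
        char *comma = strrchr(buf, ',');
        char *elem = comma ? comma + 1 : buf;

        elem += strspn(elem, " \t");          /* trim leading blanks  */
        elem[strcspn(elem, " \t")] = '\0';    /* trim trailing blanks */
        if (!is_ip(elem))
            break;               /* malformed entry: keep the last good hop */
        snprintf(out, outlen, "%s", elem);
        if (comma)
            *comma = '\0';       /* drop the entry just consumed */
        else
            more = 0;            /* that was the leftmost entry */
    }
    return out;
}

/* Returns 1 when (peer, xff) resolves to the expected client address. */
int resolves_to(const char *peer, const char *xff, const char *expected)
{
    char out[INET6_ADDRSTRLEN];
    return strcmp(client_from_xff(peer, xff, out, sizeof(out)), expected) == 0;
}

int main(void)
{
    char out[INET6_ADDRSTRLEN];

    /* Constructed inputs: the client prepended 203.0.113.99 itself. */
    printf("%s\n", client_from_xff("192.0.2.10",
                                   "203.0.113.99, 198.51.100.7",
                                   out, sizeof(out)));
    /* Direct connection from an untrusted peer: the header is ignored. */
    printf("%s\n", client_from_xff("198.51.100.7", "127.0.0.1",
                                   out, sizeof(out)));
    return 0;
}
```

Entries to the left of the first untrusted hop are never consulted, so whatever a client types into the header itself has no effect on the result.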
Re: [squid-users] wedged (newbie question)
> On Thu, Apr 22, 2010 at 10:55 PM, Glenn English wrote:
> > Squid started taking a very long time to supply web pages. Switching
> > Firefox to 'no proxy' worked, so I restarted squid. All better now
> > (proxy back on). Do I need to set up a cron job to restart squid every
> > few weeks?

On 22.04.10 22:59, Jeff Pang wrote:
> I don't think so.
> You may watch cache.log to see what happened at that time.
> But rotating logs with crontab is fine.

I think the most probable reason is that squid started using either too much
of memory that could cause the machine swapping, see
http://wiki.squid-cache.org/SquidFaq/SquidMemory

Or maybe it used too much of disk space that could cause disk i/o slowness -
many filesystems tend to slow down when filled too much, and having more space
filled with data of course causes the disk to be more accessed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I drive way too fast to worry about cholesterol.
Re: [squid-users] Squid not redirecting to squidGuard
Landy Landy wrote:

Hello all.

I've been trying to get squidguard to work but, I'm having a problem: I noticed squid is not redirecting any traffic to squidguard. When I do a dry-run with squidGuard:

echo "http://www.playboy.com - - GET" | /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/test.conf -d

It seems to work

2010-05-02 20:21:54 [2072] New setting: dbhome: /usr/local/squidGuard/db/BL
2010-05-02 20:21:54 [2072] New setting: logdir: /usr/local/squidGuard/log
2010-05-02 20:21:54 [2072] init domainlist /usr/local/squidGuard/db/BL/porn/domains
2010-05-02 20:21:54 [2072] loading dbfile /usr/local/squidGuard/db/BL/porn/domains.db
2010-05-02 20:21:54 [2072] init urllist /usr/local/squidGuard/db/BL/porn/urls
2010-05-02 20:21:54 [2072] loading dbfile /usr/local/squidGuard/db/BL/porn/urls.db
2010-05-02 20:21:54 [2072] squidGuard 1.4 started (1272846114.931)
2010-05-02 20:21:54 [2072] squidGuard ready for requests (1272846114.935)
2010-05-02 20:21:54 [2072] source not found
2010-05-02 20:21:54 [2072] no ACL matching source, using default
http://172.16.0.1:8080/splash/ -/- - GET
2010-05-02 20:21:55 [2072] squidGuard stopped (1272846115.002)

It gets redirected to http://172.16.0.1:8080/splash/

But when I use it with squid:

url_rewrite_children 5
url_rewrite_program /usr/local/squidGuard/bin/squidGuard -d -c /usr/local/squidGuard/test.conf
redirector_bypass on

The logs show that is running:

2010/05/02 20:11:22| helperOpenServers: Starting 5/5 'squidGuard' processes
2010-05-02 20:11:22 [2041] New setting: dbhome: /usr/local/squidGuard/db/BL
2010-05-02 20:11:22 [2041] New setting: logdir: /usr/local/squidGuard/log
2010-05-02 20:11:22 [2041] init domainlist /usr/local/squidGuard/db/BL/porn/domains
2010-05-02 20:11:22 [2041] loading dbfile /usr/local/squidGuard/db/BL/porn/domains.db
2010-05-02 20:11:22 [2041] init urllist /usr/local/squidGuard/db/BL/porn/urls
2010-05-02 20:11:22 [2041] loading dbfile /usr/local/squidGuard/db/BL/porn/urls.db
2010-05-02 20:11:22 [2041] squidGuard 1.4 started (1272845482.937)
2010-05-02 20:11:22 [2041] squidGuard ready for requests (1272845482.940)

This is 1/5...

2010-05-02 20:11:22 [2042] New setting: dbhome: /usr/local/squidGuard/db/BL
2010-05-02 20:11:22 [2042] New setting: logdir: /usr/local/squidGuard/log
2010-05-02 20:11:22 [2042] init domainlist /usr/local/squidGuard/db/BL/porn/domains
2010-05-02 20:11:22 [2042] loading dbfile /usr/local/squidGuard/db/BL/porn/domains.db
2010-05-02 20:11:22 [2042] init urllist /usr/local/squidGuard/db/BL/porn/urls
2010-05-02 20:11:22 [2042] loading dbfile /usr/local/squidGuard/db/BL/porn/urls.db
2010-05-02 20:11:22 [2042] squidGuard 1.4 started (1272845482.955)
2010-05-02 20:11:22 [2042] squidGuard ready for requests (1272845482.967)

... 2/5...

2010-05-02 20:11:22 [2043] New setting: dbhome: /usr/local/squidGuard/db/BL
2010-05-02 20:11:22 [2043] New setting: logdir: /usr/local/squidGuard/log
2010-05-02 20:11:22 [2043] init domainlist /usr/local/squidGuard/db/BL/porn/domains
2010-05-02 20:11:22 [2043] loading dbfile /usr/local/squidGuard/db/BL/porn/domains.db
2010-05-02 20:11:22 [2043] init urllist /usr/local/squidGuard/db/BL/porn/urls
2010-05-02 20:11:22 [2043] loading dbfile /usr/local/squidGuard/db/BL/porn/urls.db
2010-05-02 20:11:22 [2043] squidGuard 1.4 started (1272845482.971)
2010-05-02 20:11:22 [2043] squidGuard ready for requests (1272845482.974)

... 3/5 ... no information about SG instances 4/5 or 5/5 or what happened during your failed test request when they were all running.

Also, try setting "debug_options 84,9 " to get a view of what lines are being passed in and read back from the helpers.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] Authentication Reverse Proxy
GIGO . wrote:

Hi,

What is the behaviour/mechanism of authentication if using squid proxy for both as forward proxy and reverse proxy. I have successfully setup it for a forward proxy using the Helper files by Markus and the following tutorial;

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Now coming in my mind two scenarios. One is that squid is being used for authentication and the second one is that web server is providing the authentication/authorization and squid is just forwarding the requests to the web server? Please guide/suggest/comment about it.

Requests arriving in the reverse-proxy port uses WWW-Auth identical to an origin web server. Ignoring any Proxy-Auth headers.

Requests arriving in the forward-proxy port use Proxy-Auth like a proper proxy. Passing WWW-Auth headers through untouched.

These are separate mechanisms and can exist side by side in HTTP headers for separate use by middle proxies and origin server.

However what my plan is that I want that web server(outlookwebaccess) should be the one taking care of authentication part and squid should simply have given the role of forwarder. However i am not sure which approach to adopt and what are any special configurations that are required? what are the implications of each approach?

The cache_peer login=PASS logics are smart enough to pass WWW-Auth/Proxy-Auth on in the right way relative to the originserver setting.

Note: That OWA is quite sensitive to the traffic sent to it. Deviating from the recommended config example leads most times to trouble:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] make squid-3.1.1
lieven wrote:

Thank you Henrik.

I just tried your suggestion and emptied the base64.c file.
It did solve one problem but a new one arises.

I took following actions:

make clean
./configure
make

and now it stops like this:

Maybe I can just compile the squid_kerb_auth helper and install the rest of squid3 with apt-get.
I already tried downloading the squid_kerb_auth from the cvs (sourceforge project) but couldn't get it to configure.
Here, when I go into the squid_kerb_auth folder, at least the configure works.

Sorry if this sounds gibberish, I'm not a programmer.

Well done then. Perfect code-speak. ;)

thanks for your help.

Lieven

Henrik Nordström wrote:

Wed 2010-04-28 at 18:46 +0200, lieven wrote:

squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
base64.o:(.rodata+0x0): first defined here

Try this:

echo >helpers/negotiate_auth/squid_kerb_auth/base64.c

Appears that file is duplicate and colliding with the same from within
the main parts of the Squid source tree.

Henrik,
The file is bundled with the source as Marcus modified version of base64.c, it has a slightly nicer implementation of encode/decode but it seems some of the symbols were not prefixed with ska_ like they needed. Not sure yet why it passed all our build farm tests.

Lieven,
In helpers/negotiate_auth/squid_kerb_auth/base64.c as provided with the sources remove the line with "base64_code = " and a list of alphabet characters. You may also need to remove some of the lines next to it if they also clash ('multiple definition of') on following "make".

You do not have to "make clean" and "configure" for these changes, just "make" should find the .c changes fine.

I expect that will get it building for you.

PS: If you can list any other 'multiple definition of' you get while doing that we can see about cleaning up the squid code for future builds.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
Hello! I'm getting some error when compiling Squid 3.1.3 on OpenBSD 4.6 due to a redefinition of FD_SETSIZE in compat/fdsetsize.h. Patch attached which fixed this for me. Greetings, Matthias Fix redefinition error for FD_SETSIZE on OpenBSD 4.6. --- compat/fdsetsize.h.orig Mon May 3 12:56:05 2010 +++ compat/fdsetsize.h Mon May 3 12:59:49 2010 @@ -71,6 +71,7 @@ /* Increase FD_SETSIZE if SQUID_MAXFD is bigger */ #if CHANGE_FD_SETSIZE && SQUID_MAXFD > DEFAULT_FD_SETSIZE +#undef FD_SETSIZE #define FD_SETSIZE SQUID_MAXFD #endif
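Review bot: The added `#undef FD_SETSIZE` in compat/fdsetsize.h only has an effect when some header has already defined FD_SETSIZE, and in that case fd_set has normally been declared already at the system's size, so redefining the macro to SQUID_MAXFD afterwards raises the limit the code believes in without enlarging the bitmap behind it. Rather than silencing the redefinition, make this case a hard failure inside the `CHANGE_FD_SETSIZE && SQUID_MAXFD > DEFAULT_FD_SETSIZE` branch (an `#ifdef FD_SETSIZE` check followed by `#error`), so the source file that pulled in a system header first is the thing that gets fixed.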
Re: [squid-users] client_lifetime
Ivan . wrote:

Hi

I chain from two internal Clearswift appliances to a Squid box in a DMZ. I have noticed quite a few

WARNING: Closing client connection due to lifetime timeout

The client_lifetime is set at default, but I was wondering if I should stretch that right out to 365 days or alike, seeing as all my connections to the Squid proxy come from two IP addresses only?

This is entirely up to you.

There are protocol conditions about some cases which require early closure. Squid conforms in those regards. This option only determines what happens when the connection is being unused for some various time period.

I'm a little fuzzy on whether the timeout is from initial open or last use.

If you have say 10 open links to each parent 8 being used weekly or more and the 9th and 10th only get used once a month under some rare peak. The expected behaviour for setting it to 15 days or so would release the two (#9 and #10) FD after 15 days of non-use.

FD are released every reconfigure or restart. So this only ensures no idleness on very long-running proxies.

Any other parameters that I should tune in this sort of setup?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
Silamael wrote:

Hello!

I'm getting some error when compiling Squid 3.1.3 on OpenBSD 4.6 due to a redefinition of FD_SETSIZE in compat/fdsetsize.h.
Patch attached which fixed this for me.

Greetings,
Matthias

Thanks for the thought, but...

Code in Squid is NOT permitted to include system headers before the FD_* compat code. Kernel defines will be allocated with incompatible size and overflows happen.

Can you provide a full compiler trace of the clash so we can fix the include sequence?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
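The objection in this reply can be reproduced in a few lines: once a system header has declared fd_set, redefining FD_SETSIZE changes only the macro, not the size of the bitmap. The C code below is an added example, not Squid code; EXAMPLE_MAXFD and the function names are made up for the illustration, and it assumes a platform whose default fd_set holds fewer than 16384 descriptors.

```c
#include <stdio.h>
#include <sys/select.h>   /* system header seen first: fd_set is sized here */

/* Hypothetical stand-in for a configured SQUID_MAXFD above the default. */
#define EXAMPLE_MAXFD 16384

/* Same shape as the proposed patch: drop the system value, define a bigger one. */
#undef FD_SETSIZE
#define FD_SETSIZE EXAMPLE_MAXFD

/* Descriptors the already-declared fd_set bitmap can really hold. */
int fdset_capacity(void)
{
    return (int)(sizeof(fd_set) * 8);
}

/* Limit the rest of the program now believes in. */
int fdset_claimed(void)
{
    return FD_SETSIZE;
}

/* Descriptors the code would accept but the bitmap cannot represent. */
int fdset_unbacked(void)
{
    int gap = fdset_claimed() - fdset_capacity();
    return gap > 0 ? gap : 0;
}

/* FD_SET() with the bound taken from the real bitmap, not from the macro. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= fdset_capacity())
        return -1;            /* FD_SET here would write outside *set */
    FD_SET(fd, set);
    return 0;
}

/* Try one descriptor on a fresh set: 1 = stored, -1 = refused. */
int try_fd(int fd)
{
    fd_set set;

    FD_ZERO(&set);
    if (checked_fd_set(fd, &set) != 0)
        return -1;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

int main(void)
{
    printf("FD_SETSIZE now claims   : %d descriptors\n", fdset_claimed());
    printf("fd_set really holds     : %d descriptors\n", fdset_capacity());
    printf("accepted but not backed : %d descriptors\n", fdset_unbacked());
    printf("fd 3    -> %d\n", try_fd(3));
    printf("fd %d -> %d\n", fdset_claimed() - 1, try_fd(fdset_claimed() - 1));
    return 0;
}
```

A loop bounded by the redefined FD_SETSIZE would pass descriptors in the unbacked range to FD_SET(), which is the overflow the reply warns about; including the compat definition before any system header avoids the mismatch on platforms that size fd_set from the macro.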
Re: [squid-users] Squid not redirecting to squidGuard
> I'm not sure you should use redirector_bypass on,
> turn it off.
> If that doesn't work, then:

I had it turned off before and it still didn't work.

> Just to be 100% sure, add this line
> url_rewrite_access allow all

Looks like this did it. Thanks. Now I have to make sure it really works since I'm blocking some lan's machine from using the internet.

Thank you very much.
Re: [squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
On 05/03/2010 02:04 PM, Amos Jeffries wrote:
> Silamael wrote:
>> Hello!
>>
>> I'm getting some error when compiling Squid 3.1.3 on OpenBSD 4.6 due to
>> a redefinition of FD_SETSIZE in compat/fdsetsize.h.
>> Patch attached which fixed this for me.
>>
>> Greetings,
>> Matthias
>>
>
> Thanks for the thought, but...
>
> Code in Squid is NOT permitted to include system headers before the
> FD_* compat code. Kernel defines will be allocated with incompatible
> size and overflows happen.
>
> Can you provide a full compiler trace of the clash so we can fix the
> include sequence?
>
> Amos

No problem. Here you are.

-- Matthias

Making all in smbval
cc -DHAVE_CONFIG_H -I/ports/www/squid3/w-squid3/squid-3.1.3 -I/ports/www/squid3/w-squid3/squid-3.1.3/include -I/ports/www/squid3/w-squid3/squid-3.1.3/src -I../../../../include -I/ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval -g -I/usr/local/include -DDEFAULT_SQUID_ERROR_DIR=\"/usr/local/share/squid/errors\" -Wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments -Werror -O2 -pipe -MT valid.o -MD -MP -MF .deps/valid.Tpo -c -o valid.o /ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval/valid.c
mv -f .deps/valid.Tpo .deps/valid.Po
cc -DHAVE_CONFIG_H -I/ports/www/squid3/w-squid3/squid-3.1.3 -I/ports/www/squid3/w-squid3/squid-3.1.3/include -I/ports/www/squid3/w-squid3/squid-3.1.3/src -I../../../../include -I/ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval -g -I/usr/local/include -DDEFAULT_SQUID_ERROR_DIR=\"/usr/local/share/squid/errors\" -Wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments -Werror -O2 -pipe -MT session.o -MD -MP -MF .deps/session.Tpo -c -o session.o /ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval/session.c
In file included from /ports/www/squid3/w-squid3/squid-3.1.3/compat/compat.h:34,
from /ports/www/squid3/w-squid3/squid-3.1.3/include/config.h:58,
from /ports/www/squid3/w-squid3/squid-3.1.3/include/util.h:37,
from /ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval/std-includes.h:27,
from /ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval/session.c:33:
/ports/www/squid3/w-squid3/squid-3.1.3/compat/fdsetsize.h:74:1: "FD_SETSIZE" redefined
In file included from /usr/include/sys/types.h:224,
from /usr/include/stdlib.h:41,
from /ports/www/squid3/w-squid3/squid-3.1.3/helpers/ntlm_auth/smb_lm/smbval/session.c:27:
/usr/include/sys/select.h:47:1: this is the location of the previous definition
*** Error code 1
Stop in /ports/www/squid3/w-squid3/build-i386/helpers/ntlm_auth/smb_lm/smbval (line 92 of /usr/share/mk/sys.mk).
*** Error code 1
Stop in /ports/www/squid3/w-squid3/build-i386/helpers/ntlm_auth/smb_lm (line 418 of Makefile).
*** Error code 1
Stop in /ports/www/squid3/w-squid3/build-i386/helpers/ntlm_auth (line 311 of Makefile).
*** Error code 1
Stop in /ports/www/squid3/w-squid3/build-i386/helpers (line 306 of Makefile).
*** Error code 1
Stop in /ports/www/squid3/w-squid3/build-i386 (line 366 of Makefile).
*** Error code 1
Stop in /ports/www/squid3 (line 2189 of /usr/ports/infrastructure/mk/bsd.port.mk).
[squid-users] SSH not working With Squid3.0
Hello All,

I have posted this already but haven't seen any reply

I am using Squid3.0
Only one SSH account works in my entire network, I can only access the SSH that is running on the same machine as the Squid
Despite the fact I forward requests to all other SSH servers in my network absolutely no access whatsoever

Before I installed Squid3.0 I could access every host's ssh server, but not since no matter what I do I simply cannot access the back end SSH servers

Does anyone know of any secret way of working around this please, as it's not very practical not to be able to access the other machines remotely

Any ideas of what I need to do please?
I can't think of anything more, I have allowed the access to those ports on my Squid config on my linkSys router but impossible to connect to the server

Any help would be much appreciated
Regards
Adam
[squid-users] Peer cache behavior with expired objects
Hi,

I'm experimenting with 2 Squid 3.1.1 instances in reverse proxy mode. They are configured to be peers of each other using ICP. I'm not using digests.

When a cached resource has not yet expired, each instance will successfully contact the other to retrieve the resource. However, when the resource is expired, no attempt is made to contact the peer. I'm trying to determine if that behavior can be changed.

My question is, is there a way to configure Squid so that it will contact its peers when asked for an expired resource?

I'm interested in doing this to reduce the number of requests that make their way to the backend servers. If a peer has a fresh copy, I'd like that one to be used instead of sending the request to the backend.

I wasn't able to find a definitive answer to this question via the documentation, or searching the list.

Thanks for your time,
Paul
Re: [squid-users] SSH not working With Squid3.0
2010/5/3 a...@gmail :
> Hello All,
>
> I have posted this already but haven't seen any reply
>
> I am using Squid3.0
> Only one SSH account works in my entire network, I can only access the SSH
> that is running on the same machine as the Squid
> Despite the fact I forward requests to all other SSH servers in my network
> absolutely no access whatsoever
>
> Before I installed Squid3.0 I could access every host's ssh server, but not
> since no matter what I do I simply cannot access the back end SSH servers
>
>

You use squid as the gateway proxy, is it?
squid can't proxy for a SSH connection, you need something like iptables to setup a NAT for that.

--
Tech support agent in China
http://duxieweb.com/
Re: [squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
On 05/03/2010 02:04 PM, Amos Jeffries wrote: > Thanks for the thought, but... > > Code in Squid is NOT permitted to include system headers before the > FD_* compat code. Kernel defines will be allocated with incompatible > size and overflows happen. > > Can you provide a full compiler trace of the clash so we can fix the > include sequence? > > Amos Hello Amos, Here i have another patch fixing the include file ordering for the ntlm_auth helper. Not sure if this is the best patch but it works for me. -- Matthias Fix include order to ensure that FD_SETSIZE from the compat/fdsetsize.h is set before it is set by sys/select.h (included by stdlib.h). --- helpers/ntlm_auth/smb_lm/smbval/rfcnb-util.c.orig Mon May 3 16:17:35 2010 +++ helpers/ntlm_auth/smb_lm/smbval/rfcnb-util.cMon May 3 16:21:23 2010 @@ -23,12 +23,11 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#include -#include - #include "std-includes.h" #include "rfcnb-priv.h" #include "rfcnb-util.h" +#include +#include #include "rfcnb-io.h" #include --- helpers/ntlm_auth/smb_lm/smbval/session.c.orig Sun May 2 12:47:07 2010 +++ helpers/ntlm_auth/smb_lm/smbval/session.c Mon May 3 16:20:53 2010 @@ -23,9 +23,6 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#include -#include - int RFCNB_errno = 0; int RFCNB_saved_errno = 0; #define RFCNB_ERRNO @@ -34,6 +31,8 @@ #include #include "rfcnb-priv.h" #include "rfcnb-util.h" +#include +#include #include "rfcnb-io.h" #include "rfcnb.h"
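Review bot: In the rfcnb-util.c hunk at -23,12 and the session.c hunk at -34,6 the two system includes are re-added between "rfcnb-util.h" and "rfcnb-io.h" with no comment, so the ordering requirement described in the patch message is invisible to whoever next tidies these include lists. Place them directly after the first project header in each file and add a one-line comment there saying that system headers must follow the compat FD_SETSIZE definition; that keeps the constraint in the source rather than only in the commit text.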
Re: [squid-users] SSH not working With Squid3.0
From: "a...@gmail"
> Before I installed Squid3.0 I could access every host's
> ssh server, but not since no matter what I do I simply cannot access the back
> end SSH servers

First, it would help if you described your configuration...
Only problem I could guess is that you intercept ALL (ssh included) traffic and redirect it to the squid server... is that the case?

JD
[squid-users] redirect from http to https with url_rewrite
I know St. Peter won't call your name, squid-users!

I have the redirector to rewrite arbitrary url to the https url. I use redirector feature for this and everything is just fine with HTTP/302 feature use or with rewriting to the same but http url either.

Rewrite is as follows ( in the case of any http url ):

http://any.host.name/any/path?etc=eteras

to this:

https://some.my.predefined.host/many/my?never=minds

so the scheme is like this:

me_the_client-http-my_squid-https-my_web_server

Everything is fine if I use http instead the https to my_web_server or if I use the '302:url' feature on the redirector program.

What I want is: the squid to be the https client to my_web_server AND me (the client) to be unaware of seeing the other URL than I requested from my_squid. Is it possible? By far this is not the 'accelerator' case and neither those 'deny access' case because deny_info looks like isn't able to take its info from Perl, right?

I get the same error with 2.7 and 3.0: 'Connection to ip.ad.dr.ess ( of my_web_server ) failed. The system returned: (92) Protocol error'. Looks to me that Squid requests for HTTP at the HTTPS port?

ERR_CONNECT_FAIL is on the access.log and the rewritten URLs just work.

Thanks a lot.

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
RE: [squid-users] Squid3 and authenticating users SASL/MYSQL
> From: Amos Jeffries
> Sent: Saturday, May 01, 2010 2:16 AM
> > Finally, I opted for editing basic_db_auth (I would have opened it
> up even if I didn't need to change the @PERL@ and when I saw the my
> options in there, I figured that would be easiest route). However -
> and this may not be related, I'm getting a seg fault.
> >
>
> If you really want to go that way, the "my" bit is only their
> definition.
> options are set later on after the documentation text.

Actually, I found that you can totally edit the definition block to fit the vagaries of one's particular DB. It's working like a charm! Thanks!

> > /etc/init.d/squid3: line 32: 19094 Segmentation fault start-
> stop-daemon --quiet --start --pidfile $PIDFILE --exec $DAEMON --
> $SQUID_ARGS
> failed!
> >
>
> I'd guess the "helper crashing too fast" which happens when the
> helpers
> die on their own startup.

Thanks - this was because I'd followed the example in the file where the path was /usr/lib/squid3/libexec/auth* but in fact all the auth files (and where I'd logically placed the one I downloaded) were to be found in /usr/lib/squid3/

I have one other problem - I run webmin, and the port is 1 - I added this to the SSL_ports, but I'm still getting this error:

[03/May/2010 20:46:14] 38.104.167.6 squiduser "CONNECT www.example.net:1 HTTP/1.1" 503 0 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9 (.NET CLR 3.5.30729)" TCP_MISS:DIRECT

And then nothing loads. Prior to adding it to SSL_ports, I was getting a you're connecting to a proxy that isn't serving pages error, so I'm pretty sure adding it to the SSL ports was right - but what have I done wrong?

Thanks!

Simon
[squid-users] If not modified since is causing near-hits
Hello,

Please excuse the newbie. I checked most of the search engines on squid pages and could not find what I was looking for. Though it may be because I did not use the correct keywords.

So we have a large set of squid boxes sitting in front of some slow running code. The data is mostly static, so we use squid as a proxy and it caches the data. The TTL on the cache for now is 1 week or more, and so we are saving the backend/origin from being pounded and love it!!!

However, we are seeing a large number of near-hit instead of pure hits. For us a near-hit is equal to a miss, because it caches the cache (L1 and L2) to go to the origin/backend. We are using HTCP to clear the cache when there is a change (much like wikipedia does), so we can trust that our L2 is as close to fresh as possible.

So:

1) Since we can guarantee that the L2 will have the latest information, is there a way to ignore the "if-not-modified" header?
2) is there a way to declare the L2 cache as the origin-server instead of just a parent cache - not a great approach, but need to mitigate going to the origin if the L2 has a hit?
3) is there a utility to update the timestamp of the cached objects.

Thanks,
David
Re: [squid-users] Web client not capable of SSL
Well, I'm almost there. My config now looks like this ...

---
http_port 8080
http_access allow all
cache_peer www.binsearch.info sibling 443 0 no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only
acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch
cache_peer_access www.binsearch.info allow all
---

This is just a test, since I still have to add the client certificate and, as you may understand, I will not get me in all of this for the binsearch.info website. So, it's all for testing purposes.

For some reason this config gives security errors. This is the page I will see in the browser.

---
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.binsearch.info/

The following error was encountered:

* Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.

Your cache administrator is webmaster.
Generated Mon, 03 May 2010 01:33:02 GMT by localhost (squid/3.0.STABLE8)
---

All other domains I browse are working perfectly. It might have something to do with the never_direct setting. When I remove that section everything is working smoothly.

What am I doing wrong here? Did I miss something?

Thanks in advance,
Dj.

Henrik Nordström wrote:

Sun 2010-05-02 at 13:43 +0200, D.Veenker wrote:

My web client is not capable of SSL and definitely no client certificates.

- Can Squid do all the SSL-work in a transparent way, including the client certificates?

Yes.

- How does the config look like?

Depends, but based on your later response it can be done two ways

a) Via a cache_peer for the site in question, using the ssl and originserver options, and port 443 instead of 80. You can also specify the client certificate here. In addition to cache_peer you also need to specify never_direct for this site to force Squid to always use the cache_peer.

b) By using an url rewriter helper to rewrite the request to https:// instead of http://. But gets a little messier to configure which client certificate Squid should use here as there is only a global setting and not per requested site like when using cache_peer.

- Do I need to recompile Squid with --enable-ssl?

Yes. Your Squid needs native SSL support to be able to wrap HTTP requests in SSL. Tunnel mode is not sufficient for this.

Regards
Henrik
[squid-users] Slightly OT: Configuring a router for Squid.
I need to add a proxy server to our office network.

The router/modem is a DLink G604T and I want all requests for Internet access to be rerouted to a Debian box with Squid Installed.

How do I set this up?

I notice that the Router has an advanced option called 'Routing' which defines the Routing table.

Options are:

Destination:
Netmask:
Gateway:
Connection:

I take it that the Destination is the Proxy Server (192.168.1.5), the netmask will be 255.255.255.0

I'm not sure what the Gateway will be, and I presume I accept the default for connection, which is Pvc0.

Or am I going in the wrong direction entirely?
Re: [squid-users] Web client not capable of SSL
On Mon 2010-05-03 at 22:34 +0200, D.Veenker wrote:
> cache_peer www.binsearch.info sibling 443 0 no-query default ssl
> sslflags=DONT_VERIFY_DOMAIN proxy-only

That should be a parent, and you also need the originserver flag.

cache_peer www.binsearch.info parent 443 0 originserver no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only

Use of proxy-only is optional. Depends on if you want Squid to cache responses from this server or not. I would not use this option here and instead limit caching via the cache directive if needed.

Regards
Henrik
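The two cache_peer lines from this thread, checked mechanically. This is an added example, not part of the original messages and not Squid's own tooling: it lints squid.conf text for the points raised in Henrik's reply (an ssl peer that is not a parent, a missing originserver flag, never_direct with no parent to forward to) and also reports relaxed certificate checks set through sslflags. The function names and finding codes are this example's own, and the embedded config is retyped from the posts above.

```python
# Added example: lint squid.conf text for the cache_peer issues in this thread.
# parse(), lint() and the finding codes are hypothetical names, not Squid's.

# Config as posted by D.Veenker (retyped; the cache_peer line is one line).
POSTED = """\
http_port 8080
http_access allow all
cache_peer www.binsearch.info sibling 443 0 no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only
acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch
cache_peer_access www.binsearch.info allow all
"""

# Same config with Henrik's corrected cache_peer line.
CORRECTED = POSTED.replace(
    "sibling 443 0 no-query", "parent 443 0 originserver no-query")


def parse(conf_text):
    """Collect cache_peer lines and the ACL names used by 'never_direct allow'."""
    peers, never_direct = {}, []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(tok) >= 5 and tok[0] == "cache_peer":
            # cache_peer <host> <type> <http-port> <icp-port> [options...]
            peers[tok[1]] = {"type": tok[2], "port": tok[3], "opts": tok[5:]}
        elif len(tok) >= 3 and tok[:2] == ["never_direct", "allow"]:
            never_direct.extend(tok[2:])
    return peers, never_direct


def lint(conf_text):
    """Return a sorted list of (subject, code) findings."""
    peers, never_direct = parse(conf_text)
    findings = set()
    for host, peer in peers.items():
        if "ssl" not in peer["opts"]:
            continue
        if peer["type"] != "parent":
            findings.add((host, "SSL_PEER_NOT_PARENT"))
        if "originserver" not in peer["opts"]:
            findings.add((host, "SSL_PEER_NO_ORIGINSERVER"))
        for opt in peer["opts"]:
            if opt.startswith("sslflags="):
                flags = opt.split("=", 1)[1].split(",")
                if any(f.startswith("DONT_VERIFY") for f in flags):
                    findings.add((host, "CERT_CHECK_RELAXED"))
    # never_direct forbids going direct, so a parent must exist to take the request.
    if never_direct and not any(p["type"] == "parent" for p in peers.values()):
        for acl in never_direct:
            findings.add((acl, "NEVER_DIRECT_WITHOUT_PARENT"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint(text))
```

The corrected line still carries sslflags=DONT_VERIFY_DOMAIN, so the check that the certificate matches the peer's name stays off; the linter keeps reporting that until the flag is dropped.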
Re: [squid-users] Slightly OT: Configuring a router for Squid.
Dave Coventry wrote:
> I need to add a proxy server to our office network.
>
> The router/modem is a DLink G604T and I want all requests for Internet
> access to be rerouted to a Debian box with Squid Installed.
>

I'm afraid this cannot be achieved with simple static routes, you need to set up an interceptor proxy so outgoing http traffic is intercepted by your router and then transparently redirect it to your squid box.

If you already have a debian box with squid I recommend to set up a firewall on it with two interfaces and use it as your default gateway, this way you can use transparent proxy.

For more information read the wiki page:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

Best regards

> How do I set this up?
>
> I notice that the Router has an advanced option called 'Routing' which
> defines the Routing table.
>
> Options are:
>
> Destination:
> Netmask:
> Gateway:
> Connection:
>
> I take it that the Destination is the Proxy Server (192.168.1.5), the
> netmask will be 255.255.255.0
>
> I'm not sure what the Gateway will be, and I presume I accept the
> default for connection, which is Pvc0.
>
> Or am I going in the wrong direction entirely?
>

--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
Re: [squid-users] Slightly OT: Configuring a router for Squid.
On Monday 3 May 2010 17:11:00, Jorge Armando Medina wrote:
> Dave Coventry wrote:
> > I need to add a proxy server to our office network.
> >
> > The router/modem is a DLink G604T and I want all requests for Internet
> > access to be rerouted to a Debian box with Squid Installed.
>
> I'm afraid this cannot be achieved with simple static routes, you need to
> set up an interceptor proxy so outgoing http traffic is intercepted by
> your router and then transparently redirect it to your squid box.
>
> If you already have a debian box with squid I recommend to set up a
> firewall on it with two interfaces and use it as your default gateway,
> this way you can use transparent proxy.
>
> For more information read the wiki page:
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>
> Best regards
>
> > How do I set this up?
> >
> > I notice that the Router has an advanced option called 'Routing' which
> > defines the Routing table.
> >
> > Options are:
> >
> > Destination:
> > Netmask:
> > Gateway:
> > Connection:
> >
> > I take it that the Destination is the Proxy Server (192.168.1.5), the
> > netmask will be 255.255.255.0
> >
> > I'm not sure what the Gateway will be, and I presume I accept the
> > default for connection, which is Pvc0.
> >
> > Or am I going in the wrong direction entirely?

as far as i understand, he has a 24 bit network,
.5 is his proxy
.1 (or whatever number) his router

do you need to proxy all so there are your possibilities:

1. If you have your own internal dns or winbugs domain, use wpad
2. configure by hand all your browsers
3. if you want transparent proxy you need advanced arp poisoning :) jejeje
or my professional services :P

Regards,

LD
Re: [squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
On Mon, May 03, 2010 at 05:08:29PM +0200, Silamael wrote:
> Fix include order to ensure that FD_SETSIZE from the compat/fdsetsize.h is set
> before it is set by sys/select.h (included by stdlib.h).
>

To be strictly correct about this, the problem is really an OpenBSD one. There should not be an order dependence on the inclusion of system headers. You could try logging it as a bug on OpenBSD - good luck with that.

--
Brett Lymn
Re: [squid-users] Web client not capable of SSL
Hi! On Sun, May 2, 2010 at 7:13 AM, D.Veenker wrote: > My web client is not capable of SSL and definitely no client certificates. Ok I *have* to ask, I can't help it, it is my nature I have to ask this: what web client is this, that doesn't support SSL? (https). Sorry for the "off-topic" question. Sincerely, Ildefonso.
Re: [squid-users] Slightly OT: Configuring a router for Squid.
On Mon, 3 May 2010 17:52:19 -0500, Luis Daniel Lucio Quiroz wrote:
> On Monday 3 May 2010 17:11:00, Jorge Armando Medina wrote:
>> Dave Coventry wrote:
>> > I need to add a proxy server to our office network.
>> >
>> > The router/modem is a DLink G604T and I want all requests for Internet
>> > access to be rerouted to a Debian box with Squid Installed.
>>
>> I'm afraid this cannot be achieved with simple static routes, you need to
>> set up an interceptor proxy so outgoing http traffic is intercepted by
>> your router and then transparently redirect it to your squid box.
>>
>> If you already have a debian box with squid I recommend to set up a
>> firewall on it with two interfaces and use it as your default gateway,
>> this way you can use transparent proxy.
>>
>> For more information read the wiki page:
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>>
>> Best regards
>>
>> > How do I set this up?
>> >
>> > I notice that the Router has an advanced option called 'Routing' which
>> > defines the Routing table.
>> >
>> > Options are:
>> >
>> > Destination:
>> > Netmask:
>> > Gateway:
>> > Connection:
>> >
>> > I take it that the Destination is the Proxy Server (192.168.1.5), the
>> > netmask will be 255.255.255.0
>> >
>> > I'm not sure what the Gateway will be, and I presume I accept the
>> > default for connection, which is Pvc0.
>> >
>> > Or am I going in the wrong direction entirely?
>
> as far as i understand, he has a 24 bit network,
> .5 is his proxy
> .1 (or whatever number) his router
>
> do you need to proxy all so there are your possibilities:
>
> 1. If you have your own internal dns or winbugs domain, use wpad
> 2. configure by hand all your browsers
> 3. if you want transparent proxy you need advanced arp poisoning :)
> jejeje
> or my professional services :P
>
> Regards,
>
> LD

For small/medium sized LAN I find it easier to set the DLink to its DMZ zone and setup the squid box as a router.

Amos
Re: [squid-users] Slightly OT: Configuring a router for Squid.
Hi!

On Mon, May 3, 2010 at 5:11 PM, Dave Coventry wrote:
> I need to add a proxy server to our office network.
>
> The router/modem is a DLink G604T and I want all requests for Internet
> access to be re rerouted to a Debian box with Squid Installed.
>
> How do I set this up?

Some questions:

1. How is your network currently configured: static IPs, dhcp, if dhcp, is the dlink router your dhcp server?
2. What is the goal of the proxy server?: access control (restrictions, authentication), cache, other.
3. Who provides the DNS service? is the dlink router? is another server?
4. How is the wireless part of the router being used? office computers, some laptops, some of the "boss's" gadgets, other.

Depending on these answers, there are one or more options for you.

Sincerely,

Ildefonso Camargo
Re: [squid-users] Slightly OT: Configuring a router for Squid.
On 05/03/2010 09:33 PM, Amos Jeffries wrote:
> On Mon, 3 May 2010 17:52:19 -0500, Luis Daniel Lucio Quiroz wrote:
>> On Monday 3 May 2010 17:11:00, Jorge Armando Medina wrote:
>>> Dave Coventry wrote:
>>>> I need to add a proxy server to our office network.
>>>>
>>>> The router/modem is a DLink G604T and I want all requests for Internet
>>>> access to be rerouted to a Debian box with Squid Installed.
>>>
>>> I'm afraid this cannot be achieved with simple static routes, you need to
>>> set up an interceptor proxy so outgoing http traffic is intercepted by
>>> your router and then transparently redirect it to your squid box.
>>>
>>> If you already have a debian box with squid I recommend to set up a
>>> firewall on it with two interfaces and use it as your default gateway,
>>> this way you can use transparent proxy.
>>>
>>> For more information read the wiki page:
>>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>>>
>>> Best regards
>>>
>>>> How do I set this up?
>>>>
>>>> I notice that the Router has an advanced option called 'Routing' which
>>>> defines the Routing table.
>>>>
>>>> Options are:
>>>>
>>>> Destination:
>>>> Netmask:
>>>> Gateway:
>>>> Connection:
>>>>
>>>> I take it that the Destination is the Proxy Server (192.168.1.5), the
>>>> netmask will be 255.255.255.0
>>>>
>>>> I'm not sure what the Gateway will be, and I presume I accept the
>>>> default for connection, which is Pvc0.
>>>>
>>>> Or am I going in the wrong direction entirely?
>>
>> as far as i understand, he has a 24 bit network,
>> .5 is his proxy
>> .1 (or whatever number) his router
>>
>> do you need to proxy all so there are your possibilities:
>>
>> 1. If you have your own internal dns or winbugs domain, use wpad
>> 2. configure by hand all your browsers
>> 3. if you want transparent proxy you need advanced arp poisoning :)
>> jejeje
>> or my professional services :P
>>
>> Regards,
>>
>> LD
>
> For small/medium sized LAN I find it easier to set the DLink to its DMZ
> zone and setup the squid box as a router.
>
> Amos

You are right Amos, that was my last option in the setup I was working last week, but in that case the router was cisco.
Re: [squid-users] If not modified since is causing near-hits
On Mon, 3 May 2010 13:28:21 -0700, David Raccah wrote:
> Hello,
>
> Please excuse the newbie. I checked most of the search engines on
> squid pages and could not find what I was looking for. Though it may
> be because I did not use the correct keywords.
>
> So we have a large set of squid boxes sitting in front of some slow
> running code. The data is mostly static, so we use squid as a proxy
> and it caches the data. The TTL on the cache for now is 1 week or
> more, and so we are saving the backend/origin from being pounded and
> love it!!! However, we are seeing a large number of near-hit instead
> of pure hits. For us a near-hit is equal to a miss, because it caches
> the cache (L1 and L2) to go to the origin/backend. We are using HTCP
> to clear the cache when there is a change (much like wikipedia does),
> so we can trust that our L2 is as close to fresh as possible.
>
> So:
>
> 1) Since we can guarantee that the L2 will have the latest
> information, is there a way to ignore the "if-not-modified" header?
>

Depends on where it is being generated and exactly which of the If-* headers it is.
(there is no if-not-modified header).

> 2) is there a way to declare the L2 cache as the origin-server instead
> of just a parent cache - not a great approach, but need to mitigate
> going to the origin if the L2 has a hit?

Yes. Setting "originserver" on the parent cache_peer.
However I think ICP/HTCP are not sent to origin servers.

>
> 3) is there a utility to update the timestamp of the cached objects.

Maybe the squidpurge tool. I have not yet looked at it closely.

Amos
Re: [squid-users] Web client not capable of SSL
No problem at all. We are developing an application consuming a SOAP-service. The application is built in 4th dimension (www.4d.com). It's a database platform with a pretty extensive coding language. To be honest it is possible to use SSL, but not in combination with client certificates. Additionally, I want to be able to do some extensive SSL option settings, which is not possible in 4D. (Version, do/do not verify server certificate, etc.) Secondly, I'd like to sniff data between 4d and Squid for debug purposes.

So, I'd like the 4D-app to connect to the SOAP-service through Squid and let Squid do all the SSL work. Maybe we need some extra options to get this singing and dancing, but I guess this is the best way to start.

Greetz,
Dj

Jose Ildefonso Camargo Tolosa wrote:
> Hi!
>
> On Sun, May 2, 2010 at 7:13 AM, D.Veenker wrote:
>> My web client is not capable of SSL and definitely no client certificates.
>
> Ok I *have* to ask, I can't help it, it is my nature I have to ask
> this: what web client is this, that doesn't support SSL? (https).
>
> Sorry for the "off-topic" question.
>
> Sincerely,
>
> Ildefonso.
Re: [squid-users] OpenBSD 4.6: Squid 3.1.3 compilation error (patch attached)
On 05/04/2010 01:42 AM, Brett Lymn wrote:
> On Mon, May 03, 2010 at 05:08:29PM +0200, Silamael wrote:
>
>> Fix include order to ensure that FD_SETSIZE from the compat/fdsetsize.h is set
>> before it is set by sys/select.h (included by stdlib.h).
>>
>
> To be strictly correct about this, the problem is really an OpenBSD
> one. There should not be an order dependence on the inclusion of
> system headers. You could try logging it as a bug on OpenBSD - good
> luck with that.
>

No, I don't think that's an OpenBSD-only problem. The ordering of include files in this authentication helper always would first include the system headers - also on Linux, MacOS X, whatever - and then redefine FD_SETSIZE with some own value given to configure.
In my opinion this compiler warning will happen on most systems except the ones for which compat/fdsetsize.h has some hacks to prevent setting FD_SETSIZE.

-- Matthias
Re: [squid-users] Slightly OT: Configuring a router for Squid.
Thanks to everybody for the assistance.

2010/5/4 Jorge Armando Medina:
> I'm afraid this cannot be achieved with simple static routes, you need to
> set up an interceptor proxy so outgoing http traffic is intercepted by
> your router and then transparently redirect it to your squid box.

Yes, I rather thought I was on the wrong track for this. I couldn't see any other option for rerouting the LAN traffic through the Proxy though.

> If you already have a debian box with squid I recommend to set up a
> firewall on it with two interfaces and use it as your default gateway,
> this way you can use transparent proxy.

The modem/router is wireless, too, so I guess we'll need to turn off the wireless and buy another WAP.

> For more information read the wiki page:
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

Thanks. I'll check it out.

~ Dave
Re: [squid-users] Slightly OT: Configuring a router for Squid.
On 4 May 2010 05:21, Jose Ildefonso Camargo Tolosa wrote:
>
> Some questions:
>
> 1. How is your network currently configured: static IPs, dhcp, if
> dhcp, is the dlink router your dhcp server?

Yes. The DLink allocates IP addresses on the network. The Squid box is set to .5 static IP

> 2. What is the goal of the proxy server?: access control
> (restrictions, authentication), cache, other.

All of the above. We have clients who want to access the net through their laptops, so configuring the clients' machines is not really desirable and, obviously for them we are not interested in their browsing habits. However, we want to place some restrictions on staff. This is not an absolute requirement, though, although if the staff are abusing bandwidth, we'd like to know about it.

> 3. Who provides the DNS service? is the dlink router? is another server?

No, it'll be the ISP who provide the DNS.

> 4. How is the wireless part of the router being used? office
> computers, some laptops, some of the "boss's" gadgets, other.

Yes, the DLink has 4 wired ports one of which goes to the Squid Box and the others to local machines. Other staff desktops and laptops connect wirelessly and guests connect with laptops. The boss does like his gadgets, though...

> Depending on these answers, there are one or more options for you.

That would be nice. ;)

~Dave
[squid-users] TIME_WAIT state
Hi

I see a lot of TIME_WAIT states when I run netstat -n. I imagine that this points to some tcp parameters not quite tuned correctly. Anyone have some kernel tcp tuning parameters for a Squid proxy running on RH EL5 pushing around 30Mbs?

Thanks
Ivan
[squid-users] logrotate squid files
I need to rotate these log files for Squid:

store.log
access.log
cache.log
rewrite.log (jesred log)
redirect.log (jesred log)

What's the suitable command (to insert between postrotate and endscript) for telling both Squid and Jesred to write again to the .log files?

1) test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate
2) /bin/kill -HUP `cat /var/run/squid.pid 2> /dev/null` 2> /dev/null || true
3) invoke-rc.d squid reload > /dev/null

I used command 2), where I send the 'hang up' signal to Squid. I want to be sure all 5 log files can rotate!

What do you think about commands 1), 2) and 3)? Which is better?
Re: [squid-users] If not modified since is causing near-hits
Thanks for the help. I typed incorrectly. Essentially, we have crawlers coming to our webpage, and they are using the if-modified-since header. The system is designed in a classic L1/L2 architecture. The L1 is primarily a router and the L2 boxes contain the disk and memory cache. If the data is not found on the L2, the L2 calls the origin server, which is slow-ish.

Based on the squid mgr info, most of the requests which reach the L2 squid have the If-Modified-Since header. If the value that is being passed is older than the one in the cache, L2 will respond with a TCP_HIT. This is the happy path. But if the value that is being passed in is equal to the one in the cache (when the same robot comes back a few days later and is checking for updates), the L2 goes to the origin server.

So the question is, can we set the configuration in some way, to intrinsically trust the cache, and thereby ignore the If-Modified-Since header, and use what is local? Of course, if there is no actual hit, then go to the origin server.

Thanks!

On Mon, May 3, 2010 at 9:42 PM, Amos Jeffries wrote:
> On Mon, 3 May 2010 13:28:21 -0700, David Raccah wrote:
>> Hello,
>>
>> Please excuse the newbie. I checked most of the search engines on
>> squid pages and could not find what I was looking for. Though it may
>> be because I did not use the correct keywords.
>>
>> So we have a large set of squid boxes sitting in front of some slow
>> running code. The data is mostly static, so we use squid as a proxy
>> and it caches the data. The TTL on the cache for now is 1 week or
>> more, and so we are saving the backend/origin from being pounded and
>> love it!!! However, we are seeing a large number of near-hit instead
>> of pure hits. For us a near-hit is equal to a miss, because it caches
>> the cache (L1 and L2) to go to the origin/backend. We are using HTCP
>> to clear the cache when there is a change (much like wikipedia does),
>> so we can trust that our L2 is as close to fresh as possible.
>>
>> So:
>>
>> 1) Since we can guarantee that the L2 will have the latest
>> information, is there a way to ignore the "if-not-modified" header?
>>
>
> Depends on where it is being generated and exactly which of the If-*
> headers it is.
> (there is no if-not-modified header).
>
>
>> 2) is there a way to declare the L2 cache as the origin-server instead
>> of just a parent cache - not a great approach, but need to mitigate
>> going to the origin if the L2 has a hit?
>
> Yes. Setting "originserver" on the parent cache_peer.
> However I think ICP/HTCP are not sent to origin servers.
>
>>
>> 3) is there a utility to update the timestamp of the cached objects.
>
> Maybe the squidpurge tool. I have not yet looked at it closely.
>
>
> Amos
>