Re: [squid-users] configure: WARNING: Cannot find necessary Linux kernel (Netfilter) header files

2010-05-05 Thread John Doe
From: Wong Fei Young 
> I got error to configure Squid (either 3.1.1 or 3.1.3) below.
> I used the old (OpenSuSE stock) linux-kernel-headers RPM 2.6.31. Please 
> advise me what I 
> should do to enable Intercepting Proxy.

Personally, I have 2 different netfilter.h on my CentOS...
# ll /usr/include/linux/netfilter.h /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
-rw-r--r-- 1 root root   817 Mar 17 16:24 /usr/include/linux/netfilter.h
-rw-r--r-- 1 root root 10871 Mar 17 16:28 /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
# rpm -qf /usr/include/linux/netfilter.h
kernel-headers-2.6.18-164.15.1.el5
# rpm -qf /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
kernel-devel-2.6.18-164.15.1.el5

JD


  


Re: [squid-users] SSH not working With Squid3.0

2010-05-05 Thread a...@gmail

Hi there,

I have tried with iptables to forward requests; it didn't work.
I am trying now with the Linksys router; not working either.

for the internal gateway yes

Basically I have three backend machines; I can only access the proxy 
machine's SSH.
Even if I try internally to access the other machines' SSH servers, the 
connection is refused.


But the gateway is on the router I am using my ISP's gateway not the Squid's 
machine


I am forwarding other ports via my router, such as IRC ports etc.. it's 
working fine

but when I forward to SSH ports the connection is refused.

Any other suggestions please?

Regards
Adam 



Re: [squid-users] SSH not working With Squid3.0

2010-05-05 Thread John Doe
From: "a...@gmail" 
> even if I try internally to access the other machine's SSH 
>servers the connection is refused

Fix that first...  Searched why it is refused?
And why do you say it is squid fault?

JD


  


[squid-users] Squid 2.7 without signature

2010-05-05 Thread marcus
Hi,

For security reasons, I would like my default error page without the squid 
signature.
I have already been able to customize my error page and display it, but I don't know how to 
remove the signature at the bottom of the page.

Is it possible? The best I could make was a short signature using %s tag.

Regards,
Marcus D


-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is it evil? --> http://www.georgedillon.com/web/html_email_is_evil.shtml


[squid-users] Re: squid_ldap_auth

2010-05-05 Thread burbankmarc

Thanks for the reply. So even if I get this ACL working they would have to
authenticate whenever a new browser window is launched? If that's the case
I'll have to go back to NTLM, which I didn't want to do since it's being
phased out.


Re: [squid-users] Re: squid_ldap_auth

2010-05-05 Thread Amos Jeffries

burbankmarc wrote:

Thanks for the reply. So even if I get this ACL working they would have to
authenticate whenever a new browser window is launched? If that's the case
I'll have to go back to NTLM, which I didn't want to do since it's being
phased out.


This is where the password managers built into current browsers do their 
job. The credentials get stored there cross-session.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


[squid-users] elapsed time

2010-05-05 Thread Georg Höllrigl

Hello,

Can anyone explain to me in some more detail what the elapsed time in the squid 
access log exactly means?

I found some definitions:

duration: The elapsed time considers how many milliseconds the transaction busied the cache. It 
differs in interpretation between TCP and UDP:
For HTTP this is basically the time from having received the request to when Squid finishes sending 
the last byte of the response.


The most important question is: what may keep squid so busy that I sometimes get numbers higher 
than 1000 ms? With reverse proxies I see such values even with cache hits and relatively small files.



Georg


[squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio
Hello everybody.

I've set up a proxy at a customer's site and set up an ACL to block some
domains (first of all facebook.com).

Now some clever users have discovered that they can use foreign external
proxies to avoid filtering.

What I was thinking to do is to enable on my firewall LAN-->WAN *only*
my proxy's IP address, but the question is: how would I have to proceed,
as the client PCs could still change their own proxy settings?!

Kind regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


RE: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Jason Staudenmayer
Remove the default gateway so nobody can get to the internet unless they go 
through the proxy. I've had my network set that for 9 years and nobody has ever 
noticed.

Jason
 
 
 
..·><º>


> -Original Message-
> From: Boniforti Flavio [mailto:fla...@piramide.ch] 
> Sent: Wednesday, May 05, 2010 11:21 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Best policy to allow only proxy surfing
> 
> 
> Hello everybody.
> 
> I've set up a proxy at a customers' site and set up an ACL to 
> block some
> domains (first of all facebook.com).
> 
> Now some clever users have discovered that they can use 
> foreing external
> proxies to avoid filtering.
> 
> What I was thinking to do, is to enable on my firewall 
> LAN-->WAN *only*
> my proxy's IP address, but the question is: how would I have 
> to proceed,
> as the client PCs still could be set their proxy settings?!
> 
> Kind regards,
> Flavio Boniforti
> 
> PIRAMIDE INFORMATICA SAGL
> Via Ballerini 21
> 6600 Locarno
> Switzerland
> Phone: +41 91 751 68 81
> Fax: +41 91 751 69 14
> URL: http://www.piramide.ch
> E-mail: fla...@piramide.ch 
> 




Re: [squid-users] make squid-3.1.1

2010-05-05 Thread lieven

Hi, this problem is solved, completely something on my side as expected:

It seems that my first try to download and compile the cvs of 
squid_kerb_auth had compromised the make with squid3.1.1. Even after 
make clean.


I installed a fresh debian lenny and this time compiling squid with the 
helpers worked fine.


thank you,
Lieven


Henrik Nordström wrote:

ons 2010-04-28 klockan 18:46 +0200 skrev lieven:


squid_kerb_auth squid_kerb_auth.o base64.o  -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition 
of `base64_code'

base64.o:(.rodata+0x0): first defined here


Try this:

echo >helpers/negotiate_auth/squid_kerb_auth/base64.c

Appears that file is duplicate and colliding with the same from within
the main parts of the Squid source tree.

Regards
Henrik



--

Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem

Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45

[squid-users] Anacron log entries

2010-05-05 Thread Simon Brereton
Hi

This probably isn't a squid issue - but ever since I installed and set up 
squid, my system is sending me mail at log rotate time like:

/etc/cron.daily/logrotate:
2010/05/05 07:35:20.152| aclParseUserList: parsing user list
2010/05/05 07:35:20.152| aclParseUserList: parsing user list
2010/05/05 07:35:20.206| ACL::Prototype::~Prototype: TODO: unregister me
2010/05/05 07:35:20.206| ACL::Prototype::

And so on for 50 odd lines.

I can't find anything in /etc/cron.daily/logrotate or in 
/etc/cron.daily/0anacron or in /etc/cron.daily/ or in /var/log/ that would 
cause this - and Google also seems never to have heard of it.

Is this something I've done wrong?

Simon




RE: [squid-users] Peer cache behavior with expired objects

2010-05-05 Thread Paul.Buchanan
> I'm experimenting with 2 Squid 3.1.3 instances in reverse proxy mode.
> They are configured to be peers of each other using ICP.  I'm not using
> digests.  When a cached resource has not yet expired, each instance will
> successfully contact the other to retrieve the resource.  However, when
> the resource is expired, no attempt is made to contact the peer.  I'm
> trying to determine if that behavior can be changed.
>
> My question is, is there a way to configure Squid so that it will
> contact its peers when asked for an expired resource?  I'm interested in
> doing this to reduce the number of requests that make their way to the
> backend servers.  If a peer has a fresh copy, I'd like that one to be
> used instead of sending the request to the backend.  

From the lack of responses, I'm guessing this isn't a commonly asked
question.  Would anyone be able to direct me to a location in the Squid
source code where I could try to find this myself?  Or perhaps if there
is documentation on this that I missed I'd appreciate that as well. 

Thanks,

Paul 


Re: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Glenn English

On May 5, 2010, at 9:21 AM, Boniforti Flavio wrote:

> Now some clever users have discovered that they can use foreing external
> proxies to avoid filtering.
> 
> What I was thinking to do, is to enable on my firewall LAN-->WAN *only*
> my proxy's IP address, but the question is: how would I have to proceed,
> as the client PCs still could be set their proxy settings?!

I'm currently working on a replaceThePIXwithLinux project. What I'm hoping to 
do is:

This will be the *only* way out of the LAN. This is to be enforced with pieces 
of wire. If they can get into the WiFi next door, I don't have a solution for 
that yet.

This box will transparently proxy HTTP by intercepting port 80 (and 443??) and 
forwarding it to 3128. Squid will be running on the gateway / filter / firewall.

Aside from a few ports (SMTP, POP3, IMAP, DNS, etc. on the DMZ), the LAN won't 
be able to go anywhere. Except for me, of course; I can go anywhere...


Don't know if this is going to work, but if it does, rules similar to these may 
solve your problem. With no proxy whinage.

-- 
Glenn English
g...@slsware.com





RE: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio
Hi Glenn

[cut]

> Aside from a few ports (SMTP, POP3, IMAP, DNS, etc. on the 
> DMZ), the LAN won't be able to go anywhere. Except for me, of 
> course; I can go anywhere...
> 
> 
> Don't know if this is going to work, but if it does, rules 
> similar to these may solve your problem. With no proxy whinage.

This *is* going to work; I did such setups too, some years ago. The fact
is that similar solutions require some more intervention, because (as
you might know) every day a new software/tool/internet application needs
to be used (and it is FOR SURE that it HAS to be used, for working
purposes, not for a joke)... This would mean adding rules from time to
time... 

Good luck, but still I confess that I *may be* switching to your
suggestion too! ;-)

Flavio Boniforti



RE: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio

> Remove the default gateway so nobody can get to the internet 
> unless they go through the proxy. I've had my network set 
> that for 9 years and nobody has ever noticed.

Well... This could be a solution I may consider...

In fact, the remote office uses VPN to connect to the HQ and to surf the
web... They *do not* need anything on their internet connection... Email
is also being sent via Exchange Server, VPN'ed...


Mmhhh... I'll draw a schema and will do some brainstorming about this...

Cheers,
Flavio Boniforti



Re: [squid-users] Illegal character in hostname '!host!'

2010-05-05 Thread Tory M Blue
On Tue, May 4, 2010 at 4:14 PM, Amos Jeffries  wrote:
> On Tue, 4 May 2010 11:17:18 -0700, Tory M Blue  wrote:
>> I'm seeing this error on occasion and trying to figure out how to
>> capture what is causing it.
>>
>> 2010/05/04 11:06:03| urlParse: Illegal character in hostname '!host!'
>>
>>
>> !host!.
>>
>> I've thought maybe it was actually in a URI but I've added access
>> logging with urlpath_regex -i \!host  and nothing is matching.
>
> urlpath_regex matches the path+filename+query portion of the URL.
>
> Try with url_regex.
>
>>
>> Is the !host! possibly internal to squid?
>
> No.
>
>>
>> How do I go about capturing and figuring this out?
>
> If the url_regex does not capture it debug_options 84,9 will display all
> the headers going through squid.
>
> debug_options 23,3 will show the higher level URL parse and what its being
> split into.
>
> Amos

Thanks Amos (catching the reply late).

Odd that the added debug is not functioning. I've tried

debug_options ALL,1 23,3 84,9


and I don't get more than the ALL,1 information:

2010/05/05 09:08:05| urlParse: Illegal character in hostname '!host!'

And my access.log

acl HTTP-SUSPECT url_regex \!host

works with a generated bogus url:

1272997513.724  1 10.40.9.132 TCP_MISS/404 589 GET http://cache01.gc.sv.domain.net/!host! - FIRST_UP_PARENT/apps.domain.net text/html

So I'm capturing if it's in the url, but I'm still getting the illegal
character in cache.log but nothing in access.log. So I'm missing or
not capturing something.

Very odd that my debug does not seem to be working however :)

Tory


Re: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Glenn English

On May 5, 2010, at 9:54 AM, Boniforti Flavio wrote:

>> Don't know if this is going to work, but if it does, rules 
>> similar to these may solve your problem. With no proxy whinage.
> 
> This *is* going to work

Thanks for that. Now I know that if it doesn't, it's my implementation, not the 
design...

> I did such setups too, some years ago. The fact
> is, that similar solutions require some more intervention, because (as
> you might know) every day a new software/tool/internet application needs
> to be used (and it is FOR SURE that it HAS to be used, for working
> purposes, not for joke)... This would mean, adding rules from time to
> time... 

It would indeed. One of the delights (IMHO) of iptables is local chains. My 
packet filter will have special chains for stuff. So when a new LAN-to-NET 
rule is needed, 

"iptables -A LANtNET -p <...> --dport <...> -j ALLOW" 

is all that's needed. Actually, that'd go into the shell script that builds the 
filter.

> Good luck, but still I confess that I *may be* switching to this your
> suggestion too! ;-)

Use default deny and break up the logic into chains (within reason). Makes 
things a lot easier to maintain. Did for me, anyway.

-- 
Glenn English
g...@slsware.com





[squid-users] Microsoft Updates

2010-05-05 Thread b1
Hello everybody

At our school we are using squid 2.7 stable on a Debian Lenny machine.
Users are authenticated via an Active Directory. Users without
Authentication are denied Internet access. 

Unfortunately we have some Windows Desktops, which are trying to pull
their updates, without using the Credentials of the users Domain-Logon.
These updates were consequently denied. Therefore we wanted to add
exceptions to always allow connections to the Microsoft update sites.
This is how I tried to implement this, by putting the following lines at
the top of our squid.conf:

acl windowsupdate dstdomain .microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate2 dst 89.202.157.135
acl windowsupdate2 dst 89.202.157.136
acl windowsupdate2 dst 89.202.157.137
acl windowsupdate2 dst 89.202.157.138
acl windowsupdate2 dst 89.202.157.139
acl windowsupdate dstdomain .eset.com
acl windowsupdate dstdomain microsoftwga.112.207.net
acl windowsupdate dstdomain .msft.net

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

acl localnet src 172.16.0.0/12
acl localhost src 127.0.0.1/32

http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_reply_access allow CONNECT wuCONNECT localnet
http_reply_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_reply_access allow windowsupdate localnet
http_reply_access allow windowsupdate localhost

Unfortunately it's not working. It would be great if anybody had some hints why 
this is not working, or if anybody has a working configuration himself.

Any help is appreciated.

Thank you very much

Benedikt



Re: [squid-users] Slightly OT: Configuring a router for Squid.

2010-05-05 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, May 4, 2010 at 1:47 AM, Dave Coventry  wrote:
> On 4 May 2010 05:21, Jose Ildefonso Camargo Tolosa
>  wrote:
>>
>> Some questions:
>>
>> 1. How is your network currently configured: static IPs, dhcp, if
>> dhcp, is the dlink router your dhcp server?
>
> Yes. The DLink allocates IP addresses on the network. The Squid box is
> set to .5 static IP

Ok.

>
>> 2. What is the goal of the proxy server?: access control
>> (restrictions, authentication), cache, other.
>
> All of the above. We have clients who want to access the net through
> their laptops, so configuring the clients' machines is not really
> desirable and, obviously for them we are not interested in their
> browsing habits. However, we want to place some restrictions on staff.
>  This is not an absolute requirement, though, although if the staff
> are abusing bandwidth, we'd like to know about it.

Ok, if you are interested in "access control", you must avoid direct
Internet access; more on this later.

>
>> 3. Who provides the DNS service? is the dlink router? is another server?
>
> No, it'll be the ISP who provide the DNS.

Ok, so, you could, in theory, add an internal DNS zone, right?
(because it doesn't currently exist).  Now, an off-topic question:
do you have a "domain" on your network, or just a "workgroup"
(I'm assuming you have Windows computers for your staff)?

>
>> 4. How is the wireless part of the router being used? office
>> computers, some laptops, some of the "boss's" gadgets, other.
>
> Yes, the DLink has 4 wired ports one of which goes to the Squid Box
> and the others to local machines. Other staff desktops and laptops
> connect wirelessly and guests connect with laptops.

Ok, guests = clients, i.e. persons not part of the company, right?

>
> The boss does like his gadgets, though...

Yeah, all the bosses like their gadgets

>
>> Depending on these answers, there are one or more options for you.
>
> That would be nice.

Ok, I'll wait for these final answers.

>
> ;)
>
> ~Dave
>


Re: [squid-users] Slightly OT: Configuring a router for Squid.

2010-05-05 Thread Dave Coventry
Thanks for the help, Jose.

On 5 May 2010 18:46, Jose Ildefonso Camargo Tolosa
 wrote:
> Ok, so, you could, in theory, add an internal DNS zone, right?
> (because is doesn't currently exists).  Now, and off-topic question:
> do you have a "domain" on your network, or just have a "workgroup"
> (I'm assuming you have Windows computers for your staff).

Yes. I'm sure I can set up DNS on the Debian box.

I'm not sure what a Domain is, but, yes, I have a windows 'Workgroup'.
All computers (except mine) are windows machines. There is a chance
that the Guest computers might have Linux (or Mac), but I would
imagine that the bulk would be Windows.

> Ok, guests=clients ie, persons not part of the company, right?

Correct.

> Yeah, all the bosses like their gadgets
 :)


[squid-users] squid_kerb_auth received type 1 NTLM token

2010-05-05 Thread Lieven

Dear list,

I currently have a problem where it seems that my clients, the web browsers 
Firefox 3.5 and IE8, only return NTLM tokens for authentication 
instead of Kerberos.


This is the error in the cache log from squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate. 
Error returned 'BH received type 1 NTLM token'

...


squid has been configured like this:
./configure --enable-negotiate-auth-helpers=squid_kerb_auth 
--enable-stacktraces --prefix=/opt/squid-3.1.3

make and make install went fine.

the squid box is a cleanly installed debian lenny i386.

Squid itself seems to run fine, I can browse through it.

Then my goal to use kerberos authentication fails with the error above.
in my krb5.conf I have the following info in my realm:
   kdc = xxx.xxx.xxx.xxx
   admin_server = xxx.xxx.xxx.xxx
these are the libdefaults:
[libdefaults]
   default_realm = DOMAIN.LOCAL
   dns_lookup_kdc = no
   dns_lookup_realm = no
   default_keytab_name = /etc/HTTP.keytab
   ticket_lifetime = 24h

the /etc/HTTP.keytab file is like this:
-rw-r- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
squid is running as user "squid"

First I got a kerberos ticket with:
kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a windows 2008 dc and I used msktutil 
like this:
msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k 
/etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local 
--server ad2008srvr.domain.local --verbose --enctypes 28


The squid config file is quite basic. (only relevant parts here - I think)
auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED


DNS seems to work alright, the AD server is used for dns and has a 
working A and PTR record for the squid3-proxy.domain.local server 
because the A and PTR lookups return the correct results when run from 
the server and from the clients.


Is there anybody out there who can help me troubleshoot this problem?
I found tutorials where the keytab file is created on the windows server 
but that's not necessary if I use the msktutil, right?


thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven



Re: [squid-users] SSH not working With Squid3.0

2010-05-05 Thread a...@gmail

Hi,
Yes, I have searched why but could not find out why, not in the log nor anywhere 
else.


Tried with Iptables, with router same thing.
How do I know?
Ok, if I shut down the proxy machine and completely remove it from the 
network and try again, there are absolutely no problems in connecting to all my ssh 
servers,

but when I run the proxy server, the problem comes back. How about that?

I know it is the proxy server, what I don't know is why?
Any ideas please?
Thanks
- Original Message - 
From: "John Doe" 

To: 
Sent: Wednesday, May 05, 2010 12:40 PM
Subject: Re: [squid-users] SSH not working With Squid3.0



From: "a...@gmail" 

even if I try internally to access the other machine's SSH
servers the connection is refused


Fix that first...  Searched why it is refused?
And why do you say it is squid fault?

JD







[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-05 Thread Markus Moeller
Can you get a Wireshark capture of port 53 (dns), port 88 (kerberos) and 
port 3128 (squid) from your client machine when you try to surf? Can you 
also install kerbtray from Microsoft to list the tickets in your client's 
kerberos cache?


Regards
Markus


"Lieven"  wrote in message news:4be1d106.7090...@ba.be...

Dear list,

I currently have a problem where it seems that my clients, the web browsers 
Firefox 3.5 and IE8, only return NTLM tokens for authentication 
instead of Kerberos.


This is the error in the cache log from squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate. 
Error returned 'BH received type 1 NTLM token'

...


squid has been configured like this:
./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces 
 --prefix=/opt/squid-3.1.3

make and make install went fine.

the squid box is a cleanly installed debian lenny i386.

Squid itself seems to run fine, I can browse through it.

Then my goal to use kerberos authentication fails with the error above.
in my krb5.conf I have the following info in my realm:
   kdc = xxx.xxx.xxx.xxx
   admin_server = xxx.xxx.xxx.xxx
these are the libdefaults:
[libdefaults]
   default_realm = DOMAIN.LOCAL
   dns_lookup_kdc = no
   dns_lookup_realm = no
   default_keytab_name = /etc/HTTP.keytab
   ticket_lifetime = 24h

the /etc/HTTP.keytab file is like this:
-rw-r- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
squid is running as user "squid"

First I got a kerberos ticket with:
kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a windows 2008 dc and I used msktutil 
like this:
msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k 
/etc/HTTP.keytab --computer-name squid3-proxy --upn 
HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28


The squid config file is quite basic. (only relevant parts here - I 
think)

auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED


DNS seems to work alright, the AD server is used for dns and has a working 
A and PTR record for the squid3-proxy.domain.local server because the A 
and PTR lookups return the correct results when run from the server and 
from the clients.


Is there anybody out there who can help me troubleshoot this problem?
I found tutorials where the keytab file is created on the windows server 
but that's not necessary if I use the msktutil, right?


thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven
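The helper's complaint, 'received type 1 NTLM token', means the browser answered the Negotiate challenge with a raw NTLMSSP message rather than a Kerberos or SPNEGO token. Before going to a full packet capture, the base64 value from a single client's Proxy-Authorization: Negotiate header can be classified with the following added Python example (not squid_kerb_auth's code, and not from anyone in this thread). It recognises the NTLMSSP signature and message type, a raw Kerberos GSS-API token by its mechanism OID, and a SPNEGO NegTokenInit, for which it lists the mechanisms the client offered. The sample tokens are constructed in the block with a minimal DER encoder and carry no credentials; the constructed SPNEGO token omits the mechToken a real one carries.

```python
"""Classify a Negotiate token from a Proxy-Authorization header (added
example, not squid_kerb_auth code). Tells apart a raw NTLMSSP message, a raw
Kerberos GSS-API token and a SPNEGO NegTokenInit, listing the mechanisms a
SPNEGO token offers. The sample tokens are constructed below."""
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos", OID_NTLMSSP: "NTLMSSP"}

# minimal DER helpers: tag-length-value and object identifiers
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(raw):
    out, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            out.append(val)
            val = 0
    return ".".join(map(str, out))

def _spnego_mechs(buf, pos):
    """Walk [0] negTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID."""
    length = 0
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        if pos >= len(buf) or buf[pos] != expected:
            return []
        length, pos = _der_len(buf, pos + 1)
    mechs, end = [], pos + length
    while pos < end and buf[pos] == 0x06:
        oid_len, pos = _der_len(buf, pos + 1)
        mechs.append(decode_oid(buf[pos:pos + oid_len]))
        pos += oid_len
    return mechs

def classify_token(b64):
    """Describe what the client actually sent in 'Negotiate <b64>'."""
    tok = base64.b64decode(b64)
    if tok.startswith(NTLMSSP_SIG):
        msg_type = int.from_bytes(tok[8:12], "little")
        return f"NTLM type {msg_type} (raw NTLMSSP, not Kerberos)"
    if tok[:1] == b"\x60":  # GSS-API InitialContextToken, [APPLICATION 0]
        _, pos = _der_len(tok, 1)
        if pos >= len(tok) or tok[pos] != 0x06:
            return "GSS-API token without a mechanism OID"
        oid_len, pos = _der_len(tok, pos + 1)
        mech = decode_oid(tok[pos:pos + oid_len])
        if mech == OID_KRB5:
            return "Kerberos (raw GSS-API)"
        if mech == OID_SPNEGO:
            offered = [MECH_NAMES.get(m, m) for m in _spnego_mechs(tok, pos + oid_len)]
            return "SPNEGO offering: " + ", ".join(offered)
        return f"GSS-API mechanism {mech}"
    if tok[:1] == b"\xa1":  # NegTokenResp: a later leg of a SPNEGO exchange
        return "SPNEGO NegTokenResp"
    return "unrecognised token"

# constructed sample tokens; they carry no real credentials
def sample_ntlm_type1():
    return base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 24).decode()

def sample_spnego_init(mech_oids):
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list))  # mechToken omitted here
    return base64.b64encode(_tlv(0x60, encode_oid(OID_SPNEGO) + _tlv(0xA0, neg_init))).decode()

def sample_raw_krb5():
    return base64.b64encode(_tlv(0x60, encode_oid(OID_KRB5) + b"\x01\x00" + b"\x00" * 8)).decode()

if __name__ == "__main__":
    for t in (sample_ntlm_type1(), sample_spnego_init([OID_KRB5, OID_NTLMSSP]), sample_raw_krb5()):
        print(classify_token(t))
```

If the classifier reports a raw NTLM type 1 for the first request, the browser never attempted Kerberos at all, which points at the client side (no ticket for the proxy's service principal, or the proxy not being treated as a site it may negotiate with) rather than at the keytab; a SPNEGO token that offers Kerberos first but still fails points at the proxy side. That separation is what the Wireshark and kerbtray checks suggested above would confirm.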







Re: [squid-users] Squid 2.7 without signature

2010-05-05 Thread Mark Nottingham
It requires patching the source; see errorpage.c, look for 
'ERR_SQUID_SIGNATURE'.

I'd support making it possible to suppress this (or turn it into an HTML 
comment, as I've done) via configuration.

Cheers,


On 05/05/2010, at 10:14 PM, marcus wrote:

> Hi,
> 
> Due a security reasons, I would like my default page error without the squid 
> signature.
> I already could custom my error page and display it but I don't know how to 
> remove the signature of page bottom.
> 
> Is it possible? The best I could make was a short signature using %s tag.
> 
> Regards,
> Marcus D
> 
> 
> -- 
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
> 
> Why is it evil? --> http://www.georgedillon.com/web/html_email_is_evil.shtml

--
Mark Nottingham   m...@yahoo-inc.com




Re: [squid-users] SSH not working With Squid3.0

2010-05-05 Thread Nyamul Hassan
Are you trying to do SSH to the servers using their FQDN?  Or IP Address?

Regards
HASSAN



On Thu, May 6, 2010 at 02:31, a...@gmail  wrote:
>
> Hi,
> Yes I have searched why but could not find why not in the log not anywhere 
> else.
>
> Tried with Iptables, with router same thing.
> How do I know?
> Ok if I shut down the proxy machine and completely remove it from the network 
> and try again absolutely no problems in connecting to all my ssh servers
> but when I run the proxy server, the problem comes back how about that?
>
> I know it is the proxy server, what I don't know is why?
> Any ideas please?
> Thanks
> - Original Message - From: "John Doe" 
> To: 
> Sent: Wednesday, May 05, 2010 12:40 PM
> Subject: Re: [squid-users] SSH not working With Squid3.0
>
>
>> From: "a...@gmail" 
>>>
>>> even if I try internally to access the other machine's SSH
>>> servers the connection is refused
>>
>> Fix that first...  Searched why it is refused?
>> And why do you say it is squid fault?
>>
>> JD
>>
>>
>>
>
>


Re: [squid-users] elapsed time

2010-05-05 Thread Amos Jeffries
On Wed, 05 May 2010 16:42:49 +0200, Georg Höllrigl
 wrote:
> Hello,
> 
> Can anyone explain me in some more detail what the elapsed time in the
> squid access log exactly means?
> 
> I found some definitions:
> 
> duration The elapsed time considers how many milliseconds the
transaction
> busied the cache. It 
> differs in interpretation between TCP and UDP:
> For HTTP this is basically the time from having received the request to
> when Squid finishes sending 
> the last byte of the response.
> 
> The most important question is, what may keeps squid so busy, that I get
> sometimes numbers higher 
> thant 1000 ms? With reverse proxies I see such answers even with cache
> hits and relative small files

I think usually DNS lag, followed by TTL to the remote server for
reads/writes, checking ACL lists (helpers and regex!), Disk I/O swapping,
etc. Other big requests happening in parallel and flooding the event queues
with I/O can also have some speed impact.

The Measurement Factory and sponsors have added some extra DNS and timeout
logging metrics to the most recent Squid-3 to display how much time is
spent in the remote-delay areas. So admins can see how much is local delay
and how much is unavoidably added by remote systems.
 The new metrics about which parts of the HTTP request sequence get timed may
be available in Squid-2.7; I'm not sure if they got accepted in from the
2.HEAD staging code.

Amos
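To make the definition quoted above concrete, here is an added Python example (not Squid's code, and not from anyone in this thread) that parses Squid's native access.log format, the one shown in the '!host!' thread earlier in this digest, and reports the slow entries and the elapsed-time spread for hits versus misses. The log lines are constructed; the block assumes the default native format with the elapsed time in milliseconds in the second field, and the bytes-per-millisecond figure is only a rough hint, since for a hit the elapsed time runs until the last byte has been sent to the client.

```python
"""Parse Squid native access.log lines and find where elapsed time goes
(added example, not Squid code). Assumes the native log format:
  timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
The sample lines below are constructed."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1272997513.724      1 10.40.9.132 TCP_MISS/404 589 GET http://cache01.example.net/!host! - FIRST_UP_PARENT/apps.example.net text/html
1272997514.102   2310 10.40.9.140 TCP_HIT/200 48211 GET http://www.example.com/img/logo.png - NONE/- image/png
1272997514.560     87 10.40.9.140 TCP_MISS/200 9120 GET http://www.example.com/index.html - FIRST_UP_PARENT/apps.example.net text/html
1272997515.001   1540 10.40.9.151 TCP_MISS/200 7731 GET http://www.example.org/api/list - DIRECT/192.0.2.33 application/json
1272997515.230     12 10.40.9.151 TCP_MEM_HIT/200 3021 GET http://www.example.com/css/site.css - NONE/- text/css
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """One native-format line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["elapsed"] = int(e["elapsed"])
    e["bytes"] = int(e["bytes"])
    e["status"] = int(e["status"])
    return e

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def is_hit(entry):
    """TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT and friends all carry HIT."""
    return "HIT" in entry["result"]

def slow_entries(entries, threshold_ms=1000):
    """Entries that busied Squid longer than threshold_ms, slowest first."""
    return sorted((e for e in entries if e["elapsed"] > threshold_ms),
                  key=lambda e: e["elapsed"], reverse=True)

def slow_hits(entries, threshold_ms=1000):
    """Slow cache hits: nothing was fetched upstream, so the time went to
    local work (ACL checks, disk I/O, event-queue contention) or to
    pushing the bytes out to the client."""
    return [e for e in slow_entries(entries, threshold_ms) if is_hit(e)]

def bytes_per_ms(entry):
    """Rough delivery rate (assumed heuristic): a large object with a low rate
    on a HIT points at client-side delivery rather than Squid being busy."""
    return entry["bytes"] / entry["elapsed"] if entry["elapsed"] else float("inf")

def summarize(entries):
    """Per HIT/MISS class: count, max and mean elapsed time in ms."""
    buckets = defaultdict(list)
    for e in entries:
        buckets["HIT" if is_hit(e) else "MISS"].append(e["elapsed"])
    return {k: {"count": len(v), "max_ms": max(v), "mean_ms": sum(v) / len(v)}
            for k, v in buckets.items()}

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in slow_entries(entries):
        print(f"{e['elapsed']:6d} ms {e['result']:<12} {e['bytes']:7d} B "
              f"{bytes_per_ms(e):6.1f} B/ms {e['url']}")
    print(summarize(entries))
```

Run against a real access.log, the slow-hit list is the one to look at for Georg's question: a hit with a high elapsed time and a low byte rate was most likely waiting on the client, while a small hit with a high elapsed time was waiting on something local, which is where the ACL, helper and disk I/O causes listed above come in.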


Re: [squid-users] configure: WARNING: Cannot find necessary Linux kernel (Netfilter) header files

2010-05-05 Thread Wong Fei Young

> From: Wong Fei Young
> > I got error to configure Squid (either 3.1.1 or 3.1.3) below.
> > I used the old (OpenSuSE stock) linux-kernel-headers RPM 2.6.31. Please
> > advise me what I should do to enable Intercepting Proxy.
>
> Personally, I have 2 different netfilter.h on my CentOS...
> # ll /usr/include/linux/netfilter.h /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
> -rw-r--r-- 1 root root   817 Mar 17 16:24 /usr/include/linux/netfilter.h
> -rw-r--r-- 1 root root 10871 Mar 17 16:28 /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
> # rpm -qf /usr/include/linux/netfilter.h
> kernel-headers-2.6.18-164.15.1.el5
> # rpm -qf /usr/src/kernels/2.6.18-164.15.1.el5-i686/include/linux/netfilter.h
> kernel-devel-2.6.18-164.15.1.el5


John,

After installing gcc-c++ the problem has gone. And Squid could be installed 
and run very well as usual.


Wong. 





Re: [squid-users] Slightly OT: Configuring a router for Squid.

2010-05-05 Thread Jose Ildefonso Camargo Tolosa
Ok.

What I understood:

1. You are using the same wireless link for both your office and your
guests <--- if so, that's a bad idea.
2. You have no Domain Controller on your network.
3. You have no DNS on your network.
4. You need to implement access restrictions for your internal network,
but not for your guests (so, you have an "open wireless AP" that is
used for your customers).

I would suggest:

Internet -- DLink ADSL router -- Linux box with 2 network cards
-- Your internal network -- maybe a second wireless AP.

This way, you will allow your guests to access Internet (direct), but
not to your internal network (which is always a bad idea: virus and
stuff).  Also, you will be able to enforce access restrictions for
your internal network.  The "second wireless ap" is needed only if you
need wireless access to your internal network, and that one should, at
least, have WPA2-PSK with a long key, and that key should be changed
at least once every two months, and ideally should be configured with
WPA2 with RADIUS.

In the Linux box you put:

+ Squid.
+ Linux firewall.
+ DHCP
+ Internal DNS
+ Web server for wpad.

Maybe, other interesting services for your internal network, but that
would be really off-topic.  This is not the only option, there are
several others, but I find this one more "secure", because it
separates your guests from your internal network.

I hope this helps,

Ildefonso Camargo

On Wed, May 5, 2010 at 1:14 PM, Dave Coventry  wrote:
> Thanks for the help, Jose.
>
> On 5 May 2010 18:46, Jose Ildefonso Camargo Tolosa
>  wrote:
>> Ok, so, you could, in theory, add an internal DNS zone, right?
>> (because it doesn't currently exist).  Now, an off-topic question:
>> do you have a "domain" on your network, or just have a "workgroup"
>> (I'm assuming you have Windows computers for your staff).
>
> Yes. I'm sure I can set up DNS on the Debian box.
>
> I'm not sure what a Domain is, but, yes, I have a windows 'Workgroup'.
> All computers (except mine) are windows machines. There is a chance
> that the Guest computers might have Linux (or Mac), but I would
> imagine that the bulk would be Windows.
>
>> Ok, guests=clients ie, persons not part of the company, right?
>
> Correct.
>
>> Yeah, all the bosses like their gadgets
>  :)
>
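The firewall part of the layout Ildefonso sketches above, written out as an added example (it is not code from the thread or from any poster). Interface names (eth0 towards the D-Link ADSL router, eth1 towards the office), the office subnet 192.168.10.0/24 and the Squid port 3128 are assumptions. The script only prints the rules unless `IPT=iptables` is set, so it can be reviewed before anything is loaded:

```shell
#!/bin/sh
# Added example (not from the thread): firewall policy for the two-NIC Linux
# box that separates the guest/ADSL side from the office network and forces
# office web traffic through Squid. Interface names, the office subnet and the
# proxy port are assumptions; adjust them to the real gateway.
WAN_IF=${WAN_IF:-eth0}                 # faces the D-Link ADSL router (and the guest wireless)
LAN_IF=${LAN_IF:-eth1}                 # faces the office network
LAN_NET=${LAN_NET:-192.168.10.0/24}    # office subnet (assumed)
SQUID_PORT=${SQUID_PORT:-3128}         # Squid http_port (assumed)
# Dry run by default: the rules are printed, not loaded.
# Run as root with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

gateway_rules() {
    # Nothing crosses the box unless a rule below says so.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Replies to sessions the office opened may come back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Office clients must use Squid for web traffic: refuse direct 80/443 so
    # the access restrictions enforced in squid.conf cannot be bypassed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j REJECT

    # Other office traffic goes out, masqueraded behind the box's WAN address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Guests sit on the ADSL side of this box: they never get to open
    # connections inward. This is the "separates your guests" property.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP

    # Local services (Squid, DNS, DHCP, the wpad web server) only answer the
    # office interface; the same ports are explicitly dropped on the ADSL side.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT                  # DHCP requests carry no source IP yet
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT     # wpad.dat
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$SQUID_PORT",53,80 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p udp -m multiport --dports 53,67 -j DROP
}

gateway_rules
```

The INPUT chain is only appended to, not flushed, so an existing SSH rule on the box survives; the FORWARD chain is rebuilt from scratch because that is where the guest/office separation actually lives. The REJECT on direct 80/443 is what turns "everyone should use the proxy" into something the firewall enforces rather than something wpad merely suggests.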


Re: [squid-users] Illegal character in hostname '!host!'

2010-05-05 Thread Amos Jeffries
On Wed, 5 May 2010 09:21:09 -0700, Tory M Blue  wrote:
> On Tue, May 4, 2010 at 4:14 PM, Amos Jeffries wrote:
>> On Tue, 4 May 2010 11:17:18 -0700, Tory M Blue wrote:
>>> I'm seeing this error on occasion and trying to figure out how to
>>> capture what is causing it.
>>>
>>> 2010/05/04 11:06:03| urlParse: Illegal character in hostname '!host!'
>>>
>>>
>>> !host!.
>>>
>>> I've thought maybe it was actually in a URI but I've added access
>>> logging with urlpath_regex -i \!host  and nothing is matching.
>>
>> urlpath_regex matches the path+filename+query portion of the URL.
>>
>> Try with url_regex.
>>
>>>
>>> Is the !host! possibly internal to squid?
>>
>> No.
>>
>>>
>>> How do I go about capturing and figuring this out?
>>
>> If the url_regex does not capture it debug_options 84,9 will display all
>> the headers going through squid.
>>
>> debug_options 23,3 will show the higher level URL parse and what it's
>> being split into.
>>
>> Amos
> 
> Thanks Amos (catching the reply late).
> 
> Odd that the added debug is not functioning, I've tried
> 
> debug_options ALL,1 23,3 84,9
> 
> 
> And I don't get more than the ALL,1 information
> 
> 2010/05/05 09:08:05| urlParse: Illegal character in hostname '!host!'
> 
> And my access.log
> 
> acl HTTP-SUSPECT url_regex \!host
> 
> works with a generated bogus url:
> 
> 1272997513.724  1 10.40.9.132 TCP_MISS/404 589 GET
> http://cache01.gc.sv.domain.net/!host! -
> FIRST_UP_PARENT/apps.domain.net text/html
> 
> So I'm capturing if it's in the url, but I'm still getting the illegal
> character, in cache.log but nothing in access.log. So I'm missing or
> not capturing something.
> 
> Very odd that my debug does not seem to be working however :)
> 
> Tory

Is there a later "debug_options ALL,1" somewhere?
They can be multiple.

Amos
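The check Amos is asking for, as an added example (not code from the thread): list every `debug_options` line in a squid.conf and show which one wins. The configuration excerpt embedded below is constructed for the demonstration; point the functions at the real file instead when using it.

```shell
#!/bin/sh
# Added example (not from the thread): find every debug_options line in a
# squid.conf and report the one Squid will actually use. When the directive
# appears more than once, the later occurrence replaces the earlier one.
# The excerpt below is constructed; note the second debug_options that a
# previous troubleshooting session left behind further down the file.
SAMPLE_CONF=$(cat <<'EOF'
# /etc/squid/squid.conf (constructed excerpt)
acl HTTP-SUSPECT url_regex \!host
access_log /var/log/squid/suspect.log squid HTTP-SUSPECT
debug_options ALL,1 23,3 84,9
http_access deny all
   # appended later during some other troubleshooting session
   debug_options ALL,1
EOF
)

# All debug_options lines, prefixed with their line number in the file.
list_debug_options() {
    printf '%s\n' "$1" | grep -n '^[[:space:]]*debug_options'
}

# How many times the directive appears; more than one means the earlier
# settings are silently replaced.
count_debug_options() {
    list_debug_options "$1" | wc -l | tr -d ' '
}

# The setting Squid ends up with: the last occurrence.
effective_debug_options() {
    list_debug_options "$1" | tail -n 1 | sed 's/^[0-9]*:[[:space:]]*//'
}

echo "debug_options lines found:"
list_debug_options "$SAMPLE_CONF"
echo "effective setting: $(effective_debug_options "$SAMPLE_CONF")"
```

For a real deployment, pass `"$(cat /etc/squid/squid.conf)"` to the functions; if `count_debug_options` reports more than 1, the section-specific levels (23,3 and 84,9 in this thread) are being discarded by the later `ALL,1` line, which matches the symptom Tory describes.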


Re: [squid-users] Microsoft Updates

2010-05-05 Thread Amos Jeffries
On Wed, 05 May 2010 18:46:18 +0200, b1  wrote:
> Hello everybody
> 
> At our school we are using squid 2.7 stable on a Debian Lenny machine.
> Users are authenticated via an Active Directory. Users without
> Authentication are denied Internet access. 
> 
> Unfortunately we have some Windows Desktops, which are trying to pull
> their updates, without using the Credentials of the users Domain-Logon.
> These updates were consequently denied. Therefore we wanted to add
> exceptions to always allow connections to the Microsoft update sites.
> This is how I tried to implement this, by putting the following lines at
> the top of our squid.conf:
> 
> acl windowsupdate dstdomain .microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate2 dst 89.202.157.135
> acl windowsupdate2 dst 89.202.157.136
> acl windowsupdate2 dst 89.202.157.137
> acl windowsupdate2 dst 89.202.157.138
> acl windowsupdate2 dst 89.202.157.139
> acl windowsupdate dstdomain .eset.com
> acl windowsupdate dstdomain microsoftwga.112.207.net
> acl windowsupdate dstdomain .msft.net
> 
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> 
> acl localnet src 172.16.0.0/12
> acl localhost src 127.0.0.1/32
> 
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_reply_access allow CONNECT wuCONNECT localnet
> http_reply_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_reply_access allow windowsupdate localnet
> http_reply_access allow windowsupdate localhost
> 
> Unfortunately it's not working. It would be great if anybody had some
> hints why this is not working, or if anybody has a working configuration himself.
> 

Works for me.  Order is very important though when mixing with auth.

To avoid auth the whole set needs to be in the config file before the
first http_access line which uses auth.

I also note your addition of a "windowsupdate2" ACL. If that is some local
WSUS server it needs its own copy of each WU *_access line to be
treated the same as regular WU.

Amos
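The ordering Amos describes, laid out as a squid.conf excerpt. This is an added illustration, not the poster's file and not Amos's own config: it reuses the ACLs from the question and adds a `proxy_auth` ACL as a stand-in for the school's real Active Directory authentication, which the thread does not show. The update allow lines, including a separate set for `windowsupdate2`, all come before the first line that tests authentication.

```conf
# Added example, not the poster's squid.conf. ACLs are copied from the
# question; the proxy_auth lines are an assumed stand-in for the real AD setup.
acl windowsupdate dstdomain .microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain .eset.com
acl windowsupdate dstdomain microsoftwga.112.207.net
acl windowsupdate dstdomain .msft.net
acl windowsupdate2 dst 89.202.157.135
acl windowsupdate2 dst 89.202.157.136
acl windowsupdate2 dst 89.202.157.137
acl windowsupdate2 dst 89.202.157.138
acl windowsupdate2 dst 89.202.157.139

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

acl localnet src 172.16.0.0/12
acl localhost src 127.0.0.1/32

# Assumed stand-in for the existing authentication ACL (not from the thread).
acl authenticated proxy_auth REQUIRED

# 1. Update traffic: every allow line sits BEFORE any http_access that
#    references an auth ACL, so these requests are never challenged.
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_reply_access allow CONNECT wuCONNECT localnet
http_reply_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_reply_access allow windowsupdate localnet
http_reply_access allow windowsupdate localhost

# 2. The IP-based ACL gets its own copy of each of the same lines;
#    it is not covered by the windowsupdate lines above.
http_access allow windowsupdate2 localnet
http_access allow windowsupdate2 localhost
http_reply_access allow windowsupdate2 localnet
http_reply_access allow windowsupdate2 localhost

# 3. Only now does the authentication requirement apply to everything else.
http_access deny !authenticated
http_access allow authenticated localnet
http_access deny all
```

The order is the whole fix: Squid evaluates `http_access` lines top to bottom and stops at the first match, so an unauthenticated update client that hits `deny !authenticated` before reaching the `windowsupdate` allow line is denied regardless of how many exception ACLs are defined.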