[squid-users] hostname not determined automatically

2010-05-06 Thread Ralf Hildebrandt
I'm using the same squid3.conf on 4 proxies with different hostnames.
Back with 2.7 I didn't have to set 
visible_hostname
explicitly. Squid would just use the hostname of the machine it was
running on.

With squid-3.0.STABLE19 all the error pages contain localhost instead
of the machine's hostname:
"Erzeugt am Thu, 06 May 2010 07:26:42 GMT von localhost (squid/3.0.STABLE19)"

# hostname -a
proxy-cvk-1

So what's wrong here?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] hostname not determined automatically

2010-05-06 Thread Jeff Pang
2010/5/6 Ralf Hildebrandt :
> I'm using the same squid3.conf on 4 proxies with different hostnames.
> Back with 2.7 I didn't have to set
> visible_hostname
> explicitly. Squid would just use the hostname of the machine it was
> running on.
>

from my experience with squid-3.x, you need to set visible_hostname in
squid.conf distinctly.


-- 
Tech support agent in China
http://duxieweb.com/


Re: [squid-users] hostname not determined automatically

2010-05-06 Thread Ralf Hildebrandt
* Jeff Pang :
> 2010/5/6 Ralf Hildebrandt :
> > I'm using the same squid3.conf on 4 proxies with different hostnames.
> > Back with 2.7 I didn't have to set
> > visible_hostname
> > explicitly. Squid would just use the hostname of the machine it was
> > running on.
> >
> 
> from my experience with squid-3.x, you need to set visible_hostname in
> squid.conf distinctly.

Indeed this is the case.
I read Matus Uhlar's similar bug reports :(

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread a...@gmail
I have tried to use their FQDN, have tried using their IP addresses, have
tried locally.

Connection refused; whichever way I do it, it's the same problem.
Regards
Adam
- Original Message - 
From: "Nyamul Hassan" 

To: "Squid Users" 
Sent: Thursday, May 06, 2010 1:18 AM
Subject: Re: [squid-users] SSH not working With Squid3.0


Are you trying to do SSH to the servers using their FQDN? Or IP Address?

Regards
HASSAN



On Thu, May 6, 2010 at 02:31, a...@gmail  wrote:


Hi,
Yes, I have searched why, but could not find out why; not in the log, not
anywhere else.


Tried with iptables, with the router, same thing.
How do I know?
Ok, if I shut down the proxy machine and completely remove it from the
network and try again, there are absolutely no problems in connecting to all my ssh
servers,

but when I run the proxy server the problem comes back; how about that?

I know it is the proxy server, what I don't know is why?
Any ideas please?
Thanks
- Original Message - From: "John Doe" 
To: 
Sent: Wednesday, May 05, 2010 12:40 PM
Subject: Re: [squid-users] SSH not working With Squid3.0



From: "a...@gmail" 


even if I try internally to access the other machine's SSH
servers the connection is refused


Fix that first... Searched why it is refused?
And why do you say it is squid fault?

JD


Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread John Doe
From: "a...@gmail" 
> Yes, I have searched why, but could not find out why; not in the log, not
> anywhere else.
> Tried with Iptables, with router same thing.
> How do I know?
> Ok if I shut down the proxy machine and completely remove it from the 
> network and try again absolutely no problems in connecting to all my ssh 
> serversbut when I run the proxy server, the problem comes back how about 
> that?
> I know it is the proxy server, what I don't know is why?

ok, so it is not a squid problem, but a server problem...
Tried ssh -v (or -vv, -vvv)?
What's the denied message in sshd logs?
If you don't describe your setup (topology, routing, iptables rules...), we can 
barely try to guess...

JD




Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread Nyamul Hassan
Is their IP reachable from the host you are trying to access SSH from?
Regards
HASSAN


On Thu, May 6, 2010 at 14:51, a...@gmail  wrote:
>
> I have tried to use their FQDN, have tried using their IP addresses, have
> tried locally.
> Connection refused; whichever way I do it, it's the same problem.
> Regards
> Adam
> - Original Message - From: "Nyamul Hassan" 
> To: "Squid Users" 
> Sent: Thursday, May 06, 2010 1:18 AM
> Subject: Re: [squid-users] SSH not working With Squid3.0
>
>
> Are you trying to do SSH to the servers using their FQDN? Or IP Address?
>
> Regards
> HASSAN
>
>
>
> On Thu, May 6, 2010 at 02:31, a...@gmail  wrote:
>>
>> Hi,
>> Yes I have searched why but could not find why not in the log not anywhere 
>> else.
>>
>> Tried with Iptables, with router same thing.
>> How do I know?
>> Ok if I shut down the proxy machine and completely remove it from the 
>> network and try again absolutely no problems in connecting to all my ssh 
>> servers
>> but when I run the proxy server, the problem comes back how about that?
>>
>> I know it is the proxy server, what I don't know is why?
>> Any ideas please?
>> Thanks
>> - Original Message - From: "John Doe" 
>> To: 
>> Sent: Wednesday, May 05, 2010 12:40 PM
>> Subject: Re: [squid-users] SSH not working With Squid3.0
>>
>>
>>> From: "a...@gmail" 
>>>
>>>> even if I try internally to access the other machine's SSH
>>>> servers the connection is refused
>>>
>>> Fix that first... Searched why it is refused?
>>> And why do you say it is squid fault?
>>>
>>> JD
>>>
>>>
>>>
>>
>>
>
>


[squid-users] High latency through squid

2010-05-06 Thread Tomasz
Hello,
I have problem with latest squid versions.

The problem is high latency through squid. Numion.com surfspeed gives 2x better 
results without squid (I tested squid with and without the cache_dir option).


Server config:
8GB of RAM,
Intel(R) Core(TM)2 Duo CPU E6850  @ 3.00GHz
3x 40GB WD Raptor


My SQUID config:
access_log /var/log/squid/access.log squid
acl bad url_regex "/etc/squid/bad.url"
acl baza_danych src xx.xx.xx.xx/32
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32 xx.xx.xx.xx/32
acl manager proto cache_object
acl our_networks src xx.xx.xx.xx/24 xx.xx.xx.xx/24 xx.xx.xx.xx/24 xx.xx.xx.xx/24 10.0.0.0/8
acl purge method PURGE
acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex cgi-bin \?
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 21  # ftp
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 70  # gopher
acl Safe_ports port 777 # multiling http
acl Safe_ports port 80  # http
acl Safe_ports port 901 # SWAT
acl SSL_ports port 443
acl to_localhost dst 127.0.0.0/8
acl zabronione dstdomain www.pogodynka.pl www.google.pl www.google.com
buffered_logs on
cache deny QUERY
cache deny QUERY
cache deny zabronione
cache_dir aufs /var/cache/squid/dysk1 8000 16 256
cache_dir aufs /var/cache/squid/dysk2 8000 16 256
cache_dir aufs /var/cache/squid/dysk3 8000 16 256
cache_log /var/log/squid/cache.log
cache_mem 3500 MB
cache_mgr ad...@abp.pl
cache_replacement_policy lru
cache_store_log none
cache_swap_high 97
cache_swap_low 92
client_db off
coredump_dir none
error_directory /usr/share/squid/errors/pl
forwarded_for on
half_closed_clients on
hierarchy_stoplist cgi-bin ?
http_access allow manager our_networks
http_access allow our_networks
http_access allow purge localhost
http_access deny all
http_access deny bad
http_access deny CONNECT !SSL_ports
http_access deny localhost
http_access deny manager localhost
http_access deny purge
http_access deny !Safe_ports
http_port 82.160.202.14:3128 transparent
icp_access allow all
logfile_rotate 30
maximum_object_size 3 KB
maximum_object_size_in_memory 128 KB
max_open_disk_fds 32768
memory_pools off
memory_replacement_policy lru
p
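In the config above, `http_access allow our_networks` is listed before `deny all`, `deny CONNECT !SSL_ports` and `deny !Safe_ports`; since Squid evaluates http_access lines top-down and the first matching line decides, the port checks are never reached for clients in our_networks. The following example is added by the editor (not code from the thread or the Squid project) and models that first-match evaluation on a constructed subset of the posted rules; the 192.0.2.0/24 network and the port list are assumed stand-ins for the xx.xx.xx.xx ranges.

```python
"""First-match evaluation of Squid http_access rules.

Added example, not code from the thread or the Squid project. It models the
documented semantics: http_access lines are tested in file order, the first
line whose ACLs all match decides, a leading '!' negates one ACL, and when
nothing matches the default is the opposite of the last line. Only the src,
port and method ACL types used below are modelled; 192.0.2.0/24 is a
constructed stand-in for the xx.xx.xx.xx ranges in the post.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP address
    port: int     # destination port of the request (or CONNECT target)
    method: str


# Rule order as in the posted config (the list was sorted alphabetically).
POSTED_ORDER = """
acl all src 0.0.0.0/0
acl our_networks src 192.0.2.0/24
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
http_access allow our_networks
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
"""

# The same rules with the port checks placed before the network allow.
SAFE_ORDER = """
acl all src 0.0.0.0/0
acl our_networks src 192.0.2.0/24
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions and http_access lines (in file order)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError("ACL type not modelled: " + kind)


def decide(acls, rules, req):
    """Return (action, index of the deciding http_access line or None)."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, n, req) != negated for negated, n in terms):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


def compare(req):
    """Decision under the posted order vs. the reordered rules."""
    return (decide(*parse_conf(POSTED_ORDER), req)[0],
            decide(*parse_conf(SAFE_ORDER), req)[0])


if __name__ == "__main__":
    for r in (Request("192.0.2.10", 8443, "CONNECT"),
              Request("192.0.2.10", 25, "CONNECT"),
              Request("198.51.100.7", 80, "GET")):
        print(r, compare(r))
```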

[squid-users] Increasing File Descriptors

2010-05-06 Thread Bradley, Stephen W. Mr.
I can't seem to increase the number above 32768 no matter what I do.

Ulimit during compile, sysctl.conf and everything else but no luck.


I have about 5,000 users on a 400mbit connection.

Steve

RHEL5 64bit with Squid 3.1.1

Re: [squid-users] Increasing File Descriptors

2010-05-06 Thread Ivan .
worked for me

http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/

no recompile necessary


On Thu, May 6, 2010 at 7:13 PM, Bradley, Stephen W. Mr.
 wrote:
> I can't seem to increase the number above 32768 no matter what I do.
>
> Ulimit during compile, sysctl.conf and everything else but no luck.
>
>
> I have about 5,000 users on a 400mbit connection.
>
> Steve
>
> RHEL5 64bit with Squid 3.1.1


Re: [squid-users] High latency through squid

2010-05-06 Thread Amos Jeffries

Tomasz wrote:

Hello,
I have problem with latest squid versions.


Which "latest"?
 'tis very flexible.



The problem is high latency through squid. Numion.com surfspeed gives 2x better 
results without squid (I tested squid with and without the cache_dir option).



Server config:
8GB of RAM,
Intel(R) Core(TM)2 Duo CPU E6850  @ 3.00GHz
3x 40GB WD Raptor


My SQUID config:
access_log /var/log/squid/access.log squid
acl bad url_regex "/etc/squid/bad.url"
acl baza_danych src xx.xx.xx.xx/32
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32 xx.xx.xx.xx/32
acl manager proto cache_object
acl our_networks src xx.xx.xx.xx/24 xx.xx.xx.xx/24 xx.xx.xx.xx/24 xx.xx.xx.xx/24 10.0.0.0/8
acl purge method PURGE
acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex cgi-bin \?
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 21  # ftp
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 70  # gopher
acl Safe_ports port 777 # multiling http
acl Safe_ports port 80  # http
acl Safe_ports port 901 # SWAT
acl SSL_ports port 443
acl to_localhost dst 127.0.0.0/8
acl zabronione dstdomain www.pogodynka.pl www.google.pl www.google.com
buffered_logs on
cache deny QUERY
cache deny QUERY
cache deny zabronione
cache_dir aufs /var/cache/squid/dysk1 8000 16 256
cache_dir aufs /var/cache/squid/dysk2 8000 16 256
cache_dir aufs /var/cache/squid/dysk3 8000 16 256
cache_log /var/log/squid/cache.log
cache_mem 3500 MB
cache_mgr ad...@abp.pl
cache_replacement_policy lru
cache_store_log none
cache_swap_high 97
cache_swap_low 92
client_db off
coredump_dir none
error_directory /usr/share/squid/errors/pl
forwarded_for on
half_closed_clients on
hierarchy_stoplist cgi-bin ?
http_access allow manager our_networks
http_access allow our_networks
http_access allow purge localhost
http_access deny all
http_access deny bad
http_access deny CONNECT !SSL_ports
http_access deny localhost
http_access deny manager localhost
http_access deny purge
http_access deny !Safe_ports
http_port 82.160.202.14:3128 transparent
icp_access allow all
logfile_rotate 30
maximum_object_size 3 KB
maximum_object_size_in_memory 128 KB
max_open_disk_fds 32768
memory_pools off
memory_replac

Re: [squid-users] High latency through squid

2010-05-06 Thread Tomasz
On Thursday, 06 May 2010 at 11:26:56, Amos Jeffries wrote:
> Tomasz wrote:
> > Hello,
> > I have problem with latest squid versions.
>
> Which "latest"?
>   'tis very flexible.
3.0+ and 3.1+

Few months ago I used squid 2.7.

Regards,
-- 
Tomasz


Re: [squid-users] High latency through squid

2010-05-06 Thread Nyamul Hassan
For forward proxy configuration, Squid 2.7 still offers the best
overall performance.

Regards
HASSAN



2010/5/6 Tomasz :
> On Thursday, 06 May 2010 at 11:26:56, Amos Jeffries wrote:
>> Tomasz wrote:
>> > Hello,
>> > I have problem with latest squid versions.
>>
>> Which "latest"?
>>   'tis very flexible.
> 3.0+ and 3.1+
>
> Few months ago I used squid 2.7.
>
> Regards,
> --
> Tomasz
>
>


Re: [squid-users] High latency through squid

2010-05-06 Thread Tomasz
On Thursday, 06 May 2010 at 11:39:08, you wrote:
> For forward proxy configuration, Squid 2.7 still offers the best
> overall performance.
>
So I should go back to Squid 2.7 for the best transparent forward proxy 
performance?

Regards,
-- 
Tomasz


Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread a...@gmail

Hi,
Yes, I can ping their IPs
They are reachable internally and externally
The reason I am asking here is that I am hoping someone who had a similar problem 
in the past might be able to help,
or perhaps there is something I need to do with the Squid's config in order to 
successfully reach these SSH servers.


Logically speaking, Squid should not interfere with SSH connections, should 
it?

But in my case I know it does.
The only SSH I can access internally or externally is the SSH server that is 
running on the same box as Squid


Regards
Adam

- Original Message - 
From: "Nyamul Hassan" 

To: "Squid Users" 
Sent: Thursday, May 06, 2010 10:01 AM
Subject: Re: [squid-users] SSH not working With Squid3.0



Is their IP reachable from the host your are trying to access SSH?
Regards
HASSAN


On Thu, May 6, 2010 at 14:51, a...@gmail  wrote:


I have tried to use their FQDN, have tried using their IP addresses, have 
tried locally.

Connection refused; whichever way I do it, it's the same problem.
Regards
Adam
- Original Message - From: "Nyamul Hassan" 
To: "Squid Users" 
Sent: Thursday, May 06, 2010 1:18 AM
Subject: Re: [squid-users] SSH not working With Squid3.0


Are you trying to do SSH to the servers using their FQDN? Or IP Address?

Regards
HASSAN



On Thu, May 6, 2010 at 02:31, a...@gmail  wrote:


Hi,
Yes, I have searched why, but could not find out why; not in the log, not 
anywhere else.


Tried with Iptables, with router same thing.
How do I know?
Ok if I shut down the proxy machine and completely remove it from the 
network and try again absolutely no problems in connecting to all my ssh 
servers

but when I run the proxy server, the problem comes back how about that?

I know it is the proxy server, what I don't know is why?
Any ideas please?
Thanks
- Original Message - From: "John Doe" 
To: 
Sent: Wednesday, May 05, 2010 12:40 PM
Subject: Re: [squid-users] SSH not working With Squid3.0



From: "a...@gmail" 


even if I try internally to access the other machine's SSH
servers the connection is refused


Fix that first... Searched why it is refused?
And why do you say it is squid fault?

JD



Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread a...@gmail

Ok I'll try and describe it the best I can.

I have a router LinkSys/Cisco

This is how it goes:

Internet > [ISP-Modem]   (LocalNetwork )

Local Network > Machine1 Machine2  Machine3 Machine4 Machine5 Machine6

Machine1 = SQUID3.0
Machine2 = Mail-Server
Machine3 = Webserver1
Machine4 = Webserver2
Machine5 = DNS server
Machine6 = Other services (Chat server)

And 3 Windows Clients

In All There are 9 Machines



I can access these machines except via SSH
Even though I have forwarded requests to each machine's SSH port


Now for the errors
When I try internally to connect to any of the SSH servers I get this error

Let's say the only accessible SSH is the one running on the Squid's machine 
it has a port number , ok?


Now if I want to ssh machine 192.168.1.3 on port 2224
ssh 192.168.1.3 2224

I get the following

connect to host 192.168.1.3 port : Connection refused

Do you see what I mean even though I do specify the port number of the 
machine which in this case is the port 2224
But I get the error message replying with the Squid's port number , and 
that is regardless from which machine I am trying to send the SSH request


And from outside

I get "Network Error Connection refused" if I try with putty for example:

But if I turn off Squid's machine and unplug it from the network, I have 
absolutely no problem accessing these servers.


Very strange

Regards
Adam

- Original Message - 
From: "John Doe" 

To: 
Sent: Thursday, May 06, 2010 9:55 AM
Subject: Re: [squid-users] SSH not working With Squid3.0



From: "a...@gmail" 

Yes I have searched why but could not find why not in the log not
anywhere else.
Tried with Iptables, with router same thing.
How do I know?
Ok if I shut down the proxy machine and completely remove it from the
network and try again absolutely no problems in connecting to all my ssh
serversbut when I run the proxy server, the problem comes back how about
that?
I know it is the proxy server, what I don't know is why?


ok, so it is not a squid problem, but a server problem...
Tried ssh -v (or -vv, -vvv)?
What's the denied message in sshd logs?
If you don't describe your setup (topology, routing, iptables rules...), 
we can barely try to guess...


JD







Re: [squid-users] Squid 2.7 without signature

2010-05-06 Thread marcus
On Wednesday 05 May 2010 19:31:37 you wrote:
> It requires patching the source; see errorpage.c, look for
> 'ERR_SQUID_SIGNATURE'.
> 

I'm running squid on a Debian Lenny system. I made my squid installation from the 
Debian repositories, not source files. So, I didn't find errorpage.c or the 
ERR_SQUID_SIGNATURE file.


> I'd support making it possible to suppress this (or turn it into an HTML
> comment, as I've done) via configuration.
> 

How?

Anyway, at the moment, showing my squid version to my clients isn't a big deal.

BTW, an upgrade to squid3 fixes it. Doesn't it?

> Cheers,

Thanks for reply.


> 
> On 05/05/2010, at 10:14 PM, marcus wrote:
> > Hi,
> > 
> > Due to security reasons, I would like my default error page without the
> > squid signature.
> > I could already customize my error page and display it, but I don't know how
> > to remove the signature at the page bottom.
> > 
> > Is it possible? The best I could make was a short signature using %s tag.
> > 
> > Regards,
> > Marcus D
> 
> --
> Mark Nottingham   m...@yahoo-inc.com



RE: [squid-users] Best policy to allow only proxy surfing

2010-05-06 Thread Boniforti Flavio
Hello Glenn,

[cut]

> > Good luck, but still I confess that I *may be* switching to this
> > suggestion of yours too! ;-)
> 
> Use default deny and break up the logic into chains (within 
> reason). Makes things a lot easier to maintain. Did for me, anyway.

glad to share some thoughts... We will eventually re-discuss issues on
this list ;-)

Regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread John Doe
From: "a...@gmail" 
> Internet > [ISP-Modem]   (LocalNetwork )
> Local Network > Machine1 Machine2  Machine3 Machine4 Machine5 Machine6
> Machine1 = SQUID3.0
> Machine2= Mail-Server
> ...
> I can access these machines except via SSH
> Even though I have forwarded requests to each machine's SSH port

Forwarded requests?
We were talking about local sshing... right?
Why would you forward, how, and from where to where?
Are you talking about ssh from the Internet to the local network, through the 
firewall?
I did ask if local ssh was working...  Is it?
If you go on a local machine and try to ssh to another local machine, does it 
work?

> Do you see what I mean even though I do specify the port number 
> of the machine which in this case is the port 2224
> But I get the error message replying with the Squid's port number , 
> and that is regardless from which machine I am trying to send the SSH request

No, I don't understand how this squid server would magically capture all the 
packets...
If from machine A I try to ssh to machine B, the packet will go to machine B 
directly.
Unless I am wrong, it will only go through the gateway if the target IP network 
is different.
We still miss information, like routing, forwarding rules, etc...
Try to follow the packets' routes.
Maybe you will need to look at tcpdumps...

JD




Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread Jakob Curdes


> But if I turn off Squid's machine and unplug it from the network, I 
> have absolutely no problem accessing these servers.


What happens if you just shut down the squid service? Does the strange 
behavior remain or vanish?


JC


Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread a...@gmail


- Original Message - 
From: "John Doe" 

To: 
Sent: Thursday, May 06, 2010 3:04 PM
Subject: Re: [squid-users] SSH not working With Squid3.0



From: "a...@gmail" 

Internet > [ISP-Modem]   (LocalNetwork )
Local Network > Machine1 Machine2  Machine3 Machine4 Machine5 Machine6
Machine1 = SQUID3.0
Machine2= Mail-Server
...
I can access these machines except via SSH
Even though I have forwarded requests to each machine's SSH port


Forwarded requests?
We were talking about local sshing... right?
Why would you forward, how, and from where to where?
Are you talking about ssh from the Internet to the local network, through 
the firewall?

I did ask if local ssh was working...  Is it?
If you go on a local machine and try to ssh to another local machine, does 
it work?


I was talking about both from the internet and the local Network
I did explain that from the local if I do

ssh 192.168.1.6  on port 2224
I get the error message
ssh host 192.168.1.6 port  connection refused

And the port  is the port of the machine on which the proxy server runs

it doesn't matter from which machine I am trying to ssh another machine
I get the same error message:

As if my entire network is locked into one ssh port and that is the ssh  
which also runs the router

Do you see what I mean even though I do specify the port number
of the machine which in this case is the port 2224
But I get the error message replying with the Squid's port number ,
and that is regardless from which machine I am trying to send the SSH 
request


No, I don't understand how this squid server would magicaly capture all 
the packets...
If from machine A I try to ssh to machine B, the packet will go to machine 
B directly.
Unless I am wrong, it will only go through the gateway if the target IP 
network is different.

We still miss information, like routing, forwarding rules, etc...
try to follow the packets routes.
Maybe you will need to look at tcpdumps...


Yes, normally when you ssh to a machine internally you don't need rerouting or 
forwarding.
I am not saying I have forwarded the internal requests; I forwarded requests 
coming from the internet,

for instance using clients such as putty etc.

But no connection is allowed either internally or externally.

I hope that helps.


JD

Regards

Adam



[squid-users] squid in load balanced wccpv2 configuration

2010-05-06 Thread Jiffy 1111
Hi, all,

In a nutshell, I am trying to install squid as a third proxy to alleviate some 
pressure from our two Bluecoat proxies into a currently working wccpv2 
configuration.
We now have 5000+ users.

My current squid configuration works perfectly fine in explicit mode.
The problem I am having, is that squid can't seem to join the wccp service 
groups.
I've tried the configuration examples from 
http://wiki.squid-cache.org/ConfigExamples/ to no avail.

We have two Cisco 6513's in our core and we are using wccp to load balance 
between the proxies.

I'm posting my sanitized configs hoping someone can shed some light on this and 
show me what my squid.conf, iptables and network interfaces should look like.
I would also appreciate any recommended settings for memory and disk use based 
on the hardware spec I am posting. This server will be dedicated to squid.

Server:
cat /etc/redhat-release
Fedora release 12 (Constantine)

rpm -qa squid
squid-3.1.1-1.fc12.i686

4 x Intel(R) Xeon(R) CPU 5160  @ 3.00GHz

free -m
             total
Mem:          7991

600 Gig on /var

ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up

ifconfig
eth0
inet addr:x.x.1.77  Bcast:x.x.1.127  Mask:255.255.255.192

wccp1
inet addr:x.x.1.76  P-t-P:x.x.1.76  Mask:255.255.255.192

iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -F -t nat
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination x.x.1.77:5
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT 
--to-destination x.x.1.77:20
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT 
--to-destination x.x.1.77:21
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT 
--to-destination x.x.1.77:443
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT 
--to-destination x.x.1.77:1755
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT 
--to-destination x.x.1.77:7070

from server:
ping -c 4 x.x.0.1
PING x.x.0.1 (x.x.0.1) 56(84) bytes of data.
64 bytes from x.x.0.1: icmp_seq=1 ttl=255 time=0.396 ms
64 bytes from x.x.0.1: icmp_seq=2 ttl=255 time=0.363 ms
64 bytes from x.x.0.1: icmp_seq=3 ttl=255 time=0.298 ms
64 bytes from x.x.0.1: icmp_seq=4 ttl=255 time=0.283 ms

ping -c 4 x.x.0.2
PING x.x.0.2 (x.x.0.2) 56(84) bytes of data.
64 bytes from x.x.0.2: icmp_seq=1 ttl=255 time=3.20 ms
64 bytes from x.x.0.2: icmp_seq=2 ttl=255 time=3.06 ms
64 bytes from x.x.0.2: icmp_seq=3 ttl=255 time=3.33 ms
64 bytes from x.x.0.2: icmp_seq=4 ttl=255 time=3.19 ms

squid.conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl localnet src x.x.0.0/16 # Our network

acl SSL_ports port 443  # SSL
acl SSL_ports port 8082 # Bluecoat administration
acl SSL_ports port 9443 # Websense administration
acl SSL_ports port 81   # alternate https
acl SSL_ports port 81   # alternate http

acl Safe_ports port 80  # http
acl Safe_ports port 20  # ftp
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080        # Alternate http
acl Safe_ports port 8000        # Alternate http
acl Safe_ports port 7070        # Streaming

acl CONNECT method CONNECT

acl donotscan dstdomain .yahoo.com
acl donotscan dstdomain .google.com
acl donotscan dstdomain .microsoft.com

http_access allow manager localhost

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

http_port x.x.1.77:5 transparent vport=80
http_port x.x.1.77:443 transparent vport=443
http_port x.x.1.77:20 transparent vport=20
http_port x.x.1.77:21 transparent vport=21
http_port x.x.1.77:1755 transparent vport=1755
http_port x.x.1.77:7070 transparent vport=7070

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20

[squid-users] TCP_MISS/000 0 POST

2010-05-06 Thread Nick Cairncross
Hi,

I have a TCP_MISS 000 error being reported for users in the 172.16.0.0 subnet 
attempting to upload files to a particular internet site. I understand that 000 
indicates that the request has been aborted before it could complete? The exact 
error is:

TCP_MISS/000 0 POST http://[domain removed ]/fileuploads? - DIRECT/domain 
removed

I have also tried sending direct via the Squid to no avail - if I bypass the 
Squid entirely it works ok.

Any help gratefully received!

Nick
---
My squid conf is:

http_port vh-squid1:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

cache_peer [upstreamserver] parent 8080 0 no-query proxy-only no-digest default

icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 allow all

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
useragent_log /var/log/squid/useragent.log

delay_pools 1
delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 400/400

acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt"
acl MSNMessenger browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt"
acl AuthenticatedUsers proxy_auth REQUIRED
acl URL_ALLOWDstDomains dstdomain "/etc/squid/ACL/URL/URL_ALLOWDstDomains.txt"
acl CNP_172SUBNETS src 172.16.0.0/255.255.0.0
acl CNP_SERVERSUBNETS src 172.16.10.0/255.255.255.0
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"
acl SENDDIRECT_DstDomains dstdomain 
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
acl SENDDIRECT_IPAddresses src 
"/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"
acl IP_CONNECTALLOW src "/etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt"
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935# RTMP

acl CONNECT method CONNECT
acl POST method POST

http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS
http_access deny iTunes !CNP_172SUBNETS
http_access deny Java_jvm !CNP_172SUBNETS

http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS
http_access allow iTunes CNP_172SUBNETS
http_access allow Java_jvm CNP_172SUBNETS
http_access allow URL_ALLOWDstDomains

http_access allow AuthenticatedUsers
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
http_access allow localhost

delay_access 1 allow AuthenticatedUsers !CNP_SERVERSUBNETS
delay_access 1 deny all

http_access deny to_localhost
never_direct allow all
snmp_access deny CNP_172SUBNETS
cache deny all
http_access deny all



Re: [squid-users] SSH not working With Squid3.0

2010-05-06 Thread Jakob Curdes

>>> Even though I have forwarded requests to each machine's SSH port
>>
>> What exactly does that mean?
>
> Yes, normally when you ssh to a machine internally you don't need
> rerouting or forwarding. I am not saying I have forwarded the internal
> requests; I forwarded requests coming from the internet, for instance
> using clients such as PuTTY etc.
>
> But no connection is allowed either internally or externally.

Well, you can forward the official SSH port 22 only once to one of the
internal machines.
I am pretty sure there is some error in your port forwarding setup. To
prove this, try to stop squid (not the whole server, just the squid
process) and re-check ssh access. If the problems remain, you have an
error in your firewalling/forwarding/gateway setup.


JC


RE: [squid-users] Increasing File Descriptors

2010-05-06 Thread Bradley, Stephen W. Mr.
Unfortunately it won't work for me above 32768.

I have the ulimit in the startup script and that works okay, but I need more than
32768.

:-(



-Original Message-
From: Ivan . [mailto:ivan...@gmail.com] 
Sent: Thursday, May 06, 2010 5:17 AM
To: Bradley, Stephen W. Mr.
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Increasing File Descriptors

worked for me

http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/

no recompile necessary


On Thu, May 6, 2010 at 7:13 PM, Bradley, Stephen W. Mr.
 wrote:
> I can't seem to increase the number above 32768 no matter what I do.
>
> Ulimit during compile, sysctl.conf and everything else but no luck.
>
>
> I have about 5,000 users on a 400mbit connection.
>
> Steve
>
> RHEL5 64bit with Squid 3.1.1


Re: [squid-users] Increasing File Descriptors

2010-05-06 Thread George Herbert
Do this:

ulimit -Hn

If the value is 32768 that's your current kernel/sys max value and
you're stuck.

If it's more than 32768 (and my RHEL 5.3 box says 65536) then you
should be able to increase up to that value.  Unless there's an
internal signed 16-bit int involved in FD tracking inside the Squid
code then something curious is happening...

However - I'm curious as to why you'd need that many.  I've had top
end systems with Squid clusters running with compiles of 16k file
descriptors and only ever really used 4-5k.  What are you doing that
you need more than 32k?


-george

On Thu, May 6, 2010 at 10:32 AM, Bradley, Stephen W. Mr.
 wrote:
> Unfortunately it won't work for me above 32768.
>
> I have the ulimit in the startup script and that works okay, but I need more
> than 32768.
>
> :-(
>
>
>
> -Original Message-
> From: Ivan . [mailto:ivan...@gmail.com]
> Sent: Thursday, May 06, 2010 5:17 AM
> To: Bradley, Stephen W. Mr.
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Increasing File Descriptors
>
> worked for me
>
> http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/
>
> no recompile necessary
>
>
> On Thu, May 6, 2010 at 7:13 PM, Bradley, Stephen W. Mr.
>  wrote:
>> I can't seem to increase the number above 32768 no matter what I do.
>>
>> Ulimit during compile, sysctl.conf and everything else but no luck.
>>
>>
>> I have about 5,000 users on a 400mbit connection.
>>
>> Steve
>>
>> RHEL5 64bit with Squid 3.1.1
>



-- 
-george william herbert
george.herb...@gmail.com


Re: [squid-users] Increasing File Descriptors

2010-05-06 Thread Nyamul Hassan
He needs more FDs because this single box is handling 5000 users over
a 400mbps connection.  We run around 2,000 users on generic hardware,
and have seen FDs as high as 20k.

We use CentOS 5 and the following guide is a good place to increase
the FD limit:
http://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
The command "cat /proc/sys/fs/file-max" shows how many maximum FDs
your OS can handle.

After you've made sure that your OS is doing your desired FD limit,
please re-run Squid.  Squid shows how many FDs it is configured for in
its "General Runtime Information" (mgr:info in cli) from the CacheMgr
interface.  If this still shows lower than the OS limit you just saw
earlier, then you might need to recompile Squid with the
'--with-maxfd=' flag set during "./configure"

As a side note, if you are using Squid as a forward proxy, you might
have better results with Squid 2.7.x.

Regards
HASSAN


On Fri, May 7, 2010 at 00:53, George Herbert  wrote:
>
> Do this:
>
> ulimit -Hn
>
> If the value is 32768 that's your current kernel/sys max value and
> you're stuck.
>
> If it's more than 32768 (and my RHEL 5.3 box says 65536) then you
> should be able to increase up to that value.  Unless there's an
> internal signed 16-bit int involved in FD tracking inside the Squid
> code then something curious is happening...
>
> However - I'm curious as to why you'd need that many.  I've had top
> end systems with Squid clusters running with compiles of 16k file
> descriptors and only ever really used 4-5k.  What are you doing that
> you need more than 32k?
>
>
> -george
>
> On Thu, May 6, 2010 at 10:32 AM, Bradley, Stephen W. Mr.
>  wrote:
> > Unfortunately it won't work for me above 32768.
> >
> > I have the ulimit in the startup script and that works okay, but I need more
> > than 32768.
> >
> > :-(
> >
> >
> >
> > -Original Message-
> > From: Ivan . [mailto:ivan...@gmail.com]
> > Sent: Thursday, May 06, 2010 5:17 AM
> > To: Bradley, Stephen W. Mr.
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] Increasing File Descriptors
> >
> > worked for me
> >
> > http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/
> >
> > no recompile necessary
> >
> >
> > On Thu, May 6, 2010 at 7:13 PM, Bradley, Stephen W. Mr.
> >  wrote:
> >> I can't seem to increase the number above 32768 no matter what I do.
> >>
> >> Ulimit during compile, sysctl.conf and everything else but no luck.
> >>
> >>
> >> I have about 5,000 users on a 400mbit connection.
> >>
> >> Steve
> >>
> >> RHEL5 64bit with Squid 3.1.1
> >
>
>
>
> --
> -george william herbert
> george.herb...@gmail.com
>
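The procedure spread across this thread (check fs.file-max, check the hard ulimit, then compare against the "Maximum number of file descriptors" line of mgr:info, and rebuild with --with-maxfd= only if Squid's own figure is the low one) as one added script. It is not from any poster; it assumes a Linux /proc layout, pidof(8), and squidclient able to reach the cache manager on SQUID_HOST:SQUID_PORT without a password. It reads the hard limit of the running squid process from /proc/PID/limits rather than from the shell, because a ulimit in the init script only helps if it actually reaches the daemon.

```python
import os
import re
import resource
import subprocess
from typing import Dict, List, Optional

SQUID_HOST = os.environ.get("SQUID_HOST", "127.0.0.1")   # assumption
SQUID_PORT = os.environ.get("SQUID_PORT", "3128")        # assumption

# "Maximum number of file descriptors:" is the line Squid prints in the
# "File descriptor usage for squid" block of mgr:info.
MGR_MAX_FD = re.compile(r"^\s*Maximum number of file descriptors:\s*(\d+)", re.M)
# /proc/PID/limits: "Max open files  <soft>  <hard>  files"
PROC_NOFILE = re.compile(r"^Max open files\s+(\d+|unlimited)\s+(\d+|unlimited)", re.M)


def parse_mgr_max_fd(text: str) -> Optional[int]:
    """Squid's compiled/configured ceiling, or None if the line is absent."""
    m = MGR_MAX_FD.search(text)
    return int(m.group(1)) if m else None


def parse_proc_limits(text: str) -> Optional[int]:
    """Hard NOFILE limit from /proc/PID/limits text; None if absent or unlimited."""
    m = PROC_NOFILE.search(text)
    if not m or m.group(2) == "unlimited":
        return None
    return int(m.group(2))


def lowest(limits: Dict[str, Optional[int]]) -> Optional[str]:
    """Name of the lowest known ceiling; None entries are unknown or unlimited."""
    known = {k: v for k, v in limits.items() if v is not None}
    return min(known, key=known.__getitem__) if known else None


def read_file(path: str) -> str:
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return ""


def run(cmd: List[str], timeout: int = 10) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              check=False, timeout=timeout).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def collect() -> Dict[str, Optional[int]]:
    limits: Dict[str, Optional[int]] = {}
    raw = read_file("/proc/sys/fs/file-max").strip()
    limits["fs.file-max (kernel)"] = int(raw) if raw.isdigit() else None
    hard = resource.getrlimit(resource.RLIMIT_NOFILE)[1]
    limits["hard NOFILE (this process)"] = None if hard == resource.RLIM_INFINITY else hard
    pids = run(["pidof", "squid"]).split()
    if pids:
        limits[f"hard NOFILE (squid pid {pids[0]})"] = parse_proc_limits(
            read_file(f"/proc/{pids[0]}/limits"))
    limits["squid mgr:info maximum"] = parse_mgr_max_fd(
        run(["squidclient", "-h", SQUID_HOST, "-p", SQUID_PORT, "mgr:info"]))
    return limits


def main() -> None:
    limits = collect()
    for name, value in limits.items():
        print(f"{name:36s} {value if value is not None else '?'}")
    low = lowest(limits)
    print(f"lowest ceiling: {low}")
    if low and low.startswith("squid mgr:info"):
        print("Squid itself is the bottleneck: rebuild with --with-maxfd=N "
              "(or raise max_filedescriptors if your release provides it).")
    elif low and "squid pid" in low:
        print("The daemon's hard limit is the bottleneck: the init script's "
              "ulimit is not reaching the squid process.")


if __name__ == "__main__":
    main()
```

If the lowest ceiling is the kernel's fs.file-max, raise it with sysctl first; if it is the daemon's own hard limit while the shell's is higher, the limit is being set in the wrong place (for example in a profile the init script never sources).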


Re: [squid-users] Squid 2.7 without signature

2010-05-06 Thread Amos Jeffries

marcus wrote:
> On Wednesday 05 May 2010 19:31:37 you wrote:
>> It requires patching the source; see errorpage.c, look for
>> 'ERR_SQUID_SIGNATURE'.
>
> I'm running squid on a Debian Lenny system. I made my squid installation from
> the Debian repositories, not from source files. So I didn't find errorpage.c or
> the ERR_SQUID_SIGNATURE file.
>
>> I'd support making it possible to suppress this (or turn it into an HTML
>> comment, as I've done) via configuration.
>
> How?

The old way "suppress_httpd_version on" turns off display of the
details of the exact Squid release version without losing the other
valuable timestamp+source info in the footer/signature.

> Anyway, at the moment, showing my squid version to my clients isn't a big deal.
>
> BTW, an upgrade to squid3 fixes it. Doesn't it?

The squid3 package in Lenny is 3.0, which has the same behaviour as 2.7.

The squid3 package (3.1) in Unstable (and Squeeze in a week or so
hopefully) allows configurable CSS control of the whole page.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


[squid-users] transparent redirect and http 302 redirects

2010-05-06 Thread Ethan Miller
Hi there -

I have a somewhat unusual project that's structured similar to the
upside-down-ternet
http://www.ex-parrot.com/pete/upside-down-ternet.html

In my case, we're looking for text patterns in html pages, then
replacing some text, saving the modified text locally (the same
machine runs squid and nginx), and then issuing the redirect for that
modified file.

This basically works - but there is some strange behavior on google
pages. Some images are broken and then clicking on a result gets you
another broken page, while a google URL remains in the address bar.

I have a simpler example that I think illustrates the issue: I use a
little custom php script for quicklinks that I can add as a search
engine in Firefox. It just takes a string like "g yreka" and issues a
302 redirect to a google search for yreka.

Note that "yreka" is a string of interest for the squid redirector
program. This doesn't happen with other strings that the redirector
does not act upon. (That said, the redirector script isn't looking at
the text in the URL, it's grabbing the page that was requested, and
searching for the text there.)

Without using the proxy, the request/response headers look like this:

GET /?unicmd=g+yreka HTTP/1.1


HTTP/1.1 302 Found
Date: Tue, 13 Apr 2010 05:15:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Location: http://www.google.com/search?q=yreka


When running through the proxy, it looks like this:

GET /?unicmd=g+yreka HTTP/1.1


HTTP/1.0 200 OK
Server: nginx/0.7.62
Date: Tue, 13 Apr 2010 05:21:10 GMT
Content-Type: text/html
Content-Length: 17865
Last-Modified: Tue, 13 Apr 2010 05:21:10 GMT
Accept-Ranges: bytes
X-Cache: MISS from jefferson
X-Cache-Lookup: HIT from jefferson:3128
Via: 1.1 jefferson:3128 (squid/2.7.STABLE6)
Connection: keep-alive
Proxy-Connection: keep-alive

In my browser, I still see the ?unicmd=g+yreka URL - but the page is
the modified google results page.

Hope the question is clear, apologies for the long first message. If
you're wondering why I would be doing such a thing, the project is
described here:
http://ethanmiller.name/projects/virtual_state_jefferson/

Thanks,
- Ethan Miller
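An added example, not the poster's redirector: a Squid 2.7 url_rewrite_program helper written to avoid the effect shown in the two header captures above. Squid hands the helper one line per request ("URL client_ip/fqdn user method [urlgroup ...]") and reads one line back: an empty line leaves the request alone, a bare URL rewrites it silently (the client keeps the original URL and receives whatever the new URL returns, which is why "?unicmd=g+yreka" stays in the address bar while the body is the rewritten Google page), and a URL prefixed with "302:" makes Squid send the client a redirect instead. This helper fetches the origin without following redirects, passes any 3xx through untouched so the browser follows it itself, and announces its own rewrites with "302:". Everything about where the copies live is an assumption, not from the post: DOCROOT is the directory nginx serves, SERVED_PREFIX the URL it serves it under, and PATTERN/REPLACEMENT are constructed stand-ins for the poster's text rules. The fetcher is passed in so the decision logic runs offline.

```python
import hashlib
import os
import re
import sys
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

DOCROOT = os.environ.get("REWRITE_DOCROOT", tempfile.gettempdir())               # assumption
SERVED_PREFIX = os.environ.get("REWRITE_PREFIX", "http://jefferson/rewritten/")  # assumption
PATTERN = re.compile(r"\byreka\b", re.IGNORECASE)   # constructed "string of interest"
REPLACEMENT = "Jefferson"                            # constructed replacement text

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (status code, body)


def parse_request_line(line: str) -> Optional[dict]:
    """One line of Squid 2.7 helper input: URL client_ip/fqdn user method [urlgroup ...]."""
    parts = line.strip().split()
    if len(parts) < 4:
        return None
    return {"url": parts[0], "client": parts[1], "user": parts[2], "method": parts[3]}


def rewrite_body(body: str) -> str:
    return PATTERN.sub(REPLACEMENT, body)


def store(body: str, url: str) -> str:
    """Write the rewritten page under a hash-derived name, never one built from
    client-supplied URL text (a path traversal vector), and return its URL."""
    name = hashlib.sha256(url.encode("utf-8")).hexdigest()[:16] + ".html"
    with open(os.path.join(DOCROOT, name), "w", encoding="utf-8") as fh:
        fh.write(body)
    return SERVED_PREFIX + name


def decide(line: str, fetch: Fetcher) -> str:
    """The helper's answer for one request line: '' (no change) or '302:URL'.
    A bare URL would be a silent rewrite, the behaviour that produced the
    symptom in the post, so this helper never returns one."""
    req = parse_request_line(line)
    if req is None or req["method"] != "GET":
        return ""
    status, body = fetch(req["url"])
    if 300 <= status < 400:
        # The origin answered with a redirect. Rewriting now would swallow it
        # and serve the followed page under the old URL; let the client follow.
        return ""
    if status != 200 or not PATTERN.search(body):
        return ""
    return "302:" + store(rewrite_body(body), req["url"])


def http_fetch(url: str) -> Tuple[int, str]:
    """Fetch without following redirects, so a 3xx is reported as a 3xx."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 3xx with redirects disabled, 4xx, 5xx
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def main() -> None:
    # Squid writes one request per line and waits for one answer per line;
    # flushing after each answer is mandatory or the helper appears to hang.
    for line in sys.stdin:
        sys.stdout.write(decide(line, http_fetch) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with url_rewrite_program pointing at the script. Because the helper fetches every GET a second time, it doubles origin traffic and will happily fetch internal addresses on the client's behalf; in the poster's setup (proxy and nginx on the same host) that makes the destination ACLs on the proxy the only thing standing between a client and services bound to that box.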