Re: [squid-users] SMP Scalability
On Tue, 25 May 2010 07:21:40 +0930, Kingsley Foreman wrote:
> Hi Guys,
>
> Just wondering how the progress for SMP Scalability is going.
>
> Its ETA is May 2010, according to the page
> http://wiki.squid-cache.org/Features/SmpScale
>
>
> Kingsley

The top layer restructuring is underway and progressing. Though I don't think it's going to make that particular expected ETA.

Cleanup for the other layers has also taken some great steps forward this month. Though there is a long way yet to go.

If you are interested enough, sponsorship for extra dev time would be very welcome. Contact Alex at The Measurement Factory.

Amos
Re: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
On Mon, 24 May 2010 11:44:06 -0700 (PDT), MM Gillon wrote:
> First I am new at working with networks. Most of the IT staff were
> downsized last year including the administrator. I am a database
> programmer. I like ubuntu and have an ubuntu database server. I am trying
> to use an ubuntu server as a squid proxy so that Windows workstations on a
> manufacturing floor can only go to company web sites on a whitelist. I am
> manually configuring the workstations to go to this proxy server. Squid3
> loads okay without error messages. I know it is seeing the whitelist.txt
> file because I get an error if the file is not present. However SQUID will
> not allow any addresses to load even those in the white list. Below is my
> squid.conf and my whitelist.txt file. The message in the Squid log is
> below. The message on the browser screen confirms that squid is blocking
> the address. I tried the same software and configuration on ubuntu 8.04 and
> had the same issues. Thank you.
>

I know it is a bit late and you already have a working solution. But here is my 2c on your config...

>
> 1274724540.610    193 192.168.100.9 TCP_DENIED/403 2710 GET
> http://www.unicef.org/ - NONE/- text/html
>
>
>
> #whitelist.txt
> .gov
> .sheepguardingllama.com
> .org
> .chromalloy.com
>
> #squid.conf
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0

The comma in the above is not valid squid.conf syntax. And CIDR is preferred.
That line should be:

  acl localnet src 192.168.100.0/24 192.168.101.0/24

> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
>
> http_access deny to_localhost
> icp_access deny all
> htcp_access deny all
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
>
> #We recommend you to use the following two lines.
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY lines are now obsolete. Use the refresh_pattern mentioned below.

>
> #Suggested default:
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440

Add this pattern right here in the sequence:

  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern .               0       20%     4320
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
>
> acl whitelist dstdomain "/etc/squid3/whitelist.txt"
>
> http_access deny !localnet
> http_access deny !whitelist
> http_access deny all

Alternative to the way you have now:

  # Allow localnet machines to whitelisted sites
  http_access allow localnet whitelist
  # block all other access
  http_access deny all

This is a better alternative to just "http_access allow whitelist" which would permit external people to visit the whitelisted sites as well as internal machines.

Amos
Re: [squid-users] NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
On Mon, 24 May 2010 14:12:01 +, sameer khan wrote:
> Hi
>
> i am getting this in my cache.log, what this error mean ? is there any
> misconfiguration ?
>
>
> clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not
> available
>
>
> My setup
>
> <*> Squid Cache: Version 2.7.STABLE6
> configure options: '--enable-async-io' '--enable-icmp' '--enable-snmp'
> '--enable-cache-digests' '--enable-follow-x-forwarded-for'
> '--enable-storeio=aufs,ufs,null,diskd,coss'
> '--enable-removal-policies=heap,lru' '--with-maxfd=65535'
> '--disable-ident-lookups' '--enable-truncate' '--enable-linux-tproxy'
> '--enable-linux-netfilter' '--enable-large-cache-files'
>
> <*> Kernel 2.6.31.13
>
> <*> Debian lenny 5.04
>
> machine is setup in bridge mode, with ip configured on br0 interface.
>
> any help will be much appreciated.

This message means that Squid received a request but the kernel has no NAT tracking information about its IP address.

In Squid-2.7 it appears on some requests if configuring both the "tproxy" and the "transparent" modes on the same port, or receiving normal proxy traffic directly on a "transparent" flagged port.

Amos
[squid-users] SMP Scalability
Hi Guys,

Just wondering how the progress for SMP Scalability is going.

Its ETA is May 2010, according to the page
http://wiki.squid-cache.org/Features/SmpScale

Kingsley
RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
That works! Thank you so much, you've made my day.

*** *** *** *** *** *** *** *** *** ***
Margaret G.

--- On Mon, 5/24/10, James Zuelow wrote:

> From: James Zuelow
> Subject: RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
> To: "squid-users@squid-cache.org"
> Date: Monday, May 24, 2010, 12:43 PM
>
> > -----Original Message-----
> > From: MM Gillon [mailto:margare...@yahoo.com]
> > Sent: Monday, 24 May, 2010 11:38
> > To: James Zuelow
> > Subject: RE: [squid-users] Squid3 on ubuntu 10.4 problem
> > using acl whitelist in external file
> >
> > Hi James,
> > I made the changes you suggested, restarted Squid, and now
> > nothing is being blocked.
> > *** *** *** *** *** *** *** *** *** ***
> > Margaret G.
> >
>
> Hmm. OK. That's my fault as I wasn't paying attention to the localnet line.
>
> Take out the `http_access allow localnet`.
>
> What that part is doing is allowing any traffic from your local network through the proxy.
>
> If you remove that line, only traffic going to your whitelist will be allowed.
>
> Or, you could return that entry back to the old one of `http_access deny !localnet` if you're worried about traffic from other than your local network getting through your proxy.
>
> James
RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
> -----Original Message-----
> From: MM Gillon [mailto:margare...@yahoo.com]
> Sent: Monday, 24 May, 2010 11:38
> To: James Zuelow
> Subject: RE: [squid-users] Squid3 on ubuntu 10.4 problem
> using acl whitelist in external file
>
> Hi James,
> I made the changes you suggested, restarted Squid, and now
> nothing is being blocked.
> *** *** *** *** *** *** *** *** *** ***
> Margaret G.
>

Hmm. OK. That's my fault as I wasn't paying attention to the localnet line.

Take out the `http_access allow localnet`.

What that part is doing is allowing any traffic from your local network through the proxy.

If you remove that line, only traffic going to your whitelist will be allowed.

Or, you could return that entry back to the old one of `http_access deny !localnet` if you're worried about traffic from other than your local network getting through your proxy.

James
RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
Hi James,
I made the changes you suggested, restarted Squid, and now nothing is being blocked.

*** *** *** *** *** *** *** *** *** ***
Margaret G.

--- On Mon, 5/24/10, James Zuelow wrote:

> From: James Zuelow
> Subject: RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
> To: "squid-users@squid-cache.org"
> Date: Monday, May 24, 2010, 12:06 PM
>
> > -----Original Message-----
> > From: MM Gillon [mailto:margare...@yahoo.com]
> > Sent: Monday, 24 May, 2010 10:44
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Squid3 on ubuntu 10.4 problem using
> > acl whitelist in external file
> >
> >
> > http_access deny !localnet
> > http_access deny !whitelist
> > http_access deny all
> >
>
> I might be wrong here, but it looks like you're not actually allowing anything.
>
> Deny not localnet
> Deny not whitelist
> Deny all (which would include both localnet and whitelist)
>
> Try:
>
> http_access allow localnet
> http_access allow whitelist
> http_access deny all
>
> (I never use the "deny not" logic, as I like things nice and plain and it seems to get people in trouble.)
>
> James
RE: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
> -----Original Message-----
> From: MM Gillon [mailto:margare...@yahoo.com]
> Sent: Monday, 24 May, 2010 10:44
> To: squid-users@squid-cache.org
> Subject: [squid-users] Squid3 on ubuntu 10.4 problem using
> acl whitelist in external file
>
>
> http_access deny !localnet
> http_access deny !whitelist
> http_access deny all
>

I might be wrong here, but it looks like you're not actually allowing anything.

Deny not localnet
Deny not whitelist
Deny all (which would include both localnet and whitelist)

Try:

http_access allow localnet
http_access allow whitelist
http_access deny all

(I never use the "deny not" logic, as I like things nice and plain and it seems to get people in trouble.)

James
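The four http_access rule sets discussed in this thread, run through a small first-match evaluator. This is an added example, not part of any poster's message and not Squid code. The evaluator, the rule-set labels and the sample requests (the external client 203.0.113.5 and www.example.com) are constructed for illustration, and only the final http_access lines of the posted config are modelled, with localnet in its corrected CIDR form.

```python
import ipaddress

# Constructed model of the two ACLs the final http_access lines depend on.
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "192.168.101.0/24")]
WHITELIST = [".gov", ".sheepguardingllama.com", ".org", ".chromalloy.com"]


def acl_matches(name, client, host):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    negate, name = name.startswith("!"), name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "localnet":
        hit = any(ipaddress.ip_address(client) in net for net in LOCALNET)
    elif name == "whitelist":
        # dstdomain: ".org" matches "org" itself and every subdomain of it
        hit = any(host == d[1:] or host.endswith(d) for d in WHITELIST)
    else:
        raise ValueError("unknown acl: " + name)
    return hit != negate


def http_access(rules, client, host):
    """The first line whose ACLs ALL match decides; later lines are not consulted."""
    action = "allow"  # so that an empty rule list falls through to deny
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_matches(a, client, host) for a in acls):
            return action
    # No line matched: the result is the opposite of the last line's action.
    return "allow" if action == "deny" else "deny"


RULESETS = {
    "original post": ["http_access deny !localnet", "http_access deny !whitelist",
                      "http_access deny all"],
    "first suggestion": ["http_access allow localnet", "http_access allow whitelist",
                         "http_access deny all"],
    "whitelist only": ["http_access allow whitelist", "http_access deny all"],
    "combined rule": ["http_access allow localnet whitelist", "http_access deny all"],
}

# Constructed requests: (client IP, destination host)
REQUESTS = [
    ("192.168.100.9", "www.unicef.org"),   # inside, whitelisted
    ("192.168.100.9", "www.example.com"),  # inside, not whitelisted
    ("203.0.113.5", "www.unicef.org"),     # outside, whitelisted
]


def evaluate_all():
    """Verdict per rule set, in REQUESTS order."""
    return {name: [http_access(rules, c, h) for c, h in REQUESTS]
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:17} {verdicts}")
```

Only the combined rule allows the inside client to whitelisted hosts while denying both the non-whitelisted host and the outside client.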
[squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file
First I am new at working with networks. Most of the IT staff were downsized last year including the administrator. I am a database programmer. I like ubuntu and have an ubuntu database server. I am trying to use an ubuntu server as a squid proxy so that Windows workstations on a manufacturing floor can only go to company web sites on a whitelist. I am manually configuring the workstations to go to this proxy server. Squid3 loads okay without error messages. I know it is seeing the whitelist.txt file because I get an error if the file is not present. However SQUID will not allow any addresses to load even those in the white list. Below is my squid.conf and my whitelist.txt file. The message in the Squid log is below. The message on the browser screen confirms that squid is blocking the address. I tried the same software and configuration on ubuntu 8.04 and had the same issues. Thank you.

1274724540.610    193 192.168.100.9 TCP_DENIED/403 2710 GET http://www.unicef.org/ - NONE/- text/html

#whitelist.txt
.gov
.sheepguardingllama.com
.org
.chromalloy.com

#squid.conf
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid

#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

#Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

http_access deny !localnet
http_access deny !whitelist
http_access deny all
[squid-users] Re: ntlm_auth problems
On Mon, May 24, 2010 at 10:52 AM, Terry wrote:
> Hello,
>
> I am trying to get ntlm_auth to work in my squid-2.6.STABLE21-6.el5
> installation on RHEL 5.4. Samba is samba-common-3.0.33-3.15.el5_4.
> Here's my relevant config:
>
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 5 hours
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl NTLMUsers proxy_auth REQUIRED
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow NTLMUsers
> http_access deny all
>
>
> Using IE or Firefox, I am presented with an authentication dialog box.
> I attempt to authenticate and it fails. In the logs, I see only
> this:
>
> 1274715773.285 1 10.98.1.122 TCP_DENIED/407 1813 GET
> http://google.com/ - NONE/- text/html
>
>
> I am able to authenticate fine manually:
> [r...@omajelut01 ~]# ntlm_auth --username=john --domain=DOMAIN1
> password:
> NT_STATUS_OK: Success (0x0)
>
> Where am I going wrong here?
>

Sorry to reply to my own post but I wanted to get this out there. Is this related to samba 3.0? I see this related post:
http://marc.info/?l=squid-users&m=127331202712656&w=2

Thanks!
[squid-users] ntlm_auth problems
Hello,

I am trying to get ntlm_auth to work in my squid-2.6.STABLE21-6.el5 installation on RHEL 5.4. Samba is samba-common-3.0.33-3.15.el5_4. Here's my relevant config:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl NTLMUsers proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow NTLMUsers
http_access deny all

Using IE or Firefox, I am presented with an authentication dialog box. I attempt to authenticate and it fails. In the logs, I see only this:

1274715773.285 1 10.98.1.122 TCP_DENIED/407 1813 GET http://google.com/ - NONE/- text/html

I am able to authenticate fine manually:
[r...@omajelut01 ~]# ntlm_auth --username=john --domain=DOMAIN1
password:
NT_STATUS_OK: Success (0x0)

Where am I going wrong here?
[squid-users] NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
Hi

i am getting this in my cache.log, what this error mean ? is there any misconfiguration ?

clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available

My setup

<*> Squid Cache: Version 2.7.STABLE6
configure options: '--enable-async-io' '--enable-icmp' '--enable-snmp' '--enable-cache-digests' '--enable-follow-x-forwarded-for' '--enable-storeio=aufs,ufs,null,diskd,coss' '--enable-removal-policies=heap,lru' '--with-maxfd=65535' '--disable-ident-lookups' '--enable-truncate' '--enable-linux-tproxy' '--enable-linux-netfilter' '--enable-large-cache-files'

<*> Kernel 2.6.31.13

<*> Debian lenny 5.04

machine is setup in bridge mode, with ip configured on br0 interface.

any help will be much appreciated.

thanks in advance
[squid-users] squid ssl and keystores
Hi all,

I'm using 3.0.STABLE8 with ssl support on a debian 5 box. I got squid working flawlessly with a couple of apache ssl websites but now I have to get it working with tomcat/ssl which uses a Java KeyStore file.

I had a look in the archives for the word keystore and found nothing so here I am. Does anyone have any experience with this? Can it be done and if so, where is the documentation for it? ;)

Any help would be appreciated.

Kind regards,
-Ed
[squid-users] Daily per MAC addr bandwidth caps
Hi

Is it possible to set daily bandwidth caps in squid, and automatically deny access to a MAC address when that limit has been reached?

Thanks

Dayo
Re: [squid-users] Squid 3.1 rejecting connections after few thousands requests
> Wow. Sure thats hits/sec and not hits/minute?
> The 'extreme' setups of Squid-2.7 only reached 990req/sec.

I'm running squid3.0 on Dell R300 servers with 4x2.8GHz Intel Xeons and 12GB of ram. On production servers I'm getting max 1500hits/s. With 2500hits/s I have seen that some in access.log, in elapsed column that some requests were closed after 6 seconds and average was something like ~300ms. It's not acceptable for me. Most requests on production servers are closed in less than 1ms.

> FWIW; the only other occurrence of this particular "Select loop Error"
> reported in recent years was found to be due to broken NIC drivers.
> The behaviour sounds very much like some such bug has been hit, or maybe a
> limit on the open ports per IP.

I will search for something about nic drivers on FreeBSD maillists. As I said before squid3.0 was running fine for few hours, everytime I launched squid3.1 it lasted only few seconds. There is no firewall configured on this machine.

Could anyone give me some pointers about debugging newest squid to see what is causing that squid immediately closes connections?
Re: [squid-users] Runcache script- Lot of confusion
Sat 2010-05-22 at 14:11 +, GIGO . wrote:
> Please guide about runcache script behaviour up till now i have only
> understood this that this script will check and autorestart squid in
> case of failure.

Yes, but so does the builtin service monitor.

RunCache is generally not recommended these days. Even removed from the Squid distribution.

A sample init.d script is in contrib/squid.rc. You can also find suitable squid init.d scripts in nearly every free OS distribution by looking at their squid package.

Regards
Henrik
Re: [squid-users] Squid 3.1 rejecting connections after few thousands requests
Mon 2010-05-24 at 00:47 +1200, Amos Jeffries wrote:
> I mean the "ExtremeCarpFrontend" configuration examples.
> 990rps was simply the limit reached on the testing hardware. There may
> be hardware able to go faster already.

Or a reverse proxy with high memory hit ratio on slower hardware.

Regards
Henrik