Re: FW: [squid-users] Youtube -An error occured, please try again later
Maurizio Marini wrote:
> On Fri, 28 May 2010 06:15:32 + "GIGO ." wrote:
>> My store.logs are following
>
> A. Because people read from top to bottom.
> Q. Why should I not top post?

Ah, fun... you know.

sdrawkcab daer lla tnac ew
so please don't posting above the reference
what is top posting?

and my favourite: (can be read by both top and bottom posters. :)

top posting.
why do people still do it?
how can people still do it?
such a worrysome activity
reading upwards
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Luis Daniel Lucio Quiroz wrote:
> On Thursday 27 May 2010 07:30:11, Amos Jeffries wrote:
>> Luis Daniel Lucio Quiroz wrote:
>>> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
>>>> Luis Daniel Lucio Quiroz wrote:
>>>>> On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
>>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
>>>>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
>>>>>>>>>> HI all
>>>>>>>>>>
>>>>>>>>>> As a requirement of one client, he wants to use joomla user database to let squid authenticate.
>>>>>>>>>>
>>>>>>>>>> I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions.
>>>>>>>>>>
>>>>>>>>>> I did add one useful option to script
>>>>>>>>>>
>>>>>>>>>> --joomla
>>>>>>>>>>
>>>>>>>>>> in order to activate joomla hashing. Other options are identical.
>>>>>>>>>> Please test :)
>>>>>>>>>>
>>>>>>>>>> Amos, I'd like if you can include this in 3.1.2
>>>>>>>>
>>>>>>>> Mumble.
>>>>>>>>
>>>>>>>> How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze?
>>>>>>>>
>>>>>>>>>> LD
>>>>>>>>>
>>>>>>>>> I have a typo in
>>>>>>>>> my salt
>>>>>>>>>
>>>>>>>>> should be
>>>>>>>>> my $salt
>>>>>>>>>
>>>>>>>>> sorry
>>>>>>>>
>>>>>>>> Can you make the option --md5 instead please?
>>>>>>>>
>>>>>>>> Possibilities are not limited to Joomla and they may change someday.
>>>>>>>>
>>>>>>>> The option needs to be added to the documentation sections of the helper as well.
>>>>>>>>
>>>>>>>> Amos
>>>>>>>
>>>>>>> I don't get you about "cross the security",
>>>>>>
>>>>>> 3.1 is under feature freeze. Anything not a security fix or regression needs to have some good reasons to be committed.
>>>>>>
>>>>>> I'm trying to stick to the freeze a little more with 3.1 than with 3.0, to get back into the habit of it. Particularly since we look like having a good foothold on the track for 12-month releases now.
>>>>>>
>>>>>>> what i did is that --joomla flag do different sql request and because joomla hash is like this:
>>>>>>> hash:salt
>>>>>>> i did split and compare. by default joomla uses md5 (i'm not a joomla master, i don't know when joomla uses other hashings)
>>>>>>
>>>>>> I intend to use this auth helper myself for other systems, and there are others who ask about a DB helper occasionally.
>>>>>>
>>>>>> Taking a better look at your changes ...
>>>>>>
>>>>>> The first one: db_conf = "block = 0" seems to be useless. All it does is hard-code a different default value for the --cond option.
>>>>>>
>>>>>> For Joomla the squid.conf should instead contain:
>>>>>>   --cond " block=0 "
>>>>>>
>>>>>> Which leaves the salted/non-salted hash change.
>>>>>>
>>>>>> Adding this:
>>>>>>   --salt-delimiter D
>>>>>>
>>>>>> To configure character(s) between the hash and salt values. Will not to lock people into the specific Joomla syntax of colon. There are examples and tutorials out there for app design that use other delimiters.
>>>>>>
>>>>>> Doing both of those changes Joomla would be configured with:
>>>>>>   ... --cond " block=0 " --salt-delimiter ":"
>>>>>>
>>>>>>> if you want, later i may add also --md5 to store md5 password, and --digest-auth to support digest authentication :) but later jejeje
>>>>>>
>>>>>> Amos
>>>>>
>>>>> HI
>>>>> i've just update my patch to fit 3.1.2
>>>>>
>>>>> I hope this could be included since it is based on todays snapshot.
>>>>>
>>>>> Regards,
>>>>>
>>>>> LD
>>>>
>>>> Thank you.
>>>>
>>>> You still have the --joomla flag. I thought you agreed to call it something like the --salt and take the delim character ?
>>>>
>>>> Amos
>>>
>>> Amos + team,
>>>
>>> i was adding salt support and i realize of this line
>>>
>>> return 1 if crypt($password, $key) eq $key;
>>>
>>> as far as i know this is impossible, because crypt using a salt wont be eq to that key,
>>> because there are many scenarios i did let this line in my patch and add another to use static salt
>>>
>>> I also add a --sql option to let user specify complex queries. As i was needing it to work with an INNER JOIN.
>>>
>>> I hope you can review it.
>>>
>>> LD
>>
>> I have not found the need for --sql in my experience with complex queries to this helper. The each of the options --usercol , --passcol, --table and --cond can take whole snippets of SQL double-quoted.
>>
>> The rest of the patch is accepted. Will be in Squid-3.1.4.
>>
>> If anyone is interested in further improvements to this helper;
>>   Loading the parameters from a secure file instead of having the SQL snippets and DSN login visible on the command line would be useful.
>>
>> Amos
>
> OK, no problem i was realizing because complex select are more than JOINS, such as UNIONS or SELECTS inside SELECTS but not problem.
>
> Can you post then how will be so i can patch rpms :)
>
> LD

3.1.4 is due out this Sunday.

Oh, Henrik had a question about why "use strict" was removed?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
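The split-and-compare check this thread describes (a stored value of the form hash, delimiter, salt, with the delimiter configurable as proposed for --salt-delimiter), as an added example that is not the squid_db_auth patch or any code from the thread. It assumes the stored hash is hex MD5 over the password followed by the salt; the function names are hypothetical.

```javascript
// Added illustration, not the squid_db_auth helper (which is written in Perl).
// Assumption: stored hash = hex MD5 of (password + salt). All names are hypothetical.
const crypto = require("crypto");

function md5Hex(text) {
  return crypto.createHash("md5").update(text, "utf8").digest("hex");
}

// Split "hash<delimiter>salt" on the FIRST delimiter only, so a salt that
// happens to contain the delimiter is kept whole. A value without the
// delimiter is treated as an unsalted hash.
function splitStored(stored, delimiter) {
  if (!delimiter) return { hash: stored, salt: "" };
  const at = stored.indexOf(delimiter);
  if (at === -1) return { hash: stored, salt: "" };
  return {
    hash: stored.slice(0, at),
    salt: stored.slice(at + delimiter.length),
  };
}

function verifyPassword(password, stored, delimiter) {
  const { hash, salt } = splitStored(stored, delimiter);
  // Reject anything that is not exactly 32 hex digits before comparing,
  // e.g. a row split with the wrong delimiter or an empty column.
  if (!/^[0-9a-fA-F]{32}$/.test(hash)) return false;
  const expected = Buffer.from(hash.toLowerCase(), "hex");
  const actual = Buffer.from(md5Hex(password + salt), "hex");
  // Both buffers are 16 bytes; compare without an early exit on mismatch.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample row: MD5("password") with the salt "word".
const SAMPLE_STORED = "5f4dcc3b5aa765d61d8327deb882cf99:word";
console.log(verifyPassword("pass", SAMPLE_STORED, ":"));   // correct password
console.log(verifyPassword("guess", SAMPLE_STORED, ":"));  // wrong password
```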
Re: FW: [squid-users] Youtube -An error occured, please try again later
On Fri, 28 May 2010 06:15:32 + "GIGO ." wrote:
> My store.logs are following

A. Because people read from top to bottom.
Q. Why should I not top post?
FW: [squid-users] Youtube -An error occured, please try again later
My store.logs are following

> From: gi...@msn.com
> To: squid-users@squid-cache.org
> Date: Fri, 28 May 2010 05:33:08 +
> Subject: [squid-users] Youtube -An error occured, please try again later
>
> Hi all,
>
> For some of my youtube videos i am getting the following error.
>
> "An error occured, please try again later".
>
> I have confirmed that this only occur when squid is being used. find below the relevant information in this regard.
>
> cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
> cache_mem 1000 MB
> range_offset_limit -1 KB
> maximum_object_size 4194304 KB
> maximum_object_size_in_memory 1024 KB
> minimum_object_size 10 KB
> quick_abort_min -1 KB
>
> #specific for youtube custom refreshpatterns belowones
> refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
> refresh_pattern ^http://*.youtube.com/.* 720 100% 4320
> refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|mpg|swf|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-private
>
> acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
> acl video urlpath_regex \.((mpeg|ra?m|avi|mp(g|e|4)|mov|divx|asf|qt|wmv|m\dv|rv|vob|asx|ogm|flv|3gp)(\?.*)?)$ (get_video\?|videoplayback\?|videodownload\?|\.flv(\?.*)?)
> storeurl_rewrite_children 1
> storeurl_rewrite_concurrency 10
>
> The storeurl.pl script i am using is by:
> # by chudy_fernan...@yahoo.com
> # Updates at http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion
> I also have applied the bug fix (src/client_side.c)
>
> Now what is causing this error to occur? And how to resolve it
>
> thanking you
> &
> regards,
>
> Bilal
[squid-users] Youtube -An error occured, please try again later
Hi all,

For some of my youtube videos i am getting the following error.

"An error occured, please try again later".

I have confirmed that this only occur when squid is being used. find below the relevant information in this regard.

cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
maximum_object_size_in_memory 1024 KB
minimum_object_size 10 KB
quick_abort_min -1 KB

#specific for youtube custom refreshpatterns belowones
refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
refresh_pattern ^http://*.youtube.com/.* 720 100% 4320
refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|mpg|swf|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-private

acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl video urlpath_regex \.((mpeg|ra?m|avi|mp(g|e|4)|mov|divx|asf|qt|wmv|m\dv|rv|vob|asx|ogm|flv|3gp)(\?.*)?)$ (get_video\?|videoplayback\?|videodownload\?|\.flv(\?.*)?)
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

The storeurl.pl script i am using is by:
# by chudy_fernan...@yahoo.com
# Updates at http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion
I also have applied the bug fix (src/client_side.c)

Now what is causing this error to occur? And how to resolve it

thanking you
&
regards,

Bilal
RE: [squid-users] Squid3 HA-LB Cluster
Thu 2010-05-27 at 23:49 +0200, Tóth Tibor Péter wrote:
> May I ask to see what's inside of your proxy.pac to do the fail over between the hosts ?

return "proxya; proxyb; "

Works well if proxya starts to reject requests, but you will get a bit of delays if proxya is not responding at all (i.e. turned off).

Regards
Henrik
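A fuller proxy.pac along the lines of the reply above, as an added example that is not from the thread: it keeps the direct bypass for internal servers that Tibby's existing file already does and lists both proxies so the browser fails over, and it goes beyond the reply by alternating which proxy is listed first so both nodes carry traffic. The proxy host names, port 3128 and the internal domain are assumptions.

```javascript
// Added example, not from the thread. Host names, port and domain are assumptions.
// Written in ES3-style JavaScript (var, no arrow functions) because older
// PAC engines do not support newer syntax.
var PROXY_A = "PROXY proxya.example.internal:3128";
var PROXY_B = "PROXY proxyb.example.internal:3128";
var INTERNAL_SUFFIX = ".example.internal";

// True for plain host names ("intranet") and for hosts under the internal
// domain. The suffix starts with a dot, so "notexample.internal" is NOT
// treated as internal.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  var start = host.length - INTERNAL_SUFFIX.length;
  return start >= 0 && host.indexOf(INTERNAL_SUFFIX, start) === start;
}

// Cheap, stable 0/1 bucket per host name. The same host always gets the
// same first proxy, which keeps one site's objects in one cache.
function hostBucket(host) {
  var sum = 0;
  for (var i = 0; i < host.length; i++) {
    sum = (sum + host.charCodeAt(i)) % 2;
  }
  return sum;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // The browser tries the entries left to right and moves to the next one
  // when a proxy refuses or times out. There is deliberately no trailing
  // "DIRECT": if both proxies are down, requests fail instead of leaving
  // the network without passing the proxy and its content filter.
  if (hostBucket(host.toLowerCase()) === 0) {
    return PROXY_A + "; " + PROXY_B;
  }
  return PROXY_B + "; " + PROXY_A;
}
```

As the reply notes, failover is quick when the first proxy refuses connections and slower when it does not answer at all, because the browser has to wait for the connection attempt to time out.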
Re: [squid-users] Solaris build leaking memory
Thu 2010-05-27 at 13:21 -0700, David Raccah wrote:
> Hello All,
>
> We have a Solaris build of 3.0 stable 25 and it leaks kernel memory till it hits 25 or so GB and then dumps.

Kernel or user memory? A process can not leak kernel memory.

Regards
Henrik
Re: [squid-users] Google SSL searches
Thu 2010-05-27 at 15:35 -0400, Dave Burkholder wrote:
> Is there some way to specify via a Squid ACL that requests via port 443 to google.com are blocked, but requests to google.com via port 80 are allowed?

acl https port 443
acl google dstdomain google.com
http_access deny https google

Regards
Henrik
RE: [squid-users] Squid3 HA-LB Cluster
Hello!

May I ask to see what's inside of your proxy.pac to do the fail over between the hosts ?
We also use the pac file, but at the moment only to bypass access for our own servers, so the clients won't go to the proxy then to an internal server, then back to proxy, then to the client again.
How do you configure the failover inside of the proxy.pac I have no clue.

Thanks,
Tibby

From: Sakhi Louw [mailto:sak...@gmail.com]
Sent: Thursday, May 27, 2010 9:07 PM
To: Tóth Tibor Péter
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid3 HA-LB Cluster

2010/5/27 Tóth Tibor Péter

> Hello!
> I would like to set up two squid nodes to cache our public internet usage for client PCs.
> I was thinking to set up squid and use Heartbeat on the servers to have an active/passive cluster in case of one of the servers stops.
> But why would I have two squid nodes running while one of it smoking from work, and the other just watching ??
> I would like to put both nodes to work and somehow get a cluster set up as well, so in case one node is down then the internet would be still available through the other node.
> Any help would be appreciated!
> Thanks!

I use a proxy pac file for fail over it works better.

--
Sakhi Louw
[squid-users] Solaris build leaking memory
Hello All, We have a Solaris build of 3.0 stable 25 and it leaks kernel memory till it hits 25 or so GB and then dumps. Squid is clearly leaking memory. We have tried malloc, dlmalloc and neither seem to work. So does anyone know the proper and successful way to build 3.0 on Solaris? The Solaris we run is Open Solaris x86_64 version 5.10. Thanks, David
[squid-users] Google SSL searches
I'm using Squid in standard proxy mode with Dansguardian content filtering. So the recent news that Google is doing SSL encryption on their search results wasn't good news to me.

http://www.osnews.com/story/23358/Google_Launches_Encrypted_Search_Beta

I want to limit searches to clear text only so that Dansguardian can do its content filtering magic, and my first thought was to do this:

acl sslgoogle url_regex https://www.google.com
http_access deny sslgoogle

But the url_regex doesn't work as the URL seems to be encrypted already. The ACL below blocks the whole site, including Gmail, Docs, Apps, etc.

acl sslgoogle dstdomain .google.com
http_access deny sslgoogle

Is there some way to specify via a Squid ACL that requests via port 443 to google.com are blocked, but requests to google.com via port 80 are allowed?

Thanks,

Dave
RE: [squid-users] Running Multiple instances and reporting confusion.
Thu 2010-05-27 at 18:38 +, GIGO . wrote:
> Related to my earlier query regarding how to handle reports with multiple instances. The problem was that inst1access.log though track client activities correctly however give incorrect information regarding the in-cache returned objects. As the caching part is instead being done by Instance-2. So the SARG reports (parsing of inst1access.log) wrongly depicts about objects returned from the cache.

Any reason why not run the reports on instance-2 logs?

> Now i just thought an idea that may be pointing to the same cache will solve the problem if instance 1 has no-store option set. Please read below and guide me i would be thankful

Two Squid processes can not share the same cache_dir, not even with one in read-only mode.

Regards
Henrik
Re: [squid-users] Squid3 HA-LB Cluster
Thu 2010-05-27 at 15:37 +0200, Tóth Tibor Péter wrote:
> But why would I have two squid nodes running while one of it smoking from work, and the other just watching ??
> I would like to put both nodes to work and somehow get a cluster set up as well, so in case one node is down then the internet would be still available through the other node.

I usually do this by setting up an LVS (ldirectord) in HA, directing traffic to both nodes.

Regards
Henrik
RE: [squid-users] Running Multiple instances and reporting confusion.
Hi Amos,

Related to my earlier query regarding how to handle reports with multiple instances. The problem was that inst1access.log though track client activities correctly however give incorrect information regarding the in-cache returned objects. As the caching part is instead being done by Instance-2. So the SARG reports (parsing of inst1access.log) wrongly depicts about objects returned from the cache.

Now i just thought an idea that may be pointing to the same cache will solve the problem if instance 1 has no-store option set. Please read below and guide me i would be thankful

# INSTANCE-2 Cache directory setup of the instance that is doing the caching/fetching part
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
maximum_object_size_in_memory 1024 KB
quick_abort_min -1 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

# INSTANCE-1 Cache Directory setup Thought of the instance that is user facing
cache_peer 127.0.0.1 parent 1975 0 default no-digest no-query proxy-only
prefer_direct off
# point to the directory of instance 1?
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256 no-store
cache_dir aufs /var/spool/squid 1 16 256
coredump_dir /var/spool/squid
cache_replacement_policy heap GDSF

1. Is it possible for 1 instance to point to the cache directory of other instance in read only mode?
2. My original intention for multiple instances was to cache directory failover? However if the setup above mentioned is possible then would the setup will remain fault tolerant or failing of /cachedisk1 now will terminate both the instances and it is no longer fault tolerant?

regards,

Bilal

> Date: Sat, 22 May 2010 02:18:51 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Running Multiple instances and reporting confusion.
>
> GIGO . wrote:
>> Hi all,
>>
>> I am running multiple instances of squid on the same machine. One instance is taking the clients request and forwarding to its parent peer at 127.0.0.1. All is going well. However there is a confusion related to reporting through sarg. To capture the client activity sarg is parsing the access.log file of the instance i.e user facing which is correct. However obviously it is depicting a wrong in-cache out-cache figures as this value should be instead of the instance which is managing/doing caching.
>>
>> Is there a way/trick to manage this? Is it possible that a cache_hit from a parent cache be recorded as in-cache in the child?
>>
>
> The parent cache with the hier_code ACL type may be able to log only the requests that did not get sent to the child.
>
> The child cache using follow_x_forwarded_for trusting the parent proxy and log_uses_indirect_client should be able to log the remote client IP which connected to the parent with its received requests.
>
> Combining the parent and child proxies logs line-wise for analysis should then give you the result you want.
>
> That combination is a bit tricky though, since we have only just added TCP reliable logging to Squid-3.2. UDP logging is available for 2.7 and 3.1, but may result in some lost records under high load. With either of those methods you just need a daemon to receive the log traffic and store it in the one file.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] Re: Squid3 HA-LB Cluster
On 2010-05-27, Amos Jeffries wrote:
>
> To use both you probably want to advertise both proxy IPs in the DNS results of a name you call the cluster. The client browser can do its own failover with several IPs when it knows.

I wouldn't trust clients to handle the failover. Would be better to have two "floating" IP-addresses that each is sticking to a different node in normal operation, but that can fail over to the other node in failure or when you want to take one node out of production. Then you do round-robin-dns over these two ip-addresses, and have a HA-LB cluster.

I used to use Heartbeat for such configurations also, but have recently converted to using ucarp instead. It's *much* easier to use, and understand than Heartbeat.

> The squid can be setup as cache_peer siblings to share objects.

-jf
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
On Thursday 27 May 2010 07:30:11, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
>> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
>>> Luis Daniel Lucio Quiroz wrote:
>>>> On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
>>>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
>>>>>>>>> HI all
>>>>>>>>>
>>>>>>>>> As a requirement of one client, he wants to use joomla user database to let squid authenticate.
>>>>>>>>>
>>>>>>>>> I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions.
>>>>>>>>>
>>>>>>>>> I did add one useful option to script
>>>>>>>>>
>>>>>>>>> --joomla
>>>>>>>>>
>>>>>>>>> in order to activate joomla hashing. Other options are identical.
>>>>>>>>> Please test :)
>>>>>>>>>
>>>>>>>>> Amos, I'd like if you can include this in 3.1.2
>>>>>>>
>>>>>>> Mumble.
>>>>>>>
>>>>>>> How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze?
>>>>>>>
>>>>>>>>> LD
>>>>>>>>
>>>>>>>> I have a typo in
>>>>>>>> my salt
>>>>>>>>
>>>>>>>> should be
>>>>>>>> my $salt
>>>>>>>>
>>>>>>>> sorry
>>>>>>>
>>>>>>> Can you make the option --md5 instead please?
>>>>>>>
>>>>>>> Possibilities are not limited to Joomla and they may change someday.
>>>>>>>
>>>>>>> The option needs to be added to the documentation sections of the helper as well.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> I don't get you about "cross the security",
>>>>>
>>>>> 3.1 is under feature freeze. Anything not a security fix or regression needs to have some good reasons to be committed.
>>>>>
>>>>> I'm trying to stick to the freeze a little more with 3.1 than with 3.0, to get back into the habit of it. Particularly since we look like having a good foothold on the track for 12-month releases now.
>>>>>
>>>>>> what i did is that --joomla flag do different sql request and because joomla hash is like this:
>>>>>> hash:salt
>>>>>> i did split and compare. by default joomla uses md5 (i'm not a joomla master, i don't know when joomla uses other hashings)
>>>>>
>>>>> I intend to use this auth helper myself for other systems, and there are others who ask about a DB helper occasionally.
>>>>>
>>>>> Taking a better look at your changes ...
>>>>>
>>>>> The first one: db_conf = "block = 0" seems to be useless. All it does is hard-code a different default value for the --cond option.
>>>>>
>>>>> For Joomla the squid.conf should instead contain:
>>>>>   --cond " block=0 "
>>>>>
>>>>> Which leaves the salted/non-salted hash change.
>>>>>
>>>>> Adding this:
>>>>>   --salt-delimiter D
>>>>>
>>>>> To configure character(s) between the hash and salt values. Will not to lock people into the specific Joomla syntax of colon. There are examples and tutorials out there for app design that use other delimiters.
>>>>>
>>>>> Doing both of those changes Joomla would be configured with:
>>>>>   ... --cond " block=0 " --salt-delimiter ":"
>>>>>
>>>>>> if you want, later i may add also --md5 to store md5 password, and --digest-auth to support digest authentication :) but later jejeje
>>>>>
>>>>> Amos
>>>>
>>>> HI
>>>> i've just update my patch to fit 3.1.2
>>>>
>>>> I hope this could be included since it is based on todays snapshot.
>>>>
>>>> Regards,
>>>>
>>>> LD
>>>
>>> Thank you.
>>>
>>> You still have the --joomla flag. I thought you agreed to call it something like the --salt and take the delim character ?
>>>
>>> Amos
>>
>> Amos + team,
>>
>> i was adding salt support and i realize of this line
>>
>> return 1 if crypt($password, $key) eq $key;
>>
>> as far as i know this is impossible, because crypt using a salt wont be eq to that key,
>> because there are many scenarios i did let this line in my patch and add another to use static salt
>>
>> I also add a --sql option to let user specify complex queries. As i was needing it to work with an INNER JOIN.
>>
>> I hope you can review it.
>>
>> LD
>
> I have not found the need for --sql in my experience with complex queries to this helper. The each of the options --usercol , --passcol, --table and --cond can take whole snippets of SQL double-quoted.
>
> The rest of the patch is accepted. Will be in Squid-3.1.4.
>
> If anyone is interested in further improvements to this helper;
>   Loading the parameters from a secure file instead of having the SQL snippets and DSN login visible on the command line would be useful.
>
> Amos

OK, no problem i was realizing because complex select are more than JOINS, such as UNIONS or SELECTS inside SELECT
RE: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Thu 2010-05-27 at 17:35 +0200, Gabriele Gabriele wrote:
> Somebody know if exist one patch for add some field at the Header? like X-Authenticated-User??

What is wrong with using the standard basic authentication header as used by login=*:password?

Regards
Henrik
RE: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Somebody know if exist one patch for add some field at the Header? like X-Authenticated-User??
Or somebody know if is possible enable X-Authenticated-User from the source or using header_replace ??

thanks

> From: hen...@henriknordstrom.net
> To: squ...@treenet.co.nz
> CC: squid-users@squid-cache.org
> Date: Thu, 27 May 2010 13:21:47 +0200
> Subject: Re: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
>
> Thu 2010-05-27 at 22:51 +1200, Amos Jeffries wrote:
>
>> Logging in to two different proxies simultaneously with one action is quite hard.
>
> And is why we have the login=*:password alternative if the goal is to forward the username. Works if the parent is not accessed directly by clients.
>
> Regards
> Henrik
Re: [squid-users] Squid3 HA-LB Cluster
Tóth Tibor Péter wrote:
> Hello!
> I would like to set up two squid nodes to cache our public internet usage for client PCs.
> I was thinking to set up squid and use Heartbeat on the servers to have an active/passive cluster in case of one of the servers stops.
> But why would I have two squid nodes running while one of it smoking from work, and the other just watching ??
> I would like to put both nodes to work and somehow get a cluster set up as well, so in case one node is down then the internet would be still available through the other node.
> Any help would be appreciated!
> Thanks!

To use both you probably want to advertise both proxy IPs in the DNS results of a name you call the cluster. The client browser can do its own failover with several IPs when it knows.

The squid can be setup as cache_peer siblings to share objects.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] Squid3 HA-LB Cluster
Hello!

I would like to set up two squid nodes to cache our public internet usage for client PCs.
I was thinking to set up squid and use Heartbeat on the servers to have an active/passive cluster in case of one of the servers stops.
But why would I have two squid nodes running while one of it smoking from work, and the other just watching ??
I would like to put both nodes to work and somehow get a cluster set up as well, so in case one node is down then the internet would be still available through the other node.
Any help would be appreciated!

Thanks!
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Luis Daniel Lucio Quiroz wrote:
> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
>> Luis Daniel Lucio Quiroz wrote:
>>> On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
>>>> Luis Daniel Lucio Quiroz wrote:
>>>>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
>>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
>>>>>>>> HI all
>>>>>>>>
>>>>>>>> As a requirement of one client, he wants to use joomla user database to let squid authenticate.
>>>>>>>>
>>>>>>>> I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions.
>>>>>>>>
>>>>>>>> I did add one useful option to script
>>>>>>>>
>>>>>>>> --joomla
>>>>>>>>
>>>>>>>> in order to activate joomla hashing. Other options are identical.
>>>>>>>> Please test :)
>>>>>>>>
>>>>>>>> Amos, I'd like if you can include this in 3.1.2
>>>>>>
>>>>>> Mumble.
>>>>>>
>>>>>> How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze?
>>>>>>
>>>>>>>> LD
>>>>>>>
>>>>>>> I have a typo in
>>>>>>> my salt
>>>>>>>
>>>>>>> should be
>>>>>>> my $salt
>>>>>>>
>>>>>>> sorry
>>>>>>
>>>>>> Can you make the option --md5 instead please?
>>>>>>
>>>>>> Possibilities are not limited to Joomla and they may change someday.
>>>>>>
>>>>>> The option needs to be added to the documentation sections of the helper as well.
>>>>>>
>>>>>> Amos
>>>>>
>>>>> I don't get you about "cross the security",
>>>>
>>>> 3.1 is under feature freeze. Anything not a security fix or regression needs to have some good reasons to be committed.
>>>>
>>>> I'm trying to stick to the freeze a little more with 3.1 than with 3.0, to get back into the habit of it. Particularly since we look like having a good foothold on the track for 12-month releases now.
>>>>
>>>>> what i did is that --joomla flag do different sql request and because joomla hash is like this:
>>>>> hash:salt
>>>>> i did split and compare. by default joomla uses md5 (i'm not a joomla master, i don't know when joomla uses other hashings)
>>>>
>>>> I intend to use this auth helper myself for other systems, and there are others who ask about a DB helper occasionally.
>>>>
>>>> Taking a better look at your changes ...
>>>>
>>>> The first one: db_conf = "block = 0" seems to be useless. All it does is hard-code a different default value for the --cond option.
>>>>
>>>> For Joomla the squid.conf should instead contain:
>>>>   --cond " block=0 "
>>>>
>>>> Which leaves the salted/non-salted hash change.
>>>>
>>>> Adding this:
>>>>   --salt-delimiter D
>>>>
>>>> To configure character(s) between the hash and salt values. Will not to lock people into the specific Joomla syntax of colon. There are examples and tutorials out there for app design that use other delimiters.
>>>>
>>>> Doing both of those changes Joomla would be configured with:
>>>>   ... --cond " block=0 " --salt-delimiter ":"
>>>>
>>>>> if you want, later i may add also --md5 to store md5 password, and --digest-auth to support digest authentication :) but later jejeje
>>>>
>>>> Amos
>>>
>>> HI
>>> i've just update my patch to fit 3.1.2
>>>
>>> I hope this could be included since it is based on todays snapshot.
>>>
>>> Regards,
>>>
>>> LD
>>
>> Thank you.
>>
>> You still have the --joomla flag. I thought you agreed to call it something like the --salt and take the delim character ?
>>
>> Amos
>
> Amos + team,
>
> i was adding salt support and i realize of this line
>
> return 1 if crypt($password, $key) eq $key;
>
> as far as i know this is impossible, because crypt using a salt wont be eq to that key,
> because there are many scenarios i did let this line in my patch and add another to use static salt
>
> I also add a --sql option to let user specify complex queries. As i was needing it to work with an INNER JOIN.
>
> I hope you can review it.
>
> LD

I have not found the need for --sql in my experience with complex queries to this helper. The each of the options --usercol , --passcol, --table and --cond can take whole snippets of SQL double-quoted.

The rest of the patch is accepted. Will be in Squid-3.1.4.

If anyone is interested in further improvements to this helper;
  Loading the parameters from a secure file instead of having the SQL snippets and DSN login visible on the command line would be useful.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] Re: squid ssl forward proxy (+ authentication) ?
On 2010-05-27, Henrik Nordström wrote:
>>
>> Authentication? no.
>
> Yes, if the client is using a certificate for authentication purposes.
>
> If the provided client certificate have an emailAddress attribute then this is used as the user identity at least for log purposes.

We already have lots of OpenVPN users, with client certs and use the cn of the cert to assign which networks they have access to. All certs have the emailAddress attribute as well.

Full VPN is a bit overkill for the users that only needs to access a few internal webservers, so I'm wondering if we can utilize the same public key infrastructure to give access through a squid proxy, and use squid acl's to control what they get access to based on preferably cn, but emailAddress is probably OK too.

Do you think this sounds feasible? Has anybody done something similar, and might care to share their config ?

-jf
Re: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Thu 2010-05-27 at 22:51 +1200, Amos Jeffries wrote:
> Logging in to two different proxies simultaneously with one action is
> quite hard.

And is why we have the login=*:password alternative if the goal is to forward the username. Works if the parent is not accessed directly by clients.

Regards Henrik
Re: [squid-users] squid ssl forward proxy (+ authentication) ?
Thu 2010-05-27 at 22:58 +1200, Amos Jeffries wrote:
> > Also, could the proxy authentication then be utilizing client
> > certificates instead of username/password ?
>
> Authentication? no.

Yes, if the client is using a certificate for authentication purposes. If the provided client certificate has an emailAddress attribute then this is used as the user identity at least for log purposes.

Regards Henrik
Re: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Gabriele Gabriele wrote:
> The Authentication is only on the internal proxy, in the external I need to have IP of the client and the username for some acl.

So you said. I understand that is what you have now which is not working.

> So I think I need this information on the Header.

It's bad security to leak things like usernames out to the general world, so there is no easy way to pass them on. The header you receive these things on needs to be explicitly requested by the auth_param configuration. You might be lucky with the specific cache_peer login=PASS setting on proxy1 since there is somewhat of a trust relationship between squid and its cache_peers.

A slightly bigger holdup is likely to be that without authentication configured at proxy2 it will not even read the authentication headers to get the username out.

Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] Problem with Rapidshare
Thu 2010-05-27 at 10:52 +0700, Khemara Lyn wrote:
> My Squid box cannot connect to rapidshare server anymore; we always get
> the error of "connection to [some ip] failed" "(110) Connection timed out".

Sounds like you got blacklisted, or alternatively running into one of the TCP issues like ECN or Windows Scaling.

> Did anyone ever encounter this before?

Not with rapidshare.

> Could it be that, they block/blacklist our Squidbox's IP? How can I
> resolve this?

Using TPROXY may solve the blacklisting, if that's the problem.

Regards Henrik
Re: [squid-users] squid ssl forward proxy (+ authentication) ?
Jan-Frode Myklebust wrote:
> Does squid support being configured as an encrypted (SSL) proxy, where the connection between client and proxy go over SSL to avoid f.ex. sniffing of the proxy password and other non-https traffic ?

Squid supports it. The https_port directive can be configured just like http_port but with SSL certificates etc. The blocker problem is that client browsers do not support it.

> Also, could the proxy authentication then be utilizing client certificates instead of username/password ?

Authentication? no. Authorization? maybe. There are some ACL types that can authorize or deny based on client certificate fields. Of course you can still do full normal proxy authentication inside the SSL encrypted requests.

Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
RE: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
The Authentication is only on the internal proxy, in the external I need to have IP of the client and the username for some acl. So I think I need this information on the Header.

> Date: Thu, 27 May 2010 22:51:53 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
>
> Gabriele Gabriele wrote:
>> Hi to all, this is my first time here,
>> I need an help to configure my
>> squid 3.1.3
>> I show you my problem:
>> I have 2 squid proxy, one is
>> internal and one is external, the external is cache_peer for the
>> internal. On the internal squid I have the ntlm authentication,
>
> bit hard to understand that text does it mean this?
>
> Client --NTLM--> Proxy 1 --> Proxy 2 --> Internet
>
>> So I
>> have to pass from the internal to external the client ip source and the
>> username of the authenticated user.
>>
>> By:
>> "forwarded_for on
>> follow_x_forwarded_for
>> allow all"
>
> ... by opening an Extremely unsafe security hole...
>
>> in squid.conf I succeed to send the Client ip source in
>> the header from internal to external
>> But I'm not able to send by
>> header the "X-Authenticated-User" to the external. ( I hope
>
> Yes. It's an ICAP special header.
>
>> X-Authenticated-User is the right way )
>> I can't use ICAP, so some
>
> Yes ICAP is not the right technology.
>
>> body can help me?
>> thanks
>
> To pass the client IP securely between the proxies you need to configure
> this:
>
> Proxy 1 squid.conf:
>
> forwarded_for on
>
> Proxy 2 squid.conf:
>
> acl proxy1 src
>
> follow_x_forwarded_for allow proxy1
> follow_x_forwarded_for deny all
>
> Logging in to two different proxies simultaneously with one action is
> quite hard.
>
> Instead you can setup the authentication at proxy2 and use the
> cache_peer login=PASS option at proxy1.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] delay pool still slowing down with no-delay
Amos Jeffries wrote: Hendrik Voigtlaender wrote: Dear list, I am using delay pools to slow down download when all parents are down and the child has to fetch the content itself via backup line. When troubleshooting low download rates I figured that the delay pools are slowing down transfer rates even when no-delay is set in the parent definition. Disabled delay pools as a workaround - everything is fast and fine. Yes, the request is definitely going via parent. child OS is debian etch/lenny with squid installed from repository, parents are debian lenny dto. squid from debian repository. same effect on childs running lenny and etch. This setup worked fine for ages! Any ideas? Does sound like a bug. We will need to know the actual release number of Squid you are using. Assuming you do have the latest package, that still leaves Etch as 3.0.PRE5 and Lenny as one of 3.0.STABLE8, 3.0.STABLE19 or 3.1.3-2 depending on the repository used. Amos (Resend with cc squid-users) Hi, I am using squid2: stockpackages named 2.6.5-6etch5 and 2.7.STABLE3-4.1lenny1 Regards, Hendrik
Re: [squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Gabriele Gabriele wrote:
> Hi to all, this is my first time here,
> I need an help to configure my squid 3.1.3
> I show you my problem:
> I have 2 squid proxy, one is internal and one is external, the external is cache_peer for the internal. On the internal squid I have the ntlm authentication,

bit hard to understand that text does it mean this?

Client --NTLM--> Proxy 1 --> Proxy 2 --> Internet

> So I have to pass from the internal to external the client ip source and the username of the authenticated user.
>
> By:
> "forwarded_for on
> follow_x_forwarded_for allow all"

... by opening an Extremely unsafe security hole...

> in squid.conf I succeed to send the Client ip source in the header from internal to external
> But I'm not able to send by header the "X-Authenticated-User" to the external. ( I hope

Yes. It's an ICAP special header.

> X-Authenticated-User is the right way )
> I can't use ICAP, so some

Yes ICAP is not the right technology.

> body can help me?
> thanks

To pass the client IP securely between the proxies you need to configure this:

Proxy 1 squid.conf:

forwarded_for on

Proxy 2 squid.conf:

acl proxy1 src
follow_x_forwarded_for allow proxy1
follow_x_forwarded_for deny all

Logging in to two different proxies simultaneously with one action is quite hard.

Instead you can setup the authentication at proxy2 and use the cache_peer login=PASS option at proxy1.

Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
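Why the reply above restricts `follow_x_forwarded_for` to proxy1 instead of `allow all`, shown as an added Python model that is not Squid code and not part of the original thread. It simplifies the documented behaviour (backtrack through X-Forwarded-For only while the address that supplied each entry is allowed); the function name and all addresses are constructed for illustration.

```python
import ipaddress

def effective_client(direct_peer, xff_header, trusted):
    """Return the address a proxy would treat as the client.

    Walk X-Forwarded-For from right to left. An entry is believed only while
    the address that handed it to us is inside `trusted` (a list of CIDR
    strings); the first untrusted address is the effective client.
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    client = direct_peer
    while entries and is_trusted(client):
        candidate = entries.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # "unknown" or garbage: stop at the last address we could verify
        client = candidate
    return client

if __name__ == "__main__":
    # Constructed scenario: proxy1 is 10.0.0.1, the real client is 192.168.1.50,
    # and the client itself sent "X-Forwarded-For: 203.0.113.7" before proxy1
    # appended the real address (forwarded_for on).
    header = "203.0.113.7, 192.168.1.50"
    print("allow proxy1 only:", effective_client("10.0.0.1", header, ["10.0.0.1/32"]))
    print("allow all        :", effective_client("10.0.0.1", header, ["0.0.0.0/0"]))
```

With only proxy1 trusted, proxy2 stops at the address proxy1 appended; with everything trusted, a value supplied by the client decides which src ACLs match.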
[squid-users] problem 2 squid version 3.1.3 X-Authenticated-User
Hi to all, this is my first time here, I need an help to configure my squid 3.1.3 I show you my problem: I have 2 squid proxy, one is internal and one is external, the external is cache_peer for the internal. On the internal squid I have the ntlm authentication, So I have to pass from the internal to external the client ip source and the username of the authenticated user. By: "forwarded_for on follow_x_forwarded_for allow all" in squid.conf I succeed to send the Client ip source in the header from internal to external But I'm not able to send by header the "X-Authenticated-User" to the external. ( I hope X-Authenticated-User is the right way ) I can't use ICAP, so some body can help me? thanks If this problem was already discussed, where can I find it? thanks
Re: [squid-users] errors on some youtube videos
Hi, I encountered the same thing before. My solution was to apply the patch as mentioned at the end of this page: http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion?highlight=%28ConfigExamples%2FIntercept%29|%28ConfigExamples%2FAuthenticate%29|%28ConfigExamples%2FChat%29|%28ConfigExamples%2FStreams%29|%28ConfigExamples%2FReverse%29|%28ConfigExamples%2FStrange%29

HTH, Khem

On 05/27/2010 12:51 PM, Guillaume 4 wrote:

Hi there I'm using a squid proxy with a youtube rewrite module to cache the vids. It's working ~fine except for *some* vids that won't load. When trying to view the vids, youtube says : "An error occurred, please try again later."

This isn't really relevant, but in the store.log, here what I get :

1274876139.777 RELEASE -1 2171EABA7915771683088F05E4A343B1 204 1274875723-1 41629446 text/html 0/0 GET http://www.youtube.com/player_204?el=detailpage&fv=LNX%2010,1,53,22&scoville=1&ec=100&fexp=902919&plid=AASHfiKGfwfeoAfQ&rt=0.246&event=streamingerror&v=dk6Yu2BRC6g&fmt=34
1274876269.468 RELEASE -1 D0C3CF82B3C1E75EFFBBA2C475D7DEBE 204 1274875853-1 41629446 text/html 0/0 GET http://www.youtube.com/player_204?el=detailpage&fv=LNX%2010,1,53,22&scoville=1&ec=100&fexp=902919&plid=AASHfiKGfwfeoAfQ&rt=129.896&event=streamingerror&v=dk6Yu2BRC6g&fmt=34

When I remove the store_url_rewrite part into the squid.conf, it does work fine. Note this is only happening to *some* vids, the rest is working fine and being cached properly.

Here's my store_url_rewrite script :

#!/usr/bin/perl
$|=1;
while (<>) {
    @X = split;
    $x = $X[0];
    $_ = $X[1];

    # compatibility from old cached get_video?video_id
    if (m/^http:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com).*?(videoplayback\?id=.*?|video_id=.*?)\&(.*?)/) {
        $z = $2;
        $z =~ s/video_id=/get_video?video_id=/;
        print $x . "http://video-srv.youtube.com.SQUIDINTERNAL/" . $z . "\n";

    # youtube HD itag=22
    } elsif (m/^http:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com).*?\&(itag=22).*?\&(id=[a-zA-Z0-9]*)/) {
        print $x . "http://video-srv.youtube.com.SQUIDINTERNAL/" . $2 . "&" . $3 . "\n";

    # youtube Normal screen always HD itag 35, Normal screen never HD itag 34, itag=18 <--normal?
    } elsif (m/^http:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com).*?\&(itag=[0-9]*).*?\&(id=[a-zA-Z0-9]*)/) {
        print $x . "http://video-srv.youtube.com.SQUIDINTERNAL/" . $3 . "\n";

    } else {
        print $x . $_ . "\n";
    }
}

I really don't know where to search at the moment, any suggestion will be more than welcome! :)

Thanks in advance, Guillaume
Re: [squid-users] [Fwd: Daily per MAC addr bandwidth caps]
Dayo Adewunmi wrote: Nobody? Hi Is it possible to set daily bandwidth caps in squid, and automatically deny access to a MAC address when that limit has been reached? Thanks No. Squid does not yet support quotas. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] [Fwd: Daily per MAC addr bandwidth caps]
Nobody? Original Message Subject:Daily per MAC addr bandwidth caps Date: Mon, 24 May 2010 10:59:52 +0100 From: Dayo Adewunmi Reply-To: contactd...@gmail.com To: squid-users@squid-cache.org Hi Is it possible to set daily bandwidth caps in squid, and automatically deny access to a MAC address when that limit has been reached? Thanks Dayo
[squid-users] squid ssl forward proxy (+ authentication) ?
Does squid support being configured as an encrypted (SSL) proxy, where the connection between client and proxy go over SSL to avoid f.ex. sniffing of the proxy password and other non-https traffic ? Also, could the proxy authentication then be utilizing client certificates instead of username/password ? -jf
Re: [squid-users] OAFIID:GNOME
From: squidACL
> I have a big problem when I start fedora give me this three error
> message :
> please if you have any idea i will be thankful

This is the squid mailing list, ask the fedora mailing list... JD
[squid-users] OAFIID:GNOME
Hi I have a big problem when I start fedora give me this three error message : The panel has encountered a problem loading: Would you like to delete the applet from your configuration? The panel has encountered a problem loading: Would you like to delete the applet from your configuration? The panel has encountered a problem loading: Would you like to delete the applet from your configuration? please if you have any idea i will be thankful Thank you