Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)

2010-05-31 Thread Luis Daniel Lucio Quiroz
On Friday 28 May 2010 01:22:57, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Thursday 27 May 2010 07:30:11, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
>  Luis Daniel Lucio Quiroz wrote:
> > On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
>  Luis Daniel Lucio Quiroz wrote:
> > On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
> >> Hi all
> >> 
> >> As a requirement of one client, he wants to use the Joomla user
> >> database to let Squid authenticate.
> >> 
> >> I did patch squid_db_auth that Henrik has written in order to
> >> support Joomla hash conditions.
> >> 
> >> I did add one useful option to the script
> >> 
> >> --joomla
> >> 
> >> in order to activate Joomla hashing.  Other options are
> >> identical. Please test :)
> >> 
> >> Amos, I'd like it if you can include this in 3.1.2
>  
>  Mumble.
>  
>  How do other users feel about it? Useful enough to cross the
>  security bugs and regressions only freeze?
>  
> >> LD
> > 
> > I have a typo in
> > my salt
> > 
> > should be
> > my $salt
> > 
> > sorry
>  
>  Can you make the option --md5 instead please?
>  
>    Possibilities are not limited to Joomla and they may change
>    someday.
>  
>  The option needs to be added to the documentation sections of the
>  helper as well.
>  
>  Amos
> >>> 
> >>> I don't get you about "cross the security",
> >> 
> >> 3.1 is under feature freeze. Anything not a security fix or
> >> regression needs to have some good reasons to be committed.
> >> 
> >> I'm trying to stick to the freeze a little more with 3.1 than with
> >> 3.0, to get back into the habit of it. Particularly since we look
> >> like having a good foothold on the track for 12-month releases now.
> >> 
> >>> What I did is that the --joomla flag does a different SQL request and,
> >>> because the Joomla hash is like this:
> >>> hash:salt
> >>> I did split and compare.  By default Joomla uses md5 (I'm not a
> >>> Joomla master, I don't know when Joomla uses other hashings)
> >> 
> >> I intend to use this auth helper myself for other systems, and there
> >> are others who ask about a DB helper occasionally.
> >> 
> >> 
> >> Taking a better look at your changes ...
> >> 
> >> The first one: db_conf = "block = 0"  seems to be useless. All it
> >> does is hard-code a different default value for the --cond option.
> >> 
> >> For Joomla the squid.conf should instead contain:
> >>   --cond " block=0 "
> >> 
> >> Which leaves the salted/non-salted hash change.
> >> 
> >> Adding this:
> >>   --salt-delimiter D
> >> 
> >> To configure character(s) between the hash and salt values.  Will
> >> not lock people into the specific Joomla syntax of colon.  There
> >> are examples and tutorials out there for app design that use other
> >> delimiters.
> >> 
> >> Doing both of those changes Joomla would be configured with:
> >>   ... --cond " block=0 "  --salt-delimiter ":"
> >>> 
> >>> If you want, later I may also add --md5 to store md5 passwords, and
> >>> --digest-auth to support digest authentication :) but later
> >>> jejeje
> >> 
> >> Amos
> > 
> > Hi
> > I've just updated my patch to fit 3.1.2
> > 
> > 
> > I hope this could be included since it is based on today's snapshot.
> > 
> > Regards,
> > 
> > LD
>  
>  Thank you.
>  
>  You still have the --joomla flag. I thought you agreed to call it
>  something like the --salt and take the delim character?
>  
>  Amos
> >>> 
> >>> Amos + team,
> >>> 
> >>> I was adding salt support and I noticed this line
> >>> 
> >>>  return 1 if crypt($password, $key) eq $key;
> >>> 
> >>> As far as I know this is impossible, because crypt using a salt won't
> >>> be eq to that key,
> >>> because there are many scenarios I did leave this line in my patch and
> >>> added another to use a static salt
> >>> 
> >>> I also added a --sql option to let the user specify complex queries, as I
> >>> was needing it to work with an INNER JOIN.
> >>> 
> >>> I hope you can review it.
> >>> 
> >>> LD
> >> 
> >> I have not found the need for --sql in my experience with complex
> >> queries to this helper. Each of the options --usercol , --passcol,
> >> --table and --cond can take whole snippets of SQL double-quoted.
> >> 
> >> The rest of th
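
An added example, not part of the thread and not code from the squid_db_auth helper: one way the hash:salt split-and-compare discussed above could be written in Perl, with the delimiter configurable as Amos suggests. The function names, the sample rows and the md5(password . salt) ordering (the Joomla 1.5-style layout) are assumptions.

```perl
#!/usr/bin/perl
# Added illustration; not code from squid_db_auth. Function names are hypothetical.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Compare two strings without returning at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $stored: value of the password column. $delim: text between hash and salt,
# as the proposed --salt-delimiter would supply; empty means unsalted MD5.
# Assumption: hash = md5(password . salt), the Joomla 1.5-style layout.
sub check_md5_password {
    my ($password, $stored, $delim) = @_;
    return 0 unless defined $stored && length $stored;
    my ($hash, $salt) = ($stored, '');
    if (defined $delim && length $delim) {
        my $pos = index($stored, $delim);
        return 0 if $pos < 0;    # salted mode, unsalted row: reject, do not guess
        $hash = substr($stored, 0, $pos);
        $salt = substr($stored, $pos + length($delim));
    }
    return 0 unless $hash =~ /\A[0-9a-fA-F]{32}\z/;    # malformed row
    return const_eq(lc($hash), md5_hex($password . $salt));
}

# Constructed sample rows: [description, password tried, stored value, delimiter].
my @rows = (
    ['salted, correct',  'secret', md5_hex('secret' . 'Xy12') . ':Xy12',  ':'],
    ['salted, wrong pw', 'guess',  md5_hex('secret' . 'Xy12') . ':Xy12',  ':'],
    ['other delimiter',  'secret', md5_hex('secret' . 'Xy12') . '$$Xy12', '$$'],
    ['unsalted row',     'secret', md5_hex('secret'),                     ':'],
    ['truncated hash',   'secret', 'abc123:Xy12',                         ':'],
);

for my $r (@rows) {
    my ($what, $pw, $stored, $delim) = @$r;
    printf "%-17s %s\n", $what, check_md5_password($pw, $stored, $delim) ? 'OK' : 'ERR';
}
```

A salt defeats precomputed tables, but MD5 stays fast to brute-force, so this check is only as strong as the stored scheme it has to match.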

RE: [squid-users] Youtube -An error occured, please try again later

2010-05-31 Thread GIGO .

Hi Amos

Yes the problem seems to be gone and it could be the reason thanks for 
explaining.

regards,

Bilal

> Date: Mon, 31 May 2010 20:32:43 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Youtube -An error occured, please try again later
>
> GIGO . wrote:
>> Hi Henrik,
>>
>> Right now I don't have my access.log. (will share it with you after the 
>> weekend) However let me tell you that after setting the negative_ttl to 0. 
>> Apparently the problem was resolved. But I need to be sure about it.
>>
>> Do you think that this had resolved the problem?
>
> Quite probably.
>
> negative_ttl forces Squid to cache and provide ALL clients with the 4xx
> or 5xx error page for a certain length of time. Even if it was only a
> temporary issue due to a single client request failure. It's a manually
> added DoS vulnerability to every Squid which uses it.
>
> It's rarely useful nowadays even for its original purpose of reducing 404
> flooding of backend servers.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.3 
>   

RE: [squid-users] squid rewrite & squidguard

2010-05-31 Thread Joseph L. Casale
>2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
>2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
>2010-05-31 16:17:31 [2785] source not found
>2010-05-31 16:17:31 [2785] no ACL matching source, using default
>http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
>2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)
>
>But when running within Squid, it does not seem to be taking it? Did I
>miss anything in the squid.conf file ? I looked online and couldn't
>spot any error.

FWIW, there is a squidguard mailing list that is pretty helpful.

Your problem is permissions almost certainly, you ran this and the
db creation as root (or someone), so now the user that squid runs
the rewriter as does not have any access privs to the log files
and/or bl/db's...

Check the first two directives in your conf, see who can write
there.

HTH,
jlc


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-31 Thread Horacio H.
Hi!

Thanks Alexandre and Amos for your replies, together they pointed me
into the right direction!

Based on the URLs sent by Alexandre, I edited the
"/etc/php5/cli/php.ini" file and tested different values for
"max_execution_time" and "max_input_time" but none changed the PHP
script's behavior.  Then, I remembered Amos mentioned a 60sec timeout. I
saw my cache.log and yes there was an exactly 60sec delay after
starting squid and the first Warning. So, I searched the "php.ini" for
a similar value and found this directive: "default_socket_timeout". I
changed it to 300sec and the Warnings started to show up accordingly.
Then I changed its value to "-1" and the warnings haven't shown up
again!

Squid doesn't complain anymore about my PHP-scripts, but I don't know
if this change has secondary effects or any other consequences.  I'll
be monitoring them, but in any case I have the backup Perl-scripts.

Thanks again!


Re: [squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Henrik Nordström
Mon 2010-05-31 at 19:40 +0200, Ralf Hildebrandt wrote:

> http://dspace.mit.edu/bitstream/handle/1721.1/41645/219706931.pdf?sequence=1

Thanks, but we know very well where it is leaking. Just not why..

Regards
Henrik



Re: [squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Ralf Hildebrandt
* Henrik Nordström :
> Mon 2010-05-31 at 19:19 +0200, Ralf Hildebrandt wrote:
> 
> > It's easily worked around by restarting it once a week. Maybe it has
> > something to do with my use of ICAP or is that bug (which #?)
> > completely unrelated to ICAP?
> 
> Seems unrelated to ICAP.
> 
> Don't have the bug #, but should be easy to find.

http://bugs.squid-cache.org/show_bug.cgi?id=2872

http://dspace.mit.edu/bitstream/handle/1721.1/41645/219706931.pdf?sequence=1

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Henrik Nordström
Mon 2010-05-31 at 19:19 +0200, Ralf Hildebrandt wrote:

> It's easily worked around by restarting it once a week. Maybe it has
> something to do with my use of ICAP or is that bug (which #?)
> completely unrelated to ICAP?

Seems unrelated to ICAP.

Don't have the bug #, but should be easy to find.

Regards
Henrik




Re: [squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Ralf Hildebrandt
* Henrik Nordström :
> Mon 2010-05-31 at 13:03 +0200, Ralf Hildebrandt wrote:
> > By accident I discovered, that all of my 4 squid3 proxies see a steady
> > increase in filedescriptor usage:
> 
> Known bug. Cause not yet identified.

Good. Bad.

It's easily worked around by restarting it once a week. Maybe it has
something to do with my use of ICAP or is that bug (which #?)
completely unrelated to ICAP?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Henrik Nordström
Mon 2010-05-31 at 13:03 +0200, Ralf Hildebrandt wrote:
> By accident I discovered, that all of my 4 squid3 proxies see a steady
> increase in filedescriptor usage:

Known bug. Cause not yet identified.

Regards
Henrik



[squid-users] squid rewrite & squidguard

2010-05-31 Thread FRLinux
Hello, I have Squid 3.1.3 running on a server very happily. I am
trying to get squidguard to  run with it.

So at the top of the squid.conf file i put:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Then squidguard has:

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard
logdir /var/log/squid


dest ads {
    domainlist  blacklists/ads/domains
    urllist     blacklists/ads/urls
}

acl {
    default {
        pass !ads all
        redirect http://proxy.mydomain.com/block.html
    }
}

When running a local test, like: echo "http://www.cafzone.net
192.168.6.66/ - - GET" | squidGuard -c /etc/squid/squidguard.conf -d
It works accordingly:

2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
2010-05-31 16:17:31 [2785] source not found
2010-05-31 16:17:31 [2785] no ACL matching source, using default
http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)

But when running within Squid, it does not seem to be taking it? Did I
miss anything in the squid.conf file ? I looked online and couldn't
spot any error.

Thanks in advance,
Steph


[squid-users] squid-3 seems to be leaking filedescriptors

2010-05-31 Thread Ralf Hildebrandt
By accident I discovered, that all of my 4 squid3 proxies see a steady
increase in filedescriptor usage:

http://www.arschkrebs.de/bugs/fd-leak.png

Is this an error in my observation or is this a known problem?

# dpkg -l |grep squid3
ii  squid3          3.0.STABLE19-2  A full featured Web Proxy cache (HTTP proxy)
ii  squid3-common   3.0.STABLE19-2  A full featured Web Proxy cache (HTTP proxy)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



[squid-users] fail-safe and load balancing with reverse proxy

2010-05-31 Thread Király László
Hi List,

I use a squid3-3.0.STABLE8 reverse proxy on a debian system.
It makes forward queries to web server, which is accessible from 2 public ips.

My peer config:
---
cache_peer x.y.z.57 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent1 round-robin login=PASS weight=16
cache_peer a.b.c.118 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent2 round-robin login=PASS weight=1
---

I would like to do a fail-safe connection to the web server.

It's working, but if one of the public ips isn't accessible, there is some
Connection timed out (110) proxy message until the parent is detected as dead,
while the proxy tries to query the offline parent.

How can I eliminate this thing?
Why doesn't Squid resend the query to the other parent?

I cannot set ICP queries while the parent is a simple web server.
Is there a way to make better dead peer detection?

Can I do this with ICMP queries?


Best regards,
László Király



Re: [squid-users] Youtube -An error occured, please try again later

2010-05-31 Thread Amos Jeffries

GIGO . wrote:

> Hi henrik,
>
> Right now i don't have my access.log. (will share it with you after the
> weekend) However let me tell you that after setting the negative_ttl to 0.
> Apparently the problem was resolved. But i need to be sure about it.
>
> Do you think that this had resolved the problem?


Quite probably.

negative_ttl forces Squid to cache and provide ALL clients with the 4xx 
or 5xx error page for a certain length of time. Even if it was only a 
temporary issue due to a single client request failure. It's a manually 
added DoS vulnerability to every Squid which uses it.


It's rarely useful nowadays even for its original purpose of reducing 404 
flooding of backend servers.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


Re: [squid-users] cache_peer / always_direct / subnet

2010-05-31 Thread Amos Jeffries

Andre Weidner wrote:

 Original Message 

Date: Sat, 29 May 2010 00:24:13 +1200
From: Amos Jeffries 
To: squid-users@squid-cache.org
Subject: Re: [squid-users] cache_peer / always_direct / subnet



The dst ACL type requires Squid to resolve the requested domain IP on 
each test.



Is there a workaround for this? Maybe another ACL that I currently don't think 
about?


The normal configs use dstdomain type ACL which matches the domain 
name(s) being hosted on the local server.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


Re: [squid-users] File with zero size when using squid proxy

2010-05-31 Thread Emmanuel Lesouef
On Wed, 12 May 2010 21:58:38 +0200,
Henrik Nordström wrote:

> Wed 2010-05-12 at 17:20 +0200, Emmanuel Lesouef wrote:
> > On Wed, 12 May 2010 23:10:00 +0800,
> > Jeff Pang wrote:
> > 
> > > 
> > > How about upgrading squid to the latest version (2.7 or 3.1)?
> > > 
> > 
> > Ouch... This is Debian Stable. And the server is part of a critical
> > cluster...
> > 
> > To summarize, it is not possible to upgrade to v3.1...
> 
> At least set up a test proxy with newer Squid versions to identify if
> it's an existing problem or an old problem which has already been
> fixed.
> 
> Regards
> Henrik
> 

FYI : the issue is fixed in 2.7.STABLE7-1~bpo50+1

Thanks for your help.

-- 
Emmanuel Lesouef