Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
On Friday 28 May 2010 01:22:57, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Thursday 27 May 2010 07:30:11, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
> >> Hi all
> >>
> >> As a requirement of one client, he wants to use joomla user database to let squid authenticate.
> >>
> >> I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions.
> >>
> >> I did add one useful option to script
> >>
> >> --joomla
> >>
> >> in order to activate joomla hashing. Other options are identical. Please test :)
> >>
> >> Amos, I'd like if you can include this in 3.1.2
>
> Mumble.
>
> How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze?
>
> >> LD
> >
> > I have a typo in
> > my salt
> >
> > should be
> > my $salt
> >
> > sorry
>
> Can you make the option --md5 instead please?
>
> Possibilities are not limited to Joomla and they may change someday.
>
> The option needs to be added to the documentation sections of the helper as well.
>
> Amos
> >>>
> >>> I dont get you about "cross the security",
> >>
> >> 3.1 is under feature freeze. Anything not a security fix or regression needs to have some good reasons to be committed.
> >>
> >> I'm trying to stick to the freeze a little more with 3.1 than with 3.0, to get back into the habit of it. Particularly since we look like having a good foothold on the track for 12-month releases now.
> >>
> >>> what i did is that --joomla flag do different sql request and because joomla hash is like this:
> >>> hash:salt
> >>> i did split and compare. by default joomla uses md5 (i'm not a joomla master, i dont know when joomla uses other hashings)
> >>
> >> I intend to use this auth helper myself for other systems, and there are others who ask about a DB helper occasionally.
> >>
> >>
> >> Taking a better look at your changes ...
> >>
> >> The first one: db_conf = "block = 0" seems to be useless. All it does is hard-code a different default value for the --cond option.
> >>
> >> For Joomla the squid.conf should instead contain:
> >>   --cond " block=0 "
> >>
> >> Which leaves the salted/non-salted hash change.
> >>
> >> Adding this:
> >>   --salt-delimiter D
> >>
> >> To configure character(s) between the hash and salt values. Will not lock people into the specific Joomla syntax of colon. There are examples and tutorials out there for app design that use other delimiters.
> >>
> >> Doing both of those changes Joomla would be configured with:
> >>   ... --cond " block=0 " --salt-delimiter ":"
> >>>
> >>> if you want, later i may add also --md5 to store md5 password, and --digest-auth to support digest authentication :) but later jejeje
> >>
> >> Amos
> >
> > HI
> > i've just update my patch to fit 3.1.2
> >
> > I hope this could be included since it is based on todays snapshot.
> >
> > Regards,
> >
> > LD
>
> Thank you.
>
> You still have the --joomla flag. I thought you agreed to call it something like the --salt and take the delim character ?
>
> Amos
> >>>
> >>> Amos + team,
> >>>
> >>> i was adding salt support and i realize of this line
> >>>
> >>> return 1 if crypt($password, $key) eq $key;
> >>>
> >>> as far as i know this is impossible, because crypt using a salt wont be eq to that key,
> >>> because there are many scenarios i did let this line in my patch and add another to use static salt
> >>>
> >>> I also add a --sql option to let user specify complex queries. As i was needing it to work with an INNER JOIN.
> >>>
> >>> I hope you can review it.
> >>>
> >>> LD
> >>
> >> I have not found the need for --sql in my experience with complex queries to this helper. Each of the options --usercol , --passcol, --table and --cond can take whole snippets of SQL double-quoted.
> >>
> >> The rest of th
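
An added example, not code from the patch under discussion or from squid_db_auth: a Python sketch of the split-and-compare check the thread describes, with the delimiter configurable as proposed for --salt-delimiter. The digest layout md5(password + salt) and all function names are assumptions; the thread only says the stored value is hash:salt and that Joomla uses md5 by default.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")


def make_stored(password, salt, delimiter=":"):
    """Build a stored value in the assumed layout md5(password + salt)<delim>salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + delimiter + salt if salt else digest


def split_stored(stored, delimiter=":"):
    """Return (digest, salt); a value without the delimiter is unsalted."""
    if delimiter and delimiter in stored:
        digest, _, salt = stored.partition(delimiter)
        return digest, salt
    return stored, ""


def verify_password(password, stored, delimiter=":"):
    """Compare a login password with a stored salted or unsalted MD5 digest."""
    digest, salt = split_stored(stored.strip(), delimiter)
    digest = digest.lower()
    # Fail closed on rows that are not a 32-character hex digest, e.g. when
    # the configured delimiter does not match what the application wrote.
    if len(digest) != 32 or not set(digest) <= HEX:
        return False
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    # Constant-time comparison instead of a plain string equality test.
    return hmac.compare_digest(candidate, digest)
```

Splitting on the first delimiter keeps a salt that itself contains the delimiter intact, because the hex digest never does.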
RE: [squid-users] Youtube -An error occured, please try again later
Hi Amos

Yes the problem seems to be gone and it could be the reason thanks for explaining.

regards,
Bilal

> Date: Mon, 31 May 2010 20:32:43 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Youtube -An error occured, please try again later
>
> GIGO . wrote:
>> Hi Henrik,
>>
>> Right now i don't have my access.log. (will share it with you after the weekend) However let me tell you that after setting the negative_ttl to 0. Apparently the problem was resolved. But i need to be sure about it.
>>
>> Do you think that this had resolved the problem?
>
> Quite probably.
>
> negative_ttl forces Squid to cache and provide ALL clients with the 4xx or 5xx error page for a certain length of time. Even if it was only a temporary issue due to a single client request failure. It's a manually added DoS vulnerability to every Squid which uses it.
>
> It's rarely useful nowadays even for its original purpose of reducing 404 flooding of backend servers.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.3
RE: [squid-users] squid rewrite & squidguard
>2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
>2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
>2010-05-31 16:17:31 [2785] source not found
>2010-05-31 16:17:31 [2785] no ACL matching source, using default
>http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
>2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)
>
>But when running within Squid, it does not seem to be taking it? Did I miss anything in the squid.conf file ? I looked online and couldn't spot any error.

FWIW, there is a squidguard mailing list that is pretty helpful. Your problem is permissions almost certainly, you ran this and the db creation as root (or someone), so now the user that squid runs the rewriter as does not have any access privs to the log files and/or bl/db's... Check the first two directives in your conf, see who can write there.

HTH,
jlc
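
An added example, not part of the original reply: one way to run the check described above, reading dbhome and logdir from a squidGuard config and listing every entry underneath that a given account cannot write. The function names and the sample config are constructed for illustration; the uid and group ids of the account Squid runs the rewriter as are assumed to be supplied by the caller, and ACLs and parent-directory permissions are not considered.

```python
import os
import stat

# Constructed sample; the two directives match the config quoted in the thread.
SAMPLE_CONF = """\
# CONFIG FILE FOR SQUIDGUARD
dbhome /var/lib/squidguard
logdir /var/log/squid
"""


def conf_dirs(conf_text):
    """Return the dbhome and logdir paths declared in a squidGuard config."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in ("dbhome", "logdir"):
            found[parts[0]] = parts[1]
    return found


def may_write(st, uid, gids):
    """Decide from owner/group/other mode bits whether uid can write."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        perms = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        perms = (st.st_mode >> 3) & 7
    else:
        perms = st.st_mode & 7
    # Directories need write and search (wx); files need write only.
    need = 3 if stat.S_ISDIR(st.st_mode) else 2
    return perms & need == need


def blocked_entries(root, uid, gids):
    """List paths under root (root included) that the account cannot write."""
    if not os.path.isdir(root):
        return [root]  # a missing directory is a failure, not a pass
    blocked = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if not may_write(os.stat(path), uid, gids):
                blocked.append(path)
    return sorted(blocked)


def audit(conf_text, uid, gids):
    """Map each directive to the entries the account is locked out of."""
    return {name: blocked_entries(path, uid, gids)
            for name, path in conf_dirs(conf_text).items()}
```

An empty list for both directives means the mode bits allow the rewriter's account to write the logs and databases; anything listed is a candidate for the root-owned files the reply suspects.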
Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04
Hi!

Thanks Alexandre and Amos for your replies, together they pointed me into the right direction!

Based on the URLs sent by Alexandre, I edited the "/etc/php5/cli/php.ini" file and tested different values for "max_execution_time" and "max_input_time" but none changed the PHP's script behavior.

Then, I remembered Amos mentioned a 60sec timeout. I saw my cache.log and yes there was an exactly 60sec delay after starting squid and the first Warning. So, I searched the "php.ini" for a similar value and found this directive: "default_socket_timeout". I changed it to 300sec and the Warnings started to show up accordingly. Then I changed its value to "-1" and the warnings haven't shown up again!

Squid doesn't complain anymore about my PHP-scripts, but I don't know if this change has secondary effects or any other consequences. I'll be monitoring them, but in any case I have the backup Perl-scripts.

Thanks again!
Re: [squid-users] squid-3 seems to be leaking filedescriptors
Mon 2010-05-31 at 19:40 +0200, Ralf Hildebrandt wrote:
> http://dspace.mit.edu/bitstream/handle/1721.1/41645/219706931.pdf?sequence=1

Thanks, but we know very well where it is leaking. Just not why..

Regards
Henrik
Re: [squid-users] squid-3 seems to be leaking filedescriptors
* Henrik Nordström :
> Mon 2010-05-31 at 19:19 +0200, Ralf Hildebrandt wrote:
>
> > It's easily worked around by restarting it once a week. Maybe it has something to do with my use of ICAP or is that bug (which #?) completely unrelated to ICAP?
>
> Seems unrelated to ICAP.
>
> Don't have the bug #, but should be easy to find.

http://bugs.squid-cache.org/show_bug.cgi?id=2872
http://dspace.mit.edu/bitstream/handle/1721.1/41645/219706931.pdf?sequence=1

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [squid-users] squid-3 seems to be leaking filedescriptors
Mon 2010-05-31 at 19:19 +0200, Ralf Hildebrandt wrote:
> It's easily worked around by restarting it once a week. Maybe it has something to do with my use of ICAP or is that bug (which #?) completely unrelated to ICAP?

Seems unrelated to ICAP.

Don't have the bug #, but should be easy to find.

Regards
Henrik
Re: [squid-users] squid-3 seems to be leaking filedescriptors
* Henrik Nordström :
> Mon 2010-05-31 at 13:03 +0200, Ralf Hildebrandt wrote:
> > By accident I discovered, that all of my 4 squid3 proxies see a steady increase in filedescriptor usage:
>
> Known bug. Cause not yet identified.

Good. Bad.

It's easily worked around by restarting it once a week. Maybe it has something to do with my use of ICAP or is that bug (which #?) completely unrelated to ICAP?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [squid-users] squid-3 seems to be leaking filedescriptors
Mon 2010-05-31 at 13:03 +0200, Ralf Hildebrandt wrote:
> By accident I discovered, that all of my 4 squid3 proxies see a steady increase in filedescriptor usage:

Known bug. Cause not yet identified.

Regards
Henrik
[squid-users] squid rewrite & squidguard
Hello,

I have Squid 3.1.3 running on a server very happily. I am trying to get squidguard to run with it. So at the top of the squid.conf file i put:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Then squidguard has:

#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard
logdir /var/log/squid

dest ads {
        domainlist blacklists/ads/domains
        urllist blacklists/ads/urls
}

acl {
        default {
                pass !ads all
                redirect http://proxy.mydomain.com/block.html
        }
}

When running a local test, like:

echo "http://www.cafzone.net 192.168.6.66/ - - GET" | squidGuard -c /etc/squid/squidguard.conf -d

It works accordingly:

2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
2010-05-31 16:17:31 [2785] source not found
2010-05-31 16:17:31 [2785] no ACL matching source, using default
http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)

But when running within Squid, it does not seem to be taking it? Did I miss anything in the squid.conf file ? I looked online and couldn't spot any error.

Thanks in advance,
Steph
[squid-users] squid-3 seems to be leaking filedescriptors
By accident I discovered, that all of my 4 squid3 proxies see a steady increase in filedescriptor usage:

http://www.arschkrebs.de/bugs/fd-leak.png

Is this an error in my observation or is this a known problem?

# dpkg -l |grep squid3
ii  squid3         3.0.STABLE19-2  A full featured Web Proxy cache (HTTP proxy)
ii  squid3-common  3.0.STABLE19-2  A full featured Web Proxy cache (HTTP proxy)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
[squid-users] fail-safe and load balancing with reverse proxy
Hi List,

I use a squid3-3.0.STABLE8 reverse proxy on a debian system. It makes forward queries to web server, which is accessible from 2 public ips.

My peer config:
---
cache_peer x.y.z.57 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent1 round-robin login=PASS weight=16
cache_peer a.b.c.118 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent2 round-robin login=PASS weight=1
---

I would like to do a fail-safe connection to the web server. It's working, but if one of the public ips isn't accessible, there is some Connection timed out (110) proxy message until the parent is detected as dead, while the proxy tries to query the offline parent.

How can I eliminate this thing? Why doesn't squid resend the query to the other parent? I cannot set ICP queries while the parent is a simple web server. Is there a way to make better dead peer detection? Can I do this with icmp queries?

Best regards,
László Király
Re: [squid-users] Youtube -An error occured, please try again later
GIGO . wrote:
> Hi Henrik,
>
> Right now i don't have my access.log. (will share it with you after the weekend) However let me tell you that after setting the negative_ttl to 0. Apparently the problem was resolved. But i need to be sure about it.
>
> Do you think that this had resolved the problem?

Quite probably.

negative_ttl forces Squid to cache and provide ALL clients with the 4xx or 5xx error page for a certain length of time. Even if it was only a temporary issue due to a single client request failure. It's a manually added DoS vulnerability to every Squid which uses it.

It's rarely useful nowadays even for its original purpose of reducing 404 flooding of backend servers.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
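
An added example, not part of the original message: a Python check over access.log that shows how far a negatively cached error spread, by grouping entries with the TCP_NEGATIVE_HIT result code by URL and counting the distinct clients that received the cached error. It assumes Squid's native log format; the sample log lines, host names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the native access.log format (not taken from the thread).
SAMPLE_LOG = """\
1275294700.101    842 192.168.6.10 TCP_MISS/503 1650 GET http://video.example/watch?v=1 - DIRECT/203.0.113.5 text/html
1275294705.220      1 192.168.6.11 TCP_NEGATIVE_HIT/503 1658 GET http://video.example/watch?v=1 - NONE/- text/html
1275294709.734      0 192.168.6.12 TCP_NEGATIVE_HIT/503 1658 GET http://video.example/watch?v=1 - NONE/- text/html
1275294712.003     95 192.168.6.10 TCP_MISS/200 20480 GET http://video.example/ok - DIRECT/203.0.113.5 text/html
1275294720.450      0 192.168.6.11 TCP_NEGATIVE_HIT/404 512 GET http://video.example/gone - NONE/- text/html
"""


def negative_hits(log_text):
    """Group replies served from the negative cache by URL.

    Returns {url: {"status": code, "clients": set, "count": n}}.
    Lines that do not parse as native-format entries are skipped.
    """
    report = defaultdict(lambda: {"status": None, "clients": set(), "count": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "/" not in fields[3]:
            continue
        action, _, code = fields[3].partition("/")
        if action != "TCP_NEGATIVE_HIT":
            continue
        entry = report[fields[6]]
        entry["status"] = code
        entry["clients"].add(fields[2])
        entry["count"] += 1
    return dict(report)


def amplified(log_text, min_clients=2):
    """URLs whose cached error reached at least min_clients distinct clients."""
    return sorted(url for url, entry in negative_hits(log_text).items()
                  if len(entry["clients"]) >= min_clients)
```

In the sample, one upstream 503 for a single client is then replayed from cache to two other clients, which is the effect the message describes.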
Re: [squid-users] cache_peer / always_direct / subnet
Andre Weidner wrote:
> -------- Original Message --------
> Date: Sat, 29 May 2010 00:24:13 +1200
> From: Amos Jeffries
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] cache_peer / always_direct / subnet
>
>> The dst ACL type requires Squid to resolve the requested domain IP on each test.
>
> Is there a workaround for this? Maybe another ACL that i currently don't think about?

The normal configs use dstdomain type ACL which matches the domain name(s) being hosted on the local server.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
Re: [squid-users] File with zero size when using squid proxy
On Wed, 12 May 2010 21:58:38 +0200, Henrik Nordström wrote:

> Wed 2010-05-12 at 17:20 +0200, Emmanuel Lesouef wrote:
> > On Wed, 12 May 2010 23:10:00 +0800,
> > Jeff Pang wrote:
> >
> > > How about upgrading squid to the latest version (2.7 or 3.1)?
> >
> > Ouch... This is Debian Stable. And the server is part of a critical cluster...
> >
> > To summarize, it is not possible to upgrade to v3.1...
>
> At least set up a test proxy with newer Squid versions to identify if it's an existing problem or an old problem which has already been fixed.
>
> Regards
> Henrik

FYI : the issue is fixed in 2.7.STABLE7-1~bpo50+1

Thanks for your help.

--
Emmanuel Lesouef