Re: [squid-users] fail-safe and load balancing with reverse proxy
Dear Amos and Dean,

Thank you for your answers. I think these timeout settings only reduce the failed attempts but don't solve the problem. Is there a correct solution for full fail-safe peer selection? In my opinion I do this with ICP queries. Can I do perfect fail-safe peer selection with two proxies between ICP?

reverse-proxy -- proxy with 2 ips -- web server

Best regards,
László Király

--- Original Message ---
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 03 Jun 2010 02:10:33 +1200
Subject: Re: [squid-users] fail-safe and load balancing with reverse proxy

Dean Weimer wrote:
> Try using peer_connect_timeout. You can lower the timeout so it fails over faster.
>
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
>
> -----Original Message-----
> From: Király László [mailto:k...@mail.madalbal.hu]
> Sent: Wednesday, June 02, 2010 3:14 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] fail-safe and load balancing with reverse proxy
>
>> Okay, I compiled a brand new 3.1.4 squid with the --icmp-enable option. I also added to the squid.conf:
>> ---
>> pinger_program /usr/local/squid/libexec/pinger
>> query_icmp on
>> test_reachability on
>> ---
>> It didn't help. :S
>>
>>> Hi List,
>>>
>>> I use a squid3-3.0.STABLE8 reverse proxy on a debian system. It makes forward queries to a web server, which is accessible from 2 public ips. My peer config:
>>> ---
>>> cache_peer x.y.z.57 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent1 round-robin login=PASS weight=16
>>> cache_peer a.b.c.118 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent2 round-robin login=PASS weight=1
>>> ---
>>> I would like to do a fail-safe connection to the web server. It's working, but if one of the public ips isn't accessible, there are some "Connection timed out (110)" proxy messages until the parent is detected as dead, while the proxy tries to query the offline parent. How can I eliminate this? Why doesn't squid resend the query to the other parent?
>>>
>>> I cannot set ICP queries while the parent is a simple web server. Is there a way to make better dead peer detection? Can I do this with icmp queries?
>>>
>>> Best regards,
>>> László Király
>> --- End of Original Message ---

3.1 also brings in the cache_peer options connect-timeout and connect-fail-limit to set per-peer how long to wait for TCP connections to failover and how many attempts to allow before declaring it dead.

Note: ICMP and NetDB are used to detect the closest source when multiple are available. Not the live/dead status of a peer.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4
--- End of Original Message ---
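As an added example (not the poster's config and not Amos's), here are the two originserver peers from this thread carrying the Squid 3.1 per-peer options Amos names; the timeout and failure-limit values are assumptions to be tuned for the real link.

```conf
# Squid 3.1 reverse proxy in front of one web server reachable via two public IPs.
#
# connect-timeout=N     caps how long a single TCP connect to this peer may take
#                       (per-peer override of the global peer_connect_timeout).
# connect-fail-limit=N  consecutive connect failures after which the peer is
#                       marked DEAD and skipped until it answers again. Squid's
#                       default is 10, which is why a silently failed IP costs
#                       several timed-out client requests before it is avoided.
cache_peer x.y.z.57  parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent1 round-robin weight=16 login=PASS connect-timeout=5 connect-fail-limit=2
cache_peer a.b.c.118 parent 80 0 no-query no-digest no-netdb-exchange originserver name=parent2 round-robin weight=1  login=PASS connect-timeout=5 connect-fail-limit=2

# A reverse proxy should only ever talk to its configured parents: never fall
# back to going DIRECT if both are marked dead.
never_direct allow all
```

With connect-fail-limit=2 a dead IP is taken out of the round-robin after two failed connects rather than ten; connect-timeout keeps each of those failures short.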
Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04
That was a good find! Amos, does that indeed help? It would be nice to know.

Regards
HASSAN

On Tue, Jun 1, 2010 at 03:10, Horacio H. pokehor...@gmail.com wrote:
> Hi!
>
> Thanks Alexandre and Amos for your replies; together they pointed me in the right direction!
>
> Based on the URLs sent by Alexandre, I edited the /etc/php5/cli/php.ini file and tested different values for max_execution_time and max_input_time but none changed the PHP script's behavior.
>
> Then I remembered Amos mentioned a 60sec timeout. I saw my cache.log and yes, there was exactly a 60sec delay after starting squid and the first Warning. So I searched the php.ini for a similar value and found this directive: default_socket_timeout. I changed it to 300sec and the Warnings started to show up accordingly. Then I changed its value to -1 and the warnings haven't shown up again!
>
> Squid doesn't complain anymore about my PHP scripts, but I don't know if this change has secondary effects or any other consequences. I'll be monitoring them, but in any case I have the backup Perl scripts.
>
> Thanks again!
[squid-users] COSS as partition
From this wiki - http://wiki.squid-cache.org/Features/CyclicObjectStorageSystem - does squid 2.7.9 COSS as a partition on FreeBSD 7.2 still have issues? Or is this specific to COSS as a partition only?

Configured with

  '--enable-storeio=coss,aufs' \
  '--with-pthreads' \
  '--with-aio' \

I got the error

2010/06/03 18:20:50| storeCossCompletePendingReloc: got failure (-1)
FATAL: Received Segment Violation...dying.

But if configured with

  '--enable-coss-aio-ops' \
  '--enable-storeio=coss,aufs' \
  '--with-pthreads' \
  '--with-aio' \

there is another error:

2010/06/03 20:25:57| Rebuilding COSS storage in /dev/ad1 (DIRTY)
Bad system call
Re: [squid-users] FTP authenticated using explorer 8
On Tue, 01 Jun 2010 17:21:58 +0200 Henrik Nordström hen...@henriknordstrom.net wrote:
> The official standard is ftp://user:passw...@host/

Oh, I know! :)
The problem starts to become a bit more complex when the user field contains @ (common practice) and/or the password contains chars like : / @ (not frequent, though I stumbled on one of them). The standard URL-encoded escape (%hex) seems to confuse some browsers...

Regards, thanks,
luciano.
Re: [squid-users] FTP authenticated using explorer 8
On Wed, 02 Jun 2010 00:31:17 + Amos Jeffries squ...@treenet.co.nz wrote:
> The official standard is ftp://user:passw...@host/
> How well browsers support other forms varies greatly between browsers.
> Also varies between Squid. 3.1+ will run the HTTP authentication stuff for Basic auth when FTP needs a login and one is not provided as above.

Ok, I'll have a go with 3.1.4, then. I hope the squid.conf file is not too different from the 2.7 one...

Many thanks,
luciano.
RE: [squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17
I thought it should just work... I tried the connection-auth=on and I still have the same issue... I had http_port 3128 transparent, but now it says http_port 3128 transparent connection-auth=on. I'm really scrambling to figure this out; do you have any additional ideas?

thanks!

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, June 01, 2010 6:29 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17

On Tue, 1 Jun 2010 11:25:35 -0500, Johnson, S sjohn...@edina.k12.mn.us wrote:
> More information based on the searches I've done... I'm using transparent mode on the squid proxy (without auth). Well, I've got an AUP page set up for the users to agree to but no LDAP/AD/NTLM auth is being performed on this proxy.

You said you had port 80 and port 443 configured with the proxy. This does match your above statement that it's working transparent. Or did you mean some other meaning of the word transparent than NAT interception?

> However, I tried the other squid proxy with ntlm_auth and it works a-ok. I'm really drawing a blank here...

Stretching for a long shot, you could try with an explicit connection-auth=on flag on the http_port line.

Though, middleware proxies really should just work with these. The only special config is needed to reverse-proxy OWA.

Amos
[squid-users] Help configuring Squid with Kerberos authentication to access Skype service
Hello All

I've set up a Squid proxy server according to the following guidelines
http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp
as my previous proxy version (on a completely different hardware platform) used NTLM authentication, which does not work out of the box with W7 / W2008.

The above URL install proceeded fine and authenticated users are able to browse sites with no apparent issues. I should add that Squid also uses Websense to provide filtering according to AD groups, which also works.

However, when we try to authenticate to the Skype service sites we get failures. In my Skype configuration I am manually specifying the proxy server using the fqdn with the port through which access is to go (same as the squid proxy host).

My squid.conf file is thus

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/http-proxy-fqdn
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
acl localnet src network1/24
acl localnet src network2/24
acl localnet src network3/24
#
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl AUTHENTICATED proxy_auth REQUIRED
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#http_access allow localnet
http_access allow LDAP_GROUP_CHECK
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log
logfile_rotate 10
pid_filename /var/run/squid-3.0.pid
debug_options ALL,1
url_rewrite_program /opt/Websense/bin/WsRedtor
url_rewrite_children 30
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
cache_effective_user squid
cache_effective_group squid
icp_port 3130
coredump_dir /var/cache/squid-3.0
redirector_bypass off

My krb5.conf file is

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CHILD.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
# For Windows XP:
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# For Windows 2007:
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 forwardable = yes

[realms]
 CHILD.DOMAIN.COM = {
  kdc = xxx.xxx.xxx.xxx:88
  admin_server = xxx.xxx.xxx.xxx:7491
  default_domain = child.domain.com
 }

[domain_realm]
 .child.domain.com = CHILD.DOMAIN.COM
 child.domain.com = CHILD.DOMAIN.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

When browsing sites the access.log reflects

1275588052.233    419 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 670 GET http://www.mail-archive.com/images/msg-top2.png hfr...@child.domain.com DIRECT/72.52.77.3 -
1275588052.266    452 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 671 GET http://www.mail-archive.com/images/msg-left.jpg hfr...@child.domain.com DIRECT/72.52.77.3 -
1275588055.273      1 172.17.192.244 TCP_IMS_HIT/304 276 GET http://www.mail-archive.com/favicon.ico hfr...@child.domain.com NONE/- image/x-icon

Now when I start up Skype and watch the access.log I get

1275588304.779      0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 173.168.7.102:443 - NONE/- text/html
1275588304.781      1 172.17.192.244 TCP_DENIED/407 1895 CONNECT 178.34.74.211:443 - NONE/- text/html
1275588304.781      1 172.17.192.244 TCP_DENIED/407 1898 CONNECT 70.253.110.236:443 - NONE/-
Re: [squid-users] WCCP with HTTPS
On Wed 2010-06-02 at 19:01 -0300, Rangel, Luciano wrote:
> Hello Dears,
> I am wanting to use WCCP with the HTTPS port in squid and a cisco switch. Could someone send me how to do that?

If intercepting HTTPS then you need to redirect this to an https_port, install the proxy certificate as a trusted CA in all client browsers, and accept that even with the trusted CA most browsers will complain loudly about SSL security violations.

Regards
Henrik
Re: [squid-users] ldap auth question
On Wed 2010-06-02 at 19:20 -0300, Gerardo Herzig wrote:
> ProxyUsers entry for the user foo is:
> UniqueMember: uid=foo,ou=Managers,o=Company
> UniqueMember: uid=anotherfoo,ou=Sales,o=Company
>
> 1) Is there a way to test if the user foo is part of the ProxyUsers group?

Yes. But you must also tell squid_ldap_group how to find the user object based on the login foo. See the -F argument. If you are using squid_ldap_auth then -F should be set to the same as you use for -f in squid_ldap_auth.

squid_ldap_group -b o=company -F (&(uid=%s)(objectClass=person)) -f (&(cn=%g)(uniqueMember=%u)) ...

> 2) Is it possible to tell squid_ldap_group to look for uid=foo in Manager AND Sales, and if there is one try to use it? Like if the filter could be (uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)?

Yes, but why?

Regards
Henrik
[squid-users] public squid proxy
Hi, Is there a publicly hosted squid proxy against which I can do NTLM authentication. Regards, Prashant
[squid-users] Re: Help configuring Squid with Kerberos authentication to access Skype service
The question is: does Skype support Negotiate as an authentication scheme? If not, you need something like a local proxy. I have a POC version here
https://sourceforge.net/projects/squidkerbauth/files/squidkerberizer/squid_kerberizer-1.0.1/client_kerb_auth.zip/download
or
http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/

Regards
Markus

Fryer, Huw hfr...@photronics.com wrote in message news:8428e62680b457449bfa2317024b0a0563d949d...@smf1-phoxm-01.photronics.com...
> Hello All
>
> I've set up a Squid proxy server according to the following guidelines
> http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp
> as my previous proxy version (on a completely different hardware platform) used NTLM authentication, which does not work out of the box with W7 / W2008.
>
> The above URL install proceeded fine and authenticated users are able to browse sites with no apparent issues. I should add that Squid also uses Websense to provide filtering according to AD groups, which also works.
>
> However, when we try to authenticate to the Skype service sites we get failures.
Re: [squid-users] public squid proxy
On Thu 2010-06-03 at 12:28 -0700, Prashant K.S wrote:
> Is there a publicly hosted squid proxy against which I can do NTLM authentication?

Not that I know of. Why?

Regards
Henrik
Re: [squid-users] ldap auth question
Henrik Nordström wrote:
> On Wed 2010-06-02 at 19:20 -0300, Gerardo Herzig wrote:
>> ProxyUsers entry for the user foo is:
>> UniqueMember: uid=foo,ou=Managers,o=Company
>> UniqueMember: uid=anotherfoo,ou=Sales,o=Company
>>
>> 1) Is there a way to test if the user foo is part of the ProxyUsers group?
>
> Yes. But you must also tell squid_ldap_group how to find the user object based on the login foo. See the -F argument. If you are using squid_ldap_auth then -F should be set to the same as you use for -f in squid_ldap_auth.
>
> squid_ldap_group -b o=company -F (&(uid=%s)(objectClass=person)) -f (&(cn=%g)(uniqueMember=%u)) ...
>
>> 2) Is it possible to tell squid_ldap_group to look for uid=foo in Manager AND Sales, and if there is one try to use it? Like if the filter could be (uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)?
>
> Yes, but why?

Hi Henrik. Thanks for the answer. Well, question 2) is not well written (sorry, English is not my native language). Here is the pseudocode for the kind of filter I meant to write:

(cn=%g _AND_ ou _IN_ (Manager, Sales) _AND_ (uniqueMember=%u))

That is: it does not matter if the uniqueMember of the ProxyUsers group is uid=foo,ou=Managers,o=Company or uid=foo,ou=Sales,o=Company. I'm sorry if I'm not being clear, but I hope you get the idea.

Thanks Henrik for your time!
Gerardo
[squid-users] cache_object denied
Dear all,

I would like to use squidclient in order to get information from squid 3.1.4 but squid does not want to accept connections:

mail - - [03/Jun/2010:19:03:05 -0400] GET cache_object://127.0.0.1/info HTTP/1.0 407 3451 TCP_DENIED:NONE
mail - - [03/Jun/2010:19:03:05 -0400] GET cache_object://127.0.0.1/counters HTTP/1.0 407 3467 TCP_DENIED:NONE

Here is my config, what's wrong?

auth_param basic program /usr/lib/squid3/squid_ldap_auth -b dc=my-domain,dc=com -D cn=admin,dc=my-domain,dc=com -w * -f (&(objectClass=userAccount)(uid=%s)) -v 3 -h 127.0.0.1
#- GLOBAL
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -D cn=admin,dc=my-domain,dc=com -w ** -b dc=my-domain,dc=com -f (&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v)) -S -v 3 -h 127.0.0.1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
acl malware_block_list url_regex -i /etc/squid3/malwares.acl
acl blockedsites url_regex /etc/squid3/squid-block.acl
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/32
acl CONNECT method CONNECT
acl manager proto cache_object
acl office_network src 192.168.1.0/24
acl group_password external ldap_group
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # ssh
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1863        # msn
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
#
http_access allow localhost
http_access allow manager localhost
http_access deny malware_block_list
http_access deny blockedsites
http_access allow ldapauth
http_access allow group_password
http_access allow office_network
http_access deny !Safe_ports
http_access deny all

best regards
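An added example (not Squid code, and not the poster's config verbatim) that models how Squid walks the posted http_access lines in order, and the same lines with the manager rules moved first; the same mechanism explains the TCP_DENIED/407 CONNECT lines in the Kerberos/Skype thread above, where the client presents no credentials Squid can accept. Assumptions: the ACL set is reduced to the types needed, and the `deny manager` line is taken from Squid's default config rather than from the post.

```python
"""First-match model of Squid's http_access evaluation (added example; not Squid
source, and the posted config is reduced to the ACL types this needs).

The point: a proxy_auth ACL checked against a request without credentials does
not just fail to match; Squid stops there and answers 407. So
"http_access allow ldapauth" placed before "allow manager localhost" challenges
the unauthenticated squidclient request before any later line is reached.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    src: str                        # client IP
    proto: str                      # "http", "cache_object", ...
    port: int                       # destination port (proxy's own for manager URLs)
    has_credentials: bool = False   # Proxy-Authorization header present?


# ACL definitions with the names used in the posted squid.conf.
ACLS = {
    "all": ("all", None),
    "localhost": ("src", ip_network("127.0.0.1/32")),
    "office_network": ("src", ip_network("192.168.1.0/24")),
    "manager": ("proto", {"cache_object"}),
    "ldapauth": ("proxy_auth", None),            # proxy_auth REQUIRED
    "Safe_ports": ("port", {21, 22, 70, 80, 210, 280, 443, 488, 563, 591, 631,
                            777, 873, 901, 1863} | set(range(1025, 65536))),
}


def acl_match(name, req):
    """True/False for ordinary ACLs; "challenge" when proxy_auth has nothing to check."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        return ip_address(req.src) in value
    if kind == "proto":
        return req.proto in value
    if kind == "port":
        return req.port in value
    return True if req.has_credentials else "challenge"   # proxy_auth


def http_access(rules, req):
    """rules: [(action, ["acl", "!acl", ...]), ...]. Returns "allow", "deny" or "407".

    Simplification: proxy_auth without credentials always yields 407 here; real
    Squid skips the challenge when that ACL is not the last one on a deny line.
    """
    for action, acls in rules:
        for acl in acls:
            result = acl_match(acl.lstrip("!"), req)
            if result == "challenge":
                return "407"
            if result == acl.startswith("!"):   # ACL (or negated ACL) failed
                break
        else:
            return action                       # every ACL on the line matched
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines in the order posted (url_regex and external ACL lines left out).
POSTED_ORDER = [
    ("allow", ["ldapauth"]),
    ("allow", ["localhost"]),
    ("allow", ["manager", "localhost"]),
    ("allow", ["office_network"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all"]),
]
# Same lines reordered, plus the "deny manager" line from Squid's default config.
FIXED_ORDER = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["ldapauth"]),
    ("allow", ["office_network"]),
    ("deny", ["all"]),
]

SQUIDCLIENT = Request("127.0.0.1", "cache_object", 3128)   # cache_object://127.0.0.1/info
OFFICE_NO_AUTH = Request("192.168.1.20", "http", 80)
OFFICE_AUTHED = Request("192.168.1.20", "http", 80, has_credentials=True)
OFFICE_MANAGER = Request("192.168.1.20", "cache_object", 3128)

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_ORDER), ("reordered", FIXED_ORDER)):
        print(label, [http_access(rules, r) for r in
                      (SQUIDCLIENT, OFFICE_NO_AUTH, OFFICE_AUTHED, OFFICE_MANAGER)])
```

With the posted order every request without credentials, squidclient included, gets 407; with the manager pair first, localhost reaches the cache manager, remote hosts are refused it outright, and ordinary clients are still challenged.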
Re: [squid-users] public squid proxy
Hi Henrik,

I have an NTLM client which I have to test against a squid proxy.

Regards,
Prashant

----- Original Message -----
From: Henrik Nordström hen...@henriknordstrom.net
To: Prashant K.S ksprash...@yahoo.com
Cc: squid-users@squid-cache.org
Sent: Fri, 4 June, 2010 1:48:26 AM
Subject: Re: [squid-users] public squid proxy

On Thu 2010-06-03 at 12:28 -0700, Prashant K.S wrote:
> Is there a publicly hosted squid proxy against which I can do NTLM authentication?

Not that I know of. Why?

Regards
Henrik
[squid-users] Exclude OPTIONS requests from icap_log
Hi,

How do you exclude the OPTIONS requests sent by squid from being logged in icap_log? I tried to use the method acl but it only works on http headers.

Thanks.

--
Sean Austin C. Critica
Electronics and Communications Engineer
+639224059055
[squid-users] possible SYN flooding on port 3128. Sending cookies
Dear All,

I can see a lot of instances of the following message in the system log of Fedora 12 running Squid-2.7STABLE9:

Jun 4 11:11:39 cache kernel: possible SYN flooding on port 3128. Sending cookies.

Is the system really under a SYN flood attack? I tried running this command:

netstat -nat | grep ESTABLISHED | awk '$31 {print $3 $5 $6;}' | sort -n

and saw that some users are using so many ESTABLISHED connections, such as below:

...
70800 202.79.27.22:59085 ESTABLISHED
75016 202.79.27.22:59853 ESTABLISHED
75024 202.79.27.22:59971 ESTABLISHED
77632 202.79.27.22:63075 ESTABLISHED
87568 202.79.27.22:61407 ESTABLISHED
89384 202.79.27.22:59511 ESTABLISHED
92152 202.79.26.194:1591 ESTABLISHED
92376 202.79.27.22:61169 ESTABLISHED
99144 202.79.27.22:63753 ESTABLISHED
104120 119.15.94.182:28632 ESTABLISHED
...

I'm running this Squid box for an ISP of around 250 users. Is it safe to ignore this? Despite the message in the log, Squid seems to run fine. Is there any tweak to get rid of the message?

Thanks in advance for any comments.

Regards,
Khem
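An added example, not from the post: it does in Python what the netstat | grep | awk | sort pipeline above does and then groups the result per client address, so the few clients holding many connections (or large unacknowledged Send-Q backlogs) to port 3128 stand out. The sample is constructed in Linux `netstat -nat` layout from the Send-Q, client address and state values quoted in the post; the proxy's own address 203.0.113.10 and the non-proxy rows are made up.

```python
"""Per-client summary of ESTABLISHED connections to the proxy port, from
`netstat -nat` output. Added example, not part of the mailing-list post.

Send-Q is bytes the kernel has queued for a socket that the remote end has
not yet acknowledged, so a large value means the proxy is waiting on a slow
or unresponsive client for that connection.
"""
from collections import defaultdict

PROXY_PORT = 3128   # port named in the kernel's "possible SYN flooding" message

# Constructed sample in Linux `netstat -nat` layout:
# Proto Recv-Q Send-Q Local Address Foreign Address State
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0  70800 203.0.113.10:3128       202.79.27.22:59085      ESTABLISHED
tcp        0  75016 203.0.113.10:3128       202.79.27.22:59853      ESTABLISHED
tcp        0  75024 203.0.113.10:3128       202.79.27.22:59971      ESTABLISHED
tcp        0  77632 203.0.113.10:3128       202.79.27.22:63075      ESTABLISHED
tcp        0  87568 203.0.113.10:3128       202.79.27.22:61407      ESTABLISHED
tcp        0  89384 203.0.113.10:3128       202.79.27.22:59511      ESTABLISHED
tcp        0  92152 203.0.113.10:3128       202.79.26.194:1591      ESTABLISHED
tcp        0  92376 203.0.113.10:3128       202.79.27.22:61169      ESTABLISHED
tcp        0  99144 203.0.113.10:3128       202.79.27.22:63753      ESTABLISHED
tcp        0 104120 203.0.113.10:3128       119.15.94.182:28632     ESTABLISHED
tcp        0      0 203.0.113.10:3128       202.79.27.22:64001      TIME_WAIT
tcp        0      0 203.0.113.10:22         198.51.100.7:51022      ESTABLISHED
"""


def established_to_port(netstat_text, port=PROXY_PORT):
    """Yield (send_q, client_ip, client_port) for ESTABLISHED sockets on `port`."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                       # banner, header or malformed line
        _proto, _recv_q, send_q, local, foreign, state = fields[:6]
        if state != "ESTABLISHED" or not local.endswith(f":{port}"):
            continue                       # other states, other local services
        client_ip, client_port = foreign.rsplit(":", 1)
        yield int(send_q), client_ip, int(client_port)


def per_client(netstat_text, port=PROXY_PORT):
    """Connection count and total Send-Q per client IP, busiest client first."""
    stats = defaultdict(lambda: {"connections": 0, "send_q": 0})
    for send_q, ip, _ in established_to_port(netstat_text, port):
        stats[ip]["connections"] += 1
        stats[ip]["send_q"] += send_q
    return dict(sorted(stats.items(),
                       key=lambda kv: (-kv[1]["connections"], -kv[1]["send_q"])))


def heavy_clients(netstat_text, max_connections=5, port=PROXY_PORT):
    """Client IPs holding more than `max_connections` concurrent connections.

    The threshold is an assumption to tune per site; it exists so that one
    client in a population of 250 can be singled out for a closer look.
    """
    return [ip for ip, s in per_client(netstat_text, port).items()
            if s["connections"] > max_connections]


if __name__ == "__main__":
    for ip, s in per_client(SAMPLE_NETSTAT).items():
        print(f"{ip:<16} {s['connections']:>3} conns  Send-Q total {s['send_q']:>8}")
    print("over threshold:", heavy_clients(SAMPLE_NETSTAT))
```

Note that the kernel message refers to the SYN backlog overflowing, which counts half-open connections, so this summary only shows which clients are heaviest once connected; on a live box, feed it the real `netstat -nat` output instead of the sample.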
[squid-users] Request for your recommendation for ISP setup
Dear All,

First, please bear with me for the lengthy message. I'm really in need of help from your expertise regarding a good, robust, high-performance forward-proxy Squid setup for ISP customers.

I am running an ISP with around 500 customers. I've been using a single Squid machine to do forward proxy for the customers to cache the Web contents and thus save some costly bandwidth. The single Squid machine has roughly the following hardware specs:
- RAM: 16GB
- CPU: 2 of 3 GHz Intel XEON CPUs
- Hard drive: 4 x 300GB SCSI drives

I use Squid-2.7STABLE9 on Fedora 12. Right now, I allow only half of the customers (around 250 users) to use this forward proxy machine and I notice that the 16GB memory is used up easily within 3 hours after Squid's startup. I would like to know how I can tweak that box for better performance than it has now. Or is it reaching the limit already? Please find in the attached files the Squid configuration and cache info utilization.

I am also thinking of running 2 Squid machines as cache peers: one being a child and the other a parent. For that setup, I would like the child peer to do caching for local customers and redirect any outside (Internet) destinations to the parent peer, which will not cache anything. May I have your inputs on this setup: is it correct and does it follow best practice? If it does, may I have some guidance/pointers on this from those who have set up a similar scenario before?

Hope for your kind advice.

Many thanks,
best regards,
Khem

# cat /etc/squid/squid.conf
### Port Config:
http_port 127.0.0.1:3128
http_port 192.168.24.26:3128 transparent
icp_port 3130
### WCCP2 Config:
wccp2_router 192.168.24.25
wccp2_address 192.168.24.26
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0 password=123_cp
### Performance Related Config:
hierarchy_stoplist cgi-bin ?
forwarded_for on
half_closed_clients off
persistent_request_timeout 2 minutes
max_filedescriptors 65536
max_open_disk_fds 65536
relaxed_header_parser on
reload_into_ims on
quick_abort_min 0 KB
quick_abort_max 0 KB
client_lifetime 15 minutes
read_timeout 5 minutes
request_timeout 1 minutes
extension_methods NICK
ie_refresh on
ignore_expect_100 on
vary_ignore_expire on
cache_mem 6 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
ipcache_size 2048
ipcache_low 98
ipcache_high 99
memory_pools off
pipeline_prefetch on
httpd_accel_no_pmtu_disc on
httpd_suppress_version_string on
### Cache Config:
cache_dir aufs /cache1 18 32 256
cache_dir aufs /cache2 18 32 256
cache_dir aufs /cache3 18 32 256
cache_effective_user squid
cache_effective_group squid
cache_swap_low 98
cache_swap_high 99
cache_replacement_policy heap LFUDA
request_header_max_size 2048 KB
minimum_object_size 512 bytes
maximum_object_size 5 GB
negative_ttl 0 seconds
negative_dns_ttl 1 second
### ACL Config:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl cachehost src 192.168.24.26
acl to_cachehost dst 192.168.24.26
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl localnet src 192.168.24.0/255.255.248.0 172.18.80.0/255.255.240.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localhost
###
http_access allow cachehost
http_access deny to_cachehost
http_access allow localnet
###
http_access deny all
icp_access deny all
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/log/squid
error_directory /etc/squid/errors/English
cache_store_log none
pid_filename /var/run/squid.pid
log_fqdn off
log_icp_queries off
logfile_rotate 1
### Caching Videos: YouTube, Google, and others:
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list urlpath_regex \/ads\?
acl store_rewrite_list urlpath_regex \.(mp2|mp3|mid|midi|mp[234]|wav|ram|ra|rm|au|3gp|m4r|m4a)\?
acl store_rewrite_list urlpath_regex \.(mpg|mpeg|mp4|m4v|mov|avi|asf|wmv|wma|dat|flv|swf)\?
acl store_rewrite_list urlpath_regex \.(jpeg|jpg|jpe|jp2|gif|tiff?|pcx|png|bmp|pic|ico)\?
acl store_rewrite_list_web url_regex ^http:\/\/([A-Za-z-]+[0-9]+)*\.[A-Za-z]*\.[A-Za-z]*
acl store_rewrite_list_web_CDN url_regex ^http:\/\/[a-z]+[0-9]\.google\.com doubleclick\.net
acl store_rewrite_list_path urlpath_regex \.(mp2|mp3|mid|midi|mp[234]|wav|ram|ra|rm|au|3gp|m4r|m4a)$
acl