[squid-users] Problem with squid and RSS feeds

2010-08-03 Thread tony . carter
squid 2.7 STABLE4

Has anyone had problems with RSS feeds when using squid proxy?  I bypassed 
the proxy server, opened the firewall and was able to access RSS feeds. 
When I put squid back in the loop, the RSS feeds are not returned.  The 
access log entries look like this:

1280813983.844 92 10.150.8.139 TCP_REFRESH_MISS/200 8086 GET http://feeds.news.com.au/public/rss/2.0/news_breaking_news_32.xml - DIRECT/202.7.172.45 application/xml
1280813987.004   1223 10.150.8.139 TCP_MISS/200 12586 GET http://xml.afl.com.au/rss.aspx? - DIRECT/61.9.170.51 text/xml
1280813994.130   4345 10.150.8.139 TCP_MISS/200 4290 GET http://www.dpi.nsw.gov.au/aboutus/news/recent-news/feed - DIRECT/148.145.11.3 text/xml

Any help much appreciated.






Re: [squid-users] Problem with squid and RSS feeds

2010-08-03 Thread Amos Jeffries

tony.car...@industry.nsw.gov.au wrote:

> squid 2.7 STABLE4
>
> Has anyone had problems with RSS feeds when using squid proxy?  I bypassed
> the proxy server, opened the firewall and was able to access RSS feeds.
> When I put squid back in the loop, the RSS feeds are not returned.  The
> access log entries look like this:
>
> 1280813983.844 92 10.150.8.139 TCP_REFRESH_MISS/200 8086 GET http://feeds.news.com.au/public/rss/2.0/news_breaking_news_32.xml - DIRECT/202.7.172.45 application/xml
> 1280813987.004   1223 10.150.8.139 TCP_MISS/200 12586 GET http://xml.afl.com.au/rss.aspx? - DIRECT/61.9.170.51 text/xml
> 1280813994.130   4345 10.150.8.139 TCP_MISS/200 4290 GET http://www.dpi.nsw.gov.au/aboutus/news/recent-news/feed - DIRECT/148.145.11.3 text/xml
>
> Any help much appreciated.



Those logs show successful (*/200) contents being returned to the 
requesting client from three servers.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] Vary object loop?

2010-08-03 Thread Ralf Hildebrandt
> No, it's run like this:
> /usr/sbin/squid3 -N
>
> it is being restarted by runit (which requires the program to stay in
> the foreground)
>
>> Looks so from the log as Squid is silently restarted. Normally quite
>> a bit of details is logged on a crash, but your logs is silent about
>> any crashes just seeing restarts.
>
> Nothing is logged, yes.

Just tell me how I should run squid3 and I will do so.
The only stuff I found was in dmesg:

Jul 29 14:06:45 proxy-cvk-1 kernel: [246614.212241] squid3[30725]: segfault at 4a038 ip 081b482e sp bf8f6d30 error 4 in squid3 (deleted)[8048000+29f000]
Jul 29 14:31:19 proxy-cvk-1 kernel: [248088.513864] squid3[25909]: segfault at 6cf58 ip 081ab4be sp bfbd6ee0 error 4 in squid3[8048000+297000]
Jul 31 03:00:32 proxy-cvk-1 kernel: [379441.515658] squid3[3603]: segfault at b9 ip 081a9186 sp bfee3e40 error 6 in squid3[8048000+297000]

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



[squid-users] Feasibility - Squid as user-specific SSL tunnel (poor-man's VPN)

2010-08-03 Thread Bucci, David G
Hi, all - about to play with an approach to something, and I was hoping to 
bounce the idea off people here - pls let me know if that's not strictly within 
bounds/intents of the mailing list (new here).  This is close to the same 
concept as discussed here with a D.Veenker, in an exchange in April/2010 -- but 
not quite the same.

Is it possible to use Squid to create an ssh-tunnel effect, including use of a 
client certificate?  This would be to layer in SSL and client authentication, 
for applications and web servers for which (for reasons I won't go into here) 
it's not possible to reconfigure/recode to use SSL.

Concept would be to run Squid as a reverse proxy on the server, configured to 
do 2-way SSL (and doing HTTP to the parent server); then also run Squid on the 
client in standard proxy mode, likewise configured for 2-way SSL, pointing at a 
user's certificate via sslproxy_client_key.

Constraints I see are that multiple users couldn't be using the solution on the 
PC at the same time; and Squid would have to be restarted (or whatever the 
Windows equivalent of a squid -k reconfigure is, I still have to figure that 
out) to establish the tunnel.

Does this seem feasible?  Are there any potential gotchas that we should make 
sure we test early on, in attempting to achieve this?

Thanks!


David G. Bucci
301.240.4885
david.g.bu...@lmco.com


Re: [squid-users] Rewrite url and reverse proxy

2010-08-03 Thread John Doe
From: senthilkumaar2021 senthilkumaar2...@gmail.com

> I have three web servers running at three different IPs (the content on
> them is the same). The server name is squid.example.com and squid is
> running as a reverse proxy.
> The three web server IPs are 172.16.1.48, 172.16.1.49, 172.16.1.50.
> I used a Perl script as the url_rewrite program, which replaces the string
> "other" in the URL with "squid",
> i.e. if the URL request is other.example.com it is rewritten as squid.example.com.
> URL requests that are rewritten by the url_rewrite program must only
> reach the 172.16.1.48 web server.
> URL requests that do not need a URL rewrite are to be passed to the
> 172.16.1.49 web server or the 172.16.1.50 web server.
> E.g. the URL request squid.example.com does not need a URL rewrite.

Maybe use acls with cache_peer_access instead of rewrites...?

JD


  


[squid-users] Proxy registrations not allowed

2010-08-03 Thread Etienne Philip Pretorius

Hello List,

Does anyone know how to allow squid to use this website
http://www.myuberspot.com

As when I test, it seems to detect that I am running through a proxy and 
denies me to register with the error

Proxy registrations not allowed

I need a fix that should prevent any other websites on the internet 
using the same method of blocking.


Any advice appreciated.

Kind Regards,
Etienne


RE: [squid-users] Proxy registrations not allowed

2010-08-03 Thread Martin Sperl
Try this - it may or may not help:
header_access Via deny all
header_access X-Forwarded-For deny all

Martin




Re: [squid-users] Feasibility - Squid as user-specific SSL tunnel (poor-man's VPN)

2010-08-03 Thread Amos Jeffries

Bucci, David G wrote:

> Hi, all - about to play with an approach to something, and I was
> hoping to bounce the idea off people here - pls let me know if that's
> not strictly within bounds/intents of the mailing list (new here).
> This is close to the same concept as discussed here with a D.Veenker,
> in an exchange in April/2010 -- but not quite the same.
>
> Is it possible to use Squid to create an ssh-tunnel effect, including
> use of a client certificate?  This would be to layer in SSL and
> client authentication, for applications and web servers for which
> (for reasons I won't go into here) it's not possible to
> reconfigure/recode to use SSL.


Yes. I'd say Trivial, but the surrounding SSL parts of it are not that 
simple.




> Concept would be to run Squid as a reverse proxy on the server,
> configured to do 2-way SSL (and doing HTTP to the parent server);
> then also run Squid on the client in standard proxy mode, likewise
> configured for 2-way SSL, pointing at a user's certificate via
> sslproxy_client_key.


As long as you control DNS for the website domain needing the HTTPS to 
make it point visitors to the domain at the Squid gateway.

This is a normal https_port configuration (note the s).



> Constraints I see are that multiple users couldn't be using the
> solution on the PC at the same time; and Squid would have to be
> restarted (or whatever the Windows equivalent of a squid -k
> reconfigure is, I still have to figure that out) to establish the
> tunnel.


Yes. This is introduced by the use of user-specific certificates.

If you can get away from that (ie let Squid use a 'normal' default 
certificate) then this problem disappears and it is just multiple 
clients using a localhost Squid.




> Does this seem feasible?  Are there any potential gotchas that we
> should make sure we test early on, in attempting to achieve this?



One more comes to mind:  client apps wanting Squid to perform the SSL 
wrapping need to send an absolute URL including protocol to Squid (ie 
https://example.com/some.file).  They can do that over regular HTTP. 
Squid will handle the conversion to HTTPS once it gets such a URL.




In the case where you have a small set of domains that are pre-known 
somehow there is an alternative setup which is much more in to a VPN 
than what you are currently thinking.


 Consider two squid setup as regular proxies: Squid C where the client 
apps connect and Squid S which does the final web server connection.


 Squid C gets configured with a parent cache_peer entry for Squid S 
with the SSL options.


 The domain names which require the HTTPS link are forced (via 
never_direct and cache_peer_access) to use the peer. Other requests are 
permitted to go direct and maybe denied access through the peer.


That is it.

Multiple users with per-user certificates just get multiple cache_peer 
entries (one per user certificate) for Squid S.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
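
The two-proxy arrangement described in the reply above (Squid C on the client PC, Squid S in front of the web server), sketched as squid.conf fragments. This is an added example, not configuration posted in the thread or shipped by the Squid project; host names, ports, file paths, and the ACL and peer names are placeholders, and the directives are the ones documented for Squid 3.1, so check them against the release in use.

```squidconf
# ---------------------------------------------------------------
# Squid C: runs on the client PC, client apps point at it as a
# plain HTTP proxy. All names and paths below are placeholders.
# ---------------------------------------------------------------
http_port 127.0.0.1:3128

acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all

# The small, pre-known set of domains that must travel inside SSL.
acl tunneled dstdomain .app.example.com

# Parent link to Squid S. "ssl" wraps the proxy-to-proxy connection,
# sslcert=/sslkey= present the user's client certificate, and
# sslcafile= is the CA used to verify Squid S's server certificate.
cache_peer squid-s.example.net parent 3129 0 no-query no-digest ssl sslcert=/etc/squid/certs/user1.pem sslkey=/etc/squid/certs/user1.key sslcafile=/etc/squid/certs/ca.pem name=tunnel_user1

# A further per-user certificate is a further cache_peer entry with
# its own name=, for example:
#cache_peer squid-s.example.net parent 3129 0 no-query no-digest ssl sslcert=/etc/squid/certs/user2.pem sslkey=/etc/squid/certs/user2.key sslcafile=/etc/squid/certs/ca.pem name=tunnel_user2

# Only the tunneled domains may use the peer ...
cache_peer_access tunnel_user1 allow tunneled
cache_peer_access tunnel_user1 deny all

# ... and they may never fall back to a direct, unencrypted fetch.
never_direct allow tunneled

# ---------------------------------------------------------------
# Squid S: runs next to the web server and makes the final plain
# HTTP connection to it.
# ---------------------------------------------------------------
# SSL listener; clientca= makes Squid S ask the connecting proxy
# for a certificate issued by this CA.
https_port 3129 cert=/etc/squid/certs/squid-s.pem key=/etc/squid/certs/squid-s.key clientca=/etc/squid/certs/ca.pem

# Serve only the tunneled domains so the listener is not an open proxy.
acl tunneled dstdomain .app.example.com
http_access allow tunneled
http_access deny all
```

The hop from Squid S to the web server is still clear-text HTTP, so the two need to share a trusted host or network segment.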


[squid-users] squid log only locahost

2010-08-03 Thread salah khater
Hi All
I use squid3.1.5 with dansguardian2.10:
clients -> Dansguardian -> squid3

Squid logs only 127.0.0.1. I enabled the forwardfor parameter in the dansguardian conf
file as described at
http://contentfilter.futuragts.com/wiki/doku.php?id=log_file_analysis
but it still logs 127.0.0.1. I want squid to be able to see the source address (of
my clients) because I need to implement ACLs for some clients using their
IPs. Can someone help me to solve this?
Thanks



  


[squid-users] Squid 3.1.6 is available

2010-08-03 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.6 release!


This release brings a functionality bump for several operating systems
and bug fixes over previous releases.


 * An update of the squid-cache.org packaging systems has occurred.

This and later packages now support Libtool 2.2. We hit several
compatibility issues in the process and hacks have had to be implemented
to retain support for older Libtool on build systems. One small issue
remains yet to be closed satisfactorily in the loadable-modules feature
below eCAP.


Limited support for IPv6 split-stack has been worked out.

This means that users of MacOS X, OpenBSD and any others which forcibly
disabled IPv6 due to lack of Squid support may enable as desired. IPv6
DNS and contact with IPv6 clients is fully operational. Contact with
IPv6-enabled websites and several management protocols is partially
supported although some special squid.conf alterations are needed.


The Database-backed basic authentication helper has Joomla and MD5
support added with optional salting.


Several other bugs have been resolved in this release:

  - Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
  - Bug 2975: chunked requests not supported after regular ones
  - Bug 2985: search scope for digest_ldap_auth didn't work
  - Bug 2963: Stop ignoring --with-valgrind-debug failures
  - Bug 2885: AIX support: several fixes
  - Bug 2651: crash handling NULL write callback
  - Fix: 32-bit overflow in reported bytes received from next hop
  - Fixed several memory leaks related to Range requests
  - Fixed SASL helper build checks
  - Updated error page translations


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.1

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.1/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.1/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-users] Squid 3.1.6 is available

2010-08-03 Thread Isaac NickAein
Thanks!


But these resolved bugs are missing from the change log:

 - Bug 2985: search scope for digest_ldap_auth didn't work
 - Bug 2963: Stop ignoring --with-valgrind-debug failures
 - Bug 2885: AIX support: several fixes
 - Bug 2651: crash handling NULL write callback


There is no reference to them in
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_6.html

is there any problem with them?






[squid-users] upgrade

2010-08-03 Thread J. Webster

I currently have squid 2.6 running on centos - they haven't updated their
repository yet.
Will upgrading to 3.1.6 have any performance enhancements?
Can I leave the existing cache in place and config files or will they be
overwritten during the make commands?
  

Re: [squid-users] upgrade

2010-08-03 Thread Riaan Nolan

Centos meh. their repo's are so far behind they think they are in front.

It's better to upgrade. Since I upgraded things started working
properly, like external ACLs with ldap_groups in Active Directory.
No more problems for me.

> Can I leave the existing cache in place and config files or
I trashed my existing cache, so I would not know if it will work.

Don't compile it from SRC ... get the src RPM e.g
yum install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel
wget http://www.jur-linux.com/rpms/el-updates/5Client/SRPMS/squid-3.1.0.15-2.el5.src.rpm
rpm -ivh squid-3.1.0.15-2.el5.src.rpm
rpmbuild -bb squid.spec

All the best to you :)

ciao/Riaan



Re: [squid-users] Vary object loop?

2010-08-03 Thread Ralf Hildebrandt
* Ralf Hildebrandt ralf.hildebra...@charite.de:

> Just tell me how I should run squid3 and I will do so.
> The only stuff I found was in dmesg:
>
> Jul 29 14:06:45 proxy-cvk-1 kernel: [246614.212241] squid3[30725]: segfault at 4a038 ip 081b482e sp bf8f6d30 error 4 in squid3 (deleted)[8048000+29f000]
> Jul 29 14:31:19 proxy-cvk-1 kernel: [248088.513864] squid3[25909]: segfault at 6cf58 ip 081ab4be sp bfbd6ee0 error 4 in squid3[8048000+297000]
> Jul 31 03:00:32 proxy-cvk-1 kernel: [379441.515658] squid3[3603]: segfault at b9 ip 081a9186 sp bfee3e40 error 6 in squid3[8048000+297000]

I'm running squid3 in gdb now, as shown on
http://wiki.squid-cache.org/SquidFaq/BugReporting
First alternative is to start Squid under the control of GDB




[squid-users] Squid 3.2.0.1 beta is available

2010-08-03 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.2.0.1 beta release!


This new 3.2 series of Squid brings useful new features and changes
providing improved stability over earlier release series.

More detailed descriptions of the major new features are available in
the release notes and wiki:
  http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
  http://wiki.squid-cache.org/Squid-3.2

Detailed lists of the ./configure build and squid.conf changes can also
be found in the release notes.


This code is released as beta for wider testing purposes and potential
use. There are several background changes we still hope to incorporate
before production release. However there are no more planned major
alterations to the existing ./configure options or squid.conf options.


All users looking at testing with this release series need to be aware
of the naming changes made to the Squid helpers. This affects both
the build options and the configuration of nearly all helpers.
see the release notes.


High performance users will want to start looking at the initial SMP
multi-process support, logging and helper on-demand features.

Reverse-Proxy / Content Delivery users will want to look at the
Surrogate/1.0 protocol support which is on and advertised as of this 
release and the peer login changes.


Captive portal users will want to look into the changes with EUI/MAC
support along with deny_info and additional ERR_AGENT_* templates available.


Users suffering with authentication resource leakages or crashes in the
earlier Squid-3.x series will want to look at upgrading to this release. 
There has been a major stability upgrade to the authentication systems 
in 3.2. Including a looking-glass report of current and recently 
logged-in users.



Users with url_rewrite helpers performing simple tasks need to look at
deny_info which can now be templated to replace the crude re-writing
with true HTTP protocol compliant redirection.


Users having trouble with the TPROXY feature combined with third-party
programs such as DansGuardian will want to look at the TPROXY changes in
this release.


Users having trouble with bandwidth management and partial requests will
want to look at the ACL support now available for range_offset_limit.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.2

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.2/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


RE: [squid-users] Squid 3.1.5.1 --disable-ipv6 possibly not working?

2010-08-03 Thread Dean Weimer
The Base system still has IPv6 support; however some of the Bind DNS servers I 
am using do not, which causes a server failure when attempting to do an IPV6 
 name resolution request.  This was causing some problems with configuring 
a parent server by DNS name on some other systems that are now in production.  
Disabling IPv6 in squid fixed those problems, I figured the 3.1.6 would be out 
before I was ready to put this system in production use and thought doing its 
configuration and testing with the 3.1.5.1 wouldn't hurt until then.  Guess I 
could have waited one more day to start testing and I wouldn't have run into 
this problem, 3.1.6 is compiling on this system now.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Monday, August 02, 2010 6:51 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 3.1.5.1 --disable-ipv6 possibly not working?
 
 On Mon, 2 Aug 2010 15:25:49 -0500, Dean Weimer dwei...@orscheln.com
 wrote:
  I just built a new proxy server running FreeBSD 7.3 and Squid 3.1.5.1
  compile with the following options.
 
 snip
 
 Yes the 3.1.5.1 package has some IPv6 bugs in IPv4-only systems. Thus the
 .1 (beta status).
 These have been resolved to the best of my knowledge in the followup 3.1.6
 package which is available now.
 
 If you were using --disable-ipv6 for reasons of custom kernel builds with
 stack customization or IPv6 being disabled in the system and failovers not
 working, those problems have also fixed in the 3.1.6 package.
 
 Amos



Re: [squid-users] Squid 3.1.6 is available

2010-08-03 Thread Amos Jeffries

Isaac NickAein wrote:

> Thanks!
>
> But these resolved bugs are missing from the change log:
>
>  - Bug 2985: search scope for digest_ldap_auth didn't work
>  - Bug 2963: Stop ignoring --with-valgrind-debug failures
>  - Bug 2885: AIX support: several fixes
>  - Bug 2651: crash handling NULL write callback
>
> There is no reference to them in
> http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_6.html


Thank you for noticing.

 They are in the log with a few more as 3.1.5.1 which was bundled 
between the stable releases for some extra testing to make sure the big 
changes worked for 3.1.6.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


Re: [squid-users] upgrade

2010-08-03 Thread Amos Jeffries

Riaan Nolan wrote:

> Centos meh. their repo's are so far behind they think they are in front.
>
> It's better to upgrade. Since I upgraded things started working
> properly, like external ACLs with ldap_groups in Active Directory.
> No more problems for me.
>
>> Can I leave the existing cache in place and config files or
> I trashed my existing cache, so I would not know if it will work.
>
> Don't compile it from SRC ... get the src RPM e.g
> yum install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel
> wget http://www.jur-linux.com/rpms/el-updates/5Client/SRPMS/squid-3.1.0.15-2.el5.src.rpm
> rpm -ivh squid-3.1.0.15-2.el5.src.rpm
> rpmbuild -bb squid.spec


Looks like they have 3.1.4 in there too. Either one.



> All the best to you :)
>
> ciao/Riaan
>
> On 03/08/2010 14:44, J. Webster wrote:
>
>> I currently have squid 2.6 running on centos - they haven't updated their
>> repository yet.
>> Will upgrading to 3.1.6 have any performance enhancements?


Over 2.6 definitely.
A small bit in speed, and a LOT in HTTP/1.1 protocol support which 
amounts to streamlining and bandwidth.



>> Can I leave the existing cache in place and config files or will they be
>> overwritten during the make commands?


Only existing binaries and documentation gets replaced.

Existing cache is not touched until squid starts. Then some pieces get 
upgraded during normal operation.


Existing config is not touched, new config files should get added as/if 
needed.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] squid log only locahost

2010-08-03 Thread Amos Jeffries

salah khater wrote:

> Hi All
> I use squid3.1.5 with dansguardian2.10:
> clients -> Dansguardian -> squid3
>
> Squid logs only 127.0.0.1. I enabled the forwardfor parameter in the dansguardian conf
> file as described at
> http://contentfilter.futuragts.com/wiki/doku.php?id=log_file_analysis
> but it still logs 127.0.0.1. I want squid to be able to see the source address (of
> my clients) because I need to implement ACLs for some clients using their
> IPs. Can someone help me to solve this?
> Thanks



Have you added the follow_x_forwarded_for allow localhost to Squid?
Without that Squid will not use the content of X-Forwarded-For.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
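
How the follow_x_forwarded_for rule from the reply above fits into squid.conf when DansGuardian runs on the same host in front of Squid, with an over-broad trust rule shown commented out beside the narrow one. This is an added example, not configuration from the thread; the client subnet and the ACL name filtered_clients are assumed.

```squidconf
# Listen on loopback only, so clients cannot reach Squid without
# passing through DansGuardian first.
http_port 127.0.0.1:3128

# DansGuardian connects from 127.0.0.1 and, with its forwardfor
# option enabled, adds X-Forwarded-For carrying the real client IP.
# (The stock squid.conf normally defines this ACL already.)
acl localhost src 127.0.0.1/32

# Too broad: X-Forwarded-For is an ordinary request header, so any
# client that can reach Squid directly could choose the address
# that ACLs and logs see.
#follow_x_forwarded_for allow all

# Trust the header only on connections that come from the filter.
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# Both default to "on"; listed to show what consumes the recovered
# address: src ACLs and access.log respectively.
acl_uses_indirect_client on
log_uses_indirect_client on

# Per-client rules now match the original address (assumed subnet).
acl filtered_clients src 192.168.1.0/24
http_access allow filtered_clients
http_access deny all
```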


[squid-users] Limiting upload speed

2010-08-03 Thread Dayo Adewunmi

Hi

I just had someone max out my bandwidth with an upload. How do I slow 
down upload speeds in squid 2.6.18-1ubuntu3?

Thanks

Dayo


Re: [squid-users] upgrade

2010-08-03 Thread J Webster

So, I could just do yum upgrade squid?




Re: [squid-users] Vary object loop?

2010-08-03 Thread Ralf Hildebrandt
>> Jul 29 14:06:45 proxy-cvk-1 kernel: [246614.212241] squid3[30725]: segfault at 4a038 ip 081b482e sp bf8f6d30 error 4 in squid3 (deleted)[8048000+29f000]
>> Jul 29 14:31:19 proxy-cvk-1 kernel: [248088.513864] squid3[25909]: segfault at 6cf58 ip 081ab4be sp bfbd6ee0 error 4 in squid3[8048000+297000]
>> Jul 31 03:00:32 proxy-cvk-1 kernel: [379441.515658] squid3[3603]: segfault at b9 ip 081a9186 sp bfee3e40 error 6 in squid3[8048000+297000]
>
> I'm running squid3 in gdb now, as shown on
> http://wiki.squid-cache.org/SquidFaq/BugReporting
> First alternative is to start Squid under the control of GDB

Seems to be an elusive Heisenbug, so far no crashes :(
a watched kettle never boils




[squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-08-03 Thread Zeller, Jan (ID)
dear squid list,

i'd like to use the new 'worker' feature in squid-3.2
According to http://www.squid-cache.org/Versions/v3/3.2/cfgman/workers.html 
default is to have only one 'worker'.
Now I'd like to have at least two workers. Unfortunately it doesn't work 

squid[32350]: WARNING: Changing 'workers' (from 1 to 2) is not supported and 
ignored

What am I doing wrong ? Any new compile option I ignored ?

---

Jan



[squid-users] RE: EXTERNAL: Re: [squid-users] Feasibility - Squid as user-specific SSL tunnel (poor-man's V

2010-08-03 Thread Bucci, David G
Thank you for replying!  Couple clarifications - the solution IS for a known 
small set of domains, and all calls to those domains can have the solution 
applied.

The apps involved, we can't add SSL support in (don't ask, the answer is 
frustrating), and we likewise can't change the apps to send https:// URLs over 
HTTP.  So the thought was they would use their existing HTTP URLs for the 
calls, and we would intercept and convert to HTTPS (with the same base URL) at 
the PC-hosted Squid proxy (URL rewriter?).  Unfortunately, we can't send a 
client redirect, the software involved doesn't support SSL.  So the rewriter 
would have to rewrite to SSL (is this supported?), so that Squid processes it 
as an SSL URL, including using the client certificate, on the way out.  Then, 
the reverse proxy on the server would have to use just HTTP to get to its 
parent (that part is standard, right?)

All of that said -- your solution that uses the server's Squid as a cache-peer 
seems like it would work, and is very elegant.  I'm confused, though -- the 
server side proxy would be configured as a regular proxy, not a reverse?  I 
don't get that.  Wouldn't it have to be a reverse, in order to forward the call 
on to the real web server?  These are web service calls, they'll never actually 
be in cache.  And if so, would that solution still work, using the server proxy 
in reverse proxy mode as a cache-peer?

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, August 03, 2010 7:39 AM
To: squid-users@squid-cache.org
Subject: EXTERNAL: Re: [squid-users] Feasibility - Squid as user-specific SSL 
tunnel (poor-man's V

Bucci, David G wrote:
> Hi, all - about to play with an approach to something, and I was
> hoping to bounce the idea off people here - pls let me know if that's
> not strictly within bounds/intents of the mailing list (new here).
> This is close to the same concept as discussed here with a D.Veenker,
> in an exchange in April/2010 -- but not quite the same.
>
> Is it possible to use Squid to create an ssh-tunnel effect, including
> use of a client certificate?  This would be to layer in SSL and client
> authentication, for applications and web servers for which (for
> reasons I won't go into here) it's not possible to reconfigure/recode
> to use SSL.

Yes. I'd say Trivial, but the surrounding SSL parts of it are not that simple.

 
> Concept would be to run Squid as a reverse proxy on the server,
> configured to do 2-way SSL (and doing HTTP to the parent server); then
> also run Squid on the client in standard proxy mode, likewise
> configured for 2-way SSL, pointing at a user's certificate via
> sslproxy_client_key.

As long as you control DNS for the website domain needing the HTTPS to make it 
point visitors to the domain at the Squid gateway.
This is a normal https_port configuration (note the s).

 
> Constraints I see are that multiple users couldn't be using the
> solution on the PC at the same time; and Squid would have to be
> restarted (or whatever the Windows equivalent of a squid -k
> reconfigure is, I still have to figure that out) to establish the
> tunnel.

Yes. This is introduced by the use of user-specific certificates.

If you can get away from that (ie let Squid use a 'normal' default
certificate) then this problem disappears and it is just multiple clients using 
a localhost Squid.

 
> Does this seem feasible?  Are there any potential gotchas that we
> should make sure we test early on, in attempting to achieve this?
 

One more comes to mind:  client apps wanting Squid to perform the SSL wrapping 
need to send an absolute URL including protocol to Squid (ie 
https://example.com/some.file).  They can do that over regular HTTP. 
Squid will handle the conversion to HTTPS once it gets such a URL.

In the case where you have a small set of domains that are pre-known somehow 
there is an alternative setup which is much more in to a VPN than what you are 
currently thinking.

  Consider two squid setup as regular proxies: Squid C where the client apps 
connect and Squid S which does the final web server connection.

  Squid C gets configured with a parent cache_peer entry for Squid S with the 
SSL options.

  The domain names which require the HTTPS link are forced (via never_direct 
and cache_peer_access) to use the peer. Other requests are permitted to go 
direct and maybe denied access through the peer.

That is it.

Multiple users with per-user certificates just get multiple cache_peer entries 
(one per user certificate) for Squid S.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] upgrade

2010-08-03 Thread John Doe
From: J. Webster webster_j...@hotmail.com

> I currently have squid 2.6 running on centos - they haven't
> updated their repository yet.
> Will upgrading to 3.1.6 have any performance
> enhancements?
> Can I leave the existing cache in place and config files or
> will they be overwritten during the make commands?

Check that your setup is not using 2.x only features...
Not all squid 2.x features have been ported to 3.x yet.
http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html
And I am not sure 3.x has better perfs yet.

JD


  


Re: [squid-users] How does Squid prevent stampeding during a cache miss?

2010-08-03 Thread david robertson
Thank you Henrik.  I have one last question concerning
stale-while-revalidate, as the docs don't seem to answer it.

Say you set stale-while-revalidate to something like 30 minutes.  Once
validation occurs, does squid continue to serve the stale content for
30 minutes (even though the object has in fact been updated), or will
all new requests immediately be served the new, updated object?


2010/8/2 Henrik Nordström hen...@henriknordstrom.net:
 sön 2010-08-01 klockan 11:52 -0400 skrev david robertson:
 On Sun, Aug 1, 2010 at 1:12 AM, Amos Jeffries squ...@treenet.co.nz wrote:
  If stampeding is a worry the stale-if-error and stale-while-revalidate
  Cache-Control: options would also be useful (sent from the origin web
  server). These are supported by 2.7.

 Question - why aren't these options documented anywhere?  Also, why
 can't we set this in squid itself, rather than messing with
 Cache-Control headers?

 You can override them from squid.conf as well. But it's recommended to
 use Cache-Control if possible as this places the configuration where it
 really belongs and can best be controlled at the desired detail.

 http://www.squid-cache.org/Versions/v2/2.7/cfgman/refresh_pattern.html

 Regards
 Henrik




[squid-users] Squid3 not working after update or reinstall

2010-08-03 Thread WetMogwai

I run a Squid 3 server that is acting as a web filter. It worked fine on
Etch. The system stopped working properly due to two of the three SATA
cables being bad. Before I figured that out, I tried doing updates. Since
Etch updates were no longer available, I did a distupgrade to Lenny.
Immediately, Squid stopped working properly. It would take up to two and a
half minutes for it to respond to a web request and add it to the
access.log. This was using the same configuration file that it was using
before the update.

After I found the hardware problem, I did a clean install of Lenny. I used
the basic squid.conf like I did on the previous system, only changing it to
add my ACLs and because it wasn't saving an access.log to the default
location unless I uncommented the path directive. Now, it won't respond to a
request at all. Forwarding is enabled and the firewall seems to be set up
correctly. I also specified the listening address with http_port
ipaddress:3128. 

This is Squid Version 3.0.STABLE8.

Here is my firewall configuration followed by my squid.conf:
# Generated by iptables-save v1.4.2 on Tue Aug  3 12:15:22 2010
*nat
:PREROUTING ACCEPT [1069181:101812985]
:POSTROUTING ACCEPT [5783:405174]
:OUTPUT ACCEPT [11868:1177883]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
COMMIT
# Completed on Tue Aug  3 12:15:22 2010
# Generated by iptables-save v1.4.2 on Tue Aug  3 12:15:22 2010
*filter
:INPUT DROP [966:104230]
:FORWARD DROP [604:51901]
:OUTPUT DROP [7:852]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m limit --limit 49/min -j LOG --log-prefix "iptables DENY: " --log-level 7 
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT 
-A OUTPUT -p tcp -m tcp -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 631 -j ACCEPT 
COMMIT

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl god src /etc/squid3/god
acl tomdean src /etc/squid3/tomdean
acl tomdeansites dstdomain /etc/squid3/tomdeansites
acl adpsubnet src 206.94.237.160/27
acl mgr src /etc/squid3/mgr
acl limited src /etc/squid3/limited
acl good dstdomain /etc/squid3/good.hosts
acl bad dstdomain /etc/squid3/bad.hosts
acl badip dst /etc/squid3/bad.ip
acl goodip dst /etc/squid3/good.ip
acl idiot src /etc/squid3/idiot
acl nickl src 192.168.1.182
acl gregsommers src 192.168.1.170
acl proxies url_regex -i /etc/squid3/proxies
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow adpsubnet
http_access allow god
http_access deny idiot
http_access allow good
http_access allow goodip
http_access allow mgr
http_access allow tomdean tomdeansites
http_access allow limited good
http_access deny proxies
http_access deny limited
http_access deny bad
http_access allow all
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.1.206:3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /var/spool/squid3

-- 
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid3-not-working-after-update-or-reinstall-tp2312182p2312182.html
Sent from the Squid - 

[squid-users] Re: Squid3 not working after update or reinstall

2010-08-03 Thread WetMogwai

Sorry for the double post. I got an email saying the first was rejected.


[squid-users] possible OT: squidGuard, LDAP and FreeBSD ports..

2010-08-03 Thread B. Cook

Does anyone know if this combination works?

It seems the FreeBSD port (with ldap enabled) does not actually build an 
ldap enabled squidguard..


Clues appreciated.


[squid-users] Crash with backtrace, was: Re: [squid-users] Vary object loop?

2010-08-03 Thread Ralf Hildebrandt
 Seems to be an elusive Heisenbug, so far no crashes :(
 a watched kettle never boils

Actually two consecutive crashes

GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as i486-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/squid3...Reading symbols from 
/usr/lib/debug/usr/sbin/squid3...done.
done.
[Thread debugging using libthread_db enabled]
2010/08/03 16:00:08| Starting Squid Cache version 3.1.6 for i486-pc-linux-gnu...
2010/08/03 16:00:08| Process ID 30412
2010/08/03 16:00:08| With 4096 file descriptors available
2010/08/03 16:00:08| Initializing IP Cache...
2010/08/03 16:00:08| DNS Socket created at [::], FD 8
2010/08/03 16:00:08| DNS Socket created at 0.0.0.0, FD 9
2010/08/03 16:00:08| Adding domain charite.de from /etc/resolv.conf
2010/08/03 16:00:08| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2010/08/03 16:00:08| Adding nameserver 141.42.2.22 from /etc/resolv.conf
2010/08/03 16:00:08| Adding nameserver 141.42.3.33 from /etc/resolv.conf
2010/08/03 16:00:08| Unlinkd pipe opened on FD 14
2010/08/03 16:00:08| Local cache digest enabled; rebuild/rewrite every 
3600/3600 sec
2010/08/03 16:00:08| Store logging disabled
2010/08/03 16:00:08| Swap maxSize 1536 + 16384 KB, estimated 1922048 objects
2010/08/03 16:00:08| Target number of buckets: 96102
2010/08/03 16:00:08| Using 131072 Store buckets
2010/08/03 16:00:08| Max Mem  size: 16384 KB
2010/08/03 16:00:08| Max Swap size: 1536 KB
2010/08/03 16:00:08| Version 1 of swap file with LFS support detected... 
2010/08/03 16:00:08| Rebuilding storage in /squid-cache (DIRTY)
2010/08/03 16:00:08| Using Least Load store dir selection
2010/08/03 16:00:08| Set Current Directory to /tmp
2010/08/03 16:00:08| Loaded Icons.
2010/08/03 16:00:08| Accepting  HTTP connections at [::]:8080, FD 19.
2010/08/03 16:00:08| Accepting ICP messages at [::]:3130, FD 20.
2010/08/03 16:00:08| Accepting HTCP messages on port 4827, FD 21.
2010/08/03 16:00:08| Accepting SNMP messages on [::]:3401, FD 22.
2010/08/03 16:00:08| WARNING: Peer looks like this host
2010/08/03 16:00:08|  Ignoring Sibling proxy-cvk-1.charite.de/8080/3130
2010/08/03 16:00:08| Squid modules loaded: 0
2010/08/03 16:00:08| Adaptation support is on
2010/08/03 16:00:08| Ready to serve requests.
2010/08/03 16:00:08| Store rebuilding is 0.49% complete
2010/08/03 16:00:16| Done reading /squid-cache swaplog (839909 entries)
2010/08/03 16:00:16| Finished rebuilding storage from disk.
2010/08/03 16:00:16|741065 Entries scanned
2010/08/03 16:00:16| 0 Invalid entries.
2010/08/03 16:00:16| 0 With invalid flags.
2010/08/03 16:00:16|642221 Objects loaded.
2010/08/03 16:00:16| 0 Objects expired.
2010/08/03 16:00:16| 98844 Objects cancelled.
2010/08/03 16:00:16| 0 Duplicate URLs purged.
2010/08/03 16:00:16| 0 Swapfile clashes avoided.
2010/08/03 16:00:16|   Took 7.40 seconds (86811.52 objects/sec).
2010/08/03 16:00:16| Beginning Validation Procedure
2010/08/03 16:00:17|   262144 Entries Validated so far.
2010/08/03 16:00:17|   524288 Entries Validated so far.
2010/08/03 16:00:17|   786432 Entries Validated so far.
2010/08/03 16:00:17|   Completed Validation Procedure
2010/08/03 16:00:17|   Validated 1284449 Entries
2010/08/03 16:00:17|   store_swap_size = 14178572
2010/08/03 16:00:17| storeLateRelease: released 0 objects
2010/08/03 16:00:17| Configuring Sibling proxy-cbf-1.charite.de/8080/3130
2010/08/03 16:00:17| Configuring Sibling proxy-cvk-2.charite.de/8080/3130
2010/08/03 16:00:17| Configuring Sibling proxy-cbf-2.charite.de/8080/3130
2010/08/03 16:04:49| could not parse headers from on disk structure!
2010/08/03 16:04:49| varyEvaluateMatch: Oops. Not a Vary object on second 
attempt, 'http://js.web.de/home/js/20100622/flashdetection.js' 
'accept-encoding=gzip,deflate, 
user-agent=Mozilla%2F5.0%20(Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20de%3B%20rv%3A1.9.2.8)%20Gecko%2F20100722%20Firefox%2F3.6.8%20(%20.NET%20CLR%203.5.30729)'
2010/08/03 16:04:49| clientProcessHit: Vary object loop!
2010/08/03 16:05:20| could not parse headers from on disk structure!
2010/08/03 16:05:20| varyEvaluateMatch: Oops. Not a Vary object on second 
attempt, 'http://js.web.de/home/js/20100622/flashdetection.js' 
'accept-encoding=gzip,deflate, 
user-agent=Mozilla%2F5.0%20(Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20de%3B%20rv%3A1.9.2.8)%20Gecko%2F20100722%20Firefox%2F3.6.8%20(%20.NET%20CLR%203.5.30729)'
2010/08/03 16:05:20| clientProcessHit: Vary object loop!
2010/08/03 16:13:43| ctx: enter level  0: 
'http://adman.in.gr/gbanner/?1280844823322|259/728x90?245503:?/'
2010/08/03 16:13:43| WARNING: unparseable 

[squid-users] squid 3.1.6 icap problem

2010-08-03 Thread John Doe

Hi guys,

Today I wanted to upgrade from Squid 3.1.5 to Squid 3.1.6, but 
unfortunately I ran into a few problems, one of them was an icap problem 
(1), the other one is related to IPv6 (2) I suppose.

I am running RHEL5.5 64 Bit with a lot of RAM and a lot of CPUs.

(1) essential ICAP service is down after an options fetch failure
I don't have that problem with the same configuration file and squid 
3.1.5, it occurred after upgrading to 3.1.6 and icap does not work. Kind 
of a showstopper, I don't have any logs yet, I am just curious if 
anybody else can reproduce that? (I know it is difficult without further 
details)


(2) comm_open: socket failure: (97) Address family not supported by protocol
I read that this is related to IPv6, so I tried to compile squid 3.1.6 
with --disable-ipv6, but it did not change anything at all.


I have to debug these two problems tomorrow in more detail, are there 
any ideas yet? I would appreciate any response,


thanks
regards




Re: [squid-users] How does Squid prevent stampeding during a cache miss?

2010-08-03 Thread Henrik Nordström
tis 2010-08-03 klockan 12:11 -0400 skrev david robertson:
> Thank you Henrik.  I have one last question concerning
> stale-while-revalidate, as the docs don't seem to answer it.
>
> Say you set stale-while-revalidate to something like 30 minutes.  Once
> validation occurs, does squid continue to serve the stale content for
> 30 minutes (even though the object has in fact been updated), or will
> all new requests immediately be served the new, updated object?

Squid always gives the latest known object from cache.

Regards
Henrik



Re: [squid-users] Vary object loop?

2010-08-03 Thread Henrik Nordström
mån 2010-08-02 klockan 22:34 +0200 skrev Ralf Hildebrandt:

> > Looks so from the log as Squid is silently restarted. Normally quite
> > a bit of details is logged on a crash, but your logs is silent about
> > any crashes just seeing restarts.
>
> Nothing is logged, yes.

The only silent restart case without -C that I know of is if hitting the
magic 2GB file limitation when running a 32-bit Squid without large file
support.

But I suppose that if you have other OS based limitations such as
limits/quota on CPU usage etc then similar conditions may occur if
hitting those.

Regards
Henrik



Re: [squid-users] Vary object loop?

2010-08-03 Thread Ralf Hildebrandt
* Henrik Nordström hen...@henriknordstrom.net:
> mån 2010-08-02 klockan 22:34 +0200 skrev Ralf Hildebrandt:
>
> > > Looks so from the log as Squid is silently restarted. Normally quite
> > > a bit of details is logged on a crash, but your logs is silent about
> > > any crashes just seeing restarts.
> >
> > Nothing is logged, yes.
>
> The only silent restart case without -C that I know of is if hitting the
> magic 2GB file limitation when running a 32-bit Squid without large file
> support.

This is very unlikely, since my box has only 2GB.
But, alas, see my recent backtrace.


-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] Vary object loop?

2010-08-03 Thread Henrik Nordström
tis 2010-08-03 klockan 20:02 +0200 skrev Ralf Hildebrandt:

> > The only silent restart case without -C that I know of is if hitting the
> > magic 2GB file limitation when running a 32-bit Squid without large file
> > support.
>
> This is very unlikely, since my box has only 2GB.

You only have 2GB of disk storage?

> But, alas, see my recent backtrace.

Where?

Regards
Henrik



[squid-users] Re: squid 3.1.6 icap problem

2010-08-03 Thread Holger Hoffstaette
On Tue, 03 Aug 2010 19:30:55 +0200, John Doe wrote:

> Today I wanted to upgrade from Squid 3.1.5 to Squid 3.1.6, but
> unfortunately I ran into a few problems, one of them was an icap problem
> (1), the other one is related to IPv6 (2) I suppose. I am running RHEL5.5
> 64 Bit with a lot of RAM and a lot of CPUs.
[..]
> (2) comm_open: socket failure: (97) Address family not supported by
> protocol I read that this is related to IPv6, so I tried to compile squid
> 3.1.6 with --disable-ipv6, but it did not change anything at all.

I can confirm the second problem - same error message. I also had built
3.1.5 with --disable-ipv6 (on Gentoo, with the appropriate USE flag) and
had no problems with it, but according to the changelog 3.1.6 now does
detection at runtime and this does not fully work any more.
In my case I could use squid from a WinXP client with Firefox (configured
to explicitly force IPv4 addresses), but not with a Firefox Twitter
plugin - which seems to use Firefox' proxy settings, but apparently not
the enforcement (?). I have no idea why, but not using the proxy or
reverting to 3.1.5 fixed things. And no, it was not a temporary false
positive ;)

Holger




[squid-users] Allow External Site.

2010-08-03 Thread Craig
Hi All-
 
I have a user who is trying to get to the following site:
https://gcsdskyward.org:444/scripts/wsisa.dll/WService=wsFam/fwemnu01.w 
 
I have Squid 2.7.  I am not trying to deny access to any web site-I am using 
squid to track web site usage.  With this in mind I have done very little 
modification to the squid.conf file.  What did I accidentally change, or what do 
I need to change to allow the above link to work?
 
I have attempted to put in an acl-below is just one of many attempts.
#acl Geneseo Schools
acl gs dstdomain 
https://gcsdskyward.org:444/scripts/wsisa.dll/WService=wsFam/fwemnu01.w 
http_access allow gs
 
Thanks
Craig
United Way of the Quad Cities Area




Re: [squid-users] Allow External Site.

2010-08-03 Thread Jorge Armando Medina
Craig wrote:
> Hi All-
>
> I have a user who is trying to get to the following site:
> https://gcsdskyward.org:444/scripts/wsisa.dll/WService=wsFam/fwemnu01.w

This is a https service running on a non-standard port, did you notice
the TCP_DENIED in your access log?

> I have Squid 2.7.  I am not trying to deny access to any web site-I am using
> squid to track web site usage.  With this in mind I have done very little
> modification to the squid.conf file.  What did I accidentally change, or what
> do I need to change to allow the above link to work?

Squid by default only allows https using the CONNECT method for the ports
defined in SSL_Ports, which by default is 443, so you need to add 444 to
that ACL.

> I have attempted to put in an acl-below is just one of many attempts.
> #acl Geneseo Schools
> acl gs dstdomain
> https://gcsdskyward.org:444/scripts/wsisa.dll/WService=wsFam/fwemnu01.w
> http_access allow gs
>
> Thanks
> Craig
> United Way of the Quad Cities Area


   


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632
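
The CONNECT/SSL_ports check described in the reply above, modelled as an added example (not code from the thread or from Squid itself). It assumes the stock squid.conf rule order and Safe_ports list, and uses a final "allow all" as a stand-in for the site's own allow rules. The model also shows that the stock Safe_ports list does not cover port 444, and that a dstdomain value holding a full URL never matches the request host.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    host: str
    port: int


def port_acl(*entries):
    """ACL type 'port': each entry is one port or an inclusive (lo, hi) range."""
    spans = [(e, e) if isinstance(e, int) else e for e in entries]
    return lambda req: any(lo <= req.port <= hi for lo, hi in spans)


def method_acl(name):
    """ACL type 'method'."""
    return lambda req: req.method == name


def dstdomain_acl(*values):
    """ACL type 'dstdomain': compared with the request host only.
    A leading dot also matches subdomains; scheme, port and path play no part."""
    def match(req):
        host = req.host.lower()
        for value in values:
            value = value.lower()
            if value.startswith("."):
                if host == value[1:] or host.endswith(value):
                    return True
            elif host == value:
                return True
        return False
    return match


def evaluate(rules, acls, req):
    """First-match evaluation: a rule applies when every ACL term on it matches
    ('!' negates a term). Returns (action, rule text)."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action, "http_access %s %s" % (action, " ".join(terms))
    # Not reached here: the rule set below ends in an explicit 'deny all'.
    return "deny", "(no rule matched)"


# Assumed stock rule order; 'allow all' stands in for the site's own allow rules.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["all"]),
    ("deny", ["all"]),
]

# Assumed stock Safe_ports list.
STOCK_SAFE_PORTS = [80, 21, 443, 70, 210, (1025, 65535), 280, 488, 591, 777]

# What the browser sends to the proxy for the https://...:444/ URL in the thread.
SKYWARD = Request("CONNECT", "gcsdskyward.org", 444)


def decision(ssl_ports, safe_ports, req=SKYWARD):
    acls = {
        "Safe_ports": port_acl(*safe_ports),
        "SSL_ports": port_acl(*ssl_ports),
        "CONNECT": method_acl("CONNECT"),
        "all": lambda r: True,
    }
    return evaluate(RULES, acls, req)


if __name__ == "__main__":
    cases = [
        ("stock config", [443], STOCK_SAFE_PORTS),
        ("444 added to SSL_ports only", [443, 444], STOCK_SAFE_PORTS),
        ("444 added to Safe_ports only", [443], STOCK_SAFE_PORTS + [444]),
        ("444 added to both", [443, 444], STOCK_SAFE_PORTS + [444]),
    ]
    for label, ssl_ports, safe_ports in cases:
        print("%-30s -> %s" % (label, decision(ssl_ports, safe_ports)))
```
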



Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-08-03 Thread Amos Jeffries
On Tue, 3 Aug 2010 16:51:30 +0200, Zeller, Jan \(ID\)
jan.zel...@id.unibe.ch wrote:
> dear squid list,
>
> i'd like to use the new 'worker' feature in squid-3.2
> According to
> http://www.squid-cache.org/Versions/v3/3.2/cfgman/workers.html default is
> to have only one 'worker'.
> Now I'd like to have at least two workers. Unfortunately it doesn't work
>
> squid[32350]: WARNING: Changing 'workers' (from 1 to 2) is not supported
> and ignored
>
> What am I doing wrong ? Any new compile option I ignored ?

It looks like that message only occurs on a reconfigure. Does -k restart
after the config change work?

Amos


Re: [squid-users] Re: squid 3.1.6 icap problem

2010-08-03 Thread Amos Jeffries
On Tue, 03 Aug 2010 21:11:37 +0200, Holger Hoffstaette
holger.hoffstae...@googlemail.com wrote:
> On Tue, 03 Aug 2010 19:30:55 +0200, John Doe wrote:
>
>> Today I wanted to upgrade from Squid 3.1.5 to Squid 3.1.6, but
>> unfortunately I ran into a few problems, one of them was an icap problem
>> (1), the other one is related to IPv6 (2) I suppose. I am running RHEL5.5
>> 64 Bit with a lot of RAM and a lot of CPUs.
> [..]
>> (2) comm_open: socket failure: (97) Address family not supported by
>> protocol I read that this is related to IPv6, so I tried to compile squid
>> 3.1.6 with --disable-ipv6, but it did not change anything at all.
>
> I can confirm the second problem - same error message. I also had built
> 3.1.5 with --disable-ipv6 (on Gentoo, with the appropriate USE flag) and
> had no problems with it, but according to the changelog 3.1.6 now does
> detection at runtime and this does not fully work any more.

In 3.1.6 with --disable-ipv6 the detection is disabled and the result
fixed at off. The core of the code may still pass around IPv6 addresses
from raw URLs or config settings etc.
It looks like this is another spot of the code not being selective of its
socket addresses.

> In my case I could use squid from a WinXP client with Firefox (configured
> to explicitly force IPv4 addresses), but not with a Firefox Twitter
> plugin - which seems to use Firefox' proxy settings, but apparently not
> the enforcement (?). I have no idea why, but not using the proxy or
> reverting to 3.1.5 fixed things. And no, it was not a temporary false
> positive ;)

I'm going to need some system and transaction details to understand this
one.

 What is the squid.conf settings please?
 What does netstat say about the Squid ports?
  a trace immediately after one such failed transaction showing the port
details which failed would be great (probably a random TCP link in
TIME_WAIT state).

 What URL was being attempted which fails?
 What does that domain name resolve to from the squid box? (both  and
A)

Amos



Re: [squid-users] Re: squid 3.1.6 icap problem

2010-08-03 Thread Amos Jeffries
On Wed, 04 Aug 2010 03:16:37 +, Amos Jeffries squ...@treenet.co.nz
wrote:
> On Tue, 03 Aug 2010 21:11:37 +0200, Holger Hoffstaette
> holger.hoffstae...@googlemail.com wrote:
>> On Tue, 03 Aug 2010 19:30:55 +0200, John Doe wrote:
>>
>>> Today I wanted to upgrade from Squid 3.1.5 to Squid 3.1.6, but
>>> unfortunately I ran into a few problems, one of them was an icap problem
>>> (1), the other one is related to IPv6 (2) I suppose. I am running RHEL5.5
>>> 64 Bit with a lot of RAM and a lot of CPUs.
>> [..]
>>> (2) comm_open: socket failure: (97) Address family not supported by
>>> protocol I read that this is related to IPv6, so I tried to compile squid
>>> 3.1.6 with --disable-ipv6, but it did not change anything at all.
>>
>> I can confirm the second problem - same error message. I also had built
>> 3.1.5 with --disable-ipv6 (on Gentoo, with the appropriate USE flag) and
>> had no problems with it, but according to the changelog 3.1.6 now does
>> detection at runtime and this does not fully work any more.
>
> In 3.1.6 with --disable-ipv6 the detection is disabled and the result
> fixed at off. The core of the code may still pass around IPv6 addresses
> from raw URLs or config settings etc.
> It looks like this is another spot of the code not being selective of its
> socket addresses.
>
>> In my case I could use squid from a WinXP client with Firefox (configured
>> to explicitly force IPv4 addresses), but not with a Firefox Twitter
>> plugin - which seems to use Firefox' proxy settings, but apparently not
>> the enforcement (?). I have no idea why, but not using the proxy or
>> reverting to 3.1.5 fixed things. And no, it was not a temporary false
>> positive ;)
>
> I'm going to need some system and transaction details to understand this
> one.
>
>  What is the squid.conf settings please?
>  What does netstat say about the Squid ports?
>   a trace immediately after one such failed transaction showing the port
> details which failed would be great (probably a random TCP link in
> TIME_WAIT state).
>
>  What URL was being attempted which fails?
>  What does that domain name resolve to from the squid box? (both  and A)
>
> Amos

Um, I just found this part of ICAP opening a v6 socket without checking
the requirements. This may help both of you:
http://treenet.co.nz/projects/squid/patches/squid-3.1.6-icap-default-socket.patch
Note: there is a lot of design still needed to make the split-stack
default something reasonable for general use.

Amos