RE: [squid-users] Squid 3.1.6 and transparent mode: HTTPS
Oops... I thought I already replied, but instead my mail was in the drafts folder :-/
So here I go:

Hello Amos and thanks for your reply.

[cut]

> > 3) would I completely miss the traffic done in HTTPS in my webalizer
> > stats, if there'd be no way to have transparently proxied HTTPS
> > requests?
>
> This is only a problem due to the "transparent".
>
> If you can discard the "transparent" part of the setup the
> client browsers will send their HTTPS requests to Squid using
> CONNECT method, which gives webalizer all the client IP and
> destination domain details along with traffic sent/received
> there. All that's missing is the particular files being fetched.

OK, I've played around with this: I configured my own browser to use the proxy and watched the access.log file. I saw those CONNECT connections, and the fact that I'd miss the files being fetched, would be 100% ok for me.

> Alternatives are to use firewall traffic accounting which can
> just as easily be gathered. Such as which client IP is using
> port 443 (HTTPS) to contact which external IPs and how much
> traffic they sent/received.

Of course, but then I would have the problem to "add" that info to my webalizer logs. Would there be any way to "sum it up" to all the proxied traffic?

> > Ah, BTW: as I *do not* intend to cache HTTPS traffic/requests, would it
> > be easier to set up this sort of "logging/filtering"?
>
> What is easier depends on your network setup.

I manage many different customer networks and there my primary goal is to avoid users being able to bypass my proxy (which I use to filter sites based on URLs). By using transparent mode, I have full control over network traffic: I can configure iptables and squid to do what I want them to. Actually, my users have discovered how to change proxy settings (even if configured by Windows Group Policies, because many are using alternative browsers like Firefox, Opera, and so on). So my countermeasure would be to use the transparent mode.

My second goal (less important, but I want complete and precise data) is to have *all* the internet traffic showing up in webalizer reports: how to achieve both things?

Kind regards and thanks for helping me out (and making me brainstorm a bit) ;-)

Flavio Boniforti
PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch
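Added example (not part of the original thread): the per-client HTTPS accounting discussed in the message above, computed from CONNECT entries in Squid's native access.log format. The sample log lines are constructed and the function names are hypothetical.

```python
"""Sum HTTPS (CONNECT) traffic per client and destination from Squid access.log.

Assumes Squid's native log format:
  time elapsed client code/status bytes method URL ident hierarchy/peer type
The bytes field counts data delivered to the client.
"""
from collections import defaultdict

# Constructed sample lines, not taken from a real proxy.
SAMPLE_LOG = """\
1286870400.101   5230 192.168.1.10 TCP_MISS/200 48213 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1286870401.442    120 192.168.1.10 TCP_MISS/200 1532 GET http://www.example.org/index.html - DIRECT/203.0.113.20 text/html
1286870405.007  10422 192.168.1.11 TCP_MISS/200 903311 CONNECT files.example.net:443 - DIRECT/203.0.113.30 -
1286870409.930    801 192.168.1.10 TCP_MISS/200 7001 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1286870411.000      3 192.168.1.12 TCP_DENIED/403 1420 CONNECT blocked.example.com:443 - NONE/- text/html
garbage line that should be skipped
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return {
            "client": fields[2],
            "code": code,
            "status": int(status),
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
        }
    except ValueError:
        return None


def connect_totals(lines):
    """Return ({(client, host, port): [tunnels, bytes]}, [(client, target), ...]).

    The first value covers allowed CONNECT tunnels, the second lists CONNECT
    requests the proxy refused (TCP_DENIED).
    """
    totals = defaultdict(lambda: [0, 0])
    denied = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        if not host or not port.isdigit():
            continue  # CONNECT targets are always host:port
        if rec["code"] == "TCP_DENIED":
            denied.append((rec["client"], rec["url"]))
            continue
        entry = totals[(rec["client"], host, int(port))]
        entry[0] += 1
        entry[1] += rec["bytes"]
    return dict(totals), denied


if __name__ == "__main__":
    allowed, refused = connect_totals(SAMPLE_LOG.splitlines())
    for (client, host, port), (count, size) in sorted(allowed.items()):
        print(f"{client} -> {host}:{port} tunnels={count} bytes={size}")
    for client, target in refused:
        print(f"DENIED {client} -> {target}")
```

Only explicitly proxied clients produce these CONNECT lines; port 443 traffic that never reaches Squid is absent from access.log and has to come from firewall accounting.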
Re: [squid-users] PAC in Squid
On Sun, Oct 10, 2010 at 10:41:00PM +, Amos Jeffries wrote:
> On Sun, 10 Oct 2010 08:19:44 -0700, "Edouard Zorrilla" wrote:
> > Thanks,
> >
> > How do I load this on the Squid machine ?.,
> >
> > Thanks.
>
> It currently requires a web server to host the file and present it with
> correct MIME type.

File with extension .pac should be application/x-ns-proxy-autoconfig

> You point the DHCP or DNS settings at the hosted location.
>
> Amos

--
Peter Benko
Re: [squid-users] PAC in Squid
On Sat, Oct 09, 2010 at 10:09:41PM -0700, Edouard Zorrilla wrote:
> Hey Guys,
>
> Any good link to set up pac files so that I can use it with Squid Proxy ?.,

http://docsrv.sco.com/INT_Proxy/autoconf.htm
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

Also please note that:
- Firefox has a problem with DNS resolution when using a .pac file
  https://bugzilla.mozilla.org/show_bug.cgi?id=235853
- Java implements dnsResolve() in a wrong way (this function (or call to it) can occur in your .pac file).

So be careful when writing your .pac file.

--
Peter Benko
Re: [squid-users] Re: TCP: too many of orphaned sockets
On 08/10/10 03:53, david robertson wrote:
> too many of orphaned sockets

There is an interesting discussion about it here:
http://forum.openvz.org/index.php?t=msg&goto=5768&;

Sounds like a TCP stack setting needs to be raised but they do not say exactly which one in a clear manner.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
Re: [squid-users] squid suddenly not forwarding requests
On 09/10/10 06:46, Matheus wrote:
> Hi people am honestly not good with Linux and squid but I love the two
> software. I have squid (ver 2.7) running on open suse11.2 on my box that
> is honestly not the best of specs. however while working somehow web
> pages stop displaying and yet when I try viewing the
> "tail -f /var/log/squid/access.log" I get the result well as if squid is
> very busy working.

What do you mean by this? lots of things being logged? that would mean yes Squid is working... for somebody else.

> I have to run "rcsquid restart" to solve the problem but now this is
> every 10 minutes!! please gurus, help me here.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
Re: [squid-users] Squid for android
meaningless maybe.

Best regards,
Sharl.Jimh.Tsin (From China)

2010/10/12 Jeff Peng :
> That sounds an interesting idea.
>
> 2010/10/12 Luis Daniel Lucio Quiroz :
>> Hello
>>
>> just wondering if someone has packed squid in android phones ARM5+
>>
>
Re: [squid-users] Squid for android
That sounds an interesting idea.

2010/10/12 Luis Daniel Lucio Quiroz :
> Hello
>
> just wondering if someone has packed squid in android phones ARM5+
>
[squid-users] Squid for android
Hello

just wondering if someone has packed squid in android phones ARM5+
Re: [squid-users] Wccpv2 and Linux new kernel
On Mon, 11 Oct 2010 21:28:39 +0200, gael wrote:
> Dear people ;-D
>
> I had tried during the whole week to setup a correct configuration of
> Squid using WCCPv2 on a linux Debian with 2.6.35.7 (self compiled)
> kernel based box.
>
> But unfortunately, none of my research had been working.
>
> I got a couple of questions about this situation.
>
> First one: - ip_wccp seems to be deprecated from now on the 2.6.35
> kernel, your makefile require a config.h file which no longer exist on
> Linux kernel (even on the sources). Do I have to use IP_GRE instead of
> IP_WCCP?

Yes. The module is now built and supplied with the mainstream kernels.

>
> Second one: - How could I monitor my GRE Tunnel? I'd try the following
> methods without any results:
>
> tcpdump -vX -i eth0 proto gre
> --> Nothing appears, even if my Cisco router says it had seen and
> connected the GRE Tunnel

Is the tunnel connected to the right address?

NOTE: What many of the Cisco devices call "router ID" and display as IP address is not always the IP it sends from.

To troubleshoot, find all the IPs used by the router and make a GRE tunnel from the Linux box to each. tcpdump should show which one is working.

>
> tcpdump -vX -i gre0
> --> Nothing appears, even if my Cisco router says it had seen and
> connected the GRE Tunnel

Just the tunnel setup? or does it identify some packets arriving from Squid? this latter can be seen in the WCCP report section as connected peers or proxy servers.

Amos
Re: [squid-users] RE: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule
On Mon, 11 Oct 2010 07:09:57 -0400, "Bucci, David G" wrote:
> Just curious, is there any performance impact to doing it that way vs. a
> couple of CIDR specifications to cover the range?
>
> I wasn't aware an ACL would handle such syntax, and used multiple rules.

It reduces the number of entries tested each run. So yes there is a small CPU savings. There is no difference at all if an individual list entry.

The full pattern specs FWIW are "start-end/mask" with end and mask both being optional.

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Monday, October 11, 2010 6:17 AM
> To: squid-users@squid-cache.org
> Subject: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule
>
> On 11/10/10 22:33, Hosting Studio Services - Domains wrote:
>> Hello everyone, I'm new here.
>>
>> I'm running Squid 2.6 STABLE 21 version on my VPS .
>>
>> I need a little help configuring my Squid.
>>
>> I am using the acl_our network parameter to manually add my ISP dynamic
>> IP address each time as I need my proxy (I'm the only one who needs it,
>> no other users involved).
>>
>> I know that my provider has IPs ranging from
>>
>> 78.134.1.1 to 78.134.130.255
>>
>> What should my acl our_network be so that that entire range of IP
>> addresses is included and accepted as valid so that I don't have to
>> manually edit the .conf file each time my dynamic IP changes?
>>
>
> acl our_networks src 78.134.1.1-78.134.130.255
>
> It's best to stick some form of authentication on it as well.
>
> Regular ISP networks are under constant scan from other users and
> infections seeking ways to transmit themselves. If you open any port
> with ISP-wide access permissions it's likely to be only a matter of
> minutes before someone or something other than you is using it.
>
> Amos
[squid-users] R: [squid-users] Squid::Guard perl module announce
> About your classes
> $sg->checkingroup($user, $group)
> $sg->checkinwbgroup($user, $group)
>
> what about offer DB queries methods like Mysql or LDAP ?

Contrary to unix or winbind group lookup, they will need some sort of configuration.
Added to the todo list. Thank you.
[squid-users] Wccpv2 and Linux new kernel
Dear people ;-D

I had tried during the whole week to setup a correct configuration of Squid using WCCPv2 on a linux Debian with 2.6.35.7 (self compiled) kernel based box.

But unfortunately, none of my research had been working.

I got a couple of questions about this situation.

First one: - ip_wccp seems to be deprecated from now on the 2.6.35 kernel, your makefile require a config.h file which no longer exist on Linux kernel (even on the sources). Do I have to use IP_GRE instead of IP_WCCP?

Second one: - How could I monitor my GRE Tunnel? I'd try the following methods without any results:

tcpdump -vX -i eth0 proto gre
--> Nothing appears, even if my Cisco router says it had seen and connected the GRE Tunnel

tcpdump -vX -i gre0
--> Nothing appears, even if my Cisco router says it had seen and connected the GRE Tunnel

Excuse me in advance for my bad english but I'm a froggies :-D
Re: [squid-users] could not parse headers from a disk structure!
> Important question - Landy, what
> version of squid, and what OS, are
> you running on?

I'm running:

/usr/local/squid/sbin/squid -v
Squid Cache: Version 3.0.STABLE24
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--enable-delay-pools' '--enable-kill-parent-hack' '--disable-htcp' '--enable-default-err-language=Spanish' '--enable-linux-netfilter' '--disable-ident-lookups' '--localstatedir=/var/log/squid3.1' '--enable-stacktraces' '--with-default-user=proxy' '--with-large-files' '--enable-icap-client' '--enable-async-io' '--enable-storeio=aufs' '--enable-removal-policies=heap,lru' '--with-maxfd=32768'

On Debian :

optimum-router:/# uname -a
Linux optimum-router 2.6.26-2-686 #1 SMP Thu Aug 19 03:44:10 UTC 2010 i686 GNU/Linux
optimum-router:/# cat /etc/debian_version
5.0.5
Re: [squid-users] could not parse headers from a disk structure!
> exponential decline as cleanup progresses. Are they
> noticeably decreasing
> already?

They indeed have decreased. I think they're gone.

>
> Things to consider that will impact this are: since you
> last re-started
> Squid has there been an OS kernel update? a squid binary
> change? a libc
> update? an ntp binary update (timestamp sizes)? a
> filesystem change? crypto
> library update (MD5)?
> Any one of those could stay hidden on the system until a
> restart of the
> box or Squid brings up the new software linkages.
>

No, there hasn't been any changes. As I mentioned, I had a power outage which probably caused all that. For now everything looks like is back to normal.

Thanks.
Re: [squid-users] PAC in Squid
On 10/10/2010 10:19 AM, Edouard Zorrilla wrote:
> Thanks,
>
> How do I load this on the Squid machine ?.,

Hi there

I have been writing instructions for setting up a proxy pac script and a few methods for publishing it, I cover manual, semi automatic and full automatic proxy configuration, with some examples for wpad with dhcp and dns.

http://tuxjm.net/docs/Manual_de_Instalacion_de_Servidor_Proxy_Web_con_Ubuntu_Server_y_Squid/ch06s05.html

Best regards.

> Thanks.
>
> ----- Original Message -----
> From: "Maurizio Marini"
> To:
> Sent: Sunday, October 10, 2010 8:03 AM
> Subject: Re: [squid-users] PAC in Squid
>
> On Sat, 9 Oct 2010 22:09:41 -0700 "Edouard Zorrilla" wrote:
> > Any good link to set up pac files so that I can use it with Squid Proxy ?.,
>
> http://findproxyforurl.com/
>
> -- Compugraf
Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs- squid upgraded to 3.1.8 ( Resolved at last)
Hi List,

At last I could get the MRTG running with squid 3.1.8, though it took much time. Will be writing a howto soon regarding how to set up mrtg on FreeBSD. It was the SNMP_util.pm gave all the trouble as the port maintainers did some changes of merging. Those who are breaking head with mrtg kindly have p5-SNMP_Session port to be installed additionally and save the time. Hope that may help someone in future.

Thank you so much to those took their valuable time to reply to my silly doubts and cleared and guided me.

Regards
Babs

On 10/4/10, Babu Chaliyath wrote:
>> It's well worth upgrading to 3.1.8. Many of the 3.1 betas had broken
>> SNMP.
>>
>> Also check that the squid.mib being loaded came from the 3.1 install.
>>
>> We now have a full map of what the OID are and what versions they work
>> for. You may find this useful:
>> http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs
>>
>>
>> Amos
>> --
>> Please be using
>>Current Stable Squid 2.7.STABLE9 or 3.1.8
>>Beta testers wanted for 3.2.0.2
>>
>
> Hi List,
> As suggested by Amos, I have upgraded the squid box to 3.1.8 and
> everything is working fine except the graph part with mrtg.
> mrtg version :mrtg-2.16.4
>
> My mrtg.cfg is as below
>
> LoadMIBs: /usr/local/etc/mrtg/squid.mib
> EnableIPv6: no
> WorkDir: /usr/local/www/apache22/data
> Options[_]: bits,growright
>
> Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@127.0.0.1:3401
> MaxBytes[proxy-hit]: 10
> Title[proxy-hit]: HTTP Hits
> Suppress[proxy-hit]: y
> LegendI[proxy-hit]: HTTP hits
> LegendO[proxy-hit]: HTTP requests
> Legend1[proxy-hit]: HTTP hits
> Legend2[proxy-hit]: HTTP requests
> YLegend[proxy-hit]: perminute
> ShortLegend[proxy-hit]: req/min
> Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero,
> growright, pngdate
> #PNGTitle[proxy-hit]: Proxy Hits
>
> Target[proxy-srvkbinout]:
> cacheServerInKb&cacheServerOutKb:pub...@127.0.0.1:3401
> MaxBytes[proxy-srvkbinout]: 76800
> Title[proxy-srvkbinout]: Cache Server Traffic In/Out
> Suppress[proxy-srvkbinout]: y
> LegendI[proxy-srvkbinout]: Traffic In
> LegendO[proxy-srvkbinout]: Traffic Out
> Legend1[proxy-srvkbinout]: Traffic In
> Legend2[proxy-srvkbinout]: Traffic Out
> YLegend[proxy-srvkbinout]: per minute
> ShortLegend[proxy-srvkbinout]: b/min
> kMG[proxy-srvkbinout]: k,M,G,T
> kilo[proxy-srvkbinout]: 1024
> Options[proxy-srvkbinout]: nopercent, perminute, unknaszero, growright,
> pngdate
>
> I have verified that squid snmp is working through the following command
>
> #snmpget -On -m /usr/local/etc/mrtg/squid.mib -v 2c -c public
> 127.0.0.1:3401 cacheHttpHits cacheServerRequests cacheServerInKb
> cacheServerOutKb cacheUptime CacheSoftware cacheVersionId
>
> This gives me results without any errors so snmp part of squid is
> working fine I think
> Now when I run mrtg I could see the following errors in mrtg.log file
>
> 010-10-04 12:37:33 -- Started mrtg with config
> '/usr/local/etc/mrtg/mrtg.cfg'
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheHttpHits
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerRequests
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerInKb
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerOutKb
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
> at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_IN_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_OUT_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_IN_] ' $target->[1]{$mode} ' did not eval
> into defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_OUT_] ' $target->[1]{$mode} ' did not eval
> into defined data
>
> All I could make out from these
[squid-users] RE: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule
Just curious, is there any performance impact to doing it that way vs. a couple of CIDR specifications to cover the range?

I wasn't aware an ACL would handle such syntax, and used multiple rules.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, October 11, 2010 6:17 AM
To: squid-users@squid-cache.org
Subject: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule

On 11/10/10 22:33, Hosting Studio Services - Domains wrote:
> Hello everyone, I'm new here.
>
> I'm running Squid 2.6 STABLE 21 version on my VPS .
>
> I need a little help configuring my Squid.
>
> I am using the acl_our network parameter to manually add my ISP dynamic IP
> address each time as I need my proxy (I'm the only one who needs it, no other
> users involved).
>
> I know that my provider has IPs ranging from
>
> 78.134.1.1 to 78.134.130.255
>
> What should my acl our_network be so that that entire range of IP addresses
> is included and accepted as valid so that I don't have to manually edit the
> .conf file each time my dynamic IP changes?
>

acl our_networks src 78.134.1.1-78.134.130.255

It's best to stick some form of authentication on it as well.

Regular ISP networks are under constant scan from other users and infections seeking ways to transmit themselves. If you open any port with ISP-wide access permissions it's likely to be only a matter of minutes before someone or something other than you is using it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
Re: [squid-users] Help configuring acl our_network rule
On 11/10/10 22:33, Hosting Studio Services - Domains wrote:
> Hello everyone, I'm new here.
>
> I'm running Squid 2.6 STABLE 21 version on my VPS .
>
> I need a little help configuring my Squid.
>
> I am using the acl_our network parameter to manually add my ISP dynamic IP
> address each time as I need my proxy (I'm the only one who needs it, no other
> users involved).
>
> I know that my provider has IPs ranging from
>
> 78.134.1.1 to 78.134.130.255
>
> What should my acl our_network be so that that entire range of IP addresses
> is included and accepted as valid so that I don't have to manually edit the
> .conf file each time my dynamic IP changes?

acl our_networks src 78.134.1.1-78.134.130.255

It's best to stick some form of authentication on it as well.

Regular ISP networks are under constant scan from other users and infections seeking ways to transmit themselves. If you open any port with ISP-wide access permissions it's likely to be only a matter of minutes before someone or something other than you is using it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
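Added example (not part of the original thread): what the single start-end entry from the reply above corresponds to as CIDR entries, which is the comparison raised in the follow-up question, and how many source addresses the ACL admits. The function names are hypothetical; the range and ACL name are the ones in the thread.

```python
"""Compare Squid's "start-end" src ACL range with the equivalent CIDR list."""
import ipaddress

# Range quoted in the thread.
START = ipaddress.IPv4Address("78.134.1.1")
END = ipaddress.IPv4Address("78.134.130.255")


def cidr_cover(start, end):
    """Smallest list of CIDR blocks covering exactly start..end (inclusive)."""
    return list(ipaddress.summarize_address_range(start, end))


def in_range(addr, start=START, end=END):
    """True if addr falls inside the inclusive start-end range."""
    return start <= ipaddress.IPv4Address(addr) <= end


def covered_by_cidrs(addr, nets):
    """True if addr matches any of the CIDR entries."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def exposure(start, end):
    """Number of source addresses the ACL admits."""
    return int(end) - int(start) + 1


def acl_lines(name, start, end):
    """Render both forms as squid.conf 'acl <name> src ...' lines."""
    single = [f"acl {name} src {start}-{end}"]
    multi = [f"acl {name} src {net}" for net in cidr_cover(start, end)]
    return single, multi


if __name__ == "__main__":
    single, multi = acl_lines("our_networks", START, END)
    print(f"range form: {len(single)} entry, CIDR form: {len(multi)} entries")
    print(f"addresses admitted by the ACL: {exposure(START, END)}")
    for line in multi:
        print(line)
```

Because the range starts at .1.1 rather than on a network boundary, the exact CIDR equivalent is 16 entries, not a couple. Either form admits 33279 source addresses, which is the exposure the advice about adding authentication refers to.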
[squid-users] Help configuring acl our_network rule
Hello everyone, I'm new here.

I'm running Squid 2.6 STABLE 21 version on my VPS .

I need a little help configuring my Squid.

I am using the acl_our network parameter to manually add my ISP dynamic IP address each time as I need my proxy (I'm the only one who needs it, no other users involved).

I know that my provider has IPs ranging from

78.134.1.1 to 78.134.130.255

What should my acl our_network be so that that entire range of IP addresses is included and accepted as valid so that I don't have to manually edit the .conf file each time my dynamic IP changes?

Thanks a lot.
Fabio

--
Kind regards,
Fabio Gangarossa
Domain Management Manager
Computer Studio - "Hosting Studio" Services
Fax for domain operations: +39 02 3919 5436
E-mail: doma...@hostingstudio.net
Web: http://www.hostingstudio.net

Notice: Pursuant to the Personal Data Protection Code (D.L. 196/03), the contents of this e-mail and any attachments are confidential and for the exclusive use of the recipient. Anyone who receives this message in error is asked to destroy it and to contact the sender immediately. Please also note that the reply to this message, including any attachments, may be viewed by other staff for the purpose of carrying out work duties.