RE: [squid-users] Squid 3.1.6 and transparent mode: HTTPS

2010-10-11 Thread Boniforti Flavio
Oops... I thought I already replied, but instead my mail was in the
drafts folder :-/ So here I go:

Hello Amos and thanks for your reply.

[cut]

> > 3) would I completely miss the traffic done in HTTPS in my webalizer
> > stats, if there'd be no way to have transparently proxied HTTPS
> > requests?
> 
> This is only a problem due to the "transparent".
> 
> If you can discard the "transparent" part of the setup the 
> client browsers will send their HTTPS requests to Squid using 
> CONNECT method, which gives webalizer all the client IP and 
> destination domain details along with traffic sent/received 
> there. All that's missing is the particular files being fetched.

OK, I've played around with this: I configured my own browser to use the
proxy and watched the access.log file. I saw those CONNECT connections,
and the fact that I'd miss the files being fetched, would be 100% ok for
me.

> Alternatives are to use firewall traffic accounting which can 
> just as easily be gathered. Such as which client IP is using 
> port 443 (HTTPS) to contact which external IPs and how much 
> traffic they sent/received.

Of course, but then I would have the problem to "add" that info to my
webalizer logs. Would there be any way to "sum it up" to all the proxied
traffic?

> > Ah, BTW: as I *do not* intend to cache HTTPS traffic/requests, would it
> > be easier to set up this sort of "logging/filtering"?
> 
> What is easier depends on your network setup.

I manage many different customer networks and there my primary goal is
to avoid users being able to bypass my proxy (which I use to filter
sites based on URLs).
By using transparent mode, I have full control over network traffic: I
can configure iptables and squid to do what I want them to. Actually, my
users have discovered how to change proxy settings (even if configured
by Windows Group Policies, because many are using alternative browsers
like Firefox, Opera, and so on). So my countermeasure would be to use
the transparent mode.
My second goal (less important, but I want complete and precise data) is
to have *all* the internet traffic showing up in webalizer reports: how
to achieve both things?

Kind regards and thanks for helping me out (and making me brainstorm a
bit) ;-)

Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


Re: [squid-users] PAC in Squid

2010-10-11 Thread Peter Benko
On Sun, Oct 10, 2010 at 10:41:00PM +, Amos Jeffries wrote:
> On Sun, 10 Oct 2010 08:19:44 -0700, "Edouard Zorrilla"
>  wrote:
> > Thanks,
> > 
> > How do I load this on the Squid machine ?.,
> > 
> > Thanks.
> 
> It currently requires a web server to host the file and present it with
> correct MIME type.

File with extension .pac should be
application/x-ns-proxy-autoconfig

> You point the DHCP or DNS settings at the hosted location.
> 
> Amos
> 

-- 
Peter Benko


Re: [squid-users] PAC in Squid

2010-10-11 Thread Peter Benko
On Sat, Oct 09, 2010 at 10:09:41PM -0700, Edouard Zorrilla wrote:
> Hey Guys,
>  
> Any good link to set up pac files so that I can use it with Squid Proxy ?.,
http://docsrv.sco.com/INT_Proxy/autoconf.htm
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

Also please note that:
- Firefox has problem with DNS resolution when using .pac file
  https://bugzilla.mozilla.org/show_bug.cgi?id=235853

- Java implements dnsResolve() in a wrong way (this function (or call to
  it) can occur in your .pac file).

So be careful when writing your .pac file.

-- 
Peter Benko
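
An added example, not part of the thread: a PAC file written around the two caveats above. It decides purely on the text of the host name, so it never calls dnsResolve(), isResolvable() or isInNet(), the helpers that trigger DNS lookups. The proxy address and the local domain suffix are placeholders; the file would be served with the application/x-ns-proxy-autoconfig type mentioned earlier on this page.

```javascript
// Added example PAC file. PROXY and LOCAL_SUFFIX are placeholders chosen for
// illustration, not values from the thread.
var PROXY = "PROXY proxy.example.lan:3128";
var LOCAL_SUFFIX = ".example.lan";

// True for dotted-quad literals in loopback or RFC 1918 space.
// Pure string matching: nothing here asks the resolver for anything,
// which sidesteps the Firefox and Java DNS problems noted above.
function isPrivateLiteral(host) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return /^(10|127)\./.test(host) ||
         /^192\.168\./.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\./.test(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (no dot) are intranet hosts.
  if (host.indexOf(".") === -1) return "DIRECT";

  // Hosts inside the local domain.
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";

  // Literal private addresses typed into the address bar.
  if (isPrivateLiteral(host)) return "DIRECT";

  // Everything else goes through Squid. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently going around the proxy and its URL filter.
  return PROXY;
}
```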


Re: [squid-users] Re: TCP: too many of orphaned sockets

2010-10-11 Thread Amos Jeffries

On 08/10/10 03:53, david robertson wrote:

too many of orphaned sockets


There is an interesting discussion about it here: 
http://forum.openvz.org/index.php?t=msg&goto=5768&;


Sounds like a TCP stack setting needs to be raised but they do not say 
exactly which one in a clear manner.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2


Re: [squid-users] squid suddenly not forwarding requests

2010-10-11 Thread Amos Jeffries

On 09/10/10 06:46, Matheus wrote:

Hi people, I am honestly not good with Linux and squid but I love the two
software. I have squid (ver 2.7) running on open suse11.2 on my box
that is honestly not the best of specs. However while working somehow
web pages stop displaying and yet when I try viewing the "tail -f
/var/log/squid/access.log" I get the result well as if squid is very
busy working.


What do you mean by this? lots of things being logged? that would mean 
yes Squid is working... for somebody else.



I have to run "rcsquid restart" to solve the problem but
now this is every 10 minutes!! Please gurus, help me here.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2


Re: [squid-users] Squid for android

2010-10-11 Thread Sharl.Jimh.Tsin
meaningless maybe.

Best regards,
Sharl.Jimh.Tsin (From China)



2010/10/12 Jeff Peng :
> That sounds an interesting idea.
>
> 2010/10/12 Luis Daniel Lucio Quiroz :
>> Hello
>>
>> just wondering if someone has packed squid in android phones ARM5+
>>
>


Re: [squid-users] Squid for android

2010-10-11 Thread Jeff Peng
That sounds an interesting idea.

2010/10/12 Luis Daniel Lucio Quiroz :
> Hello
>
> just wondering if someone has packed squid in android phones ARM5+
>


[squid-users] Squid for android

2010-10-11 Thread Luis Daniel Lucio Quiroz
Hello

just wondering if someone has packed squid in android phones ARM5+


Re: [squid-users] Wccpv2 and Linux new kernel

2010-10-11 Thread Amos Jeffries
On Mon, 11 Oct 2010 21:28:39 +0200, gael  wrote:
> Dear people ;-D
> 
> I had tried during the whole week to setup a correct configuration of
> Squid using WCCPv2 on a linux Debian with 2.6.35.7 (self compiled)
> kernel based box.
> 
> But unfortunately, none of my research had been working.
> 
> I got a couple of questions about this situation.
> 
> First one: - ip_wccp seems to be deprecated from now on the 2.6.35
> kernel, your makefile requires a config.h file which no longer exists on
> Linux kernel (even on the sources). Do I have to use IP_GRE instead of
> IP_WCCP?

Yes. The module is now built and supplied with the mainstream kernels.

> 
> Second one: - How could I monitor my GRE Tunnel? I tried the following
> methods without any results:
> 
> tcpdump -vX -i eth0 proto gre
> --> Nothing appears, even if my Cisco router says it had seen and
> connected the GRE Tunnel

Is the tunnel connected to the right address?

NOTE: What many of the Cisco devices call "router ID" and display as IP
address is not always the IP it sends from. To troubleshoot, find all the
IPs used by the router and make a GRE tunnel from the Linux box to each.
tcpdump should show which one is working.

> 
> tcpdump -vX -i gre0
> --> Nothing appears, even if my Cisco router says it had seen and
> connected the GRE Tunnel

Just the tunnel setup? or does it identify some packets arriving from
Squid? this latter can be seen in the WCCP report section as connected
peers or proxy servers.

Amos


Re: [squid-users] RE: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule

2010-10-11 Thread Amos Jeffries
On Mon, 11 Oct 2010 07:09:57 -0400, "Bucci, David G"
 wrote:
> Just curious, is there any performance impact to doing it that way vs. a
> couple of CIDR specifications to cover the range?
> 
> I wasn't aware an ACL would handle such syntax, and used multiple rules.

It reduces the number of entries tested each run. So yes there is a small
CPU savings.

There is no difference at all if an individual list entry. The full
pattern specs FWIW are "start-end/mask" with end and mask both being
optional.

Amos

>  
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Monday, October 11, 2010 6:17 AM
> To: squid-users@squid-cache.org
> Subject: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule
> 
> On 11/10/10 22:33, Hosting Studio Services - Domains wrote:
>> Hello everyone, I'm new here.
>>
>> I'm running Squid 2.6 STABLE 21 version on my VPS .
>>
>> I need a little help configuring my Squid.
>>
>> I am using the acl_our network parameter to manually add my ISP dynamic
>> IP address each time as I need my proxy (I'm the only one who needs it,
>> no other users involved).
>>
>> I know that my provider has IPs ranging from
>>
>> 78.134.1.1 to 78.134.130.255
>>
>> What should my acl our_network be so that that entire range of IP
>> addresses is included and accepted as valid so that I don't have to
>> manually edit the .conf file each time my dynamic IP changes?
>>
> 
> acl our_networks src 78.134.1.1-78.134.130.255
> 
> It's best to stick some form of authentication on it as well.
> 
> Regular ISP networks are under constant scan from other users and 
> infections seeking ways to transmit themselves. If you open any port 
> with ISP-wide access permissions it's likely to be only a matter of 
> minutes before someone or something other than you is using it.
> 
> Amos
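
An added example, not part of the thread and not Squid's own code: the range entry from the reply above, expanded into its minimal CIDR cover, which shows how many CIDR entries the same range would need and how many source addresses the ACL admits. Function names are illustrative, and only the IPv4 "start-end" form without a "/mask" suffix is handled.

```javascript
// Added example: analyses the "start-end" form of a Squid src ACL entry.
// Function names are illustrative; IPv4 only, no "/mask" suffix.

// Dotted quad -> unsigned 32-bit integer, with strict octet validation.
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error("bad octet in " + ip);
    }
    return acc * 256 + Number(p);
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join(".");
}

// Parse "start-end" (or a single address) into inclusive integer bounds.
function parseRange(spec) {
  const [startStr, endStr = startStr] = spec.split("-");
  const start = ipToInt(startStr);
  const end = ipToInt(endStr);
  if (start > end) throw new Error("range start is above range end");
  return { start, end };
}

// Smallest list of CIDR blocks covering exactly the same addresses.
function rangeToCidrs(spec) {
  let { start, end } = parseRange(spec);
  const cidrs = [];
  while (start <= end) {
    let size = 1;
    let prefix = 32;
    // Grow the block while it stays aligned on `start` and inside the range.
    while (prefix > 0 && start % (size * 2) === 0 &&
           start + size * 2 - 1 <= end) {
      size *= 2;
      prefix -= 1;
    }
    cidrs.push(intToIp(start) + "/" + prefix);
    start += size;
  }
  return cidrs;
}

// Number of client addresses the ACL entry lets through.
function addressCount(spec) {
  const { start, end } = parseRange(spec);
  return end - start + 1;
}

// Would this client address match the ACL entry?
function inRange(spec, ip) {
  const { start, end } = parseRange(spec);
  const n = ipToInt(ip);
  return n >= start && n <= end;
}

const ACL_RANGE = "78.134.1.1-78.134.130.255"; // the range from the thread
console.log(rangeToCidrs(ACL_RANGE).join("\n"));
console.log(addressCount(ACL_RANGE) + " addresses allowed");
```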


[squid-users] R: [squid-users] Squid::Guard perl module announce

2010-10-11 Thread Squid at Iotti dot Biz
> About your classes
> $sg->checkingroup($user, $group)
> $sg->checkinwbgroup($user, $group)
> 
> what about offer DB queries methods like Mysql or LDAP  ?

Contrary to unix or winbind group lookup, they will need some sort of
configuration. Added to the todo list. Thank you.



[squid-users] Wccpv2 and Linux new kernel

2010-10-11 Thread gael
Dear people ;-D

I had tried during the whole week to setup a correct configuration of
Squid using WCCPv2 on a linux Debian with 2.6.35.7 (self compiled)
kernel based box.

But unfortunately, none of my research had been working.

I got a couple of questions about this situation.

First one: - ip_wccp seems to be deprecated from now on the 2.6.35
kernel, your makefile requires a config.h file which no longer exists on
Linux kernel (even on the sources). Do I have to use IP_GRE instead of
IP_WCCP?

Second one: - How could I monitor my GRE Tunnel? I tried the following
methods without any results:

tcpdump -vX -i eth0 proto gre
--> Nothing appears, even if my Cisco router says it had seen and
connected the GRE Tunnel

tcpdump -vX -i gre0
--> Nothing appears, even if my Cisco router says it had seen and
connected the GRE Tunnel

Excuse me in advance for my bad english but I'm a froggies :-D



Re: [squid-users] could not parse headers from a disk structure!

2010-10-11 Thread Landy Landy

> Important question - Landy, what
> version of squid, and what OS, are
> you running on?

I'm running:


/usr/local/squid/sbin/squid -v
Squid Cache: Version 3.0.STABLE24
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' 
'--enable-delay-pools' '--enable-kill-parent-hack' '--disable-htcp' 
'--enable-default-err-language=Spanish' '--enable-linux-netfilter' 
'--disable-ident-lookups' '--localstatedir=/var/log/squid3.1' 
'--enable-stacktraces' '--with-default-user=proxy' '--with-large-files' 
'--enable-icap-client' '--enable-async-io' '--enable-storeio=aufs' 
'--enable-removal-policies=heap,lru' '--with-maxfd=32768'

On Debian :

optimum-router:/# uname -a
Linux optimum-router 2.6.26-2-686 #1 SMP Thu Aug 19 03:44:10 UTC 2010 i686 
GNU/Linux
optimum-router:/# cat /etc/debian_version
5.0.5



  


Re: [squid-users] could not parse headers from a disk structure!

2010-10-11 Thread Landy Landy
> exponential decline as cleanup progresses. Are they noticeably decreasing
> already?

They indeed have decreased. I think they're gone. 

>
> 
> Things to consider that will impact this are: since you last re-started
> Squid has there been an OS kernel update? a squid binary change? a libc
> update? an ntp binary update (timestamp sizes)? a filesystem change? crypto
> library update (MD5)?
>  Any one of those could stay hidden on the system until a restart of the
> box or Squid brings up the new software linkages.
> 

No, there haven't been any changes. As I mentioned, I had a power outage which 
probably caused all that.

For now everything looks like it is back to normal.

Thanks.


  


Re: [squid-users] PAC in Squid

2010-10-11 Thread Jorge Armando Medina

On 10/10/2010 10:19 AM, Edouard Zorrilla wrote:

Thanks,

How do I load this on the Squid machine ?.,



Hi there

I have been writing instructions for setting up a proxy pac script and 
a few methods for publishing it, I cover manual, semi automatic and full 
automatic proxy configuration, with some examples for wpad with dhcp and 
dns.


http://tuxjm.net/docs/Manual_de_Instalacion_de_Servidor_Proxy_Web_con_Ubuntu_Server_y_Squid/ch06s05.html

Best regards.

Thanks.

- Original Message - From: "Maurizio Marini"

To: 
Sent: Sunday, October 10, 2010 8:03 AM
Subject: Re: [squid-users] PAC in Squid



On Sat, 9 Oct 2010 22:09:41 -0700
"Edouard Zorrilla"  wrote:


Any good link to set up pac files so that I can use it with Squid
Proxy ?.,


http://findproxyforurl.com/









--
Compugraf


Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs- squid upgraded to 3.1.8 ( Resolved at last)

2010-10-11 Thread Babu Chaliyath
Hi List,
At last I could get the MRTG running with squid 3.1.8, though it took
much time. Will be writing a howto soon regarding how to set up mrtg
on FreeBSD.
It was SNMP_util.pm that gave all the trouble, as the port maintainers
did some changes of merging. Those who are breaking their heads with mrtg,
kindly have the p5-SNMP_Session port installed additionally and save
the time.
Hope that may help someone in future.

Thank you so much to those who took their valuable time to reply to my
silly doubts and cleared and guided me.

Regards
Babs

On 10/4/10, Babu Chaliyath  wrote:
>> It's well worth upgrading to 3.1.8. Many of the 3.1 betas had broken
>> SNMP.
>>
>> Also check that the squid.mib being loaded came from the 3.1 install.
>>
>> We now have a full map of what the OID are and what versions they work
>> for. You may find this useful:
>> http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs
>>
>>
>> Amos
>> --
>> Please be using
>>Current Stable Squid 2.7.STABLE9 or 3.1.8
>>Beta testers wanted for 3.2.0.2
>>
>
> Hi List,
> As suggested by Amos, I have upgraded the squid box to 3.1.8 and
> everything is working fine except the graph part with mrtg.
> mrtg version :mrtg-2.16.4
>
> My mrtg.cfg is as below
>
> LoadMIBs: /usr/local/etc/mrtg/squid.mib
> EnableIPv6: no
> WorkDir: /usr/local/www/apache22/data
> Options[_]: bits,growright
>
> Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@127.0.0.1:3401
> MaxBytes[proxy-hit]: 10
> Title[proxy-hit]: HTTP Hits
> Suppress[proxy-hit]: y
> LegendI[proxy-hit]: HTTP hits
> LegendO[proxy-hit]: HTTP requests
> Legend1[proxy-hit]: HTTP hits
> Legend2[proxy-hit]: HTTP requests
> YLegend[proxy-hit]: perminute
> ShortLegend[proxy-hit]: req/min
> Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero,
> growright, pngdate
> #PNGTitle[proxy-hit]: Proxy Hits
>
> Target[proxy-srvkbinout]:
> cacheServerInKb&cacheServerOutKb:pub...@127.0.0.1:3401
> MaxBytes[proxy-srvkbinout]: 76800
> Title[proxy-srvkbinout]: Cache Server Traffic In/Out
> Suppress[proxy-srvkbinout]: y
> LegendI[proxy-srvkbinout]: Traffic In
> LegendO[proxy-srvkbinout]: Traffic Out
> Legend1[proxy-srvkbinout]: Traffic In
> Legend2[proxy-srvkbinout]: Traffic Out
> YLegend[proxy-srvkbinout]: per minute
> ShortLegend[proxy-srvkbinout]: b/min
> kMG[proxy-srvkbinout]: k,M,G,T
> kilo[proxy-srvkbinout]: 1024
> Options[proxy-srvkbinout]: nopercent, perminute, unknaszero, growright,
> pngdate
>
> I have verified that squid snmp is working through the following command
>
> #snmpget -On -m /usr/local/etc/mrtg/squid.mib -v 2c -c public
> 127.0.0.1:3401 cacheHttpHits cacheServerRequests cacheServerInKb
> cacheServerOutKb cacheUptime CacheSoftware cacheVersionId
>
> This gives me results without any errors so snmp part of squid is
> working fine I think
> Now when I run mrtg I could see the following errors in mrtg.log file
>
> 010-10-04 12:37:33 -- Started mrtg with config
> '/usr/local/etc/mrtg/mrtg.cfg'
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheHttpHits
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerRequests
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerInKb
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerOutKb
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_IN_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_OUT_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_IN_] ' $target->[1]{$mode} ' did not eval
> into defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_OUT_] ' $target->[1]{$mode} ' did not eval
> into defined data
>
> All I could make out from these

[squid-users] RE: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule

2010-10-11 Thread Bucci, David G
Just curious, is there any performance impact to doing it that way vs. a couple 
of CIDR specifications to cover the range?

I wasn't aware an ACL would handle such syntax, and used multiple rules.
 
-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, October 11, 2010 6:17 AM
To: squid-users@squid-cache.org
Subject: EXTERNAL: Re: [squid-users] Help configuring acl our_network rule

On 11/10/10 22:33, Hosting Studio Services - Domains wrote:
> Hello everyone, I'm new here.
>
> I'm running Squid 2.6 STABLE 21 version on my VPS .
>
> I need a little help configuring my Squid.
>
> I am using the acl_our network parameter to manually add my ISP dynamic IP 
> address each time as I need my proxy (I'm the only one who needs it, no other 
> users involved).
>
> I know that my provider has IPs ranging from
>
> 78.134.1.1 to 78.134.130.255
>
> What should my acl our_network be so that that entire range of IP addresses 
> is included and accepted as valid so that I don't have to manually edit the 
> .conf file each time my dynamic IP changes?
>

acl our_networks src 78.134.1.1-78.134.130.255

It's best to stick some form of authentication on it as well.

Regular ISP networks are under constant scan from other users and 
infections seeking ways to transmit themselves. If you open any port 
with ISP-wide access permissions it's likely to be only a matter of 
minutes before someone or something other than you is using it.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2


Re: [squid-users] Help configuring acl our_network rule

2010-10-11 Thread Amos Jeffries

On 11/10/10 22:33, Hosting Studio Services - Domains wrote:

Hello everyone, I'm new here.

I'm running Squid 2.6 STABLE 21 version on my VPS .

I need a little help configuring my Squid.

I am using the acl_our network parameter to manually add my ISP dynamic IP 
address each time as I need my proxy (I'm the only one who needs it, no other 
users involved).

I know that my provider has IPs ranging from

78.134.1.1 to 78.134.130.255

What should my acl our_network be so that that entire range of IP addresses is 
included and accepted as valid so that I don't have to manually edit the .conf 
file each time my dynamic IP changes?



acl our_networks src 78.134.1.1-78.134.130.255

It's best to stick some form of authentication on it as well.

Regular ISP networks are under constant scan from other users and 
infections seeking ways to transmit themselves. If you open any port 
with ISP-wide access permissions it's likely to be only a matter of 
minutes before someone or something other than you is using it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2


[squid-users] Help configuring acl our_network rule

2010-10-11 Thread Hosting Studio Services - Domains
Hello everyone, I'm new here.

I'm running Squid 2.6 STABLE 21 version on my VPS .

I need a little help configuring my Squid.

I am using the acl_our network parameter to manually add my ISP dynamic IP 
address each time as I need my proxy (I'm the only one who needs it, no other 
users involved).

I know that my provider has IPs ranging from

78.134.1.1 to 78.134.130.255

What should my acl our_network be so that that entire range of IP addresses is 
included and accepted as valid so that I don't have to manually edit the .conf 
file each time my dynamic IP changes?

Thanks a lot.

Fabio

-- 

Kind regards,

Fabio Gangarossa
Domain Management Manager
Computer Studio - "Hosting Studio" Services
Fax for domain operations: +39 02 3919 5436
E-mail: doma...@hostingstudio.net
Web: http://www.hostingstudio.net

