Re: [squid-users] Squid 2.7stable7 and ESPN3
I have also had this issue. I was able to get the headers both going through squid and not. I noticed a few key differences (but skip to the end because I found the offending difference).

Request Header without Squid:
**
GET http://broadband.espn.go.com/espn3/auth/userData?format=json&page=index HTTP/1.1
Host: broadband.espn.go.com
Connection: keep-alive
Referer: http://espn.go.com/espn3/index
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C; ESPN360beta=betaSet; DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=; CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796; s_vi=[CS]v1|2679F7630516263D-6198C0083F11[CE]; espnAffiliate=invalid; s_pers=%20s_c24%3D1291061231070%7C1385669231070%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291063031070%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291063031109%3B
***

Request header after Squid:
***
GET /espn3/auth/userData?format=json&page=index HTTP/1.0
Host: broadband.espn.go.com
Referer: http://espn.go.com/espn3/index
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.5 17.44 Safari/534.7
Accept-Encoding: identity
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=C2085447-B5B5-4B68-9A02-97B9BEB8AC0C; userAB=C; ESPN360beta=betaSet; DE2=KioqOyoqKjtyZXNlcnZlZDticm9hZGJhbmQ7NTs0OzQ7MDswMDAuMDAwOzAwMDAuMDAwOzk5OTs1MzgzOzM0MDM7MDsqKjs=; CRBLM=CBLM-001:; DS=PzswOz87; CRBLM_LAST_UPDATE=1291054796; s_vi=[CS]v1|2679F7630516263D-6198C0083F11[CE]; espnAffiliate=invalid; broadbandAccess=espn3-false%2Cnetworks-false; s_pers=%20s_c24%3D1291092114183%7C1385700114183%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1291093914183%3B%20s_gpv_pn%3Despn3%253Ainvalid%253Aindex%7C1291093914212%3B; lang=en; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D16%3B; PREF=f2=800;
Via: 1.0 ph:3128 (squid/2.7.STABLE9)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive
***

I manually issued this request changing one thing at a time until I found the breaking item. When I removed this line from the Squid version the response came back without the redirect (and I assume would then work correctly):

X-Forwarded-For: 127.0.0.1

So, I guess the questions are:
1. Is this line necessary?
2. Can it safely be removed?
3. How can it be removed?

Thanks,
Eric
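Added example, not part of the original post: the one-change-at-a-time test described above starts from knowing which headers the proxy added, dropped or rewrote, and this sketch lists them. The two captures are constructed, shortened versions of those in the message, and `parse_request` and `diff_requests` are names chosen here.

```python
# Constructed, shortened copies of the two captures (long cookies trimmed).
DIRECT = """\
GET http://broadband.espn.go.com/espn3/auth/userData?format=json&page=index HTTP/1.1
Host: broadband.espn.go.com
Connection: keep-alive
Referer: http://espn.go.com/espn3/index
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Cookie: userAB=C; espnAffiliate=invalid
"""

PROXIED = """\
GET /espn3/auth/userData?format=json&page=index HTTP/1.0
Host: broadband.espn.go.com
Referer: http://espn.go.com/espn3/index
Accept: */*
Accept-Encoding: identity
Cookie: userAB=C; espnAffiliate=invalid
Via: 1.0 ph:3128 (squid/2.7.STABLE9)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive
"""

def parse_request(raw):
    """Return (request_line, {lowercased header name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are folded into one comma-separated value.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers

def diff_requests(direct, proxied):
    """Classify the differences so each one can be tested in isolation."""
    d_line, d = parse_request(direct)
    p_line, p = parse_request(proxied)
    return {
        "request_line_changed": d_line != p_line,
        "added": sorted(set(p) - set(d)),      # present only after the proxy
        "removed": sorted(set(d) - set(p)),    # dropped by the proxy
        "changed": sorted(k for k in set(d) & set(p) if d[k] != p[k]),
    }

if __name__ == "__main__":
    for kind, names in diff_requests(DIRECT, PROXIED).items():
        print(kind, names)
```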
RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored
The cache_dir setting in the if..else ..endif does not seem to take effect. Squid -z does create the cache subdirectory without issue, but the squid seems to use the default cache directory as if it didn't see the if statement.

= squid.conf
workers 2
if ${process_number} = 1
cache_dir aufs /usr/local/squid/var/a 500 16 256
else
cache_dir aufs /usr/local/squid/var/b 500 16 256
endif
==

=logs===
2010/11/29 15:23:56 kid1| Starting Squid Cache version 3.2.0.3 for amd64-unknown-freebsd8.1...
2010/11/29 15:23:56 kid1| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:23:58 kid1| basic/basicScheme.cc(64) done: Basic authentication Schema Detached.
2010/11/29 15:23:58 kid3| basic/basicScheme.cc(64) done: Basic authentication Schema Detached.
2010/11/29 15:27:04 kid3| Starting Squid Cache version 3.2.0.3 for amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid2| Starting Squid Cache version 3.2.0.3 for amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid1| Starting Squid Cache version 3.2.0.3 for amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid3| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:27:04 kid1| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:27:04 kid2| Set Current Directory to /usr/local/squid/var/cache
FATAL: kid2 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.024 seconds = 0.016 user + 0.008 sys
Maximum Resident Size: 10312 KB
Page faults with physical i/o: 0
FATAL: kid1 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.024 seconds = 0.012 user + 0.012 sys
Maximum Resident Size: 10524 KB
Page faults with physical i/o: 0

Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: November-29-10 9:08 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

On 30/11/10 02:41, Ming Fu wrote:
> Hi Henrik,
>
> Thanks for pointing out that I need to use the if..else--endif statement,
> however, I can't find the condition macros for the if to test.
>
> For example,
>
> If "first worker"
> Cache_dir here ...
> Else
> Cache_dir there ...
> Endif
>
> How do I say the "first worker"?

if ${process_number} = 1
...
else
...
endif

Another method if you want a cache_dir for each is to have a numbered subdirectory for each worker:

cache_dir aufs /var/cache/${process_number} ...

Then squid -z to create as usual. Just remember that this will take up N times the configured directory size.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: [squid-users] squid-3.1 client POST buffering
Graham,

This is the best explanation I have seen about ongoing upload problem in proxy chains where squid is one part of the chain.

On our systems, we use Squid 3.0.STABLE25. Before squid a dansguardian (DG) proxy exists to filter.

Results of my tests:

1-
DG+Squid 2.6.STABLE12: No problem of uploading
DG+Squid 3.0.STABLE25: Problematic
DG+Squid 3.1.8: Problematic
DG+Squid 3.2.0.2: Problematic

2- We have mostly problems with the sites with web based upload status viewers. Like rapidshare, youtube etc...

3- If Squid is the only proxy, no problem of uploading.

4- read_ahead_gap 16 KB does not resolve the problem

Dear Developers,

Can you propose some other workarounds for us to test? The problem is encountered with most active sites of the net, unfortunately.

Best Regards,

--
Oguz YILMAZ

On Thu, Nov 25, 2010 at 6:36 PM, Graham Keeling wrote:
>
> Hello,
>
> I have upgraded to squid-3.1 recently, and found a change of behaviour.
> I have been using dansguardian in front of squid.
>
> It appears to be because squid now buffers uploaded POST data slightly
> differently.
> In versions < 3.1, it would take some data, send it through to the website,
> and then ask for some more.
> In 3.1 version, it appears to take as much from the client as it can without
> waiting for what it has already got to be uploaded to the website.
>
> This means that dansguardian quickly uploads all the data into squid, and
> then waits for a reply, which is a long time in coming because squid still
> has to upload everything to the website.
> And then dansguardian times out on squid after two minutes.
>
>
> I noticed the following squid configuration option. Perhaps what I need is
> a similar thing for buffering data sent from the client.
>
> # TAG: read_ahead_gap buffer-size
> # The amount of data the cache will buffer ahead of what has been
> # sent to the client when retrieving an object from another server.
> #Default:
> # read_ahead_gap 16 KB
>
> Comments welcome!
>
> Graham.
>
[squid-users] test post ::please delete::
testing for bounces -j
Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored
On 30/11/10 02:41, Ming Fu wrote:
> Hi Henrik,
>
> Thanks for pointing out that I need to use the if..else--endif statement,
> however, I can't find the condition macros for the if to test.
>
> For example,
>
> If "first worker"
> Cache_dir here ...
> Else
> Cache_dir there ...
> Endif
>
> How do I say the "first worker"?

if ${process_number} = 1
...
else
...
endif

Another method if you want a cache_dir for each is to have a numbered subdirectory for each worker:

cache_dir aufs /var/cache/${process_number} ...

Then squid -z to create as usual. Just remember that this will take up N times the configured directory size.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored
Hi Henrik,

Thanks for pointing out that I need to use the if..else--endif statement, however, I can't find the condition macros for the if to test.

For example,

If "first worker"
Cache_dir here ...
Else
Cache_dir there ...
Endif

How do I say the "first worker"?

Ming

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: November-27-10 4:34 AM
To: Ming Fu
Cc: squid-users@squid-cache.org; Squid Developers
Subject: RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

On Fri 2010-11-26 at 21:08 +, Ming Fu wrote:
> Ktrace shown that the bind failed because it try to open unix socket in
> /usr/local/squid/var/run and it does not have the permission. So it is easy
> to fix.
>
> After the permission is corrected, I run into other problem, here is the log
> snip:
>
> 2010/11/26 20:55:35 kid2| Starting Squid Cache version 3.2.0.3 for
> amd64-unknown-freebsd8.1...
> 2010/11/26 20:55:35 kid3| Starting Squid Cache version 3.2.0.3 for
> amd64-unknown-freebsd8.1...
> 2010/11/26 20:55:35 kid1| Starting Squid Cache version 3.2.0.3 for
> amd64-unknown-freebsd8.1...
> 2010/11/26 20:55:35 kid3| Set Current Directory to /usr/local/squid/var/cache
> 2010/11/26 20:55:35 kid2| Set Current Directory to /usr/local/squid/var/cache
> 2010/11/26 20:55:35 kid1| Set Current Directory to /usr/local/squid/var/cache

Each worker needs their own cache location.

http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.1

Regards
Henrik
[squid-users] Squid doubts......
Sir,

Can we give download quota to each user per day in squid 3.0 (Windows version)? If I can do with squid 3.0, please guide me, how to do?

I need to authenticate windows 2008 domain users in squid

--
With Best Regards,

Ajith P.T
Project Manager
E&S Consultants L.L.C,
P.O.Box 46548, Code 640016,Fahaheel, Kuwait.
email- aj...@ensconsultants
Phone +965 9921,99094633
www.ensconsultants.com || www.enaskw.com
ENAS General Trading & Contracting Co.
[squid-users] Squid 2.6 (centos 5.5) ntlm active directory
I am running squid 2.6 stable 21 on Centos 5.5. The box is authenticated using winbind to the active directory domain. Wbinfo -t tells me that the RPC call was successful and everything is working well; my ntlm SSO is working with chrome, ff, ie6, ie7 and ie8 on windows xp, windows vista.

My only problem is Windows 7 with IE8 (FF, Chrome works 100%).

When a user accesses normal http pages with Windows 7 and IE8 everything works, but as soon as they try to access HTTPS sites the browser refuses to open those pages and just hangs. I can't see anything funny in my logs.

Just for testing, when I disable proxy authentication (ntlm), the windows 7 machine loads HTTPS pages but refuses when it's enabled.

Also tried to change the NT LAN Manager setting.

Has anyone experienced this issue?
Re: [squid-users] Monitoring 407 authentications
On 28/11/10 23:56, Amos Jeffries wrote:
> On 25/11/10 21:13, Nick Cairncross wrote:
>> Hi List,
>>
>> I have nailed a few niggles relating to extremely high CPU usage for my authenticators, and I can now clearly look at the requests coming in on the access.log. I use a combination of Kerb & NTLM helpers for my 700 users - majority Kerberos (70/30).
>>
>> I started tailing the log yesterday and noticed some clients repeatedly attempting to authenticate but failing due to no cred; Mac/Pc system or local and not domain accounts. The frequency of the requests is very high and therefore hogging some helpers. I can increase the helper amounts but there is a ratio (CPU/auth) that I need to bear in mind. The clients are mainly trying to get out onto the internet to update various software packages but don't have any credentials to do this, hence the repeated, frequent 407s.
>>
>> Short of visiting these clients to see what's going on (a possibility) is there a way to monitor for these 407 auth requests and flag high-request users that are constantly failing? Some clients occur VERY often and must be hogging helpers maybe even multiple ones..
>
> The log tailing you have is already finding the problem. It sounds like you need to automate and add a notification or measure to that. Squid does not have anything directly applicable at this time.
>
>> Ideas on what to look for and how to do it would be very welcome

Actually, thinking about this a bit more the clientdb may already be able to provide this info (but not specific to 407).

This shows some useful entries:

squidclient mgr:client_list | \
  grep -E "Address:|TCP_DENIED" | \
  grep --before-context=1 "DENIED"

Requires clientdb built into your squid. That may be more easily scripted for checking and alerting.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
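Added example, not part of the thread: one way to automate the log tailing discussed above is to count 407 replies per client in a sliding window and flag only clients that almost never go on to authenticate. It assumes Squid's native access.log layout; the sample lines are constructed, and `failing_auth_clients` with its thresholds is a name and set of defaults chosen here.

```python
from collections import defaultdict, deque

def _line(ts, client, status, user):
    # Build one constructed entry in Squid's native access.log layout:
    # time elapsed client action/status bytes method URL user hierarchy type
    action = "TCP_DENIED" if status == 407 else "TCP_MISS"
    return (f"{ts:.3f} 5 {client} {action}/{status} 1790 GET "
            f"http://update.example.net/ {user} NONE/- text/html")

# Constructed sample: .77 never authenticates, .30 is busy but healthy.
SAMPLE = [_line(1291020000 + 5 * i, "10.0.0.77", 407, "-") for i in range(12)]
SAMPLE += [_line(1291020000 + 5 * i, "10.0.0.30", 407, "-") for i in range(10)]
SAMPLE += [_line(1291020001 + 5 * i, "10.0.0.30", 200, "bob") for i in range(10)]
SAMPLE += [_line(1291020000, "10.0.0.21", 407, "-"), "truncated line"]

def failing_auth_clients(lines, window=60, threshold=10, min_auth_ratio=0.1):
    """Return (client, peak 407s per window, authenticated requests), worst first."""
    denied = defaultdict(list)  # client -> timestamps of 407 replies
    authed = defaultdict(int)   # client -> requests logged with a username
    for line in lines:
        f = line.split()
        if len(f) < 8 or "/" not in f[3]:
            continue            # skip truncated or non-native-format lines
        try:
            ts = float(f[0])
        except ValueError:
            continue
        client, status, user = f[2], f[3].rsplit("/", 1)[1], f[7]
        if status == "407":
            denied[client].append(ts)
        elif user != "-":
            authed[client] += 1
    flagged = []
    for client, stamps in denied.items():
        stamps.sort()
        peak, recent = 0, deque()
        for ts in stamps:       # sliding window over the 407 timestamps
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        ratio = authed[client] / (authed[client] + len(stamps))
        # A 407 challenge is normal before a successful login, so only flag
        # clients that burst AND almost never complete authentication.
        if peak >= threshold and ratio < min_auth_ratio:
            flagged.append((client, peak, authed[client]))
    return sorted(flagged, key=lambda r: -r[1])

if __name__ == "__main__":
    for client, peak, ok in failing_auth_clients(SAMPLE):
        print(f"{client}: {peak} x 407 within 60s, {ok} authenticated requests")
```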
Re: [squid-users] tproxy single ethernet ubuntu10.4 solve.
On 29/11/10 22:07, jiluspo wrote:
> clients -> squid -> router1
> router1 -> squid -> client
> with router1, squid, client on same subset.
> router1 need to be destination routed to squid.
>
> the tproxy setup fails but redirect port works fine when
> client ->squid-> router1
> router-> clients
>
> Linux ubuntu 2.6.32-25-generic-pae #45-Ubuntu SMP Sat Oct 16 21:01:33 UTC 2010 i686 GNU/Linux
> iptables v1.4.4
> libcap-dev 1:2.17-2ubuntu1
> libcap2 1:2.17-2ubuntu1

Thank you very much for this research jiluspo.

Can you state which Squid version you used to test please? and how it was built.

Also, What do you mean by "but redirect port works fine"? The NAT interception "REDIRECT"?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: [squid-users] Squid configuration query
On 29/11/10 22:26, Ajith P.T wrote:
> Sir,
>
> We need to configure squid for our environment. I'm giving the requirement
>
> 1. we have the domain in windows 2008 and have to authenticate the users in it

Supported by any recent version.

> 2. we have to limit the total usage of browsing time of the day for user (eg. user1 can use 1hrs each day, user 2 can use 2 hrs each day)

Supported by any recent version.

> 3. we have to limit the download limit of the day for user (eg. user1 can download 100 mb each day, user 2 can download 1GB each day)

Quota (of a kind) supported only by Squid-3.2 (beta). Requires external bandwidth monitoring and accounting for all other releases.

> We can use linux as well as windows for internet server but domain server can't be changed that must be windows server 2008.
>
> Please suggest which server flavour should I use (Linux or Windows)

The choice depends on other criteria which have not been stated.

Windows has limited FD resources (max 2048) and a few unavailable features (ie NAT support), and Squid-3 is not considered production ready on Windows at this time. These may or may not be a problem.

You may also choose from BSD, Solaris or AIX servers.

> Please advise me and give me the documentation for the same. I'm looking your favourable reply

http://wiki.squid-cache.org/SquidFaq
http://www.squid-cache.org/Doc

HTH

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
[squid-users] Squid configuration query
Sir,

We need to configure squid for our environment. I'm giving the requirement

1. we have the domain in windows 2008 and have to authenticate the users in it
2. we have to limit the total usage of browsing time of the day for user (eg. user1 can use 1hrs each day, user 2 can use 2 hrs each day)
3. we have to limit the download limit of the day for user (eg. user1 can download 100 mb each day, user 2 can download 1GB each day)

We can use linux as well as windows for internet server but domain server can't be changed that must be windows server 2008.

Please suggest which server flavour should I use (Linux or Windows)

Please advise me and give me the documentation for the same. I'm looking your favourable reply

--
With Best Regards,

Ajith P.T
Project Manager
E&S Consultants L.L.C,
P.O.Box 46548, Code 640016,Fahaheel, Kuwait.
email- aj...@ensconsultants
Phone +965 9921,99094633
www.ensconsultants.com || www.enaskw.com
ENAS General Trading & Contracting Co.
[squid-users] tproxy single ethernet ubuntu10.4 solve.
clients -> squid -> router1
router1 -> squid -> client
with router1, squid, client on same subset.
router1 need to be destination routed to squid.

the tproxy setup fails but redirect port works fine when
client ->squid-> router1
router-> clients

Linux ubuntu 2.6.32-25-generic-pae #45-Ubuntu SMP Sat Oct 16 21:01:33 UTC 2010 i686 GNU/Linux
iptables v1.4.4
libcap-dev 1:2.17-2ubuntu1
libcap2 1:2.17-2ubuntu1

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.