Re: [squid-users] TCP_MISS/401 when accessing portal on IIS
Thank you. I will check it.

Amos Jeffries wrote:
> On 27/12/10 20:25, Senthilkumar wrote:
>> Hi All,
>> I am using squid 3.1.8 with icap, ntlm scheme. Everything works fine. I have a problem when I connect to a portal which is running on an IIS server and it has external authentication. (I am not sure about the authentication used by the IIS server; we hope it is NTLM.)
>
> Being IIS it probably is, check the WWW-Auth* header in the replies to be sure.
> There may be alternative options you can make the browser use by stripping the broken one out.
>
>> When I connect to that site it asks for a username and password and it continues to ask even after providing username and password; finally the following error is displayed: page cannot be displayed. In the access log I can find TCP_DENIED/401. I have tried by enabling client_persistent_connections on. But no luck. How can we make the portal work with squid?
>
> NTLM does not work very well with HTTP to start with and does not work at all over the Internet without a lot of trouble.
>
> If it is NTLM: You must enable persistent connections to both servers and clients, enable authentication pass-thru hacks in Squid. Then cross your fingers and hope that every other proxy admin does the same. Complain to the website admin as well.
>
> The other less-likely possibility is that it is Kerberos auth (almost as bad as NTLM over the 'Net), or some other breakage.
>
> Amos
[squid-users] How to set up squid_session with transparent proxy
I want to set up a transparent squid proxy to monitor the same box it is running on. It needs to use squid_session to first force a login screen to the user, and then allow web browsing until an idle timeout.

This is on Ubuntu 10.10, with squid 2.7. I'd like to use squid3 but I'm not sure it is well supported.

A link to a tutorial for something like this would also be helpful, as I have not found anything very helpful.

The same question is asked (by me) here:
http://stackoverflow.com/questions/4543024/how-to-set-up-squid-session-with-transparent-proxy
Re: [squid-users] Squid 3.2 - Dynamic SSL certs that aren't self-signed
Disregard, I figured it out. In my helper script I had a mistake in counting the number of chars in my cert/key. Fixed that and now it works.

On Mon, Dec 27, 2010 at 1:56 PM, Alex Ray wrote:
> Here are logs from /usr/local/squid/var/lib/ssl_db/index.txt
>
> V 131124202916Z 058BD142 unknown /CN=www.microsoft.com-BEGIN CERTIFICATE-
> V 131124203005Z 058BD143 unknown /CN=clients1.google.com-BEGIN CERTIFICATE-
> V 131124203006Z 058BD144 unknown /CN=mail.google.com-BEGIN CERTIFICATE-
>
> On Mon, Dec 27, 2010 at 1:00 PM, Alex Ray wrote:
>> No, the certificate is being made, just incorrectly. Look at the common name:
>>
>> microsoft.com-BEGIN CERTIFICATE-
>>
>> ^ I'm fairly sure that "-BEGIN CERTIFICATE-" shouldn't be a part of the CN for microsoft.com.
>>
>> On Mon, Dec 27, 2010 at 12:42 PM, Amos Jeffries wrote:
>>> On 28/12/10 06:42, Alex Ray wrote:
>>>> Looks like dynamic ssl certs are still broken as of 3.2.0.4:
>>>>
>>>> microsoft.com uses an invalid security certificate.
>>>> The certificate is not trusted because it is self-signed.
>>>> The certificate is only valid for microsoft.com-BEGIN CERTIFICATE-
>>>> (Error code: sec_error_untrusted_issuer)
>>>
>>> Does your browser trust the signing CA?
>>> That message does not show up if the CA is installed in the browser.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE9 or 3.1.10
>>> Beta testers wanted for 3.2.0.4
>
> --
> Alex Ray
> Technical Support Representative
> Enhanced Software Products, Inc.
> www.espsolution.net
> 800 456-5750
>
> NOTICE: This e-mail may contain confidential or legally privileged information and is intended solely for delivery to the specific person identified as the recipient. Any review, re-transmission, dissemination or other use or taking of any action in reliance upon this e-mail by persons other than the intended recipient is prohibited and may require legal action. If you receive this e-mail in error, please contact me at the address above and delete from your computer system, or otherwise from your records, the information, which was transmitted to you in error.

--
Alex Ray
Technical Support Representative
Enhanced Software Products, Inc.
www.espsolution.net
800 456-5750
Re: [squid-users] Squid 3.2 - Dynamic SSL certs that aren't self-signed
Here are logs from /usr/local/squid/var/lib/ssl_db/index.txt

V 131124202916Z 058BD142 unknown /CN=www.microsoft.com-BEGIN CERTIFICATE-
V 131124203005Z 058BD143 unknown /CN=clients1.google.com-BEGIN CERTIFICATE-
V 131124203006Z 058BD144 unknown /CN=mail.google.com-BEGIN CERTIFICATE-

On Mon, Dec 27, 2010 at 1:00 PM, Alex Ray wrote:
> No, the certificate is being made, just incorrectly. Look at the common name:
>
> microsoft.com-BEGIN CERTIFICATE-
>
> ^ I'm fairly sure that "-BEGIN CERTIFICATE-" shouldn't be a part of the CN for microsoft.com.
>
> On Mon, Dec 27, 2010 at 12:42 PM, Amos Jeffries wrote:
>> On 28/12/10 06:42, Alex Ray wrote:
>>>
>>> Looks like dynamic ssl certs are still broken as of 3.2.0.4:
>>>
>>> microsoft.com uses an invalid security certificate.
>>>
>>> The certificate is not trusted because it is self-signed.
>>> The certificate is only valid for microsoft.com-BEGIN CERTIFICATE-
>>>
>>> (Error code: sec_error_untrusted_issuer)
>>
>> Does your browser trust the signing CA?
>> That message does not show up if the CA is installed in the browser.
>>
>> Amos

--
Alex Ray
Technical Support Representative
Enhanced Software Products, Inc.
www.espsolution.net
800 456-5750
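A way to catch CNs like the ones quoted above before a browser ever sees them, as an added example that is not part of the original posts or of Squid's own tooling: a small Python checker that parses an ssl_db index.txt (assumed here to use OpenSSL's tab-separated "status, expiry, revocation, serial, file, subject" layout, with a fallback for lines whose tabs were flattened to spaces, as in a mail quote) and flags every valid entry whose CN contains PEM armour or is not a plain host name. The sample index is constructed from the three entries in the thread plus one well-formed line. It detects only the symptom; the cause in this thread was, as the follow-up says, a character-counting mistake in the helper script.

```python
"""Sanity-check the subject CNs recorded in an ssl_crtd/ssl_db index.txt."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the entries quoted in the thread plus one well-formed line.
# Assumption: OpenSSL's tab-separated index layout with an empty revocation field.
SAMPLE_INDEX = """\
V\t131124202916Z\t\t058BD142\tunknown\t/CN=www.microsoft.com-BEGIN CERTIFICATE-
V\t131124203005Z\t\t058BD143\tunknown\t/CN=clients1.google.com-BEGIN CERTIFICATE-
V\t131124203006Z\t\t058BD144\tunknown\t/CN=mail.google.com-BEGIN CERTIFICATE-
V\t131124203100Z\t\t058BD145\tunknown\t/CN=www.example.com
"""

PEM_MARKER = re.compile(r"-+(BEGIN|END) CERTIFICATE-+")
# RFC 1123-style host name: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_index_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (status, serial, subject), or None for blank or unparseable lines."""
    line = line.rstrip("\n")
    if not line.strip():
        return None
    parts = line.split("\t")
    if len(parts) == 6:  # canonical layout: status, expiry, revoked, serial, file, subject
        status, _expiry, _revoked, serial, _fname, subject = parts
    else:  # tabs flattened to spaces; the subject may itself contain spaces
        parts = line.split(None, 4)
        if len(parts) != 5:
            return None
        status, _expiry, serial, _fname, subject = parts
    return status, serial, subject


def subject_cn(subject: str) -> Optional[str]:
    """Extract the CN component from an OpenSSL one-line subject such as /CN=host."""
    m = re.search(r"/CN=([^/]*)", subject)
    return m.group(1) if m else None


def find_malformed(index_text: str) -> List[Tuple[str, str, str]]:
    """List (serial, cn, reason) for valid entries whose CN is not a plain host name."""
    findings = []
    for line in index_text.splitlines():
        parsed = parse_index_line(line)
        if parsed is None or parsed[0] != "V":  # only currently valid certs matter
            continue
        _status, serial, subject = parsed
        cn = subject_cn(subject)
        if cn is None:
            findings.append((serial, "", "no CN in subject"))
        elif PEM_MARKER.search(cn):
            findings.append((serial, cn, "PEM armour leaked into CN"))
        elif not HOSTNAME.match(cn):
            findings.append((serial, cn, "CN is not a host name"))
    return findings


if __name__ == "__main__":
    for serial, cn, reason in find_malformed(SAMPLE_INDEX):
        print(f"{serial}: {reason}: {cn!r}")
```

Run it against a real index.txt with `find_malformed(open(path).read())`; an empty result means every valid entry carries a host-name CN.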
Re: [squid-users] TCP_MISS/401 when accessing portal on IIS
On 27/12/10 20:25, Senthilkumar wrote:
> Hi All,
> I am using squid 3.1.8 with icap, ntlm scheme. Everything works fine. I have a problem when I connect to a portal which is running on an IIS server and it has external authentication. (I am not sure about the authentication used by the IIS server; we hope it is NTLM.)

Being IIS it probably is, check the WWW-Auth* header in the replies to be sure.
There may be alternative options you can make the browser use by stripping the broken one out.

> When I connect to that site it asks for a username and password and it continues to ask even after providing username and password; finally the following error is displayed: page cannot be displayed. In the access log I can find TCP_DENIED/401. I have tried by enabling client_persistent_connections on. But no luck. How can we make the portal work with squid?

NTLM does not work very well with HTTP to start with and does not work at all over the Internet without a lot of trouble.

If it is NTLM: You must enable persistent connections to both servers and clients, enable authentication pass-thru hacks in Squid. Then cross your fingers and hope that every other proxy admin does the same. Complain to the website admin as well.

The other less-likely possibility is that it is Kerberos auth (almost as bad as NTLM over the 'Net), or some other breakage.

Amos
Re: [squid-users] tproxy configuration
On 28/12/10 00:55, benjamin fernandis wrote:
> Hi,
> I want to deploy tproxy in my network. I'm using rhel 5.5. Please provide me a good document or configuration guide for getting a good explanation. I'm new to tproxy.

Step #1: upgrade.

> And please suggest me for the same, means what are the caveats kept in mind while using tproxy.

TPROXYv2, which is likely the only one available with RHEL 5.x old software, requires kernel patching and is no longer supported by any of the authors. Unless you are required to go to those great lengths to do it you may as well upgrade to a newer kernel 2.6.32+ and use a Squid-3.1+ with TPROXYv4 support.

http://wiki.squid-cache.org/Features/Tproxy4

Amos
Re: [squid-users] Monitoring/Performance tuning of squid (stands behind a firewall)
On 27/12/10 20:40, a bv wrote:
> Hi,
> For a squid proxy running behind a firewall (and has a QOS rule for itself) how can I monitor/measure/tune the performance of it? People are always ready to say that the internet connection is slow (we already have low bandwidth) but I need to find out if there are really bottlenecks.

SNMP usually.
http://wiki.squid-cache.org/Features/Snmp

Amos
Re: [squid-users] User-Agent redirect?
On 27/12/10 11:07, Daniel Gary wrote:
> I have a client that runs a handful of vhosts on a single server, frontended by Squid 3 (debian).
> What would be the simplest solution to doing a redirect in squid when the user-agent is an iphone for example, but only for a specific domain (leaving the other vhosts unredirected)?

To a fixed bounce page?

acl iphones browser ...
acl dom dstdomain ...
http_access deny dom iphones
deny_info http://example.com iphones

Amos
Re: [squid-users] Squid 3.2 - Dynamic SSL certs that aren't self-signed
On 28/12/10 06:42, Alex Ray wrote:
> Looks like dynamic ssl certs are still broken as of 3.2.0.4:
>
> microsoft.com uses an invalid security certificate.
> The certificate is not trusted because it is self-signed.
> The certificate is only valid for microsoft.com-BEGIN CERTIFICATE-
> (Error code: sec_error_untrusted_issuer)

Does your browser trust the signing CA?
That message does not show up if the CA is installed in the browser.

Amos
Re: [squid-users] Add MAC-addresses to log
On 28/12/10 08:44, Alibek Bolatov wrote:
> Hello. I have a problem for which I need to write MAC addresses to the log files. I do not know the C language well enough to make such changes in the source code myself. I understand that I need to make changes to the file access_log.c, in the function accessLogCustom or accessLogCommon, using an object AccessLogEntry * al. I can get the client address with al->cache.caddr, but how to get the MAC address, I do not know. Tell me what changes must be made in the source code so that the MAC addresses of clients are stored in the log files?
> Sincerely, Alibek.

It's a bit tricky to add. Try 3.2 which has EUI logging and controls already.
(NP: 3.2.0.4 beta will need building with --disable-cpu-profiling due to a bug)

Amos
Re: [squid-users] prevent squid being used as spam passthrough
On 27/12/10 09:23, J Webster wrote:
> Is it possible for a proxy running on port 80 or 8080 to be used as a pass through or zone origination for spam email?

Maybe. If it has been configured as an open proxy.
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

> We have had some users sign up with email addresses such as spambot and other stuff recently. I suspect these are just bots signing up around the web but it got me thinking whether a proxy could be used in a chain or tunneled somehow and whether that could be blocked?

The default squid.conf http_access controls are designed to prevent this type of thing. It requires Safe_ports to list only the ports <1024 which are known to be safe for proxy connections-to. As well as SSL_ports for CONNECT tunnels to only connect to known HTTPS ports.

You can see the squid default settings at http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Squid_configuration

Amos
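To make the ordering point in that reply concrete, here is an added Python model of squid's http_access evaluation; it is my own illustration, not Squid code. It encodes first-match semantics, `!` negation, the rule that every ACL on one line must match for the line to apply, and squid's fallback when no line matches (the opposite of the last line's action). The ACL definitions and the rule list are assumptions modelled on the stock squid.conf shape the reply points to, and `localnet` is assumed to be the RFC 1918 ranges. Running it shows a relay attempt to port 25 and an outside client's request both ending in deny, while a CONNECT to 443 from the LAN is allowed.

```python
"""Toy model of squid http_access evaluation, showing why the default
Safe_ports / SSL_ports lines stop a proxy from relaying to port 25."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src: str        # client IP address
    method: str     # e.g. "GET" or "CONNECT"
    dst_port: int   # port of the origin server
    scheme: str = "http"


# Assumption: port sets as in the stock squid.conf Safe_ports / SSL_ports ACLs.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# ACL name -> predicate over a request (names mirror the default squid.conf).
ACLS: Dict[str, Callable[[Request], bool]] = {
    "Safe_ports": lambda r: r.dst_port in SAFE_PORTS,
    "SSL_ports": lambda r: r.dst_port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "manager": lambda r: r.scheme == "cache_object",
    "localhost": lambda r: ip_address(r.src).is_loopback,
    "localnet": lambda r: any(ip_address(r.src) in n for n in LOCALNET),
    "all": lambda r: True,
}

# Assumption: a default-shaped http_access list. Order matters: the first
# line whose ACLs all match decides the verdict.
DEFAULT_HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def line_matches(terms: List[str], req: Request) -> bool:
    """A line matches only when every ACL term on it matches ('!' negates a term)."""
    for term in terms:
        negate = term.startswith("!")
        name = term.lstrip("!")
        if ACLS[name](req) == negate:   # matched-but-negated or unmatched-and-plain
            return False
    return True


def evaluate(rules: List[Tuple[str, List[str]]], req: Request) -> str:
    """Return 'allow' or 'deny'; with no matching line, squid takes the opposite of the last line."""
    for action, terms in rules:
        if line_matches(terms, req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed requests covering the abuse cases discussed in the thread.
SAMPLE_REQUESTS = [
    ("LAN client relaying to SMTP", Request("192.168.1.20", "GET", 25)),
    ("LAN client tunnelling to SMTP", Request("192.168.1.20", "CONNECT", 25)),
    ("LAN client tunnelling to HTTPS", Request("192.168.1.20", "CONNECT", 443)),
    ("Internet client using us as an open proxy", Request("203.0.113.9", "GET", 80)),
]


def audit(rules, requests):
    """Pair each labelled request with the verdict the rule list gives it."""
    return [(label, evaluate(rules, req)) for label, req in requests]


if __name__ == "__main__":
    for label, verdict in audit(DEFAULT_HTTP_ACCESS, SAMPLE_REQUESTS):
        print(f"{verdict:5s}  {label}")
```

Reordering the list (for example putting an `allow` for authenticated users ahead of the two `deny` lines) changes the verdicts, which is exactly what the model is for: paste in your own http_access order and re-run the audit.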
Re: [squid-users] Remove entries from access.log
On 27/12/10 07:09, David Touzeau wrote:
> Dear
> I have these entries in access.log:
>
> squid-maison.localhost - - [26/Dec/2010:19:05:13 +0100] "GET cache_object://127.0.0.1/diskd HTTP/1.0" 200 679 TCP_MISS:NONE
> squid-maison.localhost - - [26/Dec/2010:19:05:13 +0100] "GET cache_object://127.0.0.1/store_io HTTP/1.0" 200 431 TCP_MISS:NONE
>
> I would like to force squid not to log events that came from 127.0.0.1. Is it possible to do that?

Yes, but slightly dangerous. These are cachemgr requests. Be careful other general requests don't come from localhost as well before omitting them from the logs.

Or you could just block the "manager" ACL requests being logged.

The log_access directive allows global control:
http://www.squid-cache.org/Doc/config/log_access

The access_log local ACL set allows per-log control:
http://www.squid-cache.org/Doc/config/access_log

Amos
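The caveat in that reply (a client-address filter also hides ordinary requests from 127.0.0.1, whereas a `manager` filter only hides cachemgr traffic) can be checked offline before touching log_access. This is an added Python example, not part of the thread or of Squid: it parses the common-format lines quoted above, plus one constructed ordinary request from 127.0.0.1, and compares the two exclusion rules. Treating a `.localhost` client name as loopback is an assumption about the reverse lookup on that box.

```python
"""Compare 'exclude manager requests' with 'exclude localhost clients' on squid
common-format access.log lines."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample: the two cachemgr lines quoted in the thread plus one
# ordinary request from 127.0.0.1 (assumed) that a client-based filter would drop.
SAMPLE_LOG = """\
squid-maison.localhost - - [26/Dec/2010:19:05:13 +0100] "GET cache_object://127.0.0.1/diskd HTTP/1.0" 200 679 TCP_MISS:NONE
squid-maison.localhost - - [26/Dec/2010:19:05:13 +0100] "GET cache_object://127.0.0.1/store_io HTTP/1.0" 200 431 TCP_MISS:NONE
127.0.0.1 - - [26/Dec/2010:19:06:02 +0100] "GET http://www.example.com/ HTTP/1.1" 200 1524 TCP_MISS:DIRECT
"""

# client ident user [time] "method url proto" status bytes TAG:HIERARCHY
COMMON_LINE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<tag>[^:]+):(?P<hier>\S+)$'
)

LOCALHOST_NAMES = {"127.0.0.1", "::1", "localhost"}

Entry = Dict[str, str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one common-format line into its named fields, or None if it does not fit."""
    m = COMMON_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_manager(entry: Entry) -> bool:
    # squid's 'manager' ACL matches cache_object:// URLs, i.e. cachemgr requests
    return entry["url"].startswith("cache_object://")


def is_localhost(entry: Entry) -> bool:
    # Assumption: a '.localhost' client name is the reverse lookup of loopback
    client = entry["client"].lower()
    return client in LOCALHOST_NAMES or client.endswith(".localhost")


def apply_filter(log_text: str, exclude: Callable[[Entry], bool]) -> List[Entry]:
    """Return the entries that would still be logged under the given exclusion rule."""
    kept = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # ignore lines that are not in the common format
        if not exclude(entry):
            kept.append(entry)
    return kept


def compare_filters(log_text: str):
    """(entries kept when excluding manager, entries kept when excluding localhost)."""
    return (len(apply_filter(log_text, is_manager)),
            len(apply_filter(log_text, is_localhost)))


if __name__ == "__main__":
    by_manager, by_localhost = compare_filters(SAMPLE_LOG)
    print(f"exclude manager:   {by_manager} line(s) still logged")
    print(f"exclude localhost: {by_localhost} line(s) still logged")
    for e in apply_filter(SAMPLE_LOG, is_manager):
        print("kept by manager filter:", e["client"], e["url"])
```

On the sample, excluding `manager` keeps the ordinary localhost request while excluding by client address silently drops it too, which is the risk the reply warns about.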
[squid-users] Add MAC-addresses to log
Hello. I have a problem for which I need to write MAC addresses to the log files. I do not know the C language well enough to make such changes in the source code myself. I understand that I need to make changes to the file access_log.c, in the function accessLogCustom or accessLogCommon, using an object AccessLogEntry * al. I can get the client address with al->cache.caddr, but how to get the MAC address, I do not know. Tell me what changes must be made in the source code so that the MAC addresses of clients are stored in the log files?

Sincerely, Alibek.
Re: [squid-users] size of squid binary
Hello Orestes, on 27.12.10 you wrote:
> I've built squid 3.1.10 on openbsd4.6 successfully
> but my squid binary is 40M in size, then I do a:
> strip --strip-unneeded squid
> to lower this to 2M and all ok.
> is this size normal by default?
> does squid get a debug build by default?

Slackware, LZO-packed: about 1 MByte
http://arktur.shuttle.de/CD/5.4/slack/n1/squid-3.1.10-i486-1hln.tgz

My pure binary "/usr/bin/squid" is about 2 MByte big.

Best regards!
Helmut
Re: [squid-users] Squid 3.2 - Dynamic SSL certs that aren't self-signed
Looks like dynamic ssl certs are still broken as of 3.2.0.4:

microsoft.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for microsoft.com-BEGIN CERTIFICATE-
(Error code: sec_error_untrusted_issuer)
Re: [squid-users] refusing connections
Is it possible that something in this squid.conf might cause a memory block or excessive CPU usage that could lead to this? It seems a coincidence that a server reboot seemed to fix the issue.

auth_param basic realm NameHere proxy server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all
http_port 8080
http_port XX.XXX.XXX.198:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4 16 256
#cache_dir null /null
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
buffered_logs on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
visible_hostname NameHereProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 125000/125000
[squid-users] size of squid binary
I've built squid 3.1.10 on openbsd4.6 successfully but my squid binary is 40M in size, then I do a:

strip --strip-unneeded squid

to lower this to 2M and all ok. Is this size normal by default? Does squid get a debug build by default?

LeaL
Re: [squid-users] squid-3.1 couldn't be installed.
I think that you must just install the package Perl::DBI and you're done.

LeaL

> Dear all,
> I have a problem installing squid-3.1.8-1. When I installed 'squid' on Redhat 5.2, I had the error message in cache.log, "Failed dependencies: per (DBI) is needed by squid-3.1.8-1.el5.x86_64". Please let me know its reason.
> best regards.
> J.

--
Using Opera's revolutionary email client: http://www.opera.com/mail/
Re: [squid-users] [HELP] As times passed, web browser didn't open.
Thanks for reply~ ^^

I did reinstall [squid 3.0] and I set 'squid.conf' as below.

o visible_hostname localhost
o http_access allow locahost
o http_port 3128
o cache_dir ufs /var/spool/squid/cache 100 16 256 (as default)

but still squid makes the web browser slower and slower. At the end, the web browser has a timeout. I can't use the internet. I don't know why~~

Best regards
J.

2010/12/24 Amos Jeffries :
> On 24/12/10 03:38, Seok Jiwoo wrote:
>>
>> Dear all,
>> I have several problems with the squid-cache server.
>>
>> Firstly, the symptoms are
>> o at first when I installed squid, it worked well as a cache server.
>> o but as time passed, the web browser didn't open.
>> - there are some kinds of error messages.
>> - one is 'time out'
>> - the other is 'your proxy has some problems.'
>> - and so on..
>> o I had very long access times (when I checked the 'access.log' file)
>> o eventually, the squid server doesn't work when I give the command 'squid -X or -D or start'.
>>
>> I already did
>> o use [squid -k rotate] and rotated log files.
>> o it didn't work.
>>
>> My squid-cache is squid-3.0.STABLE25-1.el5 and the OS is RedHat 5 64bit.
>>
>> I installed squid and set up the 'squid.conf' file as below.
>>
>> o visible_hostname localhost
>> o http_port 3128
>> o cache_dir ufs /web-cache/cache1 10 16 256
>> cache_dir ufs /web-cache/cache2 10 16 256
>> cache_dir ufs /web-cache/cache3 10 16 256
>
> 300GB of cache. I hope you have well over 4GB of RAM on that box dedicated to Squid. ~3GB of it will be sucked up by the disk index.
>
> Add cache_mem on top of that, add another 10% of cache_mem for the index of that space, and then add about 64KB for your maximum peak client count.
>
>> o access_log /log/squid/access.log squid
>> o cache_log /log/squid/cache.log
>> o store_log /log/squid/store.log
>
> You can drop store log under normal use, it's not that useful unless debugging the storage:
> cache_store_log none
>
>> o logfile_rotate 9 ( and /etc/logrotate.d/squid file has been reviesed.)
>
> By "reviesed" I hope you mean erased. logrotate.d and squid internal log rotation do not work well together. Pick one.
>
>> o shutdown_lifetime 1 seconds
>
> Large cache + extremely short shutdown period = cache corruption.
> Squid will handle it by doing a full scan of the entire disk space on startup to reload all the meta data from scratch. This is a period of slow proxy speed while it dedicates CPU cycles for the scan.
> When your 300GB of cache is full this will likely take somewhere between 4 and 10 hours to complete.
>
> Things to check:
> * memory usage is not swapping. This will cause squid to significantly drop in speed.
> * check for crashes or other problems in cache.log. Note the 4-10 hour recovery time loading the index after each crash will be a slow period.
>
> On top of that 3.0 has been obsolete for nearly a year now. There are a number of fatal bugs and leaks which are resolved in later releases.
> Some newer packages can be found linked from http://wiki.squid-cache.org/KnowledgeBase/RedHat. These still have some of the leaks only recently fixed but should be better than 3.0 on bugs.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.9
> Beta testers wanted for 3.2.0.3
[squid-users] squid-3.1 couldn't be installed.
Dear all,
I have a problem installing squid-3.1.8-1. When I installed 'squid' on Redhat 5.2, I had the error message in cache.log, "Failed dependencies: per (DBI) is needed by squid-3.1.8-1.el5.x86_64". Please let me know its reason.

best regards.
J.
[squid-users] tproxy configuration
Hi,
I want to deploy tproxy in my network. I'm using rhel 5.5. Please provide me a good document or configuration guide for getting a good explanation. I'm new to tproxy.

And please suggest me for the same, means what are the caveats kept in mind while using tproxy.

Thanks,
Benjo
Re: [squid-users] refusing connections
Now it is

2799 -rw-r- 1 squid squid 2863056 Dec 27 08:50 /var/spool/squid/swap.state

but it was root:squid.
I changed something in webmin - could that have caused the issue? Why would webmin change the file permissions?

--------------------------------------------------
From: "Travel Factory S.r.l."
Sent: Sunday, December 26, 2010 11:44 PM
To: "J Webster" ;
Subject: Re: [squid-users] refusing connections

what are the permissions and who is the owner of /var/spool/squid/swap.state ?
please do a
ls -lsa /var/spool/squid/swap.state
and report