[squid-users] R: [squid-users] Configuring SQUID in Windows to authenticate with Active Directory

2011-02-12 Thread Guido Serassio
Hi,

You must add the .exe extension after squid_ldap_auth as noted in the
documentation.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


> -----Original Message-----
> From: Liyanage, Lakshman [mailto:lakshman.liyan...@jcu.edu.au]
> Sent: Saturday, 12 February 2011 4:41
> To: squid-users@squid-cache.org
> Subject: [squid-users] Configuring SQUID in Windows to authenticate with
> Active Directory
> 
> Hello All,
> I am new to SQUID and hence require some help.
> I have SQUID 2.7 Stable8 installed on a Windows Server 2008 R2. I am now
> trying to configure it to use MS Active Directory. I have the following
> lines in the .conf file:
> -
> auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b "dc=ad-mycompany,dc=domain,dc=com" -D "cn=admin,cn=Users,dc=ad-mycompany,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h myipnumber
> auth_param basic children 5
> auth_param basic realm My_Company
> auth_param basic credentialsttl 5 minute
> --
> When I try to start SQUID, Windows throws "Error 1067: The process
> terminated unexpectedly" at me. I have a web server/service running on
> port 80 and 443.
> What am I missing here?
> Many many thanks for your help
> 
> Lakshman


[squid-users] squid-3.2.0.5 compilation errors

2011-02-12 Thread Yonah Russ
Hi,

I tried to compile the latest beta this morning and the compilation failed.
I'm running Ubuntu 10.04.2 LTS

I'm using the following configure string:
./configure --enable-build-info
'--enable-storeio=aufs,coss,diskd,ufs'
'--enable-removal-policies=heap,lru' '--enable-icmp'
'--enable-delay-pools' --enable-esi --enable-icap-client
'--enable-ssl' --enable-forw-via-db '--enable-cache-digests'
'--enable-follow-x-forwarded-for' --disable-ident-lookups
--enable-ssl-crtd '--enable-default-hostsfile=/etc/hosts'
--enable-auth --enable-auth-basic -enable-auth-ntlm
--enable-auth-negotiate   --enable-auth-digest
'--enable-log-daemon-helpers=file'  --enable-external-acl-helpers
'--enable-x-accelerator-vary'   --disable-translation


It fails with the following message:

/bin/bash ../../libtool --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H
 -I../.. -I../../include -I../../lib -I../../src -I../../include
-I../../libltdl   -Wall -Wpointer-arith -Wwrite-strings -Wcomments
-Werror -pipe -D_REENTRANT -g -O2 -MT MyPortName.lo -MD -MP -MF
.deps/MyPortName.Tpo -c -o MyPortName.lo MyPortName.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I../.. -I../../include
-I../../lib -I../../src -I../../include -I../../libltdl -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT
-g -O2 -MT MyPortName.lo -MD -MP -MF .deps/MyPortName.Tpo -c
MyPortName.cc  -fPIC -DPIC -o .libs/MyPortName.o
In file included from ../../src/ProtoPort.h:10,
 from MyPortName.cc:37:
../../src/ssl/gadgets.h:54: error: variable or field 'TXT_DB_free_cpp'
declared void
../../src/ssl/gadgets.h:54: error: 'TXT_DB' was not declared in this scope
../../src/ssl/gadgets.h:54: error: 'a' was not declared in this scope
../../src/ssl/gadgets.h:55: error: 'TXT_DB' was not declared in this scope
../../src/ssl/gadgets.h:55: error: 'TXT_DB_free_cpp' was not declared
in this scope
../../src/ssl/gadgets.h:55: error: template argument 1 is invalid
../../src/ssl/gadgets.h:55: error: template argument 2 is invalid
../../src/ssl/gadgets.h:55: error: invalid type in declaration before ';' token
make[3]: *** [MyPortName.lo] Error 1
make[3]: Leaving directory `/root/squid-3.2.0.5/src/acl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/squid-3.2.0.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/squid-3.2.0.5/src'
make: *** [all-recursive] Error 1

Thanks,
Yonah


Re: [squid-users] problem using squid as proxy server to load balance reverse-proxies

2011-02-12 Thread Sri Rao
Yep.  The patch seems to be working correctly.

Thanks,

Sri

On Sat, Feb 12, 2011 at 1:21 PM, Amos Jeffries  wrote:
> On 12/02/11 22:05, Sri Rao wrote:
> 
>>
>> Okay let's say I am trying to loadbalance using squid to 2 origin
>> servers.  The 2 origin servers would be setup as cache_peers applying
>> the originserver directive no?  Right now that wouldn't happen.  It
>> would return not allowed for cache_peers right?  The patch below would
>> allow for cache_peers if set as originserver to do the passthru you
>> are talking about above.
>>
>> I thought a possible patch could be:
>>
>> diff -Naur squid-3.1.11/src/tunnel.cc squid-3.1.11-cf/src/tunnel.cc
>> --- squid-3.1.11/src/tunnel.cc  2011-02-07 20:05:51.0 -0800
>> +++ squid-3.1.11-cf/src/tunnel.cc       2011-02-11 11:08:34.256181949
>> -0800
>> @@ -589,10 +589,10 @@
>>          err->callback_data = tunnelState;
>>          errorSend(tunnelState->client.fd(), err);
>>      } else {
>> -        if (tunnelState->servers->_peer)
>> -            tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
>> -        else {
>> +        if (!tunnelState->servers->_peer ||
>> tunnelState->servers->_peer->options.originserver)
>>              tunnelConnected(tunnelState->server.fd(), tunnelState);
>> +        else {
>> +            tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
>>          }
>>
>>          commSetTimeout(tunnelState->server.fd(),
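Review bot: in the rewritten `} else {` branch the new two-line condition `if (!tunnelState->servers->_peer || tunnelState->servers->_peer->options.originserver)` is left without braces while the `else` keeps its `{ }`, and the continuation line carrying `options.originserver)` sits flush with the `if` instead of being indented under it, so the hunk reads as unbalanced; brace both branches and indent the continuation. Since this flips the old assumption that any `_peer` means a proxy peer (tunnelProxyConnected) and now sends originserver peers through tunnelConnected like a direct connection, a one-line comment stating that intent beside the condition would help the next reader.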
>>
>> Wondering if there are reasons that this shouldn't be done?
>
> Hmm, my brain seems not to have been working much. :(
>
> Yes that appears a correct and useful solution. Thank you.
>
> If you can test this and verify that it produces the right operation for
> your needs I'll replace the earlier patch with this one.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.11
>  Beta testers wanted for 3.2.0.4
>


Re: [squid-users] Configuring SQUID in Windows to authenticate with Active Directory

2011-02-12 Thread Amos Jeffries

On 12/02/11 16:41, Liyanage, Lakshman wrote:

Hello All,
I am new to SQUID and hence require some help.
I have SQUID 2.7 Stable8 installed on a Windows Server 2008 R2. I am now trying 
to configure it to use MS Active Directory. I have the following lines  in the 
.conf file:
-
auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b "dc=ad-mycompany,dc=domain,dc=com" 
-D "cn=admin,cn=Users,dc=ad-mycompany,dc=domain,dc=com" -w "password" -f 
sAMAccountName=%s -h myipnumber
auth_param basic children 5
auth_param basic realm My_Company
auth_param basic credentialsttl 5 minute
--
When I try to start SQUID, Windows throws "Error 1067: The process terminated 
unexpectedly" at me.  I have a web server/service running on port 80 and 443.
What am I missing here?


The error messages are logged in Squid's cache.log, which says what 
happened and which app is breaking.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4


Re: [squid-users] Squid 3 and active directory transparent user authentication

2011-02-12 Thread Amos Jeffries

On 13/02/11 12:00, Cedric DC wrote:


Hello,

Current architecture
--
We have a dedicated squid 3 server and squidguard installed on a Linux Ubuntu 
server.
The goal is currently to perform web caching for the corporate users and to 
filter web sites.
The server is installed on a private DMZ and allows:
-Traffic initiated from the LAN to the squid server on port TCP 3128
-Traffic initiated from the squid server to the Internet for the services HTTP, 
HTTPS, FTP, NTP, DNS
-The rest of the traffic is dropped by a hardware cluster firewall

Evolution architecture
--
We want to TRANSPARENTLY authenticate the corporate users who want to go on the 
Internet. In addition, we want to have in the log files the "username" for each 
request to the Internet.
We want to perform the user authentication by asking our Windows Server 2003 
(Active Directory).


NOTE: The only real form of auth which is "transparent" in Squid is for 
reverse proxies, which your case does not seem to be.


What you seem to mean by "TRANSPARENT" is that the user does not notice 
it happening. This is a browser configuration issue. When configured 
properly on a stable network the browser only asks for login once (if at 
all) when starting up, regardless of the auth protocol used when talking to Squid.




I have searched the Internet and there seem to be several options:
-NTLM authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups



If you are newly adding auth to the network try and avoid NTLM auth.

Kerberos is the much simpler and more secure replacement. The groups 
checking if you need it applies equally and almost the same to both auth 
protocols.




-LDAP authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

-Kerberos authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


1-What is the best option to authenticate against Windows 2003 (Active 
Directory) that will be easy to deploy?


"best" as defined by what criteria? ... easy to setup? secure? 
compatibility with HTTP? range of clients supporting it?


When working properly none of the auth mechanisms actually need to 
display popups to the user. When incompletely setup or broken they all 
will regardless of protocol claims of transparency/invisibility. This is 
a browser security decision.



and No, it will likely not be easy. There are many apps that do not do 
auth at all, many that do only a limited range of auth types, and some 
which claim to but do it badly.



2-Is it possible, for example, to enable authentication for users and NOT for 
servers?


I believe it's possible. That is a backend configuration problem though, 
nothing to do with Squid.



3-Is it possible to create a special group in Active Directory which contains 
all users allowed to surf, so that Squid allows surfing only if the user is 
present in this group?


Um, Did you read those wiki pages you linked to? Particularly the one 
called "NtlmWithGroups"?




4-How can I differentiate these 2 profiles in squid? For information, users and 
datacenters are in two separate IP subnets.


You just answered your own question there. Use IP to alter the auth ACLs 
tested.



5-Do you have a very good tutorial concerning the implementation in my case ?



The three wiki pages you linked to seem to be good ones if I do say so 
myself (as a co-author and editor).



Here the squid package version installed on our server

root@XX:/etc/squid3# dpkg -l | grep squid
ii  squid3         3.0.STABLE8-3     A full featured Web Proxy cache (HTTP proxy)
ii  squid3-common  3.0.STABLE8-3     A full featured Web Proxy cache (HTTP proxy)
ii  squidguard     1.2.0-8.4ubuntu1  filter, redirector and access controller plu


You will find far fewer auth problems in the 3.1 or later series of Squid.

Ubuntu 10.10 has 3.1.6. And I provide a PPA for source packages of the 
even newer 3.1 code with fixes 3.1.6 is lacking. 
https://launchpad.net/~yadi/+archive/ppa



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4


[squid-users] [spam]

2011-02-12 Thread Amos Jeffries
 --- Begin Message ---


Dear valued beneficiary,

 

You have inherited fund valued $4,600,000.00 (Four million six hundred thousand 
dollars.) from the United Nations Compensation as a result of the recent world 
economic and financial meltdown. 

 

Please reconfirm your bank details once again to enable us effect transfer of 
the fund into your account immediately without any further delay.

 

Contact Mr. Edward Smith below for more advise and immediate transfer action.

 

Contact Person: Mr. Edward Smith

Bank Name: Halifax Bank Plc

Phone: +22966059607

Sub Email: halifaxbnkpl...@live.com

 

Thank you

Bank Security Alert
--- End Message ---
--- Begin Message ---
Hello,
I feel safe and confident dealing with you in this important business.Though 
this medium (Internet) has been greatly abused, I choose to reach you through 
it because it still
 remains the fastest and safest medium of communication considering the details 
of this business. However, this correspondence is unofficial and private, and 
it should be treated as such. I'm establishing a direct communication with you 
soliciting for your partnership and co-operation in this business transaction.
My name is Mr Sam Morse,Funds Manager of Fidelity Investment International The 
World's largest independent investment management organization;with over $1.2 
Trillion Capital
Investment Funds.Nevertheless, as Fidelity Funds Manager, I handle all our 
Investor's Direct Capital Funds and secretly extract1.2% Excess Maximum Return 
Capital Profit (EMRCP) per annual on each of the investor's Magellan Capital 
Funds.As an expert,I have made over $15m US dollars from the Investor's EMRCP 
and hereby looking for someone to trust who will stand as an Investor to 
receive the funds as Annual Investment Proceeds from Fidelity Magellan Capital 
Funds.
 All confirm able documents to back up the claims will be made available to you 
prior to your acceptance. Meanwhile, I have worked out the strategies and 
technicalities whereby the funds can be claimed in any of our 6 Clearing Houses 
without any hitches.Our sharing ratio will be 60-40,and in case you are 
interested, do email me your direct telephone number so we can discuss this 
transaction in further details.
Sincerely,
Mr Sam Morse.
Funds Manager Fidelity Investment International.
--- End Message ---


[squid-users] Squid 3 and active directory transparent user authentication

2011-02-12 Thread Cedric DC

Hello,

Current architecture
--
We have a dedicated squid 3 server and squidguard installed on a Linux Ubuntu 
server. 
The goal is currently to perform web caching for the corporate users and to 
filter web sites.
The server is installed on a private DMZ and allows:
-Traffic initiated from the LAN to the squid server on port TCP 3128
-Traffic initiated from the squid server to the Internet for the services HTTP, 
HTTPS, FTP, NTP, DNS
-The rest of the traffic is dropped by a hardware cluster firewall

Evolution architecture
--
We want to TRANSPARENTLY authenticate the corporate users who want to go on the 
Internet. In addition, we want to have in the log files the "username" for each 
request to the Internet.
We want to perform the user authentication by asking our Windows Server 2003 
(Active Directory).

I have searched the Internet and there seem to be several options:
-NTLM authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups

-LDAP authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

-Kerberos authentication
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


1-What is the best option to authenticate against Windows 2003 (Active 
Directory) that will be easy to deploy?
2-Is it possible, for example, to enable authentication for users and NOT for 
servers?
3-Is it possible to create a special group in Active Directory which contains 
all users allowed to surf, so that Squid allows surfing only if the user is 
present in this group?
4-How can I differentiate these 2 profiles in squid? For information, users and 
datacenters are in two separate IP subnets.
5-Do you have a very good tutorial concerning the implementation in my case?

Best regards,
 

Here the squid package version installed on our server

root@XX:/etc/squid3# dpkg -l | grep squid
ii  squid3    3.0.STABLE8-3 
A full featured Web Proxy cache (HTTP proxy)
ii  squid3-common 3.0.STABLE8-3 
A full featured Web Proxy cache (HTTP proxy)
ii  squidguard    1.2.0-8.4ubuntu1  
filter, redirector and access controller plu

  

FW: [squid-users] Squid architecture

2011-02-12 Thread Cedric DC




> From: onea...@hotmail.com
> To: chad.nau...@travimp.com
> Subject: RE: [squid-users] Squid architecture
> Date: Sat, 12 Feb 2011 10:09:49 +
>
> Thank you Chad for your reply.
> We use dedicated cluster hardware firewalls, powerful enough, I think.
> We will install the squid cache server in the private DMZ.
> On the firewall, we will allow only DNS, NTP, HTTP, HTTPS from the
> squid server to the Internet AND the LDAP port between the squid and the active
> directory servers. Web traffic initiated from the Internet will be
> dropped.
>
> Regards,
>
> OnEal
>
>
> > Date: Tue, 8 Feb 2011 16:13:21 -0500
> > From: chad.nau...@travimp.com
> > To: onea...@hotmail.com; squid-users@squid-cache.org
> > Subject: Re: [squid-users] Squid architecture
> >
> > Usually Squid runs on a machine with Public Access, as opposed to the
> > rest of the network, whether it being a NAT/Firewall itself, or behind a
> > Hardware Firewall, while the Firewall blocks outbound traffic from
> > everywhere BUT the Proxy.
> >
> > Placing Squid in the DMZ can work as well, as long as the same rules
> > apply, and the Internal Network can access it on the configured port(s),
> > and Squid can access the AD Domain. I would just be more cautious of
> > various security ACL's, and general security of the box, so it can't be
> > used as a public relaying proxy, or anything else. You also need to
> > consider how easily it can access the AD Domain for authentication,
> > because there will be a significant amount of traffic required for that
> > as well.
> >
> > 1000 machines should be able to be served by 1 dedicated Squid install
> > fairly well, assuming that it is configured optimally, and with the
> > correct CPU + RAM + HDD configurations.
> >
> > >>> Cedric DC 2/8/2011 3:53 PM >>>
> >
> > Hello all,
> >
> > I want to configure a web proxy squid cache for my LAN
> > users (~1000 PCs exist on the LAN). I want to use
> > squid+squidguard+authentication on a domain controller (active directory
> >
> > :')
> > For the moment, we want to install only one server (and in the future a
> > second...).
> > My question is where can I install the squid ? On the LAN or on the
> > private DMZ of our firewalls cluster ?
> >
> > Do you have some best practices concerning the position of the squid ?
> > If there are several possibilities, what are the advantages and
> > inconveniences of each one ?
> > Do you have documents about proxy cache architecture ?
> >
> > Thank you in advance for your help.
> >
> > OnEal
> >
> >
  

[squid-users] Squid 3.2.0.5 beta is available

2011-02-12 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.2.0.5 beta release!


This release brings in a lot of polish and completes two more of the 
structural bugs/features before release 3.2 can be made.



Several regressions in the earlier 3.2 beta have been resolved:
 * profiler should not have been built by default
 * Bug 3081: assertion failed: AsyncCallQueue
 * Bug 2948: Requests for FTP active downloads cause failed assertion
 * Bug 3089: FTP command output overrides directory listing


Other bugs and problems resolved:

 - Bug 2870: Make Squid obey --disable-auth and --disable for the 
individual authentication modules.
   This is a big change which affects feature availability and behaviour 
in several unusual places.
   If you wish to use this please read the change commit message or 
http://squidproxy.wordpress.com/2011/02/10/disabling-authentication/ for 
a long description of the changes and effects.


 - HTTP/1.1: Support configurable status codes for deny_info
   3xx and 4xx and 5xx codes may now be configured.
   see the config documentation for details.

 - Bug 2586: multiple memory leaks during reconfigure
 - Bug 2581: FTP directory listing sometimes fails
 - Port from 2.7: maximum staleness limits
 - Support upcoming "fresh message creation" eCAP API
 - Aggregate SNMP responses when using SMP with multiple workers
 - Several more Solaris, Windows and ICC support fixes. This is ongoing.



 As usual this beta contains all the fixes passed on to 3.1 series 
alongside its own changes.  There are several important changes shared 
with the 3.1.11 release which need to be noticed:



 Bug 3144: URL re-write/redirect programs are potentially vulnerable to 
hanging while receiving very long URLs, because buffer overflow 
protections truncate long URLs. This enables trusted clients to 
perform a DoS on the Squid server, possibly via loading web links in a 
malicious website.
 Popular scripting helpers appear not to be vulnerable to this DoS 
effect, but will produce errors or truncated URL output instead.
Helpers which depend on and wait for receiving the API-documented 
newline terminator are all vulnerable.

 Squid will now catch these and produce a 414 status code error instead.


 Bug 2959: We have removed the use of environment variable SAMBAPREFIX 
during build. Instead the helpers which previously used it to locate the 
Samba tools require those tools (nmblookup, smbclient, wbinfo) to be 
available in the system $PATH. This allows several helpers to be built 
on systems without Samba as long as it is present when they are run.
 * Build scripts should be forward-compatible since the Squid build 
simply ignores the variable now.
 * Run-time scripts may need a check and update to ensure the above 
mentioned Samba tools are in the system $PATH now.



 Pipelining is one of the standard HTTP features which clashes and 
breaks badly when NTLM or Negotiate/Kerberos TCP connection 
authentication are performed. Squid will now produce a warning message 
and disable pipelining cleanly if those authentication methods are 
configured in Squid.
 The default setting for pipelining is OFF. Configurations receiving 
that warning should remove the pipeline_prefetch directive from their 
squid.conf.


WARNING: the current Squid will not produce this notice if NTLM or 
Negotiate/Kerberos are simply passed through Squid to an origin server. 
If you are aware of such traffic needing to pass through your Squid it 
is up to you to ensure pipelining remains OFF.




Users of earlier 3.2 beta releases are encouraged to test this beta out 
and upgrade as soon as possible.



Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.2/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-users] Squid 3.1.11 is available

2011-02-12 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.11 release!


This release brings several bug fixes and some further HTTP/1.1 
improvements into 3.1.



 Bug 3140: A small but cumulative memory leak was found and fixed in 
error page generation.



 Bug 3144: URL re-write/redirect programs are potentially vulnerable to 
hanging while receiving very long URLs, because buffer overflow 
protections truncate long URLs. This enables trusted clients to 
perform a DoS on the Squid server, possibly via loading web links in a 
malicious website.
 Popular scripting helpers appear not to be vulnerable to this DoS 
effect, but will produce errors or truncated URL output instead.
Helpers which depend on and wait for receiving the API-documented 
newline terminator are all vulnerable.

 Squid will now catch these and produce a 414 status code error instead.


 Bug 2959: We have removed the use of environment variable SAMBAPREFIX 
during build. Instead the helpers which previously used it to locate the 
Samba tools require those tools (nmblookup, smbclient, wbinfo) to be 
available in the system $PATH. This allows several helpers to be built 
on systems without Samba as long as it is present when they are run.
 * Build scripts should be forward-compatible since the Squid build 
simply ignores the variable now.
 * Run-time scripts may need a check and update to ensure the above 
mentioned Samba tools are in the system $PATH now.



 Bug 3149: eCAP was not updating the object state correctly on altered 
bodies, causing them not to be cacheable. This was particularly 
noticeable in the compression eCAP adapter as reduced efficiency and 
slower transfers.



HTTP/1.1 support has been boosted slightly with:

 * extension of deny_info to send 307 status when appropriate instead 
of always sending 302. This will allow some browsers to start safely 
displaying the error page in response to HTTPS rejections.


 * removal of an old limit on agents using the "Mozilla/3.0" string. 
This will allow more download agents to gain the benefits of persistent 
connections.


 * addition of support for the "Cache-Control: stale-if-error=N" option 
from RFC 5861. There is no Squid configuration required.
 NP: The paired stale-while-revalidate is much more complex and not 
supported in 3.1.


 * pipeline_prefetch auto-disabled under several authentication schemes.
Pipelining is one of the standard HTTP features which clashes and breaks 
badly when NTLM or Negotiate/Kerberos TCP connection authentication are 
performed. Squid will now produce a warning message and disable 
pipelining cleanly if those authentication methods are configured in Squid.
 The default setting for pipelining is OFF. Configurations receiving 
that warning should remove the pipeline_prefetch directive from their 
squid.conf.


WARNING: the current Squid will not produce this notice if NTLM or 
Negotiate/Kerberos are simply passed through Squid to an origin server. 
If you are aware of such traffic needing to pass through your Squid it 
is up to you to ensure pipelining remains OFF.




See the ChangeLog for the list of other minor changes in this release.


All users of Squid-3 are urged to upgrade as soon as possible.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
when you are ready to make the switch to Squid-3.1

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.1/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.1/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-users] problem using squid as proxy server to load balance reverse-proxies

2011-02-12 Thread Amos Jeffries

On 12/02/11 22:05, Sri Rao wrote:



Okay let's say I am trying to loadbalance using squid to 2 origin
servers.  The 2 origin servers would be setup as cache_peers applying
the originserver directive no?  Right now that wouldn't happen.  It
would return not allowed for cache_peers right?  The patch below would
allow for cache_peers if set as originserver to do the passthru you
are talking about above.

I thought a possible patch could be:

diff -Naur squid-3.1.11/src/tunnel.cc squid-3.1.11-cf/src/tunnel.cc
--- squid-3.1.11/src/tunnel.cc  2011-02-07 20:05:51.0 -0800
+++ squid-3.1.11-cf/src/tunnel.cc   2011-02-11 11:08:34.256181949 -0800
@@ -589,10 +589,10 @@
  err->callback_data = tunnelState;
  errorSend(tunnelState->client.fd(), err);
  } else {
-if (tunnelState->servers->_peer)
-tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
-else {
+if (!tunnelState->servers->_peer ||
tunnelState->servers->_peer->options.originserver)
  tunnelConnected(tunnelState->server.fd(), tunnelState);
+else {
+tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
  }

  commSetTimeout(tunnelState->server.fd(),

Wondering if there are reasons that this shouldn't be done?


Hmm, my brain seems not to have been working much. :(

Yes that appears a correct and useful solution. Thank you.

If you can test this and verify that it produces the right operation for 
your needs I'll replace the earlier patch with this one.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4


Re: [squid-users] Squid Cache - hangs after a few minutes

2011-02-12 Thread Amos Jeffries

On 12/02/11 10:47, justin hyland wrote:

Im trying to get multiple squid servers to act as front-end web
servers for my main central apache web server, here is my setup so
far...


So far you have an unrestricted "open proxy". Not good. See below for fixes.



I have changed the IP of the apache server that this sends traffic to,
to 123.123.123.123, fyi
Code:

# egrep -v "^#" squid.conf | sed -e '/^$/d'
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8


Add:
  acl to_localhost dst 0.0.0.0/32


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


NP: Missing reverse proxy ACL and http_access rules indicating what 
websites you are hosting.


http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Note the http_access rules and the extra-special mention that the 
reverse-proxy stuff needs to be first in the config file before any of 
these forward-proxy restrictions. Order is important.



http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all


After placing the right accelerator http_access rules up above, this 
"allow all" can be set back to the safe "deny all".




icp_access allow all
http_port 80 accel defaultsite=123.123.123.123 vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow all
hierarchy_stoplist cgi-bin ?


Drop this hierarchy_stoplist for reverse proxies.


cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY


If you have 2.7 this QUERY stuff can be dropped.


refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440


Add right here:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0


refresh_pattern .   0   20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
always_direct allow all


"always_direct allow all" overrides the one piece of security preventing 
your Squid from being an open-proxy. Set the http_access correctly and 
remove this or set it back to "always_direct deny all".



coredump_dir /var/spool/squid

This works wonders.. for about 4 minutes. Then the requests go from
half a second per page load, to 5 to 10, then 30 or 40 seconds..,
then it won't even process; the tail -f access_logs shows that it's not
even hitting apache any longer on the central server, so it's like
squid freezes up, any idea???


One of the main purposes of a reverse-proxy is to reduce load in the 
backend, serving pages from the proxy cache instead. When this is 
working the central Apache will not see many hits. Somewhere between 80% 
and 100% of all traffic will "disappear" from the Apache log.


Look to the Squid access.log for a full record of actual visitors and 
service times.




I have turned off the firewall on the squid server as well as the
central apache server, and still doesn't help much. I read through
http://squidproxy.wordpress.com/2007...s-are-hanging/ and did all of
it, with no avail.

P.S. I doubt this is a connection issue between the servers, as the
website WITH squid loads just as fast as apache for a few minutes,
then slowly goes to a halt


With Squid-2 you will need to add this to your configuration file:
  never_direct 0 seconds


If the problem persists after all the above changes are made then 
debugging why will start to be useful.


  Luis mentioned the -X -N command line options that will produce a 
full debug output to the terminal/screen stdout.
 Alternatively just -X will leave that same trace in Squid's cache.log 
for later analysis. Just watch the available disk space when doing it this way.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4
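Putting the corrections above together, as an added example that is not the poster's config and not Amos's own text: a minimal Squid 2.7 accelerator config in the order the linked BasicAccelerator page prescribes. The hostname www.example.com and the ACL name our_sites are assumptions; the origin address 123.123.123.123, the peer name myAccel and the log, cache and refresh settings are taken from the posted config.

```conf
# ---- Reverse-proxy (accelerator) section: MUST come before the forward-proxy rules ----
# Assumed hosted site: www.example.com. vhost makes Squid key on the Host: header.
http_port 80 accel defaultsite=www.example.com vhost
cache_peer 123.123.123.123 parent 80 0 no-query originserver name=myAccel

# Only the site(s) this Squid actually hosts may be requested through it.
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

# ---- Forward-proxy safety rules: only requests that are NOT for our sites get here ----
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all            # back to "deny all": this box is not an open proxy

# No "always_direct allow all": it lets Squid bypass the peer and fetch anything a client asks for.
# No hierarchy_stoplist and no "cache deny QUERY" on 2.7; dynamic content is covered by the
# cgi-bin/query refresh_pattern placed before the catch-all pattern.
refresh_pattern -i (/cgi-bin/|\?) 0     0%  0
refresh_pattern ^ftp:             1440  20% 10080
refresh_pattern ^gopher:          1440   0%  1440
refresh_pattern .                 0     20% 4320

icp_access allow all
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
coredump_dir /var/spool/squid
```

Check the file with "squid -k parse" before reloading. Once this is in place the visitor record lives in Squid's access.log (TCP_HIT lines never reach Apache), and a request for any hostname other than the accelerated one is refused by "http_access deny all" instead of being forwarded.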


[squid-users] Re: kerberos authentication - performance tuning

2011-02-12 Thread Markus Moeller

Hi Peter

"Nick Cairncross"  wrote in message 
news:c9782338.5940f%nick.cairncr...@condenast.co.uk...

On 09/02/2011 09:34, "guest01"  wrote:


Hi,

We are currently using Squid 3.1.10 on RHEL5.5 and Kerberos
authentication for most of our clients (authorization with an icap
server). At the moment, we are serving approx 8000 users with two
servers. Unfortunately, we have performance troubles with our Kerberos
authentication. Load values are way too high ...

10:19:58 up 16:14,  2 users,  load average: 23.03, 32.37, 25.01
10:19:59 up 15:37,  2 users,  load average: 58.97, 57.92, 47.73

Peak values have been >70 for the 5min interval. At the moment, there
are approx 400 hits/second (200 per server). We already disabled
caching on harddisk. Avg service time for Kerberos is up to 2500ms
(which is quite long).

Our kerberos configuration looks pretty simple:
#KERBEROS
auth_param negotiate program
/opt/squid/libexec/negotiate_kerberos_auth -s HTTP/fqdn -r
auth_param negotiate children 30
auth_param negotiate keep_alive on

Is there any way for further caching or something like that?

For testing purposes, we authenticated a certain subnet by IP and load
values decreased to <1. (Unfortunately, this is not possible because
every user gets a policy assigned by its username)

Any ideas anyone? Are there any kerberos related benchmarks available
(could not find any), maybe this issue is not a problem, just a
limitation and we have to add more servers?

Thanks!

best regards
Peter


Peter,

I have pretty much the same setup as you - just 3.1.8, though only 700
users.

Have you disabled the replay cache:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
But beware of a memory leak (depending on your libs of course):
http://squid-web-proxy-cache.1019090.n4.nabble.com/Intermittent-SquidKerbAuth-Cannot-allocate-memory-td3179036.html. I have a call outstanding with
RH at the moment.



Could you try disabling the replay cache ? Did it improve the load ?


Are your rules repeatedly requesting authentication unnecessarily when it's
already been done? Amos was very helpful when advising on this (search for
the post..)

8000 users.. Only 30 helpers? What does cachemgr say about used negotiate
helper stats, timings/sec etc.
Is your krb5.conf using the nearest kdc in its own site etc?



The kdc is only important for the client. The server (squid) never talks to 
the kdc.



Some load testers out there incorporate Kerberos load testing.

Just my thoughts..

Nick







The information contained in this e-mail is of a confidential nature and is 
intended only for the addressee.  If you are not the intended addressee, 
any disclosure, copying or distribution by you is prohibited and may be 
unlawful.  Disclosure to any party other than the addressee, whether 
inadvertent or otherwise, is not intended to waive privilege or 
confidentiality.  Internet communications are not secure and therefore 
Conde Nast does not accept legal responsibility for the contents of this 
message.  Any views or opinions expressed are those of the author.


The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, 
London W1S 1JU







Re: [squid-users] problem using squid as proxy server to load balance reverse-proxies

2011-02-12 Thread Sri Rao
On Fri, Feb 11, 2011 at 1:14 PM, Amos Jeffries  wrote:
> On 12/02/11 06:37, Sri Rao wrote:
>>
>> Hi Amos,
>>
>>
>>
>> I am trying to setup squid as a ssl proxy to load balance between
>> reverse-proxies.  I believe the config is right but what is happening
>
> What you have setup is a forward proxy load balancer which only permits
> management and binary-over-HTTP tunneled traffic from its localhost
> machine
> IP.

 That is actually what I want.  I want to do binary-over-HTTP from the
 localhost to the reverse-proxy servers.  When the forward proxy tries
 to connect to the origin server directly it does a tunnelConnect but
 even though I have set originserver for the cache_peers it seems to
 just forward the CONNECT instead of doing a tunnelConnect.  I thought
 originserver should force squid to treat the cache_peers as if they
 were web servers?
>>>
>>>
>>> It should. You seem to have found a bug there. I've added a fix for that
>>> now.
>>
>> Where can I grab the fix?
>
> It will be here when the mirrors next update:
> http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10230.patch


>
>>
>>> A secondary problem in your config was "never_direct allow sp_test" -
>>> since
>>> sp_test always matches direct tunnel setup (tunnelConnect) is not
>>> permitted.
>>
>> yeah I never want it to go direct to the origin.  I want it to connect
>> to the peers but as the originserver which should still be
>> tunnelConnect right?
>
> Hmm, I think I finally get what you are trying to do. :)
> And no Squid's handling of CONNECT is not smart enough to do CONNECT
> properly to origins when the origin is a cache_peer without direct TCP
> access from Squid.
>
>
>  tunnelConnect is Squid being a gateway and converting the CONNECT into a
> TCP tunnel directly CONNECTed to the destination server. Similar to the
> way SSH would for example. Bytes are shuffled but squid sees none of them.
> Like so:
>   client--(CONNECT)-->Squid --(direct TCP)-->some host
>
>  using cache_peer is Squid passing an HTTP request (just happens to be
> CONNECT) on unchanged for another proxy cache_peer to process. The tunnel
> data is just a regular HTTP body entity to Squid, same as a POST with data
> going both ways to the client and cache_peer.
> Like so:
>   client--(CONNECT)-->Squid--(CONNECT)-->Other proxy--(direct TCP)-->some
> host
>
> inside the tunnel:
>        client <--(binary)--> some host
>
>
> In your case you have the peer origins hostname in the CONNECT destination
> yes? so allowing CONNECT to go direct will go there.
>  I think you should be doing "never_direct deny" of everything *except*
> CONNECT requests to your internal origins.

Okay let's say I am trying to load balance using squid to 2 origin
servers.  The 2 origin servers would be setup as cache_peers applying
the originserver directive, no?  Right now that wouldn't happen.  It
would return not allowed for cache_peers right?  The patch below would
allow for cache_peers if set as originserver to do the passthru you
are talking about above.

I thought a possible patch could be:

diff -Naur squid-3.1.11/src/tunnel.cc squid-3.1.11-cf/src/tunnel.cc
--- squid-3.1.11/src/tunnel.cc  2011-02-07 20:05:51.0 -0800
+++ squid-3.1.11-cf/src/tunnel.cc   2011-02-11 11:08:34.256181949 -0800
@@ -589,10 +589,10 @@
 err->callback_data = tunnelState;
 errorSend(tunnelState->client.fd(), err);
 } else {
-if (tunnelState->servers->_peer)
-tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
-else {
+if (!tunnelState->servers->_peer ||
tunnelState->servers->_peer->options.originserver)
 tunnelConnected(tunnelState->server.fd(), tunnelState);
+else {
+tunnelProxyConnected(tunnelState->server.fd(), tunnelState);
 }

 commSetTimeout(tunnelState->server.fd(),
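Review bot: the added line `+if (!tunnelState->servers->_peer ||` is continued on the next line `tunnelState->servers->_peer->options.originserver)` with no leading `+`, so the hunk as mailed carries 11 new-side lines against the `@@ -589,10 +589,10 @@` header and will not apply; the mail client wrapped the line, so resend it unwrapped or as an attachment. On the logic the swap does what you describe: a peer flagged originserver now takes the `tunnelConnected` path (raw TCP shuffle to the peer, as for a direct origin) and only a non-originserver peer gets `tunnelProxyConnected` (CONNECT forwarded to the next proxy); keep the `!_peer` test first as you have it, since short-circuit evaluation is what stops `_peer->options.originserver` being read through a NULL peer. Worth a one-line comment in the code: the test looks only at the head of `servers`, so it assumes the peer actually connected to is the first entry in the list.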

Wondering if there are reasons that this shouldn't be done?

Sri