[squid-users] squid & squidGuard redirect only domain (but not imgs, scripts etc)

2011-06-22 Thread roots...@mail.ru
Hello all!
  
I am trying to set up redirects from denied domains to a page on our local
web server. The redirect works, but it doesn't show pictures from the new
website, doesn't use JS scripts from the new site, etc.
At first I used this redirector:
  
#!/usr/bin/perl 
$|=1; 
while (<>) { 
        s@http://sex.com@http://mywebsrv/www/workblock\n@;
        print; 
}
  
This redirect works, but all images (and swf and js files) on our workblock page
(like http://mywebsrv/www/workblock/dem.jpg) it tries to GET from sex.com - in
the logs we see GET http://sex.com/dem.jpg or http://sex.com/workblock/dem.jpg :(
Why is that? What am I doing wrong?

After that I installed squidGuard (both configs are below) but the problem is
still here :(
Thank you for any solution or help.
  
My /etc/squid/squidGuard.conf: 
dbhome /var/lib/squidguard/db
logdir /var/log/squid 
dest redirector { 
        domainlist redirector/domains 
        urllist redirector/urls 
        } 
acl { 
        default { 
                pass !redirector all 
                redirect http://mywebsrv/www/workblock 
        } 
 }
  
My /etc/squid3/squid.conf: 
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf 
redirect_children 3 
redirector_bypass on 
cache_effective_user proxy 
acl SNBC src 10.250.16.0/24 
http_access allow SNBC 
http_port 10.250.16.222:3128 
cache_peer 10.80.20.222 parent 3128 0 no-query default 
never_direct allow all 
cache_mgr n...@n.com 
dns_nameservers 10.250.16.10 10.250.1.13
  
Something like my trouble is described here:
http://www.mail-archive.com/squid-users@squid-cache.org/msg03292.html (but no
solution)
  
With best regards, Albert
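
Added example, not part of the original post: a redirector for the classic Squid helper protocol (assumed here: the Squid 3.1 line format `URL client_ip/fqdn ident method`) that replies with a `302:` prefix, so the browser itself moves to the block page and relative image and script links resolve against mywebsrv instead of the blocked host. `BLOCKED`, its sample domain and the helper `browser_fetches` are constructed for illustration.

```python
#!/usr/bin/env python3
"""Squid redirector that answers blocked domains with a real HTTP 302."""
import sys
from urllib.parse import urljoin, urlsplit

# Block page from the post; the trailing slash matters for relative links.
BLOCK_PAGE = "http://mywebsrv/www/workblock/"
BLOCKED = {"blocked.example"}  # constructed sample list of denied domains


def is_blocked(host):
    """True if host is a denied domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED)


def answer(line):
    """Return the helper reply for one request line received from Squid."""
    fields = line.split()
    if not fields:
        return ""
    # CONNECT lines carry "host:port" and yield no hostname here: they pass.
    host = urlsplit(fields[0]).hostname or ""
    # Requests for the block page's own host always pass, so its images load.
    if host == urlsplit(BLOCK_PAGE).hostname or not is_blocked(host):
        return ""  # empty reply line: leave the request unchanged
    # A bare URL would be fetched silently by Squid while the browser still
    # believes it is on the blocked host. "302:" sends an HTTP redirect, so
    # the browser's base URL for relative links becomes BLOCK_PAGE.
    return "302:" + BLOCK_PAGE


def browser_fetches(base_url, relative_ref):
    """URL a browser requests for a relative link on a page at base_url."""
    return urljoin(base_url, relative_ref)


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

With squidGuard the same effect comes from writing the redirect target with the prefix, `redirect 302:http://mywebsrv/www/workblock/`, in the acl block.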

Re: [squid-users] [reverse proxy] ESTABLISHED on squid server

2011-06-22 Thread Le Trung Kien
Thank you, Amos, for your very clear answer.


On Wed, Jun 22, 2011 at 7:51 PM, Amos Jeffries  wrote:
> On 22/06/11 22:54, Le Trung, Kien wrote:
>>
>> Hi, I have trouble with how to reduce the ESTABLISHED statuses of connections.
>> There are always approximately 6300 ESTABLISHED connections when the server
>> is at the high-load time of the day, and it only drops below 1000 ESTABLISHED
>> at midnight.
>>
>>       1 established)
>>       1 Foreign
>>       5 FIN_WAIT2
>>       6 LISTEN
>>      11 CLOSING
>>      43 SYN_RECV
>>      63 LAST_ACK
>>     237 FIN_WAIT1
>>    1331 TIME_WAIT
>>    6258 ESTABLISHED
>>
>> I wonder how to free the connection after all data has been transferred
>> between squid server and clients. (I think squid keeps connections as
>> much as possible).
>
> Depends on which Squid you have. 3.1 and later try to use HTTP/1.1 features
> to speed up client access times. These require persistent connections.
>
> ~6300 connections is not bad. Your box can handle far more than that easily.
>
>> On another web server (same operating system and hardware, etc ...)
>> which has the same connections to (because of DNS round-robin) the
>> ESTABLISHED connections range from 2000-3000.
>
> This is not a valid comparison. see:
> http://wiki.squid-cache.org/Features/LoadBalance#Bias:_Connection-based
>
> This same problem affects DNS round-robin and TCP SYN load balancers. Which
> are also per-connection.
>
>
>
> Generally speaking ESTABLISHED is good. They are either currently in active
> use or waiting and will have zero TCP connection setup delay when they are
> needed.
>
> The more recent your Squid version number the more efficiently it handles
> persistent connections. Thus the lower number it uses. So if this is
> actually a problem for you a newer version is better.
>
> You can also adjust it by tweaking the idle_timeout directive. Which
> determines a maximum amount of time any one connection can be kept waiting.
>
> You can disable the persistence and all HTTP features which rely on it by
> configuring client_persistent_connections and/or
> server_persistent_connections OFF.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.9 and 3.1.12.3
>


RE: [squid-users] SSLBump and intermedia CA Certificate.

2011-06-22 Thread Amos Jeffries

On Wed, 22 Jun 2011 21:37:35 +, Ming Fu wrote:
> I am also interested in understanding the issue.
>
> Can squid send the certificate chain as a part of the negotiation?
> Apache is able to do that, so I think the underlying openssl is not
> the problem. This may require new configure option in the ssl_bump to
> tell squid where the certificate chain file is.

It is indeed possible.
The certificate generator is new and does not cover every possible
situation of SSL. Patches welcome.

Amos

> Ming
>
>> -Original Message-
>> From: Lindsay Hill [mailto:linds...@makonetworks.com]
>> Sent: Tuesday, June 07, 2011 11:31 PM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
>>
>> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
>>> On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
>>>> Hi all.
>>>>
>>>> Finally I successful implemented ssl-bump with dynamic certificate
>>>> generation feature.
>>>> But, I don't know how to configure squid to use intermediate ca
>>>> certificate.
>>>> I generated Root CA, then using Root CA i signed Intermediate CA
>>>> certificate and now, I want squid to use this Intermediate CA
>>>> Certificate while generating certs for https connections.
>>>> Then I want to import Root CA certificate into Windows PKI to solve
>>>> "Unknown CA" error while surfing https pages.
>>>> How can I do that?
>>>
>>> The client must have a full chain of trust from the root all the way
>>> down to the end certificate during the transactions. I think you may
>>> find that signing with an intermediate CA needs to install both the
>>> root and the intermediate public CA on the clients.
>>>
>>>
>>>> I'm looking around cafile, capath of ssl-bump options but nothing
>>>> works for me.
>>>
>>> http://wiki.squid-cache.org/Features/SslBump
>>>
>>> To squid there is only the cert PEM you told it to sign with.
>>>
>>> Amos
>>>
>>
>> This matches up with what I've seen so far with my testing - I thought I
>> might be able to get it to provide the full certificate chain to users,
>> by playing around with the cafile settings, but no joy. Since all my
>> browsers already trust my root CA, I thought that creating an
>> intermediate CA for use by Squid would be sufficient. But no, I've had
>> to install the intermediate CA on my browsers too. Feature request I
>> guess?
>>
>>   - Lindsay




RE: [squid-users] SSLBump and intermedia CA Certificate.

2011-06-22 Thread Ming Fu
I am also interested in understanding the issue.

Can squid send the certificate chain as a part of the negotiation? Apache is
able to do that, so I think the underlying openssl is not the problem. This
may require new configure option in the ssl_bump to tell squid where the
certificate chain file is.

Ming


> -Original Message-
> From: Lindsay Hill [mailto:linds...@makonetworks.com]
> Sent: Tuesday, June 07, 2011 11:31 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
> 
> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> >> Hi all.
> >>
> >> Finally I successful implemented ssl-bump with dynamic certificate
> >> generation feature.
> >> But, I don't know how to configure squid to use intermediate ca
> >> certificate.
> >> I generated Root CA, then using Root CA i signed Intermediate CA
> >> certificate and now, I want squid to use this Intermediate CA
> >> Certificate while generating certs for https connections.
> >> Then I want to import Root CA certificate into Windows PKI to solve
> >> "Unknown CA" error while surfing https pages.
> >> How can I do that?
> >
> > The client must have a full chain of trust from the root all the way
> > down to the end certificate during the transactions. I think you may
> > find that signing with an intermediate CA needs to install both the
> > root and the intermediate public CA on the clients.
> >
> >
> >> I'm looking around cafile, capath of ssl-bump options but nothing
> >> works for me.
> >
> > http://wiki.squid-cache.org/Features/SslBump
> >
> > To squid there is only the cert PEM you told it to sign with.
> >
> > Amos
> >
> 
> This matches up with what I've seen so far with my testing - I thought I
> might be able to get it to provide the full certificate chain to users,
> by playing around with the cafile settings, but no joy. Since all my
> browsers already trust my root CA, I thought that creating an
> intermediate CA for use by Squid would be sufficient. But no, I've had
> to install the intermediate CA on my browsers too. Feature request I
> guess?
> 
>   - Lindsay


Re: [squid-users] DNS or proxy

2011-06-22 Thread Alex Crow

On 22/06/11 11:08, Martin Lukeš wrote:
> Hi Hasanen,
>
> I'm not familiar with Squid yet, hence I'm not sure if I understand you right.
>
> Maybe this will clarify my situation.
> I manage tens of student computers. Until now on my server I used
> Privoxy to filter out explicit websites (porn, etc.). Unfortunately
> some of these students figured out how to disable proxy which was set
> on these computers, since on OSes we use there is no way how to
> prevent them to do so. Last line of "defense" remains DNS which system
> prevents them to change.
>
> This is why I want DNS to filter these sites.
>
> OOOH! Can Squid even be set like DNS server?

Do you have control over the firewall/gateway? If so, just deny port 80
and 443 connections from any host other than the proxy.

If not then even the DNS server approach would be easy to circumvent as
the users could just change the DNS servers on the client.


Cheers

Alex


Re: [squid-users] Squid 3.1 failover problem from IPv6 to IPv4?

2011-06-22 Thread Amos Jeffries

On 23/06/11 01:44, Peter Olsson wrote:
> Hello!
>
> We use Squid 3.1.12 on a couple of servers with IPv4 and IPv6.
> The servers are FreeBSD 8.1. Squid is installed from ports.
>
> This works fine, except for this web: www.informator.se
> www.informator.se has an AAAA address, but it doesn't seem to
> listen to it. Eventually the browser times out with this error:
> (51) Network is unreachable

On BSD you should only hit this if the site has no A address either.
Split-stack 3.1 uses IPv4-only links to servers unless the hack you
found (below) is added.

> But shouldn't Squid try the IPv4 address when the IPv6 address
> fails? If so, there is maybe something wrong with our config.
> The only IPv6 specific config we have is this (taken from the
> release notes of Squid 3.1):
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
> tcp_outgoing_address x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
>
> Is the failure on www.informator.se a bug/feature in Squid,
> or is the problem in our setup/config?

That hack requires its http_access line to be run. So preferably that
is placed at the top of http_access list. This ensures that the
destination IP is always resolved early in processing and with luck
available to the outgoing address selection.

The solution to all these split-stack problems has just hit 3.2 series
this week in 3.2.0.9. We are working through the bunch of unexpected
problems right now. Any help welcome.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


[squid-users] Squid 3.1 failover problem from IPv6 to IPv4?

2011-06-22 Thread Peter Olsson
Hello!

We use Squid 3.1.12 on a couple of servers with IPv4 and IPv6.
The servers are FreeBSD 8.1. Squid is installed from ports.

This works fine, except for this web: www.informator.se
www.informator.se has an AAAA address, but it doesn't seem to
listen to it. Eventually the browser times out with this error:
(51) Network is unreachable

But shouldn't Squid try the IPv4 address when the IPv6 address
fails? If so, there is maybe something wrong with our config.
The only IPv6 specific config we have is this (taken from the
release notes of Squid 3.1):
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all
tcp_outgoing_address x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6

Is the failure on www.informator.se a bug/feature in Squid,
or is the problem in our setup/config?

Thanks!

-- 
Peter Olsson    p...@leissner.se


Re: [squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Ralf Hildebrandt
* Amos Jeffries :
> On 22/06/11 23:16, Ralf Hildebrandt wrote:
> >* Amos Jeffries:
> >>The Squid HTTP Proxy team is very pleased to announce the
> >>availability of the Squid-3.2.0.9 beta release!
> >
> >With ICAP enabled I'm getting:
> >
> >2011/06/22 13:15:22| assertion failed: comm.cc:749: "fd>= 0"
> >
> >Without ICAP, all is well...
> >
> 
> Noted. ICAP does not do DNS well for ICAP. This one is on the urgent
> todo list.
> For now a possible workaround is to use a raw-IP in the service URI.

I used:

icap_service service_resp respmod_precache bypass=0 
icap://127.0.0.1:1344/srv_clamav

so what else could I do?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] Delay Pools don't work

2011-06-22 Thread Amos Jeffries

On 22/06/11 20:36, Romag wrote:
> Hi all,
> I need to limit the bandwidth of my subnet (10 subnet) and I try to use
> Delay Pool for this. If I use a Delay Pool for all the net it works
> very well, but if I specify an ACL for any subnet the limit doesn't
> work.
>
> My stub of configuration is:
>
> acl SUBNET1 src IP/SUBNET
> acl SUBNET2 src IP/SUBNET
>
> delay_pools 1
> delay_class 1 3
> delay_access 1 allow SUBNET1
> delay_access 1 deny all
> delay_parameters 1 64000/64000 -1/-1 16000/64000

whole network bandwidth is limited to 64,000 bytes/sec (note that is
bytes) shared between all machines listed in SUBNET1 ACL.

No limitation on /24 subnet.

any one machine (/32) is allowed to consume up to 16000 bytes/sec from
the Internet.

> But the bandwidth is not limited. I need to limit some subnet to 1Mbps
> and some to 2Mbps and no limit for localnet.
>
> Thanks!

By "don't work" you mean what?
 NP: keeping in mind that delay_pool only affects traffic fetched from
peers or DIRECT from origins. Cache HIT are not delayed.

Which version of Squid are you using ?

Are you sure the machine IP is in SUBNET1 ?
 (sorry if that seems dumb, but it happens sometimes that testers are
using localhost and trying to match global IPs. Or the reverse)


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


Re: [squid-users] iphone problem with economist magazine application.

2011-06-22 Thread Amos Jeffries

On 22/06/11 22:48, Paul Khadra wrote:
> Without squid there is no problem.
>
> However with squid iphone is not able to download the news.
>
> Below is a sample from access.log:
>
> 2011-06-21 13:11:35210 194.126.14.56 TCP_MISS/403 201 HEAD
> http://digitaleditions.economist.com/sites/default/files/digitaleditions/20110618/iPhone/Basic/LEADERS.cdo?

You have configured the Squid to prevent access permission. 403 means
"Forbidden". Administrative denial of access.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


Re: [squid-users] [reverse proxy] ESTABLISHED on squid server

2011-06-22 Thread Amos Jeffries

On 22/06/11 22:54, Le Trung, Kien wrote:
> Hi, I have trouble with how to reduce the ESTABLISHED statuses of connections.
> There are always approximately 6300 ESTABLISHED connections when the server
> is at the high-load time of the day, and it only drops below 1000 ESTABLISHED
> at midnight.
>
>       1 established)
>       1 Foreign
>       5 FIN_WAIT2
>       6 LISTEN
>      11 CLOSING
>      43 SYN_RECV
>      63 LAST_ACK
>     237 FIN_WAIT1
>    1331 TIME_WAIT
>    6258 ESTABLISHED
>
> I wonder how to free the connection after all data has been transferred
> between squid server and clients. (I think squid keeps connections as
> much as possible).

Depends on which Squid you have. 3.1 and later try to use HTTP/1.1
features to speed up client access times. These require persistent
connections.

~6300 connections is not bad. Your box can handle far more than that easily.

> On another web server (same operating system and hardware, etc ...)
> which has the same connections to (because of DNS round-robin) the
> ESTABLISHED connections range from 2000-3000.

This is not a valid comparison. see:
http://wiki.squid-cache.org/Features/LoadBalance#Bias:_Connection-based

This same problem affects DNS round-robin and TCP SYN load balancers.
Which are also per-connection.

Generally speaking ESTABLISHED is good. They are either currently in
active use or waiting and will have zero TCP connection setup delay when
they are needed.

The more recent your Squid version number the more efficiently it
handles persistent connections. Thus the lower number it uses. So if
this is actually a problem for you a newer version is better.

You can also adjust it by tweaking the idle_timeout directive. Which
determines a maximum amount of time any one connection can be kept waiting.

You can disable the persistence and all HTTP features which rely on it
by configuring client_persistent_connections and/or
server_persistent_connections OFF.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


Re: [squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Amos Jeffries

On 22/06/11 23:12, Ralf Hildebrandt wrote:
> * Amos Jeffries:
>> All users interested in 3.2 features are encouraged to assist testing
>> this release.
>
> After the upgrade, cache.log is being filled with lines like:
>
> 2011/06/22 13:12:01| forward.cc(96) FwdState: Forwarding client request
> local=141.42.1.205:8080 remote=10.43.33.219:4240 FD 634 flags=1,
> url=http://www.essence.eu/uploads/RTEmagicC_comp_lips_30.png.png
>
> Can this be disabled somehow?

The daily snapshot has a fix for that and a cache_peer port problem.
http://www.squid-cache.org/Versions/v3/3.2/changesets/


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


Re: [squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Amos Jeffries

On 22/06/11 23:16, Ralf Hildebrandt wrote:
> * Amos Jeffries:
>> The Squid HTTP Proxy team is very pleased to announce the
>> availability of the Squid-3.2.0.9 beta release!
>
> With ICAP enabled I'm getting:
>
> 2011/06/22 13:15:22| assertion failed: comm.cc:749: "fd>= 0"
>
> Without ICAP, all is well...

Noted. ICAP does not do DNS well for ICAP. This one is on the urgent
todo list.

For now a possible workaround is to use a raw-IP in the service URI.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3


Re: [squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Ralf Hildebrandt
* Amos Jeffries :
> The Squid HTTP Proxy team is very pleased to announce the
> availability of the Squid-3.2.0.9 beta release!

With ICAP enabled I'm getting:

2011/06/22 13:15:22| assertion failed: comm.cc:749: "fd >= 0"

Without ICAP, all is well...

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



[squid-users] Re: DNS or proxy

2011-06-22 Thread sichent

SKIPPED Unfortunately
some of these students figured out how to disable proxy which was set
on these computers, since on OSes we use there is no way how to
prevent them to do so. Last line of "defense" remains DNS which system
prevents them to change.


my two cents
transparent squid + ICAP, ECAP or URL rewriting? or chain to privoxy?



Re: [squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Ralf Hildebrandt
* Amos Jeffries :

> All users interested in 3.2 features are encouraged to assist testing
> this release.

After the upgrade, cache.log is being filled with lines like:

2011/06/22 13:12:01| forward.cc(96) FwdState: Forwarding client request 
local=141.42.1.205:8080 remote=10.43.33.219:4240 FD 634 flags=1, 
url=http://www.essence.eu/uploads/RTEmagicC_comp_lips_30.png.png

Can this be disabled somehow?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



[squid-users] [reverse proxy] ESTABLISHED on squid server

2011-06-22 Thread Le Trung, Kien
Hi, I have trouble with how to reduce the ESTABLISHED statuses of connections.
There are always approximately 6300 ESTABLISHED connections when the server
is at the high-load time of the day, and it only drops below 1000 ESTABLISHED
at midnight.

  1 established)
  1 Foreign
  5 FIN_WAIT2
  6 LISTEN
 11 CLOSING
 43 SYN_RECV
 63 LAST_ACK
237 FIN_WAIT1
   1331 TIME_WAIT
   6258 ESTABLISHED

I wonder how to free the connection after all data has been transferred
between squid server and clients. (I think squid keeps connections as
much as possible).
On another web server (same operating system and hardware, etc ...)
which has the same connections to (because of DNS round-robin) the
ESTABLISHED connections range from 2000-3000.

Best Regards.


[squid-users] iphone problem with economist magazine application.

2011-06-22 Thread Paul Khadra
Without squid there is no problem.

However with squid iphone is not able to download the news.

Below is a sample from access.log:

2011-06-21 13:11:35210 194.126.14.56 TCP_MISS/403 201 HEAD
http://digitaleditions.economist.com/sites/default/files/digitaleditions/20110618/iPhone/Basic/LEADERS.cdo?

 
Thank you, Paul





Re: [squid-users] DNS or proxy

2011-06-22 Thread Hasanen AL-Bana
Squid doesn't work as a DNS proxy, but you can use filtering software
with Squid such as Dansguardian http://dansguardian.org/ and others...

2011/6/22 Martin Lukeš :
> Hi Hasanen,
>
> I'm not familiar with Squid yet, hence I'm not sure if I understand you right.
>
> Maybe this will clarify my situation.
> I manage tens of student computers. Until now on my server I used
> Privoxy to filter out explicit websites (porn, etc.). Unfortunately
> some of these students figured out how to disable proxy which was set
> on these computers, since on OSes we use there is no way how to
> prevent them to do so. Last line of "defense" remains DNS which system
> prevents them to change.
>
> This is why I want DNS to filter these sites.
>
> OOOH! Can Squid even be set like DNS server?
>
> ---
> Regards
> Martin Lukeš
>
>
>
> 2011/6/22 Hasanen AL-Bana :
>> No, no need to change DNS entries. You can use url_rewrite_program to
>> rewrite specific URLs
>>
>> 2011/6/22 Martin Lukeš 
>>>
>>> Hi all,
>>>
>>> I'd like to get answer to my question about Squid before I install it
>>> on my server.
>>>
>>> In case I want Squid to respond to certain requests (based on that
>>> requests URLs) with predefined page. Do I have to set Squid as a proxy
>>> on clients computers or is it enough if I set it only as a DNS?
>>>
>>> Thank you in advance.
>>>
>>> ---
>>> Regards
>>> Martin Lukeš
>>
>


Re: [squid-users] DNS or proxy

2011-06-22 Thread Martin Lukeš
Hi Hasanen,

I'm not familiar with Squid yet, hence I'm not sure if I understand you right.

Maybe this will clarify my situation.
I manage tens of student computers. Until now on my server I used
Privoxy to filter out explicit websites (porn, etc.). Unfortunately
some of these students figured out how to disable proxy which was set
on these computers, since on OSes we use there is no way how to
prevent them to do so. Last line of "defense" remains DNS which system
prevents them to change.

This is why I want DNS to filter these sites.

OOOH! Can Squid even be set like DNS server?

---
Regards
Martin Lukeš



2011/6/22 Hasanen AL-Bana :
> No, no need to change DNS entries. You can use url_rewrite_program to
> rewrite specific URLs
>
> 2011/6/22 Martin Lukeš 
>>
>> Hi all,
>>
>> I'd like to get answer to my question about Squid before I install it
>> on my server.
>>
>> In case I want Squid to respond to certain requests (based on that
>> requests URLs) with predefined page. Do I have to set Squid as a proxy
>> on clients computers or is it enough if I set it only as a DNS?
>>
>> Thank you in advance.
>>
>> ---
>> Regards
>> Martin Lukeš
>


Re: [squid-users] DNS or proxy

2011-06-22 Thread Hasanen AL-Bana
No, no need to change DNS entries. You can use url_rewrite_program to
rewrite specific URLs

2011/6/22 Martin Lukeš 
>
> Hi all,
>
> I'd like to get answer to my question about Squid before I install it
> on my server.
>
> In case I want Squid to respond to certain requests (based on that
> requests URLs) with predefined page. Do I have to set Squid as a proxy
> on clients computers or is it enough if I set it only as a DNS?
>
> Thank you in advance.
>
> ---
> Regards
> Martin Lukeš


[squid-users] DNS or proxy

2011-06-22 Thread Martin Lukeš
Hi all,

I'd like to get answer to my question about Squid before I install it
on my server.

In case I want Squid to respond to certain requests (based on that
requests URLs) with predefined page. Do I have to set Squid as a proxy
on clients computers or is it enough if I set it only as a DNS?

Thank you in advance.

---
Regards
Martin Lukeš


[squid-users] Squid 3.2.0.9 beta is available

2011-06-22 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.2.0.9 beta release!


This release includes major changes to the TCP handling layer of Squid.
As a result of the low level and wide impact of this change this beta is 
less stable than previous releases.


 The daily snapshot already includes several important behaviour fixes 
and is recommended for testing instead of the version marker bundle. 
With your assistance tracking down the new bugs we hope this can be a 
very short lived instability.


We have traded this step down to gain:

 * Support split-stack IPv6 to servers

  This is expected to resolve most if not all outstanding IPv6 issues
on OpenBSD, NetBSD, MacOSX and other systems with redacted TCP stack
capabilities. Failure recovery in the event of broken external services
is greatly enhanced, although further improvement is possible.


 * Support persistent connections with tcp_outgoing_address

  Persistent connections are now expected to be picked reliably despite 
any forced outgoing IP. This also resolves all issues around 
tcp_outgoing_address ACL not having access to the destination IP for use 
in the dst ACL.


 * Optimize persistent connection handling
 * Optimize FTP data connection handling
 * Optimize TCP failure recovery

  This release is expected to pool and re-use connections more 
efficiently than ever before. Resolving several outstanding issues with 
unnecessarily high connection counts to peers, resolving FTP data 
connection failures and much faster TCP connection retry stages.
 A new directive connect_retries is added to limit the absolute number
of routing paths to attempt on each request before presenting an error
page to the user.



 Also added some HTTP/1.1 support fixes and extra logformat tags for 
display of the HTTP request line received from the client and sent to 
the server.



 As usual this release contains all the fixes passed on to 3.1 series 
alongside its own changes.  There are several important bugs fixed 
amongst those changes:


 * A small security vulnerability in the ssl-bump certificate 
validation. This only affects those choosing to bypass certificate failures.


 * Several squid.conf parsing segmentation faults fixed.

See the ChangeLog for the list of other minor changes in this release.


All users interested in 3.2 features are encouraged to assist testing 
this release.



Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2

Upgrade tip:
  "squid -k parse" is starting to display even more useful hints about 
squid.conf changes.


This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.2/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries



[squid-users] Delay Pools don't work

2011-06-22 Thread Romag
Hi all,
I need to limit the bandwidth of my subnet (10 subnet) and I try to use
Delay Pool for this. If I use a Delay Pool for all the net it works
very well, but if I specify an ACL for any subnet the limit doesn't
work.

My stub of configuration is:

acl SUBNET1 src IP/SUBNET
acl SUBNET2 src IP/SUBNET

delay_pools 1
delay_class 1 3
delay_access 1 allow SUBNET1
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 16000/64000

But the bandwidth is not limited. I need to limit some subnet to 1Mbps
and some to 2Mbps and no limit for localnet.

Thanks!


Re: [squid-users] Squid not caching

2011-06-22 Thread John Doe
From: Fabiano Carlos Heringer 

> minimum_object_size 512 KB
> maximum_object_size 200 bytes

Are these the values you really want...?

JD