RE: [squid-users] cache_peer siblings
> Open icp_port 3130 to receive the packets.
>
> Amos

Hi Amos,

Sorry, I've also got this in my squid.conf:

icp_port 3130
log_icp_queries on
icp_query_timeout 2000

Also, port 3130 is open in iptables. Any other ideas?

From what I understand UDP_DENIED means the ICP query can be denied due to the icp_access rules.

I appear to have resolved the issue. Originally I had this:

acl local_network src 192.168.0.0/16
icp_access allow local_network
icp_access deny all

Which *should* have worked right? Anyway I changed it to the following and now I am not seeing the errors:

acl squid_peers src wp01.example.com wp02.example.com wp03.example.com
icp_access allow squid_peers
icp_access deny all

Cheers,
JLK
Re: [squid-users] cache_peer siblings
On 07/09/11 18:18, John Kenyon wrote:
>> Open icp_port 3130 to receive the packets.
>>
>> Amos
>
> Hi Amos,
>
> Sorry, I've also got this in my squid.conf:
>
> icp_port 3130
> log_icp_queries on
> icp_query_timeout 2000
>
> Also, port 3130 is open in iptables. Any other ideas?
>
> From what I understand UDP_DENIED means the ICP query can be denied due to the icp_access rules.
>
> I appear to have resolved the issue. Originally I had this:
>
> acl local_network src 192.168.0.0/16
> icp_access allow local_network
> icp_access deny all
>
> Which *should* have worked right? Anyway I changed it to the following and now I am not seeing the errors:
>
> acl squid_peers src wp01.example.com wp02.example.com wp03.example.com
> icp_access allow squid_peers
> icp_access deny all

So the peers have IP addresses outside of 192.168.0.0/16 which they are using to communicate. Lookup the DNS and A records for them.

Your http_access rules may need adjusting as well. If the ICP reply indicates success there will likely be a followup HTTP request using the same IPs.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11
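An added example, not part of the thread and not Squid code: a Python check that lists which UDP_DENIED senders in an access.log fall outside the networks named in an icp_access src ACL, which is the mismatch Amos describes. The log lines and the 10.20.0.x peer addresses are constructed for illustration.

```python
import ipaddress

# Constructed access.log lines in Squid's native log format (not from the thread).
# Fields: time elapsed client result/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1315380001.101 0 10.20.0.11 UDP_DENIED/000 68 ICP_QUERY http://www.example.com/a.css - NONE/- -
1315380001.350 0 10.20.0.12 UDP_DENIED/000 72 ICP_QUERY http://www.example.com/b.js - NONE/- -
1315380002.004 0 192.168.4.7 UDP_MISS/000 64 ICP_QUERY http://www.example.com/c.png - NONE/- -
1315380002.771 0 10.20.0.11 UDP_DENIED/000 70 ICP_QUERY http://www.example.com/d.gif - NONE/- -
1315380003.015 12 192.168.4.9 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
"""


def denied_icp_sources(log_text, acl_networks):
    """Map each sender of a UDP_DENIED entry to its hit count and ACL coverage."""
    nets = [ipaddress.ip_network(n) for n in acl_networks]
    report = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[3].startswith("UDP_DENIED/"):
            continue
        try:
            src = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # client field is a hostname, not an address
        entry = report.setdefault(str(src), {
            "count": 0,
            # True when the sender would have matched the src ACL
            "in_acl": any(src in net for net in nets),
        })
        entry["count"] += 1
    return report


def uncovered_peers(log_text, acl_networks):
    """Senders that were denied and are not covered by the ACL networks."""
    report = denied_icp_sources(log_text, acl_networks)
    return sorted(ip for ip, entry in report.items() if not entry["in_acl"])


if __name__ == "__main__":
    # The ACL from the original post: only 192.168.0.0/16 was allowed.
    for ip in uncovered_peers(SAMPLE_LOG, ["192.168.0.0/16"]):
        print(f"{ip} sends ICP queries but is outside the icp_access ACL")
```

A denied sender that is reported as covered by the ACL points at a different cause, such as rule order, rather than the address range.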
[squid-users] Issues with bad requests in Squid 2.7 stable 9
Hi there,

we are using Squid 2.7 stable 9. One of our tools has issues with connecting to a server through the proxy. The interesting thing is, we didn't have this problem on Squid 2.5 stable 7.

Looking at the communication with wireshark there are two connects. The first one:

CONNECT x.x.com:443 HTTP/1.1\r\n
    [Expert Info (Chat/Sequence): CONNECT x.x.com:443 HTTP/1.1\r\n]
        [Message: CONNECT x.x.com:443 HTTP/1.1\r\n]
        [Severity level: Chat]
        [Group: Sequence]
    Request Method: CONNECT
    Request URI: x.x.com:443
    Request Version: HTTP/1.1
Host: x.x.com\r\n
Proxy-Connection: Keep-Alive\r\n
\r\n

works fine, I get a 200 response. The second one:

CONNECT x.x.com:443 HTTP/1.0 \r\n
    [Expert Info (Chat/Sequence): CONNECT x.x.com:443 HTTP/1.0 \r\n]
        [Message: CONNECT x.x.com:443 HTTP/1.0 \r\n]
        [Severity level: Chat]
        [Group: Sequence]
    Request Method: CONNECT
    Request URI: x.x.com:443
    Request Version: HTTP/1.0
Host: x.x.com:443\r\n
\r\n

doesn't work. The response is:

HTTP/1.0 400 Bad Request\r\n
    [Expert Info (Chat/Sequence): HTTP/1.0 400 Bad Request\r\n]
        [Message: HTTP/1.0 400 Bad Request\r\n]
        [Severity level: Chat]
        [Group: Sequence]
    Request Version: HTTP/1.0
    Response Code: 400
Server: squid/2.7.STABLE9\r\n
Date: Tue, 06 Sep 2011 15:10:01 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1496\r\n
    [Content length: 1496]
X-Squid-Error: ERR_INVALID_REQ 0\r\n
X-Cache: MISS from florian-virtual-machine\r\n
X-Cache-Lookup: NONE from florian-virtual-machine:3128\r\n
Via: 1.0 florian-virtual-machine:3128 (squid/2.7.STABLE9)\r\n
Connection: close\r\n
\r\n

Looking at the access.log, I get the following message.

1315321801.628 0 10.113.33.252 TCP_DENIED/400 1847 NONE NONE:// - NONE/- text/html

Help would be much appreciated

Florian
Re: [squid-users] Issues with bad requests in Squid 2.7 stable 9
On 07/09/11 19:53, Florian Schmidt wrote:
> Hi there,
>
> we are using Squid 2.7 stable 9. One of our tools has issues with connecting to a server through the proxy. The interesting thing is, we didn't have this problem on Squid 2.5 stable 7.
>
> Looking at the communication with wireshark there are two connects. The first one:
>
> CONNECT x.x.com:443 HTTP/1.1\r\n
> ...
> works fine, I get a 200 response.
>
> CONNECT x.x.com:443 HTTP/1.0 \r\n
>
> doesn't work. The response is:

Notice how the broken request contains whitespace inside the version tag where none is permitted.

If you have access to the tool code to get it fixed, you should also get the Proxy- part dropped off the Connection: header as well.

Amos
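An added example, not part of the thread and not Squid's parser: a strict Python check of the request line against the RFC 2616 grammar (Method SP Request-URI SP HTTP-Version CRLF), run over the two CONNECT requests from the capture. The byte strings are reconstructed from the Wireshark output above, and the function names are hypothetical.

```python
import re

# RFC 2616 section 5.1: Request-Line = Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(
    rb"(?P<method>[!#$%&'*+\-.^_`|~0-9A-Za-z]+) "
    rb"(?P<target>[^ \t\r\n]+) "
    rb"(?P<version>HTTP/\d+\.\d+)\r\n"
)
# CONNECT takes an authority (host:port) as its request target.
AUTHORITY = re.compile(rb"(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})")

# Reconstructed from the capture in the thread.
GOOD = (b"CONNECT x.x.com:443 HTTP/1.1\r\n"
        b"Host: x.x.com\r\nProxy-Connection: Keep-Alive\r\n\r\n")
BAD = b"CONNECT x.x.com:443 HTTP/1.0 \r\nHost: x.x.com:443\r\n\r\n"


def diagnose(line: bytes) -> str:
    """Explain why a request line failed the strict grammar."""
    if not line.endswith(b"\r\n"):
        return "line must end with CRLF"
    body = line[:-2]
    if body[-1:] in (b" ", b"\t"):
        return "whitespace between HTTP-Version and CRLF"
    if body[:1] in (b" ", b"\t"):
        return "whitespace before the method"
    parts = body.split(b" ")
    if len(parts) != 3 or b"" in parts:
        return "expected three fields separated by single spaces"
    if not re.fullmatch(rb"HTTP/\d+\.\d+", parts[2]):
        return "malformed HTTP-Version"
    return "malformed method or request target"


def check_request_line(raw: bytes):
    """Return (ok, reason) for the first line of a raw HTTP request."""
    end = raw.find(b"\n")
    if end < 0:
        return False, "no line terminator"
    line = raw[:end + 1]
    match = REQUEST_LINE.fullmatch(line)
    if match is None:
        return False, diagnose(line)
    if match["method"] == b"CONNECT":
        authority = AUTHORITY.fullmatch(match["target"])
        if authority is None or not 0 < int(authority["port"]) <= 65535:
            return False, "CONNECT target must be host:port"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in (("first", GOOD), ("second", BAD)):
        print(name, check_request_line(raw))
```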
[squid-users] I have a problem reverse squid3 for Exchange for RPC two domain
Hello,

I have a problem with my configuration reverse squid3 for Exchange for RPC, everything goes well when I have only one reverse:

1314872037.795 58450 82.20.10.245 TCP_MISS/200 2528 RPC_OUT_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr application/rpc
1314872037.795 52619 118.68.25.162 TCP_MISS/000 0 RPC_IN_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr -
1314872037.795 52963 88.14.18.98 TCP_MISS/000 0 RPC_IN_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr -
1314872037.795 52823 88.14.18.98 TCP_MISS/200 12128 RPC_OUT_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr application/rpc
1314872037.795 52196 88.14.18.98 TCP_MISS/200 3152 RPC_OUT_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr application/rpc
1314872037.796 52352 88.14.18.98 TCP_MISS/504 0 RPC_IN_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr text/html
1314872037.796 51433 118.68.25.162 TCP_MISS/200 1540 RPC_OUT_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr application/rpc
1314872037.796 40253 92.90.23.30 TCP_MISS/000 0 POST https://rpc.exemple1.fr/Microsoft-Server-ActiveSync? - FIRST_UP_PARENT/echmes03.exemple1.fr -
1314872037.796 37657 90.84.146.225 TCP_MISS/000 0 RPC_IN_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr -
1314872037.796 37187 90.84.146.225 TCP_MISS/200 644 RPC_OUT_DATA https://rpc.exemple1.fr/rpc/rpcproxy.dll? - FIRST_UP_PARENT/echmes03.exemple1.fr application/rpc

otherwise, we need to use the reverse Squid for another domain, here is the extract of config squid.conf file:

etc/squid3# cat squid.conf
extension_methods RPC_IN_DATA RPC_OUT_DATA
redirect_rewrites_host_header off
visible_hostname none
icp_port 0

https_port 442 accel cert=/clusterdata/etc/ssl/certs/exemple1.fr.pem key=/clusterdata/etc/ssl/private/exemple1.fr.key defaultsite=rpc.exemple1.fr vhost
cache_peer echmes03.exemple1.fr parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER forceddomain=echmes03.exemple1.fr name=exchangeServer
acl EXCH dstdomain rpc.sogreah.fr
acl EXCH dstdomain echmes03.exemple1.fr
acl EXCH dstdomain autodiscover.exemple1.fr
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all

https_port 441 accel cert=/clusterdata/etc/ssl/certs/exemple2.com.pem key=/clusterdata/etc/ssl/private/exemple2.com.key defaultsite=rpc.exemple2.com vhost
cache_peer svechhub01.exemple2.com parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER forceddomain=svechhub01.exemple2.com name=exchangeServerArtelia
acl EXCHART dstdomain rpc.exemple2.com
acl EXCHART dstdomain svechhub01.exemple2.com
acl EXCHART dstdomain autodiscover.exemple2.com
cache_peer_access exchangeServerArtelia allow EXCHART
cache_peer_access exchangeServerArtelia deny all

# Lock down access to just the Exchange Server!
http_access allow EXCH EXCHART
http_access deny all
miss_access allow EXCH EXCHART
miss_access deny all

After restart squid, I see that ports 441 and 442 are listening:

Initializing https_port 0.0.0.0:442 SSL context
Initializing https_port 0.0.0.0:441 SSL context

By cons, nothing works

Do you have an idea?

Thank you very much, best regards

fred

2011/09/01 12:21:32.807| command-line -X overrides: ALL,7
2011/09/01 12:21:32.808| aclDestroyACLs: invoked
2011/09/01 12:21:32.808| ACL::Prototype::Registered: invoked for type src
2011/09/01 12:21:32.808| ACL::Prototype::Registered:yes
2011/09/01 12:21:32.808| ACL::FindByName 'all'
2011/09/01 12:21:32.808| ACL::FindByName found no match
2011/09/01 12:21:32.808| aclParseAclLine: Creating ACL 'all'
2011/09/01 12:21:32.808| ACL::Prototype::Factory: cloning an object for type 'src'
2011/09/01 12:21:32.808| aclParseIpData: all
2011/09/01 12:21:32.808| Processing Configuration File: squid_sog_art.conf (depth 0)
2011/09/01 12:21:32.809| Processing: 'extension_methods RPC_IN_DATA RPC_OUT_DATA'
2011/09/01 12:21:32.809| Processing: 'redirect_rewrites_host_header off'
2011/09/01 12:21:32.809| Processing: 'visible_hostname none'
2011/09/01 12:21:32.809| Processing: 'icp_port 0'
2011/09/01 12:21:32.809| Processing: 'https_port 442 accel cert=/clusterdata/etc/ssl/certs/exemple1.fr.pem key=/clusterdata/etc/ssl/private/exemple1.fr.key defaultsite=rpc.exemple1.fr vhost'
2011/09/01 12:21:32.809| Processing: 'cache_peer echmes03.exemple1.fr parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER forceddomain=echmes03.exemple1.fr name=exchangeServer'
2011/09/01 12:21:32.810| event.cc(315) schedule: Adding 'peerClearRR', in 300.00 seconds
2011/09/01 12:21:32.810| Processing: 'acl EXCH dstdomain rpc.exemple1.fr'
2011/09/01 12:21:32.810|
Re: [squid-users] Caching YouTube content
On Thu, Sep 1, 2011 at 23:05, Amos Jeffries squ...@treenet.co.nz wrote:
> On 02/09/11 06:03, Kevin Wilcox wrote:
>> On a small test deployment I can get the content to cache - and retrieve - using store_url and a perl handler, at least for youtube content, but the regex needs some work as it's *highly* inefficient, not at all ready to scale out beyond 100 or so users (which is about 5% of the population I need to handle on a single proxy) and requires the URL to be *exactly* alike between viewings (you know all those littlerelated= variations? they cause multiple downloads).
>
> What do you mean? The regex we have is supposed to erase all the volatile parameter pieces. So storeurl produces some fake domain with the video unique ID and HD resolution type as path.

Hi Amos.

Sorry, the regex I referred to isn't one provided by the project, it's the one I ended up with in my perl handler. I'll take another look at the discussion page as I've been on another component of the project since at least mid-summer.

If my memory serves (some three or four months later), at the time the regex from the project was tailored for GoogleVideo and the YouTube component didn't quite fit. I spent a few days tweaking and testing; once I had content cache (and play properly) I noticed the perl handler would cause some interesting CPU spikes...nothing that would cause a problem under about 500 requests/second but it didn't inspire me to try to push it out to a few thousand requests/second. I assume it is how I was matching/rewriting the URL versus a performance issue with squid or perl in general.

If I get it squared away I'll get some documentation and examples together.

> YT change things every few months, we have found waiting for a full result is not worth it. That wiki tutorial is being used as a living document with collaborative research into the remaining problems and solutions. You are welcome to join in.

That's for certain, and I'm one of the worst at it. They had just changed something that turned out to be important (thus my tweaking and editing), I have no doubt that things are sufficiently different now such that if I re-enabled that particular configuration it would fail.

kmw
[squid-users] RE: Help with squid3 auth schemes and updates v 3.1.15
My name is Shawn Caron. I run a squid3 proxy server v 3.1.15 on Ubuntu 11.04. I am having some trouble getting it to run as I want it to.

First question is, do you know what is the most secure scheme in squid 3? Currently running digest with user name and password.

Second question is using aptitude and apt-get and antivirus updates through squid 3. Updates are for Linux computers running a cron job connecting via command line only.

If you need conf files, email and I will provide.
[squid-users] Squid Unable to Serve While Rebuilding Disk Cache After Unclean Shutdown
My squid instances are frequently restarted uncleanly (embedded system, long story), and each time they try to rebuild their cache with the message Rebuilding storage in /var/spool/squid3. However, I'd much prefer them to simply drop all that cache and start again fresh, because the time they're unable to handle requests while rebuilding is unacceptable. Is there a way I can configure squid to ignore an inconsistent cache? Or have it somehow serve requests while rebuilding? I could add something like `rm /var/spool/squid3/*` to the init script, but that'd be terribly kludgey. Our squid.conf is very similar to the one posted here: https://code.google.com/p/liquid-galaxy/source/browse/trunk/gnu_linux/etc/squid/squid.conf
[squid-users] [PressRelease] QuintoLabs Content Security 1.4.0 is released
Hello Squid users,

Here is the info about new release of QuintoLabs Content Security which may be interesting to some Squid users who use or plan to use ICAP in their deployments.

FYI QuintoLabs Content Security is an ICAP daemon/URL rewriter that integrates with existing Squid Proxy Server and provides rich content filtering functionality to sanitize Internet traffic passing into internal home/enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of the web sites and block resources with explicit content.

---

QuintoLabs released the next version of Content Security 1.4 for Squid Proxy Server. This version adds the following new features, bug fixes and improvements:

1. Added File Type Filtering Module that could be used to easily identify executables or other types of files by looking at real file contents (up to 4096 Kb).
2. Implemented brute-force content inspection module used to search contents of downloaded web pages for adult or explicit contents. It allows the administrator to filter web pages based on their real contents often faster than URL and Domain block modules did before.
3. The application now supports sophisticated trickled inspection logic to be able to scan contents of huge files being downloaded through Squid.
4. Two phase scanner is implemented. It allows an inspection module to skip scanning large number of files that are known to be safe and that do not need filtering.
5. AdBlock module is greatly improved. It now uses a transparent .gif file to imitate the blocked advertisement which in turn leads to better looking web pages without ads (most notably in Microsoft Internet Explorer).
6. Improved ICAP RFC compliance when qlproxy detects errors in ICAP transactions, unavailable resources or incorrect internal states.
7. Improved file name parsing algorithm for Microsoft IIS servers. The detect ratio for File Name Blocking Module is greatly improved.
8. ICAP mode of integration now supports 'redirect' action for a detected object.
9. Objects with gzip transfer encoding are also inspected by all modules now.
10. Fixed a typo in the configuration parser module when disabling AdBlock also leads to disable Parental Controls module.
11. Tiny Proxy Virtual Appliance are now packed with README file.
12. Dropped support for Debian 5 and Fedora 13.
13. Added support for dumping inspected objects to temporary files in /var/opt/quintolabs/qlproxy/tmp to ease debugging scenarios.
14. Internal ICAP protocol tests are deployed with the application in /opt/quintolabs/qlproxy/bin/tests.

For more detailed information see the release notes at http://quintolabs.com/qlproxy/binaries/1.4.0/releasenotes.htm.

Installation packages and tiny web proxy virtual appliance can be downloaded from: http://quintolabs.com/qlicap_download.php and http://quintolabs.com/qlicap_virtual.php.

The development team wishes to thank all users of QuintoLabs. Please direct your thoughts, critics and suggestions to supp...@quintolabs.com or https://groups.google.com/forum/#!forum/quintolabs-content-security-for-squid-proxy.

---

Best regards,
sich
QuintoLabs Support Team
[squid-users] squid authentication with sqlite
hey, did squid work with sqlite authentication? I see in squid_db_auth file:

my $dsn = "DBI:mysql:database=squid";

so I change it:

my $dsn = "DBI:sqlite:database=squid";

I create the squid database and passwd table, it doesn't work. I put the squid database file with squid_db_auth, not working! Can someone help please. Thanks
[squid-users] Expect header
Hi all, I have a question about the behavior of Squid regarding Expect extensions (so I am *not* talking about 100-continue). RFC 2616 mandates that an intermediary that does not understand an Expect extension MUST return 417. Is it possible to extend Squid to understand a certain Expect extension? The intended behavior would be to simply pass on the request (and not respond with a 417). Jan
Re: [squid-users] squid authentication with sqlite
On Wed, 7 Sep 2011 23:12:46 +0200, abderrahmane abdmeziane wrote:
> hey, did squid work with sqlite authentication? I see in squid_db_auth file:
>
> my $dsn = "DBI:mysql:database=squid";
>
> so I change it:
>
> my $dsn = "DBI:sqlite:database=squid";
>
> I create the squid database and passwd table, it doesn't work. I put the squid database file with squid_db_auth, not working! Can someone help please. Thanks

You need the DBI::* perl driver installed, and apparently the DSN driver names are case sensitive. The tutorials all use SQLite.

It could be either of these problems or a problem locating the file. The helper will dump details to cache.log when run under Squid or to the terminal when run manually.

NP: it only connects on first lookup, so when testing via command line press enter at least once.

I've added a bit of extra help to the error message to display the available drivers in future. It can be applied to the basic_db_auth helper script already installed to gain that ability immediately:
(just waiting on the mirrors to pick it up)
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11714.patch

When using it, run the helper on command line and pressing enter will fail and show you what drivers are available. If SQLite is missing you need to install that Perl module.

Amos
Re: [squid-users] I have a problem reverse squid3 for Exchange for RPC two domain
On Wed, 7 Sep 2011 18:16:21 +0200, frederic lubrano wrote:
> Hello,
>
> I have a problem with my configuration reverse squid3 for Exchange for RPC, everything goes well when I have only one reverse:

<snip>

> otherwise, we need to use the reverse Squid for another domain, here is the extract of config squid.conf file:
>
> etc/squid3# cat squid.conf
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> redirect_rewrites_host_header off

Irrelevant, with potentially dangerous side effects if you actually re-write anything. Drop.

> visible_hostname none

This should be the hostname for the squid machine, or otherwise a public domain name representing it. If the gethostname() system is correctly configured with a fully DNS registered domain, Squid can auto-detect it.

<snip>

> # Lock down access to just the Exchange Server!
> http_access allow EXCH EXCHART

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

> http_access deny all
> miss_access allow EXCH EXCHART
> miss_access deny all

This usage of miss_access is redundant with your http_access. Drop it for faster service.

Amos
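An added example, not part of the thread and not Squid code: a small Python evaluator for the `http_access allow EXCH EXCHART` line that the reply flags with the Common Mistakes link. Squid ORs the values inside one ACL but ANDs the ACL names listed on one access line, so a destination would have to be in both domain sets at once. The POSTED rules are trimmed from the configuration in the thread (using the rpc.exemple1.fr value from the cache.log trace), and the SPLIT variant is an assumed correction.

```python
# Trimmed from the squid.conf posted in the thread (ACLs and http_access only).
POSTED = """
acl EXCH dstdomain rpc.exemple1.fr
acl EXCH dstdomain echmes03.exemple1.fr
acl EXCH dstdomain autodiscover.exemple1.fr
acl EXCHART dstdomain rpc.exemple2.com
acl EXCHART dstdomain svechhub01.exemple2.com
acl EXCHART dstdomain autodiscover.exemple2.com
# Lock down access to just the Exchange Server!
http_access allow EXCH EXCHART
http_access deny all
"""

# Assumed correction: one allow line per ACL, so either domain set passes.
SPLIT = POSTED.replace(
    "http_access allow EXCH EXCHART",
    "http_access allow EXCH\nhttp_access allow EXCHART",
)


def parse(conf):
    """Collect dstdomain ACL values and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "dstdomain":
            # Repeated 'acl NAME' lines add values to the same ACL (OR).
            acls.setdefault(tokens[1], []).extend(tokens[3:])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules


def dst_match(values, host):
    """dstdomain match: exact name, or a leading dot for the domain and subdomains."""
    host = host.lower().rstrip(".")
    for value in (v.lower() for v in values):
        if value.startswith("."):
            if host == value[1:] or host.endswith(value):
                return True
        elif host == value:
            return True
    return False


def acl_true(acls, name, host):
    if name.startswith("!"):
        return not acl_true(acls, name[1:], host)
    if name == "all":
        return True
    if name not in acls:
        raise ValueError(f"undefined ACL {name!r}")
    return dst_match(acls[name], host)


def decide(conf, host):
    """First rule whose ACLs ALL match wins (AND across one line)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_true(acls, name, host) for name in names):
            return action
    if not rules:
        return "deny"
    # No rule matched: the result is the opposite of the last rule.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for host in ("rpc.exemple1.fr", "rpc.exemple2.com", "www.example.org"):
        print(host, "posted:", decide(POSTED, host), "split:", decide(SPLIT, host))
```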
Re: [squid-users] Expect header
On Wed, 7 Sep 2011 23:54:54 +0200, Jan Algermissen wrote:
> Hi all,
>
> I have a question about the behavior of Squid regarding Expect extensions (so I am *not* talking about 100-continue).
>
> RFC 2616 mandates that an intermediary that does not understand an Expect extension MUST return 417.
>
> Is it possible to extend Squid to understand a certain Expect extension? The intended behavior would be to simply pass on the request (and not respond with a 417).
>
> Jan

Of course. Expect: is just a probe to identify whether a specific protocol feature is going to work end-to-end across a series of HTTP hops. All we have to do is write the logics to determine whether the feature requirements can be met.

Squid gateways between different syntax formats of HTTP (v0.9, v1.0, v1.1, with origin and proxy variations). Depending on the feature being probed it could be passed-thru or mapped or rejected with 417.

So where can we find the documentation defining this unspecified token, the feature it is probing for. We need the associated request/reply/object syntax for that feature, whether and how the headers can(must?) be translated between the HTTP syntaxes when relaying to/from older hops?

NP: If there is no risk of transaction failure involved from passing it through very old middleware, there is no benefit from sending it as an Expectation. The feature could simply be enabled and used.

Amos
[squid-users] commBind: Cannot bind socket FD 49
Amos, With recent version of squid after June 15, I'm getting the following error when connecting to this ftp site, all other sites seems ok. ftp://:y...@renftp1.dialogic.com/MLoewl error in cache.log ... commBind: Cannot bind socket FD 49 to 188.18.88.188:61276: (98) Address already in use Thanks, Jeff
Re: [squid-users] Squid Unable to Serve While Rebuilding Disk Cache After Unclean Shutdown
On Wed, 7 Sep 2011, Adam Vollrath wrote:
> Is there a way I can configure squid to ignore an inconsistent cache? Or have it somehow serve requests while rebuilding?
>
> I could add something like `rm /var/spool/squid3/*` to the init script, but that'd be terribly kludgey.

I think you'll have to live with kludgey. I'd recommend something like this, though, to minimize the delay getting squid up and running:

mv /var/spool/squid3 /var/spool/squid3-corrupt-`date +%s`
mkdir /var/spool/squid3
rm -rf /var/spool/squid3-corrupt*
# ...proceed with normal startup process

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
People seem to have this obsession with objects and tools as being dangerous in and of themselves, as though a weapon will act of its own accord to cause harm. A weapon is just a force multiplier. It's *humans* that are (or are not) dangerous.
---
10 days until the 224th anniversary of the signing of the U.S. Constitution
[squid-users] eCAP version
Hi,

Regarding the version of the latest eCAP on e-CAP.org, it is v0.2.0. And I wonder is it a release version or just a developing version.

Thanks.
--
Fr Lin Youhuang
[squid-users] automatic user auth via mac address
Hi,

I have following question regarding user authentication in squid, let say I have this scenario:

- there is user with username bobby, he has 3 different device (ipad, laptop and smartphone)
- bobby register the device to IT dept (register the mac address)
- IT support register mac address to the system and told the system if this 3 mac address is belong to user bobby, and setup an internet policy for him
- bobby browse the internet using his device
- system detect there is connection with registered mac address, then system do mac address look up, and find out this mac address is belong to user bobby
- system arrange internet policy, which site category is allowed to user bobby
- bobby then surf the net with only allowed category site

My question is, can it be done with squid+squidguard? The point is how to tell squid to do automatic user authentication via mac address.

Thanks,
Bambang
Re: [squid-users] eCAP version
On 08/09/11 13:40, 铀煌林 wrote:
> Hi,
>
> Regarding the version of the latest eCAP on e-CAP.org, it is v0.2.0. And I wonder is it a release version or just a developing version.
>
> Thanks.

It is a release version for a library whose entire protocol is under development.

Amos
Re: [squid-users] commBind: Cannot bind socket FD 49
On Thu, Sep 8, 2011 at 9:23 AM, Le Trung Kien kie...@vietnamnet.vn wrote:
> It seems to have another process already listening on that port?

But when I revert back to version before June, it worked. And I checked and nothing was listening on that port.

Thanks,
Jeff
Re: [squid-users] automatic user auth via mac address
On 08/09/11 14:51, Bambang Sumitra wrote:
> Hi,
>
> I have following question regarding user authentication in squid, let say I have this scenario:
>
> - there is user with username bobby, he has 3 different device (ipad, laptop and smartphone)
> - bobby register the device to IT dept (register the mac address)
> - IT support register mac address to the system and told the system if this 3 mac address is belong to user bobby, and setup an internet policy for him
> - bobby browse the internet using his device
> - system detect there is connection with registered mac address, then system do mac address look up, and find out this mac address is belong to user bobby
> - system arrange internet policy, which site category is allowed to user bobby
> - bobby then surf the net with only allowed category site

So in short: side-band authorization based on MAC address instead of IP?

NOTE: this is not real authentication. Although it does produce a users name.

> My question is, can it be done with squid+squidguard? The point is how to tell squid to do automatic user authentication via mac address.

Squid-3.2 is needed for this to work reliably. That version does MAC/EUI lookups on both IPv4 and IPv6 by default for the required set of things like logging and external_acl_type database lookups etc.

squidguard is not relevant. It operates on request URLs while they are inside Squid. Access controls and authentication have already finished and accepted the request by the time squidguard is contacted.

Amos
Re: [squid-users] commBind: Cannot bind socket FD 49
On 08/09/11 12:50, Jeff Chua wrote:
> Amos,
>
> With recent version of squid after June 15, I'm getting the following error when connecting to this ftp site, all other sites seems ok.
>
> ftp://:y...@renftp1.dialogic.com/MLoewl
>
> error in cache.log ...
> commBind: Cannot bind socket FD 49 to 188.18.88.188:61276: (98) Address already in use
>
> Thanks,
> Jeff

A trace of debug level 9,5 would be useful.

Amos