RE: [squid-users] Squid 3.2.0.12 beta is available
> Date: Sun, 18 Sep 2011 12:29:57 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid 3.2.0.12 beta is available
>
> On 18/09/11 03:28, Jenny Lee wrote:
> >
> > "acl random" was the issue. Adding an explicit always_direct fixed it.
> > Jenny
>
> Aha. Thank you Fixed.
>
> >> From: bodycare_5
> >> Date: Sat, 17 Sep 2011 14:54:54 +
> >>
> >> Thank you for your hard work. Most of the squirks seem to be gone.
> >>
> >> Lots of: WARNING: always_direct resulted in 3. Username ACLs are not
> >> reliable here.
> >>
> >> Why don't we have IP address logged in cache log? It is difficult to find
> >> anything when you get a GB of debug log by the time you run a reconfigure
> >> and reset debug level.
>
> What do you mean by this? in what case(s) are we missing it?

I believe source IP must be part of every entry in cache log.

Let's take a look at the error above, for example. I have no idea who is or what is generating it. It talked about Username ACLs, however, "acl random" paired with source IP was causing this. No usernames.

I have to enable debug log. Send a configure to squid. This is a busy cache. By the time I return the debug level back to default and send a reconfigure to squid, I am left with 1GB of text to scavenge through to find out what or who was causing it.

It could have taken me 2 seconds to figure it out had it printed the source IP.

There are too many examples like this. Unparseable header, failed to select source, etc.

Yes, some we might check from access log URLs. Some we might check from second. However, when you are having 500 reqs in that particular second, the job does not get easy. Source IP would be useful to narrow down the issues.

> NP: Look for "local=$ip" or "remote=$ip".

That is what I am looking for, actually :)

Jenny
Re: [squid-users] Squid 3.2.0.12 beta is available
On 18/09/11 03:28, Jenny Lee wrote:
>
> "acl random" was the issue. Adding an explicit always_direct fixed it.
> Jenny

Aha. Thank you Fixed.

>> From: bodycare_5
>> Date: Sat, 17 Sep 2011 14:54:54 +
>>
>> Thank you for your hard work. Most of the squirks seem to be gone.
>>
>> Lots of: WARNING: always_direct resulted in 3. Username ACLs are not
>> reliable here.
>>
>> Why don't we have IP address logged in cache log? It is difficult to find
>> anything when you get a GB of debug log by the time you run a reconfigure
>> and reset debug level.

What do you mean by this? in what case(s) are we missing it?

NP: Look for "local=$ip" or "remote=$ip".

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
RE: [squid-users] Squid 3.2.0.12 beta is available
"acl random" was the issue. Adding an explicit always_direct fixed it.

Jenny

> From: bodycar...@live.com
> To: squ...@treenet.co.nz; squid-annou...@squid-cache.org;
> squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid 3.2.0.12 beta is available
> Date: Sat, 17 Sep 2011 14:54:54 +
>
> Thank you for your hard work. Most of the squirks seem to be gone.
>
> Lots of: WARNING: always_direct resulted in 3. Username ACLs are not reliable
> here.
>
> Why don't we have IP address logged in cache log? It is difficult to find
> anything when you get a GB of debug log by the time you run a reconfigure and
> reset debug level.
>
> Jenny
RE: [squid-users] Squid 3.2.0.12 beta is available
Thank you for your hard work. Most of the squirks seem to be gone.

Lots of: WARNING: always_direct resulted in 3. Username ACLs are not reliable here.

Why don't we have IP address logged in cache log? It is difficult to find anything when you get a GB of debug log by the time you run a reconfigure and reset debug level.

Jenny

> Date: Sat, 17 Sep 2011 22:00:25 +1200
> From: squ...@treenet.co.nz
> To: squid-annou...@squid-cache.org; squid-users@squid-cache.org
> Subject: [squid-users] Squid 3.2.0.12 beta is available
>
> The Squid HTTP Proxy team is very pleased to announce the
> availability of the Squid-3.2.0.12 beta release!
>
> This release brings fixes for all the currently known regressions since
> 3.2.0.8.
>
> This release is intended as the working reference package for users
> testing regressions in the SMP caching support which will be added in
> the next release. In the same manner that 3.2.0.8 was a reference for
> regressions added in 3.2.0.9 TCP handling support.
>
> See the ChangeLog for the list of other minor changes in this release.
>
> All users of the 3.2.0.9 to 3.2.0.11 packages are urged to upgrade to
> this release as soon as possible.
>
> Users of earlier 3.2 beta releases are encouraged to test this release
> and upgrade as soon as possible.
>
> Upgrade tip:
> "squid -k parse" is starting to display even more useful hints about
> squid.conf changes.
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
> when you are ready to make the switch to Squid-3.2
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v3/3.2/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/3.2/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.html
> http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
> Amos Jeffries
Re: [squid-users] Huge Squid
2011/9/16 Lucas Brasilino :
> Hi,
>
>> I already try to find some information in wiki, but without success.
>>
>> I have a opportunity to configure a squid to 2 users.
>>
>> Can a huge machine handle this? I just wanna block some sites and caching.
>>
>> Is there some doc to help me with this?
>
> This one should help:
>
> http://pt.scribd.com/doc/7358805/Apres-Squid
>
> regards
> Lucas Brasilino

Rafael,

Squid of course can handle that kind of clients, if you are not going to place any ICAP capabilities, a dual core with about 8GB of RAM of course can do that job.

Only take in mind next points:

- Too many rules may slow your performance,
- Squid uses short circuit, so it doesn't analyze whole rule if one ACL is false, take this in mind to place most probable ACL's first in your http_access line
- if you are going to use authentication, don't place AUTH ACL in the way until you are going to use it,
- If you are going to use some kind of URL filtering such as url_rewrite or ICAP don't pass ALL content, only things that would be useful to filter traffic

If you need more help, contact me offline

LD
http://www.twitter.com/ldlq
Re: [squid-users] allowing facebook for spesific client IPs
> acl john src 10.x.y.z
> acl jane src 10.x.y.t
> acl facebook dstdomain facebook.com (or .facebook.com)
> http_access allow john jane facebook.

In case Amos's reference to Common Mistakes didn't help you:

The http_access is wrong. It will allow only a client who was both the john IP and the jane IP access to facebook (obviously impossible)

Should be

http_access allow john facebook
http_access allow jane facebook

Alex
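
Added example, not part of Alex's reply and not Squid's own code: a small Python model of http_access evaluation that shows why the single-line rule can never match and the split rules do. The IP addresses, the surrounding deny/allow lines, and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values; the post itself only gives 10.x.y.z / 10.x.y.t.
ACLS = {
    "john": ("src", "10.0.0.5"),
    "jane": ("src", "10.0.0.6"),
    "localnet": ("src", "10.0.0.0/8"),
    "facebook": ("dstdomain", ".facebook.com"),
    "all": ("src", "0.0.0.0/0"),
}
# The line from the question, followed by assumed pre-existing rules.
BROKEN = [("allow", ["john", "jane", "facebook"]), ("deny", ["facebook"]),
          ("allow", ["localnet"]), ("deny", ["all"])]
# Alex's correction: one http_access line per client.
FIXED = [("allow", ["john", "facebook"]), ("allow", ["jane", "facebook"]),
         ("deny", ["facebook"]), ("allow", ["localnet"]), ("deny", ["all"])]


def dstdomain_match(pattern, host):
    """A leading dot matches the domain and every subdomain; otherwise exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(name, request):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(request["src"]) in ipaddress.ip_network(value)
    if kind == "dstdomain":
        return dstdomain_match(value, request["host"])
    raise ValueError("unsupported ACL type: " + kind)


def http_access(rules, request):
    """ACLs on one line are ANDed left to right (all() stops at the first
    miss); lines are tried top to bottom and the first full match decides."""
    last_action = "allow"  # so an empty rule list falls through to deny
    for action, names in rules:
        last_action = action
        if all(acl_match(n, request) for n in names):
            return action
    # Nothing matched: the result is the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        req = {"src": src, "host": "www.facebook.com"}
        print(src, "broken:", http_access(BROKEN, req), "fixed:", http_access(FIXED, req))
```

The fall-through branch is why a rule list that ends in a deny line implicitly allows everything that matched nothing, and why an explicit final "deny all" is the usual last line.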
[squid-users] Squid 3.2.0.12 beta is available
The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.2.0.12 beta release!

This release brings fixes for all the currently known regressions since 3.2.0.8.

This release is intended as the working reference package for users testing regressions in the SMP caching support which will be added in the next release. In the same manner that 3.2.0.8 was a reference for regressions added in 3.2.0.9 TCP handling support.

See the ChangeLog for the list of other minor changes in this release.

All users of the 3.2.0.9 to 3.2.0.11 packages are urged to upgrade to this release as soon as possible.

Users of earlier 3.2 beta releases are encouraged to test this release and upgrade as soon as possible.

Upgrade tip:
"squid -k parse" is starting to display even more useful hints about squid.conf changes.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.2/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.2/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
Re: [squid-users] allowing facebook for spesific client IPs
On Fri, Sep 16, 2011 at 12:23 PM, a bv wrote:
> Hi,
>
> Im trying to allow some client IPs to reach to facebook , and im
> generally blocking the facebook successfully. I tried some entries
> like below (which similar ones were working fine for other
> exceptions) but this doesnt seem to work
>
> acl john src 10.x.y.z
>
> acl jane src 10.x.y.t
>
> acl facebook dstdomain facebook.com (or .facebook.com)
>
> http_access allow john jane facebook.
>
> squid -k reconfigure
>
> Regards
>

http_access allow statement must be followed by a http_access deny too

Babs
Re: [squid-users] proxyjudge result
On 16/09/11 05:18, joyd...@infoservices.in wrote:
> Hello,
> I have visited http://www.anonymitytest.com/cgi-bin/prxjdg.cgi to check my proxy anonymity level.
> I have found
>
> REMOTE_HOST
> Result ?
> Comment REMOTE_HOST includes proxy server like word "abcd.server.de".
> REMOTE_HOST includes no numbers, it's dubious.
>
> HTTP Env. Value
> Result Via a Proxy
> Comment Proxy servers valuable is detected.
>
> AnonyLevel : 3
> So-so.
>
> How can I configure to increase anonymity ?

There is no information above. That question cannot be answered.

The website itself provides no information about why the details it is warning about are problems. Several are not even problems. So it appears to be a FUD site, possibly collecting information for the hacker team who created it.

For me it contains a "warning" that two of the mandatory HTTP headers are containing the correct information. One is the browser advertising that it requires a non-cached response (this is an anonymity problem how?)

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
Re: [squid-users] Site not found with proxy, without proxy it is OK
On 16/09/11 19:17, Jan Papež (mailing lists) wrote:
> Hello,
>
> sorry for my impatience, but this problem is annoying me. Have somebody already read my problem? Could you tell me, please? Have somebody had same problem as me?

The website admin seems to have a prejudice against the X-Forwarded-For header and rejects every request containing it. Probably everybody who is using any kind of proxy, anti-virus or gateway filter cannot reach this website.

You can avoid this in Squid with the forwarded_for directive. Please take pity on the website admin and inform them what their rejection is doing to their visitors.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
Re: [squid-users] allowing facebook for spesific client IPs
On 16/09/11 18:53, a bv wrote:
> Hi,
>
> Im trying to allow some client IPs to reach to facebook , and im generally blocking the facebook successfully. I tried some entries like below (which similar ones were working fine for other exceptions) but this doesnt seem to work
>
> acl john src 10.x.y.z
> acl jane src 10.x.y.t
> acl facebook dstdomain facebook.com (or .facebook.com)
> http_access allow john jane facebook.

This should help:
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
Re: [squid-users] Re: bridge +tproxy
On 17/09/11 09:36, Saurabh Agarwal wrote:
> Hi,
>
> Can any of you guys suggest what must be done with the routes in the following case :
>
> 221.222.211.1 (router /gateway) --> switch --> tproxy + bridge --> super natting AAA device --> end users
> |
> |--> unused
> |--> unused
>
> I am using the same config. for TPROXY and Bridge as mentioned above.
>
> Now the problem arises when we are setting the routes for subnets in the super natting device as the device does SNAT from the pool of 255, 32, 64 global IPs but these IPs are on different subnets than the squid server and also there is a universal gateway for the whole network which has its own subnet (/30). The squid server also has its own subnet (/29) (a big IP pool has been divided into many small IP pools).
>
> I try to set following rules for each subnet
>
> ip route add x.y.z.a/24 dev br0 table 200 proto kernel scope link
> ip route add default via 221.222.211.1 dev br0 table 200
> ip rule add from x.y.z.a/24 lookup 200
> ip rule add to x.y.z.a/24 lookup 200
>
> But I am not able to route the data properly.

Some questions that might help get closer to an idea of the answer:

* are packets visible on br0 after they have been DROPped off the bridge into TPROXY routing?

* does "add local 0.0.0.0/0" instead of from/to versions work better? The config we got from the kernel authors does not mention from/to.

Background info:

Squid with TPROXY operates similar to a regular bridge. Even when operating on a router. The proxy is not visible at the TCP-level, all that happens is that the IP-level source port changes as it passes through Squid outbound and destination port on return traffic.

The Squid server will only make use of its assigned IP subnet for background traffic like DNS lookups.

So... as you can see the NAT and other systems outside the Squid box should have little relevance. Including their IP ranges. As long as they ensure the packets symmetrically pass through the Squid box/bridge it "just works".

That said, the routing table on the Squid box is relevant for all outgoing packets. So rules to route the global destination out your WAN interface and local destinations out your LAN interface are needed. Nothing special.

TPROXY debugging usually comes down to double-checking the config rules and tracing every possible trace point along the intended packet pathways that they are showing up correctly and find the particular step where they disappear.

HTH
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
Re: [squid-users] forward and reverse proxy with squid 3.2
On 17/09/11 01:48, Dean Weimer wrote:
> -Original Message-
> From: Erich Titl [mailto:erich.t...@think.ch]
> Sent: Friday, September 16, 2011 8:28 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] forward and reverse proxy with squid 3.2
>
> Hi Dean
>
> at 16.09.2011 15:12, Dean Weimer wrote:
>> -Original Message-
>> From: Erich Titl [mailto:erich.t...@think.ch]
>> Sent: Friday, September 16, 2011 3:35 AM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] forward and reverse proxy with squid 3.2
>>
>> Hi Folks
>>
>> I need to replace my squid proxy running on a Debian Lenny, because the version provided does not handle ssl.
>>
>> I managed with some tweaks to the makefile (especially for the link phase) to compile 3.2.0.11, the configuration changes though appear to make it impossible to run a normal and reverse proxy in the same instance.
>>
>> I copied most of the configuration files from the old installation, hoping they would not to be too different. My new installation runs fine as a normal proxy, as soon as I include the reverse proxy configuration, everything is sent to the peer mentioned there.

There are some strange behaviours we are straightening out in 3.2 beta series at the moment after a TCP connection re-write in 3.2.0.9.

Please try 3.2.0.12 beta which is now released. If that still has problems you may need to use 3.2.0.8 beta which has several happy users. Or the stable production series 3.1.15.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
Re: [squid-users] Adding WAN IP address to SQUID.CONF so users can run .net program
On 17/09/11 19:39, Babu Chaliyath wrote:
> On Thu, Sep 15, 2011 at 5:44 PM, Amos Jeffries wrote:
>> On 15/09/11 06:45, MargaretGillon wrote:
>>>
>>> Hi Amos,
>>>
>>> Even if I do not use the IP address the .services.chromalloy.local is
>>> being blocked.
>>>
>>> Adding the IP to this line
>>> acl localServices dstdomain .services.chromalloy.local 192.168.3.42
>>>
>>> did not fix anything. Both addresses are blocked.
>>
>> Wow. Strange. Try setting debug_options to "ALL,1 28,4 85,2" and see what
>> ACLs are denying it.
>>
>> Amos
>> --
>
> Sorry if I am jumping the gun, isn't it the IP of squid proxy server
> to be used instead of 192.168.3.42?
> Sorry if that question was wrong
> Babs

Normally this type of thing is done with reverse-proxy mode, where it is the IP of the Squid server. Since that is where the browsers and agents are connecting to.

In this particular case MargaretGillon has the agent operating in forward-proxy traffic which can pass the raw-IP of the remote server to Squid for forward-proxy connection to be established. The logs displayed in earlier emails indicate that this uncommon circumstance is happening.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11
Re: [squid-users] squid cache statistics
> I am looking for some nice application which gives me correct and
> perfect report of squid cache performance.

squidclient mgr:info :)

Babs
Re: [squid-users] Adding WAN IP address to SQUID.CONF so users can run .net program
On Thu, Sep 15, 2011 at 5:44 PM, Amos Jeffries wrote:
> On 15/09/11 06:45, margaretgil...@chromalloy.com wrote:
>>
>> Hi Amos,
>>
>> Even if I do not use the IP address the .services.chromalloy.local is
>> being blocked.
>>
>> Adding the IP to this line
>> acl localServices dstdomain .services.chromalloy.local 192.168.3.42
>>
>> did not fix anything. Both addresses are blocked.
>
> Wow. Strange. Try setting debug_options to "ALL,1 28,4 85,2" and see what
> ACLs are denying it.
>
> Amos
> --

Sorry if I am jumping the gun, isn't it the IP of squid proxy server to be used instead of 192.168.3.42?
Sorry if that question was wrong

Babs