Re: [squid-users] squid 3.1.15 + TProxy 4 + time out
On Tue, 20 Sep 2011 15:15:32 +0300, Tux Mason wrote:
> Hello,
> Thank you for the prompt reply.
> When I set my browser to use the tproxy port, netstat output shows SYN_SENT for a while and the connection times out.

Of course. Squid is required to invert the connecting IP addresses on arrival at a tproxy port. You CAN NOT send forward-proxy traffic from the browser to a Squid tproxy flagged port and have anything useful come out the WAN side of Squid.

Set your browser to use no proxy at all and the Squid box as its gateway router.

> My goal is to use WCCP with squid 3.1.x and TPROXY4. I would like to test with my browser first and ensure all is well before I can make any permanent settings on my router. I use the squid box for caching only and not routing.

Routing is not optional. TPROXY operates by catching packets as they pass through the box. It must be set up either as a 'normal' router or as a bridging router.

Note that there is no need for it to be the only router, or even to handle all outgoing traffic. One of the network designs is to have a main gateway router use WCCP to pass port 80 packets from LAN to the squid box for the TPROXY steps and routing to take place. The routing the Squid box does is usually just to send the packets back to the main gateway after TPROXY.

To test the TPROXY functionality, you can plug your test workstation into the squid box as the only client and use it as that workstation's gateway router. It is a good idea not to get WCCP involved until you are sure that at least will work.

Once that is done and tested correctly, check your rpfilter settings against the wiki page. I have reason to believe the wiki docs are now out of date as of kernel 2.6.35 and incorrect regarding rpfilter. But no one has yet confirmed which altered settings we need.

> /etc/sysctl.conf
> -
> # Enable source routing
> net.ipv4.conf.all.accept_source_route = 1
> net.ipv4.conf.lo.accept_source_route = 1
> net.ipv4.conf.eth0.accept_source_route = 1
> net.ipv4.conf.default.accept_source_route = 1

Source route is not relevant to TPROXY, where the routing stages happen on packet output from Squid or on bypassed traffic. Probably best to leave that at its default.

> # Enable IP spoofing
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.lo.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.default.rp_filter = 0

One of the kernel guys informs that rp_filter 2 now means loose routing checks. 0 should still mean none (I think), so that should be fine.

> # Enable packet forwarding
> net.ipv4.ip_forward=1
> --
> squid.conf excerpt

I see no NAT rules for port 3128 interception.

> I used squid interception on port 3128 with WCCP and it worked ok.

That means the client-WCCP_router-Squid stage works. NAT and TPROXY have very different outgoing packets, so it means nothing about outgoing Squid-WCCP_router-Internet traffic.

> Below is the rule I was using for NAT (on the squid box) after creating the required gre tunnel between the cisco router and the squid box.
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination SQUID_PUBLIC_IP:3128
>
> My objective now is to get squid TPROXY4 working with one or two pcs before I can attempt to make it work with WCCP. This way I can be sure that my squid server is well configured in case I run into trouble when configuring WCCP.
> In my firefox settings, I set the proxy server to SQUID_PUBLIC_IP and the port to 80. (squid tproxy is running on port 3129)

This will make the browser send packets from its IP to the domain which is being hosted on the Squid IP on port 80. TPROXY will tell Squid to send packets to SQUID_PUBLIC_IP on port 80, using the browser IP as outgoing. Squid will connect to itself using port 80 and sending the client IP as source.

Like I said, configuring the browser to be aware of the proxy _is not possible_ with TPROXY. It only ever worked with NAT because of a bug, which is now fixed.

The browser MUST be connecting directly to the IP and port where some website is hosted. The network routing functionality makes sure the packets flow through the squid box, where TPROXY there can pick packets up.

> The iptables status shows that the packets are forwarded from port 80 to port 3129 ok.
> --
> root@cache1:~# iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 1856 packets, 185K bytes)
>  pkts bytes target prot opt in out source destination
>  160K 6616K DIVERT tcp -- eth0 * 0.0.0.0/0
Re: [squid-users] RockStore squid 3.2
On Fri, 23 Sep 2011 11:58:09 +0200 (CEST), Fred B wrote:
> Hi,
> Actually I use squid with workers and diskd
>
> workers 2
> if ${process_number} = 1
> cache_dir diskd /cache1 13 128 512
> else
> cache_dir diskd /cache2 13 128 512
> endif
>
> But I lost cache performance because the caches are not shared.
> How to use (test) the new feature RockStore with squid-3.2.0.12-20110923-r11343 (compilation, squid.conf)?
> Thanks

rock is just another cache_dir type. With this one you need to set max-size to something reasonable in the KB range. Make sure you run squid -z to create the directory properly first.

There are a couple of quirks which you may need to work around:
* a full restart is needed to change dirs, reconfigure won't work (yet).
* there seems to be a bug in -z where dirs hidden inside if statements are not always built. So put them outside the if for the -z setup step to be safe. After that it seems fine for the run operations.

From the docs which will get published next release:

The rock store type:

cache_dir rock Directory-Name Mbytes max-size=bytes

The Rock Store type is a database-style storage. All cached entries are stored in a database file, using fixed-size slots, one entry per slot. The database size is specified in MB. The slot size is specified in bytes using the max-size option. See below for more info on the max-size option.

swap-timeout=msec: Squid will not start writing a miss to or reading a hit from disk if it estimates that the swap operation will take more than the specified number of milliseconds. By default and when set to zero, disables the disk I/O time limit enforcement. Ignored when using blocking I/O module because blocking synchronous I/O does not allow Squid to estimate the expected swap wait time.

On the whole rock fills the niche where COSS was used previously. So objects over something like 128KB would be best kept in diskd or AUFS dirs.

If you like you could experiment with a set of rock dirs using min-size/max-size to split the files into bands for efficient space usage. We are interested in things like that to figure out what working practices should be advised.

Amos
[squid-users] deleting headers
Is it a bad idea to put this in the conf?

forwarded_for delete
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all

I accessed a What's my IP site and it knew that I was using a proxy, it even said squid 2.6. I believe some sites will block me based on the headers, but won't some sites block if headers do not exist?
[squid-users] won't accept port 8080, 80 works
I cannot get squid to connect on port 8080 even though it works on 80. Firstly, should this iptables script have a DROP/REJECT command somewhere? Port 8080 is open. squid conf is below:

[code]
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*mangle
:PREROUTING ACCEPT [19588:10233482]
:INPUT ACCEPT [19588:10233482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18858:10334564]
:POSTROUTING ACCEPT [18858:10334564]
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18851:1052]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
# Generated by iptables-save v1.3.5 on Fri Sep 16 04:59:49 2011
*nat
:PREROUTING ACCEPT [1234:59200]
:POSTROUTING ACCEPT [338:21268]
:OUTPUT ACCEPT [338:21268]
COMMIT
# Completed on Fri Sep 16 04:59:49 2011
[/code]

[code]
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all
http_port 8080
http_port xxx.xxx.xx.xx:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4 16 256
maximum_object_size 50 MB
[/code]
[squid-users] Multiple ACL's
I have setup a small proxy server at home for my kids. My proxy is setup to allow access from 8am to 9pm on school nights. He has an alarm clock that uses his iPod, that needs 24x7 connectivity or his alarm clock doesn't work. Is it possible to create 2 different ACLs, one to allow access for his alarm clock without a logon to certain domain destinations and prevent him from going to the internet on his iPod after the scheduled block of the internet? Any ideas on how to accomplish this?

Using Squid 3.1.15 and a Gentoo box. Dual 1GHz P3 server with 4GB ram.

Jim
Re: [squid-users] Multiple ACL's
On Sat, 2011-09-24 at 04:18 -0700, Jim Gifford wrote:
> I have setup a small proxy server at home for my kids. My proxy is setup to allow access from 8am to 9pm on school nights. He has an alarm clock that uses his iPod, that needs 24x7 connectivity or his alarm clock doesn't work. Is it possible to create 2 different ACLs, one to allow access for his alarm clock without a logon to certain domain destinations and prevent him from going to the internet on his iPod after the scheduled block of the internet? Any ideas on how to accomplish this?

I posted a similar question a few days ago :)

You should be able to work it out using the details here:
http://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2BAC8-Or_logic
http://wiki.squid-cache.org/SquidFaq/OrderIsImportant

And the acl dstdomain:
http://www.squid-cache.org/Doc/config/acl/

Andy
[squid-users] how to use the user auth parameters
my squid is configured with

./configure --prefix=/opt/squid32012 --includedir=/include --mandir=/share/man --infodir=/share/info --localstatedir=/opt/squid32012/var --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-digest-auth-helpers=ldap,password --enable-negotiate-auth-helpers=squid_kerb_auth --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-arp-acl --enable-esi --disable-translation --with-logdir=/opt/squid32012/var/log --with-pidfile=/var/run/squid32012.pid --with-filedescriptors=65536 --with-large-files --with-default-user=proxy --enable-linux-netfilter --enable-ltdl-convenience

ver 3.2.0.12

I have used the info on:
http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html
cause it looks very good compared to others.
but when I'm starting squid it shows an error about the unknown acl.
sorry for not having a lot of info, I am doing a recompile of squid version for something.

Thanks
Eliezer
Re: [squid-users] how to use the user auth parameters
On 24/09/2011 15:37, Eliezer Croitoru wrote:
> my squid is configured with
>
> ./configure --prefix=/opt/squid32012 --includedir=/include --mandir=/share/man --infodir=/share/info --localstatedir=/opt/squid32012/var --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-digest-auth-helpers=ldap,password --enable-negotiate-auth-helpers=squid_kerb_auth --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-arp-acl --enable-esi --disable-translation --with-logdir=/opt/squid32012/var/log --with-pidfile=/var/run/squid32012.pid --with-filedescriptors=65536 --with-large-files --with-default-user=proxy --enable-linux-netfilter --enable-ltdl-convenience
>
> ver 3.2.0.12
>
> I have used the info on:
> http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html
> cause it looks very good compared to others.
> but when I'm starting squid it shows an error about the unknown acl.
> sorry for not having a lot of info, I am doing a recompile of squid version for something.
>
> Thanks
> Eliezer

there it is:

FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED
Re: [squid-users] how to use the user auth parameters
On 24/09/2011 15:52, Eliezer Croitoru wrote:
> On 24/09/2011 15:37, Eliezer Croitoru wrote:
> > my squid is configured with
> >
> > ./configure --prefix=/opt/squid32012 --includedir=/include --mandir=/share/man --infodir=/share/info --localstatedir=/opt/squid32012/var --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-digest-auth-helpers=ldap,password --enable-negotiate-auth-helpers=squid_kerb_auth --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-arp-acl --enable-esi --disable-translation --with-logdir=/opt/squid32012/var/log --with-pidfile=/var/run/squid32012.pid --with-filedescriptors=65536 --with-large-files --with-default-user=proxy --enable-linux-netfilter --enable-ltdl-convenience
> >
> > ver 3.2.0.12
> >
> > I have used the info on:
> > http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html
> > cause it looks very good compared to others.
> > but when I'm starting squid it shows an error about the unknown acl.
> > sorry for not having a lot of info, I am doing a recompile of squid version for something.
> >
> > Thanks
> > Eliezer
>
> there it is:
>
> FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED

ok got a little more.
on the nixcraft site people were talking about putting the settings in this specific form:

auth_param basic program /opt/squid32012/libexec/basic_ncsa_auth /opt/squid32012/etc/passwords
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl ncsa_users proxy_auth REQUIRED
#added for user auth
http_access allow ncsa_users

but squid won't require the passwords and will let everyone use the internet.

Thanks
Eliezer
Re: [squid-users] how to use the user auth parameters
Hello Eliezer, you wrote on 24.09.11:

> I have used the info on:
> http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html

> there it is:
> FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED

I use

# - auth.conf ---
auth_param basic program /usr/libexec/ncsa_auth /etc/squid/.htpasswd
auth_param basic children 20
auth_param basic realm Surf-Anmeldung
auth_param basic credentialsttl 60 minutes
acl Anmeldung proxy_auth REQUIRED
http_access deny !Anmeldung
#

Configuration:
Squid Cache: Version 3.2.0.10
configure options: '--prefix=/usr' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--localstatedir=/var/log/squid' '--datadir=/usr/share/squid' '--with-pidfile=/var/run/squid' '--mandir=/usr/man' '--with-logdir=/var/log/squid' '--enable-snmp' '--enable-basic-auth-helpers=NCSA,YP,MSNT-multi-domain,MSNT,SMB,getpwnam,LDAP,POP3,RADIUS' '--enable-linux-netfilter' '--enable-async-io' '--with-large-files' '--disable-option-checking' '--with-filedescriptors=65536' '--enable-icmp' '--enable-delay-pools' '--enable-digest-auth-helpers=LDAP,file' '--enable-ntlm-auth-helpers=smb_lm' '--enable-negotiate-auth-helpers=kerberos' '--enable-inline' '--disable-loadable-modules' '--disable-translation' '--enable-storeio=aufs,ufs' '--enable-arp-acl' '--enable-wccp' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-removal-policies=lru,heap' '--enable-esi' '--enable-ssl' '--build=i486-slackware-linux' 'build_alias=i486-slackware-linux' 'CFLAGS=-O2 -march=i486 -mtune=i686' 'CXXFLAGS=-O2 -march=i486 -mtune=i686'

Kind regards!
Helmut
Re: [squid-users] Multiple ACL's
On 9/24/2011 4:47 AM, Pandu Poluan wrote:
> On Sep 24, 2011 6:19 PM, Jim Gifford <maill...@jg555.com> wrote:
> > I have setup a small proxy server at home for my kids. My proxy is setup to allow access from 8am to 9pm on school nights. He has an alarm clock that uses his iPod, that needs 24x7 connectivity or his alarm clock doesn't work. Is it possible to create 2 different ACLs, one to allow access for his alarm clock without a logon to certain domain destinations and prevent him from going to the internet on his iPod after the scheduled block of the internet? Any ideas on how to accomplish this?
> >
> > Using Squid 3.1.15 and a Gentoo box. Dual 1GHz P3 server with 4GB ram.
>
> Why would an alarm clock need Internet connectivity???
>
> That said, the answer is: Yes, it is possible, if you know the domain where the, uh, alarm clock connects to.
>
> Arrange the ACLs like this:
>
> dst_domain domain.of.alarm.clock allow
> time range-time allow
> default deny
>
> I.e., put the ACL rule for the alarm clock domain before the rule for time range.
>
> Rgds,

It's some ihome application, it goes out to 3 different websites, there was no way to disable it. So here's what I did:

http_access deny BadSites
http_access allow ihome
http_access allow sunday localnet logon
http_access allow weekend localnet logon
http_access allow weekday localnet logon
http_access deny all
Re: [squid-users] how to use the user auth parameters
Thanks, I will check with the deny thing, it seems much more efficient.

Eliezer

On 24/09/2011 17:41, Helmut Hullen wrote:
> Hello Eliezer, you wrote on 24.09.11:
>
> > I have used the info on:
> > http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html
>
> > there it is:
> > FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED
>
> I use
>
> # - auth.conf ---
> auth_param basic program /usr/libexec/ncsa_auth /etc/squid/.htpasswd
> auth_param basic children 20
> auth_param basic realm Surf-Anmeldung
> auth_param basic credentialsttl 60 minutes
> acl Anmeldung proxy_auth REQUIRED
> http_access deny !Anmeldung
> #
>
> Configuration:
> Squid Cache: Version 3.2.0.10
> configure options: '--prefix=/usr' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--localstatedir=/var/log/squid' '--datadir=/usr/share/squid' '--with-pidfile=/var/run/squid' '--mandir=/usr/man' '--with-logdir=/var/log/squid' '--enable-snmp' '--enable-basic-auth-helpers=NCSA,YP,MSNT-multi-domain,MSNT,SMB,getpwnam,LDAP,POP3,RADIUS' '--enable-linux-netfilter' '--enable-async-io' '--with-large-files' '--disable-option-checking' '--with-filedescriptors=65536' '--enable-icmp' '--enable-delay-pools' '--enable-digest-auth-helpers=LDAP,file' '--enable-ntlm-auth-helpers=smb_lm' '--enable-negotiate-auth-helpers=kerberos' '--enable-inline' '--disable-loadable-modules' '--disable-translation' '--enable-storeio=aufs,ufs' '--enable-arp-acl' '--enable-wccp' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-removal-policies=lru,heap' '--enable-esi' '--enable-ssl' '--build=i486-slackware-linux' 'build_alias=i486-slackware-linux' 'CFLAGS=-O2 -march=i486 -mtune=i686' 'CXXFLAGS=-O2 -march=i486 -mtune=i686'
>
> Kind regards!
> Helmut
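Both threads above turn on the same rule: Squid evaluates http_access lines in order and the first matching line wins, which is why Jim's ihome line sits before his time-window lines and why Helmut's `http_access deny !Anmeldung` comes before any allow. The model below is an added example written for this digest, not code from the list posts or from Squid; the ACL definitions (domain names, subnet, time windows) and the allow line following Helmut's deny are constructed assumptions, since only the http_access lines were posted.

```python
import ipaddress
from datetime import datetime

# Model of Squid's http_access evaluation (added example, not Squid code): every
# ACL on a line must match (AND, "!" negates), lines are tried in order, the first
# matching line decides, and if none matches the opposite of the last action applies.
# ACL definitions are constructed assumptions; only the http_access lines were posted.
ACLS = {
    "BadSites":  ("dstdomain", [".badsite.test"]),
    "ihome":     ("dstdomain", [".ihome-alarm.test"]),
    "localnet":  ("src", ["192.168.1.0/24"]),
    "all":       ("src", ["0.0.0.0/0"]),
    "logon":     ("proxy_auth", None),   # matches only if credentials were sent
    "Anmeldung": ("proxy_auth", None),   # Helmut's name for the same ACL type
    # time ACLs as (Python weekday() numbers, start, end); Monday=0 ... Sunday=6
    "sunday":    ("time", ({6}, "08:00", "21:00")),
    "weekend":   ("time", ({5}, "08:00", "21:00")),
    "weekday":   ("time", ({0, 1, 2, 3, 4}, "08:00", "21:00")),
}

# Jim's final rule order, as posted in the Multiple ACL's thread
JIM_RULES = [
    ("deny",  ["BadSites"]),
    ("allow", ["ihome"]),
    ("allow", ["sunday", "localnet", "logon"]),
    ("allow", ["weekend", "localnet", "logon"]),
    ("allow", ["weekday", "localnet", "logon"]),
    ("deny",  ["all"]),
]

# Helmut's pattern: refuse unauthenticated requests before any allow line.
# (Real Squid turns a deny caused by a proxy_auth ACL into a 407 challenge,
# so the browser shows a login prompt instead of an error page.)
HELMUT_RULES = [
    ("deny",  ["!Anmeldung"]),
    ("allow", ["localnet"]),   # assumed follow-on rule, not in Helmut's post
]

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.test" matches the domain itself and every subdomain
        return any(host == d.lstrip(".") or host.endswith(d) for d in arg)
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(n) for n in arg)
    if kind == "proxy_auth":
        return req.get("user") is not None
    if kind == "time":
        days, start, end = arg
        clock = req["when"].strftime("%H:%M")
        return req["when"].weekday() in days and start <= clock <= end
    raise ValueError(f"unknown ACL {name}")

def http_access(rules, req):
    """Return 'allow' or 'deny' for one request under the given rule list."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # implicit default

def request(host, src="192.168.1.20", when="2011-09-26 02:00", user=None):
    # default time is 02:00 on Monday 26 Sep 2011 (outside every time window)
    return {"host": host, "src": src, "user": user,
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
```

Moving the ihome line below `deny all` would make the alarm clock fail at night even though the line is still present, which is the ordering point Pandu was making.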
[squid-users] Building on Mac OSX
I've been trying to build squid 3.2 on OSX, and I'm getting a lot of errors, does anyone know of a guide for this? I'm seeing things like:

libtool: compile: g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I../../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT Config.lo -MD -MP -MF .deps/Config.Tpo -c Config.cc -fno-common -DPIC -o .libs/Config.o
In file included from ../../src/protos.h:35,
                 from Config.cc:3:
../../src/Packer.h:46: error: 'va_list' has not been declared

If I add an include for cstdarg, and remove the SQUIDCEXTERN macro in Packer.h, I get a bit farther, but things like Address.h start to break because it doesn't seem to set the defines for HAVE_NETINET_IN_H. If I force that to 1 I get a bit farther, but there's more problems past that. Anyone have an idea?

Matt