Re: [squid-users] Handling PUT-requests with "Expect: 100-continue" header
On Wed, 28 Sep 2011 16:15:33 +0200, Jan Sievers wrote:
> Hi,
>
> I was recently updating squid from version v3.0.STABLE23 to 3.1.15 and
> noticed, that the handling of PUT-requests with "Expect: 100-continue"
> header changed.
>
> While with version v3.0.STABLE23 the proxy wrote to the log file
>
> 1316481430.883 2303 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html
>
> what triggered the client to send a request shortly after:
>
> 1316481432.180 1294 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html
>
> Which looks to me that the proxy has forwarded at least something to the
> origin server. I don't know if it really reported a 200 to the client which
> sounds strange for a PUT-request having a "Expect: 100-continue". Probably
> the client (using libcurl 7.16.1) just reached a timeout and issued another
> PUT-request without the Expect-header and with a body.
>
> Using version 3.1.15 the proxy wrote to the log file
>
> 1317091304.706 0 192.168.0.1 NONE/417 6181 PUT http://www.example.com/services/submit.php? - NONE/- text/html
>
> No other request comes hereafter. The client user reports the application
> says "Error 417". It seems the client does not repeat the POST-request
> without "expectations". On the other hand squid seems not to ask the origin
> server which is HTTP/1.1 aware and sends a 417 on its own, which at least
> for a HTTP/1.1 proxy would be wrong. Or am I missing something?

Squid-3.1 is HTTP/1.1 on the side communicating with servers.

> Can I do something about it?

In order of preference:

* report the problem to the client software developers. They have failed to handle all the RFC 2616 requirements of chunked encoding. i.e. to retry without HTTP/1.1 when 417 is received.
* ignore_expect_100

> Is setting "ignore_expect_100 on" the right thing and without side-effects?

It is there to resolve this problem if you wish to use it. There are side effects.
Squid now passes HTTP/1.1 to servers, relaying the Expect: headers and discards the 100-continue if it comes back. This could make the client wait a long timeout and die anyway.

Amos
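Added example, not part of the thread: before deciding whether to enable ignore_expect_100, it helps to know which clients actually get stuck on the 417. The script below scans Squid native-format access.log lines for 417 replies that Squid generated itself (hierarchy field NONE/-) and reports those the same client never followed with a successful retry of the same request. The function names and the 30-second retry window are assumptions of this example.

```python
from collections import namedtuple

# Constructed sample in Squid's native access.log format. The first three lines
# are the ones quoted in the thread; the last two (client 192.168.0.7) are
# invented to show a client that does retry after the 417.
SAMPLE_LOG = """\
1316481430.883 2303 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html
1316481432.180 1294 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html
1317091304.706 0 192.168.0.1 NONE/417 6181 PUT http://www.example.com/services/submit.php? - NONE/- text/html
1317091310.120 0 192.168.0.7 NONE/417 6181 POST http://www.example.com/upload - NONE/- text/html
1317091310.450 310 192.168.0.7 TCP_MISS/200 512 POST http://www.example.com/upload - DIRECT/192.0.2.1 text/html
"""

Entry = namedtuple("Entry", "ts client status method url peer")

def parse_line(line):
    """Parse one native-format line; return None for anything malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    status = f[3].partition("/")[2]          # "NONE/417" -> "417"
    try:
        return Entry(float(f[0]), f[2], int(status), f[5], f[6], f[8])
    except ValueError:
        return None

def unretried_417(lines, window=30.0):
    """Return (client, method, url) for each proxy-generated 417 that the same
    client did not follow with a non-417 reply for the same request within
    `window` seconds (window is an assumed value, tune it to the client)."""
    entries = [e for e in map(parse_line, lines) if e]
    stuck = []
    for i, e in enumerate(entries):
        # NONE/- in the hierarchy field: no upstream server was contacted.
        if e.status != 417 or not e.peer.startswith("NONE/"):
            continue
        retried = any(
            n.client == e.client and n.method == e.method and n.url == e.url
            and n.status != 417 and 0 <= n.ts - e.ts <= window
            for n in entries[i + 1:]
        )
        if not retried:
            stuck.append((e.client, e.method, e.url))
    return stuck

if __name__ == "__main__":
    for client, method, url in unretried_417(SAMPLE_LOG.splitlines()):
        print(f"{client} got 417 for {method} {url} and never retried")
```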
[squid-users] Squidalyser: nothing entered into database
Right, I installed everything and ran the mysql script so that it put in x thousand rows into the database. However, when I access:

http://mysite.org/cgi-bin/squidalyser.pl

I just get a blank page. No errors, it doesn't show anything at all. The webserver is working because if I access http://mysite.org/cgi-bin/wordlist.pl then it brings up a webpage.

I just checked the database, there is nothing in it? Strange, squidparse.pl reported a success:

[root squidparse]# ./squidparse.pl
Running ./squidparse.pl at Wed Sep 28 21:06:42 2011
DB Name: squid
DB Host: localhost
DB User: squidalyser
Squidlog: /var/log/squid/access.log
Expired 1976284 records from the database.
Took 796 seconds to process 1976284 records.
Re: [squid-users] policy based routing from cisco router for squid tproxy
2011/9/28 Benjamin :
> Hi,
>
> I am looking for POLICY BASED ROUTING rules, which I need to use route web
> traffic to squid box which is configured for tproxy purpose. If someone tried
> it, please share your tips and feedback for that.
>
>
> Network setup:
>
> ROUTER > PBR CONFIGURATION
>   |
>   |
>   |
>   |
> SWITCH
>  |   |
>  |   |
>  |   | -SQUID BOX ( 1 interface )
>  |
> BANDWIDTH
> SHAPER
>  |
>  |
> END USERS
>
>
> Thanks,
> Benjo Fernandis
>
>

Easy,

# acl normal_service_net src 10.0.0.0/24
# acl good_service_net src 10.0.1.0/24
# tcp_outgoing_tos 0x00 normal_service_net
# tcp_outgoing_tos 0x20 good_service_net

With this you are marking tcp packets, then in your cisco/linux you can do rules that depending mark and squid-ip will select a specific rule table.

Look for "ip rule" command to specify tables rules if you are using linux.

LD
http://www.twitter.com/ldlq
[squid-users] lost connection - reconnect automatically
I have a squid service with ncsa user auth (login/password). We have one user who loses their internet connection intermittently and is continually being re-presented with the login prompt. Presumably, the server / browser thinks they have disconnected from the server and asks them to re-authenticate. Is there a way round this?
[squid-users] Handling PUT-requests with "Expect: 100-continue" header
Hi,

I was recently updating squid from version v3.0.STABLE23 to 3.1.15 and noticed, that the handling of PUT-requests with "Expect: 100-continue" header changed.

While with version v3.0.STABLE23 the proxy wrote to the log file

1316481430.883 2303 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html

what triggered the client to send a request shortly after:

1316481432.180 1294 192.168.0.1 TCP_MISS/200 314 PUT http://www.example.com/services/submit.php? - DIRECT/192.0.2.1 text/html

Which looks to me that the proxy has forwarded at least something to the origin server. I don't know if it really reported a 200 to the client which sounds strange for a PUT-request having a "Expect: 100-continue". Probably the client (using libcurl 7.16.1) just reached a timeout and issued another PUT-request without the Expect-header and with a body.

Using version 3.1.15 the proxy wrote to the log file

1317091304.706 0 192.168.0.1 NONE/417 6181 PUT http://www.example.com/services/submit.php? - NONE/- text/html

No other request comes hereafter. The client user reports the application says "Error 417". It seems the client does not repeat the POST-request without "expectations". On the other hand squid seems not to ask the origin server which is HTTP/1.1 aware and sends a 417 on its own, which at least for a HTTP/1.1 proxy would be wrong. Or am I missing something?

Can I do something about it? Is setting "ignore_expect_100 on" the right thing and without side-effects?

Thanks,
Jan

--
Jan Sievers | Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de
[squid-users] policy based routing from cisco router for squid tproxy
Hi,

I am looking for POLICY BASED ROUTING rules, which I need to use route web traffic to squid box which is configured for tproxy purpose. If someone tried it, please share your tips and feedback for that.

Network setup:

ROUTER > PBR CONFIGURATION
  |
  |
  |
  |
SWITCH
 |   |
 |   |
 |   | -SQUID BOX ( 1 interface )
 |
BANDWIDTH
SHAPER
 |
 |
END USERS

Thanks,
Benjo Fernandis
Re: [squid-users] Two authentication helpers in one instance
I had another problem.. using squid 32012 that squid won't show the auth screen on the browser.

Thanks
Eliezer

On 30/08/2011 15:19, Rafal Zawierta wrote:
> Hello,
>
> Is it possible to use dual authentication helpers in one squid3 instance.
> In my example:
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
> auth_param negotiate children 5
> auth_param negotiate keep_alive on
> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid/passwd
> auth_param basic children 5 startup=5 idle=1
> auth_param basic realm Squid
> auth_param basic credentialsttl 2 hours
>
> How it *should* work:
> If user is in WinNT domain, he is authenticated against AD in negotiate mode.
> If user is not in AD, then he is prompted for password.
>
> But next, I'd like to match all users that are authenticated with basic mode
> in separate acl. I'm able to use some regex with that usernames - for example
> guest_ prefix in username.
>
> Is it possible?
>
> Regards
Re: [squid-users] Two authentication helpers in one instance
OK, now it's clear for me (that the browser will choose method). But now I should enable fallback method to my negotiate squid_kerb_auth, because Skype and other stuff won't work with negotiate helper.

Can I use squid_kerb_auth both in negotiate and in basic mode? If browser is ok (IE8, IE9, FF, Chrome) - negotiate will work fine. Else - basic auth.

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
auth_param negotiate children 5
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/squid_kerb_auth
auth_param basic children 5
auth_param basic keep_alive on

Regards