Re: [squid-users] How to rotate Cache.log

2011-09-30 Thread Amos Jeffries

On Fri, 30 Sep 2011 00:30:01 +0200, John Kimble wrote:

Hi all,

My cache file is getting too big (250mb) so it becomes really hard to
view the log file.

I tried to rotate it using Squid -k rotate but it does nothing to
either the cache.log or access.log. I read about using debug_options
rotate=n but not sure how this directive will work. Does n mean the
number of cache.log that squid will keep?

Regards,
Nick


Yes rotate=n in 3.2 limits cache.log, if it should be smaller than 
access.log.


logfile_rotate sets for all logs, the number to keep of each file 
output.


If you are using a pre-packaged squid it is likely the distributor has 
set it to 0 and integrated with whatever OS log management is available.


Question is though why your cache.log is getting so big in the first 
place. It should only have rare messages about serious problems.


Amos


Re: [squid-users] How to rotate Cache.log

2011-09-30 Thread Helmut Hullen
Hello, Amos,

You wrote on 30.09.11:

 My cache file is getting too big (250mb) so it becomes really hard
 to view the log file.

[...]

  Question is though why your cache.log is getting so big in the first
  place. It should only have rare messages about serious problems.

That can happen. I've seen log files with more than 2 GByte too.

A bit more precise: squid rotates them if they are bigger than 2  
GByte. And then the next 2 Gbyte were filled, but the partition wasn't  
big enough. All happened within less than 24 hours.

But I've seen this nasty behaviour only 1 time in the last many years.

Best regards!
Helmut


[squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour

Hi squid users,

It seems that when doing krb auth, proxy_auth ACLs are case
sensitive and must contain the realm (like what is logged in the squid
access log).

Is there a way to change this, because when using squid_ldap_auth as
fallback, I have to put names twice such as:

acl administrator proxy_auth Administrator@TEST.LOCAL administrator

Administrator@TEST.LOCAL works with kerberos
administrator works for ldap, but not for kerberos

any help will be appreciated :)



Re: [squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour

For the case problem, I RTFM ...:

acl administrator proxy_auth -i administrator@test.local


For the realm, I can use proxy_auth_regex, but it would be much
easier if there were a way to really strip the realm part.

acl administrator proxy_auth_regex -i ^(administrator|foo)(@.*)?$

to allow either administrator or foo, using basic auth or kerberos
auth.
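
A check of the proxy_auth_regex pattern from the message above, added here as an example and not part of the original post: it compares the posted pattern with a variant that pins the realm, since `(@.*)?` matches whatever realm follows the name. Python's `re` stands in for Squid's regex matching, and the function names, the sample logins and the OTHER.EXAMPLE realm are assumptions constructed for illustration.

```python
import re

# Pattern exactly as posted above: the optional "(@.*)" accepts ANY realm suffix.
POSTED = r"^(administrator|foo)(@.*)?$"

def build_pattern(users, realms):
    """Anchored pattern: each user, bare (basic/LDAP) or with a listed realm (Kerberos)."""
    if not users or not realms:
        raise ValueError("need at least one user and one realm")
    user_alt = "|".join(re.escape(u) for u in users)
    realm_alt = "|".join(re.escape(r) for r in realms)
    return rf"^({user_alt})(@({realm_alt}))?$"

def acl_line(name, users, realms):
    """Render the squid.conf line; -i gives the case-insensitive match."""
    return f"acl {name} proxy_auth_regex -i {build_pattern(users, realms)}"

def allowed(pattern, login):
    # re.IGNORECASE stands in for the -i flag on the acl line.
    return re.search(pattern, login, re.IGNORECASE) is not None

# Realm pinned to TEST.LOCAL, the realm used in the thread.
PINNED = build_pattern(["administrator", "foo"], ["TEST.LOCAL"])

# Constructed logins, in the forms Squid would see from each helper.
SAMPLES = [
    "Administrator@TEST.LOCAL",      # Kerberos, realm upper case
    "administrator",                 # basic/LDAP fallback, no realm
    "foo@test.local",                # Kerberos, lower-case spelling
    "administrator@OTHER.EXAMPLE",   # same name, different (constructed) realm
    "foo@TEST.LOCAL.example",        # realm with an extra suffix
    "administrator2",                # different user sharing a prefix
]

def compare(logins=SAMPLES):
    """Map login -> (matches posted pattern, matches realm-pinned pattern)."""
    return {l: (allowed(POSTED, l), allowed(PINNED, l)) for l in logins}

if __name__ == "__main__":
    print(acl_line("administrator", ["administrator", "foo"], ["TEST.LOCAL"]))
    for login, (posted, pinned) in compare().items():
        print(f"{login:30} posted={posted!s:5} pinned={pinned}")
```
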



[squid-users] Redirect Cached on deny_info

2011-09-30 Thread 0xception
Hi,

So I'm attempting to set up squid to interact with a hotspot/portal
system where squid uses deny_info to redirect users to a terms page.
Once they login their packets are marked and do not go through the
proxy anymore. However when I configure squid to use deny_info like
below it seems to cache the redirect in the users browser. So for
about 5-10 min after they have logged in and are no longer going
through the proxy they still get redirected every time they attempt to
go to that original requesting page.

cache deny all
...
acl whitelist dstdomain /etc/squid/domains.lst
deny_info http://login.domain.com/ whitelist
http_access deny !whitelist

I've tried using a url_redirector script to handle the redirect and
using 307 instead of a 302 code but both seem to be cached in browser.
Is there any way to force the browser to not cache the redirect? Or
perhaps another way to go about this? Example use case below, thanks
for any help/advice.

Example:
1. User opens web browser and requests http://xkcd.com
2. Request to http://xkcd.com is then redirected with a HTTP 302 code
to Login page.
3. User authenticates and accepts terms and conditions
4. User requests http://xkcd.com again after authenticating. They are
redirected back to the login page
5. All other webpages and domains work as expected without problems.

Thanks,
Using squid 3.1.11


[squid-users] Re: Two authentication helpers in one instance

2011-09-30 Thread Markus Moeller

Hi Rafael,

 squid_kerb_auth can not handle basic authentication. You need an auth 
handle which can use the username/password from basic authentication. It is 
not a good idea to use the domain username/password with basic auth and not 
SSL encryption.


Does skype or your other clients work with NTLM or Negotiate/NTLM ?

Markus


Rafal Zawierta zawie...@gmail.com wrote in message 
news:capxtas-_rkmhi8sz88td8nqp_qesvk8_8hr_taoersfafkt...@mail.gmail.com...

OK, now it's clear for me (that the browser will choose method).

But now I should enable fallback method to my negotiate
squid_kerb_auth, because Skype and other stuff won't work with
negotiate helper.

Can I use squid_kerb_auth both in negotiate and in basic mode? If
browser is ok (IE8, IE9, FF, Chrome) - negotiate will work fine. Else
- basic auth.

auth_param negotiate program  /usr/lib/squid3/squid_kerb_auth
auth_param negotiate children 5
auth_param negotiate keep_alive on

auth_param basic program  /usr/lib/squid3/squid_kerb_auth
auth_param basic children 5
auth_param basic keep_alive on

Regards






[squid-users] Re: Basic hierarchical configuration

2011-09-30 Thread Erico Augusto Cavalcanti Guedes
Simplifying:

how to configure a cache cluster node as a child on the parent one?
Just one parent and 3 children.

Thanks,

Erico.

2011/9/29 Erico Augusto Cavalcanti Guedes e...@cin.ufpe.br:
 Dears,

 does anyone have a section of a squid configuration file that shows a
 basic hierarchical configuration?
 My doubt is related to parent-child relationship.
 My environment has 4 nodes, one parent (frontend - 192.168.15.254) and
 three children:
 node01: 192.168.15.253
 node02: 192.168.15.252
 node03: 192.168.15.251

 Parent and siblings relationship were implemented like that (on
 node01, for example):

 cache_peer 192.168.15.254 parent 3128 3130 no-digest default proxy-only
 cache_peer 192.168.15.252 sibling 3128 3130 no-digest  proxy-only
 cache_peer 192.168.15.251 sibling 3128 3130 no-digest  proxy-only

 Similar configuration will be found on other children nodes.
 Nevertheless, how cache_peer directive configuration should be
 performed on parent node, so that nodes 01, 02, and 03 are seen like
 children?
 Should it be implemented with ACLs?

 Thanks in advance,

 Erico Augusto



Re: [squid-users] Re: Two authentication helpers in one instance

2011-09-30 Thread Rafał Zawierta
 Hi Rafael,

  squid_kerb_auth can not handle basic authentication. You need an auth
 handle which can use the username/password from basic authentication. It is
 not a good idea to use the domain username/password with basic auth and not
 SSL encryption.

 Does skype or your other clients work with NTLM or Negotiate/NTLM ?

 Markus

Hi Markus!

I'll check NTLM with skype as soon as I recover admin password for my
dev environment :)

All traffic is in isolated corporate network and basic auth is
acceptable, but I'll try NTLM first.

Regards


[squid-users] Re: 301 redirection with Squid based on URL (is Squirm the fastest way?)

2011-09-30 Thread Manuel
Thank you for your answer. Finally I do not like Squirm for this case since I
need the page to not be cached. Therefore my idea is to use a specific
cache_peer for any domain different than the main one in order to (1st)
point all them to the main one and (2nd) avoid the use of an external
redirector. Something like this:

cache_peer 172.20.1.3 parent 80 0 no-query no-digest originserver name=mainweb
acl maindomain dstdomain www.my.domain
cache_peer_access mainweb allow maindomain

cache_peer 172.20.1.4 parent 80 0 no-query no-digest originserver name=allredirects
acl maindomain dstdomain !www.my.domain
cache_peer_access allredirects allow maindomain

And I will use apache with mod_rewrite in that cache_peer in order to avoid
caching by the browsers:
RewriteRule ^/(.*)$ http://www.my.domain/$1 [R=301,L,E=nocache:1]

This should work, don't you think?

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/301-redirection-with-Squid-based-on-URL-is-Squirm-the-fastest-way-tp3815289p3861956.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Re: 301 redirection with Squid based on URL (is Squirm the fastest way?)

2011-09-30 Thread Manuel
Forget about the previous code, there were some errors. Something like this is
my idea to deal with the redirections:

cache_peer 172.20.1.3 parent 80 0 no-query no-digest originserver name=mainweb
acl maindomain dstdomain www.my.domain
cache_peer_access mainweb allow maindomain
cache_peer_access mainweb deny all

cache_peer 172.20.1.4 parent 80 0 no-query no-digest originserver name=allredirects
# "!" negates an ACL name in an access rule; it is not valid inside an acl value list
cache_peer_access allredirects allow !maindomain
cache_peer_access allredirects deny all

And I will use apache with mod_rewrite in that cache_peer in order to avoid
caching by the browsers:
RewriteRule ^/(.*)$ http://www.my.domain/$1 [R=301,L,E=nocache:1]




[squid-users] gzip with Squird working fine with our site but not with our vbulletin forum. Any advice?

2011-09-30 Thread Manuel
Hi

We have Squid in the main site and it is delivering content gzipped
perfectly but on the forum when we have HITs (always guests) a lot of the
times (maybe most of them) the content is delivered without the gzip header.
The webserver is lighttpd and gzip is configured in vBulletin settings (not
in lighttpd) https://www.vbulletin.com/docs/html/vboptions_group_http . If
we try to get the content directly to webserver without Squid it is
delivered in gzip perfectly. We have added this code to Squid.conf but it is
still not working properly:

acl apacheandlighttpd rep_header Server ^(lighttpd|Apache)
broken_vary_encoding allow apacheandlighttpd


On the main site we have apache with mod_deflate and this code in Squid.conf
and it is working perfectly:
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

Any idea on what's going on or any recommendations on how to proceed to find
the problem?



Re: [squid-users] Re: Basic hierarchical configuration

2011-09-30 Thread Amos Jeffries
On Fri, 30 Sep 2011 15:18:55 -0300, Erico Augusto Cavalcanti Guedes 
wrote:

Simplifying:

how to configure a cache cluster node as a child on the parent one?
Just one parent and 3 children.


The children are just regular clients to the parent. So you need 
http_access rules allowing them access, but that is all.


Amos



Re: [squid-users] lost connection - reconnect automatically

2011-09-30 Thread Amos Jeffries

On Wed, 28 Sep 2011 15:26:27 +0100, J. Webster wrote:

I have a squid service with ncsa user auth (login/password).
We have one user who loses their internet connection intermittently
and is continually being re-presented with the login prompt.
Presumably, the server / browser thinks they have disconnected from
the server and asks them to re-authenticate.
Is there a way round this?



That is a feature of the browser or whatever client app they are using.

HTTP requires requests to be interpreted independently, so every single 
request has to be accompanied by credentials. Squid is not concerned 
with TCP level details like the fact they changed connections.


NCSA uses a local database file for passwords. Which eliminates the 
problems of connection or timeout to any central server during the Squid 
auth test. Or any statefulness of the login such a central server might 
be doing.


Amos


Re: [squid-users] policy based routing from cisco router for squid tproxy

2011-09-30 Thread Amos Jeffries

On Wed, 28 Sep 2011 11:01:35 -0500, Luis Daniel Lucio Quiroz wrote:

2011/9/28 Benjamin benjo11...@gmail.com:

 Hi,

I am looking for POLICY BASED ROUTING rules, which I need to use to route web
traffic to squid box which is configured for tproxy purpose. If someone tried
it, please share your tips and feedback for that.


Network setup:

   ROUTER    PBR CONFIGURATION
         |
         |
         |
         |
      SWITCH
       |  |
       |  |
       |  | -SQUID BOX ( 1 interface )
       |
      BANDWIDTH
      SHAPER
       |
       |
  END  USERS


Thanks,
Benjo Fernandis




Easy,
#   acl normal_service_net src 10.0.0.0/24
#   acl good_service_net src 10.0.1.0/24
#   tcp_outgoing_tos 0x00 normal_service_net
#   tcp_outgoing_tos 0x20 good_service_net


With this you are marking tcp packets, then in your cisco/linux you
can do rules that, depending on mark and squid-ip, will select a specific
rule table. Look for the ip rule command to specify tables rules if you
are using linux.



Depending on your Squid version you may also have zph_* directives 
(2.7), or qos_flows (3.1+) to play with. They set the TOS value based on 
source flow type (HIT, MISS, etc).


Amos