Re: [squid-users] Need advise about Squid statistics.
Siur, Look for Squid Analyzer on freshmeat.net Easy to install and customize. It will do the magic for you. # Edmonds Namasenda. On Sun, Oct 30, 2011 at 2:56 AM, siur siur@gmail.com wrote: Hello! I've got 500 archived squid log files. Now I need to analyze all of them and make a statistics report (top visited sites, per-user statistic, all that stuff). What's the best way to do it?
[squid-users] DNS handling different in 2.6 3.1 ?
Hi, I have just upgraded the squid proxies from 2.6 on RH el5 to 3.1.14 Debian at my site and have noticed that for some sites (update.ucas.co.uk as an example) fails to load with what appears to be DNS timeouts due to NXDOMAIN and then trying to find the entry through our local DNS search paths (correctly I admit). Investigation demonstrates that the DNS query is getting NXDOMAIN back from the DNS query along with an IP address, this applies to both the old and new proxies and so from a certain point of view is not an issue. However what I would like to be able to do is get squid 3.1 to ignore the NXDOMAIN (yes I know it is a risk) in the same way that 2.6 appears to do so, I understand that 3.1 and 2.6 have some differences in the way that DNS is handled probably for the good over all but at the moment this is causing me issues. Ultimately I am aware that this is a DNS issue that needs to be resolved at the remote site yet at the same time I am under pressure for business reasons to ensure the site is accessible and also to take down my old proxies which are currently still up with a kludge in WPAD to force these sites through the old proxies. Thoughts on how I can ensure that stuff works locally would be much appreciated. Thanks Paul
[squid-users] Transparently Proxying of https
Hi Everybody, Is it possible to do Transparently Proxy of https (i.e. face book, gmail etc) traffic? If no, how and why https traffic works through NAT/Masquerade? Please help me to understand the above. Thanks TI -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparently-Proxying-of-https-tp3955416p3955416.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] ssl_crtd crashes with Failed to remove certficate file file from db
On 10/30/2011 11:46 PM, Alex Rousskov wrote: Hi Will, Please file a bug report with Squid bugzilla, including the exact error message and other relevant details. Posting cache.log with debug_options set to ALL,9 may be helpful, especially if you can reproduce the problem with just a few transactions (but make sure you do not use any sensitive data during those transactions). Thank you, Alex. Alex, I've filed http://bugs.squid-cache.org/show_bug.cgi?id=3405 for this. Thanks, --Will
Re: [squid-users] Need advise about Squid statistics.
El 29/10/11 20:56, siur escribió: Hello! I've got 500 archived squid log files. Now I need to analyze all of them and make a statistics report (top visited sites, per-user statistic, all that stuff). What's the best way to do it? http://sarg.sourceforge.net/
[squid-users] squid deployment for cache gain
Hi All, We have to deploy squid for cache gain in our network where we are having 140-150 mbps bandwith and 600 users.As per our H/W, we have 8 gb ram and 2 TB disk with intel i3 processor with GBPS lan cards.We only use squid on this h/w nothing else. So for going to setup squid in network , i have some queries. 1) what should be memory we use for squid ? 2) multiple creation of cache_dir is better or single big cache_dir is better ? 3) At some blogs , i read that small objects in memory and disk are very much beneficial for cache gain rather then specifing big size objects for disk and memory ? 4) Multiple instance of squid is better or single squid instance is able to handle such kind of heavy load. ? Please share your suggestions with squid and cache gain in such kind of big networks Thanks, Benjamin
[squid-users] reverse proxy configuration still MISSes some pages which should be a HIT....
Hi. I'm using squid 3.1.16, compiled from source with: ./configure --prefix=/usr/local/squid-3.1.16/ --enable-useragent-log --enable-referer-log --disable-ident-lookups --with-large-files Running on a 64bit Debian 6 box. If I send a request: Sent by doing: cat file | nc proxy.example.com 80 == HEAD / HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Cookie: eplicaWebVisitor=-926431977; fptab=skjalftar; JSESSIONID=C44066454BC7A2C8A052BC0C69D44620 DNT: 1 Connection: keep-alive If-Modified-Since: Sat, 30 Oct 2011 16:42:36 GMT Cache-Control: max-age=0 If-None-Match: S-is-94659-1319906578198 == I get back: == HTTP/1.0 200 OK Date: Mon, 31 Oct 2011 18:22:45 GMT Set-Cookie: JSESSIONID=05358DBC68CE264A981D34FB8322CADC; Path=/ Powered-By: Eplica WMS 2.0 (2.0-SNAPSHOT) Last-Modified: Mon, 31 Oct 2011 18:22:21 GMT Expires: Mon, 31 Oct 2011 18:22:55 GMT Cache-Control: public, must-revalidate, max-age=10 ETag: S-is-94983-1320085375761 Content-Type: text/html;charset=UTF-8 Content-Language: is-IS Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 18425 X-Cache: MISS from proxy.example.com Via: 1.0 proxy.example.com (squid/3.1.16) Connection: keep-alive == If I send the same request, but leave out the If-None-Match, I get: HTTP/1.0 200 OK Date: Mon, 31 Oct 2011 18:24:10 GMT Powered-By: Eplica WMS 2.0 (2.0-SNAPSHOT) Last-Modified: Mon, 31 Oct 2011 18:23:22 GMT Expires: Mon, 31 Oct 2011 18:24:20 GMT Cache-Control: public, must-revalidate, max-age=10 ETag: S-is-94983-1320085460159 Content-Type: text/html;charset=UTF-8 Content-Language: is-IS Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 18425 Age: 3 X-Cache: HIT from proxy.example.com Via: 1.0 proxy.example.com (squid/3.1.16) Connection: keep-alive == Hmm... I *think* the needed lines from squid.conf would look like, but please correct me if this is not enough to determine the cause: http_port 1.2.3.4:80 accel defaultsite=www.example.com vhost ignore-cc cache_peer 1.2.3.99 parent 80 0 no-query originserver name=myAccel Now, is there a simple(ish) way of throwing away / ignoring that If-None-Match header, or configure squid in other ways, to go to the cache, and create a HIT? Thanks, -- EinarI
Re: [squid-users] Transparently Proxying of https
On 31/10/2011 13:02, Tymur Islam wrote: Hi Everybody, Is it possible to do Transparently Proxy of https (i.e. face book, gmail etc) traffic? it is possible to do a transparently(almost) proxy for https but not using squid. https is a secure protocol that his purpose is to prevent proxying\mangle it. If no, how and why https traffic works through NAT/Masquerade? the https protocol is on the higher levels of the network levels and not on the network level itself i.e not IP. nat and masquerade is on IP level so https doesnt really care as long the application level is untouched. Regrads Eliezer Please help me to understand the above. Thanks TI -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparently-Proxying-of-https-tp3955416p3955416.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] reverse proxy configuration still MISSes some pages which should be a HIT....
On Mon, 31 Oct 2011 18:56:00 +, Einar Indridason wrote: Hi. I'm using squid 3.1.16, compiled from source with: ./configure --prefix=/usr/local/squid-3.1.16/ --enable-useragent-log --enable-referer-log --disable-ident-lookups --with-large-files Running on a 64bit Debian 6 box. If I send a request: Sent by doing: cat file | nc proxy.example.com 80 == HEAD / HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Cookie: eplicaWebVisitor=-926431977; fptab=skjalftar; JSESSIONID=C44066454BC7A2C8A052BC0C69D44620 DNT: 1 Connection: keep-alive If-Modified-Since: Sat, 30 Oct 2011 16:42:36 GMT Cache-Control: max-age=0 If-None-Match: S-is-94659-1319906578198 == I get back: Calling this (1) ... == HTTP/1.0 200 OK Date: Mon, 31 Oct 2011 18:22:45 GMT Set-Cookie: JSESSIONID=05358DBC68CE264A981D34FB8322CADC; Path=/ Powered-By: Eplica WMS 2.0 (2.0-SNAPSHOT) Last-Modified: Mon, 31 Oct 2011 18:22:21 GMT Expires: Mon, 31 Oct 2011 18:22:55 GMT Cache-Control: public, must-revalidate, max-age=10 ETag: S-is-94983-1320085375761 Content-Type: text/html;charset=UTF-8 Content-Language: is-IS Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 18425 X-Cache: MISS from proxy.example.com Via: 1.0 proxy.example.com (squid/3.1.16) Connection: keep-alive == Calling this (2) ... If I send the same request, but leave out the If-None-Match, I get: HTTP/1.0 200 OK Date: Mon, 31 Oct 2011 18:24:10 GMT Powered-By: Eplica WMS 2.0 (2.0-SNAPSHOT) Last-Modified: Mon, 31 Oct 2011 18:23:22 GMT Expires: Mon, 31 Oct 2011 18:24:20 GMT Cache-Control: public, must-revalidate, max-age=10 ETag: S-is-94983-1320085460159 Content-Type: text/html;charset=UTF-8 Content-Language: is-IS Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 18425 Age: 3 X-Cache: HIT from proxy.example.com Via: 1.0 proxy.example.com (squid/3.1.16) Connection: keep-alive == 'delta' (time difference) between the two requests is 120 seconds (2 minutes). + Server indicates 'must-revalidate'. Always contact backend server. + max-age is 10 seconds. Always fetch new content if current is older than 10 seconds. + origin servers object was modified 60 seconds after request (1). So this is correct. The cached object was stale, backend had an updated copy which got returned in full using status 200. If-None-Match and If-Modified-Since are both true conditions for these tests. Either one alone is enough to make a 200 happen. Hmm... I *think* the needed lines from squid.conf would look like, but please correct me if this is not enough to determine the cause: http_port 1.2.3.4:80 accel defaultsite=www.example.com vhost ignore-cc The ignore-cc directive is there to ignore the client when it tries to override the server Cache-Crontrol. In the above your server is saying max-age=10 (give clients things up to 10 seconds old). But the client is attempting to override and says max-age=0 (nothing 1 second or older may be sent to me). Since this is a reverse-proxy and your Squid is one of the servers for this domain it is able to safely ignore that client max-age, and say here is object X, its valid right now (despite being 1-10 seconds old). In the case you detailed above, it will make Squid ignore the max-age=0 (force a reload) from the client. BUT, the server is still indicating 10 second max-age and must-revalidate. So the revalidate conditions will still happen and possibly produce a 200. cache_peer 1.2.3.99 parent 80 0 no-query originserver name=myAccel Now, is there a simple(ish) way of throwing away / ignoring that If-None-Match header, or configure squid in other ways, to go to the cache, and create a HIT? That is up to your server to respond with 304 instead of 200. When testing conditional requests a 304 message is equivalent to a HIT in older traffic. As or ignoring the If-* headers. This is a very bad idea(tm)... Consider a login script which presents exactly two variants. One says Successful login. The other says Successful logout. The If-* values and ETag encodes which of these the client is attempting to display so Squid and the server can override with 200 and essentially say 'no display this instead'. In the login example, the server would check its login/out state for the client and allow the display or replace it. Overriding these details and making Squid HIT would
Re: [squid-users] Transparently Proxying of https
On Oct 31, 2011, at 7:02 AM, Tymur Islam wrote: Hi Everybody, Is it possible to do Transparently Proxy of https (i.e. face book, gmail etc) traffic? If no, how and why https traffic works through NAT/Masquerade? Please help me to understand the above. Thanks TI not through squid, use ip tunnel through squid box and have your firewall NAT/PAT the https connection. squid will not speak directly in intercept mode. - simply put. if you need to proxy https connections use squid in regular mode. -j
[squid-users] wondering include capability
Just wondering if it is possible to place something like this: include /etc/squid/conf.d/*.conf for example, :) that would help the PRM squid packagers, if dont please add it it rocks LD
Re: [squid-users] wondering include capability
On Mon, 31 Oct 2011 23:06:48 -0600, Luis Daniel Lucio Quiroz wrote: Just wondering if it is possible to place something like this: include /etc/squid/conf.d/*.conf for example, :) that would help the PRM squid packagers, if dont please add it it rocks LD I believe it does. It uses glob() in the background wherever available. Amos