Re: [squid-users] squid 3.2.0.16 built --with-filedescriptors=16384 only has 256 file descriptors
On Wed, Jun 20, 2012 at 7:30 AM, wrote:
> I'm running one of the nightly 3.2.0.16. I've always built squid 3.x
> "--with-filedescriptors=16384".
>
> Squid Cache: Version 3.2.0.16
> configure options: '--prefix=/usr/local/squid' '--build=i686-apple-darwin'
> '--mandir=/usr/local/share/man' '--with-large-files'
> '--disable-ident-lookups' '--disable-dependency-tracking' '--enable-filters'
> '--enable-removal-policies=heap,lru' '--enable-delay-pools'
> '--enable-multicast-miss' '--enable-default-err-language=templates'
> '--enable-fd-config' '--with-filedescriptors=16384' '--with-dl'
> '--enable-ltdl-convenience' '--enable-http-violations' '--enable-build-info'
> '--enable-log-daemon-helpers' '--enable-auth-basic=PAM,NCSA,LDAP,NCSA'
> '--enable-auth-digest=password'
> '--enable-external-acl-helpers=ip_user,ldap_group' '--enable-ssl'
> '--enable-internal-dns' '--disable-eui' 'build_alias=i686-apple-darwin'
>
> So it's very surprising for me to see "WARNING! Your cache is running out of
> filedescriptors" in cache.log after I pumped a few hundred connections
> through recently.
>
> According to squidclient -r -l localhost -U manager -W passwd mgr:info | grep
> 'file descr', my instance of squid 3.2.0.16 only has 256 file descriptors:
>
> Maximum number of file descriptors: 256
> Available number of file descriptors: 221
> Reserved number of file descriptors: 64
>
> I can resolve this easily by setting "max_filedescriptors " in
> squid.conf. However, this is supposedly a "Squid 2.7+" feature, according to
> "http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Running_out_of_filedescriptors".
> It's not clear whether that's inclusive of Squid 3.x, which is a separate
> branch from squid 2.6 in my understanding. The other question is why the
> configure option "--with-filedescriptors=16384" has no effect or stopped
> taking effect in Squid 3.2.0.16. Is this just an isolated one-off incident?

Watch out for the ulimit in the shell launching squid.

-- 
/kinkie
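kinkie's hint is the usual cause: whatever --with-filedescriptors was at build time, the maximum Squid can actually use at runtime is capped by the open-file limit (ulimit -n) of the shell that launches it, and 256 happens to be the default per-process limit on macOS, which matches the i686-apple-darwin build above. As an added example that is not from this thread or from the Squid project, here is a POSIX sh launch wrapper that checks and raises that limit before starting squid; SQUID_FDS and SQUID_BIN are assumed names and paths.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): a launch wrapper that makes sure
# the open-file limit of the launching shell is at least what Squid was built with
# (--with-filedescriptors) or configured for (max_filedescriptors). Squid cannot use
# more descriptors than `ulimit -n` allows, so a low shell limit silently caps it.
# SQUID_FDS and SQUID_BIN are assumed names/paths for this example.

# fd_check WANTED CURRENT: return 0 when CURRENT covers WANTED, 1 otherwise.
fd_check() {
    wanted=$1
    current=$2
    [ "$current" = "unlimited" ] && return 0
    [ "$current" -ge "$wanted" ]
}

# fd_raise WANTED: lift the soft limit of *this* shell towards WANTED, never above
# the hard limit (raising the hard limit needs root / limits.conf / a launchd plist).
# Returns fd_check's verdict for the limit actually in effect afterwards.
fd_raise() {
    wanted=$1
    soft=$(ulimit -S -n)
    hard=$(ulimit -H -n)
    if ! fd_check "$wanted" "$soft"; then
        target=$wanted
        if [ "$hard" != "unlimited" ] && [ "$hard" -lt "$wanted" ]; then
            target=$hard
        fi
        ulimit -S -n "$target" 2>/dev/null || true
    fi
    fd_check "$wanted" "$(ulimit -S -n)"
}

SQUID_FDS=${SQUID_FDS:-16384}                         # value given to --with-filedescriptors
SQUID_BIN=${SQUID_BIN:-/usr/local/squid/sbin/squid}   # assumed install path

# Only launch when explicitly asked, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--launch" ]; then
    if ! fd_raise "$SQUID_FDS"; then
        echo "open-file limit $(ulimit -S -n) < $SQUID_FDS (hard limit $(ulimit -H -n));" \
             "raise the hard limit before starting squid" >&2
        exit 1
    fi
    exec "$SQUID_BIN" -N
fi
```

Run it as `./squid-launch.sh --launch`; if the wrapper exits 1, the number it prints is the value mgr:info will report as "Maximum number of file descriptors" until the hard limit is raised.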
[squid-users] squid 3.2.0.16 built --with-filedescriptors=16384 only has 256 file descriptors
I'm running one of the nightly 3.2.0.16. I've always built squid 3.x "--with-filedescriptors=16384".

Squid Cache: Version 3.2.0.16
configure options: '--prefix=/usr/local/squid' '--build=i686-apple-darwin' '--mandir=/usr/local/share/man' '--with-large-files' '--disable-ident-lookups' '--disable-dependency-tracking' '--enable-filters' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-multicast-miss' '--enable-default-err-language=templates' '--enable-fd-config' '--with-filedescriptors=16384' '--with-dl' '--enable-ltdl-convenience' '--enable-http-violations' '--enable-build-info' '--enable-log-daemon-helpers' '--enable-auth-basic=PAM,NCSA,LDAP,NCSA' '--enable-auth-digest=password' '--enable-external-acl-helpers=ip_user,ldap_group' '--enable-ssl' '--enable-internal-dns' '--disable-eui' 'build_alias=i686-apple-darwin'

So it's very surprising for me to see "WARNING! Your cache is running out of filedescriptors" in cache.log after I pumped a few hundred connections through recently.

According to squidclient -r -l localhost -U manager -W passwd mgr:info | grep 'file descr', my instance of squid 3.2.0.16 only has 256 file descriptors:

Maximum number of file descriptors: 256
Available number of file descriptors: 221
Reserved number of file descriptors: 64

I can resolve this easily by setting "max_filedescriptors " in squid.conf. However, this is supposedly a "Squid 2.7+" feature, according to "http://wiki.squid-cache.org/SquidFaq/TroubleShooting#Running_out_of_filedescriptors". It's not clear whether that's inclusive of Squid 3.x, which is a separate branch from squid 2.6 in my understanding. The other question is why the configure option "--with-filedescriptors=16384" has no effect or stopped taking effect in Squid 3.2.0.16. Is this just an isolated one-off incident?
[squid-users] squid3.1, squid_kerb_auth and Negotiate GSSAPI errors
Hi,

we run a couple of squid caches using the squid_kerb_auth helper to do Negotiate GSSAPI authentication and generally it all works rather nicely, but we will get little bursts of the following error:

2012/06/20 14:54:02| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: A token was invalid. unknown mech-code 1859794441 for mech unknown'

Always with that particular mech-code. Given the number of successful hits on the cache (couple of million a day) I'm struggling to identify what's causing these errors and how to rectify them, so suggestions welcomed.

As well as wanting to identify the root cause, this problem has the effect that every time squid_kerb_auth deals with one of these requests the kerberos libraries (heimdal 1.5pre1 from NetBSD 5.99.59) keep a file descriptor open to the keytab file (actually two), so eventually squid_kerb_auth hits the max filedescriptors per process limit and other things start to fail (if it hasn't been restarted before then).

cheers
mark
Re: [squid-users] Time based Video Streaming Access
On 19.06.2012 23:57, Anonymous wrote:
> Hello Respected All,
>
> I want to setup Time based Video Streaming Access for different IPs (same
> subnet), few IPs are allowed every time video/you tube streaming access,
> while other IPs (IPs list in file as SRC) are only allowed in set time
> duration, any other IPs are not allowed to access Video/You tube access.
>
> Here's setup:
> ---
> Ubuntu 12.04
> Squid 3.1.x
>
> Two Groups of IPs
> G-1 = Allowed Everytime
> G-2 = Time Restriction (09:00-14:59)
> G-3 = Everybody, Deny Access to Video/You tube streaming every time.
> --
> acl OpenIPs src "/etc/squid3/AlwaysOpenIPs.txt"   # G-1 = List of IPs allowed for Video Streaming Everytime.
> acl TimedTubed src "/etc/squid3/TimeBasedIPs.txt" # G-2 = List of IPs allowed for set time duration.
> acl NoTubeTime time SMTWHFA 08:30-14:59           # Time duration when you access to Time based IPs.
> acl deny_rep_mime_flashvideo rep_mime_type video/x-flv # ACL to Deny Video Streaming for everyone else.
>
> http_reply_access allow OpenIPs TimedTubed NoTubeTime

This above line can only allow the IPs which are listed in *both* OpenIPs and TimedTubed. It will allow them only during NoTubeTime.

If I'm reading your policy description above correctly you actually want:

# G-1 policy = Allowed Everytime
http_reply_access allow OpenIPs

# G-2 policy = Time Restriction (09:00-14:59)
http_reply_access allow TimedTubed NoTubeTime

> http_reply_access deny TimedTubed

That above line seems wrong according to your stated policies. It will block TimedTubed IPs from going to non-YouTube content.

# G-3 policy = Deny Access to Video/You tube streaming every time.
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access allow all

> --
> ---
> Above mentioned ACLs are not working properly, General Internet Access
> (http_access) is also denied when used with "http_reply_access deny"
>
> I want to only deny video streaming/you tube in set time duration and
> allow internet access.
>
> Thank you in advance.

One thing to note here.

Blocking in http_reply_access means the video is already arriving when you decide not to deliver it. squid is forced to do one of two things:

a) close the server connection and wait out the TCP reset timeouts (15 minutes) before re-using the socket. Not a major issue on networks with low web traffic, but can be a major problem if you are needing to use those sockets again fast.

b) read in the entire video from the server and discard it before re-using the socket. Avoids TCP timeouts, but wastes bandwidth and may on some videos take longer than a 15-min TCP reset would have.

NOTE: You also need to consider an http_access or miss_access ACL block to prevent people not allowed to view videos from even making a request to the video site in the first place. This front-line block is where the bandwidth and speed savings will come from. The http_reply_access can be used as an inefficient but more accurate block only for those requests which get past your front-line blocking.

Amos
Re: [squid-users] acl forbidden_domains dstdom_regex "file.txt" with huge file fails
On 20.06.2012 04:52, Stefan Bauer wrote:
> Dear Developers & Users,
>
> we want to use acl forbidden_domains dstdom_regex "file.txt" with a 30 MB
> file. Squid is instantly terminating if this acl-stanza is set active.
> Where can and do we have to tune squid settings to achieve this?

http://wiki.squid-cache.org/SquidFaq/BugReporting#Sending_Bug_Reports_to_the_Squid_Team
"
Any bug report must include
 * The Squid release version
 * Your Operating System type and version
 * A clear description of the bug symptoms.
 * If your Squid crashes the report must include a coredumps stack trace as described below

Please note that: bug reports are only processed if they can be reproduced or identified in the current STABLE or development versions of Squid. If you are running an older version of Squid the first response will be to ask you to upgrade unless the developer who looks at your bug report immediately can identify that the bug also exists in the current versions. It should also be noted that any patches provided by the Squid developer team will be to the current STABLE version even if you run an older version.
"

Most of these details are needed to answer the question you have asked. In particular; what Squid version? what is Squid logging when it terminates?

Try running "squid -k parse" to see if anything is noted to stdout or the cache.log. If nothing useful is displayed add "debug_options ALL,9" to your config file and try running "squid -N -k parse". The developers will need a copy of your cache.log from that parse attempt in order to debug this further.

Amos
Re: [squid-users] help with acl max_user_ip
On 20.06.2012 03:48, Diego Maciel Gomes wrote:
> Hi all!
>
> This is my first post. I have one doubt about how to use this acl
> max_user_ip
>
> Well, I put it in my squid.conf, look:
>
> acl max_user max_user_ip -s 1
> http_access deny max_user
>
> I'm running squid 3.0 stable25

Please consider an upgrade. Seriously out of date software (2+ years expired) exposes you to many problems. As of this writing the currently supported version is 3.1, with the latest bug fix update release being 3.1.20. The last major security vulnerability was fixed in 3.1.15.

> I saw that max_user_ip doesn't show to me in yellow font. Is it a problem?
> Maybe my squid version doesn't support this feature? Maybe it isn't a
> problem, whatever.

Font colour has nothing to do with Squid. Your editor is missing some highlight feature support?

"squid -k parse" will tell you what config your version does (or not) support.

> My ACL and my deny for ACL is the first thing after "auth_param basic
> credentialsttl 2 hours"

credentialsttl is related to how often the basic auth helper gets re-checked.

http://www.squid-cache.org/Versions/v3/3.0/cfgman/acl.html states that authenticate_ip_ttl is the relevant timeout for the user-vs-IP pairs. The minimum of the two timeouts applies to max_user_ip. As user:IP pairs get discarded on authenticate_ip_ttl, and user + all IPs might get discarded on credentialsttl.

> So, I guess it is OK.

"max_user_ip" only counts the user/IP pairs which the username credentials have been tested as valid logins and linked to the request by a proxy_auth ACL. You can imagine this as max_user_ip operating on the output of a successful proxy_auth test. Skipping proxy_auth test, not having run it yet, or the user failing to login correctly will result in max_user_ip counting this request as having no user at all (thus not a match).

> I did a test and I can use proxy with my user in two machines... The rule
> should allow only 1, right?

*IF* tested in the right order with proxy_auth, yes.

I think from your vague description that you are not testing proxy_auth at all, or are testing it after max_user_ip is checked.

Amos
Re: [squid-users] Cant login to certain flash page via squid?
On 20.06.2012 09:13, Terry Dobbs wrote:
> When users are going through squid there are certain pages, like the one I
> mentioned where you just can't click a specific button. It always seems
> flash related. If I reconfigure this user to not use squid I can use the
> page just fine. This leads me to believe it's not solely a browser issue.
>
> When I say I told it to ignore I meant in the squid.conf file, where I
> allowed access to that specific domain without any kind of authentication.
> Thinking about it, I understand this step is pretty pointless as squid
> still processes the site. However I have had success in the past by
> allowing access to sites before the proxy_auth required command.
>
> Not really sure what the issue is, but it seems to happen with just a
> handful of random sites.

Flash player is separate software not permitted access to the browsers internal password manager information.

* Flash player does not provide any means for users to enter passwords unless the HTTP request is a GET.

* Flash script frameworks do not provide easily available support unless the HTTP request is a POST.

* recent Flash versions prevent HTTP authentication unless the visited *website* provides explicit file-based (ONLY file based) CORS support for the relevant headers. NP: as documented this would prohibit Proxy-Authentication.

Website authentication only works if the author who wrote the script knows how to write a) the user I/O interface and b) the relevant encryption algorithms (rare for anything better than Basic auth), and c) adds explicit CORS support to their site. AND decided it was worth the trouble.

As a result HTTP authentication of any type rarely works in Flash applications. Proxy authentication has never been reported working, not to say it can't, just that in my experience nobody has ever mentioned seeing it happen despite common complaints here and in many other places online.

Personally I rate Flash as a worse problem than Java in this regard. At least Java provides libraries and API making it easy for developers who know where to look (most seem not to use it, but that is a knowledge/time issue not a technical barrier).

Amos
Re: [squid-users] Cant login to certain flash page via squid?
When users are going through squid there are certain pages, like the one I mentioned where you just can't click a specific button. It always seems flash related. If I reconfigure this user to not use squid I can use the page just fine. This leads me to believe it's not solely a browser issue.

When I say I told it to ignore I meant in the squid.conf file, where I allowed access to that specific domain without any kind of authentication. Thinking about it, I understand this step is pretty pointless as squid still processes the site. However I have had success in the past by allowing access to sites before the proxy_auth required command.

Not really sure what the issue is, but it seems to happen with just a handful of random sites.
[squid-users] acl forbidden_domains dstdom_regex "file.txt" with huge file fails
Dear Developers & Users,

we want to use acl forbidden_domains dstdom_regex "file.txt" with a 30 MB file. Squid is instantly terminating if this acl-stanza is set active. Where can and do we have to tune squid settings to achieve this?

We're aware of third-party software like squidguard for this task - we only want to use additional software if everything else fails :)

Any help is greatly appreciated

Thanks in advance!

Stefan
[squid-users] help with acl max_user_ip
Hi all!

This is my first post. I have one doubt about how to use this acl max_user_ip

Well, I put it in my squid.conf, look:

acl max_user max_user_ip -s 1
http_access deny max_user

I'm running squid 3.0 stable25

I saw that max_user_ip doesn't show to me in yellow font. Is it a problem? Maybe my squid version doesn't support this feature? Maybe it isn't a problem, whatever.

My ACL and my deny for ACL is the first thing after "auth_param basic credentialsttl 2 hours"

So, I guess it is OK.

I did a test and I can use proxy with my user in two machines... The rule should allow only 1, right?

Can anyone help me?

Thanks anyway
[squid-users] Time based Video Streaming Access
Hello Respected All,

I want to setup Time based Video Streaming Access for different IPs (same subnet), few IPs are allowed every time video/you tube streaming access, while other IPs (IPs list in file as SRC) are only allowed in set time duration, any other IPs are not allowed to access Video/You tube access.

Here's setup:
---
Ubuntu 12.04
Squid 3.1.x

Two Groups of IPs
G-1 = Allowed Everytime
G-2 = Time Restriction (09:00-14:59)
G-3 = Everybody, Deny Access to Video/You tube streaming every time.
--
acl OpenIPs src "/etc/squid3/AlwaysOpenIPs.txt"   # G-1 = List of IPs allowed for Video Streaming Everytime.
acl TimedTubed src "/etc/squid3/TimeBasedIPs.txt" # G-2 = List of IPs allowed for set time duration.
acl NoTubeTime time SMTWHFA 08:30-14:59           # Time duration when you access to Time based IPs.
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv # ACL to Deny Video Streaming for everyone else.

http_reply_access allow OpenIPs TimedTubed NoTubeTime
http_reply_access deny TimedTubed
http_reply_access deny deny_rep_mime_flashvideo
--
---
Above mentioned ACLs are not working properly, General Internet Access (http_access) is also denied when used with "http_reply_access deny"

I want to only deny video streaming/you tube in set time duration and allow internet access.

Thank you in advance.