[squid-users] Re: delay pools and deny_info error messages
> How does one get deny_info error messages to work with delay pools so you
> can message the user that they have reached their bandwidth limits? I have
> tried the config below, which stops the user from browsing once the limit is
> reached but never triggers the error message.
>
> acl testuser proxy_auth test
> deny_info ERR_NO_BW testuser
> delay_pools 1
> delay_class 1 1
> #256 Kbit/s fill rate, 1024 Kbit/s reserve
> delay_parameters 1 32000/128000
> delay_access 1 allow testuser
> delay_access 1 deny all
Re: [squid-users] url for certification providers
On 15.11.2012 04:49, Jeroen Ruijter wrote:

> How can I allow the lines beneath, so the patterns .ico .crl will work without certification errors.
>
> 1352906047.969 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(6).crl - NONE/- text/html
> 1352906047.981 0 172.16.4.254 TCP_DENIED/407 3975 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - NONE/- text/html
> 1352906047.992 0 172.16.4.254 TCP_DENIED/407 3998 GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl - NONE/- text/html
> 1352906048.006 0 172.16.4.254 TCP_DENIED/407 3947 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - NONE/- text/html

What makes you think there is anything wrong with these?

407 is a request that the client agent perform login before they can continue to use the proxy. Did you trim away the followup request where the client sent login details, or is there none? The latter being a client user-agent problem, not Squid.

This should help you understand what you have to change:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_use_authentication_in_access_controls.3F

When you have read that you will understand why we cannot help you change your config file without seeing what the config contains or even whether the change will do anything.

Amos
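The question in the reply above (was there a follow-up request carrying login details, or none?) can be checked directly against access.log. This is an added example, not part of the original messages; it assumes Squid's native log format, and the user `exampleuser`, the client 172.16.4.99 and the host `example.test` in the last two sample lines are constructed.

```python
from collections import defaultdict

# Lines 1-4 are copied from the post; lines 5-6 are constructed to show an
# answered challenge (user "exampleuser") and a second, silent client.
SAMPLE_LOG = """\
1352906047.969 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(6).crl - NONE/- text/html
1352906047.981 0 172.16.4.254 TCP_DENIED/407 3975 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - NONE/- text/html
1352906048.040 0 172.16.4.254 TCP_DENIED/407 3849 GET http://www.startssl.com/sfsca.crl - NONE/- text/html
1352906065.587 0 172.16.4.254 TCP_DENIED/407 3898 GET http://www.startpagina.nl/layouts/startpagina/favicon.ico - NONE/- text/html
1352906065.640 41 172.16.4.254 TCP_MISS/200 1406 GET http://www.startpagina.nl/layouts/startpagina/favicon.ico exampleuser DIRECT/192.0.2.10 image/x-icon
1352906070.100 0 172.16.4.99 TCP_DENIED/407 3900 GET http://example.test/ - NONE/- text/html
"""


def parse_line(line):
    """Pick the fields used here out of one native-format access.log line."""
    f = line.split()
    if len(f) < 10:
        return None  # not a complete native-format entry
    status = f[3].partition("/")[2]
    return {"ts": float(f[0]), "client": f[2], "status": status,
            "url": f[6], "user": f[7]}


def unanswered_challenges(log_text, window=30.0):
    """Map client -> URLs that got a 407 and no authenticated retry.

    A retry counts when the same client asks for the same URL within
    `window` seconds, with a user name logged and a status other than 407.
    """
    pending = {}  # (client, url) -> time of the first unanswered 407
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        key = (entry["client"], entry["url"])
        if entry["status"] == "407":
            pending.setdefault(key, entry["ts"])
        elif entry["user"] != "-" and key in pending:
            if entry["ts"] - pending[key] <= window:
                del pending[key]
    result = defaultdict(list)
    for client, url in pending:
        result[client].append(url)
    return dict(result)


if __name__ == "__main__":
    for client, urls in unanswered_challenges(SAMPLE_LOG).items():
        print(client, "never authenticated for", len(urls), "URL(s)")
        for url in urls:
            print("   ", url)
```

URLs that stay in the result are fetched by agents that never answer the proxy's challenge, which is typical of background CRL and favicon fetchers.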
Re: [squid-users] compile error with sslbump on squid-3.3.0.1
On 15.11.2012 08:54, Shree R wrote:

> Hi,
>
> I am trying to compile squid-3.3.0.1 (latest release on 20 Oct 2012) with these configure options, "--enable-icap-client --enable-ssl --enable-ssl-crtd". I am building it on RHEL6.2 (64 bit), with GCC version as 4.4.6-3.el6 and openssl version as 1.0.0-20.el6.

You are using the RHEL library which is known to have been patched in ways that break the library ABI interface provided by OpenSSL upstream. I suggest locating yourself a cleaner more recent upstream version of OpenSSL library, may require building it yourself.

That patch should work for you, but may be incomplete. The SSL code in 3.3 has been extended so other places may need changing as well now.

Amos
[squid-users] compile error with sslbump on squid-3.3.0.1
Hi,

I am trying to compile squid-3.3.0.1 (latest release on 20 Oct 2012) with these configure options, "--enable-icap-client --enable-ssl --enable-ssl-crtd". I am building it on RHEL6.2 (64 bit), with GCC version as 4.4.6-3.el6 and openssl version as 1.0.0-20.el6. I am getting the following error on my system.

certificate_db.cc: In member function ‘void Ssl::CertificateDb::load()’:
certificate_db.cc:393: error: ‘index_serial_hash_LHASH_HASH’ was not declared in this scope
certificate_db.cc:393: error: ‘index_serial_cmp_LHASH_COMP’ was not declared in this scope
certificate_db.cc:396: error: ‘index_name_hash_LHASH_HASH’ was not declared in this scope
certificate_db.cc:396: error: ‘index_name_cmp_LHASH_COMP’ was not declared in this scope
certificate_db.cc: In member function ‘void Ssl::CertificateDb::deleteRow(const char**, int)’:
certificate_db.cc:428: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘_STACK*’ for argument ‘1’ to ‘void* sk_delete(_STACK*, int)’
certificate_db.cc:437: error: ‘LHASH’ was not declared in this scope
certificate_db.cc:437: error: ‘fieldIndex’ was not declared in this scope
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteInvalidCertificate()’:
certificate_db.cc:458: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘int sk_num(const _STACK*)’
certificate_db.cc:459: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteOldestCertificate()’:
certificate_db.cc:482: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘int sk_num(const _STACK*)’
certificate_db.cc:489: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteByHostname(const std::string&)’:
certificate_db.cc:506: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘int sk_num(const _STACK*)’
certificate_db.cc:507: error: cannot convert ‘stack_st_OPENSSL_PSTRING*’ to ‘const _STACK*’ for argument ‘1’ to ‘void* sk_value(const _STACK*, int)’
make[3]: *** [certificate_db.o] Error 1

A similar error has been reported on the user group (http://www.squid-cache.org/mail-archive/squid-users/201202/0057.html) but I am not sure if the suggested patch will work for my configuration (http://www.squid-cache.org/mail-archive/squid-users/201202/0062.html).

Any suggestions are appreciated.

Thanks,
Shree
[squid-users] url for certification providers
How can I allow the lines beneath, so the patterns .ico .crl will work without certification errors.

1352906047.969 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(6).crl - NONE/- text/html
1352906047.981 0 172.16.4.254 TCP_DENIED/407 3975 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - NONE/- text/html
1352906047.992 0 172.16.4.254 TCP_DENIED/407 3998 GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl - NONE/- text/html
1352906048.006 0 172.16.4.254 TCP_DENIED/407 3947 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - NONE/- text/html
1352906048.017 0 172.16.4.254 TCP_DENIED/407 3954 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - NONE/- text/html
1352906048.029 0 172.16.4.254 TCP_DENIED/407 3930 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl - NONE/- text/html
1352906048.040 0 172.16.4.254 TCP_DENIED/407 3849 GET http://www.startssl.com/sfsca.crl - NONE/- text/html
1352906048.051 0 172.16.4.254 TCP_DENIED/407 3994 GET http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl - NONE/- text/html
1352906048.062 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - NONE/- text/html
1352906065.587 0 172.16.4.254 TCP_DENIED/407 3898 GET http://www.startpagina.nl/layouts/startpagina/favicon.ico - NONE/- text/html
1352906108.106 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(6).crl - NONE/- text/html
1352906108.127 0 172.16.4.254 TCP_DENIED/407 3975 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - NONE/- text/html
1352906108.144 0 172.16.4.254 TCP_DENIED/407 3998 GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl - NONE/- text/html
1352906108.157 0 172.16.4.254 TCP_DENIED/407 3947 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - NONE/- text/html
1352906108.173 0 172.16.4.254 TCP_DENIED/407 3954 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - NONE/- text/html
1352906108.186 0 172.16.4.254 TCP_DENIED/407 3930 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl - NONE/- text/html
1352906108.202 0 172.16.4.254 TCP_DENIED/407 3849 GET http://www.startssl.com/sfsca.crl - NONE/- text/html
1352906108.216 0 172.16.4.254 TCP_DENIED/407 3994 GET http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl - NONE/- text/html
1352906108.230 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - NONE/- text/html
1352906117.713 3 172.16.4.254 TCP_DENIED/407 3938 GET http://www.experts-exchange.com/images/experts-exchange/favicon.ico - NONE/- text/html
1352906408.341 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(6).crl - NONE/- text/html
1352906408.354 0 172.16.4.254 TCP_DENIED/407 3975 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - NONE/- text/html
1352906408.368 0 172.16.4.254 TCP_DENIED/407 3998 GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl - NONE/- text/html
1352906408.383 0 172.16.4.254 TCP_DENIED/407 3947 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - NONE/- text/html
1352906408.398 0 172.16.4.254 TCP_DENIED/407 3954 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - NONE/- text/html
1352906408.413 0 172.16.4.254 TCP_DENIED/407 3930 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl - NONE/- text/html
1352906408.427 0 172.16.4.254 TCP_DENIED/407 3849 GET http://www.startssl.com/sfsca.crl - NONE/- text/html
1352906408.443 0 172.16.4.254 TCP_DENIED/407 3994 GET http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl - NONE/- text/html
1352906408.455 0 172.16.4.254 TCP_DENIED/407 3937 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - NONE/- text/html
Re: [squid-users] Getting connection port with ICAP or eCAP
You can use the port name acl to allow a specific ICAP service.
You can use an argument for the ICAP service such as:

    icap_service qlproxy13128 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod?3128

As you see there is an argument in the url, so just add another service like:

    icap_service qlproxy13129 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod?3129

and if the ICAP service supports arguments you will have an option to set rules per each port.

What I was actually wondering is if something like that can be added to the ICAP url as argument to the same service instead of using this kind of ACL.
There is another option that adds to the ICAP service headers to provide this data.

Regards,
Eliezer

On 11/14/2012 10:17 AM, Sharon Sahar wrote:

> Hi,
>
> I don't understand how to combine an ICAP url ( like "icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod" ) with an ACL to use it only for traffic that reaches squid at a specific port (one of the ports squid listens on).
>
> Can you please help me with an example?
>
> Much appreciated!

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
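The per-port selection described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration from the original messages: the listener names `port3128` and `port3129` and the ACL names are assumptions, and whether the ICAP server acts on the `?3128` / `?3129` query string depends on that server, as the reply notes.

```conf
# Two listening ports, each given a name that ACLs can match on.
# (Names are hypothetical; pick any label.)
http_port 3128 name=port3128
http_port 3129 name=port3129

icap_enable on

# One ICAP service definition per port, as in the reply. The query
# string tells the ICAP server which listener the request came through.
# bypass=0 means requests fail rather than skip adaptation when the
# ICAP server is unreachable.
icap_service qlproxy13128 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod?3128
icap_service qlproxy13129 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod?3129

# Match traffic by the listener it arrived on.
acl via3128 myportname port3128
acl via3129 myportname port3129

# Send each listener's traffic only to its own service.
adaptation_access qlproxy13128 allow via3128
adaptation_access qlproxy13128 deny all
adaptation_access qlproxy13129 allow via3129
adaptation_access qlproxy13129 deny all
```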
Re: [squid-users] logformat emulate_httpd_log
On 14/11/2012 10:38 p.m., Alexandre Chappaz wrote:

> Hi,
>
> I am looking for some precision on the %>st in the log format directive.
>
> with squid 2.6, I used to set
> emulate_httpd_log on
>
> In order to have the useragent and referer I commented this line out and used instead the combined format as defined here :
>
> logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
>
> This is messing up with the scripts I have for parsing the logfiles in the sense that %Hs and %

If you use the built-in format named "combined" you should be getting the actual Apache defined values for each field.

If you defined your own "logformat combined ..." you will get the Squid range of values where '-' is displayed for no-value in a field.

Amos
[squid-users] logformat emulate_httpd_log
Hi,

I am looking for some precision on the %>st in the log format directive.

with squid 2.6, I used to set
emulate_httpd_log on

In order to have the useragent and referer I commented this line out and used instead the combined format as defined here :

logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh

This is messing up with the scripts I have for parsing the logfiles in the sense that %Hs and %
Re: [squid-users] Getting connection port with ICAP or eCAP
Hi,

I don't understand how to combine an ICAP url ( like "icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod" ) with an ACL to use it only for traffic that reaches squid at a specific port (one of the ports squid listens on).

Can you please help me with an example?

Much appreciated!

- Forwarded message --
From: Eliezer Croitoru
To: squid-users@squid-cache.org
Cc:
Date: Tue, 06 Nov 2012 17:20:58 +0200
Subject: Re: [squid-users] Getting connection port with ICAP or eCAP

On 11/6/2012 5:09 PM, Sharon Sahar wrote:

> Hi,
>
> I understood that when using ICAP or eCAP, you basically receive the response and request body and headers, and there is an option to direct squid to send the client ip as well.
>
> I wonder, is there a way to instruct squid to send the listening port on which this client connection was received? (we use different listening ports to differentiate between users)