Re: [squid-users] A way to redirect google/Youtube SSL
On 28.11.12 23:22, David Touzeau wrote: Thanks !!! But what about Youtube ? I'm not aware of anything similar for youtube I'm afraid, but if you come across anything I'd be very interested. The other possibility is to ssl-bump the https sessions, but that's a bit nasty. -- - Steve Hill Technical Director Opendium Limited http://www.opendium.com Direct contacts: Instant messager: xmpp:st...@opendium.com Email:st...@opendium.com Phone:sip:st...@opendium.com Sales / enquiries contacts: Email:sa...@opendium.com Phone:+44-844-9791439 / sip:sa...@opendium.com Support contacts: Email:supp...@opendium.com Phone:+44-844-4844916 / sip:supp...@opendium.com
Re: [squid-users] Allowing skype through on an ssl bumped proxy
On 29/11/2012 7:22 p.m., Sean Boran wrote: Thanks for the various suggestions. - Running on HEAD from August, I would have thought I'm running (almost) the newest 3.3, Server bumping is in there. Maybe. There are crtd helper crashes, data from wrong FD being used on some ACLs after bumping, hanging SSL traffic, early aborted SSL traffic, wrongly numbered certificates and http(s)_port options not being used by the crtd properly issues all fixed since Aug. - http://wiki.squid-cache.org/ConfigExamples/Chat/Skype does not help, it is basically saying allow 443, and explains how to allow HTTP to all numeric addresses. I dont want to disable bumping for all numeric addresses. Actually its all numeric IPs *if* the Skype UA is present. Or you could invert the assumptions. Only bump if the UA is a browser one :-) - If I run head Im not allowed to report issues here? :-) More along the lines of this being a general help list. Reports only get fixed *IF* someone has time and inclination to do so (in here that usually means me personally). squid-dev has a larger team of people to assist, and bugzilla is the *right* place to report issues that are clearly bugs - even bugs in HEAD. Amos I'll pull the latest HEAD and recompile and try that. Sean On 28 November 2012 00:03, Amos Jeffries squ...@treenet.co.nz wrote: On 28.11.2012 11:32, Marcus Kool wrote: I have seen this issue on 3.1.x and cannot find anything in the Changelog that indicates that this issue is resolved in 3.3. What I observed in 3.1 is that sslbump assumes that all CONNECTs are used for SSL-wrapped HTTP traffic and lets all applications that use port 443 for other protocols hang when the SSL handshake fails. Marcus How evil can it be? oh. It's interception. Well then. 3.1 and 3.2 as you say, the situation is all-or-nothing. There are also not going to be any more feature changes to them. 3.3 server-first bumping is a large step in the direction of proper transparent interception for CONNECT. With server-bump failures it is possible to take the bumping out of the transaction and relay the traffic as if bumping was not being performed at all. I'm not sure exactly where the testing and operational status of that particular failover handling is now, but it was one of several design goals behind server-bump. So, with my maintainer hat on... If you need HTTPS interception please skip straight to 3.3. And please report your issues with that one to *bugzilla* or *squid-dev*. ... back to the question at hand though... On 11/27/2012 11:48 AM, Eliezer Croitoru wrote: if it's linux machine try to use firewall rules to block all traffic with TCP-RESET except dst port 80 and 443. This will close some of the things for you. but 3.head 1408 it's kind of old. you can try the latest 3.3.0.1 beta which have pretty good chance of to solve it by the new features. Regards, Eliezer On 11/27/2012 3:19 PM, Sean Boran wrote: Typically one wishes to block Skype, but I'd like to enable it :-) Looking at the access.log, the following domains were excluded from ssl bump: .skype.com .skypeassets.com skype.tt.omtrdc.net Please read: http://wiki.squid-cache.org/ConfigExamples/Chat/Skype The ACLs should work equally well for ssl_bump_access as for http_access. Amos
[squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
Hi, How to set /etc/logrotate.d/squid to have good sarg reports? logrotate daily Seem to be wrong - it won't be enough data to run squid-reports weekly, squid-reports monthly logrotate weekly Seem to be wrong as well - it won't be enough data to run squid-reports monthly logrotate monthly Like a good and bad. But /etc/cron.weekly/sarg is running once perticular day a week. Assume Sunday. If end of month will be in Friday than /etc/logrotate.d/squid - monthly will run, I will have monthly report, but weekly report won't be fully cause data will be only from Saturday and Sunday. I've got example http://vlep.pl/a9xgmi.jpg 22-28 Jul (report OK), missing data no 29-31 of Jul, missing data only 1-4 Aug, three weeks (reports OK), missing data, 1-1Sep - unfully week, and so on... logrotate longer than month/ yearly It's not good, cause access.log after month has about 10gigabytes. So it would be impossible to sarge to parse such big log, and I dont have infinity disk space ... So, how to set up it to have a logic structure? regards. Bartosz.
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
Hallo, Bartosz, you wrote in How to set /etc/logrotate.d/squid to have good sarg reports?: How to set /etc/logrotate.d/squid to have good sarg reports? My system runs the sarg reports at the end of the day, as a separate cronjob, and logrotate runs in the very early morning, as part of cron.daily. Viele Gruesse! Helmut
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
My system runs the sarg reports at the end of the day, as a separate cronjob, and logrotate runs in the very early morning, as part of cron.daily. Helmut So how can you create weekly and monthly reports if you create every day new log file? /etc/sarg/sarg.conf # TAG: access_log file # Where is the access.log file # sarg -l file # access_log /var/log/squid/access.log And after rotating you are having only one day in log file, dont you? Bartosz.
Re: [squid-users] Tproxy without spoofed source address
Hey Steve, OK so, for your internal (LAN) traffic, why put it through TPROXY at all? Why not exclude it from the redirect into the TPROXY engine and allow it to proxy through organically? As well you know, if TPROXY sees the traffic in one direction, it needs to see it in the other. My suggestion: Bypass TPROXY for LAN traffic. Nick -- Nick Fennell n...@tbfh.org On 28 Nov 2012, at 16:12, Steve Hill st...@opendium.com wrote: On 28.11.12 13:30, Nick Fennell wrote: The route needs to be Symmetric. The way I work round this behaviour is to have the Squid box be a part of the route for return traffic. This completes the connection and allows everything to work. I understand the routing requirements required to support the spoofed source address. Our servers are usually placed between the customer's LAN and the internet, so traffic between the internet and the LAN does indeed always go via the server. However, if the client requests an object from a webserver located on the LAN via the proxy, this routing doesn't happen. It would be nice for all the clients to be configured to avoid the proxy for access to local servers, but this isn't something that can be trivially guaranteed. Furthermore, since the clients are usually on RFC1918 networks, the traffic will all be NATted to a single global scope IP anyway, so spoofing the source address gains nothing. Since there is nothing to be gained from the spoofing, and lots of routing considerations to take into account when spoofing is used, it is desirable to disable the spoofing functionality in this case. TPROXY transmits requests as the original source IP which will always create this problem. Does that mean there is no way to disable source spoofing? I require the proxy transparent from the client's perspective, but it is undesirable to make the proxy invisible to the server. The client-proxy connection is fundamentally separate from the proxy-server connection and it seems odd that the configuration of one side of the proxy would dictate the behaviour of the other to such an extent. -- - Steve Hill Technical Director Opendium Limited http://www.opendium.com Direct contacts: Instant messager: xmpp:st...@opendium.com Email:st...@opendium.com Phone:sip:st...@opendium.com Sales / enquiries contacts: Email:sa...@opendium.com Phone:+44-844-9791439 / sip:sa...@opendium.com Support contacts: Email:supp...@opendium.com Phone:+44-844-4844916 / sip:supp...@opendium.com
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
Hallo, Bartosz, you wrote to [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?: My system runs the sarg reports at the end of the day, as a separate cronjob, and logrotate runs in the very early morning, as part of cron.daily. Helmut So how can you create weekly and monthly reports if you create every day new log file? I create only daily reports. For quota etc. I use squish. And after rotating you are having only one day in log file, dont you? That's another problem; I've just seen that rotating doesn't work as expected ... Viele Gruesse! Helmut
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
Hi, I also only do daily around 6h30, all from /etc/logrotate.d/squid: /var/log/squid/*.log { daily prerotate sarg 21 | logger /usr/lib/calamaris/calamaris-cron-script | logger endscript postrotate /etc/init.d/squid restart | logger endscript Sean On 29 November 2012 14:26, Helmut Hullen hul...@t-online.de wrote: Hallo, Bartosz, you wrote to [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?: My system runs the sarg reports at the end of the day, as a separate cronjob, and logrotate runs in the very early morning, as part of cron.daily. Helmut So how can you create weekly and monthly reports if you create every day new log file? I create only daily reports. For quota etc. I use squish. And after rotating you are having only one day in log file, dont you? That's another problem; I've just seen that rotating doesn't work as expected ... Viele Gruesse! Helmut
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
On 29 November 2012 14:42, Sean Boran s...@boran.com wrote: Hi, I also only do daily around 6h30, all from /etc/logrotate.d/squid: /var/log/squid/*.log { daily prerotate sarg 21 | logger /usr/lib/calamaris/calamaris-cron-script | logger endscript postrotate /etc/init.d/squid restart | logger endscript Sean Do you have weekly and monthly reports by sarg? Bartosz.
Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?
Hallo, Bartosz, bartos...@gmail.com meinte am 29.11.12 in squid zum Thema Re: [squid-users] How to set /etc/logrotate.d/squid to have good sarg reports?: My system runs the sarg reports at the end of the day, as a separate cronjob, and logrotate runs in the very early morning, as part of cron.daily. [...] And after rotating you are having only one day in log file, dont you? Yes, that may happen. I've just written a quick and dirty script which deletes all sarg directories which are older than 3 months. It's invoked from the /etc/ cron.monthly directory, it could be invoked from a simple cron job instead. The only thing you should change is DocRoot. #! /bin/bash # loescht alte sarg-Verzeichnisse # Helmut Hullen DocRoot=/home/www/squid-reports sargRef=/tmp/sarg$$ touch -d 'now - 3 months' $sargRef || exit 1 for Verz in $DocRoot/* do test -d $Verz || continue test -s $Verz/sarg-date || continue test $Verz/sarg-date -nt $sargRef continue rm -rf $Verz done rm -f $sargRef # # == # $Id: sarg-alt,v 1.1 2012-11-29 15:39:53+01 HHullen Exp $ # $Log: sarg-alt,v $ # Revision 1.1 2012-11-29 15:39:53+01 HHullen # Start # This script is independent from every logrotate mechanism. Viele Gruesse! Helmut
[squid-users] Problem accessing a site
Hi, Our Squid 2.7 proxies are failing on a specific request: KeyValue ResponseHTTP/1.0 400 Bad Request Server squid Date Wed, 28 Nov 2012 13:07:29 GMT Content-Typetext/html Content-Length2144 Expires Wed, 28 Nov 2012 13:07:29 GMT X-Squid-ErrorERR_INVALID_URL 0 X-Cache MISS from proxy.corp.com X-Cache-Lookup NONE from proxy.corp.com:80 Via 1.0 proxy.corp.com:80 (squid) Proxy-Connection close The request header is: KeyValue Request GET
Re: [squid-users] Problem accessing a site
On Nov 29, 2012, at 11:14 AM, Baird, Josh jba...@follett.com wrote: Hi, Our Squid 2.7 proxies are failing on a specific request: snip The request header is: KeyValue Request GET http://api.copiamobile.com/marketing-api/msQuiz/markFeaturedQuizzes?callback=jQuery171017257169384743326_1354106706654quizzes=%5B%7B%22quizId%22%3A1%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A2%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A3%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A4%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A5%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A6%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A7%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A8%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A9%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A10%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A11%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A12%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A13%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A14%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A15%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A16%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A17%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A18%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A19%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A20%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A21%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A22%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A23%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A24%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A25%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A26%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A27%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A28%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A29%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A30%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A31%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A32%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A33%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A34%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A35%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A36%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A37%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A38%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A39%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A45%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A46%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A47%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A48%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A49%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A50%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A51%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A52%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A53%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A54%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A55%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A56%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A58%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A59%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A60%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A61%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A62%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A63%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A64%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A65%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A66%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A67%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A68%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A69%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A71%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A73%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A74%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A75%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A77%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A81%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A85%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A87%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A88%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A90%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A91%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A92%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A93%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A98%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A99%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A100%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A102%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A103%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A104%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A105%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A106%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A108%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A109%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A110%2C%22featured%22%3Atrue%7D%5D_=1354108049439 HTTP/1.1 ,snip im sorry i have to chime in off topic but thats just crazy url abuse. is there some programmer on crack writing these things ? remember when a space in a url was just plain wrong ?? that
Re: [squid-users] Tproxy without spoofed source address
On 11/29/2012 3:31 PM, Nick Fennell wrote: Hey Steve, OK so, for your internal (LAN) traffic, why put it through TPROXY at all? Why not exclude it from the redirect into the TPROXY engine and allow it to proxy through organically? As well you know, if TPROXY sees the traffic in one direction, it needs to see it in the other. My suggestion: Bypass TPROXY for LAN traffic. +1 simple iptables rules. Eliezer Nick -- Nick Fennell n...@tbfh.org -- Eliezer Croitoru https://www1.ngtech.co.il sip:ngt...@sip2sip.info IT consulting for Nonprofit organizations eliezer at ngtech.co.il
Re: [squid-users] Problem accessing a site
On 30/11/2012 6:06 a.m., jeffrey j donovan wrote: On Nov 29, 2012, at 11:14 AM, Baird, Josh jba...@follett.com wrote: Hi, Our Squid 2.7 proxies are failing on a specific request: snip The request header is: KeyValue Request GET http://api.copiamobile.com/marketing-api/msQuiz/markFeaturedQuizzes?callback=jQuery171017257169384743326_1354106706654quizzes=%5B%7B%22quizId%22%3A1%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A2%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A3%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A4%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A5%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A6%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A7%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A8%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A9%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A10%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A11%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A12%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A13%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A14%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A15%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A16%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A17%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A18%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A19%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A20%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A21%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A22%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A23%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A24%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A25%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A26%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A27%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A28%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A29%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A30%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A31%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A32%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A33%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A34%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A35%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A36%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A37%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A38%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A39%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A45%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A46%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A47%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A48%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A49%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A50%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A51%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A52%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A53%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A54%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A55%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A56%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A58%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A59%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A60%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A61%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A62%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A63%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A64%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A65%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A66%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A67%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A68%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A69%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A71%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A73%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A74%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A75%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A77%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A81%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A85%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A87%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A88%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A90%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A91%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A92%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A93%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A98%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A99%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A100%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A102%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A103%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A104%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A105%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A106%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3A108%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A109%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A110%2C%22featured%22%3Atrue%7D%5D_=1354108049439 HTTP/1.1 ,snip im sorry i have to chime in off topic but thats just crazy url abuse. is there some programmer on crack writing these things ? remember when a
Re: [squid-users] Problem accessing a site
Sorry for top posting, my mobile device is crazy. I have seen SugarCRM also having these weird long URLs. But I also faintly remember a compile time option in a header file to increase this limit. -Nishant On 11/30/12, Amos Jeffries squ...@treenet.co.nz wrote: On 30/11/2012 6:06 a.m., jeffrey j donovan wrote: On Nov 29, 2012, at 11:14 AM, Baird, Josh jba...@follett.com wrote: Hi, Our Squid 2.7 proxies are failing on a specific request: snip The request header is: KeyValue Request GET
RE: [squid-users] Problem accessing a site
Top posting here as well (sorry). These proxies are actually squid 2.6 (RHEL5), sorry about that. So, because it is only 4.5k or so, you don't think the header size is an issue? I'm not sure how to debug this problem any further. Any suggestions? Thanks. -Original Message- From: Nishant Sharma [mailto:codemarau...@gmail.com] Sent: Thursday, November 29, 2012 10:32 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] Problem accessing a site Sorry for top posting, my mobile device is crazy. I have seen SugarCRM also having these weird long URLs. But I also faintly remember a compile time option in a header file to increase this limit. -Nin 11/30/12, Amos Jeffries squ...@treenet.co.nz wrote: On 30/11/2012 6:06 a.m., jeffrey j donovan wrote: On Nov 29, 2012, at 11:14 AM, Baird, Josh jba...@follett.com wrote: Hi, Our Squid 2.7 proxies are failing on a specific request: snip The request header is: KeyValue Request GET http://api.copiamobile.com/marketing-api/msQuiz/markFeaturedQuizzes? callback=jQuery171017257169384743326_1354106706654quizzes=%5B%7B%22 quizId%22%3A1%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A2%2C%2 2featured%22%3Afalse%7D%2C%7B%22quizId%22%3A3%2C%22featured%22%3Afal se%7D%2C%7B%22quizId%22%3A4%2C%22featured%22%3Afalse%7D%2C%7B%22quiz Id%22%3A5%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A6%2C%22fea tured%22%3Afalse%7D%2C%7B%22quizId%22%3A7%2C%22featured%22%3Afalse%7 D%2C%7B%22quizId%22%3A8%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%2 2%3A9%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A10%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A11%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A12%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A13%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A14%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A15%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A16%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A17%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A18%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A19%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A20%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A21%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A22%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A23%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A24%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A25%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A26%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A27%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A28%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A29%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A30%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A31%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A32%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A33%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A34%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A35%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A36%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A37%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A38%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A39%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A45%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A46%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A47%2C%22featur ed%22%3Atrue%7D%2C%7B%22quizId%22%3A48%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A49%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A50%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A51%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A52%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A53%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A54%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A55%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A56%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A58%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A59%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A60%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A61%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A62%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A63%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A64%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A65%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A66%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A67%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A68%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A69%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A71%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A73%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A74%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A75%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A77%2C%22featured%22%3Atrue%7D%2C%7B%22quizId%22%3 A81%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A85%2C%22featured %22%3Afalse%7D%2C%7B%22quizId%22%3A87%2C%22featured%22%3Afalse%7D%2C %7B%22quizId%22%3A88%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3 A90%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A91%2C%22featured
Re: [squid-users] Problem accessing a site
On 30/11/2012 5:04 p.m., Baird, Josh wrote: Top posting here as well (sorry). These proxies are actually squid 2.6 (RHEL5), sorry about that. So, because it is only 4.5k or so, you don't think the header size is an issue? I'm not sure how to debug this problem any further. I think the URL length is the main issue. There may be a secondary one in some particular header, but that is not visible when displaying it via some header interpreter. Your 2.6 has a 20KB default header limit. That is for the entire header set, each line is still up to 64KB - so a request consisting of that long URL and only a few short headers shodul still get through. However in my experience long URL are usually accompanied by large Cookies and other things that bloat the whole request out a lot. http://www.squid-cache.org/Versions/v2/2.6/cfgman/request_header_max_size.html You can try increasing that directives limit or an upgrade; 3.1+ should work with 4-8K URLs fine. But this only resolves it for your Squid, most other networks Squid will not have been tweaked or upgraded yet and will generate the same error, as will non-Squid software with their own usually smaller limits. Amos Any suggestions? Thanks. -Original Message- From: Nishant Sharma [mailto:codemarau...@gmail.com] Sent: Thursday, November 29, 2012 10:32 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] Problem accessing a site Sorry for top posting, my mobile device is crazy. I have seen SugarCRM also having these weird long URLs. But I also faintly remember a compile time option in a header file to increase this limit. -Nin 11/30/12, Amos Jeffries squ...@treenet.co.nz wrote: On 30/11/2012 6:06 a.m., jeffrey j donovan wrote: On Nov 29, 2012, at 11:14 AM, Baird, Josh jba...@follett.com wrote: Hi, Our Squid 2.7 proxies are failing on a specific request: snip The request header is: KeyValue Request GET http://api.copiamobile.com/marketing-api/msQuiz/markFeaturedQuizzes? callback=jQuery171017257169384743326_1354106706654quizzes=%5B%7B%22 quizId%22%3A1%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A2%2C%2 2featured%22%3Afalse%7D%2C%7B%22quizId%22%3A3%2C%22featured%22%3Afal se%7D%2C%7B%22quizId%22%3A4%2C%22featured%22%3Afalse%7D%2C%7B%22quiz Id%22%3A5%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A6%2C%22fea tured%22%3Afalse%7D%2C%7B%22quizId%22%3A7%2C%22featured%22%3Afalse%7 D%2C%7B%22quizId%22%3A8%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%2 2%3A9%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A10%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A11%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A12%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A13%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A14%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A15%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A16%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A17%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A18%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A19%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A20%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A21%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A22%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A23%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A24%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A25%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A26%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A27%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A28%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A29%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A30%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A31%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A32%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A33%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A34%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A35%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A36%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A37%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A38%2C%22featur ed%22%3Afalse%7D%2C%7B%22quizId%22%3A39%2C%22featured%22%3Afalse%7D% 2C%7B%22quizId%22%3A45%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22 %3A46%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A47%2C%22featur ed%22%3Atrue%7D%2C%7B%22quizId%22%3A48%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A49%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A50%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A51%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A52%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A53%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A54%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A55%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A56%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A58%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22% 3A59%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%3A60%2C%22feature d%22%3Afalse%7D%2C%7B%22quizId%22%3A61%2C%22featured%22%3Afalse%7D%2 C%7B%22quizId%22%3A62%2C%22featured%22%3Afalse%7D%2C%7B%22quizId%22%
[squid-users] A simple external helper error
Hi, I try to write a simple external helper for test. #!/bin/bash while read ip ; do if [ -e /tmp/test.err ] ; then echo ERR else echo OK fi done squid.conf external_acl_type test_helper ttl=0 negative_ttl=0 grace=0 %SRC /usr/lib64/squid/test.sh acl testacl external test_helper acl site1 dst 10.1.6.1 cache_peer proxy1.example.com parent 3128 0 name=P1 no-digest no-query cache_peer proxy2.example.com parent 3128 0 name=P2 no-digest no-query cache_peer_access P1 deny site1 testacl cache_peer_access P1 allow all cache_peer_access P2 allow all My plan is let site1 go through P1 proxy when exist /tmp/test.err file. But I'm fail because I found squid didn't check testacl. 0 requests in External ACL Statistics #FDPID# Requests# PendingFlagsTimeOffsetRequest 1382191900 0.0000(none) 2392192000 0.0000(none) But I configure like this: external_acl_type test_helper ttl=0 negative_ttl=0 grace=0 %SRC /usr/lib64/squid/test.sh acl testacl external test_helper http_access testacl all . . cache_peer_access P1 deny site1 testacl cache_peer_access P1 allow all It work. so, I think maybe external helper can't work first with cache_peer_access? My Squid Cache: Version 3.1.10 -- Regards, John Xue
Re: [squid-users] A simple external helper error
On 30/11/2012 7:46 p.m., John Xue wrote: Hi, I try to write a simple external helper for test. #!/bin/bash while read ip ; do if [ -e /tmp/test.err ] ; then echo ERR else echo OK fi done squid.conf external_acl_type test_helper ttl=0 negative_ttl=0 grace=0 %SRC /usr/lib64/squid/test.sh acl testacl external test_helper acl site1 dst 10.1.6.1 cache_peer proxy1.example.com parent 3128 0 name=P1 no-digest no-query cache_peer proxy2.example.com parent 3128 0 name=P2 no-digest no-query cache_peer_access P1 deny site1 testacl cache_peer_access P1 allow all cache_peer_access P2 allow all My plan is let site1 go through P1 proxy when exist /tmp/test.err file. But I'm fail because I found squid didn't check testacl. 0 requests in External ACL Statistics #FDPID# Requests# PendingFlagsTimeOffsetRequest 1382191900 0.0000(none) 2392192000 0.0000(none) But I configure like this: external_acl_type test_helper ttl=0 negative_ttl=0 grace=0 %SRC /usr/lib64/squid/test.sh acl testacl external test_helper http_access testacl all . . cache_peer_access P1 deny site1 testacl cache_peer_access P1 allow all It work. so, I think maybe external helper can't work first with cache_peer_access? Please read http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs dst and external type ACLs are both async/'slow' ACLs. Amos