Re: [squid-users] Custom error pages for cache_peer_access rules
Dear Amos,

I have a serious problem after upgrading to Squid3: it responds extremely slowly to some specific websites (www.cnn.com, www.brighttalk.com). I've tried squid-3.0.STABLE20, 3.1.20, 3.1.21 and 3.2.1, and all of them have the same slowness problem; however, this issue didn't happen in squid2.6 with the same configuration and accessing the same websites. Some guys suggested a DNS resolving issue, but it's not: the problem is that squid sends a (FIN,ACK) message to the website in the middle of loading and holds loading until it resolves the website again and tries to access it again.

Best Regards,
*Muhammad Shehata*
IT Network Security Engineer
TEData
Building A11- B90, Smart Village Km 28 Cairo - Alex Desert Road, 6th October, 12577, Egypt
T: +20 (2) 33 32 0700 | Ext: 1532
F: +20 (2) 33 32 0800 | M:
E: m.sheh...@tedata.net

On 11/22/2012 06:26 AM, Amos Jeffries wrote:
[squid-users] Squid3 extremely slow for some website cnn.com
Dear Amos,

I have a serious problem after upgrading to Squid3: it responds extremely slowly to some specific websites (www.cnn.com, www.brighttalk.com). I've tried squid-3.0.STABLE20, 3.1.20, 3.1.21 and 3.2.1, and all of them have the same slowness problem; however, this issue didn't happen in squid2.6 with the same configuration and accessing the same websites. Some guys suggested a DNS resolving issue, but it's not: the problem is that squid sends a (FIN,ACK) message to the website in the middle of loading and h

Best Regards,
*Muhammad Shehata*
IT Network Security Engineer
TEData
Building A11- B90, Smart Village Km 28 Cairo - Alex Desert Road, 6th October, 12577, Egypt
T: +20 (2) 33 32 0700 | Ext: 1532
F: +20 (2) 33 32 0800 | M:
E: m.sheh...@tedata.net
Re: [squid-users] Squid3 extremely slow for some website cnn.com
On 3/12/2012 9:12 p.m., Muhammed Shehata wrote:
> Dear Amos, I have a serious problem after upgrading to Squid3: it responds extremely slowly to some specific websites (www.cnn.com, www.brighttalk.com). I've tried squid-3.0.STABLE20, 3.1.20, 3.1.21 and 3.2.1, and all of them have the same slowness problem; however, this issue didn't happen in squid2.6 with the same configuration and accessing the same websites. Some guys suggested a DNS resolving issue, but it's not: the problem is that squid sends a (FIN,ACK) message to the website in the middle of loading and h

I notice brighttalk is an HTTPS site, so the issue there is likely to be bug 3659 which was resolved in 3.2.4.

CNN problem is not obvious. It has a great many objects in its pages, all of which have ETag and Vary problems which could do some very strange things to the responses. Since it is an HTTP-only site there is no reason Squid should be sending (FIN,ACK).

Amos
Re: [squid-users] Disabling client-initiated ssl renegotiation on Squid3.1.
Hi Amos.

2012/12/1 Amos Jeffries squ...@treenet.co.nz:
> On 1/12/2012 7:04 a.m., Thomas Martin wrote:
>> Hello everyone.
>>
>> I'm trying to patch Squid3.1 to disable client-initiated SSL renegotiation. I read that some users tried to do the same thing: http://www.squid-cache.org/mail-archive/squid-users/201203/0163.html
>> I tried the solution of Amos but I can't make it work. So I tried Squid3.2 and saw that this security issue was fixed in this version. Now I'm trying to use the Squid3.2 sources to backport into Squid3.1. Unfortunately I am not making any progress for now.
>
> Since you are building Squid, is there any particular reason why you are not building the currently supported 3.2 sources which, as you noticed, are fixed?

Good point; this is because of my company's rules. In summary we have our own versioning; for example a server v14 will have Squid 3.1, Php5.2, etc. So to have Squid3.2 we will have to upgrade the server to v15 (for example), but we can't do that for all servers in the meantime. So for security fixes we try to patch by ourselves.

> AFAIK the fix in Squid was just the change to remove our default SSL_OP_ALL which breaks the OpenSSL protection hack. Possibly combined with the default of using SSLv3 instead of SSLv2. Renegotiation is one of the options enabled by ALL.
>
> Note that your config can contain the ssloption=ALL and cause the renegotiate to happen again.
>
> Also notice that for any of this to work you need to be building against a fixed version of OpenSSL.
>
> === modified file 'src/ssl_support.cc' --- src/ssl_support.cc 2012-02-01 07:55:01 + +++ src/ssl_support.cc 2012-11-30 23:39:04 +
> @@ -425,7 +425,7 @@ static long ssl_parse_options(const char *options) { -long op = SSL_OP_ALL; +long op = 0; char *tmp; char *option;

I retried the compilation from the beginning and indeed it seems to work as expected. I don't know what my mistake was the first time... I'm confused :X. Probably because I patched some other files to make the compilation work with a newer gcc. Anyway a big thanks to you for your answer.

>> Can someone help me? At least give me an idea where I have to look (I didn't see anything about client-initiated renegotiation in ssl/support.* but I'm really not a great developer)...
>
> Squid contains nothing explicitly about client negotiation. It is all passed to OpenSSL. The closest that is reached is defaulting to SSL_OP_ALL (fixed by the above patch); the rest is squid.conf options set by the administrator and passed straight to OpenSSL.
>
>> Any help will be really appreciated. Thanks. Regards.
>> NB: Sorry for my English, I know it sucks.
>
> Reads fine to me :-)
>
> Amos

Thanks for your kindness ;) and sorry for wasting your time a bit.

Thomas
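Review bot: Changing the default in ssl_parse_options() from `long op = SSL_OP_ALL;` to `long op = 0;` drops every bug-workaround bit that SSL_OP_ALL bundles, not only the one tied to renegotiation, so deployments that relied on the old default can see interoperability changes with buggy peers; the hunk deserves a matching release-note / squid.conf documentation entry saying that administrators must now list the SSL_OP_* workarounds they still want explicitly, and that `ssloption=ALL` or `options=ALL` in squid.conf restores the pre-patch behaviour, renegotiation included, as the reply itself warns. It should also state next to the patch that the protection only materialises when Squid is built against an OpenSSL release that has the renegotiation fix, since nothing in this hunk checks the library version.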
Re: [squid-users] SSL Attacks against Squid in reverse proxy mode
Hi.

About this thread: http://www.squid-cache.org/mail-archive/squid-users/201210/0166.html

Just to let you know that the OpenSSL flag which controls TLS compression is SSL_OP_NO_COMPRESSION. This flag seems to exist only since OpenSSL 0.9.9.

Here is a quick and dirty patch to disable the compression in Squid3.1:

$ diff -u ../squeeze/squid3-3.1.6/src/ssl_support.cc src/ssl_support.cc --- ../squeeze/squid3-3.1.6/src/ssl_support.cc 2010-08-01 14:01:37.0 + +++ src/ssl_support.cc 2012-12-03 11:35:15.0 + @@ -376,6 +376,11 @@ NO_TLSv1, SSL_OP_NO_TLSv1 }, #endif +#ifdef SSL_OP_NO_COMPRESSION +{ +NO_Compression, SSL_OP_NO_COMPRESSION +}, +#endif { , 0 },

Next you will have to add NO_Compression to your Squid's configuration file (with ssloption= or options= in the https_port context). Obviously you have to build Squid with an OpenSSL version which supports this parameter (working fine for me with OpenSSL 1.0.1c).

Regards.
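Review bot: As pasted, the string literals in the hunk have lost their double quotes (`+NO_Compression, SSL_OP_NO_COMPRESSION` and the terminator `{ , 0 },`, and likewise the neighbouring `NO_TLSv1` context line), so the hunk would not compile verbatim; confirm the committed file carries `"NO_Compression"` and `""` before anyone applies it from the archive. Also, because the new entry sits inside `#ifdef SSL_OP_NO_COMPRESSION`, a Squid built against an OpenSSL that predates the flag (the mail says it appeared in 0.9.9) simply never learns the `NO_Compression` keyword, so an operator can put it in squid.conf and still have compression enabled; document the minimum OpenSSL version beside the option so that case is not mistaken for compression being off.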
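As an added illustration, not part of Thomas's patch or the Squid project's documentation, here is a constructed squid.conf fragment for the reverse-proxy https_port this patch targets, with the weak setting beside the hardened one; the port, site name and certificate paths are placeholders.

```conf
# Constructed example, not from the original thread. Host name and paths are placeholders.

# WEAK: "ALL" hands OpenSSL SSL_OP_ALL, which (as Amos notes upthread) is the bundle
# whose removal from the Squid default was the renegotiation fix, so this one keyword
# re-enables the behaviour the patched default "op = 0" was meant to avoid.
# https_port 443 accel defaultsite=www.example.com cert=/etc/squid/example.pem key=/etc/squid/example.key options=ALL

# HARDENED: name only the protections wanted. NO_Compression is the keyword added by the
# patch above and is only known to a Squid built against an OpenSSL that defines
# SSL_OP_NO_COMPRESSION; NO_SSLv2 is a keyword Squid 3.1 already understood.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/example.pem key=/etc/squid/example.key options=NO_SSLv2,NO_Compression
```

After editing, `squid -k parse` reports whether the build actually accepts the NO_Compression keyword before the service is reloaded.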
[squid-users] Failover from direct connect to sibling
Hello,

we are running 2 squid servers on separate gateway machines, each with its own internet connection. Our clients are given their configuration via WPAD. Recently we have had some trouble with the main connection and now would like to implement the following scenario: both Squid servers as siblings; if the direct connection of one of the servers dies, it uses its sibling to provide a response.

I found some older posts here, sadly only 'use direct if parent dies'. Hopefully somebody here can point me in the right direction.

Cheers,
Kim

--
Kim Zeitler -- System and Network Operator B.Sc (Hons)
Konzept Informationssysteme GmbH
Am Weiher 13
88709 Meersburg
GERMANY
Re: [squid-users] Re: how do you deploy after building squid yourself?
Hi,

On 12.04, I do install prerequisite packages/libraries, but not any squid package (it's cleaner), just build and run a make install (which puts squid in /usr/local). I have my own custom /etc/init.d/squid that starts squid with the config in /etc/squid/squid.conf and there specify log file locations, the proxy user etc.

Sean

On 2 December 2012 23:08, Amos Jeffries squ...@treenet.co.nz wrote:
> On 03.12.2012 09:55, carteriii wrote:
>> I found where the user and group are being set, so I have more confidence in my plan (detailed below), but would still appreciate some feedback.
>
> For future reference . . . There is no need to build with special parameters. Squid will run fine on Ubuntu with any ./configure build options. However, as you noticed, when building with ones different to Ubuntu you need to do all the scripts, directories and permissions setup yourself.
>
> If you want to integrate it with the Ubuntu package scripts then you need to install that package first to get all the special setup, then custom-build the sources with the Debian/Ubuntu build options: http://wiki.squid-cache.org/KnowledgeBase/Ubuntu#Compiling
>
> I recommend installing the squid package, since the squid3 package has a lot of patching to file paths adding that '3' which is not configurable in the official Squid sources.
>
> Amos
Re: [squid-users] Failover from direct connect to sibling
On 04.12.2012 05:41, Kim Zeitler wrote:
> Hello, we are running 2 squid servers on separate gateway machines, each with its own internet connection. Our clients are given their configuration via WPAD. Recently we have had some trouble with the main connection and now would like to implement the following scenario: both Squid servers as siblings; if the direct connection of one of the servers dies, it uses its sibling to provide a response.
>
> I found some older posts here, sadly only 'use direct if parent dies'.

That is because of the definitions of sibling and parent types.

Sibling is a cache in the same cluster/pool/group which may have a copy of the object if we don't - they do not normally provide any upstream connectivity.

Parent is a proxy providing connectivity upstream towards the server where the resource is hosted - they may or may not provide caching.

Siblings are also normally sharing the same upstream connectivity, so if DIRECT has been tried and failed there is no reason to expect a sibling to have a better connection. Whereas a parent is expected to be useful as an alternative route.

The way to do this is to configure the proxies as _parent_ of each other, with prefer_direct to make them try DIRECT access first. If you need to share cache data between them, set up a second linkage of type sibling for HTCP exchanges to happen on.

Amos
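Putting that advice into a constructed squid.conf fragment (added here, not Amos's text or a Squid project sample): the lines for proxy A, with proxy B carrying the mirror image; host names, the peer address and the loop-guard ACL are placeholders, and the nonhierarchical_direct line goes one step beyond the mail so that non-cacheable requests also get the fallback route.

```conf
# Constructed example for proxy A; proxy B carries the same lines with names and
# addresses swapped. All host names and addresses are placeholders.

visible_hostname proxy-a.example.internal   # must differ on each box: Squid uses its
unique_hostname  proxy-a.example.internal   # own name in Via to spot a forwarding loop

# Linkage 1: the other proxy as a PARENT, i.e. an alternative upstream route.
# no-query: it is a fallback, not something to ICP-poll on every request.
cache_peer proxy-b.example.internal parent 3128 0 no-query name=b_parent

# Use our own internet link first; the parent is only tried when DIRECT fails.
prefer_direct on
# By default non-hierarchical (non-cacheable) requests are sent direct to the origin
# only; turning this off lets them fall back to the parent as well.
nonhierarchical_direct off

# Linkage 2 (optional): the same host again as a SIBLING, for HTCP cache sharing only.
# proxy-only: don't store a second copy of objects the sibling already serves us.
htcp_port 4827
cache_peer proxy-b.example.internal sibling 3128 4827 htcp proxy-only name=b_sibling

# Loop guard: a request that arrived FROM proxy B (because B's link was down) must
# not be handed straight back to B if our own link is down too.
acl from_peer_b src 10.0.0.2/32
cache_peer_access b_parent deny from_peer_b
cache_peer_access b_sibling deny from_peer_b
```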
Re: [squid-users] Squid3 extremely slow for some website cnn.com
Dear Amos,

Kindly find the wireshark of the squid behaviour when accessing cnn: it takes 4 minutes to load the site. Is there any workaround to avoid such slowness, or any version of squid3 that can efficiently handle such websites containing ETag?

Best Regards,
*Muhammad Shehata*
IT Network Security Engineer
TEData
Building A11- B90, Smart Village Km 28 Cairo - Alex Desert Road, 6th October, 12577, Egypt
T: +20 (2) 33 32 0700 | Ext: 1532
F: +20 (2) 33 32 0800 | M:
E: m.sheh...@tedata.net

On 12/03/2012 01:30 PM, Amos Jeffries wrote:
> On 3/12/2012 9:12 p.m., Muhammed Shehata wrote:
>
> I notice brighttalk is an HTTPS site, so the issue there is likely to be bug 3659 which was resolved in 3.2.4.
>
> CNN problem is not obvious. It has a great many objects in its pages, all of which have ETag and Vary problems which could do some very strange things to the responses. Since it is an HTTP-only site there is no reason Squid should be sending (FIN,ACK).
>
> Amos
>
>> Dear Amos, I have a serious problem after upgrading to Squid3: it responds extremely slowly to some specific websites (www.cnn.com, www.brighttalk.com). I've tried squid-3.0.STABLE20, 3.1.20, 3.1.21 and 3.2.1, and all of them have the same slowness problem; however, this issue didn't happen in squid2.6 with the same configuration and accessing the same websites. Some guys suggested a DNS resolving issue, but it's not: the problem is that squid sends a (FIN,ACK) message to the website in the middle of loading and h