[squid-users] Filter by time and white-black lists
I've tried many times and I cannot do it, please help :(

I have 2 classrooms, total 40 PCs + 5 manager PCs + 1 administrator.

So the IP ranges are:
10.77.88.1-10.77.88.41 - for classroom
10.77.88.42-10.77.88.46 - for managers
10.77.88.47 - admin

Task:
1) Internet only for these 46 hosts 10.77.88.1-10.77.88.47
2) Classroom and managers can access the internet only on workdays from 9 to 17
3) Classroom has a blacklist of sites in a file, for which access is denied
4) Managers can only visit whitelisted sites in a file, all others blocked
5) Admin can visit any website at any time
6) On weekends (A S) access only by authentication

I am new to squid so I have difficulty doing this. I was able to set access by days and time for one range, but how do I join this with the white/black lists and the other ranges for managers and admin + authentication o_o I don't get how this http_access deny access works, in what order. Can someone provide a solution for my task? I will be very grateful.
Re: [squid-users] Filter by time and white-black lists
Hello, Artur,

You wrote on 21.01.13:

> I've tried many times and I cannot do it, please help :(
> I have 2 classrooms, total 40 PCs + 5 manager PCs + 1 administrator.
> So the IP ranges are:
> 10.77.88.1-10.77.88.41 - for classroom
> 10.77.88.42-10.77.88.46 - for managers
> 10.77.88.47 - admin
> Task:
> 1) Internet only for these 46 hosts 10.77.88.1-10.77.88.47
> 2) Classroom and managers can access the internet only on workdays from 9 to 17
> 3) Classroom has a blacklist of sites in a file, for which access is denied
> 4) Managers can only visit whitelisted sites in a file, all others blocked
> 5) Admin can visit any website at any time
> 6) On weekends (A S) access only by authentication
> I am new to squid so I have difficulty doing this. I was able to set access by days and time for one range, but how do I join this with the white/black lists and the other ranges for managers and admin + authentication o_o I don't get how this http_access deny access works, in what order. Can someone provide a solution for my task? I will be very grateful.

You seem to live in Germany, perhaps you should look at linux-user 2/2013, p. 16 ... 20 (Squid als Spiel- und Social-Network-Bremse).

I'd try the following http_access order (untested):

    acl localnet src 10.77.88.1-10.77.88.47
    # all others get fired
    http_access deny !localnet

    acl admin src 10.77.88.47
    # they are privileged
    http_access allow admin

    # the blacklist file holds destination domains, one per line
    acl blacklist dstdomain "/etc/squid/blacklist"
    acl schueler src 10.77.88.1-10.77.88.41
    # managers have more rights
    # you may define a special acl for managers; it's not necessary in this
    # example
    http_access allow !schueler
    # pupils are restricted
    http_access allow schueler !blacklist

    # all other cases
    http_access deny all

The time restrictions are not implemented; take a look at listing 1 in the above mentioned article.

Best regards!
Helmut
[squid-users] How to modify the process owner name in syslog
Hi all,

I just finished the configuration on my squid 2.7, making it send all the access log to an external syslog server. It is working properly. Thanks very much for creating such nice software.

But I want to know whether I can change the name in the syslog like below:

    Jan 21 08:09:10 192.168.0.1 *squid[12345]*: log message

And when I trigger the logger via the command line, I get another syslog record like below:

    Jan 21 08:09:10 192.168.0.1 root: message via command line

So my question is whether I can change the process name in the system log, or just not show it.

Thanks in advance. :)
[squid-users] Squid is crashing
Hi all,

My squid is crashing and I am getting the file of following core dump, this is suddenly happening since last 2 weeks. Before it was working fine.

    [root@hostal-squid cache]# ls -lah /usr/local/squid/var/cache/
    total 5.5G
    drwxr-xr-x. 2 squid squid 4.0K Jan 21 14:55 .
    drwxr-xr-x. 5 squid squid 4.0K Aug 29 03:44 ..
    -rw--- 1 squid squid 3.0G Jan 20 03:58 core.3878
    -rw--- 1 squid squid 3.0G Jan 20 04:06 core.3904

The version of squid with compiled option is as below:

    [root@hostal-squid cache]# squid -v
    Squid Cache: Version LUSCA_HEAD-r14809
    configure options: '--enable-delay-pools' '--disable-arp-acl' '--enable-linux-netfilter' '--enable-large-cache-files' '--enable-cache-digests' '--enable-external-acl-helpers=ip_user' '--disable-ident-lookups' '--enable-removal-policies=heap,lru' '--disable-snmp' '--disable-ssl' '--enable-storeio=aufs,coss' '--with-aio' '--with-maxfd=1048576' '--with-dl' '--with-pthreads' '--with-large-files' '--disable-unlinkd' '--disable-htcp'

I am using this proxy in university setup and also using delay pool for controlling bandwidth.

Please help me resolve the issue. And how can I check core dump files for further investigation of the issue.

Looking forward for urgent support in this regards.

BR
Farooq
Re: [squid-users] Squid is crashing
Hi Farooq,

For debugging purpose launch squid with gdb.

    gdb file path/squid
    run args

and when squid crashes, type

    bt full

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr
RE: [squid-users] Squid is crashing
Hi Blot,

Thanks for the prompt response, do you mean I have to modify the startup script of squid and start it with?

    gdb /usr/local/squid/sbin/squid -D

Further I have run the core analysis for both files it is giving this

    [root@hostal-squid cache]# gdb --core=core.3878
    GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type show copying
    and show warranty for details.
    This GDB was configured as x86_64-redhat-linux-gnu.
    For bug reporting instructions, please see:
    http://www.gnu.org/software/gdb/bugs/.
    Missing separate debuginfo for the main executable file
    Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/2d/ab64a8900291abe7210d01082d20acdd047008
    [New Thread 3878]
    [New Thread 3880]
    [New Thread 3890]
    [New Thread 3892]
    [New Thread 3894]
    [New Thread 3889]
    [New Thread 3888]
    [New Thread 3891]
    [New Thread 3887]
    [New Thread 3893]
    [New Thread 3886]
    [New Thread 3885]
    [New Thread 3884]
    [New Thread 3883]
    [New Thread 3879]
    [New Thread 3882]
    [New Thread 3881]
    Core was generated by `(squid) -D'.
    Program terminated with signal 6, Aborted.
    #0 0x00346b232885 in ?? ()

    [root@hostal-squid cache]# gdb --core=core.3904
    GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type show copying
    and show warranty for details.
    This GDB was configured as x86_64-redhat-linux-gnu.
    For bug reporting instructions, please see:
    http://www.gnu.org/software/gdb/bugs/.
    Missing separate debuginfo for the main executable file
    Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/2d/ab64a8900291abe7210d01082d20acdd047008
    [New Thread 3904]
    [New Thread 3906]
    [New Thread 3918]
    [New Thread 3917]
    [New Thread 3916]
    [New Thread 3908]
    [New Thread 3909]
    [New Thread 3920]
    [New Thread 3919]
    [New Thread 3910]
    [New Thread 3907]
    [New Thread 3911]
    [New Thread 3913]
    [New Thread 3915]
    [New Thread 3914]
    [New Thread 3912]
    [New Thread 3905]
    Core was generated by `(squid) -D'.
    Program terminated with signal 6, Aborted.
    #0 0x00346b232885 in ?? ()

Regards,
Muhammad Farooq
Re: [squid-users] Squid is crashing
Args are not passed to gdb. You must type:

    gdb /usr/local/squid/sbin/squid

and in the gdb prompt

    run -D

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr
Re: [squid-users] Filter by time and white-black lists
Hello, Artur,

You wrote on 21.01.13:

> Can you please make full filter with test, I know that i maybe asking too much but I struggle to do this quite a while :(

Sorry - I have enough other work to do.

> and what is schueler

It's the German word for pupil.

> with complete version of filter I would understand how this work, exactly with time I started to get problems

No - you should try to understand how squid works. Perhaps you know how a potato harvester works: it sorts for size, and it sorts out all particles which are not potatoes (a bit simplified).

small potatoes: sort it out into the basket for small - ready
no potato: sort it out to garbage - ready
bigger potatoes: go on to the next station

And then you should study how and when acls are AND-combined or OR-combined.

Best regards!
Helmut
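The sorting-station behaviour described in the reply above (the first matching http_access line decides, ACL names on one line are AND-combined, values inside one acl are OR-combined), as an added example that is not part of the thread. It is a small Python model of a subset of squid.conf, not Squid itself; the policy text is one constructed reading of the six requirements, the list domains are placeholders, and proxy_auth is simplified to "the request carries a user name" (a real Squid would send an authentication challenge at that point).

```python
import ipaddress
from datetime import datetime

# Constructed policy: one reading of the six requirements in the thread.
# List entries are placeholders, written inline instead of in list files.
CONF = """\
acl localnet  src 10.77.88.1-10.77.88.47
acl admin     src 10.77.88.47
acl managers  src 10.77.88.42-10.77.88.46
acl classroom src 10.77.88.1-10.77.88.41
acl workhours time MTWHF 09:00-17:00
acl weekend   time SA
acl whitelist dstdomain .example.org
acl blacklist dstdomain .games.example
acl authed    proxy_auth REQUIRED
http_access deny !localnet
http_access allow admin
http_access allow weekend authed
http_access deny !workhours
http_access allow managers whitelist
http_access deny managers
http_access deny classroom blacklist
http_access allow classroom
http_access deny all
"""

# Same rules with the two classroom lines swapped: the broad allow now wins.
BAD_ORDER = CONF.replace(
    "http_access deny classroom blacklist\nhttp_access allow classroom\n",
    "http_access allow classroom\nhttp_access deny classroom blacklist\n")

DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Monday = 0)


def parse(conf):
    """Return ({acl name: (type, [values])}, [(action, [acl names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def acl_matches(kind, values, req):
    """True if ANY value of the acl matches the request (values are OR-ed)."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        for value in values:
            lo, _, hi = value.partition("-")
            if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo):
                return True
        return False
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.org" covers the domain and its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "time":
        when = req["when"]
        days = next((v for v in values if v.isalpha()), DAYS)
        start, end = next((v for v in values if ":" in v), "00:00-23:59").split("-")
        return DAYS[when.weekday()] in days and start <= when.strftime("%H:%M") <= end
    if kind == "proxy_auth":
        return bool(req.get("user"))  # simplification: no 407 challenge modelled
    raise ValueError("acl type not modelled: " + kind)


def decide(conf, req):
    """Return (action, 1-based number of the deciding http_access line)."""
    acls, rules = parse(conf)
    last = "allow"  # so an empty rule list falls through to deny
    for number, (action, names) in enumerate(rules, 1):
        last = action
        for n in names:  # every acl on the line must match (AND)
            negated, name = n.startswith("!"), n.lstrip("!")
            hit = name == "all" or acl_matches(*acls[name], req)
            if hit == negated:
                break
        else:
            return action, number  # first matching line wins
    # nothing matched: the opposite of the last line's action applies
    return ("deny" if last == "allow" else "allow"), None


def request(src, when, host, user=None):
    return {"src": src, "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "host": host, "user": user}


if __name__ == "__main__":
    monday = "2013-01-21 10:00"
    for conf in (CONF, BAD_ORDER):
        print(decide(conf, request("10.77.88.5", monday, "www.games.example")))
```

Swapping the two classroom lines is enough to let the blacklisted host through, which is why the order of http_access lines has to be reviewed as carefully as the lists themselves.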
RE: [squid-users] Squid is crashing
Hi,

I tried but I am getting this error

    [root@hostal-squid cache]# gdb /usr/local/squid/sbin/squid
    GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type show copying
    and show warranty for details.
    This GDB was configured as x86_64-redhat-linux-gnu.
    For bug reporting instructions, please see:
    http://www.gnu.org/software/gdb/bugs/...
    Reading symbols from /usr/local/squid/sbin/squid...done.
    (gdb) run -D
    Starting program: /usr/local/squid/sbin/squid -D
    [Thread debugging using libthread_db enabled]

    Program exited with code 01.
    Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64
    (gdb)

Regards,
Muhammad Farooq
[squid-users] Re: Squid 3.2.6 hot object cache
> Rock and COSS storage types however are far more optimized for speed, using both disk and RAM storage in their normal disk configuration.

Amos, haven't you been a little bit too generous in your comments, especially this referred one?

I looked at the docs both for COSS and Rock, and the following excerpts made me a bit skeptical:

1) COSS: Changes in 3.3 cache_dir

   COSS storage type is lacking stability fixes from 2.6

When I read such a statement, I refuse to use this feature in a production environment. Even in case, it has a lot of speed advantages. One crash might wipe out all speed advantages.

2) Rock: http://wiki.squid-cache.org/Features/RockStore#limitations

   2a) Rock store is available since Squid version 3.2.0.13. It has received some lab and limited deployment testing. It needs more work to perform well in a variety of environments, but appears to be usable in some of them.
   2b) Objects larger than 32,000 bytes cannot be cached when cache_dirs are shared among workers.
   2c) Current implementation uses OS buffers for simplicity.

When reading 2a) I start to be cautious again :-)

2b) tells me, it very much depends upon the mean size/standard deviation of the cached objects, whether using Rock really has an advantage. Might change in the future with Rock-large, though.

2c) Makes the theoretical approach to evaluate performance advantages of Rock almost impossible. Because you always have to consider the filesystem used, with the respective options, having a huge impact on performance.

So the only serious approach right now to advocate possible performance advantages would be after quite some benchmarking, using real workloads. Which certainly are very site specific.

Because of the basic principle of Rock and Rock-large (which are like filesystems themselves), using raw disk-I/O is possible in the future, at least, which MIGHT THEN justify a general statement much more optimized to speed.
Re: [squid-users] How to modify the process owner name in syslog
Hey Bill,

Since squid 2.7 is not maintained anymore I doubt you will get much support about it but if you have the relevant settings you have used maybe someone can help you.

Regards,
Eliezer
Re: [squid-users] Filter by time and white-black lists
Although Squid ACLs can do almost anything they are not the simplest thing to configure. A URL redirector like ufdbGuard offloads work from Squid and can do the same thing using a more intuitive configuration:

    source admin {
       ip 10.77.88.47
    }
    source managers {
       ip 10.77.88.42-10.77.88.46
    }
    source classroom {
       ip 10.77.88.1-10.77.88.41
    }
    category whitelist01 {
       domainlist .../whitelist01/domains
    }
    category blacklist01 {
       domainlist .../blacklist01/domains
    }
    time workinghours {
       weekly mon,tue,wed,thu,fri 09:00 - 17:00
    }
    acl {
       admin {
          pass any
       }
       managers within workinghours {
          pass whitelist01 none
       } else {
          pass none
       }
       classroom within workinghours {
          pass !blacklist01 any
       } else {
          pass none
       }
       default {
          pass none
       }
    }

Marcus
Re: [squid-users] Squid is crashing
Look at /var/log/squid/cache.log or /var/log/messages (under BSD) to get the error. If squid stops at boot there is a problem in your config.

You can also type

    bt full

when gdb gives you the prompt.

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr
Re: [squid-users] CLOSE_WAIT
On 11.01.13 00:06, Amos Jeffries wrote:

So it seems apparent that after Squid delivers the clear-text response, it abandons the socket but never closes it. From looking in the source, this is client_side.cc, and it has a comment:

    // XXX: Can this happen? CONNECT tunnels have deferredRequest set.

It looks to me as if the (conn->flags.readMore) section above should be the bit being executed, although I don't quite understand deferred requests. In either case, it seems like we should close the socket if it ever gets abandoned?

Calling conn->clientConnection->close() from else part where the connection is abandoned seems the right thing to do.

Is there any situation where closing the connection when it is abandoned is the wrong thing to do?

However, since the CONNECT and the response were both served with a Connection: keep-alive header, it seems that readMore should really be true at this point anyway. clientProcessRequest() explicitly sets readMore = false for CONNECT requests, so I don't understand how Squid handles keep-alive CONNECT tunnels?

--
Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Re: [squid-users] Single Squid Server for different VLAN
Firstly i'm using Windows 2008 Server to set this up. I'm a starter with Squid so would like to know basic networking/TCP-IP setup of Squid server to enable it to serve two different VLAN simultaneously like: 1. Do i need two NIC on squid server to enable it to serve two VLAN? 2. If answer to 1 is Yes, then what should be the gateway settings for both NIC? Should both NIC have their gateway set? If Yes, will this configuration work on Windows 2008 Server? If No, how will Squid server route the traffic from both VLANs? Since i'm just starting up with the setup, any other suggestions/considerations related to initial Squid Proxy setup are welcome. Thanks From: Amos Jeffries squ...@treenet.co.nz To: squid-users@squid-cache.org Sent: Saturday, 19 January 2013 2:45 PM Subject: Re: [squid-users] Squid Proxy Server Setup Configuration On 19/01/2013 8:26 a.m., kamaljeet singh wrote: Hello, I'm looking to implement a single squid-proxy server for two different VLANs. Both VLAN have their outgoing traffic configured through different ISP i.e. traffic for users on VLAN1 is routed through ISP1 and traffic for users on VLAN2 is routed through ISP2. The proxy server needs to be setup such that it should route internet traffic for users in VLAN1 through ISP1 and for users in VLAN2 traffic should be routed through ISP2. Is this kind of setup possible? If yes, what hardware software configurations will be needed to fulfill this requirement. Yes it is possible. Use cache_peer if your ISP have proxies you can route directly to. Or tcp_outgoing_* functionality to set TOS or MARK values for the system route selection to make decisions about particular traffic. Amos
RE: [squid-users] Squid is crashing
Thanks for the prompt response.

Actually I am a newbie to debugging. I have never used any debugging tool before, so I have no idea of the error I am getting. Anyhow, I have googled for the last error and was able to install the glibc debuginfo packages, but now the error has changed, as shown below. So far I have not been able to run gdb, as my program exited with code 01. Please check below:

#
[root@hostal-squid cache]# gdb /usr/local/squid/sbin/squid
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-56.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/squid/sbin/squid...done.
(gdb) run -D
Starting program: /usr/local/squid/sbin/squid -D
[Thread debugging using libthread_db enabled]
warning: the debug information found in /usr/lib/debug//lib64/libfreebl3.so.debug does not match /lib64/libfreebl3.so (CRC mismatch).
warning: the debug information found in /usr/lib/debug/lib64/libfreebl3.so.debug does not match /lib64/libfreebl3.so (CRC mismatch).
Missing separate debuginfo for /lib64/libfreebl3.so
Try: yum --disablerepo='*' --enablerepo='*-debug*' install /usr/lib/debug/.build-id/68/195872ecfb188389d29aaf01031a976fd18168.debug
Program exited with code 01.
(gdb) bt full
No stack.
(gdb) quit
##

Now by googling I am not getting any clue about it. Would you please help me in this regard?

Regards,
Muhammad Farooq

Save the environment. Please don't print this email unless you really need to.
-Original Message-
From: Loïc Blot [mailto:loic.b...@unix-experience.fr]
Sent: Monday, January 21, 2013 6:41 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid is crashing

Look at /var/log/squid/cache.log or /var/log/messages (under BSD) to get the error. If squid stops at boot there is a problem in your config. You can also type bt full when gdb gives you the prompt.

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr

On Monday 21 January 2013 at 16:53 +0500, Farooq Bhatti wrote:

Hi, I tried but I am getting this error

[root@hostal-squid cache]# gdb /usr/local/squid/sbin/squid
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/squid/sbin/squid...done.
(gdb) run -D
Starting program: /usr/local/squid/sbin/squid -D
[Thread debugging using libthread_db enabled]
Program exited with code 01.
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64
(gdb)

Regards,
Muhammad Farooq

Save the environment. Please don't print this email unless you really need to.

-Original Message-
From: Loïc Blot [mailto:loic.b...@unix-experience.fr]
Sent: Monday, January 21, 2013 4:06 PM
To: Farooq Bhatti
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid is crashing

Args are not passed to gdb. You must type:

gdb /usr/local/squid/sbin/squid

and in the gdb prompt

run -D

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr

On Monday 21 January 2013 at 16:02 +0500, Farooq Bhatti wrote:

Hi Blot, Thanks for the prompt response, do you mean I have to modify the startup script of squid and start it with?

gdb /usr/local/squid/sbin/squid -D

Further I have run the core analysis for both files; it is giving this

[root@hostal-squid cache]# gdb --core=core.3878
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/.
Missing separate
[squid-users] Squid as reverse proxy and PCI Tests
Hope this can help :) http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/ Best Regards, Sebastien WENSKE
Re: [squid-users] Squid as reverse proxy and PCI Tests
On 1/21/2013 6:11 PM, Sébastien WENSKE wrote: Hope this can help :) http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/ Best Regards, Sebastien WENSKE Just wondering how it helps in these tests? Since not everybody knows the reason you should explain the cause and the result of the patch. Regards, Eliezer
Re: [squid-users] Squid is crashing
On 1/21/2013 5:19 PM, Farooq Bhatti wrote:
> Thanks for the prompt response. Actually I am a newbie to debugging. I have never used any debugging tool before, so I have no idea of the error I am getting. Anyhow, I have googled for the last error and was able to install the glibc debuginfo packages, but now the error has changed, as shown below. So far I have not been able to run gdb, as my program exited with code 01. Please check below:

SNIP

> On Monday 21 January 2013 at 15:32 +0500, Farooq Bhatti wrote:
>> Hi all, My squid is crashing and I am getting the following core dump files; this has suddenly been happening for the last 2 weeks. Before it was working fine.
>>
>> [root@hostal-squid cache]# ls -lah /usr/local/squid/var/cache/
>> total 5.5G
>> drwxr-xr-x. 2 squid squid 4.0K Jan 21 14:55 .
>> drwxr-xr-x. 5 squid squid 4.0K Aug 29 03:44 ..
>> -rw--- 1 squid squid 3.0G Jan 20 03:58 core.3878
>> -rw--- 1 squid squid 3.0G Jan 20 04:06 core.3904
>>
>> The version of squid with compiled options is as below:
>>
>> [root@hostal-squid cache]# squid -v
>> Squid Cache: Version LUSCA_HEAD-r14809
>> configure options: '--enable-delay-pools' '--disable-arp-acl' '--enable-linux-netfilter' '--enable-large-cache-files' '--enable-cache-digests' '--enable-external-acl-helpers=ip_user' '--disable-ident-lookups' '--enable-removal-policies=heap,lru' '--disable-snmp' '--disable-ssl' '--enable-storeio=aufs,coss' '--with-aio' '--with-maxfd=1048576' '--with-dl' '--with-pthreads' '--with-large-files' '--disable-unlinkd' '--disable-htcp'

SNIP

Hey there,

This version of squid is not squid but LUSCA, which is a fork of squid 2.7. If you need help with it, try contacting the LUSCA developers. Since I am not following lusca I don't know anything about their revisions and maintenance, but there are many new features in squid 3+, so as always I suggest you try to use the latest stable squid.

Best regards,
Eliezer
Re: [squid-users] Squid as reverse proxy and PCI Tests
On 2013-01-21 10:11, Sébastien WENSKE wrote: Hope this can help :) http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/ Best Regards, Sebastien WENSKE Wouldn't just compiling against OpenSSL build that has had zlib compression disabled get the same end result, without requiring a patch and editing your configuration? -- Thanks, Dean E. Weimer http://www.dweimer.net/
Re: [squid-users] How to modify the process owner name in syslog
Hi Eliezer,

Thanks for your reply. I understand, but currently I am still using squid 2.7; it is good enough for me. Now I am still trying to find out whether I can change the name in the syslog like below:

Jan 21 08:09:10 192.168.0.1 *squid[12345]*: log message

I just want to hide the squid[12345]. Does anyone know how? Thanks.

Best Regards,

On Mon, Jan 21, 2013 at 9:22 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:

Hey Bill,

Since squid 2.7 is not maintained anymore I doubt you will get much support about it, but if you have the relevant settings you have used maybe someone can help you.

Regards,
Eliezer

On 1/21/2013 12:09 PM, Bill Yuan wrote:

Hi all,

I just finished the configuration on my squid 2.7, making it send all the access log to an external syslog server. It is working properly. Thanks very much for creating such nice software. But I want to know whether I can change the name in the syslog like below:

Jan 21 08:09:10 192.168.0.1 *squid[12345]*: log message

And when I trigger the logger via the command line, I can get another syslog record like below:

Jan 21 08:09:10 192.168.0.1 root: message via command line

So my question is whether I can change the process name in the system log, or just not show it. Thanks in advance. :)
RE: [squid-users] Squid as reverse proxy and PCI Tests
You're right, I just updated the post :)

Sebastien.

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Monday, 21 January 2013 17:42
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid as reverse proxy and PCI Tests

On 1/21/2013 6:11 PM, Sébastien WENSKE wrote:

Hope this can help :) http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/

Best Regards,
Sebastien WENSKE

Just wondering how it helps in these tests? Since not everybody knows the reason you should explain the cause and the result of the patch.

Regards,
Eliezer
RE: [squid-users] Squid as reverse proxy and PCI Tests
Not tested, but the CIPHER_SERVER_PREFERENCE still needed :)

Sebastien

-Original Message-
From: dweimer [mailto:dwei...@dweimer.net]
Sent: Monday, 21 January 2013 18:06
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid as reverse proxy and PCI Tests

On 2013-01-21 10:11, Sébastien WENSKE wrote:

Hope this can help :) http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/

Best Regards,
Sebastien WENSKE

Wouldn't just compiling against OpenSSL build that has had zlib compression disabled get the same end result, without requiring a patch and editing your configuration?

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
RE: [squid-users] ssl_crtd reporting certificate database as uninitialized
Had some time to play around again. SELinux was the culprit. Set to permissive and it launched without issue. Now to sort out Kerberos. When I revisit SELinux (after Kerberos and ICAP) I'll mail back what I did to make it SELinux friendly again.

-Original Message-
From: Jason A. Sloan [mailto:jason_sl...@oh.rr.com]
Sent: Friday, January 11, 2013 5:30 PM
To: 'Ahmed Talha Khan'
Cc: 'squid-users@squid-cache.org'
Subject: RE: [squid-users] ssl_crtd reporting certificate database as uninitialized

So I found that the server comes up and stays up if I run:

sudo -u squid /usr/sbin/squid -f /etc/squid/squid.conf

or as root:

/usr/sbin/squid -f /etc/squid/squid.conf

# /usr/sbin/squid -f /etc/squid/squid.conf
# ps -ef | grep squid
root  30358     1 0 17:20 ?     00:00:00 /usr/sbin/squid -f /etc/squid/squid.conf
squid 30360 30358 0 17:20 ?     00:00:00 (squid-1) -f /etc/squid/squid.conf
squid 30361 30360 0 17:20 ?     00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
squid 30362 30360 0 17:20 ?     00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
squid 30363 30360 0 17:20 ?     00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
squid 30364 30360 0 17:20 ?     00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
squid 30365 30360 0 17:20 ?     00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
squid 30366 30360 0 17:20 ?     00:00:00 (logfile-daemon) /var/log/squid/access.log
root  30368 29619 0 17:20 pts/0 00:00:00 grep squid

So it appears the UID is not properly switching when running as root from startup?

Contents of /etc/init.d/squid (no modifications made by me): http://pastebin.com/UeehzMH6

squid.conf excerpt:

cache_effective_user squid
cache_effective_group squid

-Original Message-
From: Jason A. Sloan [mailto:jason_sl...@oh.rr.com]
Sent: Thursday, January 10, 2013 8:29 AM
To: 'Ahmed Talha Khan'
Cc: 'squid-users@squid-cache.org'
Subject: RE: [squid-users] ssl_crtd reporting certificate database as uninitialized

# pwd
/var
# ll
...
drwxr-xr-x. 3 squid squid 4096 Jan 9 21:29 squid
...
# cd squid
# ll
drwxr-xr-x. 3 squid nobody 4096 Jan 9 21:29 ssl_db
# cd ssl_db
# ll
drwxr-xr-x. 2 squid nobody 4096 Jan 9 21:29 certs
-rw-r--r--. 1 squid nobody 0 Jan 9 21:29 index.txt
-rw-r--r--. 1 squid nobody 8 Jan 9 21:29 serial
-rw-r--r--. 1 squid nobody 1 Jan 9 21:29 size

-Original Message-
From: Ahmed Talha Khan [mailto:aun...@gmail.com]
Sent: Thursday, January 10, 2013 4:26 AM
To: Jason A. Sloan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] ssl_crtd reporting certificate database as uninitialized

Are the parent directories of ssl_db writeable by the squid user? You might want to look at that too.

On Thu, Jan 10, 2013 at 7:40 AM, Jason A. Sloan jason_sl...@oh.rr.com wrote:

No joy. I initially ran the ssl_crtd command as root before using sudo to run it as the squid user. Regardless I tried that to no avail.

As root: Deleted existing ssl_db implementation.

/usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
Initialization SSL db... Done
chown -R squid:nobody ssl_db/

Attempt to start died with same error message:

(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run ssl_crtd -c -s /var/squid/ssl_db.
...
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

-Original Message-
From: Ahmed Talha Khan [mailto:aun...@gmail.com]
Sent: Wednesday, January 09, 2013 1:56 PM
To: Jason A. Sloan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] ssl_crtd reporting certificate database as uninitialized

Try to create the ssl_db without sudo. There seems to be a problem with the permissions on that directory. Also change the group ownership of ssl_db to nobody. I hope that helps.

On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan jason_sl...@oh.rr.com wrote:

I'm setting up dynamic SSL cert generation on a Centos 6.3 (i686) platform but I can't seem to get ssl-crtd to believe it's initialized. Perhaps I'm missing something. Either way I could use another set of eyes / ideas.

I have compiled the latest stable release (3.2.5) and installed it. Packaged release was not compiled with --enable-ssl-crtd.

When starting squid I get a message in cache.log from ssl-crtd that it believes the SSL Certificate database is uninitialized. However I have executed the following:

sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
Initialization SSL db... Done

I can even execute ssl-crtd outside of squid and get a response:

sudo -u squid /usr/lib/squid/ssl_crtd -s
Re: [squid-users] Re: Squid 3.2.6 hot object cache
On 22/01/2013 2:00 a.m., babajaga wrote:
>> Rock and COSS storage types however are far more optimized for speed, using both disk and RAM storage in their normal disk configuration.
>
> Amos, haven't you been a little bit too generous in your comments, especially this referred one?

I don't think so. They *have* been optimized for speed and are measurably so. I made no comment about bug-free state in any of the disk I/O modules. Just about speed versus a RAM disk.

> I looked at the docs both for COSS and Rock, and the following excerpts made me a bit skeptical:
>
> 1) COSS: Changes in 3.3 cache_dir COSS storage type is lacking stability fixes from 2.6
>
> When I read such a statement, I refuse to use this feature in a production environment. Even in case, it has a lot of speed advantages. One crash might wipe out all speed advantages.

As it was intended. Until somebody wants to do the portage it's unlikely to change either. We have debated both removing COSS entirely or expending the effort to debug it fully. Neither debate came to a satisfactory conclusion yet. The developers do agree that: Rock was designed to do the same things as COSS and does them a bit better, and COSS is not worth our time fixing. If you or someone else has a different opinion patches are still welcome (so we are required to leave the COSS code present in 3.2+).

Note also that it is referring to the squid-3 version of COSS. There were some bug fixes that went into squid-2.6 and COSS in 2.7 has a proven track record for high performance now. Rock was built on that 2.7 track record with a few design fixes for lessons learned since COSS was created and SMP support.

> 2) Rock: http://wiki.squid-cache.org/Features/RockStore#limitations
>
> 2a) Rock store is available since Squid version 3.2.0.13. It has received some lab and limited deployment testing. It needs more work to perform well in a variety of environments, but appears to be usable in some of them.
>
> 2b) Objects larger than 32,000 bytes cannot be cached when cache_dirs are shared among workers.
>
> 2c) Current implementation uses OS buffers for simplicity.
>
> When reading 2a) I start to be cautious again :-)

Good. It is a new feature, the small number of people using it so far give us confidence enough to promote it but not to say it's bug-free. Problems may occur in a situation where nobody has tried using it. Also we are aware that startup time is slower with Rock than we would like. That is all 2a means.

By all means be cautious. But please do not let that stop you testing or using it. The more people we have using it the more confident we can be that it is bug-free.

> 2b) tells me, it very much depends upon the mean size/standard deviation of the cached objects, whether using Rock really has an advantage. Might change in the future with Rock-large, though.
>
> 2c) Makes the theoretical approach to evaluate performance advantages of Rock almost impossible. Because you always have to consider the filesystem used, with the respective options, having a huge impact on performance. So the only serious approach right now to advocate possible performance advantages would be after quite some benchmarking, using real workloads. Which certainly are very site specific. Because of the basic principle of Rock and Rock-large (which are like filesystems themselves), using raw disk-I/O is possible in the future, at least, which MIGHT THEN justify a general statement much more optimized to speed.

The COSS model is a slice model the same way that a disk backed RAM-disk operates its swap pages. In both designs large chunks of memory are swapped in and out to fetch items stored somewhere within that chunk.

Under the UFS on RAM-disk model these would be allocated random disk locations by the generic disk manager and each is swapped in individually only after being requested by the client.

Under Rock/COSS requests within a certain time range of each other are assigned slots within one memory page/chunk - such that a client loading a page causes, with a high probability, the related objects, images, scripts - to be swapped in and ready to be served directly from the RAM area slice before they are requested by the client.

Overall this means the latency of a first-request is either the same as RAM or the same as disk I/O, PLUS the latency of followup related items is that of RAM *instead* of disk I/O - for a total net reduction in latency / gain in speed when loading a web page.

As you can see this is also very page-centric. If you are using Squid as gateway for a web app which does not have that type of page-centric temporal linkage between its requests the storage types become much closer in latency.

Yes, it is *complicated*, with a great many factors which we have not or cannot measure with any accuracy.

Amos
Re: [squid-users] Filter by time and white-black lists
On 22/01/2013 2:22 a.m., Marcus Kool wrote:
> Although Squid ACLs can do almost anything they are not the simplest thing to configure. A URL redirector like ufdbGuard offloads work from Squid and can do the same thing using a more intuitive configuration:

I don't see how {} syntax with lots of pass none inside else conditions can be more intuitive. Note the following direct 1:1 translation of UFDB syntax into Squid syntax.

Also, the overheads of using the URL redirector interface to Squid place a lot of limitations on what transaction details can be tested for and additional processing Squid must perform in order to utilize the helper's results.

PS. if this is the main pull ufdbGuard has nowadays would you consider joining the squid dev team and helping the efforts to further improve the squid.conf syntax, parse, and ACL processing?

> source admin { ip 10.77.88.47 }
acl admin src 10.77.88.47

> source managers { ip 10.77.88.42-10.77.88.46 }
acl managers src 10.77.88.42-10.77.88.46

> source classroom { ip 10.77.88.1-10.77.88.41 }
acl classroom src 10.77.88.1-10.77.88.41

> category whitelist01 { domainlist .../whitelist01/domains }
acl whitelist01 dstdomain ".../whitelist01/domains"

> category blacklist01 { domainlist .../blacklist01/domains }
acl blacklist01 dstdomain ".../blacklist01/domains"

> time workinghours { weekly mon,tue,wed,thu,fri 09:00 - 17:00 }
acl workinghours time MTWHF 09:00-17:00

> acl {
>   admin { pass any }
http_access allow admin

>   managers within workinghours { pass whitelist01 none } else { pass none }
http_access allow managers workinghours whitelist01

>   classroom within workinghours { pass !blacklist01 any } else { pass none }
http_access allow classroom workinghours !blacklist01

>   default { pass none }
http_access deny all

> }
>
> Marcus
>
> On 01/21/2013 07:33 AM, Helmut Hullen wrote:
>> Hello, Artur,
>>
>> You wrote on 21.01.13:
>>
>>> I've tried many times and I can not do it, please help :(
>>> I have 2 classrooms, total 40 PC's + 5 manager PC's + 1 administrator.
>>> So IP range is
>>> 10.77.88.1-10.77.88.41 - for classroom
>>> 10.77.88.42-10.77.88.46 - for managers
>>> 10.77.88.47 - admin
>>> Task:
>>> 1) Internet only for this 46 hosts 10.77.88.1-10.77.88.47
>>> 2) Classroom and managers can access internet only workdays from 9 to 17
>>> 3) Classroom have blacklist of sites in file for what access is denied
>>> 4) Managers only can visit white list sites in file, all other blocked
>>> 5) Admin can visit any web at any time
>>> 6) In weekends (A S) access only by authentication
>>> I am new to squid so I have difficulty doing this. I was able to set access by days and time for one range, but how to join this with white black list and other ranges for manager and admin + authentication o_o
>>> I don't get how this http_access deny access works, in what order. Can someone provide a solution for my task? I will be very grateful.
>>
>> You seem to live in Germany, perhaps you should look at linux-user 2/2013, p. 16 ... 20 (Squid als Spiel- und Social-Network-Bremse).
>>
>> I'd try the following http_access order (untested):
>>
>> acl localnet src 10.77.88.1-10.77.88.47
>> # all others get fired
>> http_access deny !localnet
>> acl admin src 10.77.88.47
>> # they are privileged
>> http_access allow admin
>> acl blacklist dstdomain "/etc/squid/blacklist"
>> acl schueler src 10.77.88.1-10.77.88.41
>> # managers have more rights
>> # you may define a special acl for managers; it's not necessary in this example
>> http_access allow !schueler
>> # pupils are restricted
>> http_access allow schueler !blacklist
>> # all other cases
>> http_access deny all
>>
>> The time restrictions are not implemented; take a look at listing 1 in the above mentioned article.
>>
>> Best regards!
>> Helmut
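The evaluation order asked about in this thread, modelled in Python as an added example (not code from any poster or from Squid itself): the ACLs named on one http_access line must all match, lines are tried top to bottom, and the first matching line decides. The rule list mirrors the four http_access lines in the reply above; the domain lists, the `SHADOWED` variant and the sample requests are constructed, and the weekend authentication requirement is not modelled.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed stand-ins for the whitelist01/blacklist01 domain files.
WHITELIST01 = [".example.org"]
BLACKLIST01 = [".games.example"]
DAY_CODES = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Mon..Sun)


def src(first, last=None):
    """Model of 'acl NAME src first-last': client address inside the range."""
    lo, hi = int(ip_address(first)), int(ip_address(last or first))
    return lambda req: lo <= int(ip_address(req["ip"])) <= hi


def dstdomain(entries):
    """Model of 'acl NAME dstdomain': '.example.org' also covers subdomains."""
    def match(req):
        host = req["host"].lower()
        return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
                   for e in entries)
    return match


def time_acl(days, start, end):
    """Model of 'acl NAME time DAYS hh:mm-hh:mm'; the end minute is treated
    as inclusive here, which is an assumption of this model."""
    def match(req):
        when = req["when"]
        return (DAY_CODES[when.weekday()] in days
                and start <= when.strftime("%H:%M") <= end)
    return match


ACLS = {
    "admin": src("10.77.88.47"),
    "managers": src("10.77.88.42", "10.77.88.46"),
    "classroom": src("10.77.88.1", "10.77.88.41"),
    "whitelist01": dstdomain(WHITELIST01),
    "blacklist01": dstdomain(BLACKLIST01),
    "workinghours": time_acl("MTWHF", "09:00", "17:00"),
    "all": lambda req: True,
}

# The four http_access lines from the translation, in the order given.
RULES = [
    ("allow", ["admin"]),
    ("allow", ["managers", "workinghours", "whitelist01"]),
    ("allow", ["classroom", "workinghours", "!blacklist01"]),
    ("deny", ["all"]),
]

# Constructed mistake: a broader allow placed first makes the blacklist
# line unreachable for classroom hosts during working hours.
SHADOWED = [("allow", ["classroom", "workinghours"])] + RULES


def http_access(req, rules=RULES):
    """Return (action, line number) of the first line whose ACLs all match."""
    for number, (action, names) in enumerate(rules, 1):
        # "!name" matches when the named ACL does not match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, number
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def request(ip, host, when):
    """Build a constructed sample request."""
    return {"ip": ip, "host": host, "when": datetime.fromisoformat(when)}


if __name__ == "__main__":
    monday, saturday = "2013-01-21T10:00", "2013-01-26T10:00"
    for r in (request("10.77.88.47", "news.example", saturday),
              request("10.77.88.43", "www.example.org", monday),
              request("10.77.88.43", "news.example", monday),
              request("10.77.88.5", "play.games.example", monday),
              request("10.77.88.5", "www.example.org", saturday)):
        print(r["ip"], r["host"], r["when"], "->", http_access(r))
```

Swapping in `SHADOWED` shows why order matters: the same blacklisted request is allowed by line 1 before the blacklist line is ever consulted.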
Re: [squid-users] How to modify the process owner name in syslog
On 22/01/2013 6:10 a.m., Bill Yuan wrote:
> Hi Eliezer,
>
> Thanks for your reply. I understand, but currently I am still using squid 2.7; it is good enough for me. Now I am still trying to find out whether I can change the name in the syslog like below:
>
> Jan 21 08:09:10 192.168.0.1 *squid[12345]*: log message
>
> I just want to hide the squid[12345]

That is a specified mandatory field of the packets sent to syslog. So I doubt it.

In Squid-3.2+ you can use various logging modules to send log lines to other places that might suit your needs better: http://wiki.squid-cache.org/Features/LogModules

And why do you want to hide the fact that the message came from Squid anyway?

Amos
Re: [squid-users] Squid as reverse proxy and PCI Tests
On 22/01/2013 6:59 a.m., Sébastien WENSKE wrote:
> Not tested, but the CIPHER_SERVER_PREFERENCE still needed :)

So why not use the Squid Project patch submission process to get it integrated? I don't see any [PATCH] emails in my queue for audit and merging with our name on them.

Doing it this way you are leaving yourself wide open to IP theft - anyone can take your patch and email it to squid-dev for merging under their own name.

Amos
Re: [squid-users] ssl_crtd reporting certificate database as uninitialized
On 22/01/2013 11:16 a.m., Jason A. Sloan wrote:
> Had some time to play around again. SELinux was the culprit. Set to permissive and it launched without issue. Now to sort out Kerberos. When I revisit SELinux (after Kerberos and ICAP) I'll mail back what I did to make it SELinux friendly again.

Please do, Thank you.

Far too often we simply see advice of enable permissive, which is probably the worst outcome. If we can get specific secure SELinux settings the wiki documentation can be updated to include it for future use, and the distro packaging can be updated to prevent it occurring for packaged installations.

Amos
RE: [squid-users] Hello, can 'squidclient' check if a file is cached in the squid?
Hello,

Could anyone help me? Thanks.

BRs,
Qingsheng.

-Original Message-
From: He, Qingsheng 2
Sent: Thursday, January 10, 2013 2:43 PM
To: 'Amos Jeffries'; squid-users@squid-cache.org
Subject: RE: [squid-users] Hello, can 'squidclient' check if a file is cached in the squid?

Hello Amos,

Sorry, I am a new subscriber to the mailing list. I am not sure how to raise a question.

About using squidclient to check if a file (url) has been cached by the squid, I just made a test, but it seems not to work as I expected.

#Squidclient -t 1 -h SquidServerDNS -p 80 $url

It returns 'X-Cache: MISS from localhost'. But actually the file has been cached, since when I use wget the file downloads very fast. If I use ICP to query, it will return 'UDP_HIT'. Do you know why?

Thanks.
He Qingsheng

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, January 10, 2013 2:20 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Hello, can 'squidclient' check if a file is cached in the squid?

On 10/01/2013 7:06 p.m., He, Qingsheng 2 wrote:

Hello all, Can 'squidclient' check if a file is cached in the squid? Thanks. He Qingsheng

Please do not hijack other people's threads with unrelated topics.

Yes it can. squidclient $URL | more and look for X-Cache: header contents.

Amos