Re: [squid-users] Squid 3.3.4 icap request issue
On 05/18/2013 04:32 PM, Guy Helmer wrote:

> Any thoughts on appropriate timeouts for the ICAP protocol? I have
> not seen recommendations for timeouts in RFC 3507 or the ICAP
> Errata.

Let the ICAP client determine them? :-)

Cheers,

Alex.
Re: [squid-users] Squid 3.3.4 icap request issue
On 05/18/2013 04:32 PM, Guy Helmer wrote:

> further testing indicates that building with --enable_kqueue causes
> squid not to read the remainder of the body

Yes, if my interpretation of the sources is correct, Squid kqueue code does not fully support SSL yet :-(. There is no kqueue code to resume buffered reads when SSL layer asks Squid to do that. This may affect all SSL traffic, including https_port, SslBump, and SSL peers.

Alex.
Re: [squid-users] squidguard not redirecting
Ok, apparently the problem with squidGuard was related to corrupted databases, causing unpredictable behaviour. I recompiled everything and now it is working fine.

I'll think about the suggestions (ufdbguard and raw squid), and maybe write down a comparison.

Thanks guys!

On Mon, May 20, 2013 at 8:34 AM, Helmut Hullen wrote:
> Hello, Amos,
>
> You wrote on 18.05.13:
>
>>> I have enabled squidGuard within a huge network.
>
> [...]
>
>> What are you using squidGuard for anyway?
>
> There are 2 different options/decisions:
>
> a) using "redirect"/"rewrite" (as "squidGuard" and "ufdbguard" do) or
> using the "squid" options "acl" and "http_access" (as "squidblacklist"
> does)
>
> b) using a long time maintained blacklist (p.e. shallalist or
> squidguard.mesd.k12.or.us/blacklists.tgz) or a newer one (as
> "squidblacklist" does) and/or using self made lists and/or using lists
> from some other places
>
> Using blacklists is (especially in schools) a job with many legal
> implications; people who use them should at least have a "good feeling".
> And using something like "squidguard" gives such a "good feeling" - even
> when such a program may be technically ugly. But the teacher who uses it
> as a helper has to explain this helper to many parents, and sometimes
> he/she has to explain it to a court of justice (but he never has to
> explain it to programmers etc).
>
> Yes - I know how to circumvent (? - please excuse my gerlish) such
> filters like squidguard.
>
> Best regards!
> Helmut
Re: [squid-users] Squid and MySql authentication
On 20/05/2013 11:54 p.m., Delton wrote:

> The problem was --cond 'enabled=1'. Without it, it worked.

??? then your test which used it should have failed as well.

Amos

> Thanks!
>
> On 18/05/2013 00:38, Amos Jeffries wrote:
>> On 18/05/2013 6:49 a.m., Delton wrote:
>>> Dear guys,
>>> I'm testing in MySql authentication via 'basic_db_auth'.
>>>
>>> I ran the test and it worked:
>>>
>>> /lib/squid3/basic_db_auth --user squid --password password --md5 --cond 'enabled=1' --persis
>>> testuser test
>>> OK
>>>
>>> But in Squid an error is returned:
>>>
>>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(66) start: auth_user_request '0x8fa6478'
>>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(86) module_start: 'delton:password'
>>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(144) HandleReply: {ERR unknown login}
>>>
>>> Any idea?
>>
>> Try --debug on the helper. It is a query lookup failure for some reason.
>>
>> Amos
Re: [squid-users] GNU GPL Question
Thanks for the reply Amos.

I'm pretty sure they're using Squid to provide their services, but they are distributing the binaries in the product they call the "Client Site Proxy". It's a packaged install of Squid for Windows that's preconfigured to point to their cloud-based upstream proxies.

As for that blog, that was back in the days before Symantec bought Messagelabs. I've discussed that with them previously.

On 20/05/2013, at 21:24, Amos Jeffries wrote:

> Firstly, thank you for bringing this to everyone's attention.
>
> On 20/05/2013 12:54 p.m., Daniel Streefkerk wrote:
>> Symantec provide a version of Squid to their Symantec.Cloud customers
>> that they call the "Client Site Proxy". They've modified the source to
>> add two "encrypted" headers (X-TEACUP and X-SAUCER) to each request,
>> and only provide a Windows version of the product. These headers
>> provide reporting information back to the centralised admin portal. I
>> think one of them contains an encoded username, not sure about the
>> other.
>>
>> They're refusing to provide a Linux version on the grounds that their
>> modifications are "confidential" due to the "encryption" of the
>> headers.
>
> A bogus reason. Squid-3 offers eCAP exactly for the purpose of commercials
> like this to write their own modules and publish those under different
> licensing than Squid. If they were doing *that* they would be able to
> restrict the source code for their module(s).
>
> Also, this blogger appears to have managed to get one out of them:
> http://blog.periodicfailure.com/?p=22
>
>> Seeing as Squid is GNU-GPL licensed and they're providing a commercial
>> product based upon it, aren't they required by GPL to make the source
>> code for their modifications to squid-cache available to the consumer?
>
> Maybe. The key question is whether they are distributing the binaries or just
> offering access through them?
>
> Squid is released as GPL version 2. Any patches made to a distributed Squid
> binary fall under its clauses. But, anyone can *use* Squid patched or
> otherwise to offer a commercial service.
>
> FWIW: Hiding the code on those grounds is a sure sign that their "security"
> measure is a bogus protection. eg rot-13, base-64, X+N cipher or something
> just as easily broken by knowing the algorithm.
>
> Amos
Re: [squid-users] Squid and MySql authentication
The problem was --cond 'enabled=1'. Without it, it worked.

Thanks!

On 18/05/2013 00:38, Amos Jeffries wrote:
> On 18/05/2013 6:49 a.m., Delton wrote:
>> Dear guys,
>> I'm testing in MySql authentication via 'basic_db_auth'.
>>
>> I ran the test and it worked:
>>
>> /lib/squid3/basic_db_auth --user squid --password password --md5 --cond 'enabled=1' --persis
>> testuser test
>> OK
>>
>> But in Squid an error is returned:
>>
>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(66) start: auth_user_request '0x8fa6478'
>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(86) module_start: 'delton:password'
>> 2013/05/17 15:43:17.868 kid1| UserRequest.cc(144) HandleReply: {ERR unknown login}
>>
>> Any idea?
>
> Try --debug on the helper. It is a query lookup failure for some reason.
>
> Amos
Re: [squid-users] Strange behavior in selection of tcp_outgoing_address
On 5/20/2013 11:34 AM, Alex Domoradov wrote:

older than 3.2 newer than 3.2 beta so 3.2 stable. but now there is 3.3 stable then if you can use it it's better.

Eliezer
Re: [squid-users] Re: what is best method to connect two squid servers on the same router?
On 5/20/2013 12:17 PM, Ahmad wrote:

> Hi Amos, thanks for the reply, sorry for being late.
> I don't think that it's a hardware issue.
> I mean that I don't think that my hardware router can't bear two squids;
> it can do it, and perfectly.
> I returned to its reference manual and found it has a specific enhancement
> feature implemented for WCCP, and it can load balance a lot of clusters.
>
> Again, my platform is a multilayer switch, Cisco 7604.
>
> About your question on CPU dissipation:
> 1- when none of the squids is working on the router ===> CPU of the router is 4 %
> 2- when 1 squid is working on the router > CPU of the router is 35 %
> 3- when 1 squid is running, and I add the 2nd server while the 1st squid is
> running, I note that squid 1 fails and the 2nd squid doesn't work, and the
> CPU of the router reaches 90 %, 95 %, 97 %

The problem is that WCCP works on the IP level, which means you cannot use the same IP for the same transparent service. Also you need to configure exceptions on the Cisco for traffic which comes from one service to not pass into the second service.

I don't know what your network load is, but squid works using EPOLL which will decrease the traffic load on the cpu by more than 100% compared to regular SOCKET.

Is this a self compiled squid or from one of the repositories? If it's from one of the repos, from which?

> Actually I don't know if I need to change the return, forwarding, or
> assignment methods to fix my problem!!!
>
> Which is the better method between squid and router?
>
> Should I leave the interface between switch and router as a Layer 2 port, and
> put the WCCP setting on the VLAN interface of the port??

If you do ask me, just put the squid machine in bridge mode just to see the actual load of the network, to understand if wccp is better than bridge mode.

> Or leave it as a router "Layer 3" port and apply the WCCP settings on the giga
> interface??
>
> Any documents from squid about my issue??

I have written about how to use squid as transparent cache proxy with WCCP.
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2

> wish to help
> regards

If you need more help just ask.

Regards,
Eliezer

> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/what-is-best-method-to-connect-two-squid-servers-on-the-same-router-tp4659922p4660147.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] squidguard not redirecting
Hello, Amos,

You wrote on 18.05.13:

>> I have enabled squidGuard within a huge network.

[...]

> What are you using squidGuard for anyway?

There are 2 different options/decisions:

a) using "redirect"/"rewrite" (as "squidGuard" and "ufdbguard" do) or using the "squid" options "acl" and "http_access" (as "squidblacklist" does)

b) using a long time maintained blacklist (p.e. shallalist or squidguard.mesd.k12.or.us/blacklists.tgz) or a newer one (as "squidblacklist" does) and/or using self made lists and/or using lists from some other places

Using blacklists is (especially in schools) a job with many legal implications; people who use them should at least have a "good feeling". And using something like "squidguard" gives such a "good feeling" - even when such a program may be technically ugly. But the teacher who uses it as a helper has to explain this helper to many parents, and sometimes he/she has to explain it to a court of justice (but he never has to explain it to programmers etc).

Yes - I know how to circumvent (? - please excuse my gerlish) such filters like squidguard.

Best regards!
Helmut
Re: [squid-users] Strange behavior in selection of tcp_outgoing_address
ok, I will try 3.2

On Mon, May 20, 2013 at 1:48 PM, Amos Jeffries wrote:
> On 20/05/2013 8:34 p.m., Alex Domoradov wrote:
>>
>> So I need to upgrade at least to squid 3.2? 3.1.23 wouldn't be enough?
>
> Probably not. Most of the issues with tcp_outgoing_address required a major
> overhaul of the TCP handling. Which we don't do to stable release series.
>
> Amos
Re: [squid-users] GNU GPL Question
Firstly, thank you for bringing this to everyone's attention.

On 20/05/2013 12:54 p.m., Daniel Streefkerk wrote:

> Symantec provide a version of Squid to their Symantec.Cloud customers
> that they call the "Client Site Proxy". They've modified the source to
> add two "encrypted" headers (X-TEACUP and X-SAUCER) to each request,
> and only provide a Windows version of the product. These headers
> provide reporting information back to the centralised admin portal. I
> think one of them contains an encoded username, not sure about the
> other.
>
> They're refusing to provide a Linux version on the grounds that their
> modifications are "confidential" due to the "encryption" of the
> headers.

A bogus reason. Squid-3 offers eCAP exactly for the purpose of commercials like this to write their own modules and publish those under different licensing than Squid. If they were doing *that* they would be able to restrict the source code for their module(s).

Also, this blogger appears to have managed to get one out of them:
http://blog.periodicfailure.com/?p=22

> Seeing as Squid is GNU-GPL licensed and they're providing a commercial
> product based upon it, aren't they required by GPL to make the source
> code for their modifications to squid-cache available to the consumer?

Maybe. The key question is whether they are distributing the binaries or just offering access through them?

Squid is released as GPL version 2. Any patches made to a distributed Squid binary fall under its clauses. But, anyone can *use* Squid patched or otherwise to offer a commercial service.

FWIW: Hiding the code on those grounds is a sure sign that their "security" measure is a bogus protection. eg rot-13, base-64, X+N cipher or something just as easily broken by knowing the algorithm.

Amos
Re: [squid-users] Strange behavior in selection of tcp_outgoing_address
On 20/05/2013 8:34 p.m., Alex Domoradov wrote:

> So I need to upgrade at least to squid 3.2? 3.1.23 wouldn't be enough?

Probably not. Most of the issues with tcp_outgoing_address required a major overhaul of the TCP handling. Which we don't do to stable release series.

Amos
[squid-users] Re: what is best method to connect two squid servers on the same router?
Here is some verification from the router:

    Gateway7600#sh ip wccp capabilities
    WCCP Platform Capability Settings
    Capability                        Setting
    Supported forwarding methods      GRE & L2
    Supported return methods          GRE & L2
    Supported assignment methods      Hash & Mask
    Accelerated forwarding methods    L2
    Accelerated return methods        GRE & L2
    Accelerated assignment methods    Mask
    Accelerated Mode CLI              CLI Enabled
    Check Outbound ACL CLI            CLI Enabled
    Check All Services CLI            CLI Enabled
    Closed Service Suport             Unsupported
    VRF Support                       Supported

    Gateway7600#sh ip wcc
    Gateway7600#sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   192.168.100.100
            Protocol Version:                    2.0

        Service Identifier: 80
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            486448036
              Process:                           143
              CEF:                               486447893
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                CACHE88
            Total Packets Denied Redirect:       1611
            Total Packets Unassigned:            4037586
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0

        Service Identifier: 90
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            451437390
              Process:                           2014
              CEF:                               451435376
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                CACHE99
            Total Packets Denied Redirect:       96392
            Total Packets Unassigned:            5963594
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0

    Gateway7600#
    Gateway7600#sh ip wcc
    Gateway7600#sh ip wccp de
    Gateway7600#sh ip wccp su
    Gateway7600#sh ip wccp summary
    WCCP version 2 enabled, 2 services
    Warning: 2 service(s) referenced in interface config but not configured!

    Service     Clients   Routers   Assign      Redirect   Bypass
    -------     -------   -------   ------      --------   ------
    Default routing table (Router Id: 192.168.100.100):
    60          referenced but not configured
    70          referenced but not configured
    80          1         1         HASH        L2         L2
    90          1         1         HASH        L2         L2

    Gateway7600#

regards

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/what-is-best-method-to-connect-two-squid-servers-on-the-same-router-tp4659922p4660148.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: what is best method to connect two squid servers on the same router?
Hi Amos, thanks for the reply, sorry for being late.
I don't think that it's a hardware issue.
I mean that I don't think that my hardware router can't bear two squids; it can do it, and perfectly.
I returned to its reference manual and found it has a specific enhancement feature implemented for WCCP, and it can load balance a lot of clusters.

Again, my platform is a multilayer switch, Cisco 7604.

About your question on CPU dissipation:
1- when none of the squids is working on the router ===> CPU of the router is 4 %
2- when 1 squid is working on the router > CPU of the router is 35 %
3- when 1 squid is running, and I add the 2nd server while the 1st squid is running, I note that squid 1 fails and the 2nd squid doesn't work, and the CPU of the router reaches 90 %, 95 %, 97 %

Actually I don't know if I need to change the return, forwarding, or assignment methods to fix my problem!!!

Which is the better method between squid and router?

Should I leave the interface between switch and router as a Layer 2 port, and put the WCCP setting on the VLAN interface of the port??

Or leave it as a router "Layer 3" port and apply the WCCP settings on the giga interface??

Any documents from squid about my issue??

wish to help
regards

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/what-is-best-method-to-connect-two-squid-servers-on-the-same-router-tp4659922p4660147.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Strange behavior in selection of tcp_outgoing_address
So I need to upgrade at least to squid 3.2? 3.1.23 wouldn't be enough?

On Mon, May 20, 2013 at 10:16 AM, Amos Jeffries wrote:
> On 20/05/2013 9:37 a.m., Alex Domoradov wrote:
>>
>> Hello all, I have encountered a strange issue in the selection of
>> tcp_outgoing_address. I have a Linux box with CentOS-6.4 x64. It is the default
>> gateway for a few VLANs. Squid is installed on the router
>>
>> # squid -v
>> Squid Cache: Version 3.1.10
>
> Squid versions older than 3.2 have some big problems with
> tcp_outgoing_address, and not enough debugging to identify the problem
> correctly either.
> You will find an upgrade of Squid very probably resolves the issue(s)
> causing this.
>
> Amos
Re: [squid-users] Strange behavior in selection of tcp_outgoing_address
On 20/05/2013 9:37 a.m., Alex Domoradov wrote:

> Hello all, I have encountered a strange issue in the selection of
> tcp_outgoing_address. I have a Linux box with CentOS-6.4 x64. It is the default
> gateway for a few VLANs. Squid is installed on the router
>
> # squid -v
> Squid Cache: Version 3.1.10

Squid versions older than 3.2 have some big problems with tcp_outgoing_address, and not enough debugging to identify the problem correctly either.
You will find an upgrade of Squid very probably resolves the issue(s) causing this.

Amos