Re: [squid-users] external_acl_type and tos
On 29/12/2013 6:49 a.m., yogii wrote:
> Hello there..
>
> Since we know rep_mime_type is only usable with the http_reply_access directive, I'm thinking about how to use external_acl_type, but I completely don't know how to achieve this. How to use external_acl_type to mark content type ^application/x-shockwave-flash? I have spent a lot of time looking for this feature but I didn't find it.

How were you expecting the helper to predict the future?

If you can do that then consider how Squid ACLs can be written to test those same details the helper would use.

Amos
Re: [squid-users] Squid intercept mode loading problem
On 29/12/2013 6:16 p.m., 0bj3ct wrote:
> Hi!
>
> I've configured hotspot with squid 3.3.8 in intercept mode. But web pages load very slowly. Can I configure squid to work faster or does the speed not depend on squid conf? By default hotspot speed is 2mbps, but it loads like 64/128 kbps.

The speed depends on what is being done to each request.

Have you configured delay_pools to limit traffic to 64/128 Kbps?

Are the requests you are testing coming from a very slow server?

Are the requests you are testing going through a CONNECT tunnel? (i.e. HTTPS traffic).

Are the responses coming from or going to a slow cache disk?

Is the proxy handling so many requests that it can't answer them all?

Is the traffic looping back through the proxy several times?

(I have more, but let's start with those ones.)

Amos
Re: [squid-users] external_acl_type and tos
Hey,

A more complex solution will be to use ICAP. It all depends on the issue at hand and the need.

Eliezer

On 29/12/13 11:22, Amos Jeffries wrote:
> How were you expecting the helper to predict the future?
>
> If you can do that then consider how Squid ACLs can be written to test those same details the helper would use.
>
> Amos
[squid-users] Re: Squid intercept mode loading problem
Thanks for the reply, Amos!

I've solved it. There was just a mistake in the configuration.

Btw I see a "This connection is untrusted" popup screen every time I enter an https website. If I accept the certificate (adding it as an exception) then I can continue to any https website. But is it possible to enter any https website without this security popup?

Regards,
[squid-users] Re: squid_kerb_group (again)
Hi Eugene,

I setup a virtual machine with freebsd 10-RC3

$ uname -a
FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23 23:27:58 UTC 2013 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

the attached packages and compiled squid trunk. Although squid does not fully compile (SQUID_BSDNET_INCLUDES needs to change include order) and fails in the base code with

In file included from AsyncCall.cc:2:
In file included from ./AsyncCall.h:6:
In file included from ./RefCount.h:40:
In file included from /usr/include/c++/v1/iostream:38:
In file included from /usr/include/c++/v1/ios:216:
In file included from /usr/include/c++/v1/__locale:15:
In file included from /usr/include/c++/v1/string:432:
/usr/include/c++/v1/cstdio:139:9: error: no member named 'ERROR_sprintf_UNSAFE_IN_SQUID' in the global namespace
using ::sprintf;
      ~~^
../../compat/unsafe.h:10:17: note: expanded from macro 'sprintf'
#define sprintf ERROR_sprintf_UNSAFE_IN_SQUID
                ^

the helpers compile fine and when I run ext_kerberos_ldap_group_acl it works with the MEMORY cache.

$ ./ext_kerberos_ldap_group_acl -d -g SQUID_ALLOW
kerberos_ldap_group.cc(275): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(374): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: INFO: Group list SQUID_ALLOW
support_group.cc(439): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: INFO: Group SQUID_ALLOW Domain NULL
support_netbios.cc(75): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(79): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(74): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(78): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: DEBUG: No ldap servers defined.
m...@win2003r2.home
kerberos_ldap_group.cc(372): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: INFO: Got User: mm Domain: WIN2003R2.HOME
support_member.cc(55): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: User domain loop: group@domain SQUID_ALLOW@NULL
support_member.cc(83): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Default domain loop: group@domain SQUID_ALLOW@NULL
support_member.cc(111): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Default group loop: group@domain SQUID_ALLOW@NULL
support_member.cc(113): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Found group@domain SQUID_ALLOW@NULL
support_ldap.cc(801): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Got default keytab file name ./squid.keytab
support_krb5.cc(110): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Get principal name from keytab ./squid.keytab
support_krb5.cc(119): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Keytab entry has realm name: WIN2003R2.HOME
support_krb5.cc(133): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Found principal name: HTTP/opensuse12.suse.h...@win2003r2.home
support_krb5.cc(174): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_60129
support_krb5.cc(270): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Got principal name HTTP/opensuse12.suse.h...@win2003r2.home
support_krb5.cc(313): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain WIN2003R2.HOME
support_resolv.cc(373): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.WIN2003R2.HOME record to w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Resolved address 1 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Resolved address 2 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Resolved address 3 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(401): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Adding WIN2003R2.HOME to list
support_resolv.cc(437): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain WIN2003R2.HOME:
support_resolv.cc(439): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: DEBUG: Host: w2k3r2.win2003r2.home Port: 389 Priority: 0 Weight: 0
support_resolv.cc(439): pid=60129
Re: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper
Hi Eliezer,

I can confirm it is the subprocess, can't get a snapshot now as it's in prod, but I did the same myself and it was definitely the kid (only 1 kid is configured).

Cheers

Alex

On 27/12/13 19:21, Eliezer Croitoru wrote:
> Hey Alex,
>
> Can you by any chance get a top snapshot output to verify if this issue is related to the subprocess or the parent process.
>
> Thanks,
> Eliezer
>
> On 27/12/13 19:58, Alex Crow wrote:
>> Hi Amos,
>>
>> Yes, this works re: the helper, but unfortunately we get very high CPU usage in 3.4.1 as opposed to 3.3.11. I was getting 80-100% after a few minutes whereas when I reverted back to 3.3.11, I only saw the odd peak at about 27%, and most of the time it was 10%. No other change other than the version, config was identical.
>>
>> Cheers
>>
>> Alex
Re: [squid-users] Re: Squid intercept mode loading problem
On 30/12/2013 1:09 a.m., 0bj3ct wrote:
> Thanks for the reply, Amos!
>
> I've solved it. There was just a mistake in the configuration.
>
> Btw I see a "This connection is untrusted" popup screen every time I enter an https website. If I accept the certificate (adding it as an exception) then I can continue to any https website. But is it possible to enter any https website without this security popup?

Depends on whether you can pre-install a CA certificate into the client browser. That popup is the installation process for that browser.

Amos
Re: [squid-users] Re: Squid intercept mode loading problem
The idea by itself is like that but there are many cases in real-world implementations where the result can surprise even me.

The basics to make sure that the certificate is authentic is to read it and make sure that every part of it or at least the basics in it are true. If you get into a bank https site and you see something like a warning, first make sure that your PC clock and date are fine. Next thing is to make sure that the DNS record is a secured one. After all the above you need to make sure that the certificate is satisfying your needs and security level.

There are places where a switch port level state is needed to prevent breaches. I remember something about a hospital computer that was used for some purposes and then in a couple of seconds some nice guy showed up to check something with the printer.

I would not start messing with SSL clients if they are security aware.

Eliezer

On 30/12/13 01:58, Amos Jeffries wrote:
> On 30/12/2013 1:09 a.m., 0bj3ct wrote:
>> Thanks for the reply, Amos!
>>
>> I've solved it. There was just a mistake in the configuration.
>>
>> Btw I see a "This connection is untrusted" popup screen every time I enter an https website. If I accept the certificate (adding it as an exception) then I can continue to any https website. But is it possible to enter any https website without this security popup?
>
> Depends on whether you can pre-install a CA certificate into the client browser. That popup is the installation process for that browser.
>
> Amos
[squid-users] Re: squid proxy kerberos authentication failure. Help!!!
Hi Markus,

I built a new Centos server at version 6.5 and redid all the configuration on the new server in the same way. Magic happened: everything is working now.

Thank you very much for your help and guidance.
Re: [squid-users] Re: squid proxy kerberos authentication failure. Help!!!
Hi Flypast,

Are you using the RPM or from source? (My RPM is not designed to compile external_acl and other helpers)

Thanks,
Eliezer

On 30/12/13 02:30, flypast wrote:
> Hi Markus,
>
> I built a new Centos server at version 6.5 and redo all the configuration on the new server in the same way. Magic happened: everything is working now.
>
> Thank you very much for your help and guidance.
Re: [squid-users] Re: squid_kerb_group (again)
Hi.

On 29.12.2013 18:59, Markus Moeller wrote:
> I setup a virtual machine with freebsd 10-RC3
>
> $ uname -a
> FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23 23:27:58 UTC 2013 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> the attached packages and compiled squid trunk. Although squid does not fully compile (SQUID_BSDNET_INCLUDES needs to change include order) and fails in the base code with
>
> [...]
> ^
>
> the helpers compile fine and when I run ext_kerberos_ldap_group_acl it works with the MEMORY cache.

Yeah, I agree - I myself have a bunch of squids on FreeBSD 10.0-WHATEVER, and most of them work fine, except this one.

I think openldap libraries lack the error handling output, basically they do two kinds of messages: "I did this" and "Oops, something has gone wrong". I spent several hours googling my problem and came to the conclusion above. I will ask in their mailing list.

Thanks.
Eugene.
Re: [squid-users] Slow loading WEB-PAGES
Hi guys,

Is there anybody to help me with how to increase the speed of loading web pages?! Any answer is appreciated.

On Thu, Dec 26, 2013 at 9:45 AM, zeagus zpt zeagus@gmail.com wrote:
> Hi Antony,
>
> Thanks for your answer.
>
> I tested squid with a number of different static sites. When I don't use squid, it takes nearly 2 sec and when I use it, it takes nearly 30 sec!
>
> I set refresh_pattern like this:
>
> refresh_pattern . 1440 40% 40320 override-expire ignore-no-cache ignore-no-store ignore-private store-stale
>
> None of them cache with squid and I saw cache_miss for all requests!
>
> Cheers
> Merry Christmas
>
> On Tue, Dec 24, 2013 at 2:07 PM, Antony Stone antony.st...@squid.open.source.it wrote:
>> On Tuesday 24 December 2013 at 10:55:57, zeagus zpt wrote:
>>> Hello squid-users,
>>>
>>> I think my clients wait for a long time to view web pages. Would you mind suggesting a way to solve this problem?
>>>
>>> All the Best ...
>>
>> 1. What speed interconnect do you have between clients and Squid?
>> 2. What speed connection do you have between Squid and the Internet?
>> 3. Access a cacheable* web page (via Squid), note the time taken.
>> 4. Request the same page again from the same browser on the same machine (still via Squid), note the time taken.
>> 5. Request the same page again from the same browser on a different machine (also going via Squid), note the time taken.
>> 6. Request the same page again from either of the above machines, this time direct (not via Squid), note the time taken.
>> 7. Repeat for at least three different websites which show the problem.
>> 8. Repeat when your network traffic is low, for example after employees have gone home (if this is a commercial network).
>>
>> * Cacheable means a web page which Squid is allowed to cache - check Squid's access log and/or the page headers if you're not sure.
>>
>> Tests 3, 4 and 5 should tell you whether Squid is caching (times for tests 4 and 5 should be notably less than test 3).
>>
>> Tests 4, 5 and 6 should tell you whether Squid is causing a problem (test 6 should not be noticeably faster than tests 4 and 5).
>>
>> In short - if test 6 (for all the sites you check) shows long response times, then you either have a saturated connection to the Internet, or the sites you are testing are simply slow. If test 8 also shows long response times, the sites are just slow.
>>
>> If the site is slow, and the pages you're accessing are cacheable, then Squid should improve the access times for tests 5 and 6 - if not, start (at the very least) with the Squid access log, to see what response times it's reporting.
>>
>> Happy Christmas,
>>
>> Antony.
>>
>> --
>> How I managed so long without this book baffles the mind.
>> - Richard Stoakley, Group Program Manager, Microsoft Corporation, referring to The Art of Project Management, O'Reilly press
>>
>> Please reply to the list; please don't CC me.
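
The access-log check suggested in the thread above, as an added example that is not part of any list message: it parses lines in Squid's native access.log format and, per URL, compares the first request with the repeats (tests 3 to 5). The sample log lines, host names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1388044800.101  29874 192.168.1.10 TCP_MISS/200 15342 GET http://static.example/a.html - HIERARCHY_DIRECT/192.0.2.10 text/html
1388044840.552  30112 192.168.1.10 TCP_MISS/200 15342 GET http://static.example/a.html - HIERARCHY_DIRECT/192.0.2.10 text/html
1388044900.007  29650 192.168.1.11 TCP_MISS/200 15342 GET http://static.example/a.html - HIERARCHY_DIRECT/192.0.2.10 text/html
1388045000.300   1840 192.168.1.10 TCP_MISS/200 8211 GET http://fast.example/b.css - HIERARCHY_DIRECT/192.0.2.20 text/css
1388045010.900     12 192.168.1.10 TCP_MEM_HIT/200 8220 GET http://fast.example/b.css - HIERARCHY_NONE/- text/css
1388045020.400      9 192.168.1.11 TCP_HIT/200 8220 GET http://fast.example/b.css - HIERARCHY_NONE/- text/css
"""

# Only the leading fields are needed: elapsed ms, client, result code, URL.
LINE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\w+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

def parse(log_text):
    """Yield (url, client, result_code, elapsed_ms) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # skip truncated lines or lines in another logformat
            yield m.group(8), m.group(3), m.group(4), int(m.group(2))

def summarize(log_text):
    """Per URL: time of the first request, times of the repeats, and a verdict."""
    by_url = defaultdict(list)
    for url, _client, code, ms in parse(log_text):
        by_url[url].append((code, ms))
    report = {}
    for url, reqs in by_url.items():
        first_ms, repeats = reqs[0][1], reqs[1:]
        # Simplification: only *_HIT codes count as served from cache here.
        hits = [ms for code, ms in repeats if "HIT" in code]
        if not repeats:
            verdict = "no repeat request"
        elif len(hits) == len(repeats) and max(hits) < first_ms:
            verdict = "cached and faster"
        elif hits:
            verdict = "partly cached"
        else:
            verdict = "not cached"
        report[url] = {"first_ms": first_ms,
                       "repeat_ms": [ms for _, ms in repeats], "verdict": verdict}
    return report

if __name__ == "__main__":
    for url, row in summarize(SAMPLE_LOG).items():
        print(url, row)
```

A URL reported as "not cached" with repeat times as long as the first request matches the all-MISS, roughly 30 second pattern described in the thread; the response headers for that URL are the next thing to inspect.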