Re: [squid-users] https://weather.yahoo.com redirect loop
On 08/20/2014 10:52 AM, Jatin Bhasin wrote:
> And when I browse to https://weather.yahoo.com then it goes in redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'.

Happens in 3.4 series too.

I added these in squid.conf as a solution:

via off
forwarded_for delete

Amm
[squid-users] https://weather.yahoo.com redirect loop
Hello All,

I am using SSL Bump in transparent mode in squid 3.3.12. And when I browse to https://weather.yahoo.com then it goes in a redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'.

On checking the developer console I found that the response code received for the GET is 301 Moved Permanently. But when I go to the same site direct (without squid in the middle) then it works normally and I see 200 OK for the same GET.

Thanks,
Jatin
Re: [squid-users] Poor cache
On 08/20/2014 12:21 AM, Délsio Cabá wrote:
> 3107 TCP_MISS/304

The above is good... It means that the file was not downloaded from the internet\src and the local (machine) copy of the file was used.

Eliezer
Re: [squid-users] unbound and squid not resolving SSL sites
I wasn't sure but I am now.
You are doing something wrong and I cannot tell what exactly.
Try to share this script output:
http://www1.ngtech.co.il/squid/basic_data.sh

There are missing parts in the whole setup such as clients IP and server IP, what GW are you using etc..

Eliezer

On 08/19/2014 02:37 PM, sq...@proxyplayer.co.uk wrote:
>> Take a look at:
>> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
>> Your squid.conf seems to be too incomplete to allow SSL-Bump to work.
>>
>> Eliezer
>
> I recompiled to 3.4.6 and ran everything in your page there. squid started correctly.
> However, it is the same problem. Any https page that I had configured does not resolve.
> It is being redirected by unbound but as soon as it hits the proxy, it just gets dropped somehow:
>
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5454:2633080]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -m state --state NEW -j ACCEPT
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *nat
> :PREROUTING ACCEPT [23834173:1866373947]
> :POSTROUTING ACCEPT [22194:1519446]
> :OUTPUT ACCEPT [22194:1519446]
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014
Re: [squid-users] what AV products have ICAP support?
Thanks for that, shouldn't squid be listed there as an ICAP client?

On 19/08/14 17:56, Amos Jeffries wrote:
> http://www.icap-forum.org/icap?do=products&isServer=checked

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[squid-users] Poor cache
Hi guys,

Need some help on cache. Basically I do not see many caches.

root@c /]# cat /var/log/squid/access.log | awk '{print $4}' | sort | uniq -c | sort -rn
  17403 TCP_MISS/200
   3107 TCP_MISS/304
   1903 TCP_MISS/000
   1452 TCP_MISS/204
   1421 TCP_MISS/206
   1186 TCP_MISS/302
    659 TCP_MISS/503
    641 NONE/400
    548 TCP_MISS/301
    231 TCP_OFFLINE_HIT/200
    189 TCP_MISS/404
    126 TCP_IMS_HIT/304
    112 TCP_MISS/504
     68 TCP_MISS/401
     56 TCP_MEM_HIT/200
     50 TCP_SWAPFAIL_MISS/304
     49 TCP_REFRESH_UNMODIFIED/200
     46 TCP_SWAPFAIL_MISS/200
     39 TCP_MISS/500
     36 TCP_MISS/502
     34 TCP_REFRESH_UNMODIFIED/304
     31 TCP_MISS/403
     25 TCP_MISS/400
     19 TCP_CLIENT_REFRESH_MISS/200
     17 TCP_REFRESH_MODIFIED/200
     11 NONE/417
      9 TCP_MISS/303
      6 TCP_HIT/000
      5 TCP_MISS/501
      5 TCP_HIT/200
      4 TCP_MISS/202
      3 TCP_MISS/412
      2 TCP_SWAPFAIL_MISS/000
      2 TCP_MISS/408
      1 TCP_MISS/522
      1 TCP_MISS/410
      1 TCP_MISS/405
      1 TCP_CLIENT_REFRESH_MISS/000

The cache dir is raiserfs

Config:

cache_dir ufs /cache 640 32 512 max-size=1048576
minimum_object_size 0 KB
maximum_object_size 10 MB
cache_swap_low 90
cache_swap_high 95
snmp_port 0
snmp_access deny all
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
pipeline_prefetch on
shutdown_lifetime 1 second
visible_hostname c.webmasters.co.mz
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#debug_options rotate=1 ALL,1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src x.x.x.0/24 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow all
acl winupdate dstdomain .windowsupdate.com
acl peakperiod time 10:00-16:00
delay_pools 1
delay_class 1 1
# 64 Kbit/s
delay_parameters 1 8000/8000
delay_access 1 allow winupdate peakperiod
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3401
http_port 0.0.0.0:3401 intercept
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
maximum_object_size 1280096 KB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 144000 20% 1008000
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 26 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 26 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 1440 90% 40320
refresh_pattern -i \.(html|htm|css|js)$ 1440 90% 40320
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 5259487 100% 9259487 ignore-no-cache ignore-private override-lastmod override-expire ignore-no-store ignore-must-revalidate
# caching windows update various windows versions
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|
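The awk pipeline in the post above only lists result codes; to turn that listing into a hit ratio you have to decide which codes mean "served from cache". Added example (not from the thread or the Squid project) that parses native-format access.log lines, reproduces the code/status counts, and classifies them; the sample log lines are constructed, and the assumed log format is Squid's default native one, where the result code is field 4:

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format (assumption:
# time elapsed client code/status bytes method URL ident hierarchy/peer type).
SAMPLE_LOG = """\
1408500001.123    245 192.168.1.10 TCP_MISS/200 15234 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1408500002.456     12 192.168.1.10 TCP_MEM_HIT/200 5123 GET http://example.com/logo.png - HIER_NONE/- image/png
1408500003.789    180 192.168.1.11 TCP_MISS/304 312 GET http://example.com/app.js - HIER_DIRECT/93.184.216.34 -
1408500004.012      3 192.168.1.11 TCP_IMS_HIT/304 298 GET http://example.com/style.css - HIER_NONE/- -
1408500005.345    220 192.168.1.12 TCP_REFRESH_UNMODIFIED/200 8200 GET http://example.com/data.json - HIER_DIRECT/93.184.216.34 application/json
1408500006.678      0 192.168.1.12 NONE/400 3700 GET /bad - HIER_NONE/- text/html
1408500007.901     40 192.168.1.13 TCP_HIT/200 9100 GET http://example.com/page.html - HIER_NONE/- text/html
"""

# Result codes where the body (or the revalidated copy) came from Squid's cache.
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_OFFLINE_HIT",
             "TCP_REFRESH_UNMODIFIED"}

# timestamp, elapsed ms, client address, then CODE/STATUS as the 4th field.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+([A-Z_]+)/(\d{3})\s")


def count_results(log_text):
    """Return a Counter of 'CODE/STATUS' -> occurrences, like awk|sort|uniq -c."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank lines and lines not in native format
            counts[f"{m.group(1)}/{m.group(2)}"] += 1
    return counts


def hit_ratio(counts):
    """Return (hits, misses, errors, ratio).

    NONE/* entries are Squid-generated errors and are left out of the ratio;
    every other code not in HIT_CODES (TCP_MISS, TCP_SWAPFAIL_MISS,
    TCP_REFRESH_MODIFIED, TCP_CLIENT_REFRESH_MISS, ...) counts as a miss."""
    hits = misses = errors = 0
    for key, n in counts.items():
        code = key.split("/")[0]
        if code == "NONE":
            errors += n
        elif code in HIT_CODES:
            hits += n
        else:
            misses += n
    served = hits + misses
    return hits, misses, errors, (hits / served if served else 0.0)


if __name__ == "__main__":
    c = count_results(SAMPLE_LOG)
    for key, n in c.most_common():
        print(f"{n:8d} {key}")
    print("hits/misses/errors/ratio:", hit_ratio(c))
```

Point it at a real file with `count_results(open("/var/log/squid/access.log").read())`; TCP_MISS/304 lands in the miss bucket because the request went upstream even though the client's own copy was reused.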
[squid-users] Re: server failover/backup
I got help by email: removed intercept from http_port (because I don't use NAT) and removed quick_abort_min (I was told it bugs sometimes).

Still battle.net is not working. I can't believe I'm the only one with this problem...

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ONLY-Cache-certain-Websites-tp4667121p4667265.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] unbound and squid not resolving SSL sites
> Take a look at:
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
> Your squid.conf seems to be too incomplete to allow SSL-Bump to work.
>
> Eliezer

I recompiled to 3.4.6 and ran everything in your page there. squid started correctly.
However, it is the same problem. Any https page that I had configured does not resolve.
It is being redirected by unbound but as soon as it hits the proxy, it just gets dropped somehow:

# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5454:2633080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
# Completed on Tue Aug 19 03:14:13 2014
# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*nat
:PREROUTING ACCEPT [23834173:1866373947]
:POSTROUTING ACCEPT [22194:1519446]
:OUTPUT ACCEPT [22194:1519446]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 19 03:14:13 2014

#acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
http_access deny all
http_port 80 accel vhost allow-direct
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[squid-users] Re: Very slow site via squid
> The latest squid-3.x stable releases may be able to help with this.

Actually, I am trying to use the standard package of squid for openWRT, which is squid2.7. So I would need to build my own one.

> Also, in my experience the worst slow domains like this are usually advertising hosts. So blocking their transactions outright (and quickly) can boost page load time a huge amount.

Correct, it is an advert site. Using hosts I block it already; however, I was wondering why this does not happen when running without squid.
This site is using varying names, like dcXX.s290.meetrics.net, with XX changing on almost every browser session, which points to a DNS issue.
Could there be any "interference" between TRANSPARENT squid and fast DNS resolution?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Very-slow-site-via-squid-tp4667243p4667263.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] CDN / JS 503 Service Unavailable
Hello

Yes we tried disabling ufdbguard. I first suspected it was doing something with proxy tunnels but it made no difference.

The dev has moved the .js file to another site so there's no pressure. I'll look at spinning up a basic squid and work through the config, see if I can identify what or where the issue is.

Thanks for your help

On 19 August 2014 01:30, Eliezer Croitoru wrote:
> On 08/18/2014 10:37 AM, Paul Regan wrote:
>>
>> @Eliezer - Sorry to say the acl lines made no difference. Can I use
>> any of the debugging options to get deeper into this?
>
> Well it depends on the 503 content.
> It can be a network issue or an application level issue.
> Since you can download the file using wget from the proxy machine it seems
> like a proxy settings error but there is an option that you are using some
> wrong settings.
>
> For me and many others it does work with proper proxy settings.
> Have you tried to remove the ufdbguard from the settings?
> It might be the reason..
>
> Eliezer