[squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Adam Aube
Colin Farley wrote:

> We have a few production squid proxy servers running various STABLE
> versions of squid 2.5 and are encountering some issues as we upgrade our
> Domain controllers from Windows 2000 to Windows 2003. The proxy servers
> query the LDAP directory for user access control.

> Ideally, we would like all proxy servers to use a base dn that allows them
> to search the entire domain ("dn=domain,dn=lan"), when querying Windows
> 2000 domain controllers this works perfectly.  However, when we point
> these proxy servers to Windows 2003 domain controllers for LDAP queries
> squid_ldap_auth fails.

> I have found that if I specify an ou for the base dn it works fine
> ("ou=site1,dn=domain,dn=lan").  So, it seems that Windows 2003 domain
> controllers have added security that stops searches beginning from the
> base of the domain and searches must start within an ou.

Have you configured squid_ldap_auth to bind using a user account?

Adam



[squid-users] RE: AW: Squid unreachable every hour and 6 minutes.

2005-11-10 Thread Adam Aube
Gix, Lilian (CI/OSR) * wrote:

> Thanks for your help :
> 
> proxy1:~#  crontab  -l
> 0 0 * * * /etc/webmin/webalizer/webalizer.pl /cache_log/access.log
> proxy1:~# more /etc/crontab
> SHELL=/bin/sh
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> 
> # m h dom mon dow user  command
> 17 *    * * *   root    run-parts --report /etc/cron.hourly
> 1 0     * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
> 47 6    * * 7   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly
> 52 6    1 * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.monthly
> 
> proxy1:~# ls /etc/cron.hourly/
> proxy1:~#
> 
> 
> The server is a compaq DL580 (2*Xeon700Mhz, 1G of Ram, Raid 5: 32G),
> working on Debian

What about /etc/cron.d/ and /var/spool/cron/crontabs/?

Adam



[squid-users] RE: RE: Urgent Samba / Squid NTLM Auth Problems

2005-11-09 Thread Adam Aube
Dave Raven wrote:

> We are currently talking to samba, but we are able to join the
> domain. Where we sit right now is that if we use -basic instead of
> -ntlmssp it works fine. I've narrowed it down to the password that's the
> problem - its obtaining the user, domain and workstation just fine. All
> the command line tools work perfectly - only when using auth_param ntlm *
> does it fail...
> 
> As far as I have been able to understand it, there is either a problem
> with the way squid is passing the reply to the ntlm challenge to the
> helper, or a problem with the helper...

You can test plaintext and challenge/response authentication from the
command line using wbinfo:

wbinfo -a username%password

You should get success for both plaintext and challenge/response. If not,
then you know the problem is with Samba, rather than Squid or ntlm_auth.

Adam



[squid-users] Re: "Binding" IP address to username

2005-11-09 Thread Adam Aube
Pieter De Wit wrote:

> I would like to know how I can "bind" an IP address to a username in
> squid. So let's say I have a user called user1 and a machine on IP
> 1.2.3.4. I would like squid to log any requests that come from 1.2.3.4 as
> if the user user1 logged in.

So you want Squid to accept requests from a certain IP, but log them as if a
certain user had authenticated instead? Squid can't do this.

Adam



[squid-users] Re: Urgent Samba / Squid NTLM Auth Problems

2005-11-09 Thread Adam Aube
Abbas Salehi wrote:

> I succeeded in joining the domain and Active Directory; I can see the
> domain users and groups

> net ads testjoin
> Join is OK
> 
> net ads join administrator
> Joined 'squid-server' to realm 'TEST.COM'
> 
> But ntlm_auth does not work properly,
> 
> I get the following error when I run it:
> 
> ntlm_auth --username=administrator
> password: **
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> (0xc0da)

Since you seem to be using Samba 3.x, make sure you are using the ntlm_auth
helper that comes with Samba, not the helper that comes with Squid (which
is for Samba 2.x only).

Adam



[squid-users] RE: Urgent Samba / Squid NTLM Auth Problems

2005-11-09 Thread Adam Aube
Dave Raven wrote:

> Okay I have an update with more progress - it seems the problem is only to
> do with ntlmssp. If I only have a basic authenticator - which looks like
> the following, it works perfectly:

> However, when I use ntlmssp in the squid config, shown below, it does not
> work:
> 
> auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
> auth_param ntlm children 10
> auth_param ntlm use_ntlm_negotiate yes
> 
> I see the following debug messages:
> [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>   Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
> [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
> 
> If I type ian instead of ianb, I see an error saying the user does not
> exist. This must mean that somehow the wrong password is being passed in
> the wrong way - even though it is typed right.
> 
> For anyone who hasn't read the rest of this thread please note: this only
> happens with the security option on the AD server set to ONLY allow
> NTLMv2/LMv2 and not anything else. If we turn that off it works
> perfectly...

It looks like this might be a Samba issue - Ian had stated that if only
NTLMv2 is allowed, then Samba can't even join the domain. I would suggest
taking this to the Samba list.

Adam



[squid-users] RE: Using LDAP Authentication with Windows 2003 Domain

2005-11-03 Thread Adam Aube
Chris Robertson wrote:
> Adam Aube wrote:

>> Yes, some versions of Mozilla do work with NTLM, but the user
>> still needs to enter their username and password - NTLM is then used for
>> the exchange between the browser and the proxy.
> 
> Not entirely true.  There is a configuration option
> (network.automatic-ntlm-auth.trusted-uris) which allows specifying domains
> to automatically supply NTLM auth information.

Good news for sites that like the ease of use NTLM + IE gives their users -
now they have a choice of more than one browser.

Now if only vendors would support something similar using Digest, which
would give the security of NTLM without breaking the HTTP protocol.

http://www.squid-cache.org/mail-archive/squid-users/200307/0503.html

> Sorry for the off topic post.

Not off-topic at all - this is useful information administrators need to
make informed decisions about what authentication scheme to use with Squid.

Adam



[squid-users] RE: Re: Using LDAP Authentication with Windows 2003 Domain

2005-11-03 Thread Adam Aube
Derrick MacPherson wrote:

> Is there an advantage to using LDAP and not using ntlm_auth?

LDAP is simpler to set up and uses less system and network resources, as well
as working readily with all browsers (on all platforms) that support
authentication.

NTLM authentication requires a full Samba install joined to the domain, is
more resource intensive, breaks the HTTP protocol, and only provides a
significant benefit with Internet Explorer on Windows (because
authentication is transparent).

Yes, some versions of Mozilla do work with NTLM, but the user still needs to
enter their username and password - NTLM is then used for the exchange
between the browser and the proxy.

Adam



[squid-users] Re: Using LDAP Authentication with Windows 2003 Domain

2005-11-03 Thread Adam Aube
Stefano Del Furia wrote:

> could someone point me to the right direction of using LDAP authentication
> with a Windows 2003 domain ??

You could start by searching the list archives for "LDAP Active Directory".

Adam



[squid-users] Re: Selective Access

2005-11-03 Thread Adam Aube
Rajesh K. Bahl wrote:

> I need your guidance in doing the following:-
> 
> We have a total of 30 PCs. About 8 of them require full
> access to the internet. The remaining 22 need to be restricted to only one site, i.e.
> an antivirus site (McAfee or Symantec), just for updating the virus signature
> file. Also, all 30 clients need to be protected from visiting
> porn/adult sites.
> 
> How do I accomplish this using squid running on a Linux (CentOS 4)
> machine?

Enable user authentication, then allow/deny access based on username.

See the default squid.conf and the FAQ for more info.

http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.6

Adam



[squid-users] Re: no logging

2005-11-03 Thread Adam Aube
rs wrote:

> Why does squid not write access.log (the permissions are there)?

Squid doesn't write to access.log until it receives a request. Make sure
Squid is actually receiving the requests by running this command just after
sending a request to Squid:

netstat -nt | grep ":3128"

This assumes Squid is listening on the default port of 3128. Adjust
accordingly if Squid is running on a different port.

If Squid is receiving requests but still isn't logging, post the log
settings in squid.conf, the command line used to start Squid, and the
contents of cache.log from the last time you started Squid.

Adam



[squid-users] Re: re transparent proxy error

2005-11-03 Thread Adam Aube
CsY wrote:

> and what you think, how can i resolve this problem?

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

See Step 4.

Adam



[squid-users] Re: Squid on Linux authenticating to two different Windows Active Directory groups

2005-11-01 Thread Adam Aube
Roy Verrips wrote:

> I've got Squid on a Linux (Debian 3.1) box running beautifully and
> authenticating users to a Windows Active Directory.

> Problem I have is how to setup the acl to get the different ADgroups?  Do
> I need two auth_params? Is that possible and what would the syntax be?

Look into the wbinfo_group external acl helper. See the default squid.conf,
the FAQ, and the list archives for more information.

Also, if possible please remove the disclaimer when posting to the list.

Adam



[squid-users] Re: email

2005-11-01 Thread Adam Aube
azeem ahmad wrote:

> I want to block my users from any kind of email. Is it possible? Because if I
> block smtp/pop3 then there are so many web based mail servers like
> msn/yahoo, and if I block http then it means I have blocked everything on
> my network. I'd like to block every kind of email; please tell me how I can do
> that.

Don't allow any traffic out from your network.

Since that likely isn't a viable option, your best bet is to block common
email ports using a packet filter (which has nothing to do with Squid),
then use Squid acls to block the most popular webmail services.

Since it isn't feasible to block the rest, you need to audit usage.
Configure Squid to use authentication, then inform your users that
web-based email is prohibited and Internet access is monitored. Audit your
Squid logs, and punish violators according to your policy.

Adam



[squid-users] Re: ntlm with groups

2005-10-31 Thread Adam Aube
Wilson A. Galafassi Jr. wrote:

> I'm using this to authenticate users with active directory by username.

[auth_param lines snipped]

> acl squid_access proxy_auth REQUIRED
> http_access allow squid_access

> What I have to change to authenticate by group?

The acl and http_access lines will need to be changed. Set up an external_acl
using the wbinfo_group helper. More information can be found in the FAQ,
the default squid.conf, and the mailing list archives.

Adam



[squid-users] RE: Maximum connections

2005-10-28 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> Is he not asking for binding the user name with the MAC address of the PC?
> Way I understood this is - user should be able to browse only from one
> PC using some user name. User should not be able to browse from any
> other PC.

The OP said that the user shouldn't be able to log in from more than one
computer, not that the user should be restricted to one particular computer
at all times.

> If you bind user name with IP address, end user can change the IP
> address, so will it not be better to bind the username with the MAC address of the PC?

MAC addresses can also be changed.

Adam



[squid-users] Re: Difference between basic authentication

2005-10-28 Thread Adam Aube
Guillaume wrote:

>  Do you know what is the difference between basic authentication and
> NTLM authentication?

Basic authentication is an Internet standard that is fully compatible with
the stateless nature of HTTP, is easily integrated with most authentication
backends, and works in virtually all browsers. Users will be prompted for a
username and password when starting a browsing session. Passwords are not
encrypted between the browser and Squid.

NTLM authentication is Microsoft's attempt to force a session-oriented
authentication protocol onto the inherently stateless HTTP (which qualifies
as a hack that breaks the protocol). Because it uses Microsoft's NTLM hash,
the password is never sent across the network. It integrates easily with a
Windows-style domain, and has the added advantage of users not being
prompted for a username and password. However, it requires many more
running auth helpers, increasing the load on your Squid server.

A third authentication option, digest, solves the security issues of basic
while remaining fully compatible with the HTTP protocol. However, it is
more difficult to integrate with an authentication backend than basic.

Adam



[squid-users] Re: can't get to certain sites through proxy

2005-10-28 Thread Adam Aube
Mark Drago wrote:

> On Wed, 2005-10-26 at 20:27 +0200, Christoph Haas wrote:
>> On Wednesday 26 October 2005 20:11, Mark Drago wrote:
>> > The site is http://webmail.ne.rr.com - it's the webmail for the
>> > RoadRunner ISP that one of our customers is using.  Our customer gave
>> > us a username and password to help diagnose the problem, but obviously
>> > and
>> > unfortunately I can't pass it on.  I can get to the login screen
>> > without a problem, but when I try logging in I get an alert box that
>> > reads: 'Session timed out. Log in again' and it then redirects me back
>> > to the login screen.
>> 
>> Sounds suspiciously like cookie-based session handling in connection with
>> additional security measures like checking your source IP address. Do you
>> run more than one proxy or distribute requests to different parent
>> proxies in a round-robin fashion? If the peer checks your IP address you
>> will change your source IP address time and again and some authentication
>> systems don't like that.
> 
> Yeah I hear what you're saying.  However, we're not doing anything like
> that.  This proxy is installed at the head of a school's network and all
> of their traffic goes through the proxy.  There is only one proxy - it's
> really rather simple.  I'm not even quite sure how RoadRunner would be
> able to tell that the connection is going through a proxy.  Since the
> error is a javascript alert I would really like to look at the
> javascript that they're sending back.

You could try using a packet sniffer, such as ethereal.

Adam



[squid-users] Re: Memory usage

2005-10-28 Thread Adam Aube
Pablo Gietz wrote:

> I have Squid 2.5 stable 6 + Fedora Core 3, Pentium III 700Mhz 768 MB of
> RAM. This is a partial view of the TOP program:

[snipped]

> I can't force squid to take more memory and the cache is performing slowly.

Squid will generally max out disk I/O before memory. vmstat or iostat will
show you how your disks are performing.

Adam



[squid-users] RE: Spam mail through Squid server

2005-10-28 Thread Adam Aube
[EMAIL PROTECTED] wrote:
> D & E Radel
>> [EMAIL PROTECTED] wrote:

>>> I am running a transparent squid server on a Redhat ES 3.0 box. I noticed
>>> that sometimes some of my users establish an http connection with some server on
>>> the internet and send spam mail. The header of that mail always contains the squid
>>> server IP address. Is there any way I can insert the customer's PC IP
>>> address as well, which is actually sending that mail?

>> If that really is the case, how about blocking access to that "some
>> server" and cancelling your customer's account?

> Yes, but this will be an ongoing process. I would rather find out
> who is doing this and remove him from my network.

Just use Squid's access.log - correlate the logs with the time the emails
were sent, and then you have the abuser's IP address.

Adam



[squid-users] Re: ERROR on squid Authentication

2005-04-29 Thread Adam Aube
Please reply to the list, and not to me directly.

On Friday 29 April 2005 04:25 am, Alfredo Adam III wrote:
> On 4/29/05, Adam Aube <[EMAIL PROTECTED]> wrote:
>> Alfredo Adam III wrote:

>>> I'm now trying to set up squid authentication in fedora 3. My squid was
>>> running ok; after I configured its authentication, the problem is
>>> that the username and password were not accepted in the login box.
>>>
>>> It seems ncsa_auth was not functioning.

>> Have you read the Authentication FAQ?
>> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
>>
>> Can the user Squid runs as read the password file?
>>
>> Did you test ncsa_auth from the command line?

> After I ran the command the message was "OK". Is it that I got something wrong in my
> configuration, especially in my acl and http_access?

Possibly - there are examples in the FAQ and the default squid.conf you can
compare your configuration to. However, you didn't answer my first question
- can the user Squid runs as read the password file ncsa_auth is using?

Adam



[squid-users] Re: ERROR on squid Authentication

2005-04-28 Thread Adam Aube
Alfredo Adam III wrote:

> I'm now trying to set up squid authentication in fedora 3. My squid was
> running ok; after I configured its authentication, the problem is
> that the username and password were not accepted in the login box.

> It seems ncsa_auth was not functioning.

Have you read the Authentication FAQ?

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

Can the user Squid runs as read the password file?

Did you test ncsa_auth from the command line? To do this, simply run it from
a shell prompt, then type in "username password" (without the quotes,
substituting a real username and password) and press Enter. The helper will
reply with "OK" or "ERR". Use Ctrl-C to kill the helper when done.

Adam



[squid-users] Re: limiting size of downloads

2005-04-28 Thread Adam Aube
Alfredo Adam III wrote:

> Sir, how can I limit downloading files? For example I want to set up a
> rule that would only let a user download a file not exceeding
> 1MB. Is it possible to make this happen on squid?

"Can I prevent users from downloading large files?"

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.21

Adam



[squid-users] Re: Squid, Hotmail and Outlook Express

2005-04-26 Thread Adam Aube
Ytzhak Levy wrote:

> Some users are trying to access their Hotmail account via http access with
> Outlook Express.
> 
> Squid requires authentication.
> 
> OE doesn't have any field to insert a login and password to access squid.
> Thus, I make two acls:
> 
> # login name of the users that need to access hotmail by OE
> acl OE_USERS proxy_auth "/squid/etc/OE.users"
> 
> # address accessed by outlook to fetch emails - actually the url:
> # http://services.msn.com/svcs/hotmail/httpmail.asp
> acl HM_SERVER dstdomain .msn.com
> 
> allowing access:
> 
> http_access allow OE_USERS HM_SERVER
> 
> but OE still says that squid is asking for authenticated access.
> 
> what is wrong ?

You are still requiring authentication. Remove the OE_USERS acl and have
just "http_access allow HM_SERVER" before any http_access lines that use
proxy_auth acls. This will allow access to Hotmail without authentication.

Adam



[squid-users] Re: Squid never caches to disk.

2005-04-25 Thread Adam Aube
Scott Carpenter wrote:

> I can't seem to get any of my requests to cache. I am running RHEL4 ES
> minimal install with Squid Cache: Version 2.5.STABLE6.

> cache_dir ufs /var/cache/squid 2 16 256

2.5STABLE6 had a bug with UFS which would cause it to not cache anything in
some configurations. Either upgrade, or change to a different cache_dir
storage type (such as aufs).

Adam



[squid-users] Re: Delay-pools

2005-04-25 Thread Adam Aube
Vaughan Roberts wrote:

> I am thinking about implementing delay-pools in my squid transparent proxy
> on my Linux box.  The reason is that my ISP (cable modem) has a monthly
> limit on the number of bytes I can download. This didn't use to be a
> problem, but recently my two kids have got laptops from school and all of
> a sudden I am hitting the size limit as they plug into my LAN and play
> games, mp3s, msn etc. 

Squid's delay pools aren't the right tool for this.

Squid's delay pools will not count all bytes passed over the Internet
connection (i.e. protocol overhead), whereas your cable provider almost
certainly does. Furthermore, games and IM very likely aren't being tunneled
over HTTP (unless you are somehow forcing them to), so Squid won't even see
that traffic.

I would suggest using a general IP-level accounting tool for tracking total
usage (though I don't know of one to suggest off-hand).

Adam



[squid-users] RE: Re: delay pools

2005-04-20 Thread Adam Aube
azeem ahmad wrote:
> Adam Aube wrote:
>>azeem ahmad wrote:
>>
>> > i have configured delay pools and its working well.
>>
>> > delay_parameters 1 -1/-1 1000/1000
>> > delay_access 1 allow all
>>
>>> but it limits users to 1000 B/s even if there is only one user using
>>> the internet all the remaining bandwidth is wasted.

>>Use a class 1 delay pool instead, which sets a total limit for the pool,
>>which is then shared equally between all connections.
> 
> If I configure a class 1 pool and two users start downloading while 3
> others are browsing, will all these 5 get equal bandwidth?

Assuming all 5 are using the same number of HTTP connections, then yes.

> Isn't it possible to create different buckets for all the users using a class
> 2 pool to make them use a maximum of, say, 3KB, but when the bandwidth is free
> then they can use more than 3KB?

No. If you use a class 2 delay pool and set 3 KB as the individual limit,
then they will never be able to use more than 3 KB, even when bandwidth is
available.

The closest you can get is to set the aggregate limit of a class 2 delay
pool to (3 KB * [number of users]), then set the individual limit to -1/-1.
However, this is essentially equivalent to using a class 1 delay pool with
the same aggregate limit as the class 2 delay pool.

The only benefit to using a class 2 in this way is that users with an
excessive number of concurrent active HTTP connections (such as a broken
download manager or a badly tweaked browser) will not get an unfair share
of the aggregate limit. This can occur in class 1 delay pools if you do not
limit the number of connections per IP address.

Adam



[squid-users] Re: Delay_pool related question

2005-04-20 Thread Adam Aube
Wennie V. Lagmay wrote:

> For example I have a 16000 byte bandwidth connection to the internet and a
> 10/100 Mbps connection to the LAN. Also let us say I have 17 workstations, each
> one given 1000 bytes strict bandwidth using delay_pools.

> How can I implement such a rule that every workstation has a committed rate of
> 900 bytes, but if there are only a few using the bandwidth (let's say 5
> workstations) they can access the net at around 1500 bytes?

Assuming you use class 2 delay pools, set an aggregate limit of 16000 bytes
and an individual limit of 1500 bytes. Squid will evenly divide the
available bandwidth between the individual IP addresses once the aggregate
limit is reached.

Adam



[squid-users] Re: delay pools

2005-04-20 Thread Adam Aube
azeem ahmad wrote:

> i have configured delay pools and its working well.

> delay_parameters 1 -1/-1 1000/1000
> delay_access 1 allow all

> but it limits users to 1000 B/s even if there is only one user using the
> internet; all the remaining bandwidth is wasted. How can I make it give
> the user more bandwidth if other users are not consuming their shares?

The Delay Pools FAQ explains the different delay pool classes:

http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8

Use a class 1 delay pool instead, which sets a total limit for the pool,
which is then shared equally between all connections.

> And another thing is that I'm not getting what
> delay_initial_bucket_level means, in fact.

According to the Delay Pools FAQ and the default squid.conf, it is a
percentage of how full the delay pool's "bucket" (count of available bytes)
is when Squid starts, is reconfigured, or receives its first connection.

This allows users to start surfing immediately after Squid starts, instead
of having to wait for the delay pool's bucket to fill. It appears to
default to 50%.

Adam
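The behaviour described in this reply and in the two preceding delay pool replies (a class 1 pool sharing one bucket, a class 2 pool capping every host, and the effect of delay_initial_bucket_level) can be seen in numbers with the token-bucket model below. It is an added example, not code from the list or from Squid: it approximates Squid's scheduling as a fair split of the aggregate bucket among hosts that want more, and the client counts, the 8000-byte link in one scenario and the per-second demand are constructed inputs.

```python
# Added example, not from the threads and not Squid's code: a token-bucket model of
# delay pool classes 1 and 2 that replays the numbers from the delay pool posts
# above.  It assumes the aggregate bucket is split fairly among clients that want
# more; client counts, demand and the 50% initial bucket level are constructed.

UNLIMITED = 10**12   # stands in for "-1" (no limit) in delay_parameters


def parse_limit(spec):
    """'restore/max' exactly as written in delay_parameters, e.g. '16000/16000'."""
    restore, maximum = (int(x) for x in spec.split("/"))
    return (UNLIMITED if restore < 0 else restore, UNLIMITED if maximum < 0 else maximum)


class DelayPool:
    """delay_parameters <pool> <aggregate> [<individual>] for class 1 or class 2."""

    def __init__(self, pool_class, aggregate, individual="-1/-1", initial_level=50):
        self.pool_class = pool_class
        self.agg_restore, self.agg_max = parse_limit(aggregate)
        # class 1 has no per-host bucket; model it as an unlimited one
        self.ind_restore, self.ind_max = parse_limit(individual if pool_class == 2 else "-1/-1")
        self.initial_level = initial_level   # delay_initial_bucket_level, in percent

    def simulate(self, clients, seconds=4, demand=10**9):
        """Bytes handed to each greedy client in each simulated second.

        Buckets start at initial_level percent of their maximum, are drained
        for the current second and then refilled by 'restore' up to 'max', so
        the first second shows delay_initial_bucket_level and the later ones
        the steady state.  Within a second the aggregate is shared out in
        equal slices until every client is capped by its own bucket or demand.
        """
        agg = self.agg_max * self.initial_level // 100
        ind = {c: self.ind_max * self.initial_level // 100 for c in clients}
        history = []
        for _ in range(seconds):
            grants = {c: 0 for c in clients}
            pending = set(clients)
            while pending:
                share = agg // len(pending)      # fair slice of what is left
                if share == 0:
                    break
                for c in sorted(pending):
                    cap = min(ind[c], demand)     # own bucket or own appetite
                    room = min(share, cap - grants[c])
                    if room > 0:
                        grants[c] += room
                        agg -= room
                    if grants[c] >= cap:
                        pending.discard(c)
            for c in clients:
                ind[c] = min(self.ind_max, ind[c] - grants[c] + self.ind_restore)
            agg = min(self.agg_max, agg + self.agg_restore)
            history.append([grants[c] for c in clients])
        return history

    def steady_state(self, clients):
        """Per-client bytes/s once the buckets have settled (last simulated second)."""
        return self.simulate(clients)[-1]


def lagmay_link(active_workstations):
    """Adam's answer for the 16000-byte link: class 2, aggregate 16000, individual 1500."""
    pool = DelayPool(2, "16000/16000", "1500/1500")
    return pool.steady_state([f"ws{i}" for i in range(active_workstations)])


def azeem_before_and_after():
    """'delay_parameters 1 -1/-1 1000/1000' (a class 2 pool) versus a class 1 pool,
    one user alone on the link.  The 8000 bytes/s link total is constructed."""
    capped = DelayPool(2, "-1/-1", "1000/1000").steady_state(["pc1"])
    shared = DelayPool(1, "8000/8000").steady_state(["pc1"])
    return capped[0], shared[0]


def class2_unlimited_individual_equals_class1():
    """Class 2 with aggregate 3 KB * 5 users and individual -1/-1 behaves like class 1."""
    hosts = [f"pc{i}" for i in range(5)]
    return (DelayPool(2, "15000/15000", "-1/-1").steady_state(hosts),
            DelayPool(1, "15000/15000").steady_state(hosts))


def initial_bucket_effect():
    """First second versus steady state for one user on a class 1 pool at the 50% default."""
    history = DelayPool(1, "16000/16000").simulate(["pc1"])
    return history[0][0], history[-1][0]


if __name__ == "__main__":
    print("17 active workstations, each gets:", lagmay_link(17)[0])
    print("5 active workstations, each gets: ", lagmay_link(5)[0])
    print("class 2 capped vs class 1 shared, one user:", azeem_before_and_after())
    print("class 2 with -1/-1 individual vs class 1:", class2_unlimited_individual_equals_class1())
    print("first second vs steady state at 50% initial level:", initial_bucket_effect())
```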



[squid-users] Re: Newbie question....

2005-02-18 Thread Adam Aube
Jean Cantarutti wrote:

> Then I look at access.log but it doesn't show downloaded files, only the
> little files: .gif, .jpg, .js, etc.
> 
> Where are the .exe, .zip, .doc, .pdf files logged (the big ones)?

Squid logs all requests it receives. The requests for .exe, .zip, etc. files
will be in access.log like all the others.

Adam



[squid-users] Re: Is there a way to bypass squid for any destination ip address ?

2005-02-18 Thread Adam Aube
Please don't ask a new question by replying to another post - instead, post
a new message to the list.

Nont Banditwong wrote:

> My transparent squid box redirects packets which have destination port 80 to
> 3128 by this iptables command
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 
> but I don't want clients to access some destination IP addresses through squid.
> Is there a way to bypass squid by adding some iptables command?

(This question really belongs on an iptables list.)

Before the REDIRECT line above, add iptables rules similar to this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d a.b.c.d -j ACCEPT

where "a.b.c.d" is the IP address of the server to bypass Squid for. Also,
be sure to allow port 80 traffic in your FORWARD chain.

Adam



[squid-users] Re: squid + winbind weird behavior

2005-02-18 Thread Adam Aube
Please don't top post (which is replying above the original message) - it
makes the thread hard to follow.

Paulo Pires wrote:
> On Thu, 2005-02-17 at 00:40 +0100, Henrik Nordstrom wrote:
>> On Wed, 16 Feb 2005, Paulo Pires wrote:
>> 
>> > chown nobody /usr/local/samba-3.0.10/var/locks/winbindd_privileged
>> >
>> > This solved the thing. We can't change the perms because it's a socket,
>> > so it's better to change the owner to the user which runs squid.
>> 
>> You should change the group, not the owner..
>> 
>>  http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>>  http://us4.samba.org/samba/docs/man/winbindd.8.html
>> 
>> Changing the owner will make Samba quite upset about the security.

> chgrp squid /path/to/winbind_privileged

> I've added squid group, added user nobody into it and put it in my
> squid.conf. But as you can see below, there's only read perms for squid
> group, so the error is still there.
> 
>  4 drwxr-s---  2 root squid  4096 2005-02-17 14:15 winbindd_privileged
> 
> I don't know how the hell this worked for others, since other users from
> squid will only have read access to the dir, when they should have
> execute permissions too.

They do have execute permissions - the "s" in that position means the
directory is group executable and SetGID.

Adam
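The point about the "s" in the group position can be checked mechanically: the following Python is an added example, not code from the thread, that decodes an ls mode field into its permission bits and then applies the POSIX owner/group/other class rule to the user Squid runs as. The directory line is the one quoted above; the user name "nobody" and its group lists are constructed.

```python
# Added example (not from the thread): decode the mode field of an ls -l line the
# way the kernel stores it, to show that the "s" in the group-execute slot of
# "drwxr-s---" means group execute *and* setgid, and then apply the POSIX
# owner/group/other class rule to the user Squid runs as.  The directory line is
# the one quoted above; the user and group names are constructed.
import stat

TYPE_BITS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "s": stat.S_IFSOCK,
             "c": stat.S_IFCHR, "b": stat.S_IFBLK, "p": stat.S_IFIFO}
# (read, write, execute, special bit, letter ls uses for the special bit) per class
CLASS_BITS = [
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
]


def parse_mode(field):
    """Turn a 10-character ls mode string into an st_mode integer.

    In an execute slot, 'x' is plain execute, a lowercase 's'/'t' is execute
    plus the set-id/sticky bit, and an uppercase 'S'/'T' is the special bit
    without execute.
    """
    if len(field) != 10 or field[0] not in TYPE_BITS:
        raise ValueError(f"not an ls mode field: {field!r}")
    mode = TYPE_BITS[field[0]]
    triplets = (field[1:4], field[4:7], field[7:10])
    for (r, w, x, special, letter), triplet in zip(CLASS_BITS, triplets):
        if triplet[0] == "r":
            mode |= r
        if triplet[1] == "w":
            mode |= w
        if triplet[2] in ("x", letter):
            mode |= x
        if triplet[2] in (letter, letter.upper()):
            mode |= special
    return mode


def can_enter(ls_mode, owner, group, user, user_groups):
    """POSIX class rule: owner bits if the user owns the directory, else group
    bits if the directory's group is one of the user's groups, else other bits.
    Entering a directory needs the execute bit of the chosen class (root, which
    bypasses this check, is not modelled)."""
    mode = parse_mode(ls_mode)
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in user_groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def describe(ls_mode):
    """Octal mode plus the two facts argued about in the thread."""
    mode = parse_mode(ls_mode)
    return {"octal": oct(stat.S_IMODE(mode)), "group_execute": bool(mode & stat.S_IXGRP),
            "setgid": bool(mode & stat.S_ISGID), "roundtrip": stat.filemode(mode)}


if __name__ == "__main__":
    # the directory quoted above: "drwxr-s---  2 root squid  4096 ... winbindd_privileged"
    print(describe("drwxr-s---"))
    for groups in ({"nogroup"}, {"nogroup", "squid"}):
        print("nobody with groups", sorted(groups), "can enter:",
              can_enter("drwxr-s---", "root", "squid", "nobody", groups))
```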



[squid-users] Re: squid with Windows 2003 group filtering problem

2005-02-12 Thread Adam Aube
Srinivasa Chary wrote:

> I am getting a problem when doing group filtering from a Windows 2003
> server. I am using squid-2.5.STABLE3 and samba-3.0.0

> I am able to authenticate all the users perfectly without group
> verification; when I want to do group filtering it is not applied.

Can you be a little more specific on what happens when it doesn't work?

> Squid.conf:

> external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl
> acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
> acl LoggedInUsers proxy_auth REQUIRED

> http_access allow AllowedNTUsers
> http_access allow LoggedInUsers
> http_access deny !AllowedNTUsers
> http_access deny !LoggedInUsers

So you allow access to anyone in an allowed group, then allow access to
anyone who authenticates successfully. If this is what you want, then these
settings are fine (though the explicit "deny" lines are unneeded).

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all

With the exception of the "deny all" rule, these rules should come before
your own http_access rules (the "deny all" line should come after).

> smb.conf

Since your authentication works, your Samba settings are fine.

> wbinfo_group.pl

Unless you changed the script (other than specifying the full path to
wbinfo), there's no need to post it.

Adam
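Squid tries http_access lines in order and acts on the first one whose acls all match, which is why the placement of the default rules matters here. The following Python model is an added example, not code from the thread or from Squid: it replays the posted order against the recommended one, and also the Outlook Express/Hotmail pair of http_access lines from earlier on this page. The users, groups and requests in it are constructed, and its 407-challenge handling is a simplification of Squid's.

```python
# Added example, not Squid's code: a model of how Squid walks http_access lines
# top to bottom and acts on the first line whose acls all match.  Users, groups
# and requests are constructed; the login acls stand in for the wbinfo_group.pl
# external acl and the proxy_auth acls quoted in the posts.

# Constructed directory data standing in for what wbinfo_group.pl would look up.
USER_GROUPS = {"alice": {"Internet-Users"}, "bob": {"Staff"}}
ALLOWED_NT_GROUPS = {"Internet-Users"}    # stands in for /etc/squid/allowedntgroups
OE_USER_LIST = {"carol"}                  # stands in for /squid/etc/OE.users
# Port lists from the default squid.conf of the time.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563}


def in_domain(host, suffix):
    """dstdomain semantics: '.msn.com' matches msn.com and every subdomain."""
    return host == suffix.lstrip(".") or host.endswith(suffix)


# acl name -> predicate over a request dict ("user" is None without credentials).
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "HM_SERVER": lambda r: in_domain(r["host"], ".msn.com"),
    "LoggedInUsers": lambda r: r["user"] is not None,      # proxy_auth REQUIRED
    "OE_USERS": lambda r: r["user"] in OE_USER_LIST,       # proxy_auth "OE.users"
    "AllowedNTUsers": lambda r: bool(USER_GROUPS.get(r["user"], set()) & ALLOWED_NT_GROUPS),
}
# These acls need the login name, so they cannot be decided without credentials.
LOGIN_ACLS = {"LoggedInUsers", "OE_USERS", "AllowedNTUsers"}


def evaluate(rules, request):
    """Return 'allow', 'deny' or 'challenge' (an HTTP 407) for one request.

    The first http_access line whose acls all match decides; if none matches,
    the opposite of the last line's action applies.  Squid stops checking a
    line at its first non-matching acl.  When a login-dependent acl is reached
    and the request carries no credentials, Squid challenges if that acl is the
    last one on the line and otherwise treats the line as not matching (the
    reason for the 'deny !auth all' idiom).
    """
    for action, acl_names in rules:
        matched = True
        for position, name in enumerate(acl_names):
            negate = name.startswith("!")
            acl = name.lstrip("!")
            if acl in LOGIN_ACLS and request["user"] is None:
                if position == len(acl_names) - 1:
                    return "challenge"
                matched = False
                break
            if ACLS[acl](request) == negate:   # false and plain, or true and negated
                matched = False
                break
        if matched:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The order posted above: login checks first, the default hygiene rules last.
POSTED_ORDER = [
    ("allow", ["AllowedNTUsers"]), ("allow", ["LoggedInUsers"]),
    ("deny", ["!AllowedNTUsers"]), ("deny", ["!LoggedInUsers"]),
    ("allow", ["manager", "localhost"]), ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]
# Adam's order: hygiene rules first, then the allow lines, 'deny all' last,
# without the redundant explicit deny lines.
RECOMMENDED_ORDER = POSTED_ORDER[4:8] + POSTED_ORDER[0:2] + [("deny", ["all"])]
# Outlook Express / Hotmail thread: the posted pair versus Adam's fix.
OE_POSTED = [("allow", ["OE_USERS", "HM_SERVER"]), ("allow", ["LoggedInUsers"]), ("deny", ["all"])]
OE_FIXED = [("allow", ["HM_SERVER"]), ("allow", ["LoggedInUsers"]), ("deny", ["all"])]


def tunnel_case():
    """Authenticated, allowed user opening a CONNECT tunnel to a non-SSL port."""
    req = {"user": "alice", "src": "10.0.0.5", "method": "CONNECT",
           "url": "relay.example.com:8080", "host": "relay.example.com", "port": 8080}
    return evaluate(POSTED_ORDER, req), evaluate(RECOMMENDED_ORDER, req)


def wrong_group_case():
    """Authenticated user in no allowed group: 'allow LoggedInUsers' admits him either way."""
    req = {"user": "bob", "src": "10.0.0.6", "method": "GET",
           "url": "http://www.example.com/", "host": "www.example.com", "port": 80}
    return evaluate(POSTED_ORDER, req), evaluate(RECOMMENDED_ORDER, req)


def outlook_express_case():
    """Outlook Express fetching Hotmail without any Proxy-Authorization header."""
    req = {"user": None, "src": "10.0.0.7", "method": "GET",
           "url": "http://services.msn.com/svcs/hotmail/httpmail.asp",
           "host": "services.msn.com", "port": 80}
    return evaluate(OE_POSTED, req), evaluate(OE_FIXED, req)


if __name__ == "__main__":
    print("CONNECT to :8080 by alice   posted/recommended:", tunnel_case())
    print("GET by bob (no group)       posted/recommended:", wrong_group_case())
    print("OE without credentials      posted/fixed:", outlook_express_case())
```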



[squid-users] Re: LDAP and Novell E-Directory

2005-02-12 Thread Adam Aube
Please don't top post (which is placing your reply above the original
message) - it makes the thread hard to follow.

Corey Tyndall wrote:
> Henrik Nordstrom wrote:
> On Fri, 11 Feb 2005, Esteban Darreche wrote:

>> Try with this line
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -u cn -b
>> ou=DEPARTMENT,o=COMPANY -h LDAPSERVER
> 
> -f cn=%s
> 
> would be better than -u here...

> I was finally able to get it to work with the -f. Upon testing, internet access
> is SLOW! Can I turn off caching? We have a very BIG pipe to the net so
> caching is not necessary.

"Can I make Squid proxy only, without caching anything?"

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.20

However, I would suggest leaving the caching on, and troubleshooting why
Internet access is so slow instead. In a new thread, post a description of
your problem, hardware and software information for the system running
Squid, and your squid.conf (without comments or blank lines).

[email disclaimer snipped]

Could you please turn this off when posting to the list? Email disclaimers
in general are of dubious legal value, and are completely useless (and a
waste of space) on a public mailing list.

Adam



[squid-users] Re: Clearing the Squid cache or disabling caching during certain periods

2005-02-12 Thread Adam Aube
jennyw wrote:
> Henrik Nordstrom wrote:

>> The best approach to this is to make the web server set proper
>> cache-control and/or Expires headers. Will make your and your users
>> life much better.
> 
> Yes, that would be nice, wouldn't it? ;-) Unfortunately, this is for
> caching a commercial shopping cart (Miva Merchant) and we can't change
> the headers that are sent out programmatically (and it currently sends
> no cache-related headers at all). We might be able to add an expires
> header in a .htaccess file, but then we'd have to write a script
> changing .htaccess at various times.

No, just set the Expires: header to access time + some short interval (like
a half hour or an hour).

Alternatively, if you can identify the content from this commercial shopping
cart by URL, you could use refresh_pattern settings in squid.conf. However,
fixing this at the web server is definitely the best solution.

Adam



[squid-users] RE: Clearing the Squid cache or disabling caching d uring certain periods

2005-02-12 Thread Adam Aube
Chris Robertson wrote:
> jennyw wrote:
>> Chris Robertson wrote:

>>> acl maint_time time 04:00-05:00
>>> acl maint_pages dstdomain .my.server
>>> no_cache deny maint_time maint_pages

>> Hmmm ... I tried using this:
>> 
>> acl MAINT time 12:32-12:35
>> no_cache deny MAINT
>> 
>> But during the time specified, when I hit pages I still got this header:
>> 
>> X-Cache: HIT from squid

> To the best of my knowledge (and I imagine I'll be corrected if wrong)
> Squid completely ignores acls for cached content.

That would be a very broken and stupid behavior, and is not the case with
Squid. For example, consider a proxy that uses authentication.

If Squid doesn't bother to check ACLs for cached content, you would see no
authentication information for any TCP_HIT entries, because Squid would not
process the ACLs and therefore would not request authentication information
from the client.

However, you do see the authentication information for TCP_HIT entries in
access.log, therefore Squid still checks the ACLs for cached content.

Another way to tell would be to turn up the debugging for access controls,
then look at the data in cache.log for requested content that is cached.

> Similarly, during the MAINT time listed above (12:32-12:35) no NEW pages
> will be cached, but any pages currently in cache will be served.

This is entirely possible - provided that Squid has no way to validate the
freshness of the content, and it has not otherwise been marked as stale
(which seems to be the issue this thread is attempting to resolve).

Adam



[squid-users] Re: net2phone issue

2005-02-11 Thread Adam Aube
Varun wrote:

> Is it possible have net2phone working through
> squid.

That would be a good question to ask net2phone.

If the software supports tunneling its native protocol over HTTP, then the
answer is yes. Otherwise, no.

Adam



[squid-users] Re: Unable to log the correct data

2005-01-28 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> I have created to groups of users to access the internet through the
> proxy.  We would like to log down 1 of the group only, but in the
> access.log, it has both groups in it.  Can anyone tell me how I can filter
> out the other group that I don't want to log down?

Are you saying you don't want requests from one of the groups logged in
access.log? Squid, by design, logs all requests it receives. You can't
change this without altering the source code.

Adam



[squid-users] Re: [exim] Problems configuring Exim 4.20 with amavis-ne

2005-01-28 Thread Adam Aube
Jens Strohschnitter wrote:

>> > yes - years ago we had a running exim 3.13. With the old amavis (0.3.x)
>> > the director worked :-)
>> > So now I have removed the director and corrected the condition to:
>> > 
>> > amavis_router:
>> >   driver = manualroute
>> >   condition = "${if or {{eq {$interface_port}{10025}} \
>> > {eq {$received_protocol}{spam-scanned}} \
>> > {eq {$sender_address}{}} \
>> > }{0}{1}}"
>> >   domains = ! +local_domains
>> >   route_list = "*"
>> >   transport = amavis
>> > 
>> > But now I got the following error - and yes I'm not an exim-admin, so I
>> > don't know about some parameters in the config so here is the error:
>> > 
>> > R=amavis_router defer (-1): error in amavis_router router: no host(s)
>> > specified for domain *
>> > 
>> > Where do I have to add the "host" that is not specified ?
>> 
>>
>> This is my router:
>> 
>>   amavis_router:
>> verify = false
>> condition = "${if or { \
>> {eq {$interface_port}{10025}} \
>> {eq {$received_protocol}{spam-scanned}} \
>> } \
>> {0}{1}}"
>> driver = manualroute
>> transport = amavis
>> route_list = * localhost byname
>> self = send
>> 
>> This scans all e-mail, apart from that which has just arrived from
>> amavis or has just been scanned by SpamAssassin (spam scanning occurs
>> after virus scanning).
>> 
>> I'm not sure exactly what e-mails you want to scan for viruses - you've
>> got "domains = ! +local_domains" in your router configuration, so you
>> may need to adapt it. It's probably the "route_list" and "self = send"
>> bits that you need.
>> 
> 
> Yep! It works fine :-) Thanxx a lot.
> But another little question: Is it possible and if, how to disable the
> SpamAssassin function in amavis-new ? But I think it is not the right list
> for this question ?!

No, this isn't the right list - you sent this reply to the Squid Users list
and not the Exim mailing list the rest of the thread is on.

Adam



[squid-users] Re: Re: Squid "access.log" problem.

2005-01-28 Thread Adam Aube
Please don't top post (which is putting your reply above the original
message) - it makes the thread hard to follow.

ads squid wrote:
> --- Adam Aube <[EMAIL PROTECTED]> wrote:
>> ads squid wrote:

>>> SARG report "IN-CACHE-OUT" shows me total 1132 MB which is
>>> based on squid 'access.log' file. This does not match with ISP's usage
>>> report that is 3750 MB. I am paying my ISP on data transfer.

>> Two sources come to mind:
>> 
>> 1) Non-HTTP traffic that isn't processed by Squid.
>> 2) TCP/IP protocol overhead for HTTP traffic (which isn't included in the
>> access.log data).

>> Your best solution would be to use a low-level tool that tracks the
>> traffic sent and received at the network interface level. The "ifconfig"
>> command on Linux includes information on bytes sent and received
>> for each network interface, and a search for "ip accounting" or "traffic
>> accounting" should turn up some other solutions.

> In my case port 80 is redirected to 3128 to use squid
> transparent proxy. Will squid access.log file collect
> data transfer from port used by Kazza, Instant
> Messenger?

Only if these programs are configured to tunnel over port 80. If they use
their native protocols and ports, they would fall under the "Non-HTTP
traffic" source I mentioned before, and wouldn't be counted by Squid.

> This diff. in data transfer might be due to data
> uploading from ports used by Kazza, IM, etc.

Possibly.

Adam



[squid-users] Re: Printing problem

2005-01-27 Thread Adam Aube
Daniel Navarro wrote:

> Since I migrated from windows to linux gateway with
> squid sometimes clients can´t print, have to reboot
> clients in order to fix it.

I've had the same issues on every Windows network I've worked with. Windows
printing is just plain flaky sometimes. Squid has nothing to do with
printing, so this definitely isn't a Squid issue. 

It is possibly an issue with your Linux gateway, but only if one of the
following is true:

1) The gateway is also a network print server
2) Clients go through the gateway to get to the print server

If either of those is true, I would suggest asking on a mailing list for
your Linux distribution.

> What is the printing network port?

Depends on how you are printing. Check your client configuration.

Windows File/Print Sharing usually uses TCP ports 139 or 445 (depending on
client and server Windows version). Network printing via LPR/LPD is on TCP
port 515. Raw printing to many networked printers (such as HP JetDirect
print servers) is on TCP port 9100.

Again, this isn't a Squid issue, so you will likely get more useful help by
asking on a different list.

Adam



[squid-users] Re: Enforcing Refresh patterns

2005-01-27 Thread Adam Aube
Alexander Shopov wrote:

>> What version of squid are you using?
> Native Squid 2.5.STABLE7 under Windows XP

>> Can you post the full section out of your access.log, of a request where
>> this happens, with
>>log_mime_hdrs on
>> 
>> (Just post 1 request logged)
> 
> 
> Here is a simple web page request, for the image - just search for
> "edit.gif".

You really should have trimmed this yourself before posting.

> 1106658618.587 47 127.0.0.1 TCP_MISS/304 216 GET
> http://10.10.10.100:7778/pob/images/edit.gif - DIRECT/10.10.10.100 -

Unfortunately, this is an IMS request from Squid (note the HTTP status code
of 304), and not a request for actual content (which would have a HTTP
status code of 200). Try flushing the browser's cache and requesting the
file again. Also, next time please post only the access.log entries for
the .gif file in question.

Adam



[squid-users] Re: Squid "access.log" problem.

2005-01-27 Thread Adam Aube
ads squid wrote:

> I am using squid 2.5 STABLE on Redhat Linux 9 working
> fine. I am using squid access logs file with "SARG" for
> getting user reports.

> SARG report "IN-CACHE-OUT" shows me total
> 1132 MB which is based on squid 'access.log' file.
> This does not match with ISP's usage report that is
> 3750 MB. I am paying My ISP on data transfer.

Two sources come to mind:

1) Non-HTTP traffic that isn't processed by Squid.
2) TCP/IP protocol overhead for HTTP traffic (which isn't included in the
access.log data).

Your best solution would be to use a low-level tool that tracks the traffic
sent and received at the network interface level. The "ifconfig" command on
Linux includes information on bytes sent and received for each network
interface, and a search for "ip accounting" or "traffic accounting" should
turn up some other solutions.

Adam



[squid-users] Re: Re: Problems caching GRISOFT AVGFree update files

2005-01-27 Thread Adam Aube
Please don't top post (which is replying above the original message) - it
makes the thread hard to follow.

Diego Amadey wrote:
> Adam Aube wrote:
>> Diego Amadey wrote:

>>> I have installed avgfree antivirus in the clients of my net, and i have
>>> configured them to update their signatures using
>>> my squid proxy (2.5Stable3)

>>> They are working fine but the problem is that the update files (.bin)
>>> are not being cached.

>>> This is a part of the access.log.

>>> 1106765778.379  27278 10.21.6.169 TCP_MISS/200 949270 GET
>>> http://free.grisoft.cz/softw/70free/update/u7avi439u39282.bin -
>>> DIRECT/193.86.3.37 application/octet-stream

>> Can you show a few more TCP_MISS entries? AVG will attempt to do a custom
>> download which will only include the updates that are needed rather than
>> the entire definition file. It is possible that this custom download is
>> different for each client, resulting in different URLs for each request.

> I am sending a few more lines. The urls seems to be the same in some
> requests, but the result is always a MISS.

> 1106830838.756  14886 dsur503a.dsur TCP_MISS/200 176265 GET
> http://free.grisoft.cz/softw/70free/update/u7avi440u433wk.bin -
> DIRECT/193.86.3.36 application/octet-stream

> 1106830897.456 371326 eco906b TCP_MISS/200 4204647 GET
> http://free.grisoft.cz/softw/70free/update/u7avi440wk.bin -
> DIRECT/193.86.3.37 application/octet-stream

> 1106830903.492  28325 agri1049d.sagpya TCP_MISS/200 176265 GET
> http://free.grisoft.cz/softw/70free/update/u7avi440u433wk.bin -
> DIRECT/193.86.3.37 application/octet-stream

These three entries show the actual content sent back to the clients (note
the HTTP status code of 200). Only the first and third have the same URLs -
the second entry is for a different URL.

Based on your squid.conf and the access.log entries here, the third request
should have been a TCP_HIT.

It could be that the web server is sending a "Pragma: no-cache" HTTP header,
causing Squid to not serve the request from the cache despite your
refresh_pattern settings. Unfortunately, attempting to test the URL with
the Cacheability Test Engine results in a timeout, so I cannot verify this.

AFAIK, there is no way to override "Pragma: no-cache" in Squid. If the
server is indeed sending this header, then there is nothing you can do to
force Squid to cache the update files.

Adam



[squid-users] RE: CONNECT issues

2005-01-27 Thread Adam Aube
Please don't top post (which is putting your reply above the original
message) - it makes the thread hard to follow.

Diamond King wrote:
> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
>> On Mon, 10 Jan 2005, Diamond King wrote:

>>> I've checked the configuration file and it seems
>>> that only port 443 and 563 were connected to
>>> SSL_Ports acl rule.

>> You then have some error in your http_access rules,
>> allowing things you did not intend to allow.

>  Sorry for late reply. After further tracking, i
> managed to re-check the squid configuration files and
> below are the acls list :-

[default Squid ACLs snipped]

> http_access deny Bad_Domains
> http_access deny Bad_Ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow our_networks
> http_access allow manager localhost

> After restarting squid, I viewed the access.log files to
> watch out for CONNECT strings. Well, this time, it is
> different though. There are no more TCP_MISS:DIRECT at
> the end of the log; instead, I got TCP:DENIED. Does
> this mean I am successfully blocking those p2p or
> tunneling software?

TCP_DENIED indicates that Squid refused to serve the request. So if you are
seeing TCP_DENIED for the traffic that was previously showing TCP_MISS,
then yes, you are successfully blocking the P2P tunneling software.

Adam



[squid-users] Re: SSL-2_5.patch

2005-01-27 Thread Adam Aube
Rakesh Kumar wrote:

> I want to install the SSL gatewaying support to Squid-2.5STABLE8. Can
> anyone help how can I install this patch.

See the man page for the patch command.

Adam



[squid-users] Re: Re: Limiting the number of connections to an address

2005-01-27 Thread Adam Aube
Andrei Kovacs wrote:
> Adam Aube wrote:
>>Andrei Kovacs wrote:

>>>I would like to know if it is possible to limit the number of
>>>connections to a URI (not a particular one but in general) because I
>>>want to limit the usage of "Download Accelerators" which make 5-10
>>>connections to a file.

>>Take a look at the maxconn acl. See the FAQ or default squid.conf for more
>>information.

> Doesn't "maxconn" limit the number of connections from a specific IP ..
> the total number of connections opened, not to a specific URI ?

Correct. However, this is the closest you can get to what you want with
Squid, and it is quite effective in reining in download managers and other
misbehaving clients.

Adam



[squid-users] Re: redirect squid to a authenticated proxy in windows

2005-01-26 Thread Adam Aube
santos_fo wrote:

> I'm Interested in use as a part of my Network a Transparent Proxy
> using squid and CISCO router . The problem is that I need redirect
> squid to an authenticated proxy in windows.

So you want the router to transparently redirect requests to Squid, and
Squid to send all requests through a Windows proxy that requires
authentication?

IIRC, this can be done. See the cache_peer directive in squid.conf - there
are options that allow for sending of authentication credentials to the
parent proxy.

Note that a single credential set would be used for all the clients, because
Squid is operating as a transparent proxy and cannot get any authentication
information from the clients.

Adam



[squid-users] Re: Synchronising Squid with NT Domains

2005-01-26 Thread Adam Aube
Jason Ide wrote:

> I have squid working with a mixed w2k and NT domain and users are
> authenticating well. Except for when we create a new NT groups or change
> users in the groups, squid will not recognise the new groups or changes.
> 
> I have synchronised the domains, restarted samba, winbind and squid but to
> no good
> 
> How can I get squid to see the changes to the windows domains

The group helpers have a ttl setting that will determine how long they will
cache the results of a group lookup. Once that period expires, it should
detect the changes in your Windows domain group memberships.

Note that the ACLs used with the group helpers are explicitly configured to
use a particular group or list of groups when checking membership - if you
add a new group and do not update squid.conf, the group helpers will see
it, but Squid will not use it as part of its access controls.

Post your full squid.conf (without comments or blank lines), and give more
detail (perhaps a single concrete example) about the behavior you are
observing.

Adam



[squid-users] Re: Limiting the number of connections to an address

2005-01-26 Thread Adam Aube
Andrei Kovacs wrote:

> I would like to know if it is possible to limit the number of
> connections to a URI (not a particular one but in general) because I
> want to limit the usage of "Download Accelerators" which make 5-10
> connections to a file.

Take a look at the maxconn acl. See the FAQ or default squid.conf for more
information.

Adam



[squid-users] Re: mail box and mail content is not shown

2005-01-26 Thread Adam Aube
Rakesh Kumar wrote:

> I am using Squid-3 as SSL proxy for OWA (Exchange 2003). The issue is that
> with latest snapshots of Squid-3-PRE3 frequently mailboxes do not open and
> mail content is not shown. Sometimes I can read mails from my Inbox but
> opening mail from other boxes takes infinite times / does not open.
> 
> However with Squid-3-PRE3 (no snapshot) I do not have such delay but I
> have other issue with squid as squid process gets killed due to
> fragmentation error after receiving 16 SSL negotiation errors.

Squid 3 is not production quality and should not be used in a production
environment. IIRC, Squid 2.5 supports SSL in a reverse proxy setup (though
some patches may be required). See the list archives for more information.

Adam



[squid-users] Re: Problems caching GRISOFT AVGFree update files

2005-01-26 Thread Adam Aube
Diego Amadey wrote:

> I have installed avgfree antivirus in the clients of my net, and i have
> configured them to update their signatures using
> my squid proxy (2.5Stable3)

> They are working fine but the problem is that the update files (.bin) are
> not being cached.
> 
> This is a part of the access.log.
> 1106765778.379  27278 10.21.6.169 TCP_MISS/200 949270 GET
> http://free.grisoft.cz/softw/70free/update/u7avi439u39282.bin -
> DIRECT/193.86.3.37 application/octet-stream

Can you show a few more TCP_MISS entries? AVG will attempt to do a custom
download which will only include the updates that are needed rather than
the entire definition file. It is possible that this custom download is
different for each client, resulting in different URLs for each request.

Adam



[squid-users] Re: digging from cache

2005-01-26 Thread Adam Aube
Shiraz Gul Khan wrote:

> But, if I use the command
> #tail -f /var/log/squid/cache.log

> I see my current running cache.log.

cache.log doesn't log requests sent to Squid - access.log does.

> so is there any command for catch a line and write to in other txt  file
> if someone use the proxy and put any line if they use as a @any mail
> service.

If your users are using a webmail service, and if the email address or
username is somehow part of the URL, it will show up in access.log. You can
parse the log and get this information there.

If you are talking about POP, IMAP, and/or SMTP, and not webmail, then you
are looking in the wrong place. Squid only deals with HTTP - it does not
deal with email protocols. A mail relay server your clients are forced to
use or a packet sniffer would be the preferred tools in this case.

Adam



[squid-users] Re: tcp_ims_hit returns blank page?

2005-01-26 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> ** Reply to note from Henrik Nordstrom <[EMAIL PROTECTED]> Thu, 20 Jan
> 2005 14:49:25 +0100 (CET)

> I have edited all.js and disabled and zeroed disk and memory caches,
>   
> pref("browser.cache.disk.enable",   false);
> pref("browser.cache.disk.capacity", 0);
> pref("browser.cache.memory.enable", false);
> pref("browser.cache.memory.capacity",   0);

> Yet Squid still reports that:-
> 1) The browser issued an IMS request for an object that was in the
> Squid cache and fresh.
> 2) The browser already had an up to date version, so there was no need
> to send the Squid cached copy to the browser.

> Mozilla displays a blank page and reports "Done".

Then this is a Mozilla problem, not a Squid problem. I would suggest finding
a mailing list or discussion board for Mozilla users and posting there.

Adam



[squid-users] Re: Logfile analyzing

2005-01-26 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> I checked out the squid log analyzer programs, But
> haven't found one that can provide a sample output
> like what I need to see on the report.

> Say for example I go to microsoft.com, click on
> "products", then click on "visual studio .NET"

> I'd like to see this in the logfile:

> http://www.microsoft.com
> http://www.microsoft.com/products
> http://www.microsoft.com/products/visual_studio

> This is a theoretical example as if those are the
> actual URL locations typed into the address bar, or
> clicked via hyperlink.

> I don't see how the access.log can be used to provide
> this kind of report.

In this case the initial request seen by Squid (and logged in access.log)
will be the URL typed into the address bar. Any additional content or
redirects will be shown after.

> For example, if I simply type microsoft.com in my
> address bar and click on "office" in the left pane,
> then check my access.log, I see 35 entries have been
> added just by clicking the "office" link once.

The first one will be for the page the hyperlink points to, and the rest
will be for any redirects and/or additional content needed for the page.

> the access.log doesn't seem to differentiate between what
> the user clicked, and what the webpage requested to
> display the whole page correctly.

Because Squid doesn't see what the user clicked (in this case, "Office") -
Squid sees the URL the hyperlink points to (which is what the browser
actually requests).

> More specifically, the first 3 entries say:
> 
> 127.0.0.1 - - [22/Jan/2005:15:56:31 -0500] "GET
> http://g.microsoft.com/mh_mshp/2 HTTP/1.1" 301 538
> TCP_MISS:DIRECT

If you check in the browser, this is the URL the "Office" hyperlink points
to. Again, Squid sees requested URLs, not how the hyperlink was displayed
to the user by the browser.

In this case, the HTTP status is 301, which means this is a redirect.

> 127.0.0.1 - - [22/Jan/2005:15:56:32 -0500] "GET
> http://office.microsoft.com/home/default.aspx
> HTTP/1.1" 301 467 TCP_MISS:DIRECT

This is another redirect.

> 127.0.0.1 - - [22/Jan/2005:15:56:32 -0500] "GET
> http://office.microsoft.com/en-us/default.aspx
> HTTP/1.1" 200 52134 TCP_MISS:DIRECT

The HTTP status code of 200 indicates that this is the page that was
ultimately shown to the user.

> I don't see how the access.log can be used to provide
> this kind of report.

It can't. All Squid sees (and logs) is a series of HTTP requests from the
browser. It doesn't know how those requests were rendered by the browser.

Also, I see you are using the Common Logfile format. I would really
recommend you use the Squid native log format - most log analyzers can use
both, and the Squid native log format provides a great deal more detail.

> How is ANY logfile analyzer going to tell the
> difference between the first entry (which the user
> clicked on) and the second/third entries (which were
> requested by the html from the first entry)?

Perhaps by content-type and timing (look at the first text/html request in a
series of requests within a small window of time from the same client). But
there's no way to know with 100% certainty. If you need that level of
certainty, you should be looking at the browser history and not your proxy
logs.

> Is there is a squid configuration parameter that will
> allow the logs to be filtered appropriately?

No - because what the browser sends to Squid and what the browser shows the
client are two entirely different things. Again, for the information you
want, the browser's history is the best place to look.

Adam



[squid-users] RE: squid performance

2005-01-26 Thread Adam Aube
Please don't top post (which is putting your reply above the original
message) - it makes the thread hard to follow.

Daniel Navarro wrote:
>  --- Elsen Marc <[EMAIL PROTECTED]> wrote:

>>> what is the squid performance parameter that shows
>>> me how much efficient it is?

>>  Define efficient.

>>> what is the squid parameter that shows me how much
>>> bandwidth have saved?

>>   http://www.squid-cache.org/Scripts/

> Maybe I don't know how to make the correct question.

> I already have webalizer, SARG, Squid
> Logbuchauswertung and calamaris.

Calamaris is a good source of information on general proxy performance.

> What are the important parameters to measure and what
> does they mean?
>
> What tells me how many pages or files are taking from
> cache instead of internet?
> 
> What tells me how much bandwidth is being saved?

One of the output sections of Calamaris, "Incoming TCP-requests by status",
will show the number and percentage of requests and bytes that are cache
hits. For cache hits, requests are the number of items that were served
from the cache and not from the Internet, and bytes are the amount of
bandwidth that was saved.

See the sample Calamaris HTML report for a view of this (note that this
report is more verbose - a less verbose version can also be generated).

http://cord.de/tools/squid/calamaris/calamaris-2.html

Adam

To make the access.log reading in this and the earlier messages concrete (the TCP_MISS/304 entries that carry no content, the TCP_DENIED entries that show a block is working, and the Calamaris-style "requests by status" hit counts and bytes saved), here is an added example that is not part of the original thread, of Calamaris or of Squid itself: a small Python parser for the Squid native log format that summarizes a log by result code and HTTP status. The log lines in SAMPLE_LOG are constructed for the example (the clients, URLs and sizes are made up, modelled on the entries quoted in the thread).

```python
"""Summarize a Squid native-format access.log by result code and HTTP status.

Native format (one request per line):
  end_time elapsed_ms client code/status bytes method URL ident hierarchy/peer mime
Added example; the log lines in SAMPLE_LOG are constructed, not real traffic.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
1106830838.756  14886 10.21.6.10 TCP_MISS/200 176265 GET http://free.grisoft.cz/softw/70free/update/u7avi440u433wk.bin - DIRECT/193.86.3.36 application/octet-stream
1106830903.492     12 10.21.6.11 TCP_HIT/200 176265 GET http://free.grisoft.cz/softw/70free/update/u7avi440u433wk.bin - NONE/- application/octet-stream
1106830910.101      3 10.21.6.11 TCP_IMS_HIT/304 216 GET http://www.example.com/images/edit.gif - NONE/- -
1106830915.000     47 10.21.6.12 TCP_MISS/304 216 GET http://www.example.com/images/edit.gif - DIRECT/192.0.2.10 -
1106830920.500      1 10.21.6.13 TCP_DENIED/403 1311 CONNECT 198.51.100.7:6881 - NONE/- text/html
1106830925.250    130 10.21.6.13 TCP_REFRESH_HIT/200 52134 GET http://www.example.com/en-us/default.aspx - DIRECT/192.0.2.10 text/html
1106830930.000      5 10.21.6.14 TCP_MEM_HIT/200 4096 GET http://www.example.com/style.css - NONE/- text/css
1106830935.000    900 10.21.6.14 TCP_MISS/200 52134 GET http://www.example.com/products/ - DIRECT/192.0.2.10 text/html
"""

# Result codes under which Squid answered from its own cache (no object fetched from origin).
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_HIT",
             "TCP_NEGATIVE_HIT", "TCP_OFFLINE_HIT"}


@dataclass(frozen=True)
class Entry:
    end_time: float   # seconds since the epoch when the response was completed
    elapsed_ms: int   # time Squid spent on the request, in milliseconds
    client: str
    code: str         # Squid result code, e.g. TCP_MISS, TCP_HIT, TCP_DENIED
    status: int       # HTTP status returned to the client
    size: int         # bytes sent to the client, headers included
    method: str
    url: str
    hier: str         # hierarchy code / peer, e.g. DIRECT/193.86.3.36
    mime: str


def parse_line(line):
    """Parse one native-format line; raise ValueError on a malformed line."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    code, _, status = f[3].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status),
                 int(f[4]), f[5], f[6], f[8], f[9])


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries):
    """Per-code and per-status counts plus request and byte hit ratios."""
    by_code = Counter(e.code for e in entries)
    by_status = Counter(e.status for e in entries)
    served = [e for e in entries if e.code != "TCP_DENIED"]
    hits = [e for e in served if e.code in HIT_CODES]
    misses = [e for e in served if e.code not in HIT_CODES]
    hit_bytes = sum(e.size for e in hits)
    miss_bytes = sum(e.size for e in misses)
    total_bytes = hit_bytes + miss_bytes
    return {
        "requests": len(entries),
        "denied": by_code["TCP_DENIED"],
        "hits": len(hits),
        "misses": len(misses),
        "hit_bytes": hit_bytes,
        "miss_bytes": miss_bytes,
        "request_hit_ratio": len(hits) / len(served) if served else 0.0,
        "byte_hit_ratio": hit_bytes / total_bytes if total_bytes else 0.0,
        "by_code": dict(by_code),
        "by_status": dict(by_status),
    }


def body_responses(entries, url_fragment):
    """Entries for a URL that actually carried content (status 200).

    A 304 (TCP_IMS_HIT/304 or TCP_MISS/304) only tells the client its copy is
    still good, so it says nothing about whether the object itself is cached.
    """
    return [e for e in entries if url_fragment in e.url and e.status == 200]


ENTRIES = parse_log(SAMPLE_LOG)
SUMMARY = summarize(ENTRIES)

if __name__ == "__main__":
    for key in ("requests", "denied", "hits", "misses", "hit_bytes", "miss_bytes"):
        print("%-18s %s" % (key, SUMMARY[key]))
    print("request hit ratio  %.2f" % SUMMARY["request_hit_ratio"])
    print("byte hit ratio     %.2f" % SUMMARY["byte_hit_ratio"])
    for code, n in sorted(SUMMARY["by_code"].items()):
        print("%-18s %d" % (code, n))
    print("edit.gif content responses:", len(body_responses(ENTRIES, "edit.gif")))
```

Two caveats when reading the numbers. The bytes column is what Squid sent to the client, so a TCP_IMS_HIT/304 is a whole object transfer saved that shows up as a couple of hundred bytes, and a TCP_REFRESH_HIT still cost a revalidation round trip to the origin; the byte hit ratio therefore understates the saving. And neither the log nor this script sees TCP/IP overhead or non-HTTP traffic, which is why a total computed this way will not match an ISP's byte count.
<test>
assert SUMMARY["requests"] == 8
assert SUMMARY["denied"] == 1
assert SUMMARY["hits"] == 4
assert SUMMARY["misses"] == 3
assert SUMMARY["hit_bytes"] == 232711
assert SUMMARY["miss_bytes"] == 228615
assert SUMMARY["by_status"] == {200: 5, 304: 2, 403: 1}
assert SUMMARY["by_code"]["TCP_MISS"] == 3
assert abs(SUMMARY["request_hit_ratio"] - 4 / 7) < 1e-9
assert abs(SUMMARY["byte_hit_ratio"] - 232711 / (232711 + 228615)) < 1e-9
assert body_responses(ENTRIES, "edit.gif") == []
assert len(body_responses(ENTRIES, "u7avi440u433wk.bin")) == 2
assert ENTRIES[4].method == "CONNECT" and ENTRIES[4].code == "TCP_DENIED"
assert summarize([]) == {"requests": 0, "denied": 0, "hits": 0, "misses": 0, "hit_bytes": 0, "miss_bytes": 0, "request_hit_ratio": 0.0, "byte_hit_ratio": 0.0, "by_code": {}, "by_status": {}}
</test>



[squid-users] Re: slow downloads

2005-01-26 Thread Adam Aube
Please don't post your question to the list multiple times.

BusyBoy wrote:

> I have implemented Squid using WPAD and it's working nicely as far as
> the Users are concerned. I have observed that when we use squid in
> our browser, the download speed goes tremendously slow,

How slow is "tremendously slow"? Does explicitly configuring the client to
use the proxy (instead of using WPAD) make a difference?

> while without proxy configuration, the speed goes up to 40 Kbps.

> Also, I have not applied any delay_pools.

Check to see if your system is having a memory or disk I/O bottleneck. Also,
post your hardware configuration, squid.conf (without comments or blank
lines), as well as the average and peak requests per second.

Adam



[squid-users] RE: Re: squid_ldap_auth or squid_ldapauth supports MD5 ?

2005-01-20 Thread Adam Aube
Joan Ramos Ramos wrote:

> > squid_ldap_auth supports whatever passwords encryption schemes
> > supported by your LDAP server

>  on my server only works if i have a Crypt (DES) password.
>  why not works with MD5?

Most likely your LDAP server doesn't support it.

Adam



[squid-users] Re: Problem on transparent proxy!

2005-01-20 Thread Adam Aube
Hamed Majnoonian wrote:

> I have a 4.11 box with squid [latest] on it. I want to use it as a
> transparent proxy. Every setting which is necessary has been set correctly
> but without setting the 3128 on my browser it doesn't work and the
> access.log doesn't show anything.

Then your redirection settings are wrong. This isn't a Squid issue - I would
suggest asking on a mailing list for your firewall software.

Adam



[squid-users] Re: most efficient browser viewable top sites visited analyzer

2005-01-20 Thread Adam Aube
joe z wrote:

> i am looking to setup a web page accessible via a browser that
> lists top 15 websites visited, host html activity, and by clicking on the
> name of the site in the top visited a list of which hosts were active on
> that site. i want the default to be for the last twelve hours but the
> option (via dropdown? with last day, last two days, last week) to view
> more history.

Probably Squidalyser is closest to what you want - it dumps the logs to a
database, and has a web-based interface to control search criteria.

Adam



[squid-users] Re: transparent proxy + web content filter problem

2005-01-20 Thread Adam Aube
Henrik Nordstrom wrote:
> On Mon, 17 Jan 2005, DurgaPrasad Adusumalli wrote:

>> I am using web proxy content filter (Dansguardian) to scan all
>> outgoing traffic from my LAN. I am using transparent proxying with an
>> iptable rule that forwards all outgoing traffic to web proxy. This
>> setup works but all the browsing activity gets slowed down. When I
>> configure my browser to use proxy Internet access gets faster.

> iptables interception normally does not have any speed difference compared
> to directly configuring the proxy settings.

"Speed" in terms of bandwidth or latency? A site I worked at saw browsing
latency drop significantly after switching away from transparent proxying.

Of course, it could have been something else besides the iptables
redirection - extra DNS lookups, perhaps?

Adam



[squid-users] Re: Bandwidth Control using Delay Pool. Help !

2005-01-20 Thread Adam Aube
Henrik Nordstrom wrote:

> On Wed, 19 Jan 2005, Anandh G wrote:

>> 2. If I restrict the bandwidth for some, 5 users, to
>> 128Kbps on a 256Kbps link, will all the other users,
>> who are not in the restriction(Delay Pool) list, have
>> the full 256Kbps bandwidth, when those 5 users are not
>> using their 128Kbps bandwidth.
> 
> No, Squid does not have any hierarchical delay pools allowing for
> bandwidth lending.

Since the other clients aren't in the delay pool system at all, wouldn't
they get all currently available bandwidth by default?

Adam



[squid-users] Re: Help me About Squid

2005-01-20 Thread Adam Aube
Oliver Hookins wrote:

> Umar Draz wrote:

>> I have 512MB RAM and 1100MB swap.
>> Now my question is this: I have set a 5GB /cache, so what should cache_mem be?

> If you check out the archives you will see that the rule of thumb for
> disk cache to memory cache is about 100:1 (if I remember correctly). So
> for a 5GB disk cache you should have 50MB of memory to handle it.

No, that's the rule of thumb for how much memory Squid will use to store
cache metadata, which is based purely on the size of the cache. The
cache_mem setting controls how much memory Squid will use to cache on-disk
objects in memory (which improves performance).

Generally the default for cache_mem does not need to be changed, because the
OS itself will use free memory to cache files. Items in Squid's cache that
are frequently or recently accessed will be included in this file cache.

If a memory shortage occurs, the OS can dump file cache to free up memory,
but memory used by Squid's cache_mem setting can only be recovered by
swapping out Squid, which will drastically hurt performance.

Adam



[squid-users] Re: Help me About Squid

2005-01-20 Thread Adam Aube
Umar Draz wrote:

> I have a cable internet setup; now I want to configure a proxy server.

> I have a P4 Intel-based server with 512MB RAM and a 60GB hard disk.

> Now my question is this: when I choose cache_replacement_policy heap LFUDA
> and memory_replacement_policy heap LFUDA, then what should
> maximum_object_size be?

Generally the default is acceptable, though it certainly won't hurt if you
increase it. 5 MB or 10 MB should be more than enough for your setup.

> I have 512MB RAM and 1100MB swap.
> Now my question is this: I have set a 5GB /cache, so what should cache_mem be?

The default (8 MB) is generally fine. Remember that the OS file cache will
also retain a certain amount of the Squid disk cache (depending on what
else the system is used for), so this value doesn't need to be very high.

Adam



[squid-users] Re: Autentication x AD intermittent

2005-01-10 Thread Adam Aube
Please don't post the same message to the list multiple times.

rodd wrote:

>   I am having some problems using my Squid authenticating
> against my Active Directory Server.
>  I have this environment working for about 6 months, and it was
> fine, but since last month its behavior became very strange. The point
> is when the clients request a page, some time it works fine, but some
> times they get an error like: "The page cannot be displayed".

Have you upgraded any software or installed any patches on the Squid server
or the domain controller? Has your usage level increased significantly?

> I have checked many things, starting with the DNS structure,
> and I didn't find any problem. I've checked the response time between
> my workstation machine and the Squid Server, and between the Squid
> Server and the AD server, and everything is fine; actually they are
> all in the same LAN.

How are you checking this?

> I tried many different configurations of samba and squid to
> solve that, but it still happens. I changed my smb.conf and the
> squid.conf and now it is like that:

[squid.conf and smb.conf snipped]

I see you are using NTLM authentication. Due to the nature of NTLM, problems
often occur for one of two reasons:

1) Insufficient NTLM helpers (most common)
2) Too much load on the DC

Increase the number of helpers and see what happens. If the problem recurs,
but takes longer than before to start happening, keep increasing the number
of helpers until the problem goes away.

Also, Cache Manager has a page of interesting info on the NTLM helpers.
This may also help point you in the direction of the problem.

>   The software versions are:
> 
> Squid: Version 2.5.STABLE7
> Winbindd: Version 3.0.7
> krb5 - 1.2.7-24
> and Red Hat Enterprise Server

> Other important information is that when I stop the
> authentication, the problem stops. Other important information is that
> the problem only happens during the business day; we have around 3000
> users accessing the internet. Btw, the cpu and memory of the server
> are ok. I tried also disabling the cache, but without success.

How many concurrent requests to the proxy? For NTLM, the recommendation is
one helper for each concurrent request.

> Another very interesting thing is that I have a backup proxy
> server, and on that server the problem doesn't happen, so I
> switched the clients to the backup server

> the clients are accessing the backup server since two weeks ago without
> any problem, but today the problem also started in the backup server.

Which makes it seem like a load issue, though if all the clients were
switched to the backup at once, it's odd that it would take two weeks for
the problem to occur there as well. Was the load lighter than normal for
the first part of the two weeks?

Adam



[squid-users] Re: grab password from url

2005-01-07 Thread Adam Aube
Luca Marchiori wrote:
> Henrik Nordstrom wrote:

>> So your real question is if it is possible to determine with the help of
>> Squid if this employee is uploading confidential information to a third
>> party web site.

> We already know the employee is uploading confidential information to the
> internet.

Then turn over your proof to local law enforcement, and let them deal with
it - you don't need the username and password for this.

>> Generally speaking, if the web site is https based then all you can see
>> is the amount of traffic going in both directions

> Already done! HTTPS. Traffic confirms our suspicion. We need user/password

Due to the design of SSL, Squid cannot see the contents of HTTPS traffic.
This includes the URL, so it is not possible to get the username and
password this way.

>> In an ethical point of view stealing the users personal login details to
>> this third party web site by analyzing his traffic is very dubious in my
>> view, and probably illegal in many countries.

> My customer knows all. He pays me for technical things and he will pay
> lawyers for those things.

I would suggest YOU speak with an attorney to make sure you adequately
protect yourself - it would be easy for your customer to simply say "I
never asked him to do that" if this backfired on him.

All your customer's money and lawyers won't do you any good if he decides to
pin the blame on you to save himself.

>> You surely should be able to make up better approaches in
>> proving/disproving the claims of Internet connection abuse.

> Already done with a HW keylogger (fantastic toy !).

If you are using such a "fantastic toy", then you should already have the
username and password - unless it's not quite so "fantastic".

Adam



[squid-users] Re: Re: Problem Blocking msn messenger

2005-01-07 Thread Adam Aube
Ow Mun Heng wrote:

> On Thu, 2005-01-06 at 05:52, Adam Aube wrote:
>> Carlos Simbaña wrote:

>> > 1. I am trying to block msn messenger

>> Could you post all your acl and http_access lines, and detail what
>> station IP address you are testing from? It might be a misconfiguration
>> elsewhere.

> I don't see why you have to use squid to do such things.

> Squid is a proxy. It does not proxy MSN messengers

Squid does not proxy MSN messenger directly. However, most IM applications
(MSN included) support tunneling their protocol over HTTP. So even if the
OP blocks the MSN messenger ports at the firewall, users can still
configure MSN messenger to tunnel the protocol through Squid.

Adam



[squid-users] Re: Number of users currently connected?

2005-01-06 Thread Adam Aube
ads squid wrote:

> Is there any way I can find out how many users are
> currently connected to squid. It should give dynamic
> status of connected users.

Cache Manager has a page with this info that is available if client_db is
turned on in squid.conf. You just refresh the page in your browser and the
data is updated.

> If squid can not do this, is there any open source
> utility which does this ?

There are some log analysis tools (linked from the Squid site) that can.

Adam





[squid-users] Re: Problem Blocking msn messenger

2005-01-05 Thread Adam Aube
Please don't post a new issue by responding to another post - it breaks
threading and makes the archives harder to follow. Instead, post a new
message to the list.

Carlos Simbaña wrote:

> 1. I am trying to block msn messenger, but when I include
> logginnet.passport.com in the squidGuard blacklist block the msn but
> hotmail too.

Since both use Passport for authentication, this isn't surprising.

> 2. If I build a white list with hotmail.msn.com, the web page does not appear.

Because you're still blocking Passport.

> 3. After that, I remove logginnet.passport.com from black list
> (squidGuard) and put in my squid.conf

> acl msnmessenger url_regex -i gateway.dll
> http_access deny msnmessenger
> acl msn req_mime_type -i ^application/x-msn-messenger
> http_access deny all msn
> http_access allow all
> 
> Then hotmail works, but msn messenger is NOT blocked :-(

Kudos to you for trying the archives before posting.

Could you post all your acl and http_access lines, and detail what station
IP address you are testing from? It might be a misconfiguration elsewhere.

Adam



[squid-users] Re: pl help

2005-01-05 Thread Adam Aube
Nitin wrote:

> I am using squid & squint both. I have installed a web server locally.
> My domain name is world.india .
> 
> When users request a page locally (internal network), like
> http://abc , the squint report shows abc.world.india.
> 
> I do not want squint to show this type of report (abc.world.india); I only
> want external logs, like www.yahoo.com

Squid will log whatever requests it receives. The only way to do what you
want is to configure the browsers to not use the proxy for your internal
domain. The simplest way to do this is with autoconfiguration scripts,
which are explained in a Squid FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.2

Despite the fact that it's called "Netscape automatic configuration", it
works with other browsers as well - Netscape was just the first to use it.

Adam



[squid-users] Re: Re: transparently proxying ICQ and other messengers

2005-01-04 Thread Adam Aube
Kinkie wrote:

>> It's no less secure than CONNECT tunneling, and from Squid's standpoint
>> it may be more secure - fewer ports on which CONNECT is allowed.

> This is the only solution in this case I think, since Squid only
> understands HTTP and not the various IM protocols.

Yes - the only way to get IM to work through Squid is to explicitly
configure the application to use a proxy (because it will then tunnel its
protocol over HTTP via the proxy). Transparent proxying will not work.

> The only downside to it is that since DNS is never taken in the equation
> (except maybe at the time the chains are built) it is slightly more
> expensive to maintain than - say a CONNECT + dstdomain + port ACL.

In a transparent proxy environment, the clients are already doing their own
DNS lookups, so nothing changes here.

However, transparent proxying itself is a bad idea. It's a violation of the
HTTP standard, and can sometimes break unexpectedly in very strange ways
(just look at all the reports of Hotmail issues over the last week).

A more robust setup is to use proxy autoconfiguration scripts to pass proxy
settings to the clients. This also makes it easy to load balance and allow
automatic failover (using round-robin DNS).

Adam
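
A proxy autoconfiguration (PAC) script of the kind this reply and the "pl help" reply above recommend, added here as an example (it is not from the posts or from the Squid project). It assumes an internal domain, two hypothetical proxy names and a hash-based choice of primary proxy; the three helper functions are stand-ins for the ones a browser's PAC engine normally provides, so the script can be exercised outside a browser.

```javascript
// Added example, not code from the squid-users posts or the Squid project:
// a proxy autoconfiguration (PAC) script. A browser calls
// FindProxyForURL(url, host) for every request and follows the returned
// list, moving on to the next entry when a proxy is unreachable.

// Assumed names for this example: the internal domain from the "pl help"
// thread and two hypothetical proxy hosts.
var INTERNAL_DOMAIN = ".world.india";
var PROXIES = ["proxy1.example.lan:3128", "proxy2.example.lan:3128"];

// Stand-ins for three helpers a browser's PAC engine normally supplies, so
// the script can be run outside a browser (e.g. with node).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  var h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

function shExpMatch(str, pattern) {
  // Translate the shell-style glob (* and ?) into an anchored regular expression.
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Load balancing with failover: pick the primary proxy by hashing the host,
// so one site's requests keep landing on the same cache (better hit ratio),
// and list the remaining proxies as fallbacks. The reply above suggests
// round-robin DNS for this; hashing inside the PAC file is an assumed,
// commonly used alternative.
function proxyList(host) {
  var hash = 0;
  for (var i = 0; i < host.length; i++) {
    hash = (hash * 31 + host.charCodeAt(i)) >>> 0;
  }
  var first = hash % PROXIES.length;
  var entries = [];
  for (var j = 0; j < PROXIES.length; j++) {
    entries.push("PROXY " + PROXIES[(first + j) % PROXIES.length]);
  }
  return entries.join("; ");
}

function FindProxyForURL(url, host) {
  // Plain hostnames (http://abc) and the internal domain bypass the proxy,
  // so internal requests never reach Squid and never appear in access.log.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Private address space (assumed internal here) also goes direct.
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }
  // Everything else goes through Squid. No trailing "; DIRECT": when the
  // proxy enforces access policy, a proxy outage should fail closed rather
  // than let clients reach the Internet unfiltered.
  return proxyList(host);
}
```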



[squid-users] Re: Re: limit no of requests

2005-01-04 Thread Adam Aube
Henrik Nordstrom wrote:

> On Sat, 1 Jan 2005, Adam Aube wrote:
> 
>>>   is it possible to limit the no. of requests/browsers from a client
>>> at a given time
>>
>> "Can I limit the number of connections from a client?"
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.22
> 
> Yes, but this does not correspond in any easy manner to the question.

True, but it is the closest you can get using Squid, and is probably
reasonably close to what the OP wants.

> The main reason to use this is to trap malfunctioning clients opening way
> too many concurrent connections, not as a means to limit the user
> experience.

And also clients that are deliberately configured to behave this way, such
as some download managers.

Adam



[squid-users] Re: transparently proxying ICQ and other messengers

2005-01-04 Thread Adam Aube
Please don't top post (which is putting your reply above the original
message) - it makes the thread hard to follow.

Chavdar Videff wrote:
> On Tuesday 04 January 2005 04:45, Ow Mun Heng wrote:

>> Look at the SSL_ports or SSL_safe_ports (can't remember the exact name)
>> and put in the ports for ICQ and others there.

>> That's just necessary for them to use the CONNECT method for connecting.

>> Note that these are _not_ proxying requests. Your box just acts as a
>> forwarder.

> Sorry but this didn't work. Can the reason be that squid was not
> configured with --enable-ssl option?

That is for using SSL reverse proxying - it has nothing to do with normal
(forward) proxy setups.

> Would it be less secure if I just allow ICQ to pass
> through the iptables firewall and SNAT in POSTROUTING chain?

It's no less secure than CONNECT tunneling, and from Squid's standpoint it
may be more secure - fewer ports on which CONNECT is allowed.

Adam



[squid-users] Re: Re: delay_pools problem [[more info]]

2005-01-04 Thread Adam Aube
kfliong wrote:
> Adam Aube wrote:
>> kfliong wrote:

>>> I tried to use delay_pools to control the speed of some users but
>>> somehow it doesn't work. Particularly delay_access 5. Those users in
>>> delay_access 5 need to be running at only 1k/s but somehow this speed
>>> limit is not imposed. Please help.

>>> Here is my squid.conf for delay_pool :

>>> #delay_acess 5 for very slow speed
>>> delay_access 5 allow slow_sites
>>> delay_access 5 allow slow_user2
>>> delay_access 5 deny all

>>> acl slow_sites dstdomain .friendster.com uw.netroasia.com
>>> .rottentomatoes.com
>>> acl slow_user2 srcdomain jackye marcus

>> Which ACL is having the problem - slow_sites or slow_user2?

>> In slow_user2, you are using the srcdomain ACL, but the parameters you
>> give it don't seem to be correct domain names (compare to the dstdomain
>> ACL).

>> Also, srcdomain requires a reverse lookup on the client's IP address. Is
>> the reverse DNS setup correctly for your client IP addresses?

>> What if you try using a src ACL (IP address) instead of srcdomain?

> Both slow_sites and slow_user2 don't work.

Odd - slow_sites looks correct and should work. Can you give a specific
example of something that should work but isn't?

> If I use http_access to block slow_user2 it will work. So, I am sure that
> the srcdomain works.

> But when trying to limit the speed using delay_pools it doesn't seem to
> work.

According to the delay pools FAQ, "delay pool ACL processing is done using
'fast lookups', which means (among other things) it won't wait for a DNS
lookup if it would need one."

http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8

srcdomain requires a reverse DNS lookup of the client IP address, which is
why it isn't working in delay_access - Squid won't wait for the DNS lookup
to complete.

A workaround for this would be to use the slow_user2 acl somewhere in your
http_access section. http_access will wait for the DNS lookup, and it will
make the information available to delay_access.

Adam



[squid-users] Re: new hotmail problem?

2005-01-04 Thread Adam Aube
Again, I ask that you reply to the list and not to me directly.

If your mail client does not have a "Reply to List" feature, use "Reply to
All" and remove all addresses except the list's. I would also suggest
switching to a better mail client.

Patricio Bruna V wrote:
> Adam Aube escribió:

>> Please reply to the list, and not to me directly.

>> Patricio Bruna V wrote:
>>> Adam Aube escribió:
>>>> Patricio Bruna V wrote:

>>>>> now I can login to hotmail and read the emails, but when I try to
>>>>> download an attached file I get a blank screen

>>>> Are you using a transparent proxy?

>>> Yes I am, the squid version is squid-2.5.STABLE5-4

>> What browsers are you experiencing this problem with?
>> Does it work properly if the browser is configured to use the proxy?

> Internet Explorer; it works OK if I set up the proxy in the browser, but
> that's not an option

Do other browsers, such as Mozilla Firefox, also have this problem?

Can you use a packet sniffer (such as tcpdump or ethereal) to capture the
HTTP headers sent/received? You would need to compare transparent proxying,
going direct, and configuring the browser to use a proxy.

Adam



[squid-users] Re: limit no of requests

2005-01-01 Thread Adam Aube
azeem ahmad wrote:

>   is it possible to limit the no. of requests/browsers from a client
> at a given time

"Can I limit the number of connections from a client?"

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.22

Adam



[squid-users] Re: squid with Active Directory USers:

2004-12-31 Thread Adam Aube
BusyBoy wrote:

> I have a Linux system with Squid and around 100 domain clients. What I
> want is Active Directory user-based internet access.

> Some Active Directory users have total access to the internet (all
> domains, all protocols, and all else) and some users should not be
> able to open a specific site and protocol set like this

Use the LDAP basic auth and group helpers. Then create Active Directory
groups for your various restrictions and use those in Squid. See the FAQ
and the archives for information on setting this up.

Adam



[squid-users] Re: new hotmail problem?

2004-12-31 Thread Adam Aube
Please reply to the list, and not to me directly.

Patricio Bruna V wrote:
> Adam Aube escribió:
>> Patricio Bruna V wrote:

>>> now I can login to hotmail and read the emails, but when I try to
>>> download an attached file I get a blank screen

>> Are you using a transparent proxy?

> Yes I am, the squid version is squid-2.5.STABLE5-4

What browsers are you experiencing this problem with?
Does it work properly if the browser is configured to use the proxy?

Adam



[squid-users] Re: Hotmail problems

2004-12-30 Thread Adam Aube
Tony Loosle wrote:

> I have tried the posted fix for the recent hotmail problems, but squid
> gives an error with the header command.
> 
> I must have an old version of squid.  It's on a CacheRaQ from Sun/Cobalt.
> 
> Is there a way to fix this issue with older versions of squid?

What version of Squid? Solutions have been posted for 2.5 and 2.4.

Adam



[squid-users] Re: new hotmail problem?

2004-12-29 Thread Adam Aube
Patricio Bruna V wrote:

> now I can login to hotmail and read the emails, but when I try to download
> an attached file I get a blank screen

Are you using a transparent proxy?

Adam



[squid-users] Re: transparent proxy problem

2004-12-29 Thread Adam Aube
Tsillas, Demetrios J wrote:

> The following accesses fail to show up using IE6 and transparent proxy.
> These are accesses to download an attachment from a hotmail message.
> The screen is blank. It works fine if I configure a non-transparent
> proxy. Haven't tried it with other browsers. I'm using 2.5-stable7.

Have you implemented the workaround for Hotmail problems discussed on the
list over the past few days?

> 1104368893.994 228 192.168.128.20 TCP_MISS/302 850 GET
> http://65.54.184.250/cgi-bin/saferd/ourview.jpg? - DIRECT/65.54.184.250
> text/html

> 1104368894.375 376 192.168.128.20 TCP_MISS/200 715 GET
> http://65.54.184.250/cgi-bin/getmsg/ourview.jpg? - DIRECT/65.54.184.250
> image/jpeg

These logs show an HTTP redirect and then a successful fetch. Other than the
file size being rather small for an image file, nothing is amiss here.

Adam



[squid-users] Re: squid shuts down and syslogs complains disk space over limit but I have free disc space

2004-12-29 Thread Adam Aube
Jim_Brouse/[EMAIL PROTECTED] wrote:

> Squid is shutting down and syslog is reporting the following "Dec 29
> 10:04:34 squid1 squid[7873]: WARNING: Disk space over limit: 153268 KB >
> 102400 KB

Squid normally won't shutdown if it is over its configured disk space limit
- it will aggressively remove objects from the cache until it is below its
configured low water mark.

What are the contents of cache.log?

Adam



[squid-users] RE: Hotmail problem

2004-12-24 Thread Adam Aube
Angela Burrell wrote:

> I would consider updating my squid; but the instructions on the Squid FAQ
> site don't make sense to me (run 3 squid servers at once or something,
> then you upgrade one, but with no instructions on how to do it.)

Basically, you just build from source and install over your existing copy
(after making a backup copy, of course).

> Since upgrading would supposedly enable the Hotmail workaround, could
> someone please point me to a *good* tutorial on how to do it (withOUT the
> FAQ, thanks).

The problem here is that an upgrade from Squid 2.4 to Squid 2.5 is more
complicated than an upgrade from one Squid 2.5 release to the other, due to
changes in configuration file parameters.

I would recommend installing Squid 2.5 to a separate folder from your Squid
2.4 install, and run it on a separate port to test until you get it working
how you want. Then change the port in squid.conf, shut down the 2.4
instance, and turn on the 2.5 instance.

> Also, do I need to upgrade any packages in my kernel to do
> that? I have 2.4.18.

No, that kernel will work fine with Squid 2.5.

Adam



[squid-users] Re: User Authentication

2004-12-24 Thread Adam Aube
Mohammad Shoaib Irtaza wrote:

> I have downloaded ip_user and compiled it on my
> RH9 machine. I am running squid2.5.s1
> I have created the configuration files according to
> the readme file provided in the download.
> 
> My entries in squid include
> 
> external_acl_type srcip %SRC %LOGIN /etc/squid/ip_user_check -f
> /usr/etc/example.conf
> acl mynet external srcip 
> http_access allow mynet
> http_access deny all
> 
> my example.conf includes
> 0.0.0.0/0.0.0.0 NONE
> 10.0.0.6 ALL
> 
> when I try accessing any site it gives me with
> 
> ERROR:Cache Access Denied
> 
> Sorry, you are not currently allowed to request:
> 
> http://www.hotmail.com/
> 
> from this cache until you have authenticated yourself.
> 
> I don't know what seems to be the problem. I have gone
> through the configuration files but find nothing.
> Am I missing something? Please help.

Yes - you are not using any authentication, which your external_acl setup
requires (due to its use of %LOGIN).

See the Authentication FAQ for help on setting it up:

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

Adam



[squid-users] Re: Squid and Symantec Web Security

2004-12-23 Thread Adam Aube
Greg Shepherd wrote:

> I attempted the following configuration:
> 
> Clients --> Symantec Web Security --> Squid 2.5STABLE5.
> 
> The SWS server has the capability to forward requests to an upstream proxy
> server (Squid in this case).
> 
> It only fails with a timeout error message from SWS.
> 
> I didn't see any issues with this on the Symantec Support site nor in
> googling except for a single old reference in 2001.

Did you verify that the SWS works going directly to the Internet? Have you
tried contacting Symantec support?

Adam



[squid-users] Re: delay_pools problem [[more info]]

2004-12-23 Thread Adam Aube
kfliong wrote:

> I tried to use delay_pools to control the speed of some users but somehow
> it doesn't work. Particularly delay_access 5. Those users in delay_access
> 5 need to be running at only 1k/s but somehow this speed limit is not
> imposed. Please help.

> Here is my squid.conf for delay_pool :

> #delay_acess 5 for very slow speed
> delay_access 5 allow slow_sites
> delay_access 5 allow slow_user2
> delay_access 5 deny all

> Sorry forgot to add the ACL list :

> acl slow_sites dstdomain .friendster.com uw.netroasia.com
> .rottentomatoes.com
> acl slow_user2 srcdomain jackye marcus

Which ACL is having the problem - slow_sites or slow_user2?

In slow_user2, you are using the srcdomain ACL, but the parameters you give
it don't seem to be correct domain names (compare to the dstdomain ACL).

Also, srcdomain requires a reverse lookup on the client's IP address. Is the
reverse DNS setup correctly for your client IP addresses?

What if you try using a src ACL (IP address) instead of srcdomain?

Adam



[squid-users] Re: denying a specific site to be cached

2004-12-23 Thread Adam Aube
kavos gabor wrote:

> How to deny a specific IP or domain-name to be cached in Squid?

"How can I make Squid NOT cache some servers or URLs?"

http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.8

Adam



[squid-users] Re: delay_pools problem

2004-12-23 Thread Adam Aube
kfliong wrote:

> I tried to use delay_pools to control the speed of some users but somehow
> it doesn't work. Particularly delay_access 5. Those users in delay_access
> 5 need to be running at only 1k/s but somehow this speed limit is not
> imposed. Please help.
> 
> Here is my squid.conf for delay_pool :
> 
> delay_pools 5
> 
> delay_class 1 2
> delay_class 2 2
> delay_class 3 2
> delay_class 4 2
> delay_class 5 1
> 
> delay_access 1 allow local_access
> delay_access 1 deny all
> 
> #delay_access 2 for fast_user and sites
> delay_access 2 allow fast_user
> delay_access 2 allow high_speed !slow_user2
> delay_access 2 allow fast_sites !slow_sites
> delay_access 2 deny all
> 
> #delay_access 3 for mid_speed users
> delay_access 3 allow mid_speed !slow_user2
> delay_access 3 deny all
> 
> #delay_access 4 for low_speed and slow sites
> delay_access 4 allow low_speed !slow_user2
> delay_access 4 deny all
> 
> #delay_acess 5 for very slow speed
> delay_access 5 allow slow_sites
> delay_access 5 allow slow_user2
> delay_access 5 deny all
> 
> delay_parameters 1 -1/-1 -1/-1
> delay_parameters 2 64000/64000 32000/32000
> delay_parameters 3 32000/32000 18000/25000
> delay_parameters 4 8000/8000 3750/3750
> delay_parameters 5 1000/1000

We need more information - specifically, the acls referenced in your
delay_access lines, and under what specific circumstances a client is not
placed in delay pool 5 when it should be.

Adam



[squid-users] Re: Allowing a dial up user?

2004-12-23 Thread Adam Aube
Martin Joseph wrote:

> My problem is that I can't really see how to best "allow" for a
> wandering cell phone user to connect to my proxy?  If I "allow all" it
> works, but I realize this is a security issue, and don't seem to be
> able to figure out the best way to lock out bad guys while allowing the
> cell.

Probably the best method would be using authentication, rather than trying
to match a particular IP address. Since this information is transmitted
over the Internet, I would suggest using digest authentication (which
doesn't transmit the password in the clear).

> I also don't seem to have any authentication working?  I added a user
> to the internal authentication list,  and tried to authenticate,  but
> my stats seem to show that isn't happening?

Take a look at the FAQs for Access Controls and Authentication:

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

If you still have problems, explain exactly what you are trying to do and
what is happening instead, and post your squid.conf (without newlines or
comments).

Adam



[squid-users] Re: ERROR W/FRENCH DESCRIPTION

2004-12-22 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> does somebody speak French out there ? we constantly receive an error
> message that says "L'erreur suivante a ete rencontree
> Reponse de taille nulle
> Squid n'a recu aucune donnee pour cette requete"
> 
> if not, the English translation would look like :
> 
> The following error has been encountered
> Empty answer
> Squid did not receive any data for that request.
> 
> does anybody know what it's all about ?

Try searching for "zero sized reply".

Adam



[squid-users] Re: Re: Can we give different bandwidth to different users in a same group or network ??

2004-12-22 Thread Adam Aube
Amit Khatri wrote:

> But in this case I need to make 2 delay pools for 2 different users
> (which I know). But I want to assign different bandwidth to different
> users in the same delay pool (either aggregate or network). I want to know
> if it is possible with squid ??

No - all you can control is who is assigned to a delay pool. How bandwidth
is divided up within a delay pool is based solely on the type of delay pool
used (class 1 = number of connections; class 2 & 3 = IP address).

Adam



[squid-users] Re: Delay_pools

2004-12-22 Thread Adam Aube
ansari imtiyaz ahmed khadim husain wrote:

> I am having some problem in delay pools.
> 
> I have read the FAQ on the squid-cache site but I could
> not resolve my problem.
> 
> My problem is I want to assign different bandwidth to different people
> in a particular group.
> 
> It is possible to assign the same bandwidth limit to each member of a
> group using CLASS 2 delay pools. But is it possible to assign
> different bandwidth to different members of the same group ?

No. Squid divides bandwidth among those assigned to a delay pool based on
number of connections to the proxy (class 1) or IP address (class 2 or 3).
All you can control is who is and is not assigned to the delay pool.

You will need to use multiple delay pools to accomplish what you want.

Adam



[squid-users] Re: lockup problem

2004-12-21 Thread Adam Aube
Stuart Clark wrote:

> Celeron 2.4, 2 gig ram, redhat 9, squid-2.5.STABLE1-3.9

I would suggest updating to a newer 2.5 STABLE release, though it might not
solve this particular problem.

> My squid server is locking up and needs rebooting every couple of days

> I know why. It's because I ran out of ram for the size of the cache (proven
> with testing).

> I have 2 gig ram and 105gig of cache, 7.3M objects (kinda blows the 1
> gig/100gig ratio outa the water)

That ratio is a rule of thumb - the amount of cache metadata in memory is
actually determined by the number of objects in your cache.

http://www.squid-cache.org/Doc/FAQ/FAQ-8.html#ss8.1

Besides metadata, there's also memory used for caching hot objects
(cache_mem setting), as well as memory used by other programs and the
operating system itself.

It could also be bad memory causing the problem - you can check this using
memtest86+.

> Is there any way of telling that the cache size is getting near the limit
> of the physical memory rather than just believing the 1gigram/100gig cache
> rule (which doesn't work anyway)?

Monitor your memory usage as the cache fills and see at what level the
lockup occurs.

> When it does lockup because of ram limitation what percentage should I
> reduce the cache? I tried reducing the cache by 3 gig and it locked up
> again.

Probably 10 - 15 percent would be a good number.

> I have every squid mrtg graph known to man and I cannot see any
> indications to anticipate a lockup.

Then either you aren't monitoring the right data, or your assumption of the
cause of the lockups is incorrect.

Adam



[squid-users] Re: Delay Pools for Robots

2004-12-21 Thread Adam Aube
Kent, Mr. John (Contractor) wrote:

> Have an image intensive website (satellite weather photos).
> Using Squid as an accelerator.
> 
> Want to slow down robots and spiders while basically not
> affecting human users who access the web pages.
> 
> Would the following delay_pool parameters be correct for this purpose
> or would other values be better?
> 
> delay_pools 1  # 1 delay pools
> delay_class 1 2# pool 1 is a class 2 pool
> delay_parameters 1 -1/-1 32000/64000

This makes no distinction between robots and normal visitors. For that you
can use the browser acl (which matches on the User-Agent string the client
sends), then use different delay pools for the common browsers and robots.

Adam



[squid-users] Re: problem loading hotmail page

2004-12-21 Thread Adam Aube
Tsillas, Demetrios J wrote:

> Problem started appearing 2 days ago.
> 
> Using 2.5.STABLE5.
> 
> Here's the access.log entry:
> 1103634536.673    208 192.168.128.20 TCP_MISS/200 494 GET
> http://by15fd.bay15.hotmail.msn.com/cgi-bin/hmhome? - DIRECT/65.54.184.250
> text/html
> 
> nothing in cache.log
> 
> page doesn't load.

You are not alone - see the list archives for the past couple of days.

Adam



[squid-users] Re: A problem with the cache server and hotmail

2004-12-21 Thread Adam Aube
Luis Duran wrote:

> Lately, some of my users are experiencing problems using their msn
> hotmail account; when they try to go inside hotmail, after
> authentication, they only can see a white page. I didn't believe it
> until I saw it with my own eyes. I know it is a cache problem 'cause I
> have the same results with the same msn accounts with different
> machines, but if I connect directly without using the cache server they can
> reach their mails. Can anyone here bring me some light, please ?

You are definitely not alone - lots of people have been reporting this
problem recently. It seems to only occur using Internet Explorer - with
other browsers Hotmail works fine.

Since Squid doesn't get the occasional random update from the Internet, and
this has only recently been reported, it's probably an update from
Microsoft (via Windows Update) that broke something in IE.

Adam



[squid-users] Re: Dual Channel

2004-12-21 Thread Adam Aube
Ronald wrote:

> One more question. Because Squid is I/O based I'm guessing that there
> would be an improvement in using the dual channel ddr instead of just
> the single channel ddr setup?

Squid is normally disk I/O bound, not memory I/O bound, so dual-channel DDR
won't make a noticeable difference over single-channel.

Adam



[squid-users] Re: Re: Can we give different bandwidth to different users in a same group or network ??

2004-12-20 Thread Adam Aube
Amit Khatri wrote:
> Adam Aube <[EMAIL PROTECTED]> wrote:
>> Amit Khatri wrote:

>>> I am using Squid with Delay Pools.

>>> But I want to assign different bandwidth to different users in a same
>>> group or network.

>> Do you have some acl mechanism (such as username, IP address, etc) to
>> identify these users?

>> If so, then this is possible in Squid - take a look at the delay_access
>> settings in your squid.conf.

> Yes. I have an acl mechanism (i.e. IP address)
> I have already looked at delay_access settings.

> But still I am unable to allot different bandwidth to different users

>  acl c5_76 src 192.168.2.5 192.168.2.76
>  acl c153 src 192.168.2.153

>  delay_access 1 allow c5_76
>  delay_access 2 allow c153

> In the above code I have allotted bandwidth 500/1024 to all individual
> members of group c5_76. But I want to give different bandwidth to both
> individuals.

Split that acl in two and adjust your delay_access rules. Something like:

acl c5 src 192.168.2.5
acl c76 src 192.168.2.76
acl c153 src 192.168.2.153

delay_access 1 allow c5
delay_access 2 allow c76
delay_access 3 allow c153

Adjust the http_access and delay_parameters settings accordingly.

Adam



[squid-users] Re: Can we give different bandwidth to different users in a same group or network ??

2004-12-18 Thread Adam Aube
Amit Khatri wrote:

> I am using Squid with Delay Pools.
> I have read the faq given on squid-cache.org.
> And I have successfully implemented Delay Pools for class 1 & class 2.
> 
> But I want to assign different bandwidth to different users in a same
> group or network.

Do you have some acl mechanism (such as username, IP address, etc) to
identify these users? If so, then this is possible in Squid - take a look
at the delay_access settings in your squid.conf.

Adam



[squid-users] Re: Bandwidth Management

2004-12-17 Thread Adam Aube
Craig Main wrote:

> I have an internet cafe connected on a not so fast leased line (64k).
> 
> I definitely need to use a caching proxy. I currently use squid, and
> it works fine. However if one of the terminals has a 'power surfer',
> they tend to use all of the bandwidth leaving not much for the other
> terminals.
> 
> I have tried Squid's delay pools, but they don't really do what I want.
> What I really need is to split all the bandwidth between the terminals
> that are drawing traffic fairly.

This should work fine using delay pools - what setup did you try?

Adam


