Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?

2014-03-27 Thread Andrew Beverley
On Thu, 2014-03-27 at 10:26 +, Ed W wrote:
> Yes, I'm still really interested to implement this.  I got as far as 
> doing some investigation a few weeks back.

Thanks for looking into it. I'd like to sort it myself, but don't have
the time at the moment. In the meantime, I'll aim to submit a patch to
update the documentation!

Andy




Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?

2014-03-15 Thread Andrew Beverley
On Sat, 2014-03-15 at 21:13 +0530, Amm wrote:
> Ok I read further on that link itself, somewhere it says:
> 
> disable-preserve-miss
>   This option disables the preservation of the TOS or netfilter
>   mark. By default, the existing TOS or netfilter mark value of
>   the response coming from the remote server will be retained
>   and masked with miss-mark.
>   NOTE: in the case of a netfilter mark, the mark must be set on
>   the connection (using the CONNMARK target) not on the packet
>   (MARK target).
> 
> First, it says to use CONNMARK and not MARK. I tried with CONNMARK as 
> well but it did not work.

Yes, you definitely need to use CONNMARK, not MARK.

> Second, it says its for response coming from the remote server.

I used (and created) the patch to get the value from the remote server.
However, I can't remember whether it does it the other way as well (at
the time I thought I'd written the documentation so clearly, but coming
back to it now it's not clear...)

From memory, however, you do need to configure qos_flows to *something*,
to trigger its operation. I think you can simply state "qos_flows mark".

> My question however was to pass on mark from client side to server side. 
> i.e. reverse of what above paragraph says.

As above, it's primarily server to client. Get that working first so you
know everything is in order, and then try it the other way.

Let me know what you find out and I will update the documentation! (I
don't have time to look through the source code right now)

Andy




Re: [squid-users] Squid3.3.10 tcp_outgoing_tos still does work with freeBSD ?

2013-12-27 Thread Andrew Beverley
On Thu, 2013-12-26 at 15:59 +0800, Ge Jin wrote:
> Hi all!
> 
> We want to use tcp_outgoing_tos with freeBSD 10.0-BETA2.

[...]

> So, it's the tcp_outgoing_tos still has bug in freeBSD or I have some
> mistake there ?

Have you tried increasing the logging level? Set it to at least level 3
and see if/what TOS errors/messages you get. There will be a lot of
messages, so look for the following strings:

"fwdConnectStart: got outgoing addr" [will be followed by tos being set]

"Ip::Qos::setSockTos: setsockopt(IP_TOS)" on  [will be shown on error]




Re: [squid-users] Splash page doesn't work on every web browser

2013-08-10 Thread Andrew Beverley
On Sat, 2013-08-10 at 12:24 +0100, Andrew Beverley wrote:
> - I configured Squid as per [1] 
>
> [1] 
> http://www.andybev.com/index.php/Setting_up_a_captive_portal_from_scratch_using_Debian#Configure_Squid

There is also some extra stuff in there to only show the splash page on
a certain day (using another external helper). You can take that out.




Re: [squid-users] Splash page doesn't work on every web browser

2013-08-10 Thread Andrew Beverley
On Thu, 2013-08-08 at 22:53 -0300, Roberto Carna wrote:
> In some cases depending on the Windows platform and web browser type
> and version (Firefox, IE, etc.), the splash page works OK but in other
> cases doesn't at all.
> 
> Is there any way to implement a universal splash page that works for
> all Windows + web browser scenarios ???

I had a similar problem, which I think was being caused by other
software on the computer triggering the splash page (antivirus, updates
etc).

I found the most reliable way was to force the user to "accept" the
splash page before it was removed.

It was a while ago when I did this, but I've just looked back through my
code and in summary:

- I configured Squid as per [1] to show the splash page for a fixed
timeout using an external session helper. Ignore the comments about
recent patches - they are now in the stable Squid release.

- The splash page was created in PHP page with a button that when
"accepted" wrote to the external session helper's database

- Once the session's helper database had recorded the client's details
then it allowed the user access

http://www.google.co.uk";);
  exit;
}

// Your splash HTML here
?>
Click 
">here to continue.


[1] 
http://www.andybev.com/index.php/Setting_up_a_captive_portal_from_scratch_using_Debian#Configure_Squid




Re: [squid-users] "I agree" page

2013-05-19 Thread Andrew Beverley
On Sun, 2013-05-19 at 15:52 +0200, folkert wrote:
> Hi,
> 
> 8 years ago I implemented a program which can be integrated in Squid so
> that users are initially redirect to a page where they have to tick an
> "I agree" check-box and only then they can continue.
> Is this functionally integrated in the current version of Squid? I think
> it would make sense.

The splash page functionality probably does what you want.

If you want the user to actually have to do something to move on (such
as click an "I agree" link), then check out the example in the
documentation entitled "Squid Configuration File - Active Mode":

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Andy




Re: [squid-users] Re: squid qos_flows - copying mark from client side to upstream request?

2013-04-02 Thread Andrew Beverley
On Thu, 2013-03-28 at 22:52 +, Ed W wrote:
[...]
> Users have a choice of gateways to use the internet via (each will have 
> a cost). Their choice of gateway is marked on packets from their 
> machine, we then route through the appropriate gateway based on the 
> connection mark (hence why I need it passed upstream through squid)
>
> Also we mark each connection with a unique per user mark so that 
> iptables can account for the traffic they consume and bill them. 
> Technically this could be done inside squid, but all other traffic is 
> accounted in iptables and there is some hairy calculations needed to 
> bill differently for different gateways, so I don't want to reproduce 
> this in multiple locations

Ah, I see. In which case I can't think of any other way around it.

> Hence I think I need to implement the reverse of the current code?

Yes, you're probably right.

> Now, as for implementation, I don't have the code in front of me, but I 
> think I noticed there is a single code path to open a new upstream 
> connection?

I can't remember the exact details off the top of my head, but there are
various places that deal with the upstream network connection. Some
parts are only run on connection to a new website host, others are run
every time data is sent.

> At present this applies a packet mark based on tcp_outgoing_mark.

Well, there is various ways of applying a mark. tcp_outgoing_mark is
only one of them. You'd probably be better looking at the qos_flows
code, as this specifically transfers the connection mark from the server
side to the client side.

> Is the client connection information available at this point, so that I
> could mark the connection at this point based on the client connection
> mark?

Again, off the top of my head I'm not 100% sure, but I imagine it would
be possible. The key thing is that you can only retrieve the
*connection* mark from the socket, not the *packet* mark, but I don't
think that would be a problem for you.

> However, I think squid uses persistent connections to upstream?

Only if configured to do so, and even then you can still change the mark
on an existing connection.

> (I will always have another proxy as my upstream).  If so then actually
> I need to reset the mark for each request?

I *think* you could just set the mark on the upstream connection for
each request.

> Where would be the correct location to put the marking code in this
> case, ie I guess where the packet is sent to the upstream socket?

I'd need to look into this in slower time.

> (I guess I need to be careful about pipelining also?)

Don't know.

As I said, the above are answers without checking the code (it's been a
couple of years since I've looked at it). I can have a look in due
course, or Amos might be able to chip in ;-)

In the meantime, you might want to look at the original patch for ideas:

http://bazaar.launchpad.net/~squid/squid/3.2/revision/10815

Andy




[squid-users] Re: squid qos_flows - copying mark from client side to upstream request?

2013-03-27 Thread Andrew Beverley
On Wed, 2013-03-27 at 00:13 +, Ed W wrote:
> Hi Andy, Sorry to bug you, but I finally got round to trying the 
> qos_flows feature and I think my understanding is completely back to front?
> 
> What I need is to copy the packet/connection mark from the client 
> request, and apply it to the upstream request.

You're correct (I think - it's been a long time!): the qos_flows feature
copies a mark value from the server side of Squid and puts that on the
connection to the requesting client.

> So for example I mark clients that have passed a captive portal test
> with some mark, I need that mark copying up to requests coming from
> squid so that I know they effectively come from a validated client

As Amos says, this is probably the wrong way to do it. If you want to
see an example of how I did it, then check out this page:

http://andybev.com/index.php/PortalShaper

I use iptables to drop (or redirect) all packets that are received from
clients that have not passed the captive portal.

> Near as I can tell the current qos_flows applies this all backwards, ie 
> it assumes that the upstream has some mark on it, and copies this back 
> to the client response connection?

Yes.

> How tricky would it be to offer this option in both directions? Does 
> anyone else have a use for this kind of feature?

It's probably not overly difficult, but is there really a requirement
for it? I think for what you want to achieve there is a better way to do
it? Happy to discuss/advise further.

Andy




Re: [squid-users] Compiling last 3.3.0.2 or 3.2.8

2013-03-03 Thread Andrew Beverley
On Sun, 2013-03-03 at 14:38 +, Jorge Bastos wrote:
> Howdy,
> 
> When trying to compile latest 3.3.0.2 I have the below information, also 
> tried other versions like 3.2.8 and have the same problem.
> Is this a library that needs to be updated?

I suspect that you are using an out of date and/or wrong version of
Berkeley DB. Any idea what version you are using? Compatibility for
V1.85 was removed a while ago (see commit 11806), but any version from
the last few years should work.

Andy




Re: [squid-users] Error using tcp_outgoing_mark

2013-03-01 Thread Andrew Beverley
On Fri, 2013-03-01 at 18:38 +0700, Azma Yogi wrote:
> >>> Hi.. the new squid 3.3 has a new feature called tcp_outgoing_mark. i
> >>> tried this feature but not works. cache.log said this "ERROR:
> >>> 'tcp_outgoing_mark' requires Packet MARK (Linux)". anybody could help me 
> >>> explain what this
> >>> error means?
> >>
> >>
> >> It means the directive requires Linux with the packet MARK functionality.
> >> That functionality is currently provided by libnetfilter-conntrack library
> >> on Linux.
> 
> I have checked it. The libnetfilter-conntrack library is installed on
> my Ubuntu. Trying to use tcp_outgoing_mark and squid -k reconfigure,
> cache.log still notices ERROR: 'tcp_outgoing_mark' requires Packet
> MARK (Linux).

Please don't top-post.

You'll need the conntrack dev libraries, probably
libnetfilter-conntrack-dev on Ubuntu. Make sure you've also got the
LIBCAP dev libraries (libcap-dev).

Andy






Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-04 Thread Andrew Beverley
On Fri, 2013-01-04 at 10:05 +0200, John Hay wrote:
> On Fri, Jan 04, 2013 at 07:36:35AM +0000, Andrew Beverley wrote:
> > On Fri, 2013-01-04 at 06:31 +0200, John Hay wrote:
> > > Looking at a linux man page:
> > > 
> > > http://linux.die.net/man/2/setsockopt
> > > 
> > > I see the same kind of text:
> > > 
> > > Most socket-level options utilize an int argument for optval. For
> > > setsockopt(), the argument should be nonzero to enable a boolean option,
> > > or zero if the option is to be disabled. 
> > 
> > Ah, interesting, I have to admit that I didn't read the Linux man page.
> > 
> > > So maybe it is just luck that the current code does work and all of them
> > > actually expects it in an int. :-)
> > 
> > That said, when I was searching the BSD options, I did read somewhere
> > that Linux started accepting a char value after a certain kernel
> > version.
> > 
> > >  I think it started because of hysterical raisins, from the days before
> > > function prototypes, but even the examples in recentish rfcs (3493 and
> > > 3542) that describe IPv6 usage, use an int in all their examples that
> > > will fit in an int. Also a plain int is used and not a int32, probably
> > > because a native int is assumed to be the most efficient size.
> > 
> > Interesting - maybe I should have kept it as an int all along :)
> 
> Rereading my own paragraph, maybe an extra comment. What I meant with most
> efficient size, was going through the setsockopt call. If you want to store
> many of these in an array, a char will be the most space efficient, but
> going through the setsockopt() call, a char will not give you any advantage,
> if you look at how processors do register and stack operations.

Good point - I see what you're saying.

Amos - given the (probably) small quantity of TOS configuration values,
do you think it's worth changing tos_t back to an int for all operating
systems, as it was in v3.1? This reduces the complexity of having
different types for different operating systems, saves the overhead of
initiating a new value for *BSD each time its used, and as John says it
probably doesn't come at much (if any) of a price in terms of memory
usage.

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-03 Thread Andrew Beverley
On Fri, 2013-01-04 at 06:31 +0200, John Hay wrote:
> Looking at a linux man page:
> 
> http://linux.die.net/man/2/setsockopt
> 
> I see the same kind of text:
> 
> Most socket-level options utilize an int argument for optval. For
> setsockopt(), the argument should be nonzero to enable a boolean option,
> or zero if the option is to be disabled. 

Ah, interesting, I have to admit that I didn't read the Linux man page.

> So maybe it is just luck that the current code does work and all of them
> actually expects it in an int. :-)

That said, when I was searching the BSD options, I did read somewhere
that Linux started accepting a char value after a certain kernel
version.

>  I think it started because of hysterical raisins, from the days before
> function prototypes, but even the examples in recentish rfcs (3493 and
> 3542) that describe IPv6 usage, use an int in all their examples that
> will fit in an int. Also a plain int is used and not a int32, probably
> because a native int is assumed to be the most efficient size.

Interesting - maybe I should have kept it as an int all along :)

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-03 Thread Andrew Beverley
On Thu, 2013-01-03 at 08:13 +0200, John Hay wrote:
> > Again, no official documentation found, but I found other bug reports in
> > software packages for a variety of BSD operating systems, so I think it
> > should apply to any BSD derivative (including OSX).
> 
> Doing a google of "setsockopt freebsd" and "setsockopt netbsd" point
> directly to their man pages

Yeah, thanks, I had already RTFM ;-)

I expected something specific for IP_TOS though, given that it's always
exactly an 8 bit value.

> Most socket-level options utilize an int argument for optval. For
> setsockopt(), the argument should be non-zero to enable a boolean option,
> or zero if the option is to be disabled.  SO_LINGER uses a struct linger
> argument, defined in , which specifies the desired state of
> the option and the linger interval (see below).  SO_SNDTIMEO and
> SO_RCVTIMEO use a struct timeval argument, defined in .

But you're right: "most options utilise an int" should probably be
interpreted as "all options utilise an int unless otherwise specified".

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-02 Thread Andrew Beverley
On Wed, 2013-01-02 at 13:15 +1300, Amos Jeffries wrote:
> On 2/01/2013 4:24 a.m., Andrew Beverley wrote:
> > On Tue, 2013-01-01 at 15:15 +0000, Andrew Beverley wrote:
> >> Therefore, could you please try the following (untested) patch?
> > Ah, Amos, I've just re-read the bug report and seen that you have closed
> > it with a FreeBSD workaround. I couldn't see your commit, but from what
> > I have read it looks like FreeBSD definitely expects a TOS value as an
> > int, so that should be the correct solution.
> 
> I patched the function internally to store the 8-bit tos_t parameter 
> into a local int before sending to setsockopt() on FreeBSD. That way we 
> still save on 3 bytes in all the Squid objects using it.
> 
> PS. I would still like to know if the problem occurs on other BSD 
> variants to extend the patch #if condition for them.

Again, no official documentation found, but I found other bug reports in
software packages for a variety of BSD operating systems, so I think it
should apply to any BSD derivative (including OSX).




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-01 Thread Andrew Beverley
On Tue, 2013-01-01 at 15:15 +, Andrew Beverley wrote:
> Therefore, could you please try the following (untested) patch?

Ah, Amos, I've just re-read the bug report and seen that you have closed
it with a FreeBSD workaround. I couldn't see your commit, but from what
I have read it looks like FreeBSD definitely expects a TOS value as an
int, so that should be the correct solution.

Andy






Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2013-01-01 Thread Andrew Beverley
On Mon, 2012-12-31 at 11:27 -0800, Nick Rogers wrote:
> On Fri, Dec 28, 2012 at 6:59 PM, Amos Jeffries  wrote:
> > On 29/12/2012 3:49 p.m., Andrew Beverley wrote:
> >>
> >> On Fri, 2012-12-28 at 18:13 -0800, Nick Rogers wrote:
> >>>
> >>> I was able to come up with a patch that works in my environment by
> >>> looking at some of the changes between 3.1 and 3.2. It seems that
> >>> sizeof(tos_t) does not result in a valid setsockopt() argument,
> >>> whereas sizeof(int) that was used in  3.1.x does.
> >>
> >> Thanks for that. I vaguely remember making that change when creating the
> >> v3.2 patch set, probably for no reason other than tidying up the code.
> >> I'll have a closer look in the next couple of weeks, unless anyone else
> >> does before then.
> >
> > This is a bit of a strange error. Since the tos_t type is an 8-bit char.
> > Passing in a larger size than the object being passed means some garbage off
> > the stack will be passed to the setsockopt() internals.
>
> FWIW I've created a bug report.
> 
> http://bugs.squid-cache.org/show_bug.cgi?id=3731
> 
> So far the patch I mentioned has worked beautifully on my production machines.

Thanks for filing the bug report. The problem appears to be that FreeBSD
expects a TOS value as an integer, not a char. I can't find any official
documentation stating this, but I've found a couple of similar bug
reports in other software.

Therefore, could you please try the following (untested) patch? This
keeps it as a char for all other operating systems, but changes tos_t to
an integer for FreeBSD. Defining the type for all the code will
initialise the variable properly and stop garbage being passed in.

diff -rupN squid-3.2.5-20130101-r11743/src/typedefs.h 
squid-3.2.5-20130101-r11743-tos/src/typedefs.h
--- squid-3.2.5-20130101-r11743/src/typedefs.h  2013-01-01 05:54:59.0 
+
+++ squid-3.2.5-20130101-r11743-tos/src/typedefs.h  2013-01-01 
15:09:04.501850487 +
@@ -40,7 +40,12 @@ typedef int32_t sfileno;
 typedef signed int sdirno;
 
 typedef uint32_t nfmark_t;
-typedef unsigned char tos_t;
+/* FreeBSD requires TOS values as an integer */
+#if defined(_SQUID_FREEBSD_)
+typedef unsigned int tos_t;
+#else
+typedef unsigned char tos_t;
+#endif
 
 typedef struct {
 size_t bytes;

Andy
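The int-versus-char question in this message and in the 2013-01-04 follow-up (tos_t width, garbage read off the stack when optlen exceeds the object) is easiest to see in a small C program. The following is an added example, not Squid's code: my_tos_t is a hypothetical stand-in for Squid's tos_t, the copy into an int-sized local is the pattern Amos describes, and the round trip uses an unconnected TCP socket so no network is needed. It assumes a Linux kernel, where the two ECN bits of a stream socket's TOS are not settable through IP_TOS (the "multiples of 4" point made elsewhere in this list).

```c
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for Squid's 8-bit tos_t (an assumption of this
 * example, not the project's header). One byte wide, like the pre-patch
 * typedef in the diff above. */
typedef unsigned char my_tos_t;

/* The defect discussed in the thread is passing &tos (one byte) with
 * optlen == sizeof(int): the kernel then reads three bytes past the
 * variable and FreeBSD rejects the result. The safe pattern is to copy
 * the 8-bit value into an int-sized local and pass a matching length,
 * so optval and optlen agree on every OS without changing the typedef. */
int set_sock_tos(int fd, my_tos_t tos)
{
    int tosval = tos;
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &tosval, sizeof(tosval));
}

/* Read the TOS back from the socket; returns the value or -1 on error. */
int get_sock_tos(int fd)
{
    int tosval = 0;
    socklen_t len = sizeof(tosval);
    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &tosval, &len) != 0)
        return -1;
    return tosval;
}

/* Set and re-read a TOS on a fresh, unconnected TCP socket.
 * Returns what the kernel reports, or -1 if any call fails. */
int tos_roundtrip(my_tos_t tos)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int got = -1;
    if (set_sock_tos(fd, tos) == 0)
        got = get_sock_tos(fd);
    close(fd);
    return got;
}

/* Bits of a configured TOS that can actually be carried: the two low
 * bits are ECN (RFC 3168), which is why the documentation recommends
 * multiples of 4 and why 0xFF is not a clean test value. */
int usable_tos_bits(my_tos_t tos)
{
    return tos & 0xFC;
}

int main(void)
{
    my_tos_t want = 0x0C;   /* the tcp_outgoing_tos value from the thread */
    int got = tos_roundtrip(want);
    if (got < 0)
        perror("setsockopt/getsockopt");
    else
        printf("requested 0x%02x, kernel reports 0x%02x\n", want, got);
    printf("0xFF reduces to settable bits 0x%02x\n", usable_tos_bits(0xFF));
    return got == (int)want ? 0 : 1;
}
```

Running it with the debug string from the thread in mind: if set_sock_tos() fails you get the same "(22) Invalid argument" errno that the Squid 3.2 log showed, and a mismatch between the requested and reported values points at bits the kernel refuses to store rather than at the setsockopt() call itself.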




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2012-12-28 Thread Andrew Beverley
On Fri, 2012-12-28 at 18:13 -0800, Nick Rogers wrote:
> I was able to come up with a patch that works in my environment by
> looking at some of the changes between 3.1 and 3.2. It seems that
> sizeof(tos_t) does not result in a valid setsockopt() argument,
> whereas sizeof(int) that was used in  3.1.x does.

Thanks for that. I vaguely remember making that change when creating the
v3.2 patch set, probably for no reason other than tidying up the code.
I'll have a closer look in the next couple of weeks, unless anyone else
does before then.

> Also FWIW the Ip::Qos::setSockNfmark() function that is below this and
> similar to the TOS code might have the same problem?

That function is only applicable on Linux and definitely works as I use
it regularly :)

> Hoping someone that can do something about it reads this. Thanks!

Thank you.

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2012-11-13 Thread Andrew Beverley
On Tue, 2012-11-13 at 14:46 +0200, Pavel Bychykhin wrote:
> I tried in VirtualBox without the jail. Nothing changed.
> My system is FreeBSD 8.2. Maybe on Linux all is OK.

Maybe, but it would be strange if it became broken in 3.2, as although
the QOS code changed a lot, the actual code to set the TOS hasn't
changed (I don't think).

Anyway, I'll try on Linux in the next few days and let you know.

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2012-11-12 Thread Andrew Beverley
On Sat, 2012-11-10 at 19:37 +0200, Pavel Bychykhin wrote:
> I tried 0x10, 0x14, 0x3C, 0x80, 0x84. Result is the same for Squid 3.2 - not 
> working.

I'll test it myself when I get a moment (on Linux), but it might not be
until next week.

> For Squid 3.1 all values works fine.

There were a lot of changes to the QOS code in version 3.2, so it is
possible that something was broken.

> When I said about the jail, I meant that both versions run in a jail.

Can you try it without the jail anyway?

Andy




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2012-11-10 Thread Andrew Beverley
On Sat, 2012-11-10 at 15:30 +0200, Pavel Bychykhin wrote:
> Fragment from log of Squid 3.2:
> 2012/11/10 14:31:08.157 kid1| fwdConnectStart: got outgoing addr 0.0.0.0, tos 
> 12
> 2012/11/10 14:31:08.157 kid1| The AsyncCall fwdConnectDoneWrapper 
> constructed, this=0x28fbb340 [call982]
> 2012/11/10 14:31:08.157 kid1| peer_select.cc(87) peerSelectStateFree: 
> http://www.myip.ru/ru-RU/index.php
> 2012/11/10 14:31:08.157 kid1| StoreEntry::unlock: key 
> '2B27CF0FA399E53F4D6BDA4269A33291' count=2
> 2012/11/10 14:31:08.157 kid1| comm_openex: Attempt open socket for: 0.0.0.0
> 2012/11/10 14:31:08.157 kid1| comm_openex: Opened socket local=0.0.0.0 
> remote=[::] FD 12 flags=1 : family=2, type=1, protocol=6
> 2012/11/10 14:31:08.158 kid1| Ip::Qos::setSockTos: setsockopt(IP_TOS) on 
> local=0.0.0.0 remote=[::] FD 12 flags=1: (22) Invalid argument

Hmmm, not sure. Can you try some different TOS values and see if that
makes any difference? Certainly with Linux, some values cannot be set,
although why that would change between Squid versions I do not know.

> Fragment from log of Squid 3.1:
[...]
> This instance of Squid is running in jail. May be it's a key to
> problem?

I wouldn't have thought it would make any difference, but can you try
the other one in a jail?




Re: [squid-users] tcp_outgoing_tos doesn't work in 3.2?

2012-11-09 Thread Andrew Beverley
On Fri, 2012-11-09 at 14:18 +0200, Pavel Bychykhin wrote:
> Hi All!
> 
> Recently I tried to upgrade my Squid 3.1.21 to 3.2.3.
> Everything works fine, but tcp_outgoing_tos no longer affects outgoing 
> packets.
> Here is a fragment from my config:
> 
> acl rfc1579 dst 192.168.0.0/16
> acl rfc1579 dst 10.0.0.0/8
> acl rfc1579 dst 172.16.0.0/12
> tcp_outgoing_tos 0xC !rfc1579
> 
> Rollback to old version solves the problem.
> My system is FreeBSD 8.2. Squid installed from ports (squid-3.2.3_1).

Can you set your debug to level 3 and see if/what TOS errors/messages
you get? There will be a lot of messages, so look for the following
strings:

"fwdConnectStart: got outgoing addr" [will be followed by tos being set]

"Ip::Qos::setSockTos: setsockopt(IP_TOS)" on  [will be shown on error]

Andy




Re: [squid-users] problems configuring squid with zph (packet marking)

2012-08-30 Thread Andrew Beverley
On Thu, 2012-08-30 at 05:01 -0700, Mustafa Raji wrote:
> i will try to use the 3.2, kindly would you tell me the linux os you
> used (most used linux distribution with 3.2)

[ Please don't top-post ]

I use Debian and compile v3.2 myself. I am not aware of any Linux
distribution shipping v3.2. Someone else may be able to advise. 




Re: [squid-users] problems configuring squid with zph (packet marking)

2012-08-30 Thread Andrew Beverley
On Thu, 2012-08-30 at 00:14 -0700, Mustafa Raji wrote:
> Hi, I have a problem with zph configuration in squid 3.1.11. In the squid
> wiki I find the zph configuration directive is qos_flows and I want to
> mark the local-hit packets to route these packets locally.
> 
> the configuration in squid.conf file is 
> 
> acl localnet 10.10.10.0/24
> tcp_outgoing_tos 0xFF localnet

I think you want clientside_tos if you want to affect packets going to
the local client. tcp_outgoing_tos is for packets going to the remote
server.

> qos_flows local-hit=0xFF
> 
> Applying these configuration directives and dumping the packets using
> tcpdump shows that this configuration does not work for me. Some
> output of tcpdump: 

From http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/
"Often only multiples of 4 is usable as the two rightmost bits have been
redefined for use by ECN (RFC 3168 section 23.1)"

> I am using squid 3.1.11 with --enable-zph-qos, squid works in the
> intercept mode and the OS is Debian squeeze.

You may want to consider upgrading to the 3.2 branch (although I
appreciate that this is not a Debian stable package). A lot of
improvements have been made to the qos_flows code, and there is also the
option to use netfilter marks which you may find more flexible.

Andy




Re: [squid-users] DSCP mark not working

2012-07-09 Thread Andrew Beverley
On Mon, 2012-07-09 at 18:22 +0530, Ben wrote:
> We have been running squid for a long time and it is working fine. Nowadays, we 
> have migrated squid for RHEL 6 to use the qos_flow DSCP marking parameter.
> 
> For testing purposes at the lab, we deployed two squid boxes, one with the rhel rpm ( 
> Version 3.1.19 ) and the second box with a squid source compilation ( 
> Version 3.1.20 ).

You might want to consider the v3.2 tree, in which the QOS marking
features were updated.

Andy




Re: [squid-users] Transparent Proxy / Authentication / Landing Page

2012-06-26 Thread Andrew Beverley
On Tue, 2012-06-26 at 17:30 +1200, Amos Jeffries wrote:
> > Has anyone any idea how to actually Implement that in a system ?
> 
> Search for information on "Captive Portal".

You might like to check out my tutorial on how to do it with iptables.
There are various "out of the box" software packages available, but
doing it with iptables will give you full flexibility. You'd have to do
your own integration with LDAP though.

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal





Re: [squid-users] question about setting TOS for specific media types

2012-04-26 Thread Andrew Beverley
On Wed, 2012-04-25 at 00:11 -0400, Brian R. Landy wrote:
> Well, I was not using the correct field.

But it's still not working?

> I had also tried using something simple, like "clientside_tos 0xb8 all" 
> (which under 3.0 definitely tagged all traffic) and it did nothing under 
> 3.2.0.17.

I assume that you're definitely checking packets from squid to the
*client* that made the original file request?

> Sorry, I 'm not familiar with netfilter and what the proper hex value 
> would be.

Any value will work, and it's easy to see if a packet's been marked just
by using a -j LOG rule. As an aside, depending on what you are trying to
do, netfilter marks are a much more flexible solution.

Anyway, to further debug this, can you please wind the debug level up to
3 or greater. If setting the TOS is failing then you will see something
like:

Ip::Qos::setSockTos: setsockopt(IP_TOS) on ...

If you don't see that, then search for the string
"tos" (case-insensitive) in the logs and see if you can see any other
TOS related messages.

Failing any of that, I'll write a patch in order to debug further.

Andy




Re: [squid-users] question about setting TOS for specific media types

2012-04-24 Thread Andrew Beverley
> >> Hi, I’m very sorry it took so long for me to test this and reply;
> >> unfortunately, under 3.2.0.16 and 3.2.0.17 I still don’t see
> >> clientside_tos ever marking packets.  My clientside_tos configuration
> >> has been working perfectly with 3.0.STABLE26 for the last month.
> > 
> > Can you post the relevant parts of squid.conf please?
>
> Sure, this is what I’m using:
> 
>   acl d_neulion url_regex -i neulion[.](com|net).*[.]ts$
>   clientside_tos 0x46 d_neulion

I'm afraid that I don't have a Squid installation handy to try this on.
Can you try a much simpler regex (or another rule) to see if you get any
success with that?

Also, can you try with value 0xFF? Some bits cannot be set on the TOS (I
forget which) so that will ensure that you are not trying to set those
bits.

Finally, maybe you can try the netfilter "mark" parameter, and see if
that works with the same configuration.

Andy




Re: [squid-users] question about setting TOS for specific media types

2012-04-22 Thread Andrew Beverley
On Sun, 2012-04-22 at 21:30 -0400, Brian Landy wrote:
> >> Hi, I applied the patch but it doesn’t seem to be working.
> > 
> > Depending on your requirement, you could always try the 3.2 branch. A
> > lot of the TOS code was rewritten in that version as part of the
> > implementation of the netfilter mark feature.

[ Top posting fixed ]

>  Hi, I’m very sorry it took so long for me to test this and reply;
>  unfortunately, under 3.2.0.16 and 3.2.0.17 I still don’t see
>  clientside_tos ever marking packets.  My clientside_tos configuration
>  has been working perfectly with 3.0.STABLE26 for the last month.

Can you post the relevant parts of squid.conf please?

Andy




Re: [squid-users] proxy with authorization webpage?

2012-04-16 Thread Andrew Beverley
On Mon, 2012-04-16 at 16:24 +0100, Marilo wrote:
> I know one can set up an HTTP Proxy that requests authorization, and
> the browser prompts for a username and password. Only when it's right,
> can they then use the proxy, access the internet.

If you want to prevent/allow people access to all internet services (not
just web) then you can't do this with Squid. 

If that's what you want, then you need a captive portal. There are
various software solutions for this, or you can spin your own using
iptables:

http://andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Andy




Re: [squid-users] bash/mysql script not working

2012-04-02 Thread Andrew Beverley
On Mon, 2012-04-02 at 14:28 -0400, Osmany Goderich wrote:
> Please have a look at this bash/mysql external helper. Can anyone tell me
> why is it not working?
...
> is there anyway I can test this directly on the server's shell
> 

Yes, just run it on the shell as you would any other script, and input
the expected values (as specified in squid.conf) followed by a carriage
return. The script should return OK or ERR as appropriate.

Andy




Re: [squid-users] question about setting TOS for specific media types

2012-03-26 Thread Andrew Beverley
[ Some stuff about TOS packet tagging ]
> Hi, I applied the patch but it doesn’t seem to be working.

Depending on your requirement, you could always try the 3.2 branch. A
lot of the TOS code was rewritten in that version as part of the
implementation of the netfilter mark feature.

Andy




Re: [squid-users] session helper issue

2012-02-26 Thread Andrew Beverley
> >> >>>  I configured my splash as described here:
> >> >>> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash. I have
> >> >>> chosen the second example (Active Mode) and adapted it to my squid 3.0
> >> >>> version (there is a squid_session helper instead of ext_session_acl). So
> >> >>> when I go to the matched URL the session is not starting. Only after I go to
> >> >>> the matched URL and do squid -k reconfigure does everything go well.
> >> >>>
> >> >>> Is there any method to renew squid automatically?

[...]

> Here is my config for session helper:
> 
> 
> # Set up the session helper in active mode. Mind the wrap - this is one line:
> external_acl_type session concurrency=100 ttl=3 %SRC
> /usr/lib/squid/ext_session_acl -a -T 10800 -b
> /usr/lib/squid/session.db

I think this may be the problem. You are logging the sessions to the
file session.db here (which will use the old session code without
synchronisation between threads)...

> 
> # Pass the LOGIN command to the session helper with this ACL
> acl session_login external session LOGIN
> 
> # Set up the normal session helper. Mind the wrap - this is one line:
> external_acl_type session_active_def concurrency=100 ttl=3 %SRC
> /usr/lib/squid/ext_session_acl -a -T 10800 -b
> /usr/lib/squid/sessions/

...But you use the directory /sessions/ here.

Try changing the first one to /usr/lib/squid/sessions/

Granted this is as per the example, which is probably also wrong. Give
it a go, and if it works, I'll correct the example on the wiki.

Andy




Re: [squid-users] session helper issue

2012-02-26 Thread Andrew Beverley
On Sun, 2012-02-26 at 15:49 +0400, Vyacheslav Maliev wrote:
> 2012/2/24 Amos Jeffries :
> > On 24/02/2012 11:26 a.m., Andrew Beverley wrote:
> >>
> >> On Fri, 2012-02-24 at 02:06 +0400, Vyacheslav Maliev wrote:
> >>>
> >>> Hi!
> >>>  I configured my splash as described here:
> >>> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash. I have
> >>> chosen the second example (Active Mode) and adapted it to my squid 3.0
> >>> version (there is a squid_session helper instead of ext_session_acl). So
> >>> when I go to the matched URL the session is not starting. Only after I go to
> >>> the matched URL and do squid -k reconfigure does everything go well.
> >>>
> >>> Is there any method to renew squid automatically?
> >>
> >> You are possibly experiencing a bug with the session helper that means
> >> it does not synchronise correctly between squid workers. The patch
> >> discussed in the following thread fixes that.

[ Top posting fixed ]

> I have tried to build squid 3.2 with the patch already in a separate dir and
> copied ext_session_acl into my squid 3.1 installation to use it
> instead of squid_session. Results were the same as with the old
> configuration. Nothing changed.

Please post all the configuration directives for the session helper that
you are currently using.

Andy




Re: [squid-users] session helper issue

2012-02-23 Thread Andrew Beverley
On Fri, 2012-02-24 at 02:06 +0400, Vyacheslav Maliev wrote:
> Hi!
>  I configured my splash as described here:
> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash. I have
> chosen the second example (Active Mode) and adapted it to my squid 3.0
> version (there is a squid_session helper instead of ext_session_acl). So
> when I go to the matched URL the session is not starting. Only after I go to
> the matched URL and do squid -k reconfigure does everything go well.
> 
> Is there any method to renew squid automatically?

You are possibly experiencing a bug with the session helper that means
it does not synchronise correctly between squid workers. The patch
discussed in the following thread fixes that. Regardless of whether this
is your problem, you should really use a version that includes the patch
anyway, but I'm not sure if it was back-ported to any 3.0 versions.

http://www.squid-cache.org/mail-archive/squid-dev/201110/0087.html

Andy




Re: [squid-users] Help-me recompile squid

2012-02-11 Thread Andrew Beverley
On Sat, 2012-02-11 at 11:36 -0200, João Paulo Ferreira wrote:
> Does anyone know how I recompile my squid, which was installed with the
> yum tool (centos)?

I've never used yum, but you should be able to recompile by downloading
the packaged sources. The following page will probably help:

http://wiki.centos.org/HowTos/RebuildSRPM

Andy




Re: [squid-users] poor mans load balancing

2012-02-07 Thread Andrew Beverley
On Tue, 2012-02-07 at 17:37 +0100, Carsten Ralle wrote:
> Is there a configuration (preferably without ICP) to transparently use
> all three lines in parallel for a connection (e.g. HTTP/FTP-download or
> data streaming) ?

How about multipath TCP? Assuming that you control both ends of your WAN
links, which I think you do from the diagram.

I've never tried it myself, but I saw a talk about it at FOSDEM, and it
looked promising.

It's not in the stable kernel yet, but the guys are keen for people to
try it out.

http://nrg.cs.ucl.ac.uk/mptcp/

Andy




RE: [squid-users] UNSUBSCRIBE!!!!

2012-01-24 Thread Andrew Beverley
On Tue, 2012-01-24 at 09:50 -0500, Alona Rossen wrote:
> How can I unsubscribe from this mailing list?

http://lmgtfy.com/?q=squid+users+unsubscribe

Third in the list.




RE: [squid-users] squid 3.2 helpers/external_acl/session compile problem

2011-12-21 Thread Andrew Beverley
On Wed, 2011-12-21 at 11:52 +0200, yusuf özbilgin wrote:
> > Can you try putting the line back to "#include " and then remove
> > the "#if HAVE_DB_H" and "#endif" lines. Try recompiling, and see what
> > error message you then get.
>
> Same error.
> 
> When I remove the line 
> 
> #include 
> 
> The error is different:
> 



1. Please don't top post. See the last part of
http://www.freebsd.org/doc/en/articles/mailing-list-faq/etiquette.html
as to why.

2. Are you sure you are *compiling* with DB version 4.8? Could it be
picking up an old version from somewhere? The functions you are getting
errors on were introduced a lot earlier than V4.8.

Andy




RE: [squid-users] squid 3.2 helpers/external_acl/session compile problem

2011-12-21 Thread Andrew Beverley
On Wed, 2011-12-21 at 10:54 +0200, yusuf özbilgin wrote:
> > On Tue, 2011-12-20 at 20:18 +0200, yusuf özbilgin wrote:
> > > Hi,
> > > 
> > > I am getting an error when compiling helpers/external_acl/session on freebsd 
> > > 7.4.
> > > Error details are below.
> > > 
> > > What can be the problem?
> > > 
> > > Thanks,
> > > Yusuf
> > > 
> > > 
> > > squid version is squid-3.2.0.14-20111219-r11470
> > > berkeley db version is 4.8
> > > 
> > > 
> > > $make
> > > 
> > > /usr/local/bin/bash ../../../libtool --tag=CXX --mode=link c++ -Wall 
> > > -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -pipe 
> > > -I/usr/local/include -g -I/usr/local/include -rpath=/usr/local/lib 
> > > -L/usr/local/lib -L/usr/local/lib -Wl,-R/usr/local/lib -o ext_session_acl 
> > > ext_session_acl.o -L../../../compat
> > > libtool: link: c++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments 
> > > -Werror -pipe -pipe -I/usr/local/include -g -I/usr/local/include 
> > > -rpath=/usr/local/lib -Wl,-R/usr/local/lib -o ext_session_acl 
> > > ext_session_acl.o -L/usr/local/lib 
> > > -L/home/user1/squid/squid-3.2.0.14-20111219-r11470/compat
> > > ext_session_acl.o(.text+0x3ff): In function `init_db':
> > > /home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:68:
> > >  undefined reference to `db_env_create'
> > > ext_session_acl.o(.text+0x4a6):/home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:74:
> > >  undefined reference to `db_create'
> > > ext_session_acl.o(.text+0x57c):/home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:87:
> > >  undefined reference to `db_create'
> > > *** Error code 1
> > > Stop in 
> > > /home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session.
> > 
> > Looks like it hasn't found your db.inc. Try a "grep HAVE_DB_H
> > config.log" in the source tree. You should see something like "HAVE_DB_H
> > 1". If not, then it's not found db.h, hence the compilation errors
> > above.



> Yes there is a line #define HAVE_DB_H 1.
>  
> and also I tried to compile after changing the code like below.
> But same problem.
>  
> ext_session_acl.cc
>  
> #if HAVE_DB_H
> #include "/usr/local/include/db48/db.h"
> #endif

Can you try putting the line back to "#include " and then remove
the "#if HAVE_DB_H" and "#endif" lines. Try recompiling, and see what
error message you then get.

Andy




Re: [squid-users] Squid3 don't run any external acl

2011-12-20 Thread Andrew Beverley
On Tue, 2011-12-20 at 15:49 -0200, Igor NM wrote:
> Hi all!
> 
> My squid cannot run any “external acl” script or soft…
> I want to restrict web access by Windows AD group..
> 
> I tested with other helpers, software and scripts in this location and other
> locations (ex. /tmp, /, /etc/squid3) and I got the same error in cache.log
> 
> I use Ubuntu 64 11.10 and Squid 3.1.14
> 
> Ps.: The linux was integrated with Win AD 2008 R2
> 
> 2011/12/20 15:22:49| Starting Squid Cache version 3.1.14 for
> x86_64-pc-linux-gnu...
> 2011/12/20 15:22:49| Process ID 2503
> 2011/12/20 15:22:49| With 65535 file descriptors available
> 2011/12/20 15:22:49| Initializing IP Cache...
> 2011/12/20 15:22:49| DNS Socket created at [::], FD 7
> 2011/12/20 15:22:49| DNS Socket created at 0.0.0.0, FD 8
> 2011/12/20 15:22:49| Adding domain 4Talk.com.br from /etc/resolv.conf
> 2011/12/20 15:22:49| Adding domain 4Talk.com.br from /etc/resolv.conf
> 2011/12/20 15:22:49| Adding nameserver 192.168.1.6 from /etc/resolv.conf
> 2011/12/20 15:22:49| helperOpenServers: Starting 5/5 'wbinfo_group.pl'
> processes
> 2011/12/20 15:22:49| commBind: Cannot bind socket FD 9 to [::1]: (99) Cannot
> assign requested address
> 2011/12/20 15:22:49| commBind: Cannot bind socket FD 10 to [::1]: (99)
> Cannot assign requested address
> 2011/12/20 15:22:49| ipcCreate: Failed to create child FD.
> 2011/12/20 15:22:49| WARNING: Cannot run '/usr/lib/squid3/wbinfo_group.pl'
> process.

What are the permissions on /usr/lib/squid3/wbinfo_group.pl? Is it
executable by the squid user? Does it even exist?

Andy




Re: [squid-users] squid 3.2 helpers/external_acl/session compile problem

2011-12-20 Thread Andrew Beverley
On Tue, 2011-12-20 at 20:18 +0200, yusuf özbilgin wrote:
> Hi,
>  
> I am getting an error when compiling helpers/external_acl/session on freebsd 7.4.
> Error details are below.
>  
> What can be the problem?
>  
> Thanks,
> Yusuf
>  
> 
> squid version is squid-3.2.0.14-20111219-r11470
> berkeley db version is 4.8
>  
> 
> $make
>  
> /usr/local/bin/bash ../../../libtool --tag=CXX --mode=link c++ -Wall 
> -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -pipe 
> -I/usr/local/include -g -I/usr/local/include -rpath=/usr/local/lib 
> -L/usr/local/lib -L/usr/local/lib -Wl,-R/usr/local/lib -o ext_session_acl 
> ext_session_acl.o -L../../../compat
> libtool: link: c++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror 
> -pipe -pipe -I/usr/local/include -g -I/usr/local/include 
> -rpath=/usr/local/lib -Wl,-R/usr/local/lib -o ext_session_acl 
> ext_session_acl.o -L/usr/local/lib 
> -L/home/user1/squid/squid-3.2.0.14-20111219-r11470/compat
> ext_session_acl.o(.text+0x3ff): In function `init_db':
> /home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:68:
>  undefined reference to `db_env_create'
> ext_session_acl.o(.text+0x4a6):/home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:74:
>  undefined reference to `db_create'
> ext_session_acl.o(.text+0x57c):/home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session/ext_session_acl.cc:87:
>  undefined reference to `db_create'
> *** Error code 1
> Stop in 
> /home/user1/squid/squid-3.2.0.14-20111219-r11470/helpers/external_acl/session.

Looks like it hasn't found your db.inc. Try a "grep HAVE_DB_H
config.log" in the source tree. You should see something like "HAVE_DB_H
1". If not, then it's not found db.h, hence the compilation errors
above.

Andy

  




Re: [squid-users] scheduling not working for me, what am I doing wrong?

2011-11-23 Thread Andrew Beverley
On Wed, 2011-11-23 at 13:28 -0800, someone wrote:
> I am unable to limit the hours squid will accept requests
> 
> 
> 
> squid3 -v
> Squid Cache: Version 3.0.STABLE8 <---yes I know it's older but will do
> for my needs.
> 
> 
> I've tried this:
> 
> acl ACLTIME time SMTWHFA 06:00-23:30
> 
> http_access allow ACLTIME

Have you got a "deny" option somewhere? Are you following the ACLTIME by
another "allow" that is giving them access?

Maybe you want something like:

acl ACLTIME time 06:30-21:00
http_access deny !ACLTIME

Andy




Re: [squid-users] squid compilation

2011-11-13 Thread Andrew Beverley
On Sun, 2011-11-13 at 23:12 +0530, Benjamin wrote:
> On 11/13/2011 10:51 PM, Andrew Beverley wrote:
> > On Sun, 2011-11-13 at 22:29 +0530, Benjamin wrote:
> >> Hi,
> >>
> >> I want to use Squid on CentOS 6. So I wonder whether I should compile
> >> the latest stable version from the Squid source code or go with the RPM
> >> package I get from my distro?
> > You're normally best using the one provided with your distro, unless
> > there are specific features you need from a later version.
> >
> >> Actually my concern is whether installation from RPM and compilation from
> >> source code are the same when comparing Squid features?
> > Try the one from the distro first and see if it meets your requirements.
> >
> >> And as per my purpose with Squid, we want to use it only for high cache
> >> performance, so for that do I need to take care of any specific Squid feature?
> > I don't know, but others will be able to advise, or you can check the
> > list archives.
> >
> >> And please provide me any good document or link from where I can get a
> >> good understanding of each Squid feature which we get during the compilation
> >> process in the ./configure command.
> > ./configure --help
> >
> > Andy
> >
> >
> Hi,
> 
> Thanks for your kind response. If I do not want any authentication module 
> from Squid, and when I install Squid from the distro RPM I have that 
> authentication module enabled by default, then in that case does it 
> impact performance?

Well if you've not configured any authentication in squid.conf then I
imagine that the impact will be minimal.

> Actually we need squid for forward proxy and cache gain only.
> 

I'm sure you could tune Squid for your particular use, but I'm afraid I
don't know exactly how much difference that will make.

Andy





Re: [squid-users] squid compilation

2011-11-13 Thread Andrew Beverley
On Sun, 2011-11-13 at 22:29 +0530, Benjamin wrote:
> Hi,
> 
> I want to use Squid on CentOS 6. So I wonder whether I should compile 
> the latest stable version from the Squid source code or go with the RPM 
> package I get from my distro?

You're normally best using the one provided with your distro, unless
there are specific features you need from a later version.

> Actually my concern is whether installation from RPM and compilation from 
> source code are the same when comparing Squid features?

Try the one from the distro first and see if it meets your requirements.

> And as per my purpose with Squid, we want to use it only for high cache 
> performance, so for that do I need to take care of any specific Squid feature?

I don't know, but others will be able to advise, or you can check the
list archives.

> And please provide me any good document or link from where I can get a 
> good understanding of each Squid feature which we get during the compilation 
> process in the ./configure command.

./configure --help

Andy




Re: [squid-users] Erm, Need Make Install Command Syntax for Debian

2011-11-11 Thread Andrew Beverley
On Fri, 2011-11-11 at 10:09 -0800, someone wrote:
> I'm trying to upgrade my squid install. I need to compile a newer version
> of squid 3.1 on a debian machine, but when I run make install, it puts
> everything in the wrong directories.
> 
> Does anyone know the proper Make Install command for debian
> so everything goes into the proper directories?

The easiest way is to run "squid3 -v" which will print the configure
command that was used to compile your current version.

The one that I use (slightly customised) on Squeeze is:

./configure --with-netfilter-conntrack '--build=x86_64-linux-gnu'
'--prefix=/usr' '--includedir=${prefix}/include' '--mandir=
${prefix}/share/man' '--infodir=${prefix}/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=
${prefix}/lib/squid3' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
 '--enable-ntlm-auth-helpers=smb_lm,' 
'--enable-digest-auth-helpers=ldap,password' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
 '--enable-arp-acl' '--enable-esi' '--disable-translation' 
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' 
'--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' 
'--enable-linux-netfilter' --disable-ipv6 'build_alias=x86_64-linux-gnu' 
'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall 
-O2'

Andy




Re: [squid-users] configuring splash page

2011-10-24 Thread Andrew Beverley
On Tue, 2011-10-25 at 02:23 +0300, Alex F wrote:
> >>
> >> BTW, how can I find out what version is the session helper?
> >> Cheers.
> >
> > ext_session_acl -v  should tell you.
> 
> It doesn't work, I already tried it.
> /usr/local/squid/libexec/ext_session_acl -v
> /usr/local/squid/libexec/ext_session_acl: invalid option -- 'v'

Not a wholly accurate test, but if you check the man page then that will
tell you the version (man ext_session_acl).

> BTW, did you leave  "/var/lib/squid/session/" intentionally or was it
> supposed to be /var/lib/squid/session/session.db?

Ah, that could be your problem. It needs to be /var/lib/squid/session/
(it works with a filename for backward compatibility). Using a directory
causes the helper to open a database environment, which prevents the
sync problems that you are seeing (the man page provides more info). Try
that and it should fix it.

> Can you please confirm that this type of config is working with you,
> so I can be sure that at least this isn't the problem.

My *exact* current config (with extra stuff) that works is as follows:

http_access allow localhost
acl our_networks src 10.0.0.0/16
external_acl_type session_active_def concurrency=100 ttl=3 %SRC 
/usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/
acl session_is_active external session_active_def
acl session_day time "/var/www/announce_days.txt"
deny_info http://nelsonwr.wardroom/announce.php?url=%u session_day 
session_is_active
http_access deny session_day !session_is_active
http_access allow our_networks
http_access deny all

My LOGIN code is contained in a local PHP page that serves up the splash
page (I do this because local web requests bypass Squid):

  $handle = popen($session_helper, 'w');
  fwrite($handle, "10 " . $_SERVER['REMOTE_ADDR'] . " LOGIN\n");
  pclose($handle);


Andy




Re: [squid-users] failed http redirection

2011-10-23 Thread Andrew Beverley
On Sun, 2011-10-23 at 07:41 -0700, Ivan Matala wrote:
> hello, this is my code
> 
> iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --match multiport
> --dports 80 -j DNAT --to-destination 118.67.78.136:80
> 
> what I'm trying to do is redirect all http requests to a
> foreign proxy, but it fails
> 

What are your other iptables rules? Are you sure that there is not an
ACCEPT (or another rule that stops that rule being traversed) before
that rule? Try changing it to a LOG to check that it is actually doing
something.

Andy




Re: [squid-users] configuring splash page

2011-10-22 Thread Andrew Beverley
On Sat, 2011-10-22 at 02:41 +0300, Alex F wrote:
> On Wed, Oct 19, 2011 at 2:10 AM, Andrew Beverley wrote:
> >
> >>
> >> acl A dstdomain 192.168.235.136
> >> acl B urlpath_regex /splash.html /check.html
> >> http_access allow A B
> >
> > The above 2 rules do not appear to be used?
> 
> Well the idea was to use these to be sure I can GET those 2 links used
> for check and splash and not get stuck in a loop.

It will actually have the opposite effect. If the ACL is matched then
your user never actually gets to the ACL that forces the client IP
address to be "logged in" to the session helper. So, for starters, I
would remove those rules. However...

> 
> >> acl clicked_login_url url_regex -i http://192.168.235.136/check.html
> >> http_access allow clicked_login_url session_LOGIN
> >
> > This all looks correct to me. However, I would run a test yourself from
> > a shell. Just run the session helper yourself from a command prompt and
> > enter the IP address of your computer to test it:
> >
> > /usr/local/squid3.2/libexec/ext_session_acl -T 30 -b 
> > /usr/local/squid3.2/lib/session.db -a
> >
> > Then type:
> >
> > 10 192.168.0.1 [change IP address as appropriate]
> >
> > You should either get OK or ERR in response
> 
> 10 192.168.235.136
> 10 ERR message="No session available"

I should have said, you also need to add a LOGIN command to the initial
challenge:

10 192.168.235.136 LOGIN

then

10 192.168.235.136

> 
> It does seem to RANDOMLY work. It's like this:
> * squid is started, I am not allowed any access although I hit the check link
> ** I restart squid, I am allowed access and after a few seconds denied
> * I restart squid, again no access.
> ** Restart again, access allowed and after a few seconds denied
> 
> The odd thing is that I can never make squid accurately reproduce the
> errors.

This does sound like the database sync bug that the patch below fixes.

In fact, I would say that unless you upgrade to session helper v1.2 then
you are almost certainly not going to get this working.

>  I just toyed around with the parameters in squid.conf and
> after reverted to the old ones, and it's just stuck in an infinite
> loop trying to GET splash.php.
> 
> > I suspect that the actual problem is a sync problem when running
> > multiple session helpers (they cache the database individually). This
> > problem is fixed with an upgrade to a newer Berkeley DB version in
> > version 1.2 of the session helper, currently waiting acceptance into
> > trunk. In the meantime the patch is available here:
> >
> > http://www3.us.squid-cache.org/mail-archive/squid-dev/201110/0116.html
> >
> > Andy
> I'm having trouble applying the patch.

For some reason it doesn't seem to apply from the root source directory.
Try changing to the helpers/ directory and applying from there (with the
-p1 switch). It won't patch one of the man pages, but I'm sure you can
live without that.

>  Can't I just recompile another build?

Unfortunately the patch has not been accepted into trunk yet by the
Squid developers.

Amos: any news of it being accepted please?

Andy




Re: [squid-users] Facebook page very slow to respond

2011-10-19 Thread Andrew Beverley
On Wed, 2011-10-19 at 12:48 -0400, Wilson Hernandez wrote:
> Hello.
> 
> After attempting several suggestions from guys here in the list, I'm 
> still experiencing the same problem: Facebook is so sluggish that my 
> users are complaining every day and it's just depressing.
> 
> Today I came up with an idea: Use a "dedicated" line for facebook 
> traffic. For example:
> 
>  LAN
> |
> |
>  SERVER --- Internet line for facebook only
> |
> |
> Internet
> 
> Can this be possible?

Yes, it's possible, using policy based routing with iproute2. However,
you'll need all the IP addresses for facebook, which I imagine will
prove difficult.

> Can this solution fix my problems or give me more problems?
> 

I'm not convinced this is the answer to your problem though. Are you
having problems with any other websites? Have you tried by-passing Squid
to see if it is indeed a bandwidth related issue or a problem with Squid
itself?

Andy




Re: [squid-users] configuring splash page

2011-10-18 Thread Andrew Beverley
On Tue, 2011-10-18 at 14:44 +0300, Alex F wrote:
> Hello,
> 
> I am trying to set up a splash page as an initial page, no matter what
> users request.
> Please note I am using Squid 3.2 with session helper 1.1 on debian 6.
> Following the examples from
> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash I have
> managed to set up and get results with the first example.
> Scrolling down, there is the second example on how to enforce a check
> that the user did GET a specific page.
> I've got the following set up:
> __
> external_acl_type session_LOGIN_master concurrency=100 ttl=2 %SRC
> /usr/local/squid3.2/libexec/ext_session_acl -T 30 -b
> /usr/local/squid3.2/lib/session.db -a
> acl session_LOGIN external session_LOGIN_master LOGIN
> 
> external_acl_type session_ACTIVE_master concurrency=100 ttl=2 %SRC
> /usr/local/squid3.2/libexec/ext_session_acl -T 30 -b
> /usr/local/squid3.2/lib/session.db -a
> acl session_is_ACTIVE external session_ACTIVE_master
> 
> acl A dstdomain 192.168.235.136
> acl B urlpath_regex /splash.html /check.html
> http_access allow A B

The above 2 rules do not appear to be used?

> 
> acl clicked_login_url url_regex -i http://192.168.235.136/check.html
> http_access allow clicked_login_url session_LOGIN

This all looks correct to me. However, I would run a test yourself from
a shell. Just run the session helper yourself from a command prompt and
enter the IP address of your computer to test it:

/usr/local/squid3.2/libexec/ext_session_acl -T 30 -b 
/usr/local/squid3.2/lib/session.db -a

Then type:

10 192.168.0.1 [change IP address as appropriate]

You should either get OK or ERR in response

> 
> http_access deny !session_is_ACTIVE
> deny_info http://192.168.235.136/splash.html session_is_ACTIVE
> __
> 
> BTW, note that in the example page, at the "# If we get here, URL not
> present" section there is "http_access deny session_day
> !session_is_active" - session_day ACL does NOT exist  anywhere. May be
> a typo or something.

Yes, that's a typo. I'll correct that.

> I am failing to see what's wrong. Any idea is appreciated.

I suspect that the actual problem is a sync problem when running
multiple session helpers (they cache the database individually). This
problem is fixed with an upgrade to a newer Berkeley DB version in
version 1.2 of the session helper, currently waiting acceptance into
trunk. In the meantime the patch is available here:

http://www3.us.squid-cache.org/mail-archive/squid-dev/201110/0116.html

Andy
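To test the helper the way these replies describe (run it from a shell, send "10 <ip>", then "10 <ip> LOGIN", and read OK or ERR back), here is an added Python driver that is not from the thread or from the Squid project. It formats the channel-prefixed requests the concurrency protocol uses, parses replies such as `10 ERR message="No session available"`, and checks that each reply carries the channel id it sent; the helper path and options are copied from the squid.conf posted earlier in this thread and are assumed to be installed there.

```python
"""Drive Squid's ext_session_acl helper over stdin/stdout as squid does with
'concurrency=N ... %SRC': requests are '<channel> <client-ip>[ LOGIN]' and
replies are '<channel> OK|ERR [key="value" ...]'."""
import shlex
import subprocess
import sys
from dataclasses import dataclass, field

# Helper command line from the thread's squid.conf (assumed to exist on this host)
HELPER_CMD = ["/usr/lib/squid3/ext_session_acl", "-a", "-T", "10800",
              "-b", "/var/lib/squid/session/"]


def build_request(channel, client_ip, login=False):
    """One request line: channel id, client IP, optional LOGIN command."""
    parts = [str(channel), client_ip] + (["LOGIN"] if login else [])
    return " ".join(parts) + "\n"


@dataclass
class HelperReply:
    channel: int
    result: str                               # "OK", "ERR" or "BH"
    kv: dict = field(default_factory=dict)    # e.g. {"message": "No session available"}


def parse_reply(line):
    """Parse a helper reply; shlex strips the quotes around key="value" pairs."""
    tokens = shlex.split(line.strip())
    if len(tokens) < 2 or not tokens[0].isdigit():
        raise ValueError(f"malformed helper reply: {line!r}")
    reply = HelperReply(int(tokens[0]), tokens[1])
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:
            reply.kv[key] = value
    return reply


def session_is_active(reply):
    """OK means the client IP currently holds a session; ERR means it does not."""
    return reply.result == "OK"


class SessionHelperClient:
    """Synchronous client: one request in flight, channel id verified on reply."""

    def __init__(self, cmd=HELPER_CMD):
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)
        self.next_channel = 0

    def query(self, client_ip, login=False):
        channel = self.next_channel
        self.next_channel += 1
        self.proc.stdin.write(build_request(channel, client_ip, login))
        self.proc.stdin.flush()
        reply = parse_reply(self.proc.stdout.readline())
        if reply.channel != channel:  # replies out of step with requests
            raise RuntimeError(f"reply for channel {reply.channel}, expected {channel}")
        return reply

    def close(self):
        self.proc.stdin.close()
        self.proc.wait(timeout=5)


if __name__ == "__main__":
    # Same sequence as the thread: query, LOGIN, query again
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.235.136"
    client = SessionHelperClient()
    try:
        print("before LOGIN:", client.query(ip))
        print("LOGIN:", client.query(ip, login=True))
        print("after LOGIN:", client.query(ip))
    finally:
        client.close()
```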




Re: [squid-users] Tutorial for Squid Splash Page

2011-10-03 Thread Andrew Beverley
On Sun, 2011-10-02 at 21:50 -0700, Ivan Matala wrote:
> Hello guys, do you have any idea whether it is possible to display a splash page
> to squid proxy users? I want it to display for some specific
> interval. Also can we put a license agreement, in which they have to
> press Yes or accept in order to browse any website. Thank you Squid
> Users.
> 
> Kindly include your ideas or tutorials. Thank you

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash




Re: [squid-users] Multiple ACL's

2011-09-24 Thread Andrew Beverley
On Sat, 2011-09-24 at 04:18 -0700, Jim Gifford wrote:
> I have setup a small proxy server at home for my kids.
> 
> My proxy is set up to allow access from 8am to 9pm on school nights. He 
> has an alarm clock that uses his ipod, that needs 24x7 connectivity or 
> his alarm clock doesn't work. Is it possible to create 2 different ACLs, 
> one to allow access for his alarm clock without a logon to certain 
> domain destinations and prevent him from going to the internet on his 
> ipod after the scheduled block of the internet.
> 
> Any ideas on how to accomplish this.

I posted a similar question a few days ago :)

You should be able to work it out using the details here:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2BAC8-Or_logic
http://wiki.squid-cache.org/SquidFaq/OrderIsImportant

And the acl "dstdomain":

http://www.squid-cache.org/Doc/config/acl/

Andy




[squid-users] Denying based on 2 ACLs

2011-09-21 Thread Andrew Beverley
Hi,

I would like to deny a request with http_access, but based on 2 ACLs. Is
there a way to do this?

The reason is that I want to produce a splash page, but only display it
between certain times. I was thinking something like:

http_access deny !new_users && correct_time

where new_users and correct_time are ACLs. However, I don't think that's
possible.

Is there are way to achieve it?

Thanks,

Andy
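The ordering question in the scheduling reply above (an "allow ACLTIME" followed by another allow lets everything through, "deny !ACLTIME" does not) and the two-ACL question here both come down to how Squid walks http_access: ACLs on one line are ANDed, lines are ORed top-down, the first fully matching line decides, and the default is the opposite of the last line. The following added Python model, not from the thread or from Squid, evaluates those three rule sets; the trailing "http_access allow all" in the poster's config is an assumption standing in for the extra allow Andy suspected, and time-range bounds are treated as inclusive.

```python
"""Model of Squid http_access evaluation (AND within a line, OR across lines,
first match wins, default is the opposite of the last line). Time ACLs are
evaluated for real; any other ACL name is looked up in `facts`."""
import re
from datetime import datetime

# Squid's day letters mapped to datetime.weekday() values (Monday == 0)
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}
TIME_RANGE = re.compile(r"(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})")

# Constructed request times: a Wednesday, outside and inside the windows below
NIGHT = datetime(2011, 11, 23, 2, 0)
DAY = datetime(2011, 11, 23, 12, 0)

# The poster's rules plus the catch-all allow Andy suspected follows them (assumed)
POSTER_CONFIG = """
acl ACLTIME time SMTWHFA 06:00-23:30
http_access allow ACLTIME
http_access allow all
"""

# Andy's suggestion: deny outside the window before any allow line
FIXED_CONFIG = """
acl ACLTIME time 06:30-21:00
http_access deny !ACLTIME
http_access allow all
"""

# 'Denying based on 2 ACLs': both ACLs on the deny line must match (AND)
TWO_ACL_CONFIG = """
acl correct_time time 08:00-21:00
http_access deny !new_users correct_time
http_access allow all
"""


def parse_time_acl(args):
    """Parse the arguments of 'acl NAME time [days] [h1:m1-h2:m2]'."""
    days, minutes = set(DAY_LETTERS.values()), None
    for tok in args:
        m = TIME_RANGE.fullmatch(tok)
        if m:
            h1, m1, h2, m2 = map(int, m.groups())
            minutes = (h1 * 60 + m1, h2 * 60 + m2)
        elif tok and set(tok) <= set(DAY_LETTERS):
            days = {DAY_LETTERS[c] for c in tok}
        else:
            raise ValueError(f"bad time acl token: {tok!r}")
    return days, minutes


def time_acl_matches(acl, when):
    days, minutes = acl
    if when.weekday() not in days:
        return False
    if minutes is None:
        return True
    now = when.hour * 60 + when.minute
    return minutes[0] <= now <= minutes[1]  # bounds treated as inclusive here


def evaluate(config, when, facts=None):
    """Return 'allow' or 'deny' for a request at `when`; `facts` gives the
    truth value of non-time ACLs such as an external (session) ACL."""
    facts = dict(facts or {})
    time_acls, last_action = {}, None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue
        if line[0] == "acl":
            if line[2] == "time":
                time_acls[line[1]] = parse_time_acl(line[3:])
            continue  # other ACL types are answered from `facts`
        if line[0] != "http_access":
            continue
        last_action, terms = line[1], line[2:]
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            if name == "all":
                value = True
            elif name in time_acls:
                value = time_acl_matches(time_acls[name], when)
            else:
                value = bool(facts[name])
            if value == negate:  # this term is false, so the whole line fails
                break
        else:
            return last_action  # every term matched: first matching line wins
    if last_action is None:
        return "allow"  # Squid allows when there are no http_access lines
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    print("poster's rules at 02:00:", evaluate(POSTER_CONFIG, NIGHT))
    print("fixed rules at 02:00:", evaluate(FIXED_CONFIG, NIGHT))
    print("new user at 12:00:", evaluate(TWO_ACL_CONFIG, DAY, {"new_users": False}))
```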




Re: [squid-users] Squid and Splash page

2011-09-18 Thread Andrew Beverley
On Mon, 2011-04-25 at 07:54 -0700, Daniel Shelton wrote:
> First of all, thanks to Amos and Andrew for replying to my previous
> question.  I have setup squid_session with the following in
> squid.conf.  The result is attached below also.  For whatever reason
> the squid sessions are crashing and I am not sure why.  The goal would
> be to display a splash page to the user and then release them after
> that.  ("Catch and Release") 
> 
> Does anyone know why the sessions are exiting ?

A somewhat late reply, but for the record anyway.

I have found what I believe to be a bug in ext_session_acl.cc which
causes it to segfault every time it is called. I'll file a report (and
hopefully patch) to the squid-dev list shortly.

Andy




Re: [squid-users] Is there any Linux Wifi Hotspot Solution that can be used with squid .. ?

2011-07-21 Thread Andrew Beverley
On Thu, 2011-07-21 at 23:56 +0630, Mr Crack wrote:
> Dear Friends,
> I would like to know if there is any wifi hotspot solution software in
> Linux ( free or commercial )
> In Windows, that can be done with Antamedia Hotspot software.

There are instructions here if you want to roll your own:

http://andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Andy




Re: [squid-users] TOS from remote to squid(2 series)

2011-04-23 Thread Andrew Beverley
On Sat, 2011-04-23 at 21:24 +0800, jiluspo wrote:
> therefore squid 3.2 still can't preserve the TOS value from the remote server to 
> clients.

Correct.

> hmn. what about the zph that requires kernel patch?

zph and qos_flows are the same thing. The names differ between different
versions of Squid.

>  would it work with 
> remote servers?
> 

Should do.

To avoid a kernel patch (using v3.2), what you could do, is to use the
iptables tos match to set a mark on a packet, and then match the mark in
Squid. For example:

iptables -A PREROUTING -t mangle -m tos --tos 0x4 -j MARK --set-mark 0x4

will transfer a TOS value of 0x4 to a mark value of 0x4. You could
transfer this back again in the POSTROUTING chain using a similar
method.

> lastly, what about its performance degradation (req/sec and service time) if 
> we add this feature?

Performance degradation should be minimal, although I haven't run any
benchmarks.

Andy




Re: [squid-users] TOS from remote to squid(2 series)

2011-04-23 Thread Andrew Beverley
On Sat, 2011-04-23 at 20:36 +0800, jiluspo wrote:
> By remote servers I mean HTTP web servers' TOS.
> I already know about peers; in fact current squid (as of 04/24/11) TOS is not 
> being marked on peer (digest or icp) hits when there is a local miss.
> http://bugs.squid-cache.org/show_bug.cgi?id=3202
> 
> AFAIK squid 2 series TOS always marked zero from remote servers.
> according to source code initial tos=0;
> 
> there are some patches called preserve tos miss but the kernel (linux) needs
> to be patched.
> 
> does the kernel really need to be patched in order to pass the TOS value
> from the kernel to squid?
> 

Yes, I'm afraid it does, due to the way the networking stack works.

If you want *similar* functionality *without* patching the kernel, then
you can use the "qos_flows mark" feature, which uses the netfilter mark
value rather than the TOS value. However, marks do not apply remotely,
so this will only work to retain marks on the local machine.

This feature is only available from 3.2 onwards.

Andy




Re: [squid-users] Squid as a "Hotspot" ?

2011-04-20 Thread Andrew Beverley
On Wed, 2011-04-20 at 05:39 -0700, Daniel Shelton wrote:
> Does anyone know?  Can Squid be set up as a wifi "Hotspot"? 
> 
> For example, with a splash page that users will see before connecting?
> 

You can use Squid for a simple splash page:

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

However, as has already been pointed out, you will probably need more
than that. Depending on how you want to do it, there are instructions
below on how to create a captive portal using iptables:

http://andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Regards,

Andy




Re: [squid-users] How to use cbq

2010-12-24 Thread Andrew Beverley
On Thu, 2010-12-23 at 19:05 +0100, lupuscramus wrote:
> > > Do you know someone who managed to use the squid marked packets
> > > to make a QoS based on ip source with classful queuing ? (cbq, htb)
> > 
> > Yes, I do this. For an example you could have a look at my website. It
> > is out of date and probably not exactly what you are looking for, but it
> > would probably give you an idea:
> > 
> > http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
> >
> On your website I don't see where you use Squid to mark packets.

Sorry, it's just an example of using HTB, I've not updated it yet with
my current Squid rules.

> Hum, I've noticed something: when I run
> tc class show dev eth0
> I can see there are packets which pass by the class I want: they are packets
> marked by Squid: the source is the proxy and the destination is the web
> server. They represent a small proportion of packets between my user and my
> web server (there is mainly download with HTTP)
> 
> However, I want to limit the download rate: packets from web server to proxy
> server.

I'm a bit confused. Can you produce a diagram of your setup? Is your web
server on a different server to Squid? If you want to limit packets *to*
Squid, then you will need to set up HTB on the interface going to Squid
(you might need to use IFB) *or* rate limit the packets going *from*
Squid on the other interface to the one you are using now.

> Is there a way to do this ? Was the feature written for this ?
> 

Please provide some more info of your setup and I'll have a look.

Andy




Re: [squid-users] How to use cbq

2010-12-22 Thread Andrew Beverley
On Wed, 2010-12-22 at 23:57 +0100, lupuscramus wrote:
> > Looks right for the Squid part.
> > 
> > Also check that Squid was built with the netfilter-conntrack library and
> > the QoS feature enabled.
> >   --enable-zph-qos --with-netfilter-conntrack
> > 
> > when not explicitly specified for ./configure the feature support is at
> > the mercy of the automatics and may be disabled relatively silently if
> > required system pieces are missing.
> 

That reminds me, I was going to have a further look at this, because if
LIBCAP isn't present but netfilter-conntrack is, then the features get
built but just "don't work". There should probably be a warning either
when compiling or when running.

> > iptables should have something to track packet markings with.
> 
> I've recompiled squid with the missing options, and in the iptables logs I can
> see the packets are marked.
> 
> For information, if someone wants to know how to verify if the packets are
> marked:
> 
> iptables -A OUTPUT -j LOG 
> iptables -A INPUT -j LOG 
> iptables -A FORWARD -j LOG
> cat /var/log/kern.log 
> 
> So, the problem comes from tc, not squid.
> 
> > I'm not familiar with the specific tc configuration to help further sorry.
> 
> Do you know someone who managed to use the squid marked packets
> to make a QoS based on ip source with classful queuing ? (cbq, htb)
> 

Yes, I do this. For an example you could have a look at my website. It
is out of date and probably not exactly what you are looking for, but it
would probably give you an idea:

http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

HTB is a tricky beast. There is information out there, but sometimes you
need to look hard.

> Or do you know where I can ask for help? It seems the LARTC mailing-list is dead.
> 

The netfilter mailing lists are the places to ask. The LARTC mailing
list unfortunately seemed to become unused a couple of years back.

Andy




Re: [squid-users] Limiting user's bandwidth

2010-10-31 Thread Andrew Beverley
On Fri, 2010-10-29 at 05:48 -0700, Landy Landy wrote:
> 
> --- On Thu, 10/28/10, Andrew Beverley  wrote:
> 
> > From: Andrew Beverley 
> > Subject: Re: [squid-users] Limiting user's bandwidth
> > To: "Landy Landy" 
> > Cc: "Squid-Users" 
> > Date: Thursday, October 28, 2010, 6:33 PM
> > > > > $tc filter  add dev eth1 parent 2:0 protocol ip prio 4 handle 1003 fw classid 2:1003
> > > > 
> > > > I'm no expert, but I would remove the prio parameter. I think this is
> > > > matching the prio value of a packet - probably not what you want. I
> > > > would also change the "classid" to "flowid".
> 
> Changed "classid" to "flowid" and got this error:
> 
> We have an error talking to the kernel
> RTNETLINK answers: Invalid argument
> Error: Qdisc "flowid" is classless.
> RTNETLINK answers: File exists
> We have an error talking to the kernel
> RTNETLINK answers: Invalid argument
> 
>   

Off the top of my head, I think you need to only include the MARK value
(eg 1003), so drop the "2:" part.

Andy




Re: [squid-users] Limiting user's bandwidth

2010-10-28 Thread Andrew Beverley
> > > $tc filter  add dev eth1 parent 2:0 protocol ip prio 4 handle 1003 fw classid 2:1003
> > 
> > I'm no expert, but I would remove the prio parameter. I think this is
> > matching the prio value of a packet - probably not what you want. I
> > would also change the "classid" to "flowid".
>
> The reason for the prio is because I'm prioritizing other traffic. I
> want DNS, SSH, ICMP, and VOIP to have a higher priority than the rest.

If you want to achieve that then you need to do it differently. The prio
in the filter above is matching the packet's prio field and filtering
traffic in as appropriate, so the only traffic going into the leaf above
is that with a prio value 4 (which would explain why no shaping is
taking place).

If you want to do the prio stuff, you'll need to attach it as a separate
qdisc to the appropriate class, but again remember that it will only do
that for each user within that leaf class.

> > 
> > You can just add these as a few extra rules to MARK the packets
> > accordingly. However... if you're limiting per client IP address then
> > they are largely irrelevant, as the user will just fill up their own
> > leaf with P2P data.
> 
> You are correct, adding your p2p rules will make the kernel
> work harder. Just realized I established this control because
> of p2p. That was my first reason and later just decided to
> give each user the same amount of bw.

In which case there's no need to add any P2P rules in this instance,
unless you want to shape individual users' traffic for them.

Andy




Re: [squid-users] Limiting user's bandwidth

2010-10-26 Thread Andrew Beverley
[top posting corrected]

>> Are you just trying to share bandwidth fairly between users? If so, your
>> best bet is to change to one leaf for all your clients, but attach a
>> filter to it that will share bandwidth *by IP address* (see below) - the
>> default is to share by connection. If you want an overall limit you can
>> apply that to the one leaf, and then everybody within it will get their
>> fair share within.
>>
>> If you want people who are downloading/uploading large amounts to get a
>> reduced share, then set up an iptables rule to set a MARK based on the
>> amount of data transferred in that connection. There's a good example at
>> the following web page, although it's currently a work in progress:
>>
>> http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
> 
>
> Will that share the bandwidth pro rata?

By "default", the kernel shares bandwidth by connection, not per user
(this is not Squid specific).

> Say the bandwidth is 10Mbps and you have 10 users, they only get 1 each?
> Otherwise isn't it shared equally anyway?

No, if one is downloading several different files (or using P2P
software), they will get a disproportionate amount of bandwidth.

> There must be a way to apply a kbps limit in case someone is hogging the 
> bandwidth?

You can set a limit per IP address as Landy is doing, but it is better
to use tc (and SFQ) to share bandwidth per IP address (using "flow hash
keys nfct-dst divisor") as per the website above.

Andy




Re: [squid-users] Limiting user's bandwidth

2010-10-26 Thread Andrew Beverley

> Ah, well the difference is that you are using INPUT/OUTPUT chains with
> Squid, not FORWARD, so that will be the difference.

What a dreadful sentence! That will teach me to not proofread before
posting to a list...





Re: [squid-users] Limiting user's bandwidth

2010-10-26 Thread Andrew Beverley
> Thanks Andy for your reply and taking your time to help like always.
> 

No problem at all.

> > > $tc class add dev eth0 parent 1:0  classid 1:1 htb rate 900kbit ceil 945kbit
> 
> As I understand, correct me if I'm wrong, this rule is telling the
> kernel how much bw we want to use globally, or how big the entire
> bucket is.

Yes, but the two are the same, so I would just keep these two parameters
as the same figure. This is the maximum amount of bandwidth that the
whole class can use.

> I know the leaf amounts don't add up to the root's bw, but not
> all clients are connected at the same time.

That's the beauty of HTB. Set your leaf rates to be the maximum amount
you would want them to ever have, if they did happen to all be connected
at the same time. Set the maximum to be the maximum that they should
ever have if it was possible. The prio parameter will then share the
excess bandwidth accordingly, should there be any available.

>  I don't know if this is
>  the problem or not but, I have similar rules for the LAN interface
>  which works pretty well.

I don't know, but in accordance with the above, there is no reason to
not have them all add up.

> The weird thing is if I don't use squid caching and just use the normal
> FORWARD chain along with this tc script, the upload and download
> throttle works fine.

Ah, well the difference is that you are using INPUT/OUTPUT chains with
Squid, not FORWARD, so that will be the difference.

Are you just trying to share bandwidth fairly between users? If so, your
best bet is to change to one leaf for all your clients, but attach a
filter to it that will share bandwidth *by IP address* (see below) - the
default is to share by connection. If you want an overall limit you can
apply that to the one leaf, and then everybody within it will get their
fair share within.

If you want people who are downloading/uploading large amounts to get a
reduced share, then set up an iptables rule to set a MARK based on the
amount of data transferred in that connection. There's a good example at
the following web page, although it's currently a work in progress:

http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

Andy
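An added example, not Andy's script and not the code on his website, of the single-leaf, per-IP fair-sharing setup described above, together with the per-client leaf keyed on a netfilter mark that is discussed earlier in the thread. It assumes the clients sit behind eth1 on a 900kbit link and uses 172.16.254.2 and 172.16.254.3 as sample client addresses; with DRY_RUN=1 it prints the tc and iptables commands instead of applying them.

```shell
#!/bin/sh
# Example shaper for the LAN-facing interface (not the thread's script).
# Variant A: one HTB leaf shared fairly per client IP (SFQ hashed on nfct-dst).
# Variant B: a dedicated leaf per client selected by netfilter mark.
# Assumed: eth1 faces the clients, 900kbit link. Needs root to apply;
# DRY_RUN=1 prints the commands instead of running them.

DEV="${DEV:-eth1}"
RATE_KBIT="${RATE_KBIT:-900}"

# Run a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# HTB guarantees every leaf its "rate", so the leaf rates must fit inside
# the parent's rate; "ceil" is only how far a leaf may borrow beyond that.
# Usage: rates_fit PARENT_KBIT LEAF_KBIT...   (exit status 0 when they fit)
rates_fit() {
    parent="$1"; shift
    total=0
    for r in "$@"; do
        total=$((total + r))
    done
    [ "$total" -le "$parent" ]
}

# Root qdisc plus one parent class carrying the whole link; rate and ceil
# are kept equal on the parent. Unclassified traffic falls into leaf 1:10.
setup_root() {
    dev="$1"; rate="$2"
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb \
        rate "${rate}kbit" ceil "${rate}kbit"
}

# Variant A: SFQ on the leaf, hashed on the conntrack destination, so each
# client IP (not each connection) gets an equal share. On the LAN-facing
# interface the destination of a download is the client address.
add_shared_leaf() {
    dev="$1"; rate="$2"; ceil="$3"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "${rate}kbit" ceil "${ceil}kbit"
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc filter add dev "$dev" parent 10: protocol ip handle 1 \
        flow hash keys nfct-dst divisor 1024
}

# Variant B: mark the client's packets in POSTROUTING (packets from Squid
# pass OUTPUT/POSTROUTING, not FORWARD) and steer the mark to its own leaf
# with an fw filter using the documented "flowid" keyword.
add_marked_leaf() {
    dev="$1"; ip="$2"; mark="$3"; rate="$4"; ceil="$5"
    run iptables -t mangle -A POSTROUTING -o "$dev" -d "$ip" \
        -j MARK --set-mark "$mark"
    run tc class add dev "$dev" parent 1:1 classid "1:$mark" htb \
        rate "${rate}kbit" ceil "${ceil}kbit"
    run tc qdisc add dev "$dev" parent "1:$mark" handle "$mark:" sfq perturb 10
    run tc filter add dev "$dev" parent 1: protocol ip handle "$mark" fw \
        flowid "1:$mark"
}

# 600kbit shared by everybody, 150kbit guaranteed to each of two sample
# clients (addresses constructed for the example); all may borrow to the link rate.
main() {
    link="$1"; link_rate="$2"
    rates_fit "$link_rate" 600 150 150 || {
        echo "leaf rates exceed the ${link_rate}kbit link" >&2; return 1; }
    setup_root "$link" "$link_rate"
    add_shared_leaf "$link" 600 "$link_rate"
    add_marked_leaf "$link" 172.16.254.2 1229 150 "$link_rate"
    add_marked_leaf "$link" 172.16.254.3 1230 150 "$link_rate"
}

case "${1:-}" in
    apply) main "$DEV" "$RATE_KBIT" ;;
    show)  DRY_RUN=1; main "$DEV" "$RATE_KBIT" ;;
esac
```

Run it with `show` first to review the generated rules, then `apply` as root.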




Re: [squid-users] Limiting user's bandwidth

2010-10-26 Thread Andrew Beverley
On Tue, 2010-10-26 at 08:15 -0700, Landy Landy wrote:
> Here's a snip:
> 
> #!/bin/bash
> #set -v
> iptables='sudo iptables'
> tc='sudo tc'
> #$iptables -t mangle -F
> #$iptables -t mangle -Z
> 
> #
> ## Traffic Shaping
> #
> ## Parent ID: 1, Associated with iface: eth0 -- External Interface - Internet Side.
> $tc qdisc del dev eth0 root
> $tc qdisc add dev eth0 root handle 1: htb r2q 1
> 
> $tc class add dev eth0 parent 1:0  classid 1:1 htb rate 900kbit ceil 945kbit
> 
> ##  Optimum Wireless
> $iptables -t mangle -A POSTROUTING -s 172.16.254.1 -j MARK --set-mark 1226
> $iptables -t mangle -A POSTROUTING -s 172.16.254.1 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.10 -j MARK --set-mark 1227
> $iptables -t mangle -A POSTROUTING -s 172.16.254.10 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.11 -j MARK --set-mark 1228
> $iptables -t mangle -A POSTROUTING -s 172.16.254.11 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.2 -j MARK --set-mark 1229
> $iptables -t mangle -A POSTROUTING -s 172.16.254.2 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.3 -j MARK --set-mark 1230
> $iptables -t mangle -A POSTROUTING -s 172.16.254.3 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.4 -j MARK --set-mark 1231
> $iptables -t mangle -A POSTROUTING -s 172.16.254.4 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.5 -j MARK --set-mark 1232
> $iptables -t mangle -A POSTROUTING -s 172.16.254.5 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.6 -j MARK --set-mark 1233
> $iptables -t mangle -A POSTROUTING -s 172.16.254.6 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.7 -j MARK --set-mark 1234
> $iptables -t mangle -A POSTROUTING -s 172.16.254.7 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.8 -j MARK --set-mark 1235
> $iptables -t mangle -A POSTROUTING -s 172.16.254.8 -j RETURN
> $iptables -t mangle -A POSTROUTING -s 172.16.254.9 -j MARK --set-mark 1236
> $iptables -t mangle -A POSTROUTING -s 172.16.254.9 -j RETURN
> $tc class   add dev eth0 parent 1:528  classid 1:1226 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:529  classid 1:1227 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:530  classid 1:1228 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:531  classid 1:1229 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:532  classid 1:1230 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:533  classid 1:1231 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:534  classid 1:1232 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:535  classid 1:1233 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:536  classid 1:1234 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:537  classid 1:1235 htb rate 141kbit ceil 169kbit prio 4
> $tc class   add dev eth0 parent 1:538  classid 1:1236 htb rate 141kbit ceil 169kbit prio 4
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1226 fw classid 1:1226
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1227 fw classid 1:1227
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1228 fw classid 1:1228
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1229 fw classid 1:1229
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1230 fw classid 1:1230
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1231 fw classid 1:1231
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1232 fw classid 1:1232
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1233 fw classid 1:1233
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1234 fw classid 1:1234
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1235 fw classid 1:1235
> $tc filter  add dev eth0 parent 1:0 protocol ip prio 4 handle 1236 fw classid 1:1236
> $tc qdisc   add dev eth0 parent 1:1226  handle 1018: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1227  handle 1019: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1228  handle 1020: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1229  handle 1021: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1230  handle 1022: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1231  handle 1023: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1232  handle 1024: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1233  handle 1025: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1234  handle 1026: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1235  handle 1027: sfq perturb 2
> $tc qdisc   add dev eth0 parent 1:1236  handle 1028: sfq perturb 2
> 
> 

I'm not sure that it's causing your 

Re: [squid-users] Limiting user's bandwidth

2010-10-25 Thread Andrew Beverley
On Mon, 2010-10-25 at 17:15 -0700, Landy Landy wrote:
> > If it's not working, then I suspect it's something wrong with your tc
> > rules. Are you sure you are shaping the correct interface? Remember that
> > the interface will be the opposite one to the one that you are using for
> > the user downloads.
> 
> 
> My LAN interface is eth1 on which I'm applying the marks on the
> POSTROUTING chain which works great. I don't have any problem with the
> download. I'm able to control the download bw.
> 
> I'm having problems with the upload: ext interface eth0. I can't seem
> to control this. I've applied marks on the PREROUTING, INPUT, and
> POSTROUTING as well, but nothing. Anyone can upload at full speed.
> 
> I'm basically doing the same for both interfaces, but can't get that
> upload to work as I would like to.

Can you post your iptables and tc rules for eth0 please?

Andy




Re: [squid-users] Limiting user's bandwidth

2010-10-25 Thread Andrew Beverley
On Mon, 2010-10-25 at 15:39 -0700, Landy Landy wrote:
> > Just to confirm: you are using a recent snapshot tarball of 3.2 beta
> > releases to do this right? with the packet marking netfilter libraries
> > built in?
> 
> No, I'm actually using Squid Cache: Version 3.0.STABLE24 (the version
>  that has really worked well for me) with iptables -t mangle marking
>  packets.
> 

If you're marking your packets in the POSTROUTING or OUTPUT chains then
it shouldn't be a problem.

If it's not working, then I suspect it's something wrong with your tc
rules. Are you sure you are shaping the correct interface? Remember that
the interface will be the opposite one to the one that you are using for
the user downloads.

Andy




Re: [squid-users] PHP Captive portal and squid.

2010-09-27 Thread Andrew Beverley
On Mon, 2010-09-27 at 14:17 -0700, Landy Landy wrote:
> > What's the reason that you can't get the customer IP address?
> > 
> > If you can find a way to get the IP address, then you could use the
> > following (which uses iptables and PHP):
> > 
> > http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal
> > 
> > Andy

> I actually looked at that page before and got ideas from it. It lacks
> some other things I would like to add to the captive portal: I would like
> to get the page the user intended to go to and, after doing the
> authentication on another server, have the user continue to the
> intended page or redirect to a "disconnected due to payment" page.
> 

The details on how to do the redirect to the original page are contained
in the "discussion" part of that wiki.

A redirect to a "disconnected" page shouldn't be too difficult; you
would just need to use PHP to generate the appropriate content rather
than enabling and redirecting the user.

Andy




Re: [squid-users] PHP Captive portal and squid.

2010-09-27 Thread Andrew Beverley
> I would like to create a captive portal using PHP where it would
> authenticate the user based on IP address and status. I tried using
> a PHP socket and redirecting traffic to it with iptables. I'm having some
> problems since I can't get the customer IP address.

What's the reason that you can't get the customer IP address?

If you can find a way to get the IP address, then you could use the
following (which uses iptables and PHP):

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Andy




Re: [squid-users] squid splashpage

2010-09-25 Thread Andrew Beverley
On Wed, 2010-09-22 at 12:29 +0200, Han Boetes wrote:
> Hi,
> 
> I installed squid and used this page to set up a splash page:
> 
>   http://wiki.squid-cache.org/ConfigExamples/Portal/Splash
> 
> This works as expected, except that the customer wants it to work
> slightly differently.
> 
> 1) He wants the splash page to be displayed every hour, regardless of
>    whether they keep browsing or not. How can I set that up?

I've not got much experience of the Squid splash page features, so I'm
not sure how you can achieve that, but as an alternative you could set
up your own captive portal using iptables, and add a cron job to clear
out the relevant iptables rules every hour.

This web page has some details, but you'll have to adapt it:

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

> 2) Also I noticed from the logs that, for example, windows update, which is
>    running on almost every computer in the universe right now, is using
>    http, and since it's connecting as soon as a connection is established
>    it will trigger the splash page and thus causes the client not to see
>    the splashpage. How can I make sure only browsers are triggering the
>    splash page?

Again, not sure about Squid, but if you use iptables you could just add
a rule to allow the windows update IP range.

Andy




Re: [squid-users] Marking outgoing connections with a mark acc. to client IP.

2010-08-27 Thread Andrew Beverley
On Fri, 2010-08-27 at 21:05 +1200, Amos Jeffries wrote:
> Oguz Yilmaz wrote:
> > Is it possible for Squid to mark outgoing connection with a mark
> > indicating the requester for that connection. I want to try this way
> > for user based time quota. My aim is to catch connections acc.to the
> > mark through iptables AAA features and apply several time and
> > bandwidth quota per day/week/month and apply several tc classes for
> > the traffic.
> 
> Not yet. All the current Squid can set TOS via tcp_outgoing_tos.
> 
> Netfilter MARK support is only just being worked on now. It's close to 
> passing our QA audit process and should be in one of our upcoming releases.
> 

Sorry for the delay, hopefully I'll get the next patch candidate in this
weekend :)

The work I've been doing has only been a MARK add-on to the QOS
functionality, not the tcp_outgoing_tos feature. Guess I'd better add
that as well...

Oguz - would you be available to assist with testing?

Andy




Re: [squid-users] Restricting bandwidth usage through squid

2010-08-17 Thread Andrew Beverley
> >> I have been looking around for a howto on this. Numerous google searches
> >> have only led me to half explanations, etc. Can anyone please point me
> >> to a nice howto on setting this up.
> >>  
> > Depending on what exactly you want to achieve, you could, of course,
> > also use some of the tc traffic shaping facilities (assuming you are
> > running *nix).
> >
> I am using Ubuntu 10.4. Running squid 2.7 stable. We are trying to 
> restrict how much a particular group is downloading as well as 
> individuals in that group.

In that case you're better using the built-in Squid functionality that
was mentioned in a previous list message.

Regards,

Andy





Re: [squid-users] Restricting bandwidth usage through squid

2010-08-16 Thread Andrew Beverley
> I have been looking around for a howto on this. Numerous google searches
> have only led me to half explanations, etc. Can anyone please point me
> to a nice howto on setting this up.

Depending on what exactly you want to achieve, you could, of course,
also use some of the tc traffic shaping facilities (assuming you are
running *nix).

Andy




[squid-users] Squid netfilter mark patch for QOS (ZPH) functionality

2010-08-08 Thread Andrew Beverley
Dear Squid users,

I am currently creating a patch for Squid that offers the existing ZPH
TOS functionality, but for netfilter marks. The patch will mark packets
leaving Squid with a netfilter mark value, depending on whether they
were retrieved from local cache or somewhere upstream. It will also
retain the existing mark of the upstream connection (without needing to
patch the kernel).

I am looking for people to test the patch (in particular IPv6). If this
is a feature that would be useful to you and you would be interested in
testing it, then please let me know directly at a...@andybev.com

Many thanks,

Andy




[squid-users] store.log suddenly filling very quickly with question marks

2009-07-01 Thread Andrew Beverley

Hi,

In the last few days, my store.log has suddenly started filling up  
with entries such as the following:


1246200847.769 RELEASE -1  74D41A19D1E64DB54978AD277BA12FC7
? ? ? ? ?/? ?/? ? ?


Despite log rotation, the log file has hit 2GB and stopped Squid from  
working as the file is too big to write to.


I have disabled the store.log file, but I am concerned that something  
is not right. Could there be something nasty on the network?


I found a similar post here:

http://marc.info/?l=squid-users&m=119006456530768&w=2

But the answer in that thread was to upgrade. I am using 3.0.STABLE8
on Debian 5.


So in summary, I have found a workaround, but I am concerned that  
something is not right. Should I be concerned?


Many thanks in advance,

Andy