[squid-users] Site not retaining log in

2011-05-23 Thread Boniforti Flavio
Hello people.

I got some curious behaviour with my transparent proxy setup.

When logging into a specific online shop, I can't get that site to
maintain my logged in status. Whenever I choose a product and put it
into the basket, I get asked again to log in (web form) and when I do
log in, my basket is empty.

Trying from a proxy-less LAN, it is working seamlessly!

Could anybody please help me in setting things right? If needed, I'll
gather some logs ...

Kind regards.

Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


RE: [squid-users] Site not retaining log in

2011-05-23 Thread Boniforti Flavio
Hello Gonzalo and thanks for your thoughts... 

> I do not know if this is your exact issue but a checking on
> webshop dns records and a simple lan trace with tcpdump on
> squid will show if this is the issue.

As from an external DNS server (www.kloth.net) I get *one single* IP
address:

 DNS server handling your query: localhost
 DNS server's address:  127.0.0.1#53
 
 Non-authoritative answer:
 Name:  abbo-shop.ch
 Address: 188.40.204.43

What else should I now check?

Thanks,
Flavio Boniforti



RE: [squid-users] Forward loop detected: what does this mean?

2011-05-20 Thread Boniforti Flavio
Hello again Amos, you're precious debugger of my situation! :-) 

> > What you see there are some services redirected to my internal servers
> > and the rule for intercepting web traffic...
>
> Okay. Looks okay. The use of eth0 replaces a specific Squid bypass.
> Squid will be using the Internet link eth1.

Sorry, but I don't understand the above statement. What do you mean by
"replaces a specific Squid bypass"?

[cut]

> > What could this be meaning? It looks like the PC is trying to connect
> > to the proxy port 3128, which is then directed to itself... uh?!
>
> Yes, this is the access.log displayed for all the forwarding
> attempts which failed. For each "Forward loop detected" there
> will be one or more of these in access.log to show the
> request which was forwarded to Squid then abandoned.
>
> The transaction looks something like this:
>   client ->
>     squid (access.log 000 / request aborted by server) ->
>       squid (access.log 000 / request aborted by server) ->
>         squid (cache.log forward loop abort)

OK: Squid is aborting the request to connect to itself because of design
and setup, right?

> Congratulations, active use of the CVE-2009-0801 vulnerabilities.
>
> I would be grateful if you could provide any detailed info
> about the malware seen on the client box and the traffic
> itself (tcpdump -s0 traces would be great). If this can be
> confirmed as the malware and not just a forward-proxy config
> in the client browser I'm going to have to make an announcement
> that it's finally gone wild.

What would have gone wild there?
Here you can find trace: http://www.sendspace.com/file/ij5qpe

I now re-attached the infected PC to the network and with "netstat
-nab" (it's a Win7 PC) I caught the process.
It's McSvHost.exe, which tries to connect to *every IP* on the subnet on
port 80!!!
It seems to be part of some McAfee suite (which in fact is installed on
the client PC). After uninstalling that McAfee software, it didn't
happen anymore.

> The fix is to follow the recommended config of not using
> port 3128 for intercept or transparent. Use a randomly
> selected high port instead.
>
> Also, at the Squid box mangle table configure this for your
> newly chosen intercept port:
>
>   iptables -t mangle -A PREROUTING -p tcp --dport $NEW_PORT -j DROP
>
> Make sure *nobody* can get to Squid with that port directly
> from inside OR outside the network.
> If you want to be more selective and only block -i eth0 or
> -s 172.16.16.1, okay. But DNAT needs to be used then instead
> of REDIRECT since DNAT allows some explicit control over
> which IP gets picked by NAT and listened on by Squid. Match
> that IP to the mangle protected IP or NIC.

This last iptables-part I have to take some time to apply it with care.

Thanks so far!

Flavio Boniforti



RE: [squid-users] Forward loop detected: what does this mean?

2011-05-20 Thread Boniforti Flavio
Hi Amos...

[cut]

> .. or in this case, it appears, some security penetration
> testing software. Somehow installed on a user's PC.
>
> > Here you can find trace: http://www.sendspace.com/file/ij5qpe
>
> Sorry, that seems to be a summary packet log. Just confirms

Sorry, I just took over your previously suggested command (tcpdump
-s0)...

> that the PC and Squid are chattering away. I need it to be a
> full binary packet dump. The binary bit is saved with -w to a file.
> So "tcpdump -s0 -w infected-dump.cap" should grab the bit I
> need to look at.
> If it's already cleaned up that's fine. This is just for my
> interest to confirm details.

Well, cleaned in terms of I removed McAfee Suite, yes! :-)

[cut]

> Could be McAfee Network Security Agent doing a network-wide
> scan/check?

Well, maybe! But that's weird behaviour... why should my protection
suite scan my whole subnet on port 80?

Kind regards,
Flavio Boniforti



RE: [squid-users] Forward loop detected: what does this mean?

2011-05-20 Thread Boniforti Flavio
Alright Amos!

> > Well, maybe! But that's weird behaviour... why should my protection
> > suite scan my whole subnet on port 80?
>
> From the (marketing) docs that particular McAfee component
> is designed for admins to do network wide security with.
> Active scans are one way to do things. Why it's on a user's box
> is the question.
>
> At least it has worked and made you aware of the proxy
> config vulnerability.

Ha! Yes indeed... it cost me some time, but... that's how life goes! ;-)

Again, many thanks and have a nice weekend!

Flavio Boniforti



[squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Boniforti Flavio
Hello everybody.

I ran out of space on my squid log directory because cache.log grew very
fast, filled by "forward loop detected" messages.

I'm using my squid as a transparent proxy.

What does that forward loop mean and how could it happen? I've noticed
that the originating IP was from a PC I had in my LAN which was infected
with some sort of mal-/spy-ware...

Any information will be appreciated, thanks!

Flavio Boniforti



RE: [squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Boniforti Flavio
Hello Amos...

> > What does that forward loop mean
>
> Your squid is sending requests out which subsequently arrive
> back to it.

OK.

> > and how could it happen? I've noticed
>
> Most likely your NAT rules are broken. Packets leaving Squid
> MUST NOT be sent back to Squid's listening port.

This is my iptables setup:

proxy:/var/log/squid3# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source       destination
62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:80 redir ports 3128
   10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0    0.0.0.0/0    tcp dpts:81:83 redir ports 3128
   31  1542 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpts:20:21 to:172.16.16.254
 4689  277K DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp multiport dports 80,443 to:172.16.16.254
   19  1144 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:1723 to:172.16.16.254
   14   822 DNAT       47   --  eth1   *       0.0.0.0/0    0.0.0.0/0    to:172.16.16.254
 4170  213K DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:25 to:172.16.16.254
    8   444 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:110 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:143 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt: to:172.16.16.37
  227 13204 DNAT       tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp multiport dports 22,873 to:172.16.16.240

Chain INPUT (policy ACCEPT 96511 packets, 7924K bytes)
 pkts bytes target     prot opt in     out     source       destination

Chain OUTPUT (policy ACCEPT 341K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source       destination

Chain POSTROUTING (policy ACCEPT 291K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source       destination
 234K   18M MASQUERADE all  --  *      eth1    0.0.0.0/0    0.0.0.0/0

What you see there are some services redirected to my internal servers
and the rule for intercepting web traffic...

> Or maybe the requests are for a domain which is pointing at
> your Squid with its IPs.
>
> > that the originating IP was from a PC I had in my LAN which was
> > infected with some sort of mal-/spy-ware...
>
> Or some attempted attack which is being short-circuited by
> setting the attackers domain to point at 0.0.0.0 or
> 127.0.0.1. In which case http_access deny to_localhost with
> the default definition of to_localhost should block it before looping.

I get tons of these in the access.log:

1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -

What could this be meaning? It looks like the PC is trying to connect to
the proxy port 3128, which is then directed to itself... uh?!
I'll be further investigating on the client victim (172.16.16.38)...

Kind regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 
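
Added example, not part of the original posts: a small Python check that finds the forward-loop signature shown in this message in a Squid native-format access.log, that is, requests whose URL points back at the proxy's own address and intercept port. The proxy addresses and port 3128 come from the thread; the last two sample log lines and all function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Squid's own addresses and intercept port as shown in the thread
# (ifconfig output and the REDIRECT rules).
PROXY_ADDRS = {"172.16.16.1", "192.168.1.253"}
PROXY_PORT = 3128

# The first two lines are the access.log entries quoted in the thread; the
# last two are constructed here so the detector has normal traffic to skip.
SAMPLE_LOG = """\
1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812230.100    120 172.16.16.37 TCP_MISS/200 4297 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1305812231.412     95 172.16.16.37 TCP_MISS/200 1830 CONNECT mail.example.org:443 - DIRECT/192.0.2.25 -
"""


def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        timestamp = float(fields[0])
    except ValueError:
        return None
    action, _, status = fields[3].partition("/")
    return {
        "time": timestamp,
        "client": fields[2],
        "action": action,
        "status": status,
        "method": fields[5],
        "url": fields[6],
        "peer": fields[8].partition("/")[2],
    }


def url_target(url):
    """Return the (host, port) a request was aimed at.

    CONNECT entries are logged as bare host:port, so a missing scheme is
    handled by parsing the value as a network location.
    """
    parts = urlsplit(url if "://" in url else "//" + url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port in the log
        return parts.hostname, None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def is_self_request(entry, addrs=PROXY_ADDRS, port=PROXY_PORT):
    """True when the requested URL points at Squid's own listening socket."""
    host, target_port = url_target(entry["url"])
    return host in addrs and target_port == port


def loop_sources(log_text, addrs=PROXY_ADDRS, port=PROXY_PORT):
    """Count self-directed requests per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_self_request(entry, addrs, port):
            hits[entry["client"]] += 1
    return hits


if __name__ == "__main__":
    for client, count in loop_sources(SAMPLE_LOG).most_common():
        print(f"{client}: {count} request(s) aimed at the proxy's own port")
```

Run against a real access.log, the per-client counts point straight at the host generating the loop, which is how 172.16.16.38 stands out in the lines above.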


[squid-users] Not reaching one site

2011-02-09 Thread Boniforti Flavio
Hello everybody.

I'm experiencing a strange error with my transparent proxy
setup. I'm not able to access the domain debian.org. Here's what I got
from my proxy:

proxy:~# ifconfig | grep "inet addr:"
  inet addr:172.16.16.1  Bcast:172.16.16.255  Mask:255.255.255.0
  inet addr:192.168.1.253  Bcast:192.168.1.255  Mask:255.255.255.0

My LAN is 172.16.16.0/24.

proxy:~# nslookup debian.org
Server: 172.16.16.254
Address:172.16.16.254#53

Non-authoritative answer:
Name:   debian.org
Address: 128.31.0.51
Name:   debian.org
Address: 206.12.19.7

The first thing I noticed, was that I am using my LAN DNS to resolve
hostnames, which I think is not quite the best solution. Thus I changed
it to use my router's DNS (192.168.1.254):

proxy:~# nslookup debian.org
Server: 192.168.1.254
Address:192.168.1.254#53

Non-authoritative answer:
Name:   debian.org
Address: 206.12.19.7
Name:   debian.org
Address: 128.31.0.51

In both cases, when I use my browser in my LAN (whichever PC I use), I
get:

(101) Network is unreachable

Squid logs shows in access.log:

1297161016.535    104 172.16.16.37 TCP_MISS/503 4297 GET http://www.debian.org/ - DIRECT/www.debian.org text/html
1297161016.674    106 172.16.16.37 TCP_MISS/503 3899 GET http://www.debian.org/favicon.ico - DIRECT/www.debian.org text/html
1297161035.574    106 172.16.16.37 TCP_MISS/503 4297 GET http://www.debian.org/ - DIRECT/www.debian.org text/html

What could my problem be and how may I resolve it?

Thanks and kind regards.

Flavio Boniforti



RE: [squid-users] Not reaching one site

2011-02-09 Thread Boniforti Flavio
 

> -----Original Message-----
> From: Indunil Jayasooriya [mailto:induni...@gmail.com]
> Sent: Wednesday, February 09, 2011 11:47 AM
> To: Boniforti Flavio
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Not reaching one site
>
> > In both cases, when I use my browser in my LAN (whichever PC I use), I
> > get:
> >
> > (101) Network is unreachable
>
> Have you added DNS in your PCs ?  try to add and see

What do you mean by this?
My PCs are correctly resolving hostnames:

C:\Documents and Settings\flavio>nslookup www.debian.org
Server:  exchange.piramide.local
Address:  172.16.16.254

Nome:    www.debian.org
Addresses:  86.59.118.148, 82.195.75.97

F.


RE: [squid-users] Not reaching one site

2011-02-09 Thread Boniforti Flavio
Hello Amos,

> I believe this is going down the wrong track focusing on IPv4
> address.
> Debian is an IPv6 serviced website.

Ah, really? Didn't know that... can you tell us more about this?

> I suspect you are using the 3.1.6 release from Debian Squeeze, yes?

I bet yes:

proxy:~# dpkg -l | grep squid
ii  squid-langpack  20100628-1  Localized error pages for Squid
ii  squid3          3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy)
ii  squid3-cgi      3.1.1-1     A full featured Web Proxy cache (HTTP proxy) - control CGI
ii  squid3-common   3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy) - common files
ii  squidclient     3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy) - control utility

> That version has several known major problems with IPv4/IPv6
> recovery failover. Dual-stack sites display issues when
> someone has almost (but not correctly) disabled IPv6 on the
> local kernel or network.
>
> If you are you should update, hopefully Luigi will get new
> packages out soon now. Meanwhile I have an unofficial update
> package you can self-build: http://treenet.co.nz/projects/squid/.

OK, thanks for your suggestion.

Kind regards,
Flavio Boniforti



RE: [squid-users] Squid 3.1.6 and transparent mode: HTTPS

2010-10-12 Thread Boniforti Flavio
Wps... I thought I already replied, but instead my mail was in the
drafts folder :-/ So here I go:

Hello Amos and thanks for your reply.

[cut]

> > 3) would I completely miss the traffic done in HTTPS in my webalizer
> > stats, if there'd be no way to have transparently proxied HTTPS
> > requests?
>
> This is only a problem due to the transparent.
>
> If you can discard the transparent part of the setup the
> client browsers will send their HTTPS requests to Squid using
> CONNECT method, which gives webalizer all the client IP and
> destination domain details along with traffic sent/received
> there. All that's missing is the particular files being fetched.

OK, I've played around with this: I configured my own browser to use the
proxy and watched the access.log file. I saw those CONNECT connections,
and the fact that I'd miss the files being fetched, would be 100% ok for
me.

> Alternatives are to use firewall traffic accounting which can
> just as easily be gathered. Such as which client IP is using
> port 443 (HTTPS) to contact which external IPs and how much
> traffic they sent/received.

Of course, but then I would have the problem to add that info to my
webalizer logs. Would there be any way to sum it up to all the proxied
traffic?

> > Ah, BTW: as I *do not* intend to cache HTTPS traffic/requests, would it
> > be easier to set up this sort of logging/filtering?
>
> What is easier depends on your network setup.

I manage many different customer networks and there my primary goal is
to avoid users being able to bypass my proxy (which I use to filter
sites based on URLs).
By using transparent mode, I have full control over network traffic: I
can configure iptables and squid to do what I want them to. Actually, my
users have discovered how to change proxy settings (even if configured
by Windows Group Policies, because many are using alternative browsers
like Firefox, Opera, and so on). So my countermeasure would be to use
the transparent mode.
My second goal (less important, but I want complete and precise data) is
to have *all* the internet traffic showing up in webalizer reports: how
to achieve both things?

Kind regards and thanks for helping me out (and making me brainstorm a
bit) ;-)

Flavio Boniforti



[squid-users] Squid 3.1.6 and transparent mode: HTTPS

2010-10-01 Thread Boniforti Flavio
Hello there.

I've been googling around and reading some list posts about using
transparent proxy with HTTPS (TCP 443) requests, but I didn't understand
if there *today* is a solution to it.

My goal is as follows: I want *every browser traffic* be transparently
caught by my squid proxy. None of my clients shall be able to surf
without passing through my squid setup, which I'll be using mainly for
filtering purposes (block domains). But my second purpose of squid, is
to generate webalizer stats which comprehend 100% of the web traffic.

My questions:

1) is it in any way possible to have HTTPS traffic (TCP port 443) be
intercepted and sent to my proxy?
2) which motivations are behind eventually *not* being able or not
needing to intercept that sort of traffic?
3) would I completely miss the traffic done in HTTPS in my webalizer
stats, if there'd be no way to have transparently proxied HTTPS
requests?

Ah, BTW: as I *do not* intend to cache HTTPS traffic/requests, would it
be easier to set up this sort of logging/filtering?

Thanks in advance.

Flavio Boniforti



RE: [squid-users] Best policy to allow only proxy surfing

2010-05-06 Thread Boniforti Flavio
Hello Glenn,

[cut]

> > Good luck, but still I confess that I *may be* switching to this your
> > suggestion too! ;-)
>
> Use default deny and break up the logic into chains (within
> reason). Makes things a lot easier to maintain. Did for me, anyway.

Glad to share some thoughts... We will eventually re-discuss issues on
this list ;-)

Regards,
Flavio Boniforti



[squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio
Hello everybody.

I've set up a proxy at a customers' site and set up an ACL to block some
domains (first of all facebook.com).

Now some clever users have discovered that they can use foreign external
proxies to avoid filtering.

What I was thinking to do, is to enable on my firewall LAN-->WAN *only*
my proxy's IP address, but the question is: how would I have to proceed,
as the client PCs still could be set their proxy settings?!

Kind regards,
Flavio Boniforti



RE: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio
Hi Glenn

[cut]

> Aside from a few ports (SMTP, POP3, IMAP, DNS, etc. on the
> DMZ), the LAN won't be able to go anywhere. Except for me, of
> course; I can go anywhere...
>
> Don't know if this is going to work, but if it does, rules
> similar to these may solve your problem. With no proxy whinage.

This *is* going to work, I did such setups too, some years ago. The fact
is, that similar solutions require some more intervention, because (as
you might know) every day a new software/tool/internet application needs
to be used (and it is FOR SURE that it HAS to be used, for working
purposes, not for joke)... This would mean, adding rules from time to
time... 

Good luck, but still I confess that I *may be* switching to this your
suggestion too! ;-)

Flavio Boniforti



RE: [squid-users] Best policy to allow only proxy surfing

2010-05-05 Thread Boniforti Flavio

> Remove the default gateway so nobody can get to the internet
> unless they go through the proxy. I've had my network set
> that for 9 years and nobody has ever noticed.

Well... This could be a solution I may consider...

In fact, the remote office uses VPN to connect to the HQ and to surf the
web... They *do not* need anything on their internet connection... Email
is also being sent via Exchange Server, VPN'ed...


Mmhhh... I'll draw a schema and will do some brainstorming about this...

Cheers,
Flavio Boniforti



RE: [squid-users] squid.conf.documented instead of squid.conf?

2010-04-15 Thread Boniforti Flavio
Hello Amos,

> > B) is it normal that now the /etc/squid3/squid.conf is not anymore a
> > file, but a directory?
>
> No. It's a new bug in the Debian squid3-3.1.1-2 package.
> Hopefully Luigi can fix it again.

I checked bug-reportings and there it is:

BUG #577615 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577615)

> > C) how can I extract the actual configuration from the running squid3?
>
> squidclient mgr:con...@password
> (catch-22: usually requires the password as configured in
> cachemgr_passwd in squid.conf)

I'm getting error:

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL:
cache_object://localhost/con...@cachemgr

Access Denied.

Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.

-
Password is correct, because I can login via webinterface at

http://172.16.16.221/cgi-bin/cachemgr3.cgi

Any clues to go further?

Thanks,
Flavio Boniforti



[squid-users] squid.conf.documented instead of squid.conf?

2010-04-14 Thread Boniforti Flavio
Hello list.

I'm on Debian SID and wanted to update squid3 to the latest 3.1.1-2
version. What happened is that dpkg returned me following error:

Configurazione di squid3 (3.1.1-2)...
sed: errore di lettura su stdin: Is a directory
dpkg: errore nell'elaborare squid3 (--configure):
 il sottoprocesso vecchio script di post-installation ha restituito lo
stato di errore 4
Si sono verificati degli errori nell'elaborazione:
 squid3
E: Sub-process /usr/bin/dpkg returned an error code (1)

The *second* line is the one that made me investigate a little bit:
sed: error reading stdin: Is a directory... Thus I checked /etc/squid3
and got this:

drwxr-xr-x  2 root root 4096 14 apr 15:54 squid.conf

Entering that directory, I discovered:

-rw-r--r-- 1 root root 198563 12 apr 16:09 squid.conf.documented

My questions are:

A) where did my customized squid.conf disappear to?
B) is it normal that now the /etc/squid3/squid.conf is not anymore a
file, but a directory?
C) how can I extract the actual configuration from the running squid3?

Many thanks in advance.

Flavio Boniforti



RE: [squid-users] What 3rd party tools do you guys use?

2009-06-08 Thread Boniforti Flavio

> For trend analysis, alerting, log parsing, configuration, etc. etc.?
>
> The only 3rd party tool we currently use is SARG.

Me using webalizer (stats) and webmin (server management).
In another environment I used to use the above + calamaris and SARG.


[squid-users] Exception for src client PC

2009-06-02 Thread Boniforti Flavio
Hello list,

following is my setup (in relation to ACLs):

acl localnet src 10.0.0.0/24
acl domini_bloccati dstdomain "/etc/squid3/domini_bloccati.acl"
http_access deny localnet domini_bloccati

How do I add an exception for one client of that network?
I thought to write it like:

acl localnet src 10.0.0.0/24
acl domini_bloccati dstdomain "/etc/squid3/domini_bloccati.acl"
acl super_users src myhostname
http_access allow super_users
http_access deny localnet domini_bloccati

Would this setup allow the rules to be read only until the "http_access
allow super_users" line, if the client connecting through squid would be
"myhostname"?

Thanks,
Flavio Boniforti



[squid-users] Firefox not googling anymore after setting up squid

2009-05-27 Thread Boniforti Flavio
Hello list,

I've now set up my client to use squid proxy, which simply denies access
(http_access deny) to a list of sites. This is the relevant config part:

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny domini_bloccati

Why is it now happening, that when I type something in the address bar
of Firefox, I get an "Access Denied" page, instead of some "I feel
lucky" Google result as per default?

Thanks,
Flavio Boniforti



RE: [squid-users] Firefox not googling anymore after setting up squid

2009-05-27 Thread Boniforti Flavio

> Missing the ACL definitions, specifically that for
> 'localnet'. Maybe you have not set your local network range
> properly into it.

Sorry, here the ACLs:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 172.16.16.0/24 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl domini_bloccati dstdomain "/etc/squid3/domini_bloccati.acl"

My network is 172.16.16.0/24...


RE: [squid-users] Firefox not googling anymore after setting up squid

2009-05-27 Thread Boniforti Flavio

> In that case the config you posted is all correct. You have a
> global allow for localnet before domini_bloccati is ever
> tested so it can't even be a bad domain entry in there.
>
> It must be something else doing the denial.

Yes, indeed. Thanks for your confirmation, but now how do I solve this?
Opppsss... I'll be taking a look at access.log... ;-)

BRB
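
Added example, not part of the original posts: a simplified Python model of how Squid walks http_access lines (first matching line wins, every ACL on a line must match, and with no match the default is the opposite of the last line), applied to the rule orders posted in this thread and in the "Exception for src client PC" message. It handles only src and dstdomain ACLs; the blocklist entry .facebook.com, the address 10.0.0.50 standing in for "myhostname", and all function names are assumptions made for illustration.

```python
import ipaddress

# Rule order as posted in the "Firefox not googling" message. The blocklist
# content is an assumption: the page only gives the path of the ACL file.
POSTED = """
acl localhost src 127.0.0.1/32
acl localnet src 172.16.16.0/24
acl domini_bloccati dstdomain .facebook.com
http_access allow localnet
http_access allow localhost
http_access deny domini_bloccati
"""

# Same ACLs with the blocklist deny moved ahead of the allows.
REORDERED = """
acl localhost src 127.0.0.1/32
acl localnet src 172.16.16.0/24
acl domini_bloccati dstdomain .facebook.com
http_access deny domini_bloccati
http_access allow localnet
http_access allow localhost
"""

# Layout from the "Exception for src client PC" message; 10.0.0.50 stands in
# for "myhostname" (assumption).
EXCEPTION = """
acl localnet src 10.0.0.0/24
acl domini_bloccati dstdomain .facebook.com
acl super_users src 10.0.0.50
http_access allow super_users
http_access deny localnet domini_bloccati
"""


def parse_config(text):
    """Collect acl definitions and the ordered http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl, request):
    """Evaluate one src or dstdomain ACL against a request."""
    kind, values = acl
    if kind == "src":
        client = ipaddress.ip_address(request["src"])
        return any(client in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = request["host"].lower()
        for value in (v.lower() for v in values):
            # A leading dot matches the domain itself and all subdomains.
            if value.startswith(".") and (host == value[1:] or host.endswith(value)):
                return True
            if host == value:
                return True
        return False
    raise ValueError(f"ACL type not modelled here: {kind}")


def evaluate(acls, rules, request):
    """Return (action, matching line number); line number is None on default."""
    for number, (action, names) in enumerate(rules, 1):
        # "!name" negates the ACL; all ACLs on the line are ANDed together.
        if all(acl_matches(acls[n.lstrip("!")], request) != n.startswith("!")
               for n in names):
            return action, number
    default = "allow" if rules and rules[-1][0] == "deny" else "deny"
    return default, None


def decide(config_text, src, host):
    acls, rules = parse_config(config_text)
    return evaluate(acls, rules, {"src": src, "host": host})


if __name__ == "__main__":
    print(decide(POSTED, "172.16.16.37", "www.facebook.com"))
    print(decide(REORDERED, "172.16.16.37", "www.facebook.com"))
    print(decide(EXCEPTION, "10.0.0.20", "www.debian.org"))
```

The last call shows the implicit default: a config that ends on a deny line allows whatever matched no line at all, which is why an explicit final rule is worth adding.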


RE: [squid-users] Firefox not googling anymore after setting up squid

2009-05-27 Thread Boniforti Flavio

> In that case the config you posted is all correct. You have a
> global allow for localnet before domini_bloccati is ever
> tested so it can't even be a bad domain entry in there.
>
> It must be something else doing the denial.

Thanks for double-replying, I looked at the access.log file and I see
only this:

1243437102.390  2 172.16.16.37 TCP_MISS/503 2458 GET http://teo/ - DIRECT/teo text/html
1243437102.494  1 172.16.16.37 TCP_MISS/503 2459 GET http://teo/favicon.ico - DIRECT/teo text/html
1243437105.496  1 172.16.16.37 TCP_MISS/503 2491 GET http://teo/favicon.ico - DIRECT/teo text/html

It's clear to me that I'm getting TCP_MISS because in my network nor
elsewhere there is any "teo" host like the above. What makes me wonder
is *why* when I unset the proxy and I type "teo" in the address bar
(Firefox), I get:

http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=teo

Any help will be appreciated.

Flavio Boniforti



Re: [squid-users] Problems with Squid and Citrix

2006-10-10 Thread Boniforti Flavio

Young, Mike wrote:

> Cannot connect to the Citrix MetaFrame server.
> The Citrix SSL Relay name could not be resolved (SSL error 40)
>
> We can work around that error by putting entries in our
> windows/system32/drivers/etc/hosts file, but still can't connect. Instead, we
> get another error:
>
> Cannot connect to the Citrix MetaFrame server.
> There is no Citrix SSL server configured on the specified address.
>
> Suggestions?


Try on a Citrix Mailinglist... I bet there you will get help. 
(www.experts-exchange.com or www.citrix.com)


--
--
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
--


Re: [squid-users] Particular ACL setup

2006-10-09 Thread Boniforti Flavio

Boniforti Flavio wrote:

> Hello list.

[cut]

> I'm now confused about *what* to put in there... how should the access
> lines be modified? Or do I have to insert something?
>
> Many thanks in advance...


Anybody got a clue? Still seeking for help...

--
--
Boniforti Flavio


[squid-users] Particular ACL setup

2006-09-27 Thread Boniforti Flavio

Hello list.
In our network we have following ACLs used to block streaming media:

acl ProtCiv src 10.167.211.11 10.167.211.42 10.167.211.86

acl streaming rep_mime_type -i ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1 ^video/x-flv ^video/flv

acl block_stream urlpath_regex -i \.(ra?m|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx|m1v|mp2|mp3|mpa|mpe|mpv2|ogg|m4a|flv)($|\?)

acl stream_uAgents browser -i ^Engelmann Media Radio Listener ^NSPlayer/* RMA/* Windows-Media-Player/* WMFSDK/* ^RealPlayer* ^QuickTime*

http_access deny !ProtCiv stream_uAgents
http_reply_access deny !ProtCiv block_stream
http_reply_access deny !ProtCiv streaming

Now I need the ProtCiv IP addresses to be restricted to access just the 
streaming media in two specific sites, which are:


acl CodiceUno dst 88.32.161.35 88.32.161.37
acl RegionePiemonte dstdomain regione.piemonte.it

I'm now confused about *what* to put in there... how should the access 
lines be modified? Or do I have to insert something?


Many thanks in advance...

--
--
Boniforti Flavio


Re: [squid-users] File extension blocking rules

2006-05-18 Thread Boniforti Flavio

Odhiambo WASHINGTON wrote:

[cut]

> Okay, here is something else that I use in conjunction with squid...if
> you think dansguardian is the wrong thing ;)
>
> In my squid.conf:
>
> # Malware download sites - see http://www.malware.com.br
> acl malware_block_list url_regex -i "/usr/local/etc/squid/malware_block_list.txt"
>
> http_access deny malware_block_list
> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>
> And the attached script, run via cron at a time of your choice.

Yes, that's a good starting point when trying to filter out some
mal-/spyware... :-) I'm using it too and I'm noticing that the list is
growing every day (my contributions also helped!) :-)


--
--
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
--


Re: [squid-users] too many open files / Queue congestion

2006-05-18 Thread Boniforti Flavio

Mark Elsen wrote:

[cut]


  - http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.4
  - You also need to increase the max. allowed open files per process;
See :

 /proc/sys/fs/file-max


I read that FAQ, but as I installed squid from .deb package, I cannot 
follow that indication.

And here:

proxy:~# cat /proc/sys/fs/file-max
104800

Is this enough?

--
--
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
--


Re: [squid-users] How to block

2005-11-30 Thread Boniforti Flavio

Mark Elsen wrote:

... www.pandora.com, while not blocking its URL?
I mean: I'm trying to find out if there's a way to block this radio
station, which streams via Flash-7 plugin. Any advice for me?




  Check the squid FAQ on access controls.


Yup, I know how to block based on domain URLs and also based on MIME 
Types (req or rep). It just seems that I can't be blocking that site in 
any other way than blocking the domain. Do you all agree?


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] How to block

2005-11-29 Thread Boniforti Flavio

... www.pandora.com, while not blocking its URL?
I mean: I'm trying to find out if there's a way to block this radio 
station, which streams via Flash-7 plugin. Any advice for me?


Thanks...
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] Re: useragent list somewhere?

2005-11-23 Thread Boniforti Flavio

Joost de Heer wrote:


Personally, I think such a list is useless, since 'User-Agent' is a header
that can be faked.


Yes, you are right, too. But if I apply such a blacklist, I reduce the 
chance for such malware to pass through (although it will never be 100% 
protection). Do you agree?


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] useragent list somewhere?

2005-11-22 Thread Boniforti Flavio

Hello everybody.
I'm actually playing around with my useragent logs, and would like to 
know if there's a place on the 'net where I could seek information about 
the useragent strings I find in my logfiles.
Or, if anybody would be interested, I would donate part of my 
sparetime to create and maintain a list of useragents with their 
description.


Anybody can help?
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] blocking malware by useragent?

2005-11-22 Thread Boniforti Flavio
Yes, it's me again... sorry for bothering with useragent issues these 
days, but I'm reading and finding out stuff (on the 'net and in our LAN) 
that I'd like to share with you all.
So, here I'm back again, asking whether anybody knows of some useful and 
working Malware useragent blocking list. I got inspiration from here:


http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/MALWARE/MALWARE_USER_Agents?rev=1.7

Any thoughts/opinions/success stories about this?

Thanks again,
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] useragent.log and TCP_DENIED

2005-11-22 Thread Boniforti Flavio

Henrik Nordstrom wrote:

The user agent is logged just after redirectors but before any cache 
lookups.


So yes, the user agent log can't see any requests denied by http_access.


OK, just one last thing: if I'd like to make a relation between the 
useragent I may find (actually in useragent.log) with the URL it has 
requested, it's fundamental that I enable log_mime_hdrs on, right?


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] useragent list somewhere?

2005-11-22 Thread Boniforti Flavio

Odhiambo Washington wrote:


Hopefully, google.com also works from where you are, so you can search
before asking questions. It's the only place on the net that I know
equates to a big brain.


Well, your interventions are quite interesting, but always pointing to 
the same google.com...
In fact, I did some searches, but just found some sites which ain't 
actually up-to-date and do not seem to be maintained...
This is why I came back to this list and tried to stimulate intelligent 
answers to an issue which not only me may be having...


Regards,
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] blocking malware by useragent?

2005-11-22 Thread Boniforti Flavio

Odhiambo Washington wrote:


Use a content filter like HAVP or Dansguardian. The latter can do content
filtering for malware only, if you disable everything else.


With which blacklists would you suggest to use DansGuardian for the 
purpose I need?



Perhaps HAVP is what you need, not Dansguardian.


This is nice... thanks

--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] How to block shoutcast streams?

2005-11-18 Thread Boniforti Flavio

Brent Clark wrote:


I basically deny the client used.

## Stop multimedia downloads ##
acl useragent browser -i ^.*NSPlayer.*
acl useragent browser -i ^.*player.*
acl useragent browser -i ^.*Windows-Media-Player.*
acl useragentq rep_mime_type ^.*video.*
acl useragentq rep_mime_type ^.*audio.*
http_access deny useragent
http_access deny useragentq


Sorry for bothering again, but:
does this setup work for you? I mean, I have similar ACLs (not the ones 
with the browser though) and I use http_reply_access for rep_mime_type 
ACLs.


Here:


# ACL List

acl streaming rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1 # MIME types for streaming content
acl block_stream urlpath_regex \.(ra?m|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx|m1v|mp2|mp3|mpa|mpe|mpv2)($|\?) # file extensions for blocking streaming


# Allow access to cachemgr from itself as well
http_access deny manager !localhost !apache

# Only allow purge requests from localhost
http_access deny purge !localhost

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

acl our_networks src 10.167.208.0/24 10.167.209.0/24 10.167.210.0/24 10.167.211.0/24 10.167.212.0/24
acl our_networks src 10.3.21.10/32 10.3.21.13/32 10.3.21.15/32  # RUPAR dial-in


http_access allow CED UtentiAutorizzati
http_access allow our_networks
http_access allow localhost

http_reply_access deny block_stream
http_reply_access deny streaming

# And finally deny all other access to this proxy
http_access deny all

http_reply_access allow all
##

Do you see some errors in what I've configured here? If not, I would 
then go further and set up browser (useragent) ACLs and place them in 
the right sequence.


TIA,
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] How to block shoutcast streams?

2005-11-17 Thread Boniforti Flavio

Odhiambo Washington wrote:


He said that it will allow you to see the clients used in your
access.log, not that you need that for the rules to work ;)
And yes, if you enable that option, log file size will increase.


So here I got the bad useragent at work:

1132242131.462   5761 10.167.211.62 TCP_MISS/600 242482 GET 
http://131.130.46.68:8000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it - [User-Agent: 
Engelmann Media Radio Listener\r\nIcy-MetaData: 1\r\nHost: 
131.130.46.68:8000\r\nPragma: no-cache\r\n] []


How may I block this one?

--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] How to block shoutcast streams?

2005-11-16 Thread Boniforti Flavio

Brent Clark wrote:


## Stop multimedia downloads ##
acl useragent browser -i ^.*NSPlayer.*
acl useragent browser -i ^.*player.*
acl useragent browser -i ^.*Windows-Media-Player.*
acl useragentq rep_mime_type ^.*video.*
acl useragentq rep_mime_type ^.*audio.*
http_access deny useragent
http_access deny useragentq

For future, you may want to try switching log_mime_hdrs off to on and 
then you will see the clients used in your access.log.


So you're telling me that I have to switch log_mime_hdrs to on to 
have your ACLs working, right? But, doesn't this measure make the logs 
grow very large? I actually have daily logs ranging from 30 MB to over 
50 MB.


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] How to block shoutcast streams?

2005-11-15 Thread Boniforti Flavio

Hello all.
I'm getting reports which show huge traffic amounts on some http IP 
addresses. These point to ports like 9000, 8000, 8100, 9720, and the 
like. When I put those URLs in the browser, I get to some shoutcast 
servers (let's take as an example: http://213.35.156.16:9000/). How may 
I block this sort of streaming media?

Here the relevant log lines:

1131956633.216   7236 10.167.211.62 TCP_MISS/600 298294 GET 
http://213.35.156.16:9000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it -
1131965732.540917 10.167.211.62 TCP_MISS/600 25021 GET 
http://213.35.156.16:9000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it -
1131965815.003  81204 10.167.211.62 TCP_MISS/600 2093292 GET 
http://213.35.156.16:9000/ - 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
1131982736.548   6082 10.167.211.62 TCP_MISS/600 362948 GET 
http://213.35.156.16:9000/ - 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
1131985079.527   2613 10.167.211.62 TCP_MISS/600 163257 GET 
http://213.35.156.16:8000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it -
1131985825.545   2244 10.167.211.62 TCP_MISS/600 106951 GET 
http://213.35.156.16:9000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it -
1131986644.367 7009798 10.167.211.163 TCP_MISS/600 168504426 GET 
http://213.35.156.16:8000/ - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it -


As you can see, there's nothing more than the URL, no MIME type 
indication at all!


Any help would be appreciated.

Thanks in advance,
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---
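The log lines posted above (status 600, no MIME type, bare IP addresses on ports such as 8000 and 9000) and the `Icy-MetaData` / `User-Agent` headers from the later log_mime_hdrs line in this thread can be turned into a per-client report. The script below is an added example, not code from the list or from Squid; the sample lines are constructed with documentation addresses, and it assumes that brackets inside logged header values are percent-encoded, as the `%5bit%5d` in a logged User-Agent elsewhere in this archive suggests.

```python
"""Flag probable SHOUTcast-style streams in a Squid native access.log."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Native log format; the two bracketed fields exist only with log_mime_hdrs on.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)"
    r"(?:\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\])?\s*$"
)
# Player names taken from the browser ACLs quoted in this thread.
PLAYER_RE = re.compile(
    r"NSPlayer|Windows-Media-Player|RealPlayer|QuickTime|Radio Listener", re.I
)

# Constructed sample lines, shaped like the ones posted to the list.
SAMPLE_LOG = [
    "1131956633.216   7236 10.0.0.62 TCP_MISS/600 298294 GET "
    "http://192.0.2.16:9000/ - FIRST_PARENT_MISS/parent.example -",
    "1131965815.003  81204 10.0.0.62 TCP_MISS/600 2093292 GET "
    "http://192.0.2.16:9000/ - TIMEOUT_FIRST_UP_PARENT/parent.example -",
    "1132242131.462   5761 10.0.0.62 TCP_MISS/600 242482 GET "
    "http://192.0.2.68:8000/ - FIRST_PARENT_MISS/parent.example - "
    r"[User-Agent: Engelmann Media Radio Listener\r\nIcy-MetaData: 1\r\n"
    r"Host: 192.0.2.68:8000\r\nPragma: no-cache\r\n] []",
    "1132242140.100    120 10.0.0.11 TCP_MISS/200 5120 GET "
    "http://www.example.com/index.html - FIRST_PARENT_MISS/parent.example "
    r"text/html [Host: www.example.com\r\nUser-Agent: Mozilla/5.0 %5bit%5d\r\n] "
    r"[HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r]",
    "1131985079.527   2613 10.0.0.163 TCP_MISS/600 25021 GET "
    "http://192.0.2.16:8000/ - FIRST_PARENT_MISS/parent.example -",
]


def parse_headers(blob):
    """Split a logged header blob on the literal text \\r\\n into a dict."""
    headers = {}
    for field in (blob or "").split("\\r\\n"):
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip().lower()] = unquote(value.strip())
    return headers


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["req_headers"] = parse_headers(rec.pop("req"))
    rec["rep_headers"] = parse_headers(rec.pop("rep"))
    return rec


def stream_indicators(rec):
    """List the stream hints a record shows; an empty list means none."""
    reasons = []
    url = urlsplit(rec["url"])
    try:
        ip_address(url.hostname or "")          # raises unless host is an IP
        if url.port not in (None, 80):
            reasons.append("ip-literal-odd-port")
    except ValueError:
        pass
    if rec["status"] == 600 and rec["mime"] == "-":
        reasons.append("status-600-no-mime")
    if "icy-metadata" in rec["req_headers"]:
        reasons.append("icy-metadata-header")
    if PLAYER_RE.search(rec["req_headers"].get("user-agent", "")):
        reasons.append("player-user-agent")
    return reasons


def report(lines, min_bytes=100_000):
    """Sum bytes per (client, host:port) for lines showing any stream hint."""
    totals = defaultdict(lambda: {"bytes": 0, "reasons": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = stream_indicators(rec)
        if not reasons:
            continue
        entry = totals[(rec["client"], urlsplit(rec["url"]).netloc)]
        entry["bytes"] += rec["bytes"]
        entry["reasons"].update(reasons)
        if "user-agent" in rec["req_headers"]:
            entry["agents"].add(rec["req_headers"]["user-agent"])
    return {k: v for k, v in totals.items() if v["bytes"] >= min_bytes}


if __name__ == "__main__":
    for (client, dest), info in sorted(report(SAMPLE_LOG).items()):
        print(client, dest, info["bytes"], sorted(info["reasons"]), sorted(info["agents"]))
```

The User-Agent column is only as trustworthy as the client sending it, so the URL and status hints matter more than the player name when deciding what to block.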


Re: [squid-users] How to block shoutcast streams?

2005-11-15 Thread Boniforti Flavio

Covington, Chris wrote:

 Why don't you configure your squid to disallow connections to
 non-standard http ports?  I only allow http to port 80 and https to port
 443.

I can't do this, because I have some clients which use government 
services which are on non-standard ports.


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] Skype: anybody got it working through squid?

2005-04-19 Thread Boniforti Flavio
Hello!
As the subject states: did anybody succeed in using Skype 
(www.skype.com) through squid proxy?

If yes, could I be helped in achieving the same task?
Thanks!
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] blocking audio/video online

2005-04-19 Thread Boniforti Flavio

Alfredo Adam III wrote:

 hi,
 how to block playing songs online without downloading it? How to stop it?

Here my solution to online streaming multimedia contents:

acl streaming rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1

acl block_stream urlpath_regex \.(ra?m|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx|m1v|mp2|mp3|mpa|mpe|mpv2)($|\?)

Then:

http_reply_access deny block_stream
http_reply_access deny streaming

HTH.
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: RES: [squid-users] Skype: anybody got it working through squid?

2005-04-19 Thread Boniforti Flavio

Renato Policani wrote:

 Hi Boniforti,
 Skype works with https and udp, well, you must access udp traffic in
 your firewall for communication. The voice is in udp packet.

hummm... Can you be more precise? Which ports (UDP and TCP)?

 Excuse for my poor English.

Nothing to excuse for: I've understood quite well! :)

Cheers!
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] Timestamps, logfiles and log analyzers

2005-04-18 Thread Boniforti Flavio
Hello all.
I'm in Italy therefore my Linux Server is set on CEST as you can see from:
proxy:/var/log/squid# date
Mon Apr 18 12:24:46 CEST 2005
Now, to my question: are squid's access.log files written with the 
actual CEST timestamp, or do they ignore it and just write timestamps 
according to GMT?

Thanks.
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


[squid-users] Merging http_access and http_reply_access?

2004-12-15 Thread Boniforti Flavio
Hello all!
I'm actually using this configuration:
acl UtentiAutorizzati proxy_auth REQUIRED
acl our_networks src 10.167.208.0/24 10.167.209.0/24 10.167.210.0/24 10.167.211.0/24 10.167.212.0/24
acl streaming rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio
acl block_stream urlpath_regex \.(ra?m|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx|m1v|mp2|mp3|mpa|mpe|mpv2)($|\?)

http_access allow CED UtentiAutorizzati
http_access allow our_networks
http_access allow localhost
http_reply_access deny block_stream
http_reply_access deny streaming
http_access deny all
Now, I need to allow our users to access .rm files which reside on a 
specific web server, which I know by its IP address.

Now, I added:
acl SERVER dst 12.34.56.78
and was trying to figure out how to write the access line.
http_access allow SERVER block_stream streaming
doesn't work (I put it before the http_reply_access rules).
My question is: is it possible (and if yes, *how*) to merge different 
access rules (http_access and http_reply_access)?

Thank you!
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---
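Why the `http_access allow SERVER block_stream streaming` line in the question above has no effect can be seen by modelling the two checkpoints separately. The code below is an added, simplified model for illustration, not Squid source and not from the thread: it assumes first-match-wins per list, AND between the ACLs on one line, the opposite of the last line as the default, and that `rep_mime_type` cannot match before a reply exists. `FIXED_REPLY` is a hypothetical rule order, and the CED and localhost lines are left out for brevity.

```python
"""Toy model of Squid's request-time and reply-time access checks."""
import re
from ipaddress import ip_address, ip_network

OUR_NETWORKS = [ip_network(f"10.167.{n}.0/24") for n in range(208, 213)]
# Patterns copied from the configuration posted in the question.
BLOCK_STREAM = re.compile(
    r"\.(ra?m|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx"
    r"|m1v|mp2|mp3|mpa|mpe|mpv2)($|\?)"
)
STREAMING = re.compile(
    r"^video/x-ms-asf|^video/x-ms-sf|^audio/mpeg|^audio/x-mpeg|^audio/x-pn-realaudio"
)

ACLS = {
    "all": lambda t: True,
    "our_networks": lambda t: any(ip_address(t["src"]) in n for n in OUR_NETWORKS),
    "SERVER": lambda t: t["dst"] == "12.34.56.78",
    "block_stream": lambda t: bool(BLOCK_STREAM.search(t["urlpath"])),
    # No reply headers exist at request time, so this cannot match there.
    "streaming": lambda t: t["reply_mime"] is not None
    and bool(STREAMING.search(t["reply_mime"])),
}


def first_match(rules, txn):
    """Return the action of the first line whose ACLs all match."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](txn) != n.startswith("!") for n in names):
            return action
    # Nothing matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def fetch(http_access, http_reply_access, src, dst, urlpath, reply_mime):
    """Walk one transaction through both checkpoints."""
    txn = {"src": src, "dst": dst, "urlpath": urlpath, "reply_mime": None}
    if first_match(http_access, txn) == "deny":
        return "denied at request"
    txn["reply_mime"] = reply_mime          # reply headers have now arrived
    if first_match(http_reply_access, txn) == "deny":
        return "denied at reply"
    return "delivered"


# The rules as posted, with the attempted exception line first.
POSTED_ACCESS = [
    ("allow", ["SERVER", "block_stream", "streaming"]),
    ("allow", ["our_networks"]),
    ("deny", ["all"]),
]
POSTED_REPLY = [("deny", ["block_stream"]), ("deny", ["streaming"])]
# Hypothetical fix: make the exception in the reply list, ahead of the denies.
FIXED_REPLY = [("allow", ["SERVER"])] + POSTED_REPLY

if __name__ == "__main__":
    client = "10.167.211.11"
    rm = ("12.34.56.78", "/talks/clip.rm", "audio/x-pn-realaudio")
    print("posted:", fetch(POSTED_ACCESS, POSTED_REPLY, client, *rm))
    print("fixed: ", fetch(POSTED_ACCESS, FIXED_REPLY, client, *rm))
```

In squid.conf terms the hypothetical fix is a single `http_reply_access allow SERVER` line placed before the two `http_reply_access deny` lines.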


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-10-06 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 What does the following directives in your squid.conf look like?
 cache_peer
 no_cache
 refresh_pattern

cache_peer proxy.reteunitaria.piemonte.it   parent  3128 3130 proxy-only
no_cache deny QUERY
no_cache deny SIAN

where SIAN looks like
acl SIAN dstdomain sian.it

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-10-06 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 Please look up the proxy-only flag in the squid.conf.default
 documentation and you will understand what is going on here.

Man! I guess you got it (actually you *got* it!).
So I just have to remove that option and restart squid, right?
(BTW: I still got three times the same e-mail!)
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-10-05 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 Then I see no reason why this did not get cached.
 Have you tried using squidclient to fetch the object?

This is what gets logged.
proxy:~# cat /var/log/squid/access.log|grep balkje
1096970730.882   8100 10.167.211.220 TCP_MISS/404 3791 GET 
http://www.nu.nl/img/balkje.img - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it text/html [Accept: 
*/*\r\n] [HTTP/1.0 404 Not Found\r\nDate: Tue, 05 Oct 2004 10:05:30 
GMT\r\nServer: Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nX-Powered-By: PHP/4.3.8\r\nContent-Type: 
text/html\r\nVia: 1.0 imc2 (ICS 2.3.0.16)\r\nX-Cache: MISS from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: close\r\n\r]
1096970780.420393 10.167.211.220 TCP_MISS/200 538 GET 
http://www.nu.nl/img/balkje.gif - 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it image/gif [Accept: 
*/*\r\n] [HTTP/1.0 200 OK\r\nDate: Tue, 05 Oct 2004 10:06:19 
GMT\r\nServer: Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nLast-Modified: Tue, 23 Jul 2002 06:48:03 GMT\r\nETag: 
15aa9a-35-3d3cfc23\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/gif\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 
53\r\nX-Cache: MISS from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]
1096970796.086336 10.167.211.220 TCP_MISS/200 546 GET 
http://www.nu.nl/img/balkje.gif - 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif [Accept: */*\r\n] 
[HTTP/1.0 200 OK\r\nDate: Tue, 05 Oct 2004 10:06:19 GMT\r\nServer: 
Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nLast-Modified: Tue, 23 Jul 2002 06:48:03 GMT\r\nETag: 
15aa9a-35-3d3cfc23\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/gif\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 53\r\nAge: 
16\r\nX-Cache: HIT from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]
1096970802.485144 10.167.211.220 TCP_MISS/200 546 GET 
http://www.nu.nl/img/balkje.gif - 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif [Accept: */*\r\n] 
[HTTP/1.0 200 OK\r\nDate: Tue, 05 Oct 2004 10:06:19 GMT\r\nServer: 
Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nLast-Modified: Tue, 23 Jul 2002 06:48:03 GMT\r\nETag: 
15aa9a-35-3d3cfc23\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/gif\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 53\r\nAge: 
23\r\nX-Cache: HIT from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]


--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] Re: No TCP_HIT, just TCP_MISS, why?

2004-10-01 Thread Boniforti Flavio

Adam Aube wrote:

 Then do as has already been suggested and change the cache_dir type you use
 (aufs recommended on Linux).

OK, after doing this change, do I have to do something else? I will for 
sure restart squid, but will this be enough?

Thank you again.
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-10-01 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 That it was no longer cached in your browser and a full object was
 delivered. Before there was only a small Not changed indication
 delivered to the client.

Here we go again, after I changed to aufs cache_dir type. Same 
troubles (it seems to me). Here the relevant log (extended because of 
log_mime_type):

1096620618.430   5697 10.167.211.11 TCP_MISS/200 554 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif [Host: 
www.nu.nl\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; 
rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)\r\nAccept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Language: 
it,en-us;q=0.7,en;q=0.3\r\nAccept-Encoding: 
gzip,deflate\r\nAccept-Charset: 
ISO-8859-15,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: 
keep-alive\r\nProxy-Authorization: Basic Ym9uaWZvcnRpOmZsYXZpbw==\r\n] 
[HTTP/1.0 200 OK\r\nDate: Thu, 30 Sep 2004 09:31:56 GMT\r\nServer: 
Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nLast-Modified: Tue, 23 Jul 2002 06:48:03 GMT\r\nETag: 
15aa9a-35-3d3cfc23\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/gif\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 53\r\nAge: 
83277\r\nX-Cache: HIT from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]
1096620618.757326 10.167.211.11 TCP_MISS/200 1657 GET 
http://www.nu.nl/favicon.ico boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/x-icon [Host: 
www.nu.nl\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; 
rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)\r\nAccept: 
image/png,*/*;q=0.5\r\nAccept-Language: 
it,en-us;q=0.7,en;q=0.3\r\nAccept-Encoding: 
gzip,deflate\r\nAccept-Charset: 
ISO-8859-15,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: 
keep-alive\r\nProxy-Authorization: Basic Ym9uaWZvcnRpOmZsYXZpbw==\r\n] 
[HTTP/1.0 200 OK\r\nDate: Thu, 30 Sep 2004 09:31:10 GMT\r\nServer: 
Apache/1.3.31 (Unix) mod_wodan/1.0 mod_ssl/2.8.19 
OpenSSL/0.9.6c\r\nLast-Modified: Fri, 03 Sep 2004 01:03:38 GMT\r\nETag: 
1fa0a6-47e-4137c2ea\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/x-icon\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 
1150\r\nAge: 83948\r\nX-Cache: HIT from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]

1096621089.182   6430 10.167.211.214 TCP_MISS/200 549 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif [User-Agent: 
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 
%5bit%5d\r\nHost: www.nu.nl\r\nAccept: text/html, application/xml;q=0.9, 
application/xhtml+xml, image/png, image/jpeg, image/gif, 
image/x-xbitmap, */*;q=0.1\r\nAccept-Language: it, en\r\nAccept-Charset: 
windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, 
*;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, 
*;q=0\r\nProxy-Authorization: Basic 
Ym9uaWZvcnRpOmZsYXZpbw==\r\nProxy-Connection: close\r\n] [HTTP/1.0 200 
OK\r\nDate: Thu, 30 Sep 2004 09:31:56 GMT\r\nServer: Apache/1.3.31 
(Unix) mod_wodan/1.0 mod_ssl/2.8.19 OpenSSL/0.9.6c\r\nLast-Modified: 
Tue, 23 Jul 2002 06:48:03 GMT\r\nETag: 
15aa9a-35-3d3cfc23\r\nAccept-Ranges: bytes\r\nContent-Type: 
image/gif\r\nVia: 1.0 imc3 (ICS 2.3.0.16)\r\nContent-Length: 53\r\nAge: 
83748\r\nX-Cache: HIT from 
proxy.reteunitaria.piemonte.it\r\nProxy-Connection: keep-alive\r\n\r]

What do you NOW suggest?
Thank you really much!
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-10-01 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 On Fri, 1 Oct 2004, Boniforti Flavio wrote:

  1096620618.430   5697 10.167.211.11 TCP_MISS/200 554 GET ...
  [HTTP/1.0 200 OK
   Date: Thu, 30 Sep 2004 09:31:56 GMT
   Last-Modified: Tue, 23 Jul 2002 06:48:03 GMT
   Via: 1.0 imc3 (ICS 2.3.0.16)
   Age: 83277

  What do you NOW suggest?

 What does your refresh_pattern settings look like?
 also save the information above in your reply, I need this when
 evaluating your refresh_pattern settings and their effect on this object.

 Regards
 Henrik

Here we go:

#  TAG: refresh_pattern
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Elsen Marc wrote:
 For stable6 make sure you are adequately patched if the
ufs store type is being used as Hendrik suggested :
   http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ufs_no_valid_dir
How may I check whether or not I'm in need of that patch?
Access the object from 2 different browsers on 2 different hosts.
In the second attempt , SQUID should 'deliver' a TCP_HIT ,for this object.
This is what I get from my 2.5stable1 proxy from 2 different clients:
1096536941.122214 10.167.211.11 TCP_MISS/200 491 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096536950.325396 10.167.211.11 TCP_MISS/304 418 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096536957.660386 10.167.211.208 TCP_MISS/200 489 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096536966.315   1169 10.167.211.208 TCP_MISS/304 419 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096536967.823757 10.167.211.208 TCP_MISS/304 419 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif

This is what I get from my 2.5stable6 proxy from 2 different clients:
1096537329.518482 10.167.211.11 TCP_MISS/304 479 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096537333.764635 10.167.211.208 TCP_MISS/304 479 GET 
http://www.nu.nl/img/balkje.gif mallone 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it image/gif
1096537335.454936 10.167.211.208 TCP_MISS/304 487 GET 
http://www.nu.nl/img/balkje.gif mallone 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it image/gif
1096537336.065611 10.167.211.11 TCP_MISS/304 487 GET 
http://www.nu.nl/img/balkje.gif boniforti 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it image/gif
1096537336.196244 10.167.211.208 TCP_MISS/304 487 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096537337.013765 10.167.211.208 TCP_MISS/304 479 GET 
http://www.nu.nl/img/balkje.gif mallone 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it image/gif
1096537338.582   1173 10.167.211.11 TCP_MISS/304 479 GET 
http://www.nu.nl/img/balkje.gif boniforti 
TIMEOUT_FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it image/gif

I also get some timeouts on the second proxy... but the main behaviour 
is the same: TCP_MISS at my proxy!

Thank you...
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 squid.conf is a good start. Looking in cache.log for errors is also
 good. And to make sure you are not bitten by the 2.5.STABLE6 bug
 mentioned before.

 The default of Squid is to have caching enabled, but certain directives
 can be used to disable caching such as the no_cache directive or by
 using a null cache_dir type.

In cache.log no errors are found:
2004/09/29 00:01:02| storeDirWriteCleanLogs: Starting...
2004/09/29 00:01:03|   Finished.  Wrote 21 entries.
2004/09/29 00:01:03|   Took 0.0 seconds (65625.0 entries/sec).
2004/09/29 00:01:03| logfileRotate: /var/log/squid/store.log
2004/09/29 00:01:03| logfileRotate: /var/log/squid/access.log
2004/09/29 00:01:03| helperOpenServers: Starting 5 'ncsa_auth' processes
2004/09/29 09:58:04| temporary disabling (Not Found) digest from 
proxy.reteunitaria.piemonte.it
2004/09/29 13:40:04| TCP connection to 
proxy.reteunitaria.piemonte.it/3128 failed
2004/09/29 13:40:35| TCP connection to 
proxy.reteunitaria.piemonte.it/3128 failed
2004/09/29 13:41:05| TCP connection to 
proxy.reteunitaria.piemonte.it/3128 failed
2004/09/29 13:43:12| Detected DEAD Parent: 
proxy.reteunitaria.piemonte.it/3128/3130
2004/09/29 13:43:12| Failed to select source for 'http://www.tiscali.it/'
2004/09/29 13:43:12|   always_direct = -1
2004/09/29 13:43:12|never_direct = 1
2004/09/29 13:43:12|timedout = 0
2004/09/29 13:43:12| Detected REVIVED Parent: 
proxy.reteunitaria.piemonte.it/3128/3130

In squid.conf:
cache_dir ufs /var/spool/squid 8192 16 256
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] GAIM Error...

2004-09-30 Thread Boniforti Flavio

Rick Whitley wrote:

 I have a user that is using GAIM to talk with yahoo messenger. We have
 configured the proxy but when she tries to connect she gets the error:
 'GAIM Error: Access denied proxy server forbids port 5050 tunnelling'.
 If I look at the conf file I can't see where that is being blocked. We
 are running squid-2.5-stable5 on suse 9. I have used the default
 safe-port list. Where do I need to look? Thanks for any help.

I'm in the same trouble: no ICQ or MSN connection from GAIM...
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Henrik Nordstrom wrote:

 if you run squid-2.5.STABLE6 with the ufs cache_dir type then you need
 the patch.

 If any other version or another cache_dir type then not.

mmhhh.. I guess I can't apply that patch, because I installed squid from 
www.backports.org Debian Archive...

 Should have been cached unless there is something your parent is doing
 which prevents the object from being cached or you are forcing a reload
 using the reload button or other action causing the browser to force a
 fresh copy.

What could prevent my proxy to cache, done from my parent proxy?

  PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
  This is what I get from my 2.5stable6 proxy from 2 different clients:
  1096537329.518482 10.167.211.11 TCP_MISS/304 479 GET
  http://www.nu.nl/img/balkje.gif boniforti
  PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif

 Your clients already had the object cached. Clear the browser cache.

I emptied both client browser's cache: nothing changes.
1096546876.678   1200 10.167.211.208 TCP_MISS/200 553 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096546901.557733 10.167.211.11 TCP_MISS/200 553 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif

--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Elsen Marc wrote:

 That's a bit circlonized reasoning in the sense that initially
 you reported a possible problem, concerning a no caching
 situation for all objects.
 For 2.5.stable6 this was a possible cause, to the idea is :
 'take the patch' for that version and if that problem is seen.
 Then test again.

You're right, man.
The fact is, I guess I can't apply that patch, because I'm working with 
a pre-compiled Debian package. :(

 Make sure that you are not using browser refresh/reload during
 this tests, otherwise if-modified-since is induced and you
 get that behavior.

 Make sure also that your system clock is 'adequately synced
 to the Internet' (UTC synced, irrespective of Timezone).

Yes, everything is fine: correct time sync and no refresh/reload button...


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Elsen Marc wrote:
 Then I would advise to go more 'native' and
 fetch squid from squid-cache.org.
 Configuring-making and installing Squid is not so difficult.
Oh, I know that's not difficult, but I am used to do everything via APT :-)


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-30 Thread Boniforti Flavio

Henrik Nordstrom wrote:
Disagreement on time could be one reason.
mmhhh... May I check this one, too?
enable log_mime_hdrs and there will be more hints. Be warned that this 
also logs the authentication credentials so don't post log information 
while logging in with a sensitive account..
OK, I'll enable it right now. (uoo so many LOGs!!!)
I emptied both client browser's cache: nothing changes.
1096546876.678   1200 10.167.211.208 TCP_MISS/200 553 GET 
http://www.nu.nl/img/balkje.gif mallone 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif
1096546901.557    733 10.167.211.11 TCP_MISS/200 553 GET 
http://www.nu.nl/img/balkje.gif boniforti 
PARENT_HIT/proxy.reteunitaria.piemonte.it image/gif

A lot changed. There is now status code 200, not 304, and the reply size 
is different (bigger).
What do these facts mean?


[squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-29 Thread Boniforti Flavio
Hello all!
I'm using a proxy, which sends every request to its upper parent.
This is what I *always* get:
1096457070.690    759 10.167.211.11 TCP_MISS/200 394 GET 
http://www.rossoalice.it/alice/vm/demand/include/reload.vm boniforti 
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it text/html

I mean: shouldn't there be any TCP_HIT, at least *once* in my logs?
Thank you.


Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-29 Thread Boniforti Flavio

Elsen Marc wrote:
Not for that object : check -
 http://www.ircache.net/cgi-bin/cacheability.py?query=http%3A%2F%2Fwww.rossoalice.it%2Falice%2Fvm%2Fdemand%2Finclude%2Freload.vm+descend=on
OK, in this case you're right and I'm wrong... :)
But, is it possible to have *whole* log files (I rotate them daily) of 
squid usage done by at least 150 clients, *without* ANY TCP_HIT?



Re: [squid-users] No TCP_HIT, just TCP_MISS, why?

2004-09-29 Thread Boniforti Flavio

Henrik Nordstrom wrote:
Which Squid version are you using?
Squid-2.5.STABLE6 has a broken ufs cache_dir type..
SQUID 2.5 stable 1
And on another proxy, squid 2.5 stable 6...
But it happens on BOTH of them


Re: [squid-users] Which authentication method for me?

2004-08-31 Thread Boniforti Flavio

Henrik Nordstrom wrote:
On Mon, 30 Aug 2004, Billy Macdonald wrote:
I think LDAP can be used in AD environment for basic only but not sure 
again, never done that.  You'll need to search the FAQ

In an AD environment you can choose either LDAP or Winbind for Basic 
authentication, but since most people with an AD also wants the 
integrated ntlm login support they need winbind anyway and it is then 
easier to use winbind for both.

The winbind authentication is also a little easier to configure, but 
requires a little more complex software: a running Samba joined to the 
AD tree or NT domain provided within the AD. Compared to just 
squid_ldap_auth with the correct parameters for your AD.
mmhhh... So I would have to install Samba-3 on my Debian and other stuff 
too?

If my boss wants two different user databases (AD for Windows logons, 
another one for squid), which would be the best solution in relation to 
squid? Would there be any chance to have MySQL with a table made of 
user/pass pairs, used by a squid authenticator?

Thanks again...


[squid-users] chrooting: why and how?

2004-08-31 Thread Boniforti Flavio
Hello all!
I noticed that there's the option to chroot my squid.
Now, which benefits could I get from this configuration?
What should I be doing/configuring for getting chroot to work in squid?
Thank you all again...


Re: [squid-users] Which authentication method for me?

2004-08-31 Thread Boniforti Flavio

Henrik Nordstrom wrote:
Sure.
http://www.google.com/search?ie=UTF-8q=squid+mysql+auth
But I would recommend starting first with ncsa_auth while testing, then 
when you have figured out how authentication works in Squid move to 
MySQL if desired.
From the above words, I understand that MySQL support is a bit more 
complex and/or difficult to implement than NCSA, right?



[squid-users] ACLs and squidGuard!?

2004-07-12 Thread Boniforti Flavio
Hello all!
I was reviewing my squid setup after several months of nice activity, 
when I stumbled over some ACLs I've defined long time ago.
I noticed also that I'm using squidguard integrated with squid to filter 
off some multimedia content with regular expressions.

Now, what I'd like to know from you all is: does it still make sense to 
use squidguard? Is that project still maintained/going on? What would 
you suggest me to use?

Thank you all!


Re: [squid-users] ACLs and squidGuard!?

2004-07-12 Thread Boniforti Flavio

Angela Burrell wrote:
Squidguard, as far as I know, is still being updated, but there is no mailing
list for it. I use squidGuard and I like it. Squid ACLs might be fine for
you, it depends on what your needs are.
I was actually thinking to place the RegEx filters (with which I use to 
filter out multimedia/streaming content) in squid.conf, instead of using 
them with squidguard... What do you think of this? I mean: I actually 
should allow *some* people to access multimedia content, while the mass 
of our users doesn't have to get that content. Which way is the 
easiest/most suitable? Squid or squidguard?

Do you want to filter out certain types of sites? Like gambling, auctions,
porn? Do you have a computer use policy? If yes, you might want squidGuard.
(you probably need to update your blacklists)
Yes, where do I get good and updated blacklists?
[cut]
Regards,


[squid-users] Parent proxy or mine fault?

2004-05-17 Thread Boniforti Flavio
Hello all!
I get:
May 17 12:19:53 plin squid[433]: Failed to select source for 
'http://www.provincia.verbania.it/piffero.css'
May 17 12:19:53 plin squid[433]:   always_direct = -1
May 17 12:19:53 plin squid[433]:never_direct = 1
May 17 12:19:53 plin squid[433]:timedout = 0

And then I get the Detected REVIVED proxy message...
Where does the problem stay? Is it my task to solve it on my proxy or is 
it a peer proxy's trouble?

Thank you.


[squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio
Hi all!
I'm getting troubles using GAIM through squid.
I always get No tunnelling available on port 80, but MSN Messenger 
works fine!

Who can help me?
Thanks


Re: [squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

Elsen Marc wrote:
  What is GAIM ?
GAIM is a multi-protocol Instant Messenger (gaim.sourceforge.net).
It's supposed to be configured to use a proxy, but I always get errors 
with squid...



Re: [squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

Elsen Marc wrote:
  Whether or not this proxying is fully HTTP compliant can for instance
be verified by checking squid's access log for request(s) coming
from this 'source'.
Also check squid's cache.log for further info and or errors. 
This is what I get in access.log:
1084802777.627  6 10.167.211.11 TCP_DENIED/403 1353 CONNECT 
login.oscar.aol.com:5190 - NONE/- text/html

1084803020.025  2 10.167.211.11 TCP_DENIED/403 1357 CONNECT 
messenger.hotmail.com:1863 - NONE/- text/html

Nothing to mention in cache.log.
What else?


Re: [squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

Joel Jaeggli wrote:
socks proxy or http proxy?
HTTP proxy


Re: [squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

Elsen Marc wrote:
  You get TCP_DENIED errors because the ports used, in this
case 5190 and 1863 are not listed in your SSL_ports acl. 
BTW: I added both ports to SSL_ports ACL but nothing changed:
1084804324.562    108 10.167.211.11 TCP_MISS/000 1365 CONNECT 
messenger.hotmail.com:1863 boniforti 
FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
1084804331.028    170 10.167.211.11 TCP_MISS/000 1361 CONNECT 
login.oscar.aol.com:5190 boniforti 
FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -




Re: [squid-users] Re: Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

Adam Aube wrote:
Add those two ports to the Safe_ports and SSL_ports acls, then create an
http_access rule that denies those two ports unless they are to the
relevant servers.
Do these two lines do the job?
acl SSL_ports port 22 443 460 563 1863 5190 1
acl Safe_ports port 1025-65535  # unregistered ports
And actually I just have this one (should allow every destination IP 
address to be reached by means of CONNECT method on SSL_ports, right?)

http_access deny CONNECT !SSL_ports
--
---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica
Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---
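
An added example, not from the thread: a way to check from access.log that opening extra CONNECT ports stays limited to the intended servers, as Adam Aube advises above. The Python code below flags CONNECT requests that go to neither a TLS port nor an allowed host and port pair; the allow list, the TLS port set and the log lines are assumptions constructed from hosts quoted in this thread, and the function names are hypothetical.

```python
from collections import Counter

TLS_PORTS = {443, 563}  # assumption: the ports meant for real TLS traffic
# Assumption: the only other tunnels this site wants, from the hosts quoted above.
ALLOWED_TUNNELS = {("login.oscar.aol.com", 5190), ("messenger.hotmail.com", 1863)}

# Constructed sample. Lines 1-2 follow entries quoted in this thread; lines 3-5
# are invented (documentation addresses and example.* hosts).
SAMPLE_LOG = """\
1084802777.627      6 10.167.211.11 TCP_DENIED/403 1353 CONNECT login.oscar.aol.com:5190 - NONE/- text/html
1084804324.562    108 10.167.211.11 TCP_MISS/000 1365 CONNECT messenger.hotmail.com:1863 boniforti FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
1084804400.100   9000 192.0.2.15 TCP_MISS/200 48211 CONNECT shell.example.net:22 userA FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
1084804410.200     12 192.0.2.15 TCP_DENIED/403 1350 CONNECT relay.example.org:8080 userA NONE/- text/html
1084804420.300   3000 192.0.2.16 TCP_MISS/200 9120 CONNECT www.example.com:443 userB FIRST_UP_PARENT/proxy.reteunitaria.piemonte.it -
""".splitlines()


def split_authority(target):
    """Split 'host:port' (or '[v6]:port') as logged for a CONNECT request."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target.lower(), None
    return host.strip("[]").lower(), int(port)


def audit_connects(lines):
    """Return one finding per CONNECT that is neither TLS nor an allowed tunnel."""
    findings = []
    for line in lines:
        f = line.split()
        # Native format: time elapsed client code/status bytes method URL user hier type
        if len(f) < 10 or f[5] != "CONNECT":
            continue
        host, port = split_authority(f[6])
        if port in TLS_PORTS or (host, port) in ALLOWED_TUNNELS:
            continue
        result = f[3].split("/")[0]
        findings.append({
            "client": f[2], "user": f[7], "host": host, "port": port,
            # TCP_DENIED: an http_access rule stopped it; anything else was forwarded.
            "outcome": "denied" if result == "TCP_DENIED" else "tunnelled",
        })
    return findings


def tunnelled_by_client(findings):
    """Count forwarded (not denied) unexpected tunnels per client address."""
    return Counter(x["client"] for x in findings if x["outcome"] == "tunnelled")


if __name__ == "__main__":
    for finding in audit_connects(SAMPLE_LOG):
        print(finding)
    print(dict(tunnelled_by_client(audit_connects(SAMPLE_LOG))))
```

A "tunnelled" finding means a port-only rule such as `http_access deny CONNECT !SSL_ports` let the request through to a host nobody listed.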


Re: [squid-users] Help with GAIM through squid!

2004-05-17 Thread Boniforti Flavio

SXB6300 Mailing wrote:
The following is what you need in your squid.conf :
acl SSL_ports port 443 ... 1863 5190 
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
This is actually what I got! 0__0
acl SSL_ports port 443 460 563 1863 5190 1
[...]
acl CONNECT method CONNECT
[...]
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
I know it works for ICQ (login.oscar.aol.com:5190), but where for msn messenger 
(messenger.hotmail.com:1863)
I'm not sure that it will work through a http proxy.
mmhhh... I can't get access to it, though I'm getting it with MSN 
Messenger with HTTP proxy enabled and passing through the same and only 
proxy.



[squid-users] Selective ACL possible?

2004-05-10 Thread Boniforti Flavio
Hello all!
I'm blocking all the media contents with a regex on my proxy setting.
Now I'd like to enable ONE USER to access those contents.
How may I achieve this?
I would like to give him user/pass for accessing my proxy (which I'm 
already doing for some of our IPs, for testing purposes) but also 
enabling him to get media contents.
Thank you!


Re: [squid-users] squid and SSH

2004-02-26 Thread Boniforti Flavio


Henrik Nordstrom wrote:

SOCKS, for proxying of other protocols such as SSH, POP-3, IMAP, ICQ, IRC, 
etc etc...
OK, that's a good explanation, thank you.
Now, the matter is: our network setup causes us to use OUR squid proxy 
which uses the PARENT of our ISP. How would I be using a SOCKS proxy in 
this environment?

Thanks...



[squid-users] squid and SSH

2004-02-23 Thread Boniforti Flavio
Hello all!

Is there any way to use SSH by passing through squid proxy?
Can squid in some way handle such kind of connections (don't know if 
it's called tunneling or whatever).

Thank you



Re: [squid-users] squid and SSH

2004-02-23 Thread Boniforti Flavio
  Yes, I use such a setup for offering ssh to end users on UNIX.
  It's a perl script that make use of squid's CONNECT
  capabilities (method). 
  You have to add port 22 then to your allowed SSL port's acl.
  I think it only works for OpenSSH versions , which allow
  specifying the tunneling perl script as a proxy.
Can you explain a bit more in depth?

  On Windows 'putty'
  (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
  can also make/use advantage of the
  SQUID proxy for outgoing ssh, apparently without any problem.
mmhhh... I will be using putty on my Windows box and OpenSSH client 
on Linux...



[squid-users] SuSE RPM package available?

2003-10-24 Thread Boniforti Flavio
Hello all!

I'm seeking for the latest SuSE 7.3 RPM package of squid (I guess it's 
the 2.5 stable 4).

Who knows where to get it?

Thanks...




[squid-users] FTP access through squid IE issue

2003-10-24 Thread Boniforti Flavio
Hello all!

I'm confused... :(

I'm using Mozilla FireBird and I can simply type 
ftp://username:[EMAIL PROTECTED] and I get into it.

When doing the same thing with IE6, I can't get in (the error is: Timeout).

What could the trouble be?

Thank you all.



Re: [squid-users] SuSE RPM package available?

2003-10-24 Thread Boniforti Flavio
Henrik Nordstrom wrote:

I am not sure anyone has bothered to make a SuSE 7.3 RPM package of 
Squid-2.5.STABLE4..
Yes, I just found the above version for SuSE 9.0.

You should be able to update the latest SuSE 7.3 SRPM package to 
Squid-2.5.STABLE4, allowing you to build a SuSE 7.3 RPM.
How can I achieve this (I'm no good at all with RPM manipulation)?



Re: [squid-users] SuSE RPM package available?

2003-10-24 Thread Boniforti Flavio
Henrik Nordstrom wrote:

I remember writing such description on squid-users earlier this year. Try 
the archives.
BTW: do you think I could use the RPM built for SuSE 8.1 or SuSE 9.0 
when upgrading my squid2.5stable1 on SuSE 7.3, or would this be causing 
troubles?



Re: [squid-users] Re: Authentication data...

2003-10-21 Thread Boniforti Flavio
Henrik Nordstrom wrote:

0. You must be using Squid-3
mmhh... unstable?

1. Squid must be running as a reverse-proxy with authentication enabled, 
in front of your web server where this PHP script resides.
mmhh... what means reverse-proxy?

2. Configure Squid to forward the requests using the cache_peer directive 
in squid.conf using the originserver and login= cache_peer options.
mmhh.. gotta take a look at the manual, right?

3. Make the PHP script read the Basic authentication user name from the 
request. See the PHP manual Chapter 17. HTTP authentication 
with PHP for details on how to do this.
Gotta take a look at this too

Alternatively, you can use a redirector helper to add the login details to 
the request by rewriting the URL to 
http://user:[EMAIL PROTECTED]/path/to/page.php  (this approach works in all 
Squid versions)
Since all this stuff is getting a bit too complicated, I'll ask another 
question (I'm still confused):

Is there any way (other than NCSA_Auth) to have username available to 
PHP in some variable?

Thank you very much...



[squid-users] How to avoid proxying for some sites?

2003-10-17 Thread Boniforti Flavio
Hello all.

I would like to know _how_ do I have to configure squid to tell it that 
accessing a defined site (mysite.org) doesn't have to be handled by 
squid (that is, the server on mysite.org should see the client's IP 
address and not squid's one).

Thank you!



Re: [squid-users] Corrupted downloads?

2003-10-17 Thread Boniforti Flavio
Henrik Nordstrom wrote:

Have you tried downloading the same files directly from the parent proxy?
Yes I did. And the facts don't change!




Re: [squid-users] Corrupted downloads?

2003-10-17 Thread Boniforti Flavio
Antony Stone wrote:

What is the nature of the corruption?   Are the files correct up to a certain 
point, and then simply end, suggesting that the data stream got cut off, or 
are there missing bytes within the file (so the resultant length is 
shortened), or are some bytes changed (so the final file is the right length 
but some of the contents are incorrect)?
The length is always correct.

ZIP files: CRC Error
EXE files: errors when running them (if standalone programs) or when 
installing them (like Adobe Acrobat Reader 6).

What happens if you download the same file across the same leased line but 
bypassing the Squid proxy?
I did, and as I mentioned before, nothing changed. My parent proxy 
(which was my main proxy, until I decided to put another local proxy 
here at my office) seems still to cause corrupted downloads...

What type of file/s get corrupted?   Plain text?   HTML?  Binaries (images, 
executables, arbitrary data)?
Mainly BIG files ( about every file bigger than 4/5MB), therefore ZIPs 
and EXEs.

What is the MIME content type of the downloads which get corrupted?   
Text/plain?   Text/html?   Application/octet-stream?
The last one, application/octet-stream.

What do the Squid access.log files on both your proxy and the parent proxy 
tell you about the files which arrive corrupted?
I can't get the parent proxy's log files, but mine is like:

1066382936.928  94247 10.167.211.11 TCP_MISS/200 18033719 GET 
http://ardownload.adobe.com/pub/adobe/reader/win/6.x/6.0/ita/AdbeRdr60_ita_full.exe 
boniforti FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it 
application/octet-stream

Hope some of these questions point in a helpful direction.

Regards,

Antony.
Thank you...




Re: [squid-users] How to avoid proxying for some sites?

2003-10-17 Thread Boniforti Flavio
Joel wrote:

iptables -t nat -A PREROUTING -i $yourethernetcard -p tcp --dport 80 -j
REDIRECT --to-port 3128 -d ! mysite.org or give the ip address of the site.
This sounds to me like transparent proxying, ain't it?



[squid-users] Knowing username of connected users?

2003-10-15 Thread Boniforti Flavio
Hello all!
Is there any way to know the username of the clients which are connected 
to my squid proxy and are using it?

I looked into Cache Manager, but there's no trace of that information.

Any help?

Thank you in advance.



Re: [squid-users] Knowing username of connected users?

2003-10-15 Thread Boniforti Flavio
Francisco Neira wrote:

I once managed to do that but only using authentication. If the proxy 
users are authenticated and recognized by the proxy then the proxy keeps 
the username in each connection.
Can you tell me more about it?

It's really important to me!

Thanks..



[squid-users] Corrupted downloads?

2003-10-10 Thread Boniforti Flavio
Hello all.

I'm using squid 2.5Stable1 which uses another parent proxy.

I noticed that many times I get corrupted downloads when I get files
bigger than 4/5 MB.
How come? Where could the trouble be?

If I download _exactly_ the same file from another place (with another
leased line) I get NO ERRORS at all!

Any help?

Thank you




[squid-users] Which variable stores auth_user?

2003-10-07 Thread Boniforti Flavio
Hello all!

I would like to know if there's a way to know, by means of a PHP script,
_which_ user is actually connected to my squid proxy.
I'm using ncsa_auth.

Thank you!




[squid-users] Somebody send me the conf file ?

2003-10-01 Thread Boniforti Flavio
I need to get my hands on a NEW squid 2.5ST1 conf file, not edited by
anyone!

Any help?




[squid-users] Authentication and IPs

2003-09-16 Thread Boniforti Flavio
Hello all!

I'm using this:

auth_param basic program /usr/sbin/ncsa_auth /home/squid/utenti
auth_param basic children 5
auth_param basic realm INTRANET PROXY SERVER
auth_param basic credentialsttl 1 hour

And:

acl pass proxy_auth flavio

Which is my username.

Ok, as I'm about to TEST this structure, I'd like to test it _only_ on
my computer's IP Address. How may I achieve this?

The final access line is:

http_access allow pass
http_access deny all




RE: [squid-users] How may I block MSN Messenger...

2003-08-22 Thread Boniforti Flavio

 I will suggest better to block it via your firewall it can be 
 Linux firewall ipfw, ipchains, iptables or router etc.

I can't believe it! Another one is telling me to use FIREWALLING with
this issue! Man!!! If I'm asking on the squid-users list, it's certainly
because I WANT TO DO IT with squid and I KNOW it's feasible!!! I can't
get my hands on our firewall, because its our ISP's one!

Anyway... Thank you... :-o




RE: [squid-users] How may I block MSN Messenger...

2003-08-20 Thread Boniforti Flavio
 Scratch that - I made the silly mistake of assuming that 
 req_mime_type would match on the entire data; it probably 
 looks for the Content-Type: line and matches from there.

Well... I'm still at it:

acl msn_no_block src 10.167.211.165/255.255.255.255
acl msn_server rep_mime_type ^application/x-msn-messenger
#acl msn_server dstdomain gateway.messenger.hotmail.com
#acl msn_server dst 207.46.110.0/255.255.255.0
http_access deny !msn_no_block msn_server
http_access deny all


I alternatively tried the different msn_server ACLs, with no success!
My station's IP is 10.167.211.11, therefore it shouldn't be able to get
through (msn_no_block just contains ONE IP: 10.167.211.165).

What now?

Thank you again!




RE: [squid-users] How may I block MSN Messenger...

2003-08-20 Thread Boniforti Flavio
 Since you are matching on the reply MIME type, you should 
 probably use this line instead:
 
 http_reply_access deny !msn_no_block msn_server
 
 I have no idea why that did not occur to me before.

Me neither.. The fact is: NOW IT'S WORKING!

I can't get connected anymore!!! ;)

The only thing that remains a doubt for me is:

Why I don't get any TCP/DENIED but instead I get:

1061385132.738   1807 10.167.211.11 TCP_MISS/403 1493 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? -
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it text/html

Should I be doing it on req_mime_type instead? How would I need to
change http_reply_access into?

Thank you again and again...




RE: [squid-users] How may I block MSN Messenger...

2003-08-14 Thread Boniforti Flavio
 Are you sure the clients send requests with this content 
 type? access.log only shows the content type of the replies, 
 not requests. To see the content type of requests you need to 
 enable log_mime_hdrs and extract the Content-Type from the 
 first block of headers [] (Note: the second block [] contains 
 the reply headers).

This is what I got:

1060175868.948   1332 10.167.211.11 TCP_MISS/200 345 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? -
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it
application/x-msn-messenger [Accept: */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; MSN Messenger 6.0.0602)\r\nHost:
gateway.messenger.hotmail.com\r\nProxy-Connection:
Keep-Alive\r\nConnection: Keep-Alive\r\nPragma:
no-cache\r\nContent-Type: application/x-msn-messenger\r\nContent-Length:
25\r\n] [HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDate: Wed, 06
Aug 2003 12:49:02 GMT\r\nX-MSN-Messenger: SessionID=496570652.10145;
GW-IP=207.46.110.43\r\nContent-Length: 25\r\nContent-Type:
application/x-msn-messenger\r\nX-Cache: MISS from
asia.csi.it\r\nProxy-Connection: keep-alive\r\n\r]
1060175869.933    985 10.167.211.11 TCP_MISS/200 475 POST
http://207.46.110.43/gateway/gateway.dll? -
FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it
application/x-msn-messenger [Accept: */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; MSN Messenger 6.0.0602)\r\nHost:
207.46.110.43\r\nProxy-Connection: Keep-Alive\r\nConnection:
Keep-Alive\r\nPragma: no-cache\r\nContent-Type:
application/x-msn-messenger\r\nContent-Length: 77\r\n] [HTTP/1.0 200
OK\r\nServer: Microsoft-IIS/5.0\r\nDate: Wed, 06 Aug 2003 12:49:04
GMT\r\nX-MSN-Messenger: SessionID=496570652.27824;
GW-IP=207.46.110.43\r\nContent-Length: 154\r\nContent-Type:
application/x-msn-messenger\r\nX-Cache: MISS from
asia.csi.it\r\nProxy-Connection: keep-alive\r\n\r]

What do you think?

Cheers
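
An added example, not part of the original thread: with log_mime_hdrs enabled, each access.log entry ends with the request headers and then the reply headers in brackets, which is where the request Content-Type has to be read from and, as warned elsewhere in this archive, where authentication credentials get logged. The Python code below parses such an entry and blanks credential headers before a line is posted; the sample line is constructed (modelled on the first entry above, unwrapped, with an invented user name and Proxy-Authorization header), and all function names are hypothetical.

```python
import re

# Headers whose values are credentials or session secrets.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

# With log_mime_hdrs on, the native log line is followed by two bracketed
# blocks: [request headers] [reply headers]. CR and LF appear inside them as
# the literal character pairs \r and \n, as in the entries quoted above.
ENTRY_RE = re.compile(r"^(?P<fields>\S.*?) \[(?P<req>.*?)\] \[(?P<rep>.*)\]\s*$")
HEADER_RE = re.compile(
    r"(?P<lead>\[|\\r\\n)(?P<name>[A-Za-z0-9-]+):(?P<value>.*?)(?=\\r|\]$)")
CRLF = r"\r\n"  # four characters: backslash, r, backslash, n

# Constructed sample: one unwrapped entry with an invented user and an invented
# Proxy-Authorization value (base64 of "user:pass").
SAMPLE = (
    "1060175868.948   1332 10.167.211.11 TCP_MISS/200 345 POST "
    "http://gateway.messenger.hotmail.com/gateway/gateway.dll? exampleuser "
    "FIRST_PARENT_MISS/proxy.reteunitaria.piemonte.it application/x-msn-messenger "
    r"[Accept: */*\r\nHost: gateway.messenger.hotmail.com\r\n"
    r"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
    r"Content-Type: application/x-msn-messenger\r\nContent-Length: 25\r\n] "
    r"[HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    r"Content-Type: application/x-msn-messenger\r\nContent-Length: 25\r\n\r]"
)


def split_headers(block):
    """Return (status_or_request_line, {lowercased name: value}) for one block."""
    first, headers = None, {}
    for part in block.split(CRLF):
        part = part.strip()
        if part in ("", "\\r"):  # "\r" is what is left of the final blank line
            continue
        name, sep, value = part.partition(":")
        if not sep or " " in name:  # e.g. "HTTP/1.0 200 OK"
            first = part
            continue
        headers[name.strip().lower()] = value.strip()
    return first, headers


def parse_entry(line):
    """Parse one access.log line written with log_mime_hdrs enabled."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("no header blocks: is log_mime_hdrs enabled?")
    f = m.group("fields").split()
    # Native format: time elapsed client code/status bytes method URL user hier type
    if len(f) < 10:
        raise ValueError("short native log line")
    _, req = split_headers(m.group("req"))
    status_line, rep = split_headers(m.group("rep"))
    return {
        "client": f[2], "result": f[3], "method": f[5], "url": f[6],
        "request_type": req.get("content-type"),  # what req_mime_type sees
        "reply_type": rep.get("content-type"),    # what rep_mime_type sees
        "reply_status_line": status_line,
        "request_headers": req, "reply_headers": rep,
    }


def redact(line):
    """Blank the values of SENSITIVE headers so the line can be shared."""
    def scrub(match):
        if match.group("name").lower() in SENSITIVE:
            return f"{match.group('lead')}{match.group('name')}: <redacted>"
        return match.group(0)
    return HEADER_RE.sub(scrub, line)


if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print("request:", entry["request_type"], "| reply:", entry["reply_type"])
    print(redact(SAMPLE))
```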




RE: [squid-users] How may I block MSN Messenger...

2003-08-08 Thread Boniforti Flavio

 These are allowed.
 
 Which rules did you have which you think should have blocked this?


acl msn_no_block src 10.167.211.11/255.255.255.255
acl msn_server req_mime_type ^application/x-msn-messenger
# acl msn_server dstdomain gateway.messenger.hotmail.com
# acl msn_server dst 207.46.110.0/255.255.255.0
http_access deny !msn_no_block msn_server
http_access deny all

This is what I use! The commented lines are also rules which I tried,
without succeeding! The only IP you see (10.167.211.11) is the one that
should be able to use MSN.

Thank you!



