RE: [squid-users] Utorrrent through squid
Could you please help me out as to why such errors are happening?

1285227117.990 0 10.1.97.27 TCP_DENIED/403 1480 GET http://tracker.thepiratebay.org/announce? - NONE/- text/html [Host: tracker.thepiratebay.org\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 403 Forbidden\r\nServer: squid\r\nDate: Thu, 23 Sep 2010 07:31:57 GMT\r\nContent-Type: text/html\r\nContent-Length: 1129\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nX-Cache: MISS from squid.local\r\nX-Cache-Lookup: NONE from squid.local:8080\r\nVia: 1.0 squid.local:8080 (squid)\r\nConnection: close\r\n\r]

Still not able to use torrent. Is it related to the CONNECT method, which is currently allowed for SSL (443)? If HTTP-supporting torrent clients make an HTTP tunnel to work, then which ports are required to be open?

regards,
Bilal

Date: Thu, 23 Sep 2010 03:49:06 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Utorrrent through squid

On 22/09/10 22:43, GIGO . wrote:
So Amos, does this mean that downloading of torrents with an earlier version of squid is not possible at all?

No, it's perfectly possible with IPv4 trackers. His specific problem was with IPv6-only trackers.

Date: Wed, 22 Sep 2010 20:27:29 +1200
Subject: Re: [squid-users] Utorrrent through squid

On 22/09/10 19:56, GIGO . wrote:
Hi all, I am unable to run the uTorrent software through the squid proxy due to IPv6 tracker failure. I am unable to connect to an IPv6 tracker.

1285141356.609 152 10.1.97.27 TCP_MISS/504 1587 GET http://ipv6.torrent.ubuntu.com:6969/announce? - DIRECT/ipv6.torrent.ubuntu.com text/html [Host: ipv6.torrent.ubuntu.com:6969\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid\r\nDate: Wed, 22 Sep 2010 07:42:36 GMT\r\nContent-Type: text/html\r\nContent-Length: 1234\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\nX-Cache: MISS from xyz.com\r\nX-Cache-Lookup: MISS from xyz.com:8080\r\nVia: 1.0 xyz.com:8080 (squid)\r\nConnection: close\r\n\r]

I am using the squid 2.7 Stable 9 release.

Squid-3.1 is required for IPv4/IPv6 gateway.

For doing this, is there a special configuration required on the operating system (RHEL 5) or squid itself? Please guide.

http://wiki.squid-cache.org/KnowledgeBase/RedHat

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
[squid-users] Utorrrent through squid
Hi all,

I am unable to run the uTorrent software through the squid proxy due to IPv6 tracker failure. I am unable to connect to an IPv6 tracker.

1285141356.609 152 10.1.97.27 TCP_MISS/504 1587 GET http://ipv6.torrent.ubuntu.com:6969/announce? - DIRECT/ipv6.torrent.ubuntu.com text/html [Host: ipv6.torrent.ubuntu.com:6969\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid\r\nDate: Wed, 22 Sep 2010 07:42:36 GMT\r\nContent-Type: text/html\r\nContent-Length: 1234\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\nX-Cache: MISS from xyz.com\r\nX-Cache-Lookup: MISS from xyz.com:8080\r\nVia: 1.0 xyz.com:8080 (squid)\r\nConnection: close\r\n\r]

I am using the squid 2.7 Stable 9 release. For doing this, is there a special configuration required on the operating system (RHEL 5) or squid itself? Please guide.

regards,
Bilal Aslam
RE: [squid-users] Utorrrent through squid
So Amos, does this mean that downloading of torrents with an earlier version of squid is not possible at all?

regards,
Bilal

Date: Wed, 22 Sep 2010 20:27:29 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Utorrrent through squid

On 22/09/10 19:56, GIGO . wrote:
Hi all, I am unable to run the uTorrent software through the squid proxy due to IPv6 tracker failure. I am unable to connect to an IPv6 tracker.

1285141356.609 152 10.1.97.27 TCP_MISS/504 1587 GET http://ipv6.torrent.ubuntu.com:6969/announce? - DIRECT/ipv6.torrent.ubuntu.com text/html [Host: ipv6.torrent.ubuntu.com:6969\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid\r\nDate: Wed, 22 Sep 2010 07:42:36 GMT\r\nContent-Type: text/html\r\nContent-Length: 1234\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\nX-Cache: MISS from xyz.com\r\nX-Cache-Lookup: MISS from xyz.com:8080\r\nVia: 1.0 xyz.com:8080 (squid)\r\nConnection: close\r\n\r]

I am using the squid 2.7 Stable 9 release.

Squid-3.1 is required for IPv4/IPv6 gateway.

For doing this, is there a special configuration required on the operating system (RHEL 5) or squid itself? Please guide.

http://wiki.squid-cache.org/KnowledgeBase/RedHat

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
RE: [squid-users] Alerting when cache Peer is used.
2010/09/20 12:40:56| WARNING: Forwarding loop detected for:
Client: 10.25.88.175 http_port: 10.1.82.175:8080

As far as alerts are concerned, I got your point, thanks! I am getting these kinds of messages in my cache.log. Can I ignore these warnings in reference to my requirements (internet backup path of each other), or do I need to make some configuration changes? Please guide.

thanking you
regards,
Bilal Aslam

Date: Fri, 17 Sep 2010 23:31:55 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Alerting when cache Peer is used.

On 17/09/10 23:14, GIGO . wrote:
I have configured my proxy servers in two regions for backup internet path of each other by declaring the following directives.

Directives on Proxy A:
cache_peer A parent 8080 0 proxy-only
prefer_direct on
nonhierarchical_direct off
cache_peer_access A allow all

Directives on Proxy B:
cache_peer B parent 8080 0 proxy-only
prefer_direct on
nonhierarchical_direct off
cache_peer_access B allow all

Is there a way that whenever a peer cache is used an email alert is generated to the admins?

Not from Squid. That is a job for network availability software.

You could hack up a script to scan squid access.log for the peer hierarchy codes (DIRECT or FIRST_UP_PARENT etc) being used.

Note that the setting is only prefer_direct. It can go to the peer with perfectly working network access if the origin web server simply takes too long to reply to a connect attempt.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
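The script Amos suggests, scanning access.log for the hierarchy code, worked through as an added example (not from the thread and not Squid's own tooling). It assumes Squid's native access.log format (hierarchy code and peer host in the second-to-last column) and uses constructed sample lines; given a real log path as its argument it exits non-zero whenever a cache_peer served a request, which a cron job or monitoring check can turn into the email alert asked about.

```python
"""Scan a Squid access.log for requests that were forwarded to a cache_peer."""
import re
import sys
from collections import Counter

# Squid native access.log format (assumed here):
#   time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)

# Hierarchy codes that mean the request was NOT handed to a peer:
# DIRECT went to the origin server, NONE was served from cache or denied.
NOT_A_PEER = {"DIRECT", "NONE"}


def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not parse."""
    m = NATIVE_LINE.match(line)
    return m.groupdict() if m else None


def peer_used_entries(lines):
    """Yield (client, hierarchy code, peer host, url) for each request served via a peer."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["hier"] in NOT_A_PEER:
            continue
        yield rec["client"], rec["hier"], rec["peer"], rec["url"]


def peer_usage_report(lines, threshold=1):
    """Count peer-served requests per peer host and decide whether to alert.

    Returns (counts, alert): counts maps peer host -> number of requests,
    alert is True when any peer was used at least `threshold` times.
    """
    counts = Counter(peer for _, _, peer, _ in peer_used_entries(lines))
    alert = any(n >= threshold for n in counts.values())
    return counts, alert


# Constructed sample log (not from the thread): a DIRECT fetch, a cache hit,
# two requests that fell back to the parent peer "south-proxy", and one denied.
SAMPLE_LOG = """\
1284963656.123 210 10.25.88.175 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1284963657.456 15 10.25.88.176 TCP_HIT/200 1200 GET http://example.com/logo.png - NONE/- image/png
1284963702.789 3021 10.25.88.175 TCP_MISS/200 8800 GET http://example.org/index.html - FIRST_UP_PARENT/south-proxy text/html
1284963703.001 2877 10.25.88.177 TCP_MISS/200 640 GET http://example.org/a.css - FIRST_UP_PARENT/south-proxy text/css
1284963710.500 0 10.25.88.178 TCP_DENIED/403 1480 GET http://tracker.invalid/announce - NONE/- text/html
"""


def main(argv):
    # Read a real access.log when a path is given, otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    counts, alert = peer_usage_report(lines)
    for peer, n in counts.items():
        print(f"peer {peer}: {n} request(s)")
    print("ALERT: a cache_peer was used" if alert else "all traffic went DIRECT")
    return 1 if alert else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```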
[squid-users] Alerting when cache Peer is used.
I have configured my proxy servers in two regions for backup internet path of each other by declaring the following directives.

Directives on Proxy A:
cache_peer A parent 8080 0 proxy-only
prefer_direct on
nonhierarchical_direct off
cache_peer_access A allow all

Directives on Proxy B:
cache_peer B parent 8080 0 proxy-only
prefer_direct on
nonhierarchical_direct off
cache_peer_access B allow all

Is there a way that whenever a peer cache is used an email alert is generated to the admins?

thanking you
Best Regards,
Bilal
[squid-users] Facebook issue despite server_http11 on
Dear All,

I am using the squid 2.7 stable 9 version. Facebook was working fine, but since yesterday the issue appears that a blank page comes whenever I try to access Facebook. I have tried the recommended directive

server_http11 on

but the problem is unresolved. Please help.

regards,
Bilal
[squid-users] Cache Peer Setup Mutual Parents
Dear All,

Is it possible to use squid as a backup path if going direct fails? I am using squid 2.7 stable 9 with cache_digest enabled. Following are the directives I think will do it; please check whether they are correct.

Setting of cache at North Region:
cache_peer SOUTH parent 8080 0 no-query proxy-only default
prefer_direct on
nonhierarchical_direct off
cache_peer_access SOUTH allow onlybrowsing

Setting of cache at South Region:
cache_peer NORTH parent 8080 0 no-query proxy-only default
prefer_direct on
nonhierarchical_direct off
cache_peer_access NORTH allow onlybrowsing

I don't think that for my purpose ICP queries or cache digests will serve any purpose, because they only matter with a sibling-type relation? Is it so? Is this a practical setup, or could it pose any problems? Can you please add any recommendations?

Thanking you
Best Regards,
Bilal
RE: [squid-users] Delay Pool Configuration Confirmation.
Well, I have tried the class 2 settings but they seem not to be working properly. I have the quick_abort -1 setting (for YouTube, Windows Update etc.). Could it be a problem? If so, for fixing it what maximum size for quick_abort is possible?

regards,
Bilal

Date: Sat, 24 Jul 2010 14:06:37 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Delay Pool Configuration Confirmation.

GIGO . wrote:
Right Amos, I think what I want was the class 2, so I will configure as you suggest, and it will encompass the authenticated users as well?

regards,
Bilal

Each pool encompasses whatever requests your delay_pool_access matches.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.5
[squid-users] Delay Pool Configuration Confirmation.
Dear all,

I am using squid 2.7 stable 9. I want to restrict downloads for everyone, both authenticated and IP-based clients, to 128KB in the daytime and with full capacity at night. I have done the following configurations, however they don't seem to work for me. Can you confirm whether they are correct? I am using squid_kerb_ldap and squid_kerb_auth, and 50% of users are based on this; 50% of users are IP based, 10.x.x.x (/24).

#Definition of working hours---
acl wh time MTWHF 09:00-21:00

#--Delay Pools Settings---
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 allow downloads wh
RE: [squid-users] Delay Pool Configuration Confirmation.
Right Amos, I think what I want was the class 2, so I will configure as you suggest, and it will encompass the authenticated users as well?

regards,
Bilal

Date: Thu, 22 Jul 2010 23:56:21 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Delay Pool Configuration Confirmation.

GIGO . wrote:
Dear all,

I am using squid 2.7 stable 9. I want to restrict downloads for everyone, both authenticated and IP-based clients, to 128KB in the daytime and with full capacity at night. I have done the following configurations, however they don't seem to work for me. Can you confirm whether they are correct? I am using squid_kerb_ldap and squid_kerb_auth, and 50% of users are based on this; 50% of users are IP based, 10.x.x.x (/24).

#Definition of working hours---
acl wh time MTWHF 09:00-21:00

#--Delay Pools Settings---
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 allow downloads wh

class 1 is an aggregate limit. Meaning that config caps the whole network at 125KB combined. Divide that by the number of users on the network using the proxy at any time.

If you want each user to have 128KB but no more, use a class 2 pool. With parameters of -1/-1 131072/131072 (no aggregate limit, 128KB individual caps).

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.5
[squid-users] clientcahehit: request has store_url http://www.xyx.com/whaever/abc.xyz ; mem object in hit has mis matchedurl
Dear All,

I am having a lot of such errors; please, your help and guidance is required.

2010/07/20 17:26:34| clientCacheHit: request has store_url 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css'; mem object in hit has mis-matched url 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css?1274977955'!

regards,
Bilal
[squid-users] squid stable 2.7 stable 9 store url errors in cache.log
Dear All,

I am seeing the following in my cache.log. Is this referring to some misconfiguration or issue?

2010/07/19 17:58:20| clientCacheHit: request has store_url 'http://cdn.nytimes.com/images/apps/timespeople/none.png'; mem object in hit has mis-matched url 'http://graphics8.nytimes.com/images/apps/timespeople/none.png'!
2010/07/19 17:58:31| storeLocateVary: Not our vary marker object, 853708066C81CBC307A860FBABB2E9DE = 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css?1274977955', 'accept-encoding'/'-'
2010/07/19 17:58:31| clientCacheHit: request has store_url 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css'; mem object in hit has mis-matched url 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css?1274977955'!
2010/07/19 17:58:44| clientCacheHit: request has store_url 'http://cdn.linkedin.com/mpr/mpr/shrink_40_40/p/2/000/065/250/1cdc957.jpg'; mem object in hit has mis-matched url 'http://media02.linkedin.com/mpr/mpr/shrink_40_40/p/2/000/065/250/1cdc957.jpg'!
2010/07/19 17:58:44| clientCacheHit: request has store_url 'http://cdn.linkedin.com/scds/common/u/img/bg/bg_border_3x1.png'; mem object in hit has mis-matched url 'http://static02.linkedin.com/scds/common/u/img/bg/bg_border_3x1.png'!
2010/07/19 17:58:31| storeLocateVary: Not our vary marker object, 853708066C81CBC307A860FBABB2E9DE = 'http://www.cricinfo.com/navigation/cricinfo/ci/scorecard.css?1274977955', 'accept-encoding'/'-'

2. With 8 GB of memory and a 50gb cache directory, would there be any performance gain in declaring 2gb cache_mem when squid is only being used as a forward proxy? Is there any relation of the memory settings + max object size in mem to this error (| WARNING: swapfile header too small)?

Thanking you
Best regards,
Bilal
RE: [squid-users] swapfile header too small
Amos,

Thank you. I will do as per your advice.

regards,
Bilal

Date: Fri, 16 Jul 2010 13:43:17 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] swapfile header too small

GIGO . wrote:
Dear All,

I am finding this in my cache.log file.

2010/07/15 19:12:14| WARNING: swapfile header too small
2010/07/15 19:12:14| WARNING: swapfile header too small
2010/07/15 19:28:30| WARNING: swapfile header too small

squid 2.7 stable 9 installed on RHEL

What is the reason for these errors and how to resolve it?

Each message is a file failing validity checks Squid does to prevent cache corruption. It's a strong sign of disk failure or manual tampering with the cached files.

It's normal to see some of them and other similar during a DIRTY rebuild of the cache following a crash. If they are occurring during normal operation, or even a lot, I recommend running a disk scan, and possibly erasing the cache and rebuilding it clean with squid -z.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.5
[squid-users] swapfile header too small
Dear All,

I am finding this in my cache.log file.

2010/07/15 19:12:14| WARNING: swapfile header too small
2010/07/15 19:12:14| WARNING: swapfile header too small
2010/07/15 19:28:30| WARNING: swapfile header too small

squid 2.7 stable 9 installed on RHEL

What is the reason for these errors and how to resolve it?

Thanking you
regards,
Bilal Aslam
[squid-users] Download manager
I am using ISA as a parent peer, and squid has no direct connection to the internet. I am unable to use IDM with the Squid proxy; I have tried both with authenticated as well as IP-based clients, but it is not successful. Another download manager (FDM) works fine with the same setup. The error is "connection closed by server". Please help.

regards,
Bilal
RE: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
Hi,

Please, some more guidance is required. Can squid_kerb_ldap be used (alone) independently of calling squid_kerb_auth or any other helper?? If and only if it is a must to use both squid_kerb_auth and squid_kerb_ldap, then is it correct that we are not using the following directives??

acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used

as instead ldap based directives of the following form are used...

external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check

thanking you
regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 1 Jul 2010 21:31:13 +0100
Subject: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Hi

1) 1.2.1a is just a minor patch version to 1.2.1.
2) This happens only when you use the -d debug option
3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
4) If they have different access needs then that is the only way. If they have the same access right you can use -g inetgrl...@mailserver.v.local:inetgrl...@mailserver.v.local:inetgrl...@mailserver.v.local

Regards
Markus

- Original Message -
From: GIGO .
To: squidsuperuser2 ; SquidHelp
Sent: Thursday, July 01, 2010 11:31 AM
Subject: RE: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Dear Markus,

Thank you so much for your help, as I diagnosed the problem back to KRB5_KTNAME not being exported properly through my startup script. For completion's sake and your analysis I have appended the cache.log at the bottom. Please, I have a few queries:

1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation, which is the latest, but does the "a" in 1.2.1(a) mean alpha? Can I use this latest version in production, or should I switch back to 1.2.1?
2. I have just figured out that squid_kerb_ldap gets all the groups for the user in question even if the first group it finds matches. Is this the normal behaviour?
3. Is there a way to bind to a specific or multiple (chosen) LDAP servers rather than using DNS? (what is the syntax and how)
4. As I have different categories of users, I had defined the following directives. Is it ok to do it this way? It does not look very neat to me, and it looks like squid_kerb_ldap is being called redundantly.

-Portion of squid.conf-
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3
http_access deny msgroup2 msn
http_access deny msgroup3 msn
http_access deny msgroup2 ym
http_access deny msgroup3 ym
###Most Restricted settings Exclusive for Normal users..###
http_access deny msgroup3 Movies
http_access deny msgroup3 downloads
http_access deny msgroup3 torrentSeeds
http_access deny all
RE: [squid-users] Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
:24:49 krbtgt/mailserver.v.lo...@mailserver.v.local
renew until 07/01/10 15:25:06
06/30/10 15:25:49 07/01/10 01:24:49 ldap/ldc-ms-dc2.mailserver.v.local@
renew until 07/01/10 15:25:06
06/30/10 15:25:49 06/30/10 15:27:49 kadmin/chang...@mailserver.v.local
renew until 06/30/10 15:27:49

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
--
2 HTTP/squidlhr1.mailserver.v.lo...@mailserver.v.local (DES cbc mode with CRC-32)
2 HTTP/squidlhr1.mailserver.v.lo...@mailserver.v.local (DES cbc mode with RSA-MD5)
2 HTTP/squidlhr1.mailserver.v.lo...@mailserver.v.local (ArcFour with HMAC/md5)

10.-msktutil--
msktutil -c -b OU=UNIXOU -s HTTP/squidlhr1.mailserver.mcb.com.pk -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squidlhr-http --upn HTTP/squidlhr1.mailserver.v.local --server ldc-ms-dc2.v.local --verbose

Please help me out, as I have tried so much and not yet got a clue. Will be thankful.

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Tue, 29 Jun 2010 23:38:54 +0100
Subject: [squid-users] Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Can you add the option -d -i to squid_kerb_auth and squid_kerb_ldap to create more debug output and send the cache.log extract

Regards
Markus

GIGO . wrote in message news:snt134-w34626d5c8ec65f9d8495b1b9...@phx.gbl...
Hi Henrik/Markus/All

Every setting (keeping in view your recommendation) was correct; I confirmed that many times. I even tried re-creating the SPN, but in vain. However, I just realized that most of the users were required to log off and log in to get authenticated through squid. I wonder why a user even with a valid TGT was required to do that, as he should be able to get the TGS for every new kerberized service??? Anyway, of the few users I tried, only one was able to access it without re-login. Bottom line is that it's working.

Now the authorization portion does not seem to be behaving properly. Can you please check the syntax for correctness before I probe further? I have appended at the bottom my squid.conf portion relevant to this. E.g. after the authorization a few of the clients were showing this, whether in the group or not:
--
Internet Explorer cannot display the webpage
What you can try:
Diagnose connection problems
More Info
--
Further, I think IE7 (and later) and Firefox 3.6.x and above support Kerberos. Am I right? Is there any special configuration required on the client side (other than the proxy settings)??

#After allowing IP based clients and the access controls related to them.
http_access allow ipbc

# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
acl ms_group1 external squid_kerb_ldap_ms_group1
acl ms_group2 external squid_kerb_ldap_ms_group2
acl ms_group3 external squid_kerb_ldap_ms_group3
http_access deny ms_group2 msnd
http_access deny ms_group3 msnd
http_access deny ms_group2 msn
http_access deny ms_group3 msn
http_access deny ms_group2 msn1
http_access deny ms_group3 msn1
http_access deny ms_group2 numeric_IPs
http_access deny ms_group3 numeric_IPs
http_access deny ms_group2 Skype_UA
http_access deny ms_group3 Skype_UA
http_access deny ms_group2 ym
http_access deny ms_group3 ym
http_access deny ms_group2 ymregex
http_access deny ms_group3 ymregex
###Most Restricted settings Exclusive for Normal users..###
http_access deny ms_group3 Movies
http_access deny ms_group3 MP3s
http_access deny ms_group3 FTP
http_access deny ms_group3 MP3url
http_reply_access deny ms_group3 deny_rep_mime_flashvideo
http_access deny ms_group3 youtube_domains
http_access deny ms_group3 facebook_sites
http_access deny ms_group3 BIP
http_access deny ms_group3 downloads
http_access deny ms_group3
RE: [squid-users] Startup/shutdown script which was working perfactly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0
Hi Amos,

I just found that running it from rc.local works, but is it ok to run it through there in CentOS??

squidautostart.sh-
#!/bin/sh
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
echo -n $Starting squid instance2:
/usr/sbin/squid -D -s -f /etc/squid/inst2squid.conf
echo -n $Starting squid instance1:
/usr/sbin/squid -D -s -f /etc/squid/inst1squid.conf

Are the variables exported in the script available to the running instances of squid through rc.local or not? (For the time the program is running.) I also think that for running squid manually, to export these variables for all users I had to define them in /etc/profile. Am I right? Please guide.

thanking you
regards,
Bilal

Date: Mon, 24 May 2010 00:52:39 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Startup/shutdown script which was working perfactly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0

GIGO . wrote:
Hi all,

I am able to run squid manually; however, whenever I try to run it through the startup/shutdown script it fails. This is the same script that works for squid 3.0 stable 25; however, I am not able to figure out why it's failing on squid 2.7 stable 9. Neither of the instances starts with system startup. Please guide me; I would be thankful. My startup script and tail of cache.log for both instances is below.

#!/bin/sh
#
#my script
case $1 in
start)
/usr/sbin/squid -D -s -f /etc/squid/squidcache.conf
/usr/sbin/squid -D -s -f /etc/squid/squid.conf
#The below line is to automatically start apache with system startup
/usr/sbin/httpd -k start
#KRB5_KTNAME=/etc/squid/HTTP.keytab
#export KRB5_KTNAME
#KRB5RCACHETYPE=none
#export KRB5RCACHETYPE
;;
stop)
/usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
echo Shutting down squid secondary process
/usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
echo Shutting down squid main process
# The below line is to automatically stop apache at system shutdown
/usr/sbin/httpd -k stop
;;
esac

The script looks right to me.

tail instance 2 cache file:
2010/05/22 06:05:18| Beginning Validation Procedure
2010/05/22 06:05:18| Completed Validation Procedure
2010/05/22 06:05:18| Validated 0 Entries
2010/05/22 06:05:18| store_swap_size = 0k
2010/05/22 06:05:18| storeLateRelease: released 0 objects
2010/05/22 06:09:28| Preparing for shutdown after 62 requests

This message means the Squid instance has received the shutdown signal from some external process. Either kill or squid -k shutdown.

2010/05/22 06:09:28| Waiting 30 seconds for active connections to finish
2010/05/22 06:09:28| FD 16 Closing HTTP connection
2010/05/22 06:09:28| WARNING: store_rewriter #1 (FD 7) exited
2010/05/22 06:09:28| Too few store_rewriter processes are running
2010/05/22 06:09:28| Starting new helpers
2010/05/22 06:09:28| helperOpenServers: Starting 1 'storeurl.pl' processes

That may be a bug, restarting helpers on shutdown looks wrong.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.3
RE: [squid-users] Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
Hi Henrik/Markus/All

Every setting (keeping in view your recommendation) was correct; I confirmed that many times. I even tried re-creating the SPN, but in vain. However, I just realized that most of the users were required to log off and log in to get authenticated through squid. I wonder why a user even with a valid TGT was required to do that, as he should be able to get the TGS for every new kerberized service??? Anyway, of the few users I tried, only one was able to access it without re-login. Bottom line is that it's working.

Now the authorization portion does not seem to be behaving properly. Can you please check the syntax for correctness before I probe further? I have appended at the bottom my squid.conf portion relevant to this. E.g. after the authorization a few of the clients were showing this, whether in the group or not:
--
Internet Explorer cannot display the webpage
What you can try:
Diagnose connection problems
More Info
--
Further, I think IE7 (and later) and Firefox 3.6.x and above support Kerberos. Am I right? Is there any special configuration required on the client side (other than the proxy settings)??

#After allowing IP based clients and the access controls related to them.
http_access allow ipbc

# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
acl ms_group1 external squid_kerb_ldap_ms_group1
acl ms_group2 external squid_kerb_ldap_ms_group2
acl ms_group3 external squid_kerb_ldap_ms_group3
http_access deny ms_group2 msnd
http_access deny ms_group3 msnd
http_access deny ms_group2 msn
http_access deny ms_group3 msn
http_access deny ms_group2 msn1
http_access deny ms_group3 msn1
http_access deny ms_group2 numeric_IPs
http_access deny ms_group3 numeric_IPs
http_access deny ms_group2 Skype_UA
http_access deny ms_group3 Skype_UA
http_access deny ms_group2 ym
http_access deny ms_group3 ym
http_access deny ms_group2 ymregex
http_access deny ms_group3 ymregex
###Most Restricted settings Exclusive for Normal users..###
http_access deny ms_group3 Movies
http_access deny ms_group3 MP3s
http_access deny ms_group3 FTP
http_access deny ms_group3 MP3url
http_reply_access deny ms_group3 deny_rep_mime_flashvideo
http_access deny ms_group3 youtube_domains
http_access deny ms_group3 facebook_sites
http_access deny ms_group3 BIP
http_access deny ms_group3 downloads
http_access deny ms_group3 torrentSeeds
http_access deny ms_group3 dlSites
##- Time based ACLs
http_access deny ms_group2 youtube_domains wh
http_access deny ms_group2 BIP wh
http_access deny ms_group2 facebook_sites wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3
http_access deny all

Squid version: squid 2.7 stable 9 on CentOS 5.4 64 bit.

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Mon, 28 Jun 2010 23:56:51 +0100
Subject: [squid-users] Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Make sure the squid server's hostname matches squidhr1.v.local. If not, use -s HTTP/squidhr1.v.local as an option to squid_kerb_auth.

Regards
Markus

GIGO . gi...@msn.com wrote in message news:snt134-w64257c53609757cd3cf006b9...@phx.gbl...
Hi all,

I am unable to do Kerberos authentication in my live environment, as opposed to the test environment where it was successful. My environment is Active Directory single forest, multi-domain, with each domain having multiple domain controllers.

SPN was created through:
msktutil -c -b OU=UNIXOU -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose

Through the ADSIEDIT and setspn tools the SPN is confirmed in the Active Directory.

My krb5.conf settings:
[libdefaults]
default_realm = MAILSERVER.V.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes
[squid-users] DNS server setup for squid/kerberos
Dear All,

Your help is required.

Problem: Setting up squid in an Active Directory environment (where Active Directory domain controllers, Windows clients, UNIX clients, and application servers must all have a shared understanding of the correct host names and IP addresses for each computer within the environment).

The following options I have just thought about, but I am not sure which one is better.

1. Using a local Active Directory integrated DNS server configured to forward internet queries to the ISP DNS (allowed through the firewall).
2. Using two NICs, one for LAN traffic configured with the local AD integrated DNS and the second for internet traffic pointing to the ISP DNS. Would there be any special requirements on the squid or Linux side to set up squid with multiple NICs? Is there a KB article available for that?
3. Are there any material gains installing BIND DNS on the squid server?

regards,
Bilal
RE: [squid-users] Confusion regarding regex
Hi Amos,

There is still some confusion regarding regex and any help will be great please. You told that squid uses POSIX regex, but is it BRE or ERE??? As for ERE, according to my best understanding special characters are not required to be escaped, and if escaped they will lose their special meaning; on the contrary, in BRE some special characters like ( ) must be escaped, otherwise they will be treated as literals. Is the regex processor built into squid itself, or is it using the OS default regex parser?

thanking you
regards,
Bilal

Date: Wed, 16 Jun 2010 23:11:08 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Confusion regarding regex

GIGO . wrote:
Hi, Please I need your guidance regarding the regex used by squid. Is it BRE, ERE or Perl? I assume that squid is using a gnurep compatible version? Am I right?

POSIX regular expressions.

In grep, to use some metacharacters we have to encode them, which are ‘\?’, ‘\+’, ‘\{’, ‘\|’, ‘\(’, and ‘\)’. Does this hold true to write regex for squid as well?

Yes. I know for at least these: \. \? \+ \( \) Not sure about the others.

acl MP3url urlpath_regex \.mp3(\?.*)?$
Shouldn't this expression be written as \.mp3'\(''\?'.*'\)''\?'$

No. It means the text .mp3 ending the path (aka the MP3 file extension), with optional query string parameters following. Which matches URI standard syntax: protocol ':' '/' '/' domain '/' path '?' parameters

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.4
RE: [squid-users] Confusion regarding regex
Henrik

Thank you so much.

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Mon, 21 Jun 2010 10:59:45 +0200
Subject: RE: [squid-users] Confusion regarding regex

On Mon 2010-06-21 at 06:25 + GIGO . wrote:
Hi Amos, There is still some confusion regarding regex and any help will be great please. You told that squid uses POSIX regex, but is it BRE or ERE???

Extended.

As for ERE, according to my best understanding special characters are not required to be escaped, and if escaped they will lose their special meaning; on the contrary, in BRE some special characters like ( ) must be escaped, otherwise they will be treated as literals.

Correct.

Is the regex processor built into squid itself, or is it using the OS default regex parser?

Generally the OS default regex implementation. Squid also ships with a copy of GNU Regex in case the OS regex implementation is too broken.

Regards
Henrik
[squid-users] Confusion regarding regex
Hi,

Please, I need your guidance regarding the regex used by squid. Is it BRE, ERE or Perl? I assume that squid is using a gnurep compatible version? Am I right?

In grep, to use some metacharacters we have to encode them, which are ‘\?’, ‘\+’, ‘\{’, ‘\|’, ‘\(’, and ‘\)’. Does this hold true to write regex for squid as well?

acl MP3url urlpath_regex \.mp3(\?.*)?$

Shouldn't this expression be written as \.mp3'\(''\?'.*'\)''\?'$

Please, guidance regarding this will be of great value to me.

thanks
Regards,
Bilal
RE: [squid-users] Confusion regarding regex
OK, what I understand is that in the POSIX regular expression you encode the special characters . ? + ( ) with a backslash only, and no (single quote + backslash) is required, which is a must in grep.

regards,
Bilal Aslam

Date: Wed, 16 Jun 2010 23:11:08 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Confusion regarding regex

GIGO . wrote:
Hi, Please I need your guidance regarding the regex used by squid. Is it BRE, ERE or Perl? I assume that squid is using a gnurep compatible version? Am I right?

POSIX regular expressions.

In grep, to use some metacharacters we have to encode them, which are ‘\?’, ‘\+’, ‘\{’, ‘\|’, ‘\(’, and ‘\)’. Does this hold true to write regex for squid as well?

Yes. I know for at least these: \. \? \+ \( \) Not sure about the others.

acl MP3url urlpath_regex \.mp3(\?.*)?$
Shouldn't this expression be written as \.mp3'\(''\?'.*'\)''\?'$

No. It means the text .mp3 ending the path (aka the MP3 file extension), with optional query string parameters following. Which matches URI standard syntax: protocol ':' '/' '/' domain '/' path '?' parameters

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.4
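As an added illustration, not from the thread, the ACL pattern discussed above run against constructed sample URLs; it emulates Squid's urlpath_regex (path plus query string, unanchored search) with Python's re module, whose syntax for this particular pattern matches POSIX ERE:

```python
import re
from urllib.parse import urlsplit

# The ACL pattern from the thread, exactly as written in squid.conf:
#   acl MP3url urlpath_regex \.mp3(\?.*)?$
# In POSIX ERE (which Squid uses) '.', '?', '(' and ')' are metacharacters
# unless escaped, so '\.' and '\?' stand for the literal characters, while the
# unescaped '(\?.*)?' is an optional group: a '?' followed by anything.
# Python's re module reads this particular pattern the same way.
MP3URL_ACL = r"\.mp3(\?.*)?$"


def squid_urlpath(url):
    """Return the string Squid's urlpath_regex inspects: the path plus the
    query string, without scheme, host or port."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def acl_matches(url, pattern=MP3URL_ACL, case_insensitive=False):
    """Emulate 'acl NAME urlpath_regex [-i] PATTERN' for a single URL.
    Squid does an unanchored search, hence re.search rather than re.match."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, squid_urlpath(url), flags) is not None


def classify(urls, pattern=MP3URL_ACL, case_insensitive=False):
    """Map each URL to whether the ACL would match it."""
    return {u: acl_matches(u, pattern, case_insensitive) for u in urls}


# Constructed sample URLs (example.test is a reserved documentation name).
SAMPLE_URLS = [
    "http://example.test/music/song.mp3",             # plain .mp3 path
    "http://example.test/music/song.mp3?dl=1&ref=x",  # .mp3 with a query string
    "http://example.test/music/song.mp3x",            # .mp3 not at the end
    "http://example.test/mp3/readme.txt",             # 'mp3' only in a directory
    "http://example.test/music/SONG.MP3",             # upper case, no -i flag
    "http://example.test/get?file=song.mp3",          # .mp3 only in the query
]

if __name__ == "__main__":
    # The last sample shows a side effect of the unanchored search: the ACL
    # also fires when ".mp3" merely ends the query string, not the file name.
    for url, hit in classify(SAMPLE_URLS).items():
        print(f"{'MATCH' if hit else 'no   '} {squid_urlpath(url)}")
```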
RE: [squid-users] Youtube -An error occurred, please try again later
Hi Amos

Yes, the problem seems to be gone and it could be the reason. Thanks for explaining.

regards,
Bilal

Date: Mon, 31 May 2010 20:32:43 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Youtube -An error occurred, please try again later

GIGO . wrote:
Hi Henrik, Right now I don't have my access.log (will share it with you after the weekend). However, let me tell you that after setting negative_ttl to 0, apparently the problem was resolved. But I need to be sure about it. Do you think that this has resolved the problem?

Quite probably.

negative_ttl forces Squid to cache and provide ALL clients with the 4xx or 5xx error page for a certain length of time. Even if it was only a temporary issue due to a single client request failure. It's a manually added DoS vulnerability to every Squid which uses it. It's rarely useful nowadays even for its original purpose of reducing 404 flooding of backend servers.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
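The following is an added example, not code from the thread, that makes Amos's point measurable: it scans constructed Squid native-format access.log lines for TCP_NEGATIVE_HIT entries and reports how many distinct clients were served a cached error that one client's failed fetch seeded (203.0.113.x and blocked.example are documentation values):

```python
from collections import OrderedDict

# Constructed Squid "native" access.log sample (log_mime_hdrs off), one request per line:
# timestamp elapsed_ms client tag/status bytes method url ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1275025495.109 152 10.1.97.27 TCP_MISS/504 4230 GET http://v12.lscache8.c.youtube.com/videoplayback?id=9b7dfa1653cf6c4c - DIRECT/203.0.113.10 text/html
1275025496.010 3 10.1.97.27 TCP_HIT/200 66 GET http://www.youtube.com/set_awesome?video_id=gZChpu02R-0 - NONE/- text/xml
1275025497.300 0 10.1.97.31 TCP_NEGATIVE_HIT/504 4230 GET http://v12.lscache8.c.youtube.com/videoplayback?id=9b7dfa1653cf6c4c - NONE/- text/html
1275025498.120 0 10.1.97.42 TCP_NEGATIVE_HIT/504 4230 GET http://v12.lscache8.c.youtube.com/videoplayback?id=9b7dfa1653cf6c4c - NONE/- text/html
1275025499.500 120 10.1.97.42 TCP_MISS/200 5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?id=8190a1a6ed3647ed - DIRECT/203.0.113.11 video/x-flv
1275025500.000 0 10.1.97.42 TCP_DENIED/403 1480 GET http://blocked.example/ - NONE/- text/html
1275025731.000 0 10.1.97.55 TCP_NEGATIVE_HIT/504 4230 GET http://v12.lscache8.c.youtube.com/videoplayback?id=9b7dfa1653cf6c4c - NONE/- text/html
"""


def parse_native_line(line):
    """Split one native-format line into the fields this analysis needs.
    Returns None for blank or malformed lines."""
    fields = line.split(None, 10)
    if len(fields) < 10:
        return None
    tag, _, status = fields[3].partition("/")
    return {"ts": float(fields[0]), "client": fields[2], "tag": tag,
            "status": status, "method": fields[5], "url": fields[6]}


def negative_hit_report(log_text):
    """Group TCP_NEGATIVE_HIT records by (method, url) and attach the earliest
    error response fetched for that request as the 'seed' that populated the
    negative cache. TCP_DENIED is an ACL denial, not a cached error, so it is
    never counted as a seed."""
    report = OrderedDict()
    seeds = {}
    for rec in map(parse_native_line, log_text.splitlines()):
        if rec is None:
            continue
        key = (rec["method"], rec["url"])
        if rec["tag"] == "TCP_NEGATIVE_HIT":
            entry = report.setdefault(key, {"status": rec["status"], "clients": set(),
                                            "hits": 0, "first": rec["ts"], "last": rec["ts"]})
            entry["clients"].add(rec["client"])
            entry["hits"] += 1
            entry["first"] = min(entry["first"], rec["ts"])
            entry["last"] = max(entry["last"], rec["ts"])
        elif rec["status"][:1] in ("4", "5") and rec["tag"] != "TCP_DENIED":
            # first client whose failed fetch could have seeded the negative entry
            seeds.setdefault(key, (rec["client"], rec["ts"]))
    for key, entry in report.items():
        entry["seed"] = seeds.get(key)
    return report


def summarize(report):
    """Rows sorted by blast radius:
    (url, status, seed_client, distinct_clients, hits, span_seconds)."""
    rows = []
    for (_method, url), e in report.items():
        seed_client = e["seed"][0] if e["seed"] else "unknown"
        rows.append((url, e["status"], seed_client, len(e["clients"]), e["hits"],
                     round(e["last"] - e["first"], 3)))
    return sorted(rows, key=lambda r: (-r[3], -r[4]))


if __name__ == "__main__":
    for url, status, seed, n_clients, hits, span in summarize(negative_hit_report(SAMPLE_ACCESS_LOG)):
        print(f"{status} cached error for {url}")
        print(f"    seeded by {seed}, served {hits} times to {n_clients} clients over {span}s")
```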
FW: [squid-users] Youtube -An error occurred, please try again later
My store.logs are the following:

1275025642.358 SWAPOUT 00 8152 04FD0DB17EE9789F06B1386F1D6CDA4D 200 1275025483 1234793502 1275047700 video/x-flv 5142132/5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?ip=0.0.0.0sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3AU0dWSlBPVl9FSkNNNl9ISVpBfexp=907111algorithm=throttle-factoritag=34ipbits=0burst=40sver=3expire=1275048000key=yt1signature=538993A5EE74B6B699669E1D6A89F101C061148B.D937688FE5C5DD2447558E4AB677F51AF69E8A4Efactor=1.25id=8190a1a6ed3647edredirect_counter=1st=ts
1275025600.989 RELEASE -1 85FE590AE3CDAB37631292367AE052AA 200 1275025644-1 41629446 text/xml 66/66 GET http://www.youtube.com/set_awesome?feature=relatedvideo_id=gZChpu02R-0el=detailpagel=125.84w=0.8026064844246662plid=AASHoQDhJ0Nv8M8pt=vjVQa1PpcFO19wc78YvxNbP1S8x1t9MmvNUKqqI8EHk=
1275025495.423 RELEASE -1 E52CA19FA8D0AFC4DD582D9D0B53745B 204 1275025538-1 41629446 text/html 0/0 GET http://www.youtube.com/player_204?rt=63.047shost=v12.lscache8.c.youtube.comv=m336FlPPbEwplid=AASHoQCBv-E--QW6fv=WIN%2010,0,45,2fmt=5el=detailpagescoville=1ec=100fexp=907111event=streamingerror
1275025495.109 RELEASE -1 6B918E2BFCBE3D4B485CF5E1CE53DE7D 504 -1-1-1 text/html 4230/4230 GET http://v12.lscache8.c.youtube.com/videoplayback?ip=0.0.0.0sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3AU0dWSlBPVl9FSkNNNl9ISVpBfexp=907111algorithm=throttle-factoritag=5ipbits=0burst=40sver=3expire=1275048000key=yt1signature=7AF53A87CCB5E0C654C6BE521682B95A981A3A1F.D5A310DFCDF9C4061F378070ACEBDAAE0FA71050factor=1.25id=9b7dfa1653cf6c4c;
1275025494.782 RELEASE -1 36400B0F0D0E460A97CBBDA20D9D13FF 504 -1-1-1 text/html 4230/4230 GET http://v12.lscache8.c.youtube.com/generate_204?ip=0.0.0.0sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3AU0dWSlBPVl9FSkNNNl9ISVpBfexp=907111algorithm=throttle-factoritag=5ipbits=0burst=40sver=3expire=1275048000key=yt1signature=7AF53A87CCB5E0C654C6BE521682B95A981A3A1F.D5A310DFCDF9C4061F378070ACEBDAAE0FA71050factor=1.25id=9b7dfa1653cf6c4c
1275025447.415 RELEASE -1 1C82FB35508E2A7C1628DE606EB7B4AB 204 1275025490-1 41629446 text/html 0/0 GET http://www.youtube.com/player_204?rt=15.015shost=v12.lscache8.c.youtube.comv=m336FlPPbEwplid=AASHoQCBv-E--QW6fv=WIN%2010,0,45,2fmt=5el=detailpagescoville=1ec=102fexp=907111event=streamingerror

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Fri, 28 May 2010 05:33:08 +
Subject: [squid-users] Youtube -An error occurred, please try again later

Hi all,

For some of my YouTube videos I am getting the following error: An error occurred, please try again later. I have confirmed that this only occurs when squid is being used. Find below the relevant information in this regard.

cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
maximum_object_size_in_memory 1024 KB
minimum_object_size 10 KB
quick_abort_min -1 KB
#specific for youtube custom refreshpatterns belowones
refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
refresh_pattern ^http://*.youtube.com/.* 720 100% 4320
refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|mpg|swf|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-private
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl video urlpath_regex \.((mpeg|ra?m|avi|mp(g|e|4)|mov|divx|asf|qt|wmv|m\dv|rv|vob|asx|ogm|flv|3gp)(\?.*)?)$ (get_video\?|videoplayback\?|videodownload\?|\.flv(\?.*)?)
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

The storeurl.pl script I am using is by:
# by chudy_fernan...@yahoo.com
# Updates at http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion

I also have applied the bug fix (src/client_side.c).

Now what is causing this error to occur? And how to resolve it?

thanking you
regards,
Bilal
RE: [squid-users] Youtube -An error occurred, please try again later
Amos/Maurizio :)

Though I am sure that I did not get the joke completely (had I, I would have enjoyed it more), hopefully you have understood the problem, and that was important. I request you to please guide me regarding it and help resolve it. (Also reminds me of Quentin Tarantino, whose movies were without any sequence but fun watching as you have to think randomly.)

p.s. sorry for the mail being sent out of sequence; when I had sent the mail I realized that the store.log would be important for diagnosing and solving, so I appended it in the beginning, which definitely was a mistake.

regards,
Bilal

Date: Fri, 28 May 2010 18:39:39 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: FW: [squid-users] Youtube -An error occurred, please try again later

Maurizio Marini wrote:
On Fri, 28 May 2010 06:15:32 + GIGO . wrote:
My store.logs are following

A. Because people read from top to bottom.
Q. Why should I not top post?

Ah, fun... you know.

sdrawkcab daer lla tnac ew
so please dont posting above the reference
what is top posting?

and my favourite: (can be read by both top and bottom posters. :)

top posting.
why do people still do it?
how can people still do it?
such a worrysome activity reading upwards
RE: [squid-users] Youtube -An error occurred, please try again later
Hi Henrik,

Right now I don't have my access.log (will share it with you after the weekend). However, let me tell you that after setting negative_ttl to 0, apparently the problem was resolved. But I need to be sure about it. Do you think that this has resolved the problem?

regards,
Bilal

Subject: Re: [squid-users] Youtube -An error occurred, please try again later
From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Fri, 28 May 2010 18:53:19 +0200

On Fri 2010-05-28 at 05:33 + GIGO . wrote:
Hi all, For some of my YouTube videos I am getting the following error: An error occurred, please try again later.

What does access.log say?

Regards
Henrik
RE: [squid-users] Running Multiple instances and reporting confusion.
Hi Amos,

Related to my earlier query regarding how to handle reports with multiple instances: the problem was that inst1access.log, though it tracks client activities correctly, gives incorrect information regarding the in-cache returned objects, as the caching part is instead being done by Instance-2. So the SARG reports (parsing of inst1access.log) wrongly depict objects returned from the cache.

Now I just thought of an idea: maybe pointing to the same cache will solve the problem if instance 1 has the no-store option set. Please read below and guide me, I would be thankful.

# INSTANCE-2 Cache directory setup of the instance that is doing the caching/fetching part
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
maximum_object_size_in_memory 1024 KB
quick_abort_min -1 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

# INSTANCE-1 Cache Directory setup thought of for the instance that is user facing
cache_peer 127.0.0.1 parent 1975 0 default no-digest no-query proxy-only
prefer_direct off
# point to the directory of instance 1?
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256 no-store
cache_dir aufs /var/spool/squid 1 16 256
coredump_dir /var/spool/squid
cache_replacement_policy heap GDSF

1. Is it possible for one instance to point to the cache directory of the other instance in read-only mode?
2. My original intention for multiple instances was cache directory failover. However, if the setup mentioned above is possible, then will the setup remain fault tolerant, or will failure of /cachedisk1 now terminate both instances so that it is no longer fault tolerant?

regards,
Bilal

Date: Sat, 22 May 2010 02:18:51 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Running Multiple instances and reporting confusion.

GIGO . wrote:
Hi all, I am running multiple instances of squid on the same machine. One instance is taking the client requests and forwarding them to its parent peer at 127.0.0.1. All is going well. However, there is a confusion related to reporting through SARG. To capture the client activity SARG is parsing the access.log file of the instance that is user facing, which is correct. However, obviously it is depicting wrong in-cache/out-cache figures, as this value should instead come from the instance which is managing/doing the caching. Is there a way/trick to manage this? Is it possible that a cache_hit from a parent cache be recorded as in-cache in the child?

The parent cache with the hier_code ACL type may be able to log only the requests that did not get sent to the child.

The child cache using follow_x_forwarded_for trusting the parent proxy and log_uses_indirect_client should be able to log the remote client IP which connected to the parent with its received requests.

Combining the parent and child proxies' logs line-wise for analysis should then give you the result you want.

That combination is a bit tricky though, since we have only just added TCP reliable logging to Squid-3.2. UDP logging is available for 2.7 and 3.1, but may result in some lost records under high load. With either of those methods you just need a daemon to receive the log traffic and store it in the one file.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
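Amos's last suggestion, combining the two logs line-wise, as an added example that is not code from the thread. It assumes instance-1 forwards X-Forwarded-For and instance-2 runs follow_x_forwarded_for with log_uses_indirect_client, so both logs carry the real client address, and it copies the parent's cache tag onto the user-facing record so a report tool reads the real hit/miss outcome; all log lines are constructed (203.0.113.x and blocked.example are documentation values).

```python
# Constructed native-format access.log excerpts. Instance-1 (user facing, with
# "cache_peer 127.0.0.1 parent 1975 0 default ... proxy-only") logs every
# forwarded request as a MISS. Instance-2 (the caching instance) logs the
# original client address because of follow_x_forwarded_for + log_uses_indirect_client.
# Fields: timestamp elapsed_ms client tag/status bytes method url ident hierarchy/peer type
CHILD_LOG = """\
1275025600.500 210 10.1.97.27 TCP_MISS/200 5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?id=8190a1a6ed3647ed - DEFAULT_PARENT/127.0.0.1 video/x-flv
1275025601.200 5 10.1.97.31 TCP_MISS/200 5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?id=8190a1a6ed3647ed - DEFAULT_PARENT/127.0.0.1 video/x-flv
1275025602.000 0 10.1.97.31 TCP_DENIED/403 1480 GET http://blocked.example/ - NONE/- text/html
1275025603.400 40 10.1.97.42 TCP_MISS/200 66 GET http://www.youtube.com/set_awesome?video_id=gZChpu02R-0 - DEFAULT_PARENT/127.0.0.1 text/xml
"""
PARENT_LOG = """\
1275025600.480 200 10.1.97.27 TCP_MISS/200 5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?id=8190a1a6ed3647ed - DIRECT/203.0.113.10 video/x-flv
1275025601.195 3 10.1.97.31 TCP_MEM_HIT/200 5142132 GET http://r8.ts-bru5.c.youtube.com/videoplayback?id=8190a1a6ed3647ed - NONE/- video/x-flv
1275025603.390 35 10.1.97.42 TCP_REFRESH_HIT/200 66 GET http://www.youtube.com/set_awesome?video_id=gZChpu02R-0 - DIRECT/203.0.113.12 text/xml
"""


def parse_native_line(line):
    """Split one native-format line; keep the raw fields so it can be re-emitted."""
    fields = line.split(None, 10)
    if len(fields) < 10:
        return None
    tag, _, status = fields[3].partition("/")
    return {"fields": fields, "ts": float(fields[0]), "elapsed_ms": int(fields[1]),
            "client": fields[2], "tag": tag, "status": status,
            "method": fields[5], "url": fields[6]}


def format_native(rec):
    """Re-emit a record in native format with its (possibly rewritten) tag."""
    fields = list(rec["fields"])
    fields[3] = rec["tag"] + "/" + rec["status"]
    return " ".join(fields)


def merge_logs(child_text, parent_text, tolerance=1.0):
    """For each user-facing record, find the parent record for the same client,
    method and URL whose completion time falls inside the child's request window
    (the child finishes after the parent does, so the parent's timestamp lies
    between child_ts - elapsed and child_ts, widened by `tolerance` seconds for
    clock jitter) and copy the parent's cache tag onto the child record.
    Each parent record is consumed at most once; unmatched child records
    (e.g. TCP_DENIED handled locally) keep their own tag."""
    parents = [r for r in map(parse_native_line, parent_text.splitlines()) if r]
    used = set()
    merged = []
    for child in filter(None, map(parse_native_line, child_text.splitlines())):
        lo = child["ts"] - child["elapsed_ms"] / 1000.0 - tolerance
        hi = child["ts"] + tolerance
        best = None
        for i, p in enumerate(parents):
            if i in used:
                continue
            if (p["client"], p["method"], p["url"]) != (child["client"], child["method"], child["url"]):
                continue
            if lo <= p["ts"] <= hi and (best is None or
                                        abs(p["ts"] - child["ts"]) < abs(parents[best]["ts"] - child["ts"])):
                best = i
        if best is not None:
            used.add(best)
            child["tag"] = parents[best]["tag"]
        merged.append(child)
    return merged


if __name__ == "__main__":
    # The merged lines are still native format, so a report tool can parse them as-is.
    for rec in merge_logs(CHILD_LOG, PARENT_LOG):
        print(format_native(rec))
```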
[squid-users] Youtube -An error occurred, please try again later
Hi all,

For some of my YouTube videos I am getting the following error: An error occurred, please try again later. I have confirmed that this only occurs when squid is being used. Find below the relevant information in this regard.

cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
maximum_object_size_in_memory 1024 KB
minimum_object_size 10 KB
quick_abort_min -1 KB
#specific for youtube custom refreshpatterns belowones
refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
refresh_pattern ^http://*.youtube.com/.* 720 100% 4320
refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|mpg|swf|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-private
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl video urlpath_regex \.((mpeg|ra?m|avi|mp(g|e|4)|mov|divx|asf|qt|wmv|m\dv|rv|vob|asx|ogm|flv|3gp)(\?.*)?)$ (get_video\?|videoplayback\?|videodownload\?|\.flv(\?.*)?)
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

The storeurl.pl script I am using is by:
# by chudy_fernan...@yahoo.com
# Updates at http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion

I also have applied the bug fix (src/client_side.c).

Now what is causing this error to occur? And how to resolve it?

thanking you
regards,
Bilal
[squid-users] Squid 2.7 working with reference to storeurl/caching?
Hi all,

I request that you please read my squid.conf file and guide me on the order of the directives and any issue, as I am unable to cache a single thing.

Does the order of definition of the following matter?
1. storeurl program
2. refresh patterns
3. storeurl rewrite lists...

I assume:
1. Whenever a user opens a page in his user agent, squid very first of all checks the refresh pattern for deciding whether to search in the cache or go to the web. Am I right?
2. Now if the request matches the storeurl rewrite lists, then the request is forwarded to the storeurl program, which then sees whether the object is available in the cache, in which case it is returned. Otherwise the object is fetched from the web and stored as store_url for future reference. Please guide, I am totally unclear.
3. With the following squid.conf not a single object is being cached. I am not sure what's happening?

# This is the configuration file for instance 2 which is doing all the caching. squid v 2.7 stable 9 is chosen for its store_url feature.
visible_hostname squidlhr1
unique_hostname squidlhr1cache
cache_effective_user proxy
# Directives to enhance security.
allow_underscore off
httpd_suppress_version_string on
forwarded_for off
log_mime_hdrs on
pid_filename /var/run/inst2squid.pid
access_log /var/logs/inst2access.log squid
cache_log /var/logs/inst2cache.log
cache_store_log /var/logs/inst2store.log
http_port 1975
icp_port 0
# This option must be supported through giving at compilation
snmp_port 7172
#Explicit definition of all is must in squid 2.7 version
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# If peering with ISA then following two directives will be required. Otherwise not
#cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query no-delay
#never_direct allow all
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_swap_low 75
#should be 1/4 of the physical memory installed in the system
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4194304 KB
minimum_object_size 10 KB
quick_abort_min -1 KB
cache_replacement_policy heap LFUDA
# This portion is not understood yet well
# Let the clients favorite video site through with full caching
# - they can come from any of a number of youtube.com subdomains.
# - this is NOT ideal, the 'merging' of identical content is really needed here
acl youtube dstdomain .youtube.com
cache allow youtube
#-Refresh Pattern Portion--
# Custom Refresh patterns will come first
# Updates windows/debian etc..
refresh_pattern windowsupdate.com/.*.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern update.microsoft.com/.*.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.microsoft.com/.*.(cab|exe)(\?|$) 518400 100% 518400 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 1440 100% 43200 reload-into-ims
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern .deb$ 518400 100% 518400 override-expire
#specific for youtube custom refreshpatterns belowones
refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
# Other long-lived items
refresh_pattern -i .(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
#Trial/Test
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|mpg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-private
refresh_pattern -i \.(deb|rpm|exe|ram|bin|pdf|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-private
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-private
refresh_pattern -i \.(zip|gz|arj|lha|lzh|tar|tgz|cab|rar)$ 10080 95% 43200 override-expire ignore-no-cache ignore-private
refresh_pattern -i \.(php|asp|aspx|cgi|html|htm|css|js) 1440 40% 40320
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320
refresh_pattern ^http://*.twitter.*/.* 720 100% 4320
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320
refresh_pattern ^http://*.ymail.*/.* 720 100% 4320
refresh_pattern ^http://*.hotmail.*/.* 720 100% 4320
refresh_pattern ^http://*.live.*/.* 720 100% 4320
refresh_pattern ^http://*.wikipedia.*/.* 720 100% 4320
refresh_pattern ^http://wiki.*.*/.* 720 100% 4320
refresh_pattern ^http://*.profile/.* 720 100% 4320
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320
refresh_pattern ^http://*.microsoft.*/.* 720 100% 4320
[squid-users] Runcache script- Lot of confusion
Hi all,

Please guide me about the runcache script behaviour. Up till now I have only understood that this script will check and autorestart squid in case of failure. I also assume that this script should be registered with init.d for startup/shutdown. Where is this script located (2.7 version)? Is it compiled already with the squid code? Is it deprecated now? Must squid be run through the runcache script?

thanking you
Regards
Bilal

My Startup/Shutdown Script for reference:

#!/bin/sh
#
#my script
case $1 in
start)
    /usr/sbin/squid -D -s -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -s -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
stop)
    /usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
    echo Shutting down squid secondary process
    /usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
    echo Shutting down squid main process
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac
[squid-users] Startup/shutdown script which was working perfectly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0
Hi all,

I am able to run squid manually, however whenever I try to run it through the startup/shutdown script it fails. This is the same script that works for squid 3.0 stable 25; however, I am not able to figure out why it is failing on squid 2.7 stable 9. Neither of the instances starts with system startup. Please guide me, I'd be thankful. My startup script and the tail of cache.log for both instances are below.

#!/bin/sh
#
#my script
case $1 in
start)
    /usr/sbin/squid -D -s -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -s -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
stop)
    /usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
    echo Shutting down squid secondary process
    /usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
    echo Shutting down squid main process
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac

tail instance 2 cache file:
2010/05/22 06:05:18| Beginning Validation Procedure
2010/05/22 06:05:18| Completed Validation Procedure
2010/05/22 06:05:18| Validated 0 Entries
2010/05/22 06:05:18| store_swap_size = 0k
2010/05/22 06:05:18| storeLateRelease: released 0 objects
2010/05/22 06:09:28| Preparing for shutdown after 62 requests
2010/05/22 06:09:28| Waiting 30 seconds for active connections to finish
2010/05/22 06:09:28| FD 16 Closing HTTP connection
2010/05/22 06:09:28| WARNING: store_rewriter #1 (FD 7) exited
2010/05/22 06:09:28| Too few store_rewriter processes are running
2010/05/22 06:09:28| Starting new helpers
2010/05/22 06:09:28| helperOpenServers: Starting 1 'storeurl.pl' processes

tail instance 1 cache file:
2010/05/22 06:05:25| 0 Objects expired.
2010/05/22 06:05:25| 0 Objects cancelled.
2010/05/22 06:05:25| 0 Duplicate URLs purged.
2010/05/22 06:05:25| 0 Swapfile clashes avoided.
2010/05/22 06:05:25| Took 0.3 seconds ( 0.0 objects/sec).
2010/05/22 06:05:25| Beginning Validation Procedure
2010/05/22 06:05:25| Completed Validation Procedure
2010/05/22 06:05:25| Validated 0 Entries
2010/05/22 06:05:25| store_swap_size = 0k
2010/05/22 06:05:25| storeLateRelease: released 0 objects
2010/05/22 06:09:28| Preparing for shutdown after 63 requests
2010/05/22 06:09:28| Waiting 30 seconds for active connections to finish
2010/05/22 06:09:28| FD 15 Closing HTTP connection

regards,
Bilal
[squid-users] Memory Considerations when you are running multiple instances of squid on the same server.
Hi All,

Can it be said as a generalization that one can allocate/fix 1/4 of physical RAM for cache mem objects? Will it hold true even when you are running multiple instances??? Please guide how memory handling will be occurring in a multiple instances setup??? cache_mem will be influencing per instance and not the program as a whole, right?

My setup: I am running multiple instances. I have 8 GB physical memory installed. The OS is installed on RAID1, which has a 10GB cache for instance1. This will only come into play if my cache disk fails. For actual caching, a 71 GB HD 15K SAS -- 50 GB has been defined for the cache directory, which is controlled by the second instance...

Thanking you
regards,
Bilal
RE: [squid-users] Memory Considerations when you are running multiple instances of squid on the same server.
Thank you for explaining well.

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Fri, 21 May 2010 09:53:06 +0200
Subject: Re: [squid-users] Memory Considerations when you are running multiple instances of squid on the same server.

On Fri 2010-05-21 at 06:38 + GIGO . wrote:
Can it be said as a generalization that one can allocate/fix 1/4 of physical RAM for cache mem objects? Will it hold true even when you are running multiple instances???

I would not generalize a rule like that. It is a reasonable recommendation when sizing the system, but also depends on how your Squid is being used. A reverse proxy benefits much more from cache_mem than a normal forward proxy, and in a forward proxy you may want to give priority to on-disk cache instead.

memory usage per Squid = cache size (in GB) * 10 MB + cache_mem + 10MB.

memory usage by OS: Leave at least 25%. In smaller configurations up to 50%.

system memory requirement = sum(squid instances) + system memory = sum(squid instances) / 0.75.

If you inverse the above calculation then you'll notice that cache size is a function of cache_mem. If one is increased then the other needs to be decreased.

Note: if you also log in on the server using a graphical desktop (not recommended) then reserve about 1GB for that.

Please guide how memory handling will be occurring in a multiple instances setup??? cache_mem will be influencing per instance and not the program as a whole, right?

Right.

Regards
Henrik
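Henrik's sizing rule carried through for the setup Bilal described, as an added example that is not from the thread; it also computes the inverse he mentions (largest cache_mem or cache_dir that still fits). Instance 1's cache_mem is not stated in the thread, so Squid 2.7's compiled-in default of 8 MB is assumed.

```python
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    cache_gb: float       # total cache_dir size of this instance, in GB
    cache_mem_mb: float   # its cache_mem directive, in MB

    def memory_mb(self):
        # Henrik's rule: memory usage per Squid =
        #   cache size (GB) * 10 MB + cache_mem + 10 MB
        return self.cache_gb * 10 + self.cache_mem_mb + 10


def system_requirement_mb(instances, os_share=0.25, desktop=False):
    """RAM the whole box needs: the instances' sum divided by the fraction left
    after the OS share (at least 25%; up to 50% on small boxes), plus about
    1 GB if someone logs in with a graphical desktop."""
    total = sum(i.memory_mb() for i in instances)
    return total / (1 - os_share) + (1024 if desktop else 0)


def fits(instances, ram_mb, os_share=0.25, desktop=False):
    """True if the configured instances leave the OS its share of ram_mb."""
    return system_requirement_mb(instances, os_share, desktop) <= ram_mb


def max_cache_mem_mb(ram_mb, cache_gb, other_instances=(), os_share=0.25):
    """Inverse of the rule: the largest cache_mem one instance may have for a
    given cache_dir size once the OS share and the other instances are reserved."""
    budget = ram_mb * (1 - os_share) - sum(i.memory_mb() for i in other_instances)
    return max(0.0, budget - cache_gb * 10 - 10)


def max_cache_gb(ram_mb, cache_mem_mb, other_instances=(), os_share=0.25):
    """The other inverse: the largest cache_dir total for a fixed cache_mem."""
    budget = ram_mb * (1 - os_share) - sum(i.memory_mb() for i in other_instances)
    return max(0.0, (budget - cache_mem_mb - 10) / 10)


# Bilal's setup as stated in the thread: 8 GB RAM, instance 2 caches on a
# 50 GB cache_dir with cache_mem 1000 MB, instance 1 keeps a 10 GB fallback
# cache_dir. Instance 1's cache_mem is an assumption (Squid 2.7 default, 8 MB).
INSTANCE1 = Instance("instance1 (user facing, fallback cache)", cache_gb=10, cache_mem_mb=8)
INSTANCE2 = Instance("instance2 (caching)", cache_gb=50, cache_mem_mb=1000)
RAM_MB = 8 * 1024

if __name__ == "__main__":
    for inst in (INSTANCE1, INSTANCE2):
        print(f"{inst.name}: {inst.memory_mb():.0f} MB")
    need = system_requirement_mb([INSTANCE1, INSTANCE2])
    print(f"system requirement with 25% for the OS: {need:.0f} MB "
          f"({'fits' if fits([INSTANCE1, INSTANCE2], RAM_MB) else 'does not fit'} in {RAM_MB} MB)")
    print(f"largest cache_mem for instance2 at 50 GB: {max_cache_mem_mb(RAM_MB, 50, [INSTANCE1]):.0f} MB")
    print(f"largest cache_dir for instance2 at cache_mem 1000 MB: {max_cache_gb(RAM_MB, 1000, [INSTANCE1]):.1f} GB")
```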
[squid-users] squid_kerb_auth Squid_kerb_ldap (Squid 2.7)
Hi all,

Do squid_kerb_auth and squid_kerb_ldap work fine in squid 2.7 like in squid 3.x? Are these the correct options?

./configure *...*--enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth

One more question: I have not mentioned squid_kerb_ldap here; is it being covered through --enable-external-acl-helpers=ldap_group???

regards,
Bilal
RE: [squid-users] squid_kerb_auth Squid_kerb_ldap (Squid 2.7)
Thank you!

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Thu, 20 May 2010 11:24:15 +0200
Subject: Re: [squid-users] squid_kerb_auth Squid_kerb_ldap (Squid 2.7)

On Thu 2010-05-20 at 07:52 + GIGO . wrote:
Do squid_kerb_auth and squid_kerb_ldap work fine in squid 2.7 like in squid 3.x?

Yes.

./configure *...*--enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth

Looks reasonable to me.

One more question: I have not mentioned squid_kerb_ldap here; is it being covered through --enable-external-acl-helpers=ldap_group???

squid_kerb_ldap is not (yet) included in the Squid distribution and needs to be compiled separately.

Regards
Henrik
RE: [squid-users] SELINUX issue(confinedunconfined)
Hi,

I use CENTOS 5.3 and currently have no knowledge of SELinux, as yesterday was the first time I studied it. As you could have guessed, I am a newbie in the Linux field. Yes, I have been assigned the project of migrating from ISA to squid (management, having confidence in my capability to learn/understand things, has assigned it...). And I assume it would take quite a time to be able to build the policy myself, for which I am short of time. So I am thinking of pending it for some future time and concentrating on other issues/stabilization that are necessary for the required basic functionality. Once the project is piloted and management shows confidence in me, I can do more challenging tasks like this. But if you think it's really very necessary, then definitely I will look forward to completing this task before piloting. Any tips/guidance will be warmly welcomed.

Thanking you
regards,
Bilal

Date: Wed, 19 May 2010 11:33:40 +0200
From: tiery.de...@gmail.com
To: gi...@msn.com
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Hi,

In permissive mode you only get logs, but SELinux will not be active (it will not forbid unauthorized access). Usually you put SELinux in permissive mode only in order to get all the access-denied logs in audit.log, in order to build a policy module or adjust file contexts.

I suggest you spend some time on SELinux; it can really increase the security of your proxy server. But you will need to build a policy module for squid_kerb_auth, which is not currently supported by the SELinux policy on Red Hat-like systems.

What distribution do you use?

Tiery

On Wed, May 19, 2010 at 6:17 AM, GIGO . wrote:
Thank you, I will give it a try. However, I am also thinking of running SELinux in permissive mode for my proxy server. What do you say about it?
regards,
Bilal

Date: Tue, 18 May 2010 15:00:05 +0200
From: tiery.de...@gmail.com
To: gi...@msn.com
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Okay, I have also worked on a similar project (squid/kerberos/selinux). I installed squid in /usr/local/squid but I had to modify /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my squid directory.

/usr/local/squid/etc(/.*)?               system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/logs(/.*)?          system_u:object_r:squid_log_t:s0
/usr/local/squid/share(/.*)?             system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/cache(/.*)?         system_u:object_r:squid_cache_t:s0
/usr/local/squid/sbin/squid          --  system_u:object_r:squid_exec_t:s0
/usr/local/squid/var/logs/squid\.pid --  system_u:object_r:squid_var_run_t:s0
/usr/local/squid/libexec(/.*)?           system_u:object_r:lib_t:s0
/usr/local/squid                     -d  system_u:object_r:bin_t:s0
/usr/local/squid/var                 -d  system_u:object_r:var_t:s0

Then restore the context (with restorecon, or .autorelabel and reboot).

But I am not sure modifying this file is the best way. If you update your SELinux policy, the change will not be persistent. I think it is better to build an SELinux module for our squid.

Tiery

On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote:

Yes, I am using a compiled version. I have used this command

chcon -t unconfined_exec_t /usr/sbin/squid

and it's working now. Is this a security issue?

regards,
Bilal

Date: Tue, 18 May 2010 14:26:06 +0200
From: tiery.de...@gmail.com
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Hi,

ps -Z = squid_t and getenforce = enforcing: squid is started with SELinux.

Red Hat/CentOS platform: if squid is installed with yum, squid will be started with a squid_t SELinux context. If you compile your squid and install it, you will have to change the squid file contexts manually. As I see you have squid_kerb_plugin, you must have compiled your squid to support Kerberos, no?

---

For your problem: try to check the SELinux log:

audit2allow -al
or
cat /var/log/audit/audit.log | audit2allow

You can also try to restore the SELinux context for all squid files:

restorecon -R /etc/squid
restorecon -R /var/log/squid
etc...

or

touch /.autorelabel

and reboot.

Tiery

On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:

Dear All,

Your guidance is required. Please help.

It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?

[r...@squidlhr ~]# ps -eZ | grep squid
system_u:system_r:squid_t 3173 ? 00:00:00 squid
system_u:system_r:squid_t 3175 ? 00:00:00 squid
system_u:system_r:squid_t 3177 ? 00:00:00 squid
system_u:system_r:squid_t 3179 ? 00:00:00 squid
system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
[squid-users] Squid 3.1.3 squid 2.7 running together on the same server.
Hi All,

I was running multiple instances of squid 3.0 Stable 25 on the same server successfully. However I intend to run squid 2.7 and 3.1.3 on the same server now, the reason being 2.7's enhanced support for dynamic content caching. (Earlier the main intention of using multiple instances was to give fault tolerance against cache failure.)

My question is whether this is possible? Will there be any special changes I will be requiring?

Below is a copy of squid instance 2, which I will be using for caching. Please peruse it in the context of youtube/facebook caching specifically. If you notice any other drawback/discrepancy please do guide about it as well; I would be really, really thankful. (I have also altered client_side.c as per the guide available on the squid-cache web site.)

-
visible_hostname squidl...@virtual.local
unique_hostname squidlhr1cache
pid_filename /var/run/inst2squid.pid
http_port 1975
icp_port 0
snmp_port 7172
access_log /var/logs/inst2access.log squid
cache_log /var/logs/inst2cache.log
cache_store_log /var/logs/inst2store.log
cache_effective_user proxy
cache_mgr squidadm...@virtual.local
# If peering with ISA then following options will be required. Otherwise not
#cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query no-delay
#never_direct allow all
# Hard disk size 71gb SAS 15k dedicated for caching. Operating system is on RAID1.
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_swap_low 75
#should be 1/4 of the physical memory installed in the system
cache_mem 1000 MB
range_offset_limit -1 KB
maximum_object_size 4 GB
minimum_object_size 10 KB
quick_abort_min -1 KB
# not yet sure that what options during compilation should be provided and if i have defined this directive correctly
cache_replacement_policy heap
#-Refresh Pattern Portion--
# Custom Refresh patterns will come first
#specific for youtube custom refreshpatterns belowones
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 override-expire ignore-reload
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 99 ignore-no-cache override-expire ignore-private
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# This portion is not understood yet well what does it mean?
# Let the clients favorite video site through with full caching
# - they can come from any of a number of youtube.com subdomains.
# - this is NOT ideal, the 'merging' of identical content is really needed here
acl youtube dstdomain .youtube.com
cache allow youtube
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
# storeurl rewrite helper program
storeurl_rewrite_program /usr/local/etc/squid/storeurl.pl
storeurl_access allow store_rewrite_list
storeurl_access deny all
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10
#Allow access from localhost only
http_access allow localhost
http_access deny all
-

This is the script I am looking forward to using, as per the configuration guide.

--
#!/bin/perl
# your perl location in here, mine is /bin/perl
$|=1;
# Squid 2.7 storeurl_rewrite protocol with concurrency: each request line is
# "ID URL client ident method"; the answer is "ID rewritten-URL".
while (<STDIN>) {
    @X = split;
    $x = $X[0];
    $_ = $X[1];
    # (The first branch of the original if/elsif chain is missing from the
    # posted copy; only the itag/id branch survived.)
    if (m/^http:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com).*?\&(itag=[0-9]*).*?\&(id=[a-zA-Z0-9]*)/) {
        # Collapse every YouTube CDN host to one internal key so the same
        # video fetched from different servers shares a single cache object.
        print $x . "http://video-srv.youtube.com.SQUIDINTERNAL/" . $2 . "&" . $3 . "\n";
    } else {
        print $x . $_ . "\n";
    }
}
--

Just for completeness' sake, here is the copy of my squid.conf that is user facing. However, if somebody could give suggestions on it as well I will definitely be really thankful.

# This is the configuration file for instance1 which is serving the user requests by forwarding them to the local parent peer. All the logic of Authentication/Access control is built here. Name this file squidinst1.conf
#---Adminsitrative Section-
visible_hostname squidLhr1
unique_hostname squidlhr1main
pid_filename /var/run/inst1squid.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/inst1access.log squid
cache_log /var/logs/inst1cache.log
cache_store_log /var/logs/inst1store.log
cache_effective_user proxy
cache_mgr
[squid-users] SELINUX issue
Hi all,

When I change SELinux from permissive mode to enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.

---Excerpts from cache.log---
2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:51| Store rebuilding is 7.91% complete
2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
2010/05/18 10:31:52| Finished rebuilding storage from disk.
2010/05/18 10:31:52| 51794 Entries scanned
2010/05/18 10:31:52| 0 Invalid entries.
2010/05/18 10:31:52| 0 With invalid flags.
2010/05/18 10:31:52| 51794 Objects loaded.
2010/05/18 10:31:52| 0 Objects expired.
2010/05/18 10:31:52| 0 Objects cancelled.
2010/05/18 10:31:52| 0 Duplicate URLs purged.
2010/05/18 10:31:52| 0 Swapfile clashes avoided.
2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
2010/05/18 10:31:52| Beginning Validation Procedure
2010/05/18 10:31:52| Completed Validation Procedure
2010/05/18 10:31:52| Validated 103614 Entries
2010/05/18 10:31:52| store_swap_size = 913364
2010/05/18 10:31:52| storeLateRelease: released 0 objects
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
2010/05/18 10:31:52|   always_direct = 0
2010/05/18 10:31:52|    never_direct = 1
2010/05/18 10:31:52|        timedout = 0
2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm

regards,
Bilal
RE: [squid-users] SELINUX issue(confinedunconfined)
Dear All,

Your guidance is required. Please help.

It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?

[r...@squidlhr ~]# ps -eZ | grep squid
system_u:system_r:squid_t 3173 ? 00:00:00 squid
system_u:system_r:squid_t 3175 ? 00:00:00 squid
system_u:system_r:squid_t 3177 ? 00:00:00 squid
system_u:system_r:squid_t 3179 ? 00:00:00 squid
system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd

It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.

When running as an unconfined process by the following command the problem was resolved:

chcon -t unconfined_exec_t /usr/sbin/squid

However it does not feel appropriate to me. Please guide me on this.

I am starting squid with the following init script, if it has something to do with the problem:

#!/bin/sh
#
#my script
case "$1" in
start)
    /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
stop)
    /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
    echo Shutting down squid secondary process
    /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
    echo Shutting down squid main process
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac

Thanking you

regards,
Bilal

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Tue, 18 May 2010 06:02:35 +0000
Subject: [squid-users] SELINUX issue

Hi all,

When I change SELinux from permissive mode to enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.

---Excerpts from cache.log---
2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:51| Store rebuilding is 7.91% complete
2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
2010/05/18 10:31:52| Finished rebuilding storage from disk.
2010/05/18 10:31:52| 51794 Entries scanned
2010/05/18 10:31:52| 0 Invalid entries.
2010/05/18 10:31:52| 0 With invalid flags.
2010/05/18 10:31:52| 51794 Objects loaded.
2010/05/18 10:31:52| 0 Objects expired.
2010/05/18 10:31:52| 0 Objects cancelled.
2010/05/18 10:31:52| 0 Duplicate URLs purged.
2010/05/18 10:31:52| 0 Swapfile clashes avoided.
2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
2010/05/18 10:31:52| Beginning Validation Procedure
2010/05/18 10:31:52| Completed Validation Procedure
2010/05/18 10:31:52| Validated 103614 Entries
2010/05/18 10:31:52| store_swap_size = 913364
2010/05/18 10:31:52| storeLateRelease: released 0 objects
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
2010/05/18 10:31:52|   always_direct = 0
2010/05/18 10:31:52|    never_direct = 1
2010/05/18 10:31:52|        timedout = 0
2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm

regards,
Bilal
[squid-users] Running Multiple instances and reporting confusion.
Hi all,

I am running multiple instances of squid on the same machine. One instance is taking the clients' requests and forwarding them to its parent peer at 127.0.0.1. All is going well. However there is a confusion related to reporting through sarg. To capture the client activity sarg is parsing the access.log file of the user-facing instance, which is correct. However, obviously it is depicting wrong in-cache/out-cache figures, as this value should instead come from the instance which is managing/doing the caching. Is there a way/trick to manage this? Is it possible that a cache hit from a parent cache be recorded as in-cache in the child?

Instance 1: # Fulfilling client requests and fault tolerant in case of a cache disk failure.
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only

Instance 2: Directly connected to the internet and doing all the caching... only allowed access from localhost.

Thanks

regards,
Bilal
RE: [squid-users] SELINUX issue(confinedunconfined)
Yes, I am using a compiled version. I have used this command

chcon -t unconfined_exec_t /usr/sbin/squid

and it's working now. Is this a security issue?

regards,
Bilal

Date: Tue, 18 May 2010 14:26:06 +0200
From: tiery.de...@gmail.com
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Hi,

ps -Z = squid_t and getenforce = enforcing: squid is started with SELinux.

Red Hat/CentOS platform: if squid is installed with yum, squid will be started with a squid_t SELinux context. If you compile your squid and install it, you will have to change the squid file contexts manually. As I see you have squid_kerb_plugin, you must have compiled your squid to support Kerberos, no?

---

For your problem: try to check the SELinux log:

audit2allow -al
or
cat /var/log/audit/audit.log | audit2allow

You can also try to restore the SELinux context for all squid files:

restorecon -R /etc/squid
restorecon -R /var/log/squid
etc...

or

touch /.autorelabel

and reboot.

Tiery

On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:

Dear All,

Your guidance is required. Please help.

It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?

[r...@squidlhr ~]# ps -eZ | grep squid
system_u:system_r:squid_t 3173 ? 00:00:00 squid
system_u:system_r:squid_t 3175 ? 00:00:00 squid
system_u:system_r:squid_t 3177 ? 00:00:00 squid
system_u:system_r:squid_t 3179 ? 00:00:00 squid
system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd

It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.

When running as an unconfined process by the following command the problem was resolved:

chcon -t unconfined_exec_t /usr/sbin/squid

However it does not feel appropriate to me. Please guide me on this.

I am starting squid with the following init script, if it has something to do with the problem:

#!/bin/sh
#
#my script
case "$1" in
start)
    /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
stop)
    /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
    echo Shutting down squid secondary process
    /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
    echo Shutting down squid main process
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac

Thanking you

regards,
Bilal

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Tue, 18 May 2010 06:02:35 +0000
Subject: [squid-users] SELINUX issue

Hi all,

When I change SELinux from permissive mode to enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.

---Excerpts from cache.log---
2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:51| Store rebuilding is 7.91% complete
2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
2010/05/18 10:31:52| Finished rebuilding storage from disk.
2010/05/18 10:31:52| 51794 Entries scanned
2010/05/18 10:31:52| 0 Invalid entries.
2010/05/18 10:31:52| 0 With invalid flags.
2010/05/18 10:31:52| 51794 Objects loaded.
2010/05/18 10:31:52| 0 Objects expired.
2010/05/18 10:31:52| 0 Objects cancelled.
2010/05/18 10:31:52| 0 Duplicate URLs purged.
2010/05/18 10:31:52| 0 Swapfile clashes avoided.
2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
2010/05/18 10:31:52| Beginning Validation Procedure
2010/05/18 10:31:52| Completed Validation Procedure
2010/05/18 10:31:52| Validated 103614 Entries
2010/05/18 10:31:52| store_swap_size = 913364
2010/05/18 10:31:52| storeLateRelease: released 0 objects
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:52| Failed to select
RE: [squid-users] SELINUX issue(confinedunconfined)
Thank you, I will give it a try. However I am also thinking of running SELinux in permissive mode for my proxy server. What do you say about it?

regards,
Bilal

Date: Tue, 18 May 2010 15:00:05 +0200
From: tiery.de...@gmail.com
To: gi...@msn.com
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Okay, I have also worked on a similar project (squid/kerberos/selinux). I installed squid in /usr/local/squid but I had to modify /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my squid directory.

/usr/local/squid/etc(/.*)?               system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/logs(/.*)?          system_u:object_r:squid_log_t:s0
/usr/local/squid/share(/.*)?             system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/cache(/.*)?         system_u:object_r:squid_cache_t:s0
/usr/local/squid/sbin/squid          --  system_u:object_r:squid_exec_t:s0
/usr/local/squid/var/logs/squid\.pid --  system_u:object_r:squid_var_run_t:s0
/usr/local/squid/libexec(/.*)?           system_u:object_r:lib_t:s0
/usr/local/squid                     -d  system_u:object_r:bin_t:s0
/usr/local/squid/var                 -d  system_u:object_r:var_t:s0

Then restore the context (with restorecon, or .autorelabel and reboot).

But I am not sure modifying this file is the best way. If you update your SELinux policy, the change will not be persistent. I think it is better to build an SELinux module for our squid.

Tiery

On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote:

Yes, I am using a compiled version. I have used this command

chcon -t unconfined_exec_t /usr/sbin/squid

and it's working now. Is this a security issue?

regards,
Bilal

Date: Tue, 18 May 2010 14:26:06 +0200
From: tiery.de...@gmail.com
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SELINUX issue(confinedunconfined)

Hi,

ps -Z = squid_t and getenforce = enforcing: squid is started with SELinux.

Red Hat/CentOS platform: if squid is installed with yum, squid will be started with a squid_t SELinux context. If you compile your squid and install it, you will have to change the squid file contexts manually. As I see you have squid_kerb_plugin, you must have compiled your squid to support Kerberos, no?

---

For your problem: try to check the SELinux log:

audit2allow -al
or
cat /var/log/audit/audit.log | audit2allow

You can also try to restore the SELinux context for all squid files:

restorecon -R /etc/squid
restorecon -R /var/log/squid
etc...

or

touch /.autorelabel

and reboot.

Tiery

On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:

Dear All,

Your guidance is required. Please help.

It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?

[r...@squidlhr ~]# ps -eZ | grep squid
system_u:system_r:squid_t 3173 ? 00:00:00 squid
system_u:system_r:squid_t 3175 ? 00:00:00 squid
system_u:system_r:squid_t 3177 ? 00:00:00 squid
system_u:system_r:squid_t 3179 ? 00:00:00 squid
system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd

It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.

When running as an unconfined process by the following command the problem was resolved:

chcon -t unconfined_exec_t /usr/sbin/squid

However it does not feel appropriate to me. Please guide me on this.

I am starting squid with the following init script, if it has something to do with the problem:

#!/bin/sh
#
#my script
case "$1" in
start)
    /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
stop)
    /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
    echo Shutting down squid secondary process
    /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
    echo Shutting down squid main process
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac

Thanking you

regards,
Bilal

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Tue, 18 May 2010 06:02:35 +0000
Subject: [squid-users] SELINUX issue

Hi all,

When I change SELinux from permissive mode to enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.

---Excerpts from cache.log---
2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
2010/05/18 10:31:51| Store rebuilding is 7.91% complete
2010/05/18 10:31:52| Done
RE: [squid-users] SELINUX issue
Mine is a compiled version of squid; does it matter? Is it true that binaries available through a distro by default run in a confined domain, and in case squid is compiled it will run in an unconfined domain? So I assume that my squid will run in an unconfined domain; however it was still giving that error.

Your further guidance will be really valuable.

thanking you
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Tue, 18 May 2010 21:12:52 +0200
Subject: Re: [squid-users] SELINUX issue

On Tue 2010-05-18 at 06:02 +0000, GIGO . wrote:

2010/05/18 10:31:52| storeLateRelease: released 0 objects
2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed

setsebool -P squid_connect_any true

should help there.

Regards
Henrik
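The following is an added example, not code from this thread, from Squid or from the SELinux tooling. It ties together the two answers above: Tiery's point that a self-compiled Squid needs its files relabelled (and that editing file_contexts by hand is lost on a policy update), and Henrik's squid_connect_any boolean for the failed connect to the parent on 127.0.0.1:3128. It does the first thing one would do before reaching for audit2allow: parse the AVC records in /var/log/audit/audit.log and name the remedy each denial points at. The audit.log lines are constructed; the port and file type names (squid_port_t, squid_conf_t, ...) and the remedy mapping are assumptions about the RHEL/CentOS 5 targeted policy.

```python
"""Triage SELinux AVC denials logged for a confined Squid (squid_t).

Added example. Parses 'type=AVC' records and maps each denial to a remedy:
a boolean (squid_connect_any), a persistent relabel for a self-compiled
install, or a custom policy module for anything else.
"""
import re

# Constructed sample. Line 1 mimics the parent-peer connect to 127.0.0.1:3128
# that fails in the thread's cache.log; lines 3-4 mimic files of a Squid
# installed under a non-default prefix that still carry generic labels.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274171512.123:4711): avc:  denied  { name_connect } for  pid=3175 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1274171512.123:4711): arch=40000003 syscall=102 success=no exit=-13 comm="squid"
type=AVC msg=audit(1274171513.456:4712): avc:  denied  { read } for  pid=3175 comm="squid" name="squidcache.conf" dev=sda2 ino=12345 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274171514.789:4713): avc:  denied  { append } for  pid=3175 comm="squid" name="inst2access.log" dev=sda2 ino=22222 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1274171515.000:4714): avc:  denied  { execmem } for  pid=3175 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels the stock squid policy puts on Squid's own files (assumption; the
# same names appear in the file_contexts list earlier in the thread).
SQUID_FILE_TYPES = {"squid_conf_t", "squid_log_t", "squid_cache_t",
                    "squid_exec_t", "squid_var_run_t"}


def parse_avc(line):
    """Return a dict for one 'type=AVC ... denied' record, None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # contexts are user:role:type[:level]; policy rules key on the type field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def guess_file_type(name):
    """Pick the squid_* label a mislabelled file most likely needs, from its name."""
    if name.endswith(".conf"):
        return "squid_conf_t"
    if name.endswith(".log"):
        return "squid_log_t"
    if name.endswith(".pid"):
        return "squid_var_run_t"
    return None


def suggest(rec):
    """Map one parsed denial to (kind, remedy); kind is boolean, relabel or module."""
    if rec["stype"] != "squid_t":
        return ("module", "not a squid_t denial; triage separately")
    if rec.get("tclass") == "tcp_socket" and "name_connect" in rec["perms"]:
        # Outbound connect to a port the policy does not pre-approve for
        # squid_t (here the parent peer on 3128): the case Henrik answered.
        return ("boolean", "setsebool -P squid_connect_any true")
    if rec.get("tclass") in ("file", "dir", "lnk_file") and rec["ttype"] not in SQUID_FILE_TYPES:
        name = rec.get("name", "?")
        want = guess_file_type(name) or "<matching squid_* type>"
        # Persistent fix: register the context with semanage, then relabel.
        # Editing file_contexts directly is undone by the next policy update.
        return ("relabel",
                "semanage fcontext -a -t %s '<full path of %s>' && restorecon -v '<full path of %s>'"
                % (want, name, name))
    return ("module",
            "audit2allow -M squidlocal < /var/log/audit/audit.log && semodule -i squidlocal.pp")


def triage(audit_text):
    """Return [(kind, remedy), ...] for every AVC denial in the audit log text."""
    return [suggest(rec) for rec in map(parse_avc, audit_text.splitlines()) if rec]


if __name__ == "__main__":
    for kind, remedy in triage(SAMPLE_AUDIT_LOG):
        print("%-8s %s" % (kind, remedy))
```

Run it against the real log with `triage(open("/var/log/audit/audit.log").read())`. The point of the three kinds is that they are not interchangeable: a boolean is a documented, revertible policy switch; a relabel only restores what the stock policy already intended for a non-default prefix; a generated module grants whatever the denials asked for, so its .te file should be read before `semodule -i`. None of them is the `chcon -t unconfined_exec_t` shortcut, which takes Squid out of the confined domain entirely.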
[squid-users] Squid Compilation
Hi All,

Your guidance is required regarding compilation. I had compiled squid-3.0.STABLE25 with the following options:

./configure --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-cache-digests --enable-removal-policies=lru --enable-delay-pools --enable-storeio=aufs,ufs --with-large-files --disable-ident-lookups --with-default-user=proxy --enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth

I wonder how my squid_kerb_ldap helper, which I was using for authorization, was working, as I did not mention it during compilation??

The second question is that as I have decided to upgrade to 3.1.3, where I also want to include heap support, how do I do it? Just adding this option --enable-removal-policies=lru,heap while keeping the other options the same??

In my squid.conf I had this directive:

cache_replacement_policy lru

How would/should it be redefined/changed for optimal performance? (A single hard disk is being used for caching, 71 GB SAS 15k, out of which 50 GB is allocated to the cache directory.)

regards,
Bilal
[squid-users] never_direct/always_direct
Dear all,

never_direct/always_direct

Why did two directives have to be created while one directive could have done the trick? Please guide.

regards,
Bilal
RE: [squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube
You recommended the change in order of refresh_patterns; the same is written in the reference materials. I tried to understand what the reason for that could be but have no clue yet. Please guide.

Further, for Windows clients (XP with Service Pack 3 and the latest Windows, mostly) do I need to manually do the configuration of the WinHTTP proxy settings through proxycfg.exe on each computer?

regards,
Bilal

---
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487

Amos: The youtube pattern and all other custom refresh_patterns need to be configured above the default set (ftp:, gopher:, cgi-bin, and .).

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

Amos: This dynamic content needs to be between the refresh_pattern ^gopher: and the refresh_pattern . patterns.

Date: Sat, 15 May 2010 18:57:18 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube

GIGO . wrote:

All,

I am really sorry, I was looking at the access.log file of the squid instance that is user facing and not the instance that is doing the fetching/caching, and there I can see mp4 files being cached. However I am not very confident about my settings, so please read my queries and the configuration file and advise. I would be really thankful.

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Fri, 14 May 2010 12:00:46 +0000
Subject: [squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube

Dear All,

I require your help and guidance regarding dynamic content caching. Following are the queries.

1. I am running squid in multiple instances mode (for cache disk failure protection). I don't think that it has any effect on internet object caching? I am confused whether the CONNECT methods are to be duplicated on both of the instances or I have configured it right, especially in the perspective of Windows Update.

Depends on whether the port the cache instance is listening on is reachable by external people; if it is, then its Squid will definitely need the http_access security settings turned on as well.

2. As rewrite_url is not exported in new versions (version 3 and above) of squid, is it still possible for squid to cache facebook/youtube videos? Have I configured it correctly? As I have seen no TCP_HIT for mp3, mp4 etc., I think caching is not done.

If you meant to write storeurl_rewrite? then yes. That particular method of caching them is not possible yet in 3.x. YouTube will still cache using the low-efficiency duplicate-object way it does most places.

3. Please can you check my configuration for Windows Update? Is there anything else which I have missed there? How could I assure that Windows Update is being cached properly?

You don't show any http_access rules from the cache instance. The default is to block all access through that instance. The main instance is okay.

Through studying online tutorials, mail archive support and the best of my understanding I have configured squid as follows. Please peruse and guide.

-- Squid Cache Instance:
visible_hostname squidlhr.v.local
unique_hostname squidcacheinstance
pid_filename /var/run/squidcache.pid
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_swap_low 75
cache_mem 1000 MB
range_offset_limit -1
maximum_object_size 4096 MB
minimum_object_size 10 KB
quick_abort_min -1
cache_replacement_policy heap
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#specific for youtube belowone
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487

The youtube pattern and all other custom refresh_patterns need to be configured above the default set (ftp:, gopher:, cgi-bin, and .).

# For any dynamic content caching.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

This dynamic content needs to be between the refresh_pattern ^gopher: and the refresh_pattern . patterns.

-- Squid Main Instance:
visible_hostname squidlhr
unique_hostname squidmain
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query
prefer_direct off
cache_dir aufs /var/spool/squid 1 16 256
coredump_dir /var/spool/squid
cache_swap_low 75
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

(should be set on all squid caching or handling dynamic objects, even in memory-only mode).

refresh_pattern
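As an added illustration of the ordering rule Amos gives above (this is not code from the thread or from Squid), the script below emulates Squid's refresh_pattern selection: lines are tried top to bottom and the first regex that matches anywhere in the URL wins, so everything below a catch-all like `refresh_pattern . 0 20% 4320` is dead configuration. Both configs reuse the thread's own patterns; the 99% on the YouTube line is an assumed value, since that field is missing on the page.

```python
"""Emulate Squid's first-match refresh_pattern selection over two orderings.

Added example. The config strings below are the thread's patterns in the
order first posted (WRONG_ORDER) and in the order Amos recommends
(RIGHT_ORDER); the 99% on the YouTube line is an assumed value.
"""
import re

# Order as first posted: the catch-all '.' sits above the YouTube and
# dynamic-content lines, so neither of them is ever reached.
WRONG_ORDER = r"""
refresh_pattern ^ftp:       1440 20% 10080
refresh_pattern ^gopher:    1440 0%  1440
refresh_pattern .           0    20% 4320
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99% 5259487 override-expire ignore-reload
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
"""

# Recommended order: custom patterns first (above the '?' rule, because the
# video URLs contain a '?'), dynamic-content rule between ^gopher: and '.',
# and the catch-all last.
RIGHT_ORDER = r"""
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99% 5259487 override-expire ignore-reload
refresh_pattern ^ftp:       1440 20% 10080
refresh_pattern ^gopher:    1440 0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .           0    20% 4320
"""


def parse_refresh_patterns(conf_text):
    """Parse 'refresh_pattern [-i] REGEX MIN PERCENT MAX [options]' lines in file order."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":          # -i makes the regex case-insensitive
            flags = re.IGNORECASE
            parts = parts[1:]
        rules.append({
            "pattern": parts[0],
            "regex": re.compile(parts[0], flags),
            "min": int(parts[1]),
            "percent": int(parts[2].rstrip("%")),
            "max": int(parts[3]),
            "options": parts[4:],
        })
    return rules


def match_rule(rules, url):
    """First rule whose regex matches anywhere in the URL wins, as in Squid."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None


def effective_pattern(conf_text, url):
    """Pattern text of the rule Squid would apply to url (None if nothing matches)."""
    rule = match_rule(parse_refresh_patterns(conf_text), url)
    return rule["pattern"] if rule else None


if __name__ == "__main__":
    urls = [
        "http://v1.cache.youtube.com/videoplayback?id=abc&itag=34",
        "http://example.com/cgi-bin/search.cgi?q=squid",
        "http://example.com/static/logo.png",
        "ftp://mirror.example.com/pub/file.iso",
    ]
    for url in urls:
        print(url)
        print("  wrong order ->", effective_pattern(WRONG_ORDER, url))
        print("  right order ->", effective_pattern(RIGHT_ORDER, url))
```

With WRONG_ORDER every HTTP URL, the YouTube ones included, lands on `.` and gets the 0/20%/4320 heuristic; with RIGHT_ORDER the video URL hits the YouTube rule, a `/cgi-bin/` or `?` URL hits the 0 0% 0 rule (so it is only served from cache when the origin's validators allow it), and plain static objects fall through to `.`. Note also why the YouTube line has to sit above the `(/cgi-bin/|\?)` line and not merely above `.`: its URLs contain a `?`, so placing it below the dynamic-content rule would make them uncacheable again.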
[squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube
Dear All,

I require your help and guidance regarding dynamic content caching. Following are the queries.

1. I am running squid in multiple instances mode (for cache disk failure protection). I don't think that it has any effect on internet object caching? I am confused whether connect methods are to be duplicated on both of the instances, or whether I have configured it right, specially in perspective of windows update.

2. As rewrite_url is not exported in new versions (version 3 and above) of squid, is it still possible for squid to cache facebook/youtube videos? Have I configured it correctly? As I have seen no TCP_HIT for mp3, mp4 etc., I think caching is not done.

3. Please can you check my configuration for windows updates? Is there anything else which I have missed there? How could I assure that windows update is being cached properly?

Through studying online tutorials, mail archive support and the best of my understanding, I have configured squid as follows. Please peruse and guide.

-- Squid Cache Instance:

visible_hostname squidlhr.v.local
unique_hostname squidcacheinstance
pid_filename /var/run/squidcache.pid
cache_dir aufs /cachedisk1/var/spool/squid 5 128 256
coredump_dir /cachedisk1/var/spool/squid
cache_swap_low 75
cache_mem 1000 MB
range_offset_limit -1
maximum_object_size 4096 MB
minimum_object_size 10 KB
quick_abort_min -1
cache_replacement_policy heap
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#specific for youtube below one
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487
# For any dynamic content caching.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

-- Squid Main Instance:

visible_hostname squidlhr
unique_hostname squidmain
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query
prefer_direct off
cache_dir aufs /var/spool/squid 1 16 256
coredump_dir /var/spool/squid
cache_swap_low 75
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Defining allowing ports section
acl SSL_ports port 443          # https
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost

# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT all
http_access allow windowsupdate all

regards, thanks
Bilal
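The ordering point made in the reply fragment above (the dynamic-content refresh_pattern has to sit before the catch-all "refresh_pattern .") is easy to see by simulating how Squid picks a refresh_pattern: the lines are tested top to bottom and the first regex that matches the URL wins, so in the configuration posted here the "." line shadows the "-i (/cgi-bin/|\?)" line for every URL containing "?". The following Python is an added example, not code from the thread or from Squid. It parses refresh_pattern lines from the two orderings (as posted, and as the reply recommends), leaves out the YouTube line because its percent value did not survive in the post, and applies a simplified version of Squid's min/percent/max freshness rule (no override options). The names select_rule, is_fresh and the tracker URL are mine.

```python
"""Simulate Squid's first-match refresh_pattern selection (added example).

Squid tests refresh_pattern lines top to bottom and uses the first regex
that matches the URL, so a catch-all "refresh_pattern ." placed before the
dynamic-content line shadows it.  Freshness below is the basic documented
rule without override options: stale if age > max, fresh if age < min,
fresh if age/resource_age < percent, otherwise stale.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshRule:
    pattern: str
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = False


def parse_refresh_patterns(conf_text):
    """Extract refresh_pattern lines from squid.conf text, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("refresh_pattern"):
            continue
        fields = line.split()[1:]
        ignore_case = fields[0] == "-i"
        if ignore_case:
            fields = fields[1:]
        pattern, mn, pct, mx = fields[0], fields[1], fields[2], fields[3]
        rules.append(RefreshRule(pattern, int(mn), int(pct.rstrip("%")),
                                 int(mx), ignore_case))
    return rules


def select_rule(rules, url):
    """First matching refresh_pattern wins, as Squid evaluates them."""
    for rule in rules:
        flags = re.IGNORECASE if rule.ignore_case else 0
        if re.search(rule.pattern, url, flags):
            return rule
    return None


def is_fresh(rule, age_minutes, resource_age_minutes):
    """Simplified Squid freshness decision for a response with no Expires."""
    if age_minutes > rule.max_minutes:
        return False
    if age_minutes < rule.min_minutes:
        return True
    if resource_age_minutes > 0:
        lm_factor = 100 * age_minutes / resource_age_minutes
        if lm_factor < rule.percent:
            return True
    return False


# Ordering as posted: the catch-all "." line comes before the dynamic line.
POSTED_ORDER = """
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0
"""

# Ordering recommended in the reply: dynamic content between ^gopher: and ".".
CORRECTED_ORDER = """
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0
refresh_pattern . 0 20% 4320
"""

# constructed sample URL with a query string (a tracker announce, as in the thread)
DYNAMIC_URL = "http://tracker.example.test/announce?info_hash=abc"


def compare(url=DYNAMIC_URL, age=60, resource_age=1000):
    """(matched pattern, fresh?) per ordering: shows the shadowing effect."""
    out = {}
    for name, conf in (("posted", POSTED_ORDER), ("corrected", CORRECTED_ORDER)):
        rule = select_rule(parse_refresh_patterns(conf), url)
        out[name] = (rule.pattern, is_fresh(rule, age, resource_age))
    return out


if __name__ == "__main__":
    for name, (pattern, fresh) in compare().items():
        print(f"{name:9s} matched {pattern!r:20s} fresh={fresh}")
```

With the posted ordering a one-hour-old "?" response is still considered fresh (the "." line's 20% rule), so a stale dynamic page would be served from cache; with the corrected ordering the same URL hits the 0 0% 0 line and is always revalidated.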
RE: [squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube
All,

I am really sorry, I was looking at the access.log file of the squid instance that is user facing and not the instance that is doing the fetching/caching, and there I can see mp4 files being cached. However, I am not very confident about my settings, so please read my queries and the configuration file and advise. I would be really thankful.

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Fri, 14 May 2010 12:00:46 +
Subject: [squid-users] Dynamic Content Caching/Windowsupdate/Facebook/youtube
[squid-users] Access.log
Hi all,

Can anybody please explain to me what this error means and why it occurs? It happens while I was testing youtube/facebook caching.

TCP_NEGATIVE_HIT/204

Does this suggest that some object in the cache has been corrupted? If so, how to rectify the error?

Does this error only mean that the user has aborted the transfer, or may it come for some other reason as well?

TCP_MISS/000

thanks, regards,
Bilal
[squid-users] Cache Contents.
Dear All,

I want to confirm that my youtube/facebook and windowsupdate are being cached as I configured. How to have this assurance? Further, I wish to view what the contents of my cache are. Please guide in this respect.

Thanking you, regards,
Bilal
[squid-users] Squid in Daemon Mode
Hi,

I start squid in the normal mode as follows:

/usr/sbin/squid -D -f /etc/squid/squid.conf

Could there be any benefit achieved running it in daemon mode? Can somebody please guide in detail?

Thanking in advance, regards,
Bilal
[squid-users] Yum Updates and Squid
Dear All,

Is it safe enough to use automatic yum updates on the squid server machine? Are there any strict package version requirements to have those with which squid was already installed? Automatic updates will even upgrade the kernel as well, so is it ok?

Please, your guidance will be much valuable. Thanks in advance.

Regards,
Bilal
[squid-users] Authentication Reverse Proxy
Hi,

What is the behaviour/mechanism of authentication if using squid proxy both as forward proxy and reverse proxy? I have successfully set it up for a forward proxy using the helper files by Markus and the following tutorial:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Now two scenarios come to my mind. One is that squid is being used for authentication, and the second one is that the web server is providing the authentication/authorization and squid is just forwarding the requests to the web server. Please guide/suggest/comment about it.

However, what my plan is that I want the web server (Outlook Web Access) to be the one taking care of the authentication part, and squid should simply be given the role of forwarder. However, I am not sure which approach to adopt and what special configurations are required. What are the implications of each approach?

regards,
Bilal
[squid-users] squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.
Dear All,

The problem under discussion is a continuation of the SPN creation / Single Forest MultiDomain (Active Directory) topic.

@ Markus

Yes, my infrastructure is Active Directory based (Root Forest Directory A with two child domains B (80% users) and C (20% users) in their own trees). Only the squid proxy is installed on CentOS and is not joined to any domain. Markus, you are right: I observed that the clients in the child domain are able to use the squid proxy without any changes required in the krb5.conf file (no need to define a [CAPATH] section). I got it that, by design of the Active Directory forest, where parent domains and child domains have two-way transitive trusts, the Active Directory/DNS infrastructure is managing itself, and the clients in any domain are able to find in which domain the service principal is, to acquire a service ticket from that domain. Right??

If the Unix server (proxy) does not belong to any domain then the default_realm section does not matter and I can choose any of my domains as default_realm. As I think the default_realm tag is compulsory to define, it couldn't be left blank. Similarly, if I am not to use any other kerberised service, for example from my squid proxy Unix server, then the .linux.home tag will be unimportant; otherwise it is a must. Right??

//krb5.conf for Active Directory single forest multi domain; it's working correctly

[libdefaults]
 default_realm = A.COM.PK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 A.COM.PK = {
  kdc = dc1.a.com.pk
  admin_server = dc1.a.com.pk
 }
 b.A.COM.PK = {
  kdc = childdc.b.a.com.pk
  admin_server = childdc.b.a.com.pk
 }

[domain_realm]
 .linux.home = A.COM.PK
 .a.com.pk = A.COM.PK
 a.com.pk = A.COM.PK
 .b.a.com.pk = b.A.COM.PK
 b.a.com.pk = b.A.COM.PK

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/kdc.log
\\

Any suggestions/guidance required??

My squid.conf portion related to Authentication/Authorization, along with the questions:

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# basic auth ACL controls to make use of it are.
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

I think now the above commented directives are not required, as squid_kerb_ldap has taken charge. Right???

#external_acl_type squid_kerb1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g gro...@a.com.pk:gro...@a.com.pk:gro...@a.com.pk:g...@b.a.com.pk:gro...@b.a.com.pk:gro...@b.a.com.pk

external_acl_type g1_parent ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g gro...@a.com.pk
external_acl_type g2_parent ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g gro...@a.com.pk
external_acl_type g2_child ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g gro...@a.b.com.pk

Although the commented single-liner was working properly for me and looks more appropriate to me, I had to split it into multiple lines; nothing came into my mind on how to handle the ACLs based on user group membership. Please guide me if there is a better way to do that, as it feels that I am calling the helper multiple times instead of a single time now?? (There are other expected groups from child domains and parent domains, so I am worried: won't it affect the performance?)

acl ldap_group_check1 external g1_parent
acl ldap_group_check2 external g2_parent
acl ldap_group_check3 external g2_child

Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com

http_access deny ldap_group_check1 youtube_domains
http_access allow ldap_group_check2
http_access allow ldap_group_check1
http_access allow ldap_group_check3
http_access deny all

As I think the squid.conf file is parsed from top to bottom, and if a related statement/ACL is met then it will look no further, it means that putting the statements in an order where the groups containing most of the users come first will improve performance. Can an if-else structure be used in squid.conf, and how? I am not sure??? Please guide...

Thanking you, regards,
Bilal
[squid-users] Single Forest Multiple Domains kebreos setup (squid_kerb_ldap)
Dear Markus/All,

Please guide me on the matter discussed below:

Single Forest Multiple Domain setup

      A
     / \
    B   C

Problem: Single forest, multiple domains, where root A is empty with no users. Domains B and C have no trust configured between each other. The internet users belong to Domain B and Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.

Guides and helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
squid_kerb_ldap readme file

If you serve multiple Kerberos realms add a HTTP/f...@realm service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth.

I think this is the only change required in the squid configuration to authenticate and authorize from multiple domains? Please confirm whether I am to create SPNs as below for this setup to work (SPNs for both the domains).

Creation of keytab/SPN/computer object for Domain A:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhr.b.com -h squidlhr.b.com -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com --server dcofbdomain.b.com --verbose

Appending in the same keytab SPN/keys for Domain B:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhr.c.com -h squidlhr.c.com -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com --server dcofcdomain.c.com --verbose

Please guide me on the changes that would be required in the krb5.conf file.

My working krb5.conf file as per the guidance of Markus (Kerberos working; authorization portion yet to implement):

[libdefaults]
 default_realm = B.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 B.COM = {
  kdc = b.com
  admin_server = dc.b.com
 }

[domain_realm]
 .linux.home = B.COM
 .b.com = B.COM
 b.com = B.COM

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/kdc.log

regards,
Bilal
[squid-users] SPN case sensitivity culprit for Negotiate/Kerberos Failures +msktutil
Dear Markus/Nick/All,

After a great struggle and help (I got from you people) I managed to resolve the issue; however, I have a few confusions which I wish to ask you, please.

1. First of all, I traced down my problem to SPN name case sensitivity: the case of the servicePrincipalName attribute as seen through the ADSIEDIT.msc tool was different from the value my klist -ke was showing.

According to ADSIEdit.msc:
servicePrincipalName == HTTP/squidlhrtest.v.local
userPrincipalName == HTTP/squidlhrtest.v.lo...@v.local

Whereas klisting the SPN as stored in my keytab:
2 HTTP/squidlhrtest.v.lo...@v.local (DES cbc mode with CRC-32)
2 HTTP/squidlhrtest.v.lo...@v.local (DES cbc mode with RSA-MD5)
2 HTTP/squidlhrtest.v.lo...@v.local (ArcFour with HMAC/md5)

After diagnosing the problem I tried recreation of the keytab/SPN through the msktutil utility, however with no benefit. But then I changed my hostname (the squid machine's) all to lowercase and recreated the keytab, and it worked. I confirmed that it matched the one stored in the Active Directory. Kerberos/negotiate was working.

Although I have studied that a Microsoft SPN is case insensitive, does this also mean that Microsoft will always store the SPN in lower case no matter how you have given the name in your msktutil command?

Second thing is, what is the role of the UPN here? I mean, why is a UPN required when creating an SPN with computer objects? I can understand that it's some kind of linkage, but I am not sure and clear about the purpose. Also, why does the SPN attribute have no realm name appended in the output while the UPN has a realm name appended in the output when seeing it through ADSIEDIT.msc?

Another question is that, as I am using SARG configured with Apache, I am looking forward to SSO for Apache also with Kerberos. Now the keytab/SPN for squid SSO is already created as:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose

Right now, to my understanding, a keytab can have keys from multiple services, so this means that I can have the same keytab used for both squid and Apache? For example, I think the following command will append the keytab file with the following new keys. I guess that only computer-name is to be changed and the rest of the same command will do as far as the keytab creation is concerned. (Apache specific settings are a separate story which is definitely out of scope here.)

The command, to my understanding, which will append keys to be used by Apache:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose

But why should Apache and squid not share a single keytab, as after all they are both HTTP in the end? Isn't creating a separate key/SPN for Apache redundant, or is it a must?

Another somewhat similar question is that my Active Directory setup has a single forest with one parent A and two children B and C. The internet users are only in children A and B. What would be the way to handle SSO? I have not much clarity; can anybody please advise? How would I be pointing to the multiple realms? Would I duplicate the exact setup which I have done for 1 domain and somehow (I am unclear) update squid accordingly?

Please, I would be really thankful to all of you for guidance/help.

best regards,
Bilal Aslam
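The case mismatch described in this post can be caught on the proxy before any browser is involved: list the keytab and compare each principal with the name squid_kerb_auth will be asked for, HTTP/<proxy fqdn>@<REALM>. Active Directory matches servicePrincipalName values case-insensitively, but on the Unix side the keytab lookup compares principal names exactly, so an entry that differs from the expected name only in letter case is the kind of entry that leaves the keytab useless. The Python below is an added example, not code from the thread, msktutil or Squid. The klist listing it parses is constructed to resemble the keytabs in this thread (a mixed-case proxy hostname as passed to -h, plus an entry made with the domain controller's name as the SPN, which Nick pointed out is the wrong host); parse_klist, check_keytab and expected_principal are my own names.

```python
"""Check a `klist -k` listing against the principal squid_kerb_auth expects.

Added example.  klist -k prints one "KVNO Principal" row per key, optionally
followed by the encryption type in parentheses when -e is given.  The client
asks the KDC for HTTP/<proxy fqdn>@<REALM>; the keytab lookup on the proxy is
an exact string comparison, so entries that differ only in case are reported
separately from entries for a different host altogether.
"""
import re

# "   2 HTTP/host@REALM (ArcFour with HMAC/md5)"  ->  kvno, principal
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(.*\))?\s*$")

# constructed listing in the format klist -ke prints (not from the thread)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidLhrTest.v.local@V.LOCAL (DES cbc mode with CRC-32)
   2 HTTP/squidLhrTest.v.local@V.LOCAL (ArcFour with HMAC/md5)
   2 HTTP/vdc.v.local@V.LOCAL (ArcFour with HMAC/md5)
"""


def parse_klist(text):
    """Return [(kvno, principal)] from klist -k / klist -ke output."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        # skip the banner, the column header and the dashed separator line
        if (stripped.startswith("Keytab name") or stripped.startswith("KVNO")
                or not stripped or set(stripped) <= {"-", " "}):
            continue
        m = KLIST_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def expected_principal(proxy_fqdn, realm):
    """Service principal a browser will request for this proxy: lowercase host, uppercase realm."""
    return f"HTTP/{proxy_fqdn.lower()}@{realm.upper()}"


def check_keytab(klist_text, proxy_fqdn, realm):
    """Classify every keytab entry as exact, case-only mismatch, or some other principal."""
    want = expected_principal(proxy_fqdn, realm)
    report = {"exact": [], "case_mismatch": [], "other": []}
    for _kvno, principal in parse_klist(klist_text):
        if principal == want:
            report["exact"].append(principal)
        elif principal.lower() == want.lower():
            report["case_mismatch"].append(principal)
        else:
            report["other"].append(principal)
    return report


if __name__ == "__main__":
    for kind, names in check_keytab(SAMPLE_KLIST, "squidlhrtest.v.local", "V.LOCAL").items():
        print(f"{kind:14s}: {names}")
```

Run against the real keytab with the proxy's own name (for example `klist -ke /etc/squid/HTTP.keytab | python3 check.py`, after wiring stdin in place of SAMPLE_KLIST); an empty "exact" list together with a populated "case_mismatch" list is exactly the situation this post describes, and entries under "other" are keys for a different service name that no browser will ever ask for.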
[squid-users] Kerberos Authentication in Relation to Connect ACLs
I get the following error whenever I try to use squid (currently I am trying to use it from the AD, which is also the KDC for squid to provide authentication):

Access Denied: Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

(No pop-up opens for authentication; just whenever I try to open any webpage, this error.) However, I don't think that I have done any settings to prevent users. I am not sure what is happening, please guide. Is it something to do with the connect method ACLs?

acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all

please guide
regards,
Bilal
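Two questions in this thread turn on the same mechanism: whether squid.conf has an if-else structure (asked in the squid_kerb_ldap post above) and whether the CONNECT ACLs could be behind the Access Denied page reported here. Squid has no if-else: http_access lines are tested top to bottom, every ACL on a line must match (a leading ! negates one ACL), the first matching line decides, and if no line matches the opposite of the last line's action applies. One special case matters for the auth lines: when a proxy_auth ACL is the last ACL on a line and the request carries no credentials, Squid answers with a 407 challenge rather than a plain deny. The Python below is an added example, not from the thread or from Squid, that models that evaluation over a rule set assembled from lines posted in this thread (the port, CONNECT, localhost and auth lines above plus the Windows Update ACLs from the caching post); the manager lines are left out. Request, evaluate and the sample requests are my own names and constructed values.

```python
"""Model of Squid http_access evaluation (added example, not Squid's code).

Rules are tried top to bottom.  A line matches only if every ACL on it
matches (a leading "!" negates one ACL); the first matching line decides.
If no line matches, Squid applies the opposite of the last line's action.
A proxy_auth ACL that is the last ACL on a line and cannot be evaluated
(no credentials presented) makes Squid send a 407 challenge, modelled here
as the result "challenge".
"""
from dataclasses import dataclass
from typing import Optional

AUTH_NEEDED = object()  # sentinel: proxy_auth ACL could not be evaluated


@dataclass
class Request:
    method: str
    host: str
    port: int
    client_ip: str
    user: Optional[str] = None  # None = no Proxy-Authorization presented


def _ports(spec):
    """'80 443 1025-65535' -> list of (lo, hi) ranges."""
    out = []
    for item in spec.split():
        lo, _, hi = item.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


# acl name -> (type, values); values taken from the lines posted in the thread
ACLS = {
    "SSL_ports": ("port", _ports("443")),
    "Safe_ports": ("port", _ports("80 21 443 70 210 1025-65535 280 488 591 777")),
    "CONNECT": ("method", {"CONNECT"}),
    "localhost": ("src", {"127.0.0.1"}),
    "wuCONNECT": ("dstdomain", {"www.update.microsoft.com", "sls.microsoft.com"}),
    "windowsupdate": ("dstdomain", {"windowsupdate.microsoft.com",
                                    ".update.microsoft.com",
                                    "download.windowsupdate.com"}),
    "auth": ("proxy_auth", {"REQUIRED"}),
    "all": ("src", {"*"}),
}

# http_access lines in file order (manager lines omitted)
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["CONNECT", "wuCONNECT", "all"]),
    ("allow", ["windowsupdate", "all"]),
    ("deny", ["!auth"]),
    ("allow", ["auth"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return "*" in values or req.client_ip in values
    if kind == "method":
        return req.method in values
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "dstdomain":
        host = req.host.lower()
        # a value with a leading dot matches the domain itself and all subdomains
        return any(host == v or (v.startswith(".") and
                   (host == v[1:] or host.endswith(v))) for v in values)
    if kind == "proxy_auth":
        return True if req.user is not None else AUTH_NEEDED
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules, req):
    """Return ('allow' | 'deny' | 'challenge', deciding line or None)."""
    for action, terms in rules:
        matched = True
        for i, term in enumerate(terms):
            negate = term.startswith("!")
            result = acl_matches(term.lstrip("!"), req)
            if result is AUTH_NEEDED:
                if i == len(terms) - 1:      # last ACL on the line -> 407
                    return "challenge", (action, terms)
                matched = False              # otherwise the line simply fails
                break
            if result == negate:             # term fails (match XOR negate)
                matched = False
                break
        if matched:
            return action, (action, terms)
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, None


# constructed sample requests from a LAN client (not from the thread)
SAMPLES = {
    "plain GET, no credentials": Request("GET", "www.example.test", 80, "10.1.82.54"),
    "GET with credentials": Request("GET", "www.example.test", 80, "10.1.82.54", "bilal"),
    "Windows Update GET": Request("GET", "download.windowsupdate.com", 80, "10.1.82.54"),
    "Windows Update CONNECT": Request("CONNECT", "www.update.microsoft.com", 443, "10.1.82.54"),
    "CONNECT to non-SSL port": Request("CONNECT", "mail.example.test", 8080, "10.1.82.54"),
    "telnet port": Request("GET", "www.example.test", 23, "10.1.82.54"),
}


def run_samples():
    return {label: evaluate(RULES, req)[0] for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:28s} -> {verdict}")
```

The model shows why the CONNECT lines are not what blocks a plain GET: the `deny CONNECT !SSL_ports` line only matches CONNECT requests, and an unauthenticated GET falls through to `deny !auth`, which yields a challenge (407), not the 403 access-denied page. It also shows how Squid expresses "else": a later line is reached only when every earlier line failed to match, and the trailing `deny all` is the catch-all.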
RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
Dear Nick,

This was the result of my klist -k command:

[r...@squidlhrtest log]# klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/vdc.v.com...@v.com.pk
   2 HTTP/vdc.v.com...@v.com.pk
   2 HTTP/vdc.v.com...@v.com.pk
---

I recreated the SPN as follows in my new lab (the domain controller name is now vdc.v.local and the proxy name is squidLhrTest):

msktutil -c -b CN=COMPUTERS -s HTTP/vdc.v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidLhrTest.v.local --server vdc.v.local --verbose

However, whenever a client tries to access the internet this error appears:

CacheHost: squidLhrTest
ErrPage: ERR_CACHE_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 16 Apr 2010 10:43:51 GMT
ClientIP: 10.1.82.54
HTTP Request:
GET /isapi/redir.dll?prd=iear=hotmail HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.microsoft.com
Proxy-Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw==

Thank you so much for your consideration, Nick. Yes, despite lots of effort I am not able to get this thing to work and am frustrated now. However, in the journey at least I learnt many things :)

regards,
Bilal Aslam

From: nick.cairncr...@condenast.co.uk
To: gi...@msn.com
Date: Fri, 16 Apr 2010 09:39:11 +0100
Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.

Bilal,

I understand your frustration!

First off: What happens when you

klist -k /etc/squid/HTTP.keytab

As I understand it, shouldn't you be specifying the spn as HTTP/yoursquidproxy and not your DC? You want to be able to authenticate from the squid proxy, using the HTTP service to the squid-http computer account.

Nick

On 16/04/2010 08:43, GIGO . wrote:

Dear Nick/Markus,

I am totally lost in translation and am not sure what to do; I need your help, please. The problem is that my Kerberos authentication is not working. In my virtual environment I have two machines, one configured as Domain Controller and the other one as squid proxy. I am trying to use the internet from my domain controller (Internet Explorer 7; the DNS name is given instead of the IP). However, it only pops up an authentication window and never works like it should. I have set up the squid authentication as follows:

Steps:

I copied the squid_kerb_auth files to the correct directory (SELinux is enabled):

cp -r squid_kerb_auth /usr/libexec/squid/

I then installed the msktutil software.

Step No 1: I changed my krb5.conf file as follows:

krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = V.COM.PK
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/krb5.keytab
; for windows 2003
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 V.LOCAL = {
  kdc = vdc.v.com.pk:88
  admin_server = vdc.v.com.pk:749
  default_domain = v.com.pk
 }

[domain_realm]
 .linux.home = V.COM.PK
 .v.com.pk = V.COM.PK
 v.local = V.COM.PK

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Step 2: I verified the settings in resolv.conf and the hosts file.

--- /etc/resolv.conf ---
nameserver 10.1.82.51   (my domain controller and DNS)

--- /etc/hosts ---
127.0.0.1       squidLhrTest localhost.localdomain localhost
10.1.82.52      squidLhrTest.v.com.pk
::1             localhost6.localdomain6 localhost6
---

Step 3: I created the keytab as follows:

kinit administra...@v.local
msktutil -c -b CN=COMPUTERS -s HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose

Output of my command:

[r...@squidlhrtest msktutil-0.3.16]# msktutil -c -b CN=COMPUTERS -s HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP
RE: [squid-users] Re: Re: Re: Creating a kerberos Service Principal.
Markus,

Now what to do? Why this behaviour of the browser, though I have confirmed that Windows integrated authentication is checked? The IE version can do Kerberos. The DNS name is given as the proxy. The only missing thing is DNS reverse lookup settings on my domain controller/DNS. Checked on two clients. I have a virtual environment made on VMware. How to move forward from here?

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 16 Apr 2010 15:18:27 +0100
Subject: [squid-users] Re: Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

In your case the browser is returning a NTLM token, not a Kerberos token, which is why squid_kerb_auth will deny access.

Regards
Markus

GIGO . gi...@msn.com wrote in message news:snt134-w155de8e05828b08d15c09ab9...@phx.gbl...
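Markus's diagnosis can be reproduced from the request dump in the previous message: the Proxy-Authorization header carries a Negotiate token, and the token's first bytes identify the mechanism the browser actually used. The base64 "TlRMTVNTUAAB..." decodes to the ASCII signature "NTLMSSP\0", the start of every NTLM message, whereas a Kerberos or SPNEGO token starts with the DER APPLICATION 0 tag (0x60) followed by the mechanism OID. The Python below is an added example, not code from the thread or from Squid; it classifies the token exactly as printed in the post together with two tokens I constructed, and the function names are mine. As printed in the post the token is shorter than a full NTLM message header, so for it only the signature decides; the constructed NTLM Type 1 message shows the full check.

```python
"""Classify the mechanism inside an HTTP "Negotiate" token (added example).

A browser that says "Negotiate" may send either an NTLM message (signature
"NTLMSSP\\0") or a GSS-API/SPNEGO token (DER APPLICATION 0 tag 0x60 followed
by the mechanism OID).  squid_kerb_auth accepts only the latter, so this is
the check to run on a captured Proxy-Authorization header when Kerberos
"silently" fails with an access denied page.
"""
import base64
import re

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # OID 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Token exactly as it appears in the request dump posted to the list
POSTED_TOKEN = "TlRMTVNTUAABB4IIogAFASgKDw=="


def _after_der_length(raw, pos):
    """Index of the first content byte after a DER length field at pos."""
    first = raw[pos]
    if first < 0x80:                      # short form: one byte
        return pos + 1
    return pos + 1 + (first & 0x7F)       # long form: N more length bytes


def classify_negotiate_token(b64):
    raw = base64.b64decode(b64)
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) >= 32:                # a complete message has the type at offset 8
            msg_type = int.from_bytes(raw[8:12], "little")
            return f"NTLM {NTLM_TYPES.get(msg_type, 'unknown type')}"
        return "NTLM (truncated message)"
    if len(raw) >= 2 and raw[0] == 0x60:  # GSS-API InitialContextToken
        body = raw[_after_der_length(raw, 1):]
        if body.startswith(SPNEGO_OID):
            return "SPNEGO"
        if body.startswith(KRB5_OID):
            return "Kerberos"
        return "GSS-API (other mechanism)"
    if raw[:1] == b"\xa1":                # SPNEGO NegTokenResp (later round trips)
        return "SPNEGO NegTokenResp"
    return "unknown"


def classify_header(header_line):
    """Pull the token out of a 'Proxy-Authorization: Negotiate <b64>' line."""
    m = re.match(r"\s*Proxy-Authorization:\s*Negotiate\s+(\S+)", header_line, re.I)
    if not m:
        return "no Negotiate token"
    return classify_negotiate_token(m.group(1))


def constructed_ntlm_type1():
    """Minimal well-formed 32-byte NTLM Type 1 (NEGOTIATE) message, base64 (constructed)."""
    msg = (NTLM_SIGNATURE + (1).to_bytes(4, "little")
           + (0xA2088207).to_bytes(4, "little")   # negotiate flags
           + b"\x00" * 16)                        # empty domain/workstation fields
    return base64.b64encode(msg).decode()


def constructed_spnego():
    """InitialContextToken with the SPNEGO OID and an empty NegTokenInit (constructed)."""
    inner = SPNEGO_OID + b"\xa0\x02\x30\x00"
    return base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()


def constructed_kerberos():
    """Raw Kerberos V5 GSS token: OID followed by the AP-REQ token id 01 00 (constructed)."""
    inner = KRB5_OID + b"\x01\x00"
    return base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()


if __name__ == "__main__":
    print("posted token :", classify_negotiate_token(POSTED_TOKEN))
    print("NTLM type 1  :", classify_negotiate_token(constructed_ntlm_type1()))
    print("SPNEGO       :", classify_negotiate_token(constructed_spnego()))
    print("Kerberos     :", classify_negotiate_token(constructed_kerberos()))
```

A client that falls back to NTLM like this usually could not obtain a service ticket at all (wrong SPN, as in the keytab above, or a proxy address the browser does not treat as a Kerberos-eligible host), so the token check tells you which side to look at before touching squid.conf.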
RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
Dear Markus/all,

I am unable to create the keytab using msktutil. Please help me out. I followed the following steps:

1. I created an OU and named it UnixOU.
2. I created a group account in the UnixOU and named it UnixAdmins.
3. I made my Windows account bilal_admin part of the UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then I synced the time of the Squid machine and Active Directory.
6. My domain fully qualified domain name is v.local and the NetBIOS name is V.
7. My domain controller name is vdc (fqdn=vdc.v.local).
8. The following lines were changed in krb5.conf, the rest being untouched:

  [libdefaults]
  default_realm = V.LOCAL
  [realms]
  V.LOCAL = {
    kdc = vdc.v.local:88
    admin_server = kerberos.example.com:749   (this was not changed; does it matter at the step of creating the keytab?)
    default_domain = example.com              (unchanged)
  }

Then I ran the following commands to create the keytab:

  kinit squidad...@v.local
  msktutil -c -b OU=unixPrincipals -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose

Output of the command:

  -- init_password: Wiping the computer password structure
  -- finalize_exec: Determining user principal name
  -- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
  -- get_krb5_context: Creating Kerberos Context
  -- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
  -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
  -- try_machine_keytab: Unable to authenticate using the local keytab
  -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
  -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
  SASL/GSSAPI authentication started
  SASL username: squidad...@v.local
  SASL SSF: 56
  SASL installing layers
  -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
  Warning: No DNS entry found for squidLhrTest.v.local
  -- get_short_hostname: Determined short hostname: squidLhrTest-v-local
  -- finalize_exec: SAM Account Name is: squid-http$
  Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
  -- try_set_password: Attempting to reset computer's password
  -- ldap_check_account: Checking that a computer account for squid-http$ exists
  No computer account for squid-http found, creating a new one.
  Error: ldap_add_ext_s failed (Insufficient access)
  Error: ldap_check_account failed (No CSI structure available)
  Error: set_password failed
  -- krb5_cleanup: Destroying Kerberos Context
  -- ldap_cleanup: Disconnecting from LDAP server
  -- init_password: Wiping the computer password structure

Please help me in resolving the issue.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 9 Apr 2010 08:10:19 +0100
Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I then create a Windows group UnixAdministrators and add the Windows account of the UnixAdministrators to it. Finally I change the permissions on OU=UnixPrincipals so that the members of the group UnixAdministrators have full rights (or limited rights) for objects under this OU.

Regards
Markus

GIGO . wrote in message news:snt134-w395b3433738667ded2186eb9...@phx.gbl...

Markus, I could not get you. Please can you elaborate a bit. Thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: [squid-users] Re: Creating a kerberos Service Principal.

BTW you do not need Administrator rights. You can set permissions for different groups on OUs, for example for Unix Kerberos Admins.

Markus

Khaled Blah wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure
RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
Nick,

I tried but with not much success:

  ...
  No computer account for squid-http found, creating a new one.
  Error: ldap_add_ext_s failed (Insufficient access)
  Error: ldap_check_account failed (No CSI structure available)
  Error: set_password failed
  -- krb5_cleanup: Destroying Kerberos Context
  -- ldap_cleanup: Disconnecting from LDAP server
  -- init_password: Wiping the computer password structure
  ...

regards,
Bilal

From: nick.cairncr...@condenast.co.uk
To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
Date: Thu, 15 Apr 2010 09:31:40 +0100
Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.

Bilal,

I think we're doing a similar thing here! See my post earlier about SPN. I think you need to be using the fqdn of the machine in the HTTP/ spn upn and not just the domain. Also check your DNS and local host entries. E.g.:

  msktutil -c -b CN=COMPUTERS -s HTTP/squid1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose

Nick

On 15/04/2010 07:22, GIGO . wrote:

Dear Markus/all,

I am unable to create the keytab using msktutil. Please help me out. I followed the following steps:

1. I created an OU and named it UnixOU.
2. I created a group account in the UnixOU and named it UnixAdmins.
3. I made my Windows account bilal_admin part of the UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then I synced the time of the Squid machine and Active Directory.
6. My domain fully qualified domain name is v.local and the NetBIOS name is V.
7. My domain controller name is vdc (fqdn=vdc.v.local).
8. The following lines were changed in krb5.conf, the rest being untouched:

  [libdefaults]
  default_realm = V.LOCAL
  [realms]
  V.LOCAL = {
    kdc = vdc.v.local:88
    admin_server = kerberos.example.com:749   (this was not changed; does it matter at the step of creating the keytab?)
    default_domain = example.com              (unchanged)
  }

Then I ran the following commands to create the keytab:

  kinit squidad...@v.local
  msktutil -c -b OU=unixPrincipals -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose

Output of the command:

  -- init_password: Wiping the computer password structure
  -- finalize_exec: Determining user principal name
  -- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
  -- get_krb5_context: Creating Kerberos Context
  -- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
  -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
  -- try_machine_keytab: Unable to authenticate using the local keytab
  -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
  -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
  SASL/GSSAPI authentication started
  SASL username: squidad...@v.local
  SASL SSF: 56
  SASL installing layers
  -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
  Warning: No DNS entry found for squidLhrTest.v.local
  -- get_short_hostname: Determined short hostname: squidLhrTest-v-local
  -- finalize_exec: SAM Account Name is: squid-http$
  Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
  -- try_set_password: Attempting to reset computer's password
  -- ldap_check_account: Checking that a computer account for squid-http$ exists
  No computer account for squid-http found, creating a new one.
  Error: ldap_add_ext_s failed (Insufficient access)
  Error: ldap_check_account failed (No CSI structure available)
  Error: set_password failed
  -- krb5_cleanup: Destroying Kerberos Context
  -- ldap_cleanup: Disconnecting from LDAP server
  -- init_password: Wiping the computer password structure

Please help me in resolving the issue.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 9 Apr 2010 08:10:19 +0100
Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I then create a Windows group UnixAdministrators and add the Windows account of the UnixAdministrators to it. Finally I change the permissions on OU=UnixPrincipals so that the members of the group UnixAdministrators have full rights (or limited rights) for objects under this OU.

Regards
Markus

GIGO . wrote in message news:snt134-w395b3433738667ded2186eb9...@phx.gbl...

Markus, I could not get you. Please can you elaborate a bit. Thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject
[squid-users] Unable to create keytab: msktutil ldap_set_option failed (Local error)
Dear All,

Once again I failed to properly create the keytab. Following is the detail of how I performed this task.

Step 1: I changed my krb5.conf file as follows:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = V.LOCAL
   dns_lookup_realm = no
   dns_lookup_kdc = no
   ticket_lifetime = 24h
   forwardable = yes
   default_keytab_name = /etc/krb5.keytab
   ; for windows 2003
   default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

  [realms]
   V.LOCAL = {
    kdc = vdc.v.local:88
    admin_server = vdc.v.local:749
    default_domain = v.local
   }

  [domain_realm]
   .linux.home = V.LOCAL
   .v.local = V.LOCAL
   v.local = V.LOCAL

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

Step 2: I tried to create the keytab as follows:

  kinit administra...@v.local
  msktutil -c -b CN=COMPUTERS -s HTTP/vdc.v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.local --server vdc.v.local --verbose

However, I got the following error:

  SASL/GSSAPI authentication started
  Error: ldap_set_option failed (Local error)
  Error: ldap_connect failed
  -- krb5_cleanup: Destroying Kerberos Context
  -- ldap_cleanup: Disconnecting from LDAP server
  -- init_password: Wiping the computer password structure

My other settings are as follows:

/etc/resolv.conf

  nameserver 10.1.82.51   # 10.1.82.51 is my domain controller and DNS server

/etc/hosts file

  # Do not remove the following line, or various programs
  # that require network functionality will fail.
  127.0.0.1   squidLhrTest localhost.localdomain localhost
  10.1.82.52  squidLhrTest.v.local
  ::1         localhost6.localdomain6 localhost6

However, running hostname --fqdn shows squidLhrTest only.

Please help me out and guide.

regards,
Bilal Aslam

_ Hotmail: Free, trusted and rich email service. https://signup.live.com/signup.aspx?id=60969
RE: [squid-users] ipcCreate error:
Hi Henrik,

I created another setup but now again I am facing the ipcCreate issue, although I have copied squid_kerb_auth from my compilation to /usr/libexec/squid with the cp -r command and also I have pointed to it in squid.conf as

  auth_param negotiate program /usr/libexec/squid/squid_kerb_auth

What could be the issue now? Please help, I will be thankful.

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Wed, 14 Apr 2010 09:34:28 +0200
Subject: RE: [squid-users] ipcCreate error:

Wed 2010-04-14 at 04:47 +, GIGO . wrote:

Hi Henrik, Thank you, this problem is resolved by placing squid_kerb_auth in the libexec folder. Now I believe that I also have to place any other helpers like squid_ldap_group in the same location to get them to work.

Yes. If you have selinux enabled on the host then the security policy for squid restricts it to executing helpers in /usr/libexec/squid/ only. Which is a good thing in terms of security.

Regards
Henrik
[squid-users] Upgrading to Squid 3.1.1
When you upgrade, is it possible to use the existing cache directories created through the previous version (squid 3) or do you have to rebuild your cache?

regards,
Bilal Aslam
RE: [squid-users] ipcCreate error:
Hi Henrik,

Thank you, this problem is resolved by placing squid_kerb_auth in the libexec folder. Now I believe that I also have to place any other helpers like squid_ldap_group in the same location to get them to work.

regards,
Bilal

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: squid-users@squid-cache.org
Date: Sat, 10 Apr 2010 19:44:31 +0200
Subject: Re: [squid-users] ipcCreate error:

Sat 2010-04-10 at 09:23 +, GIGO . wrote:

I have created a user proxy in CentOS from which I am running my squid successfully with all the rights properly configured, until I change my configuration file for Negotiate/Kerberos.

Do you have selinux enabled? Try moving the helper to /usr/libexec/squid/ instead of /usr/sbin/...

Now I have no idea how to use scripts from within squid.conf. And at which place should I place this script in the squid.conf in relation to the following?

Instead of the normal program.

  auth_param negotiate program /usr/sbin/squid_kerb_auth

Regards
Henrik
[squid-users] Authorization via LDAP group
Authorizing users via LDAP group:

It is listed in the squid_ldap_group man page that using -D binddn -W secretfile is to be preferred over -D binddn -w password. While it provides extra security compared to printing the password in plaintext inside squid.conf, doesn't this query itself go in clear text over the network? If this is a risk, how to handle this situation?

1. Should we create a special account with the minimum of rights required to query Active Directory?
2. Or perform this query over TLS? And how can it be done?
3. Allowing anonymous queries can also be configured in Active Directory, however it does not look appropriate. Maybe it has no issues in a totally private setup!

Please, your guidance is required.

regards,
Bilal
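The following Python is an added example, not code from the thread or from Squid, to show what the question above is about on the wire. squid_ldap_group with -D binddn and -w or -W performs an LDAP simple bind: the bind DN and password travel inside a BER-encoded BindRequest, and on port 389 without TLS that PDU is readable by anyone on the path, whichever of -w or -W put the password into the helper. The bind DN, password and the GSSAPI token bytes below are made up (no real capture); the parser itself follows RFC 4511 and can be pointed at a client-to-server TCP payload extracted from a pcap.

```python
"""Decode LDAP BindRequest PDUs to show what a cleartext simple bind leaks.

Added example for the squid_ldap_group discussion; not code from the thread
or from Squid. The PDUs below are constructed in code (no real capture).
"""

# --- minimal BER (tag, length, value) helpers; short and long form lengths
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

# --- builders for the two bind flavours (RFC 4511: BindRequest = [APPLICATION 0])
def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0] password}}."""
    op = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))   # small msg ids only

def build_sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Same message with authentication = sasl [3] SEQUENCE{mechanism, credentials}."""
    sasl = tlv(0x04, mechanism.encode()) + tlv(0x04, token)
    op = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, sasl)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

# --- parser
def parse_bind(pdu: bytes):
    """Return a dict describing a BindRequest, or None if the PDU is another op."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, p)
    if op_tag != 0x60:
        return None
    _, ver, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, auth, _ = read_tlv(op, p)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "bind_dn": name.decode(),
            "method": None, "password": None, "mechanism": None}
    if auth_tag == 0x80:                # simple: the password is right there
        info["method"] = "simple"
        info["password"] = auth.decode()
    elif auth_tag == 0xA3:              # SASL: only the mechanism name is readable
        info["method"] = "sasl"
        _, mech, _ = read_tlv(auth, 0)
        info["mechanism"] = mech.decode()
    return info

def leaked_credentials(stream: bytes):
    """Walk a client->server TCP payload and collect every cleartext simple bind."""
    found, pos = [], 0
    while pos < len(stream):
        _, _, nxt = read_tlv(stream, pos)
        info = parse_bind(stream[pos:nxt])
        if info and info["method"] == "simple" and info["password"]:
            found.append((info["bind_dn"], info["password"]))
        pos = nxt
    return found

# constructed samples: the bind squid_ldap_group -D ... -w does on plain port 389,
# and a SASL/GSSAPI bind whose token bytes are a placeholder (not a real token)
SIMPLE = build_simple_bind(1, "CN=squid-ldap,OU=ServiceAccounts,DC=v,DC=local", "S3cret!")
SASL = build_sasl_bind(2, "GSSAPI", b"\x60\x2c\x06\x09" + bytes(40))

if __name__ == "__main__":
    print(parse_bind(SIMPLE))
    print(parse_bind(SASL))
    print("leaked:", leaked_credentials(SIMPLE + SASL))
```

The simple bind yields the DN and password verbatim; the SASL bind exposes only the mechanism name. That is the practical difference between a plain simple bind and either wrapping the session in TLS (the helper's -Z option requests TLS on the connection, and an ldaps:// URI is the other route) or binding with a SASL mechanism, and it holds regardless of whether the password came from -w or from the -W secret file.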
[squid-users] ipcCreate error:
I have created a user proxy in CentOS from which I am running my squid successfully with all the rights properly configured, until I change my configuration file for Negotiate/Kerberos. I am receiving the following error when trying to start squid:

  2010/04/09 05:06:12| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| ipcCreate: /usr/sbin/squid_kerb_auth: (13) Permission denied
  2010/04/09 05:06:12| Unlinkd pipe opened on FD 20

For troubleshooting I have just installed strace and created a script as per Markus's recommendations:

  #!/bin/sh
  # wrap the helper so every call is traced; "$@" passes the helper's arguments through unchanged
  strace -f -F -o /tmp/strace.out.$$ squid_kerb_auth "$@"

Now I have no idea how to use scripts from within squid.conf. And at which place should I place this script in the squid.conf in relation to the following?

  auth_param negotiate program /usr/sbin/squid_kerb_auth

regards,
Bilal Aslam
RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Nick,

Thank you so much for your support. I am now much more confident about Negotiate/Kerberos and have just decided to jump into the real thing (as enough theory). As far as KVNO, I have not experienced it yet (as not practically implemented), however I may too in due course and surely will share with you. Rather, I will share my whole experience.

regards,
Bilal

From: nick.cairncr...@condenast.co.uk
To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
Date: Thu, 8 Apr 2010 10:17:13 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic. It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication breaking elements have disappeared when compared to my Blue Coat and ISA experiences.

Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes. Users not on the domain would be prompted for credentials. I haven't tested this and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.

Finally, I have been struggling against an issue where my KVNO keytab increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this?

Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and where the browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy send WWW-Proxy-Authorize: Negotiate the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with a NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner VMware
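The exchange Markus and Guido describe above can be checked on the proxy side: the client's Proxy-Authorization: Negotiate value is a base64 SPNEGO token whose mechTypes list names the mechanism the client actually chose first, so a Windows client that could not get a ticket puts the NTLMSSP OID first and carries an NTLM message as the optimistic token, and a Kerberos-only helper cannot use it. The Python below is an added example, not code from the thread or from Squid; it decodes the token far enough to report the mechanism. The three sample headers are constructed in code with placeholder mechToken bytes, not real AP-REQ or NTLM messages, and `kerberos_only_helper_accepts` is a hypothetical name for the decision a Kerberos-only helper effectively makes.

```python
"""Classify a Proxy-Authorization: Negotiate credential by the mechanism it carries.

Added example for the Negotiate/Kerberos vs Negotiate/NTLM discussion; not code
from the thread or from Squid. Sample tokens are constructed with placeholder bodies.
"""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

# DER bodies of the OIDs above; used only to build the constructed samples
OID_DER = {
    SPNEGO: bytes.fromhex("2b0601050502"),
    KRB5: bytes.fromhex("2a864886f712010202"),
    MS_KRB5: bytes.fromhex("2a864882f712010202"),
    NTLMSSP: bytes.fromhex("2b06010401823702020a"),
}

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER element; long-form lengths for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_neg_token_init(mechs, mech_token: bytes) -> bytes:
    """GSS InitialContextToken{SPNEGO OID, [0] NegTokenInit{[0] mechTypes, [2] mechToken}}."""
    mech_list = der(0x30, b"".join(der(0x06, OID_DER[m]) for m in mechs))
    neg = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_DER[SPNEGO]) + der(0xA0, neg))

def to_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

def classify_negotiate(header_value: str) -> dict:
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(b64)
    info = {"wrapper": "unknown", "mech_types": [], "first_mech": None}
    if tok.startswith(b"NTLMSSP\x00"):          # bare NTLM message, no GSS framing at all
        info.update(wrapper="ntlmssp", first_mech="ntlm")
        return info
    tag, body, _ = read_tlv(tok, 0)
    if tag != 0x60:
        return info
    t, oid, p = read_tlv(body, 0)
    if t != 0x06:
        return info
    mech = decode_oid(oid)
    if mech in MECH_NAMES:                      # bare Kerberos GSS token, no SPNEGO wrapper
        info.update(wrapper="krb5-gss", mech_types=[mech], first_mech=MECH_NAMES[mech])
        return info
    if mech != SPNEGO:
        return info
    t, neg, _ = read_tlv(body, p)
    if t != 0xA0:                               # 0xA1 is a NegTokenResp (later leg of the exchange)
        info["wrapper"] = "spnego-resp"
        return info
    _, seq, _ = read_tlv(neg, 0)
    pos = 0
    while pos < len(seq):
        t, v, pos = read_tlv(seq, pos)
        if t == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID, preferred first
            _, lst, _ = read_tlv(v, 0)
            q = 0
            while q < len(lst):
                _, o, q = read_tlv(lst, q)
                info["mech_types"].append(decode_oid(o))
    info["wrapper"] = "spnego"
    if info["mech_types"]:
        info["first_mech"] = MECH_NAMES.get(info["mech_types"][0], "other")
    return info

def kerberos_only_helper_accepts(header_value: str) -> bool:
    """Hypothetical verdict of a Negotiate/Kerberos-only helper: the optimistic token must be Kerberos."""
    return classify_negotiate(header_value)["first_mech"] == "kerberos"

# constructed samples; the mechToken bodies are placeholders, not real AP-REQ/NTLM messages
TICKET_OK = to_header(build_neg_token_init([MS_KRB5, KRB5, NTLMSSP], b"\x60\x10" + bytes(16)))
NO_TICKET = to_header(build_neg_token_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)))
RAW_NTLM = to_header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20))

if __name__ == "__main__":
    for name, hdr in (("ticket", TICKET_OK), ("no ticket", NO_TICKET), ("raw ntlm", RAW_NTLM)):
        print(name, classify_negotiate(hdr), kerberos_only_helper_accepts(hdr))
```

Logging `first_mech` next to the TCP_DENIED/407 lines is a quick way to tell "the client never had a ticket" (NTLM first) from "the ticket was for the wrong SPN or an out-of-date kvno" (Kerberos first, helper still rejects), which are the two cases the rest of this thread keeps running into.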
RE: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients
Hi Markus/Nick,

I have chosen the following method of creating the keytab. Can you give me your advice/experience regarding it?

1. I have created a user account for the SPN in Active Directory with "password never expires" and "preauthentication not required" checked:

  squidLhr-proxy   Pwd: X

  C:\Program Files\Support Tools> setspn -A HTTP/squidLhr-proxy.v.mcb.com.pk squidLhr-proxy

Creating the keytab:

  ktpass -out c:\squidLhr-proxy.keytab -princ HTTP/squidlhr-proxy.v.com...@myrealm.v.com.pk -mapUser V\squidLhr-proxy -mapOp set -pass * -crypto DES-CBC-MD5 -pType KRB_NT_PRINCIPAL

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:08:10 +0100
Subject: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc.) it will update regularly the AD entry and key for the host/fqdn principal, which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called -HTTP to be independent of samba, which usually uses .

Regards
Markus

Nick Cairncross wrote in message news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic. It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication breaking elements have disappeared when compared to my Blue Coat and ISA experiences.

Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes. Users not on the domain would be prompted for credentials. I haven't tested this and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.

Finally, I have been struggling against an issue where my KVNO keytab increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this?

Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and where the browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy send WWW-Proxy-Authorize: Negotiate the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy
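Whichever tool produces the keytab (ktpass as in Bilal's command above, or msktutil), what lands on the proxy is an MIT-format keytab file, and the two things that break squid_kerb_auth in this thread are both visible in it: a principal that does not match the SPN the browser asks for, and a key version (kvno) that no longer matches what AD holds after the account password was reset, which is Nick's KVNO problem. The Python below is an added example, not code from the thread or from Squid: it builds a version 0x0502 keytab in code with dummy key bytes, parses it back, and reports mismatches against an expected principal and the kvno read from the account's msDS-KeyVersionNumber attribute (the value passed in is assumed). The SPN HTTP/squidlhrtest.v.local@V.LOCAL and the kvno values are made up for the sample; the single-DES check reflects the -crypto DES-CBC-MD5 choice in the ktpass command.

```python
"""Parse an MIT-format keytab (version 0x0502) and check it against what AD holds.

Added example for the ktpass/msktutil discussion; not code from the thread or
from Squid. The keytab below is built in code with dummy key material.
"""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
SINGLE_DES = {1, 2, 3}            # what ktpass -crypto DES-CBC-MD5 (and friends) produce

def _cos(b: bytes) -> bytes:      # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_cos(buf: bytes, p: int):
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries) -> bytes:
    """entries: iterable of (principal 'svc/host@REALM', kvno, enctype, key, timestamp)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)                    # 32-bit vno trailer (needed once kvno > 255)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos += -size
            continue
        ent, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, p)
        p += 2
        realm, p = _read_cos(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(ent, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", ent, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", ent, p)
        p += 2
        key, p = _read_cos(ent, p)
        kvno = vno8
        if p + 4 <= len(ent):         # MIT rule: a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", ent, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "timestamp": ts})
        pos += size
    return entries

def check_keytab(data: bytes, principal: str, ad_kvno: int):
    """Findings to clear before pointing squid_kerb_auth at the file."""
    findings = []
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not matches:
        findings.append(f"no key for {principal} in keytab")
    for e in matches:
        if e["kvno"] != ad_kvno:
            findings.append(f"kvno {e['kvno']} in keytab but msDS-KeyVersionNumber is {ad_kvno}: regenerate the keytab")
        if e["enctype"] in SINGLE_DES:
            findings.append(f"{e['enctype_name']} entry is single DES; use an AES (or at least RC4) key")
    return findings

# constructed sample: two keys for one SPN, as a ktpass/msktutil run might produce (dummy key bytes)
SPN = "HTTP/squidlhrtest.v.local@V.LOCAL"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 23, bytes(16), 1270000000),
                              (SPN, 3, 3, bytes(8), 1270000000)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(SAMPLE_KEYTAB, SPN, 3))   # only the DES warning
    print(check_keytab(SAMPLE_KEYTAB, SPN, 4))   # AD password was reset: both keys are stale
```

Run against the real /etc/squid/HTTP.keytab, the principal to pass is the one the browser builds from the proxy's FQDN (HTTP/fqdn@REALM, case-sensitive), and the kvno is read from the service account in AD; a mismatch on either is what shows up as the helper rejecting every ticket until the keytab is regenerated.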
RE: [squid-users] Re: Creating a kerberos Service Principal.
Markus, I could not get you. Please can you elaborate a bit. Thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: [squid-users] Re: Creating a kerberos Service Principal.

BTW you do not need Administrator rights. You can set permissions for different groups on OUs, for example for Unix Kerberos Admins.

Markus

Khaled Blah wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it. Thus, msktutil saves you some time and hassle. AFAIR both need Administrator rights, which means the account used for ktpass/msktutil needs to be a member of the Administrator group.

2. To answer this question, one would need more information about your network and your setup. Basically, mixing any other authentication method with Kerberos is not a good idea. That's because if the other method is insecure or less secure, an attacker who gains access to a user's credentials will be able to impersonate that user against Kerberos and thus be able to use ALL services that this user has access to. In any case DO NOT use basic auth with Kerberos in a public set-up. That's a recipe for disaster. Digest auth and NTLM (v2) might be suitable but these are in fact less secure than Kerberos and thus not preferable. One down-side to Kerberos is that it's an all-or-nothing service: either you use Kerberos and only Kerberos, or you risk security breaches in any mixed situation.

HTH
Khaled

2010/4/6 GIGO . :

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using Basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and where the browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy send WWW-Proxy-Authorize: Negotiate the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with a NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1
10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135
Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it
[squid-users] Creating a kerberos Service Principal.
Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? Difference between using ktpass vs the msktutil package? What rights would I require in Active Directory, and if none, then why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using Basic looks to be an option, but isn't it less secure? Is there a better approach possible?

regards,
Bilal Aslam
RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Dear Markus,
That cleared/explained a lot to me and has given me direction for developing a better understanding of the whole concept. Thanks a lot.
regards, Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Tue, 6 Apr 2010 20:14:32 +0100
Subject: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Hi Bilal,
It is a bit more complicated. It is not a pure Kerberos authentication but a Negotiate/Kerberos authentication. If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate, the Windows client will first try to get a Kerberos ticket and, if that succeeds, sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket, the client will send a Negotiate response with an NTLM token to the proxy. Unfortunately there is yet no Squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the Samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.
Regarding your second point I can not really judge which one is better; I think it will depend on your environment.
Regards
Markus
[squid-users] Negotiate/NTLM Authentication a safer option then Negotiate/Kerberos??
Hi All,
In our environment we are currently using ISA Server with user-based authentication. We are using Windows 2003 Active Directory and almost all of the users are using a Windows-based OS. We want to seamlessly migrate our users to Squid. I have not yet reached any conclusion despite lots of studies/efforts/Squid support. I would like you people to guide me in detail, please.
If Negotiate/Kerberos has a limitation in Squid that it has only one fallback scheme, and that is Basic/LDAP, then isn't it a safe option to use Negotiate/NTLM if all users belong to Microsoft Active Directory only? As every logged-in domain user will always possess a valid NTLM token even if it doesn't have a valid Kerberos token, this scheme will not require any fallback authentication mechanism to be defined. I would probably be needing to enumerate Active Directory users through some mechanism (which I am not sure about at this moment) to get this scheme working. Am I right? Please guide in detail.
Another thing which is confusing is whether, like Kerberos, the NTLM token (and hence the user's credentials) will automatically be passed to Squid and the user never needs to explicitly give a password. Am I right? What will happen if the user is not logged into the domain but is on a workstation that is part of a workgroup? I assume that in that case a password popup screen will appear and the user will give his/her credentials in domainname/user format and that will work?
regards, Bilal Aslam
RE: [squid-users] Re: SSO with Active Directory-Squid Clients
Dear Markus,
Please, I have a few confusions which I want to satisfy.
1. If Kerberos authentication fails, then what would be the fallback behaviour? Would Basic authentication to LDAP be used instead? Does it need to be defined? What is the best strategy, as Basic authentication will be in clear text? In a Microsoft environment the fallback is to NTLM authentication if Kerberos fails; isn't it a better strategy?
2. Isn't it better to use the combination of Kerberos/LDAP only for SSO with Active Directory? Why is winbind/Samba referred to in many tutorials, while to me it looks redundant? Does it give any additional benefit, or is it more stable? Can you please enlighten me.
regards, Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Sat, 3 Apr 2010 13:34:15 +0100
Subject: [squid-users] Re: SSO with Active Directory-Squid Clients

Have a look at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
Regards
Markus
[squid-users] SSO with Active Directory-Squid Clients
Dear All/Amos,
I want to allow certain (not all) Active Directory users to use Squid by way of SSO with Active Directory. This means that when anyone from those specific users logs into Active Directory they should automatically have access to the internet via the Squid proxy. Other AD users which have not been granted permissions in Squid will be disallowed. Is it possible? How? Please guide in detail.
This was my assumption of how it would be done: I needed to compile Squid with these additional options:
--enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth
Right?? I need to configure krb5.conf to point to AD as default_realm on CentOS 5.4 too, right? I think that I must make CentOS 5.4 a member of the domain? Am I right, or is it not necessary? How will these specific AD users (with internet access allowed) be told/mentioned to Squid? I have also studied your article http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print However, this is allowing all (not specific) Active Directory or LDAP users internet access. This logic is just checking the validity of the user account with Active Directory by popping up a login/password, and if succeeded, network access is granted. Am I right?
Bottom line is that I am completely lost and have not much idea what to do and how to do it. We previously were using Microsoft ISA Server and are about to move to Squid, and this requirement is very necessary.
regards, Bilal Aslam
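An added example, not part of this thread or of the Squid wiki pages linked above, covering the points asked about across these messages: which tool creates the keytab and what AD rights it needs, how Negotiate/Kerberos with a Basic/LDAP fallback is expressed in squid.conf and why that fallback is the weak spot, and how to admit only the members of one AD group rather than every valid account. The realm, host names, bind account, group name, helper directory and password file below are assumptions, not values from the thread.

```conf
# squid.conf fragment, added as an example (not from the thread or the Squid wiki).
# Assumed: realm EXAMPLE.COM, proxy FQDN proxy.example.com, domain controller
# dc.example.com, bind account cn=squid, AD group InternetUsers, helper paths as
# installed by a Squid 3.1 build with --enable-negotiate-auth-helpers=squid_kerb_auth
# --enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group.
#
# Keytab, created once. Either tool works; neither needs Domain Admin:
#  - msktutil, run on the proxy with a ticket (kinit) for an account that may
#    create computer objects in the target container and write their SPN:
#      msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.example.com \
#        -k /etc/squid/PROXY.keytab --computer-name PROXY-K \
#        --upn HTTP/proxy.example.com --server dc.example.com --verbose
#  - ktpass, run on a DC against a dedicated AD user account (here "squidproxy")
#    by someone allowed to reset that account's password and set its SPN:
#      ktpass -princ HTTP/proxy.example.com@EXAMPLE.COM -mapuser EXAMPLE\squidproxy \
#        -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out PROXY.keytab
#    then copy PROXY.keytab to /etc/squid/ on the proxy.
# squid_kerb_auth finds the keytab through the environment of the Squid process:
#      export KRB5_KTNAME=/etc/squid/PROXY.keytab    (in the init script)
# The keytab is a credential: owned by the cache_effective_user, mode 0400.

# 1. Negotiate/Kerberos. Schemes are offered in the order configured; a
#    domain-joined Windows client answers this one without a password prompt.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. Basic/LDAP fallback for clients that cannot get a ticket (workgroup PCs,
#    non-Windows tools). Caveat: Basic carries the AD password base64-encoded,
#    i.e. in clear text, on every request, so any client that falls back
#    exposes a domain password to whoever can see the client-to-proxy path.
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -v 3 -P \
    -b "dc=example,dc=com" \
    -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.pw \
    -f "(&(objectclass=person)(sAMAccountName=%s))" -h dc.example.com
auth_param basic children 5
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 2 hours

# 3. Only members of one AD group may browse. %LOGIN is "user@EXAMPLE.COM"
#    after a Kerberos login and "user" after Basic; -K strips the realm so
#    one filter serves both. Answers are cached for ttl seconds.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/lib64/squid/squid_ldap_group -R -K -v 3 -P \
    -b "dc=example,dc=com" \
    -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.pw \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=example,dc=com))" \
    -h dc.example.com

acl AuthUsers proxy_auth REQUIRED
acl InternetUsers external ad_group InternetUsers

http_access deny !AuthUsers        # 407 challenge: Negotiate first, then Basic
http_access allow InternetUsers    # members of the named group only
http_access deny all               # every other valid AD account gets 403
```

The `deny !AuthUsers` line is what makes Squid send the 407 challenge; which scheme the browser answers with is the browser's choice, so a client that cannot do Negotiate will fall to Basic on its own, and nothing in squid.conf can keep a domain user from typing a password into that prompt. If that is unacceptable, leave the Basic `auth_param` block out entirely and accept that workgroup machines get no access.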
[squid-users] Upgrade to 3.1.1
Is it possible to upgrade from Squid 3.0 to Squid 3.1.1 by applying a patch/diff? Is there any howto available which can be referred to? Should everybody upgrade?
[squid-users] DNS Related Problem resolved your further guidance is required.
Dear Amos,
This problem is resolved by disabling the following lines in my setup:

#Define Local Servers
# acl localServers dst 10.0.0.0/8
# Local server should never be forwarded to neighbour/peers and they should never be cached.
#always_direct allow localservers
#cache deny LocalServers

By disabling these directives no DNS server is required at all, as the cache_peer ISA is doing the trick now and the ISA server's DNS settings (whatever they are) are being utilized instead, right? OK, what was happening when these lines were not commented was that Squid was trying to use the above ACL in every request; I do not have a very confident picture. Shouldn't it have been able to resolve DNS easily through the settings in my /etc/resolv.conf? Or in reality was it trying to use the DNS configuration on the ISA server, which has external DNS servers configured and therefore has no idea of the local network? What is the behaviour? Please guide me.
However, I just wonder what good these lines are for, when users in your local net are bound to go to local servers by configuring their browsers' "No proxy/bypass for local network web servers" settings. Is there a way to go even to local servers through the proxy, as I have developed an understanding that for local servers you have to bypass the Squid proxy? Please enlighten me. Thanks in advance.
regards, Bilal Aslam

From: gi...@msn.com
To: squ...@treenet.co.nz; squid-users@squid-cache.org
Date: Tue, 30 Mar 2010 05:43:48 +
Subject: RE: [squid-users] HTTP_Miss/200,304 Very Slow responsetime. Experts please help.
[squid-users] Squid Reporting.
Is there a trick to trace cache hits and cache misses in SARG in a more readable format, also in detailed and summarized form, of how much data has come through the cache? Or do I have to use some other tool, and which? What are the best reporting tools to use for Squid? Can someone give a suggestion please?
regards, Bilal Aslam
[squid-users] HTTP_Miss/200,304 Very Slow responsetime. Experts please help.
I am using ISA Server as cache_peer parent and running multiple instances on my Squid server. However I am failing to understand why the behaviour of Squid is extremely slow. At home, where I have direct access to the internet, the same setup works fine. Please, somebody help me out.
regards, Bilal Aslam
---
My Squid server has internet access by being a SecureNAT client of ISA Server.
My configuration file for the first instance:

visible_hostname squidLhr
unique_hostname squidMain
pid_filename /var/run/squid.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/access.log squid
cache_log /var/logs/cache.log
cache_store_log /var/logs/store.log
cache_effective_user proxy
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query
prefer_direct off
# never_direct allow all (handy to test that if the processes are working in collaboration)
cache_dir aufs /var/spool/squid 1 16 256
coredump_dir /var/spool/squid
cache_swap_low 75
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#Define Local Network.
acl FcUsr src /etc/squid/FcUsr.conf
acl PUsr src /etc/squid/PUsr.conf
acl RUsr src /etc/squid/RUsr.conf
#Define Local Servers
acl localServers dst 10.0.0.0/8
#Defining allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost
# Local server should never be forwarded to neighbour/peers and they should never be cached.
always_direct allow localservers
cache deny LocalServers
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate all
http_access allow windowsupdate localhost
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
acl BIP dst /etc/squid/Blocked.conf
# Definitions for BlockingRules #
### Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
### Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
### Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex /etc/squid/pornlist
### Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
### Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
### Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
### Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
## Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com
### Definition for Disallowing download of executables from
RE: [squid-users] HTTP_Miss/200,304 Very Slow responsetime. Experts please help.
Dear Amos,
Thank you so much. I will try troubleshooting along the lines you suggested.
regards, Bilal Aslam

Date: Tue, 30 Mar 2010 17:05:50 +1300
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] HTTP_Miss/200,304 Very Slow responsetime. Experts please help.

GIGO . wrote:
I am using ISA Server as cache_peer parent and running multiple instances on my Squid server. However I am failing to understand why the behaviour of Squid is extremely slow. At home, where I have direct access to the internet, the same setup works fine. Please, somebody help me out.
regards, Bilal Aslam

First thing to check is access times on the ISA and whether the problem is actually Squid or something else down the software chain.
Extremely slow times are usually the result of DNS failures. Each of the proxies needs to do its own lookups, so any small failure will compound into a big delay very fast.
Your Squid does its own DNS lookup on every request to figure out if it's part of the localservers ACL or not (in both the always_direct and cache access controls).
Amos
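An added example, not from the thread, that puts Amos's diagnosis beside a fix for the question raised in the follow-up about what those lines were for and whether local servers can be reached through the proxy at all. A `dst` ACL compares the destination address, so Squid must resolve the URL host before `always_direct` and `cache` can be evaluated, on every request, including the ones the ISA parent would fetch anyway; with an unreachable or external-only resolver every request first waits out the DNS timeout. The corrected half matches local servers by host name instead and gives Squid a resolver that knows the internal zone. The zone name, resolver address and ISA address are assumed, not taken from the thread.

```conf
# squid.conf fragment, added example (not from the thread). Assumed: internal
# DNS zone corp.example.com served by 10.1.1.53, ISA parent at 10.1.82.205:8080.

# --- As posted. "dst" needs the destination *address*, so Squid resolves the
#     URL host before always_direct and cache can be decided, on every request.
#     A slow or external-only resolver turns that into a per-request stall.
acl localServers dst 10.0.0.0/8
always_direct allow localServers
cache deny localServers

# --- Corrected. Match local servers by name, which Squid already has from the
#     URL, and point Squid at a resolver that knows the internal zone instead
#     of whatever /etc/resolv.conf happens to say.
dns_nameservers 10.1.1.53

acl localNames dstdomain .corp.example.com
acl localAddrs dst 10.0.0.0/8
acl plainIP dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# Rule order matters. For an IP-literal URL a dstdomain ACL that does not
# match triggers a reverse lookup, so settle IP-literal URLs first with the
# regex (no lookup) and the address ACL (no lookup, the host already is an
# address), and stop there so localNames never sees a raw IP.
always_direct allow plainIP localAddrs
always_direct deny plainIP
always_direct allow localNames
cache deny plainIP localAddrs
cache allow plainIP
cache deny localNames

# Everything else goes to the ISA parent, so Squid never resolves external
# names itself; the parent's own DNS does that. always_direct wins over
# never_direct, so the local rules above still go direct.
cache_peer 10.1.82.205 parent 8080 0 default no-query no-digest
never_direct allow all
```

With this in place browsers no longer need a "bypass proxy for local addresses" exception: local requests go through Squid, are sent direct and are not cached, and only those requests need the internal resolver. Verify with `squid -k parse` after editing and watch the access.log tag for a local URL, which should show DIRECT rather than the parent.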
[squid-users] cache_peer
I want that if my first listed cache peer goes down, then only should my second peer be used.

cache_peer 127.0.0.1 3128 0 default no-digest no-query no-delay
(only if this is unavailable then the second one listed is used)
cache_peer 10.1.82.205 8080 0 default proxy-only no-query no-digest default

Please guide me on how to do this. What configuration would be required? Thanks.
regards, Bilal Aslam
[squid-users] Rebuilding storage in /var/spool/squid3 (DIRTY) ?
What is the meaning of "Rebuilding storage in /var/spool/squid3 (DIRTY)"?
regards,
RE: [squid-users] SquidCompilationproblem -squid_ldap_auth.c:123:18: error: lber.h: No such file or directory
Dear Amos,
It did work on Ubuntu, but now I am facing the same problem in RHEL. Can you please guide which package I would require?
regards, Bilal

Date: Sun, 21 Mar 2010 22:06:09 +
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SquidCompilationproblem -squid_ldap_auth.c:123:18: error: lber.h: No such file or directory

On Sun, 21 Mar 2010 19:37:56 +, GIGO . wrote:
Please guide me on this, what's wrong. I am unable to compile Squid 3 STABLE24 on Ubuntu 8.04 LTS server. I want to use Active Directory authentication (my clients should be able to authenticate themselves with Active Directory accounts). Following is my command:

You need the LDAP packages to be installed. Make sure you have the package build dependencies listed here: https://launchpad.net/ubuntu/lucid/+source/squid3
Amos
[squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.
Dear All,
Please help me on this, as after setting up multiple instances on the same server (for cache directory fault tolerance) my Squid speed/response is extremely slow and even most of the sites keep on opening and opening. I am failing to figure out what's wrong. Please guide me on this; I am enclosing my configuration files for your reference.
Instance 1, with which all the users are connected:

visible_hostname squidLhr
unique_hostname squidMainProcess
pid_filename /var/run/squid3main.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/access.log
cache_log /var/logs/cache.log
cache_effective_user proxy
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay
#temporarily Directive
never_direct allow all
prefer_direct off
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache deny all
acl localServers dst 10.0.0.0/8
always_direct allow localservers
cache deny LocalServers
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
acl FcUsr src /etc/squid3/FcUsr.conf
acl PUsr src /etc/squid3/PUsr.conf
acl RUsr src /etc/squid3/RUsr.conf
acl BIP dst /etc/squid3/Blocked.conf
acl CONNECT method CONNECT
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate FcUsr
http_access allow windowsupdate PUsr
http_access allow windowsupdate RUsr
http_access allow windowsupdate localhost
#Defining allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
# Definitions for BlockingRules #
### Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
### Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
### Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex /etc/squid3/pornlist
### Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
### Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
### Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
### Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
## Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com
### Definition for Disallowing download of executables from web #
acl downloads url_regex /etc/squid3/download.conf
### Definition of Torrentz
acl torrentSeeds urlpath_regex \.torrent(\?.*)?$
### Definition of Rapidshare ###
acl dlSites dstdomain .rapidshare.com .rapidsharemegaupload.com .filespump.com
###-
http_access deny PornSites
http_access deny Sex
#http_access deny RUsr PornSites
#http_access deny PUsr PornSites
#deny everyone porn sites
#http_access deny RUsr Sex
#http_access deny PUsr Sex
http_access deny PUsr msnd
http_access deny RUsr msnd
http_access deny PUsr msn
http_access deny RUsr msn
RE: [squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.
Please, I want to add information for my previous query. My previous setup with a single instance was running fine. Another change is that I compiled my new setup with more options this time, like enabling delay pools, cache digests and Active Directory authentication support. Is the below issue in any way related to this as well? Please, your support is required.

From: gi...@msn.com
To: squid-users@squid-cache.org
Date: Thu, 25 Mar 2010 11:31:01 +
Subject: [squid-users] After Running Multiple Instances my Squid speed/response is extremely slow.

Dear All,

Please help me on this, as after setting up multiple instances on the same server (for cache directory fault tolerance) my squid speed/response is extremely slow and even most of the sites keep on opening and opening. I am failing to figure out what's wrong. Please guide me on this; I am enclosing my configuration files for your reference.

Instance 1, with which all the users are connected:

visible_hostname squidLhr
unique_hostname squidMainProcess
pid_filename /var/run/squid3main.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/access.log
cache_log /var/logs/cache.log
cache_effective_user proxy
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay
#temporarily Directive
never_direct allow all
prefer_direct off
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache deny all
acl localServers dst 10.0.0.0/8
always_direct allow localservers
cache deny LocalServers
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
acl BIP dst "/etc/squid3/Blocked.conf"
acl CONNECT method CONNECT
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate FcUsr
http_access allow windowsupdate PUsr
http_access allow windowsupdate RUsr
http_access allow windowsupdate localhost
#Defining allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
#Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"
#Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
#Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
#Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
## Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com
[squid-users] Extreme Slow Response from Squid (Test environment, only 4 users at the moment)
From the multiple instance setup using Squid 3stable25, I have shifted to squid3stable1 packaged with Ubuntu 8.04 LTS. However I am unable to understand why it's so slow. What's wrong? Please, anybody help out. Is it something to do with the operating system? Or does Squid initially run that slow? I feel helpless. Please guide me.

My hardware:
Physical server IBM 3650
Physical RAID 1 + a volume disk, each of 73 GB size. Currently I am doing caching on RAID1.
RAM 4 GB

My conf file:

visible_hostname squidLhr
unique_hostname squidDefault
pid_filename /var/run/squid3.pid
http_port 10.1.82.53:8080
icp_port 0
snmp_port 0
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query
#cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay  (use in the multiple setup)
#temporarily Directive
never_direct allow all
#prefer_direct off  (use in the multiple setup; also ponder on the above directive, as it may not be needed with direct internet access)
cache_dir aufs /var/spool/squid3 1 32 320
coredump_dir /var/spool/squid3
cache_swap_low 75
cache_mem 100 MB
range_offset_limit 0 KB
maximum_object_size 4096 MB
minimum_object_size 0 KB
quick_abort_min 16 KB
cache_replacement_policy lru
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#specific for youtube, the one below
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#Define Local Network.
acl FcUsr src "/etc/squid3/FcUsr.conf"
acl PUsr src "/etc/squid3/PUsr.conf"
acl RUsr src "/etc/squid3/RUsr.conf"
#Define Local Servers
acl localServers dst 10.0.0.0/8
#Defining allowing ports section
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny request to unknown ports
http_access deny !Safe_ports
# Deny request to other than SSL ports
http_access deny CONNECT !SSL_ports
#Allow access from localhost
http_access allow localhost
# Local servers should never be forwarded to neighbours/peers and they should never be cached.
always_direct allow localservers
cache deny LocalServers
# Windows Update Section...
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT FcUsr
http_access allow CONNECT wuCONNECT PUsr
http_access allow CONNECT wuCONNECT RUsr
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate all
http_access allow windowsupdate localhost
acl workinghours time MTWHF 09:00-12:59
acl workinghours time MTWHF 15:00-17:00
acl BIP dst "/etc/squid3/Blocked.conf"
#Definitions for BlockingRules#
###Definition of MP3/MPEG
acl FTP proto FTP
acl MP3url urlpath_regex \.mp3(\?.*)?$
acl Movies rep_mime_type video/mpeg
acl MP3s rep_mime_type audio/mpeg
###Definition of Flash Video
acl deny_rep_mime_flashvideo rep_mime_type video/flv
###Definition of Porn
acl Sex urlpath_regex sex
acl PornSites url_regex "/etc/squid3/pornlist"
#Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
###Definition of FaceBook
acl facebook_sites dstdomain .facebook.com
#Definition of MSN Messenger
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger
#Definition of Skype
acl numeric_IPs url_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
##Definition of Yahoo! Messenger
acl ym dstdomain
FW: [squid-users] Peering squid multiple instances.
From: gi...@msn.com
To: squ...@treenet.co.nz
Subject: RE: [squid-users] Peering squid multiple instances.
Date: Wed, 24 Mar 2010 07:12:15 +

Dear Amos,

Thank you for your response and better design tips. However I am not able to comprehend it well (due to lack of experience and knowledge, both, at current). So I request you to elaborate it a bit more. Your guidance would be really valuable.

Question 1: You said that under my configuration this is the case:

Client - squidinstance1 - squidinstance2 - (web servers)
or
client - squidinstance2 - webserver

Well, I am failing to understand how clients can talk to squidinstance2 directly when:
1. squidinstance2 is configured with an acl to accept traffic from localhost only.
2. On the Squid clients (browsers) the port 8080 of the first instance is configured, and this is the only traffic that is being accepted through iptables as well.

According to my perception, isn't this the case?

client - squidinstance1 - webserver
client - squidinstance1 - squidinstance2 - webserver

Please guide me in this respect.

Question 2: I have created multiple instances to run on the same machine because in my server there are three hard drives. The OS is on physical RAID1. The cache directory is on the third hard drive (comprising 80% of total space). This setup is done because I wanted to survive a directory failure, so even if all my drives which are holding cache directories fail, even then my clients will be able to browse the internet through the proxy-only instance until the disk system holding the OS fails. I am not sure whether this approach is correct or not, but this is what I have learnt in these days through available FAQs and of course guidance through squid mail help. Please guide me on this.

Question 3: What does it mean by "parent is the peering method for origin web servers"? Also you wrote that by reason of Parent it does not matter which protocol you are using. Please guide me.

Question 4: I interpret that you mean that two instances running on the same machine should have sibling type relationships configured identically with digest type protocol between them. It means that I should run two instances but pointing to different cache directories on my third hard drive and, instead of a 50 GB big cache, give let's say 25 GB space to each. (Holding two cache directories on the same hard drive, doesn't it degrade performance? So is it only possible when I have multiple drives for holding cache?) Both permitted to cache data from origin servers; however, in case of a cache miss, first check the sibling before going to the origin server. Am I correct in understanding you?

You further said that for failover... which I am sorry that I failed to understand at this point of time due to my current skill/competency. However I am eager to learn and determined to work hard. Your detailed response will be really, really valuable to me (I have just started a couple of weeks back). Please, is the following setup for failover of a whole squid proxy server or failover of squid processes?

* a cache_peer parent type to the web server. With originserver and default selection enabled.

This topology utilizes a single layer of multiple proxies. Possibly with hardware load balancing in iptables etc sending alternate requests to each of the two proxies listening ports. Useful for small-medium businesses requiring scale with minimal hardware. Probably their own existing load balancers already purchased from earlier attempts. IIRC the benchmark for this is somewhere around 600-700 req/sec.

The next step up in performance and HA is to have an additional layer of Squid acting as the load-balancer doing CARP to reduce cache duplication and remove sibling data transfers. This form of scaling out is how WikiMedia serve their sites up. It is documented somewhat in the wiki as ExtremeCarpFrontend. With a benchmark so far for a single box reaching 990 req/sec.

These maximum speed benchmarks are only achievable by reverse-proxy people. Regular ISP setups can expect their maximum to be somewhere below 1/2 or 1/3 of that rate due to the content diversity and RTT lag of remote servers.

(Well, that part I understood.)

Question 5: Can you please tell some good read for knowledge/concepts building? I have got hold of the Squid Definitive Guide, though a very good one; however, isn't it a bit outdated? Can you recommend, please? Especially on the topic of authenticating Active Directory users in squid proxy.

Date: Wed, 24 Mar 2010 18:06:46 +1300
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Peering squid multiple instances.

GIGO . wrote:
> I have successfully set up running of multiple instances of squid for the sake of surviving a cache directory failure. However I
[squid-users] Allowing ports used by Squid through Iptables.
I want to do the security hardening of my Squid server with iptables. I intend to have no rule on outbound traffic; however, inbound traffic would be restricted. Please guide what are the minimum ports that are required to be open on iptables. Following is what I thought:

Allow all incoming traffic from the loopback adapter
Allow SSH traffic incoming
Allow 80, 443, 161, 389, these multiple ports (389 as I intend to authenticate my clients from Active Directory)
Allow the Squid-specific http_port (I am using 8080)
Allow the SNMP port according to the defined directive (mine is 3161 and 7172)
Deny all other incoming traffic

Any other perhaps I am not calculating? Please guide me.

thanks
Regards,

_
Hotmail: Trusted email with powerful SPAM protection. https://signup.live.com/signup.aspx?id=60969
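One way to express the inbound policy listed above as iptables rules, added here as an example that is not part of the original post and not the Squid project's code. It assumes the ports from this thread (http_port 8080, snmp_port 3161 and 7172, SSH on 22) and a hypothetical client network 10.0.0.0/8 borrowed from the localServers ACL; because outbound traffic is left unrestricted, replies from origin servers and the domain controller (80, 443, 389) are admitted by connection tracking rather than by opening those ports inbound.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): minimal inbound iptables
# policy for the Squid host described in the thread. Values below are
# assumptions taken from the thread's configs; override them in the environment.
SQUID_HTTP_PORT="${SQUID_HTTP_PORT:-8080}"        # http_port 8080
SQUID_SNMP_PORTS="${SQUID_SNMP_PORTS:-3161 7172}" # snmp_port of both instances
SSH_PORT="${SSH_PORT:-22}"
CLIENT_NET="${CLIENT_NET:-10.0.0.0/8}"            # hypothetical client/admin network

# Print each iptables command, or run it when APPLY=1 is set (as root).
fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit the whole INPUT policy: default-deny inbound, open outbound, and only
# the listener ports Squid actually uses. The loopback rule already covers the
# second instance on 127.0.0.1:3128, so it needs no rule of its own.
squid_inbound_rules() {
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
    fw -F INPUT
    fw -A INPUT -i lo -j ACCEPT
    # Replies to connections the proxy itself opens (origin servers on 80/443,
    # LDAP/Kerberos on the domain controller) return via conntrack state,
    # so those ports stay closed inbound.
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    fw -A INPUT -p tcp -s "$CLIENT_NET" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    fw -A INPUT -p tcp -s "$CLIENT_NET" --dport "$SQUID_HTTP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    for port in $SQUID_SNMP_PORTS; do
        fw -A INPUT -p udp -s "$CLIENT_NET" --dport "$port" -j ACCEPT
    done
    # Log a sample of what the default policy drops, rate limited so a port
    # scan cannot fill the log.
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "squid-fw-drop: "
}

# Number of ACCEPT rules opened to the client network: a quick review figure
# to confirm nothing beyond SSH, the proxy port and SNMP is exposed.
count_open_ports() {
    squid_inbound_rules | grep -c -- "-s $CLIENT_NET .*-j ACCEPT"
}

if [ "${1:-}" = "--show" ]; then
    squid_inbound_rules
fi
```

Run with `--show` to review the generated rules, and with `APPLY=1 --show` as root to install them.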
[squid-users] Squid Compilation and Active Directory Authentication
Purpose: To authenticate squid users through Active Directory before allowing them access to the internet.

Compile options:

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/shares/squid --sysconfdir=/etc/squid3 --enable-cache-digests --enable-removal-policies=lru --enable-delay-pools --enable-storeio=aufs,ufs --with-large-files --disable-ident-lookups --with-default-user=proxy --enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth

Questions:
1. --enable-digest-auth-helpers="list of helpers": does this option have any role in authentication through Active Directory?
2. Does compiling with more options than you currently require have a downside, or is it a good option to compile with as many options as you can guess you may need in the future?
3. Could you refer to an online complete guide for the authentication of squid users through Active Directory? Currently I am referring to these, hoping that they are the latest and complete:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

regards,
[squid-users] Peering squid multiple instances.
I have successfully set up running of multiple instances of squid for the sake of surviving a cache directory failure. However I still have a few confusions regarding peering multiple instances of squid. Please guide me in this respect.

In my setup I perceive that my second instance is doing caching on behalf of requests sent to Instance 1? Am I correct?
What protocol to select for peers in this scenario? What is the recommendation? (carp, digest, or icp/htcp)
Is the syntax of my cache_peer directive correct, or should the local loopback address not be used this way?
What is the recommended protocol for peering squids with each other?
What is the recommended protocol for peering squid with ISA Server?

Instance 1:

visible_hostname vSquidlhr
unique_hostname vSquidMain
pid_filename /var/run/squid3main.pid
http_port 8080
icp_port 0
snmp_port 3161
access_log /var/logs/access.log
cache_log /var/logs/cache.log
cache_peer 127.0.0.1 parent 3128 0 default no-digest no-query proxy-only no-delay
prefer_direct off
cache_dir aufs /var/spool/squid3 100 256 16
coredump_dir /var/spool/squid3
cache deny all

Instance 2:

visible_hostname SquidProxylhr
unique_hostname squidcacheprocess
pid_filename /var/run/squid3cache.pid
http_port 3128
icp_port 0
snmp_port 7172
access_log /var/logs/access2.log
cache_log /var/logs/cache2.log
coredump_dir /cache01/var/spool/squid3
cache_dir aufs /cache01/var/spool/squid3 5 48 768
cache_swap_low 75
cache_mem 1000 MB
range_offset_limit -1
maximum_object_size 4096 MB
minimum_object_size 12 bytes
quick_abort_min -1

regards,
[squid-users] Squid Compilation problem - squid_ldap_auth.c:123:18: error: lber.h: No such file or directory
Please guide me on this, what's wrong. I am unable to compile Squid3stable24 on Ubuntu 8.04 LTS server. I want to use Active Directory authentication (my clients should be able to authenticate themselves with Active Directory accounts). Following is my command:

./configure --sbindir=/usr/sbin --sysconfdir=/etc/squid3 --enable-removal-policies=lru --enable-delay-pools --enable-storeio=aufs,ufs --with-large-files --disable-ident-lookups --with-default-user=proxy --enable-basic-auth-helpers=LDAP --enable-auth=basic,negotiate,ntlm --enable-external-acl-helpers=wbinfo_group,ldap_group --enable-negotiate-auth-helpers=squid_kerb_auth

The error I am getting is:

Making all in basic_auth
make[2]: Entering directory `/home/bilal/squid-3.0.STABLE24/helpers/basic_auth'
Making all in LDAP
make[3]: Entering directory `/home/bilal/squid-3.0.STABLE24/helpers/basic_auth/LDAP'
gcc -DHAVE_CONFIG_H -I. -I../../../include -I../../../include-m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -g -O2 -MT squid_ldap_auth.o -MD -MP -MF .deps/squid_ldap_auth.Tpo -c -o squid_ldap_auth.o squid_ldap_auth.c
squid_ldap_auth.c:123:18: error: lber.h: No such file or directory
squid_ldap_auth.c:124:18: error: ldap.h: No such file or directory
squid_ldap_auth.c:137: error: ‘LDAP_SCOPE_SUBTREE’ undeclared here (not in a function)
squid_ldap_auth.c:141: error: ‘LDAP_DEREF_NEVER’ undeclared here (not in a function)
squid_ldap_auth.c:147: error: ‘LDAP_NO_LIMIT’ undeclared here (not in a function)
squid_ldap_auth.c:154: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:208: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:213: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:218: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:226: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:231: error: expected ‘)’ before ‘*’ token
squid_ldap_auth.c:249: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
squid_ldap_auth.c: In function ‘main’:
squid_ldap_auth.c:348: error: ‘LDAP’ undeclared (first use in this function)
squid_ldap_auth.c:348: error: (Each undeclared identifier is reported only once
squid_ldap_auth.c:348: error: for each function it appears in.)
squid_ldap_auth.c:348: error: ‘ld’ undeclared (first use in this function)
squid_ldap_auth.c:350: error: ‘LDAP_PORT’ undeclared (first use in this function)
squid_ldap_auth.c:410: error: ‘LDAP_SCOPE_BASE’ undeclared (first use in this function)
squid_ldap_auth.c:412: error: ‘LDAP_SCOPE_ONELEVEL’ undeclared (first use in this function)
squid_ldap_auth.c:440: error: ‘LDAP_DEREF_ALWAYS’ undeclared (first use in this function)
squid_ldap_auth.c:442: error: ‘LDAP_DEREF_SEARCHING’ undeclared (first use in this function)
squid_ldap_auth.c:444: error: ‘LDAP_DEREF_FINDING’ undeclared (first use in this function)
squid_ldap_auth.c:586: warning: implicit declaration of function ‘open_ldap_connection’
squid_ldap_auth.c:587: warning: implicit declaration of function ‘checkLDAP’
squid_ldap_auth.c:588: warning: implicit declaration of function ‘squid_ldap_errno’
squid_ldap_auth.c:588: error: ‘LDAP_INVALID_CREDENTIALS’ undeclared (first use in this function)
squid_ldap_auth.c:590: warning: implicit declaration of function ‘ldap_unbind’
squid_ldap_auth.c:594: warning: implicit declaration of function ‘ldap_err2string’
squid_ldap_auth.c:594: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘int’
squid_ldap_auth.c:598: error: ‘LDAP_SUCCESS’ undeclared (first use in this function)
squid_ldap_auth.c: At top level:
squid_ldap_auth.c:640: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/home/bilal/squid-3.0.STABLE24/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/bilal/squid-3.0.STABLE24/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/bilal/squid-3.0.STABLE24/helpers'
make: *** [all-recursive] Error 1
[squid-users] Absolute Beginner help required on concepts related to Cache_effective_user.
On a compiled squid3 stable24, I am unable to run squid as root in Ubuntu, so the cache_effective_user defined in squid.conf never comes into play. Is this a security concern? What good is cache_effective_user for? Is it right to run squid with the default Ubuntu user one has installed the OS with? On Ubuntu there lies another user, proxy(13), having group proxy; for what purpose does this user exist, if this has any relation with squid? Startup scripts in /etc/init.d run with root privilege on system startup; however my startup script never succeeds because permission is denied to run squid as root. Is there a way to fix this issue? Please, if somebody could enlighten me about these concepts I would be really thankful, as I am unable to get this concept right myself.

regards,
RE: [squid-users] Cache_dir size considerations
Yes, you are right about asking a lot of questions at once. I'll be careful. Thank you.

Date: Fri, 19 Mar 2010 16:44:18 +0100
From: mrom...@ottotecnica.com
To: gi...@msn.com
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache_dir size considerations

GIGO . wrote:
> Well, I want to make sure that my settings are optimized and want to learn more about the cache_dir settings. Let me come in details.

Gigo, you are asking a lot of questions all at once. This is a volunteer-based support list, so your chances of getting (good) responses are maximized if you ask specific questions, one or two per post (possibly related). That said, I'll try to answer with what I know...

> I have installed squid3stable24 on Ubuntu 8.04 on an IBM 3650 X series server with two hard disks on which physical RAID1 is implemented. I am to use the Squid server for 1000 users, out of which 250 are power users; the rest of them are normal users for which there are many restrictions (youtube, facebook, msn messenger, yahoo messenger, mp3/mpg etc...).

OK

> I have done my settings specifically to ensure that Windows updates are cached and my maximum_object_size is 256 MB. Also I am looking forward to caching YouTube content (for which I have no updated script and settings so far; the one on the internet is with the storeurl directive, which is deprecated)... Now my cache directory size is 50 GB with 16 L1 and 256 L2. I think better would be Cache_dir_size aufs 50 GB 48(L1) 768(L2). As far as L1/L2 settings, I am clear that there should be no more than around 100 files in L2 directories, so one's settings should be adjusted accordingly. However I am confused whether setting your cache (50 GB) to too large a size will have anything to do with your performance. Secondly, at the moment the cache directory is implemented on the same hard drive on which the OS is installed. I know that the cache should better be moved to a spare hard drive. But what about the high availability? Failure of a disk could result in the failure of the proxy?

To maximize performance you want 1 disk for OS and logs, and one disk per cache_dir, without any RAID. With only two disks, obviously if either one dies you have an out of service. So to achieve HA squid you'd need to have two physical squid boxes, I think. Haven't tried myself, so I cannot guide you on how to set that up...

> Another confusion which I have is about the cache_effective_user. I have set my user cache_effective_user proxy, but I don't have much concept about it. I have read on the SANS institute site a white paper published in 2003 that squid should not be run as the nobody user but as a sandbox user with no shell. However I am not sure what it is all about and whether this information is still valid after 7 years have passed.

Squid should not be run as root. You should have a dedicated user account for it. Squid cache dirs should be rw by that squid account, obviously. I believe most distros (at least server-oriented ones) take care of this setup when you install squid via package manager.

> Please also guide me what the risks involved are with this setting which I have done for Windows update:
> range_offset_limit -1
> maximum_object_size 256 MB
> quick_abort_min -1

No risk, but if a user interrupts a huge download, squid will continue it until it finishes, possibly wasting a lot of bandwidth on the WAN side.

> Further, after giving squid too long a list of blocked sites, say containing 100+ sites, I have noticed that it slowed down; however I am not sure if that is the reason? Please guide..

Well, blocking sites involves checking every request's URL against all the sites in the blacklist. This might have a noticeable impact on the server load. Also, if you have many regexes in the blacklist(s) the load will be significantly higher. You might want to have a look at squidGuard or another external helper, to take advantage of the multiple CPU cores your server might have.

> Please guide in detail; it will be really beneficial for me as concept building... I would be really thankful..
> regards,

HTH

Date: Wed, 17 Mar 2010 11:00:22 +0100
From: mrom...@ottotecnica.com
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache_dir size considerations

GIGO . wrote:
> The total amount of RAM on the server is 4 GB with the cache_mem parameter set to 1 GB.

IMHO there's plenty of HW for squid to run smoothly. But it also depends on the amount of traffic. I'm sorry but I think I don't get your point... what is exactly the problem you're having?

--
Marcello Romani
RE: [squid-users] Squid cache_dir failed - can squid survive?
Dear Henrik,

If you have only one physical machine, what is the best strategy for minimizing the downtime: rebuild the cache directory again, or start utilizing the squid without the cache directory? I assume we have to reinstall the Squid software? Please guide.

From: hen...@henriknordstrom.net
To: gina...@gmail.com
CC: squid-users@squid-cache.org
Date: Sat, 13 Mar 2010 09:32:30 +0100
Subject: Re: [squid-users] Squid cache_dir failed - can squid survive?

On Fri 2010-03-12 at 14:28 -0800, Maykeen wrote:
> I want to know if squid is able to survive if it suddenly loses access to its cache directories, for example, stop caching requests and just serve as a proxy. Is there a way to do this, instead of squid terminating when this happens?

Squid is not currently designed to handle this and will terminate.

What you can do to handle this situation is to run two Squids, one just as a proxy and the other with the cache. The proxy-only one uses the cache one as parent.

Regards
Henrik
[squid-users] Cache_effective_user issue
I installed Ubuntu server as the u-admin account. I have set the directive cache_effective_user to squidadmin. However my squid process keeps on running as the b-admin account, and my cache_effective_user never comes into play. As per a guide which described that squid will only shift to the defined user if it is run as root, but I am unable to start it as root. I logged in as root by sudo -s (running it as root) and tried to start the squid, but the permissions were denied. For the same reason I guess my startup scripts kept on failing. I have created the squidadmin account as nologin/noshell for security purposes and feel that the squid process should be run with this account. Please guide, am I thinking right? Please help me out.

regards,
[squid-users] Squid proxy Setup in fail-over mode
How to set up squid proxy to run in fail-over mode? Any guide?

regards,
Bilal Aslam
RE: [squid-users] Squid cache_dir failed - can squid survive?
Is it possible to run two instances/processes of squid on the same physical machine, that is one with cache and the other in proxy-only mode? Is that what you mean? How?

From: hen...@henriknordstrom.net
To: gi...@msn.com
CC: gina...@gmail.com; squid-users@squid-cache.org
Date: Thu, 18 Mar 2010 09:54:34 +0100
Subject: RE: [squid-users] Squid cache_dir failed - can squid survive?

On Thu 2010-03-18 at 06:16 +, GIGO . wrote:
> Dear Henrik,
> If you have only one physical machine, what is the best strategy for minimizing the downtime: rebuild the cache directory again, or start utilizing the squid without the cache directory? I assume we have to reinstall the Squid software? Please guide.

The approach I proposed earlier with two Squid processes running in cooperation will make service survive automatically for as long as the system disk is working.

If using just one process then making Squid stop trying to use the cache is as simple as removing the cache_dir specifications from squid.conf and starting Squid again. You do not need to reinstall unless the system/OS partition has been damaged.

This change to squid.conf can easily be automated with a little script if you want.

Regards
Henrik
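A sketch of the "little script" Henrik mentions for the single-process case, added here as an example that is neither Henrik's nor the Squid project's code: it probes every cache_dir named in squid.conf and, when one is unusable, writes a proxy-only copy of the config with those cache_dir lines commented out for Squid to restart from. The paths (/etc/squid3/squid.conf, /var/run/squid3.pid, the squid3 binary) are assumptions taken from this thread's Ubuntu setup.

```shell
#!/bin/sh
# Added example (not Henrik's or the Squid project's code): automate the
# single-process fallback described in the reply above. Paths are assumptions
# based on this thread's Ubuntu/squid3 setup; override them in the environment.
SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"
SQUID_PID="${SQUID_PID:-/var/run/squid3.pid}"
SQUID_BIN="${SQUID_BIN:-squid3}"

# List the directory of every active cache_dir line ("cache_dir type path ...").
cache_dirs_of() {
    awk '$1 == "cache_dir" { print $3 }' "$1"
}

# Return 0 only if the directory exists and a file can actually be created in
# it: a dead disk typically fails the write, not just the -d test.
cache_dir_usable() {
    probe="$1/.squid_failover_probe"
    [ -d "$1" ] && [ -w "$1" ] && touch "$probe" 2>/dev/null && rm -f "$probe"
}

# Write a copy of the config with every cache_dir line commented out, so Squid
# starts as a plain proxy. Everything else passes through unchanged.
proxy_only_conf() {
    sed 's/^\([[:space:]]*\)cache_dir[[:space:]]/\1#cache_dir /' "$1"
}

# Probe the cache dirs of config $1. If any is unusable, write the proxy-only
# config to $2 and return 1 so the caller knows to restart from it.
failover_check() {
    conf="$1"; out="$2"; bad=0
    for dir in $(cache_dirs_of "$conf"); do
        if ! cache_dir_usable "$dir"; then
            echo "cache_dir $dir is not usable" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] && return 0
    proxy_only_conf "$conf" > "$out"
    return 1
}

# Restart Squid without its cache when a cache disk has failed (run as root).
# Pass APPLY=1 to actually restart; otherwise only the check is performed.
main() {
    out="${SQUID_CONF}.proxy-only"
    if failover_check "$SQUID_CONF" "$out"; then
        echo "all cache_dir entries usable; nothing to do"
        return 0
    fi
    echo "falling back to proxy-only config $out"
    if [ "${APPLY:-0}" = "1" ]; then
        "$SQUID_BIN" -k shutdown 2>/dev/null
        # -k shutdown returns at once; wait (bounded) for the old process to
        # remove its pid file and release the listening port.
        i=0
        while [ -f "$SQUID_PID" ] && [ "$i" -lt 60 ]; do sleep 1; i=$((i + 1)); done
        "$SQUID_BIN" -f "$out"
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it from cron or a watchdog with `--run`; a fresh cache_dir still has to be re-created with `squid -z` before the original config is put back.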