Re: [squid-users] cache keeping downloaded files

2011-04-18 Thread Jason Greene
I could fetch the file from the server but I don't know how to look at
the header of a .pd5 file

Jason




On Mon, Apr 18, 2011 at 2:41 AM, Matus UHLAR - fantomas wrote:
> On 14.04.11 12:08, Jason Greene wrote:
>> Can someone tell me if it is possible to make squid not cache a single
>> domain?
>
> it is, however...
>
>> We have a service that downloads a file and squid seems to be keeping
>> the old file in cache so we are not getting the updates.
>
> the webserver probably provides incorrect data about the file, so squid does
> not check whether the cached content is fresh.
>
>> How do I set squid to not cache a domain and/or how do I clear that
>> domain's cache and/or how do I change the life (ttl) of the cache?
>
> You can use the 'cache' directive.
>
> But it's much better to find out why squid doesn't revalidate the object.
>
> Can you fetch the file directly from the server and look at the headers?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> 2B|!2B, that's a question!
>
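
What to look for in those headers, as an added example that is not part of the original thread: a simplified model of how a shared cache picks a freshness lifetime. The sample headers are constructed, and the 20% / 4320-minute values are an assumption taken from Squid's stock `refresh_pattern . 0 20% 4320` line, not from the poster's proxy.

```python
from email.utils import parsedate_to_datetime

# Constructed response headers (not from the thread): no Cache-Control or
# Expires, only a Last-Modified ten days older than Date.
SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 10:00:00 GMT
Last-Modified: Fri, 08 Apr 2011 10:00:00 GMT
Content-Type: application/octet-stream
"""

def parse_headers(raw):
    pairs = (l.split(":", 1) for l in raw.splitlines()[1:] if ":" in l)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def freshness(raw, lm_factor=0.20, max_minutes=4320):
    """Return (source, lifetime_seconds, validators) for one response."""
    h = parse_headers(raw)
    validators = [n for n in ("etag", "last-modified") if n in h]
    cc = {}
    for part in h.get("cache-control", "").split(","):
        key, _, val = part.strip().partition("=")
        if key:
            cc[key.lower()] = val.strip('"')
    if "no-store" in cc or "no-cache" in cc:
        return "explicit", 0, validators
    for key in ("s-maxage", "max-age"):  # shared caches prefer s-maxage
        if key in cc:
            return "explicit", int(cc[key]), validators
    date = parsedate_to_datetime(h["date"])  # assumes the server sent Date
    if "expires" in h:
        try:
            delta = (parsedate_to_datetime(h["expires"]) - date).total_seconds()
        except (TypeError, ValueError):  # e.g. "Expires: 0" means already stale
            delta = 0
        return "explicit", max(0, int(delta)), validators
    if "last-modified" in h:  # heuristic: a fraction of the object's age
        age = (date - parsedate_to_datetime(h["last-modified"])).total_seconds()
        return "heuristic", int(min(age * lm_factor, max_minutes * 60)), validators
    return "none", 0, validators
```

For the constructed sample the result is a heuristic lifetime of two days, during which the cache serves its copy without asking the origin; a `Cache-Control: max-age=0` from the server would force revalidation instead.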


[squid-users] cache keeping downloaded files

2011-04-14 Thread Jason Greene
I found the answer

# Deny cache for shavlik
acl shavlik-nocache dstdomain .shavlik.com
cache deny shavlik-nocache

Jason


[squid-users] cache keeping downloaded files

2011-04-14 Thread Jason Greene
Can someone tell me if it is possible to make squid not cache a single domain?

We have a service that downloads a file and squid seems to be keeping
the old file in cache so we are not getting the updates.

How do I set squid to not cache a domain and/or how do I clear that
domain's cache and/or how do I change the life (ttl) of the cache?

thanks
Jason


[squid-users] multiple squid servers and logs

2011-04-06 Thread Jason Greene
We have two squid servers and would like to run some reports on the logs.
Is there a way to get both servers to use a single access.log file so
our report app (MySAR) can do its job with a single file?


Jason


Re: [squid-users] maxconn

2010-12-31 Thread Jason Greene
Amos,

I have been trying to send my squid.conf to your personal email but
your system won't let it through.

The error that the other server returned was: 550 550 5.7.1 SPF-Strict
Policy Denied

and I have SPF entries in my DNS...

I don't want to send my conf file to the entire list... how can I get it to you?



Jason




On Wed, Dec 22, 2010 at 6:35 PM, Amos Jeffries wrote:
> On 21/12/10 06:15, Jason Greene wrote:
>>
>> So what do you recommend as a solution?
>>
>> The only line I have in my conf that has "ssl" in it is this
>> acl SSL_ports port 443 563
>
> I'd recommend adding back in the basic security for CONNECT requests then.
> The config order can be found here:
>  http://www.squid-cache.org/Doc/config/http_access/
>
> I'll need to see your full squid.conf to give any better advice.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>


Re: [squid-users] maxconn

2010-12-20 Thread Jason Greene
So what do you recommend as a solution?

The only line I have in my conf that has "ssl" in it is this
acl SSL_ports port 443 563


but I have these ports as "safe"
acl Safe_ports port 443 563



How do I allow the connection thru SSL ports but close them down
enough to not get a HTTP Proxy CONNECT Loop DoS show on my scan?

Thanks

Jason



On Fri, Dec 17, 2010 at 11:38 PM, Amos Jeffries wrote:
> On 18/12/10 04:35, Jason Greene wrote:
>>
>> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
>>>
>>> On 17/12/10 10:38, Jason Greene wrote:
>>>>
>>>> I'm trying to close a security hole
>>>>
>>>>
>>>> I want to use maxconn on ALL IPs
>>>>
>>>> acl limitusercon maxconn 3
>>>> http_access deny all limitusercon
>>>
>>> Testing the "all" there is not useful. That should be just:
>>>
>>>  http_access deny limitusercon
>>>
>>> ... making sure it's placed at the top of your access controls so nothing
>>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>>> should do.
>>
>> Thanks, I'll try this out.
>>
>>>
>>>>
>>>> But it doesn't seem to work and the hole still appears on a scan.
>>>
>>> What hole?
>>
>>
>> HTTP Proxy CONNECT Loop DoS
>>
>
> If that is what I think it is you are missing the default "deny CONNECT
> !SSL_Ports" or have opened SSL_Ports too wide.
> Due to:
>  - the proxy listening ports are not SSL/CONNECT safe ports.
>  - port 443 listening is reverse-proxy territory + reverse proxy must not
> accept CONNECT requests (older squid releases allowed it wrongly).
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>
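
The three points Amos raises in this thread (keep the `deny CONNECT !SSL_ports` guard ahead of any allow, do not list the proxy's own listening port in SSL_ports, and put the maxconn deny ahead of any allow) can be checked mechanically. This is an added example, not code from the thread or from the Squid project; the sample config and the finding strings are constructed, and the parser reads only `acl`, `http_access` and `http_port` lines.

```python
# Constructed sample config (not from the thread): the guard and the maxconn
# rule both sit after an allow, and the listening port is in SSL_ports.
WEAK = """
http_port 3128
acl SSL_ports port 443 563 3128
acl CONNECT method CONNECT
acl limitusercon maxconn 3
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny limitusercon
http_access deny all
"""

def parse(conf):
    acls, rules, listen = {}, [], set()
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
        elif len(tok) >= 2 and tok[0] == "http_port":
            listen.add(int(tok[1].rsplit(":", 1)[-1]))
    return acls, rules, listen

def covers(values, port):  # values are single ports or lo-hi ranges
    return any(int(v.split("-")[0]) <= port <= int(v.split("-")[-1]) for v in values)

def audit(conf):
    acls, rules, listen = parse(conf)
    kind = lambda t: acls.get(t.lstrip("!"), ("", []))[0]
    first_allow = next((i for i, r in enumerate(rules) if r[0] == "allow"), len(rules))
    findings, guard_acl, guard_ok = [], None, False
    for i, (action, terms) in enumerate(rules):
        if action != "deny":
            continue
        is_connect = any("CONNECT" in acls.get(t, ("", []))[1] for t in terms)
        negated = [t[1:] for t in terms if t.startswith("!") and kind(t) == "port"]
        if is_connect and negated:  # the "deny CONNECT !SSL_ports" guard
            guard_acl, guard_ok = negated[0], guard_ok or i < first_allow
        if any(kind(t) == "maxconn" for t in terms) and i > first_allow:
            findings.append("maxconn deny is placed after an allow rule")
    if not guard_ok:
        findings.append("no CONNECT guard before the first allow rule")
    for port in sorted(listen):
        if guard_acl and covers(acls[guard_acl][1], port):
            findings.append(f"listening port {port} is listed in {guard_acl}")
    return findings
```

`audit(WEAK)` returns three findings; moving both deny rules above `http_access allow localnet` and dropping 3128 from `SSL_ports` returns an empty list.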


Re: [squid-users] maxconn

2010-12-17 Thread Jason Greene
It doesn't make sense... I set the limit to 50 and I run my scan and
the vulnerability shows... I drop it back by 5 and run my scan... it
shows until I get to 20... the vulnerability goes away... I increase
the limit by 1 until I get to 25 where it shows back up... I drop back
down to 24... still there

Now, even if I set it to 5, the vulnerability shows


Anyone know what is going on?


Jason




On Fri, Dec 17, 2010 at 9:35 AM, Jason Greene wrote:
> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
>> On 17/12/10 10:38, Jason Greene wrote:
>>>
>>> I'm trying to close a security hole
>>>
>>>
>>> I want to use maxconn on ALL IPs
>>>
>>> acl limitusercon maxconn 3
>>> http_access deny all limitusercon
>>
>> Testing the "all" there is not useful. That should be just:
>>
>>  http_access deny limitusercon
>>
>> ... making sure it's placed at the top of your access controls so nothing
>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>> should do.
>
> Thanks, I'll try this out.
>
>>
>>>
>>> But it doesn't seem to work and the hole still appears on a scan.
>>
>> What hole?
>
>
> HTTP Proxy CONNECT Loop DoS
>
>
>>
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>>  Beta testers wanted for 3.2.0.3
>>
>


Re: [squid-users] maxconn

2010-12-17 Thread Jason Greene
On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
> On 17/12/10 10:38, Jason Greene wrote:
>>
>> I'm trying to close a security hole
>>
>>
>> I want to use maxconn on ALL IPs
>>
>> acl limitusercon maxconn 3
>> http_access deny all limitusercon
>
> Testing the "all" there is not useful. That should be just:
>
>  http_access deny limitusercon
>
> ... making sure it's placed at the top of your access controls so nothing
> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
> should do.

Thanks, I'll try this out.

>
>>
>> But it doesn't seem to work and the hole still appears on a scan.
>
> What hole?


HTTP Proxy CONNECT Loop DoS


>
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>


[squid-users] maxconn

2010-12-16 Thread Jason Greene
I'm trying to close a security hole


I want to use maxconn on ALL IPs

acl limitusercon maxconn 3
http_access deny all limitusercon


But it doesn't seem to work and the hole still appears on a scan.

Are these the correct settings?

Jason