[squid-users] PAC file on a squid proxy

2015-05-19 Thread Monah Baki
Hi all,

Our upstream proxy (cloud based) requires a PAC file to be deployed on each
workstation. Is there a way to have a PAC file on a squid server and then
have users use the local squid servers instead?


Thanks
Monah
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] BUG 3279: HTTP reply without Date:

2015-04-12 Thread Monah Baki
Hi all,

Compiled squid 3.5.2 on CentOS 6.6 as follows:
$ ./configure --prefix=/home/cache --enable-follow-x-forwarded-for
--with-large-files --enable-ssl --disable-ipv6 --enable-esi
--enable-kill-parent-hack --enable-snmp --with-pthreads
--with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
--enable-storeio=ufs,aufs,diskd,rock

After approx 24 hours I am seeing this error on my squid 3.5.2 with one
user connected for testing:

2015/04/11 15:02:58| Logfile: closing log
daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Logfile Daemon: closing log
daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Open FD UNSTARTED 0 stdin
2015/04/11 15:02:58| Open FD UNSTARTED 1 stdout
2015/04/11 15:02:58| Open FD UNSTARTED 2 stderr
2015/04/11 15:02:58| Open FD UNSTARTED 8 DNS Socket IPv4
2015/04/11 15:02:58| Open FD UNSTARTED 9 IPC UNIX STREAM Parent
2015/04/11 15:02:58| Squid Cache (Version 3.5.2): Exiting normally.
2015/04/11 15:06:52| Set Current Directory to
/usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Starting Squid Cache version 3.5.2 for
x86_64-unknown-linux-gnu...
2015/04/11 15:06:52| Service Name: squid
2015/04/11 15:06:52| Process ID 2005
2015/04/11 15:06:52| Process Roles: master worker
2015/04/11 15:06:52| With 65536 file descriptors available
2015/04/11 15:06:52| Initializing IP Cache...
2015/04/11 15:06:52| DNS Socket created at 0.0.0.0, FD 8
2015/04/11 15:06:52| Adding nameserver 8.8.8.8 from squid.conf
2015/04/11 15:06:52| Adding nameserver 41.78.211.30 from squid.conf
2015/04/11 15:06:52| Logfile: opening log
daemon:/home/cache/var/logs/access.log
2015/04/11 15:06:52| Logfile Daemon: opening log
/home/cache/var/logs/access.log
2015/04/11 15:06:52| Store logging disabled
2015/04/11 15:06:52| Swap maxSize 35840 + 9437184 KB, estimated
28295168 objects
2015/04/11 15:06:52| Target number of buckets: 1414758
2015/04/11 15:06:52| Using 2097152 Store buckets
2015/04/11 15:06:52| Max Mem  size: 9437184 KB
2015/04/11 15:06:52| Max Swap size: 35840 KB
2015/04/11 15:06:52| Rebuilding storage in /home/cache/var/cache/squid
(clean log)
2015/04/11 15:06:52| Using Least Load store dir selection
2015/04/11 15:06:52| Set Current Directory to
/usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Finished loading MIME types and icons.
2015/04/11 15:06:52| HTCP Disabled.
2015/04/11 15:06:52| Sending SNMP messages from 0.0.0.0:3401
2015/04/11 15:06:52| Squid plugin modules loaded: 0
2015/04/11 15:06:52| Adaptation support is off.
2015/04/11 15:06:52| Accepting HTTP Socket connections at local=0.0.0.0:3128
remote=[::] FD 13 flags=9
2015/04/11 15:06:52| Accepting NAT intercepted HTTP Socket connections at
local=0.0.0.0:3129 remote=[::] FD 14 flags=41
2015/04/11 15:06:52| Accepting SNMP messages on 0.0.0.0:3401
2015/04/11 15:06:52| Done reading /home/cache/var/cache/squid swaplog (94
entries)
2015/04/11 15:06:52| Finished rebuilding storage from disk.
2015/04/11 15:06:52|94 Entries scanned
2015/04/11 15:06:52| 0 Invalid entries.
2015/04/11 15:06:52| 0 With invalid flags.
2015/04/11 15:06:52|94 Objects loaded.
2015/04/11 15:06:52| 0 Objects expired.
2015/04/11 15:06:52| 0 Objects cancelled.
2015/04/11 15:06:52| 0 Duplicate URLs purged.
2015/04/11 15:06:52| 0 Swapfile clashes avoided.
2015/04/11 15:06:52|   Took 0.05 seconds (2036.97 objects/sec).
2015/04/11 15:06:52| Beginning Validation Procedure
2015/04/11 15:06:52|   Completed Validation Procedure
2015/04/11 15:06:52|   Validated 94 Entries
2015/04/11 15:06:52|   store_swap_size = 2000.00 KB
2015/04/11 15:06:53| storeLateRelease: released 0 objects
2015/04/11 15:48:51| WARNING: 1 swapin MD5 mismatches
2015/04/11 15:48:51| Could not parse headers from on disk object
2015/04/11 15:48:51| BUG 3279: HTTP reply without Date:
2015/04/11 15:48:51| StoreEntry-key: 039CA6C6725D0A9F31B498354995DE50
2015/04/11 15:48:51| StoreEntry-next: 0
2015/04/11 15:48:51| StoreEntry-mem_obj: 0x21ecd40
2015/04/11 15:48:51| StoreEntry-timestamp: -1
2015/04/11 15:48:51| StoreEntry-lastref: 1428763731
2015/04/11 15:48:51| StoreEntry-expires: -1
2015/04/11 15:48:51| StoreEntry-lastmod: -1
2015/04/11 15:48:51| StoreEntry-swap_file_sz: 0
2015/04/11 15:48:51| StoreEntry-refcount: 1
2015/04/11 15:48:51| StoreEntry-flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/04/11 15:48:51| StoreEntry-swap_dirn: -1
2015/04/11 15:48:51| StoreEntry-swap_filen: -1
2015/04/11 15:48:51| StoreEntry-lock_count: 2
2015/04/11 15:48:51| StoreEntry-mem_status: 0
2015/04/11 15:48:51| StoreEntry-ping_status: 2
2015/04/11 15:48:51| StoreEntry-store_status: 1
2015/04/11 15:48:51| StoreEntry-swap_status: 0
2015/04/11 15:49:55| Could not parse headers from on disk object
2015/04/11 20:10:06| BUG 3279: HTTP reply without Date:
2015/04/11 20:10:06| StoreEntry-key: 8749EF6C14DB515AA7E09A4ED2019298
2015/04/11 20:10:06| StoreEntry-next: 0
2015/04/11 20:10:06| StoreEntry-mem_obj: 0x224f3f0
2015/04/11 20:10:06| 

Re: [squid-users] squid intercept config

2015-03-30 Thread Monah Baki
On 10.0.0.24

root@ISN-PHC-CACHE:/home/support # netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0     52 10.0.0.24.22           96.255.8.226.50911     ESTABLISHED
tcp4       0      0 *.3129                 *.*                    LISTEN
tcp4       0      0 *.3128                 *.*                    LISTEN
tcp4       0      0 *.81                   *.*                    LISTEN
tcp6       0      0 *.81                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 ::1.562                ::1.40066              ESTABLISHED
tcp6       0      0 ::1.40066              ::1.562                ESTABLISHED
tcp6       0      0 *.561                  *.*                    LISTEN
tcp6       0      0 *.562                  *.*                    LISTEN
tcp4       0      0 *.199                  *.*                    LISTEN
tcp4       0      0 *.1                    *.*                    LISTEN
udp4       0      0 *.3401                 *.*
udp4       0      0 *.34985                *.*
udp4       0      0 *.*                    *.*
udp4       0      0 *.161                  *.*
udp4       0      0 *.162                  *.*
udp4       0      0 *.1                    *.*
udp4       0      0 127.0.0.1.123          *.*
udp6       0      0 fe80::1%lo0.123        *.*
udp6       0      0 ::1.123                *.*
udp4       0      0 10.0.0.24.123          *.*
udp6       0      0 *.123                  *.*
udp4       0      0 *.123                  *.*
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*



On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov yvoi...@gmail.com wrote:

 From your PC run telnet 10.0.0.24 80. You'll see if the TCP socket opens.

 05.03.15 23:10, Monah Baki wrote:
  How can I confirm, I have access only to the BSD box
 
  Thanks
 
  On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  Does port 80 outside the BSD box listen?
 
  05.03.15 21:25, Monah Baki wrote:
  root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
  capability mode sandbox enabled
  00:00:00.00 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
  00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
 
 
 
  On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  Hm. No.
 
  We not checked only OS.
 
  Does your BSD really load the PF module?
 
  05.03.15 21:16, Monah Baki wrote:
  Not sure why the client is running old hardware/software,
  could it be because of the hardware? Is FreeBSD an issue,
  should I switch to linux?
 
  On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  Wow, 7600!
 
  But why such an antique IOS?! Current is 15.4
 
  05.03.15 21:09, Monah Baki wrote:
  PORT   STATE SERVICE VERSION
  23/tcp open  telnet  Cisco IOS telnetd
  MAC Address: 88:5A:92:63:77:81 (Cisco)
  Device type: router
  Running: Cisco IOS 12.X
  OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
  OS details: Cisco 7600 router (IOS 12.2)
  Network Distance: 1 hop
  TCP Sequence Prediction: Difficulty=258 (Good luck!)
  IP ID Sequence Generation: Randomized
  Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios
 
 
  On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  What is the Cisco model and IOS version?
 
  05.03.15 20:25, Monah Baki wrote:
  Yes, correct
 
  On Thu, Mar 5, 2015 at 9:23 AM, Yuri
  Voinov yvoi...@gmail.com wrote:
 
  10.0.0.23 is your host? And 10.0.0.24 is
  proxy box?
 
  05.03.15 20:15, Monah Baki wrote:
  '--prefix=/cache/squid'
  '--enable-follow-x-forwarded-for'
  '--with-large-files' '--enable-ssl'
  '--disable-ipv6' '--enable-esi'
  '--enable-kill-parent-hack'
  '--enable-snmp' '--with-pthreads'
  '--with-filedescriptors=65535'
  '--enable-cachemgr-hostname=hostname'
 
 
 '--enable-storeio=ufs,aufs,diskd,rock'
  '--enable-ipfw-transparent'
  '--enable-pf-transparent'
  '--with-nat-devpf'
  --enable-ltdl-convenience
 
 
 
 
  On Thu, Mar 5, 2015 at 9:14 AM, Yuri
  Voinov yvoi...@gmail.com wrote:
 
  This is looking good too.
 
  Stupid question:
 
  With which interception option was squid
  built?
 
  I.e., squid -v?
 
  05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if
  this is correct, need to make
  sure that users will be able to
  access the internet via the
  squid.
 
  Running FreeBSD with a single

Re: [squid-users] I am seeing the following in my cache.log

2015-03-24 Thread Monah Baki
Thanks Amos,

My problem is I only have control over the squid server. I can only
tell the ISP to take the client offline and run some AntiVirus or
better reimage the device.

Within 2 hours my cache.log grew to 50MB in size and it was repeating
the error mentioned over and over again till my squid server started
complaining about running out of file descriptors, and stopped
working.


Thanks

On Tue, Mar 24, 2015 at 8:58 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 25/03/2015 9:05 a.m., Monah Baki wrote:
 Thanks Yuri for the URL. The company is a small ISP using policy based
 routing, so using WPAD or GPO isn't feasible.


 Did you start reading with the problem explanation?
  the bit about what Squid's testing for and how to interpret the log lines?

 Your log is saying that there is a client sending requests on port 80
 which claim to be requests *on port 443*. Even if the IP matches
 facebook the port doesn't.

 Amos


[squid-users] How to run squidclient

2015-03-20 Thread Monah Baki
Hi all,

I am running CentOS 6.6 64 bit, and need to get some information from the
command line.

Compiled squid as:
./configure --prefix=/home/cache --enable-follow-x-forwarded-for
--with-large-files --enable-ssl --disable-ipv6 --enable-esi
--enable-kill-parent-hack --enable-snmp --with-pthreads
--with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
--enable-storeio=ufs,aufs,diskd,rock


[root@ISN-PHC-Cache bin]# ./squidclient mgr:info
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 02:29:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3552
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close



#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_reply_access allow all
http_access allow localnet
http_access allow localhost


# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
cache_dir ufs /home/cache/var/cache/squid 35 16 256


#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320




Thanks


Re: [squid-users] How to run squidclient

2015-03-20 Thread Monah Baki
Hi Amos,

[root@ISN-PHC-Cache bin]# ./squidclient -V
Version: 3.5.2




[root@ISN-PHC-Cache bin]# ./squidclient -vv mgr:info
verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.2
Accept: */*
Connection: close


.
Transport detected: IPv4-only
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ...
done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 17:29:54 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3549
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close

!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01//EN 
http://www.w3.org/TR/html4/strict.dtd;
htmlhead
meta type=copyright content=Copyright (C) 1996-2015 The Squid Software
Foundation and contributors
meta http-equiv=Content-Type content=text/html; charset=utf-8
titleERROR: The requested URL could not be retrieved/title
/headbody id=ERR_ACCESS_DENIED
div id=titles
h1ERROR/h1
h2The requested URL could not be retrieved/h2
/div
hr

div id=content
pThe following error was encountered while trying to retrieve the URL: a
href=cache_object://localhost/infocache_object://localhost/info/a/p

blockquote id=error
pbAccess Denied./b/p
/blockquote

pAccess control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect./p

pYour cache administrator is a href=mailto:webmaster
?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIEDamp;body=CacheHost%3A%20isn-phc-cache%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Fri,%2020%20Mar%202015%2017%3A29%3A54%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.0.24%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2Finfo%20HTTP%2F1.0%0AHost%3A%20localhost%0D%0AUser-Agent%3A%20squidclient%2F3.5.2%0D%0AAccept%3A%20*%2F*%0D%0AConnection%3A%20close%0D%0A%0D%0A%0D%0Awebmaster/a./p
br
/div

hr
div id=footer
pGenerated Fri, 20 Mar 2015 17:29:54 GMT by isn-phc-cache
(squid/3.5.2)/p
!-- ERR_ACCESS_DENIED --
/div
/body/html


On Fri, Mar 20, 2015 at 12:13 PM, Amos Jeffries squ...@treenet.co.nz
wrote:

 On 20/03/2015 11:04 p.m., Monah Baki wrote:
  Hi all,
 
  I am running CentOS 6.6 64 bit, and need to get some information from the
  command line.
 
  Compiled squid as:
  ./configure --prefix=/home/cache --enable-follow-x-forwarded-for
  --with-large-files --enable-ssl --disable-ipv6 --enable-esi
  --enable-kill-parent-hack --enable-snmp --with-pthreads
  --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
  --enable-storeio=ufs,aufs,diskd,rock
 
 
  [root@ISN-PHC-Cache bin]# ./squidclient mgr:info
  HTTP/1.1 403 Forbidden
  Server: squid/3.5.2
  Mime-Version: 1.0
  Date: Fri, 20 Mar 2015 02:29:53 GMT
  Content-Type: text/html

Re: [squid-users] How to run squidclient

2015-03-20 Thread Monah Baki
Regarding DNS lookup, if I type nslookup 10.0.0.24 or nslookup
isn-phc-cache,
Our nameservers in /etc/resolv.conf are google's name server

Do I need to resolve first to use squidclient???



[root@ISN-PHC-Cache bin]# ./squidclient -vv -j isn-phc-cache mgr:info
verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: isn-phc-cache
User-Agent: squidclient/3.5.2
Accept: */*
Connection: close


.
Transport detected: IPv4-only
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ...
done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 18:11:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3553
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close

!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01//EN 
http://www.w3.org/TR/html4/strict.dtd;
htmlhead
meta type=copyright content=Copyright (C) 1996-2015 The Squid Software
Foundation and contributors
meta http-equiv=Content-Type content=text/html; charset=utf-8
titleERROR: The requested URL could not be retrieved/title
/headbody id=ERR_ACCESS_DENIED
div id=titles
h1ERROR/h1
h2The requested URL could not be retrieved/h2
/div
hr

div id=content
pThe following error was encountered while trying to retrieve the URL: a
href=cache_object://localhost/infocache_object://localhost/info/a/p

blockquote id=error
pbAccess Denied./b/p
/blockquote

pAccess control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect./p

pYour cache administrator is a href=mailto:webmaster
?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIEDamp;body=CacheHost%3A%20isn-phc-cache%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Fri,%2020%20Mar%202015%2018%3A11%3A21%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.0.24%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2Finfo%20HTTP%2F1.0%0AHost%3A%20isn-phc-cache%0D%0AUser-Agent%3A%20squidclient%2F3.5.2%0D%0AAccept%3A%20*%2F*%0D%0AConnection%3A%20close%0D%0A%0D%0A%0D%0Awebmaster/a./p
br
/div

hr
div id=footer
pGenerated Fri, 20 Mar 2015 18:11:21 GMT by isn-phc-cache
(squid/3.5.2)/p
!-- ERR_ACCESS_DENIED --
/div
/body/html


On Fri, Mar 20, 2015 at 1:00 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 Interesting.

 I wonder if your Squid is resolving localhost domain name as ::1 and
 rejecting it because IPv6 is disabled, therefore not permitted. Or if
 it's the domain name not matching the proxy name.

 Try adding -j isn-phc-cache which sets the Host: header to match what
 the cache thinks its public domain name is.

 Amos




Re: [squid-users] squid intercept config

2015-03-13 Thread Monah Baki
It's working now, all I did is rem'd the following:

# half_closed_clients off
# quick_abort_min 0 KB
# quick_abort_max 0 KB
# vary_ignore_expire on
# reload_into_ims on
# memory_pools off
# cache_mem 4096 MB
# # memory_cache_shared on
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
cache_swap_low 98
cache_swap_high 100
# fqdncache_size 16384
# retry_on_error on
# offline_mode off
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30

I can see tcp_hits.

Note to self, something I do not know, don't add it.


On Fri, Mar 13, 2015 at 1:23 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 14/03/2015 6:15 a.m., Antony Stone wrote:
  On Friday 13 March 2015 at 17:47:44 (EU time), Monah Baki wrote:
 
  http_access allow localhost manager
  http_access deny manager
 
  #http_access deny to_localhost
 
  http_access allow localnet
  http_access allow localhost
 
  You've got the standard references here (and above, for cache manager access)
  for localhost, and yet I don't see it defined anywhere - have you deliberately
  removed it?

 Current Squid versions define those ACLs automatically.

 Amos



Re: [squid-users] squid intercept config

2015-03-13 Thread Monah Baki
://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/player/CNNAPIVideoPlayer.js
- ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.494128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET
http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/legacy/CNNVideoPlayer.js
- ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.604217 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.609256 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 41017 GET
http://cdn.gigya.com/js/gigya.js? - ORIGINAL_DST/80.239.148.17
text/javascript
1426267535.619206 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.622208 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.696129 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 312 GET
http://z.cdn.turner.com/cnn/.element/img/3.0/video/cnn_embedDefault.png -
ORIGINAL_DST/80.239.152.153 image/png
1426267536.071656 10.0.0.23 TCP_MISS/302 849 GET
http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/s11300422861240? -
ORIGINAL_DST/66.235.141.144 text/plain
1426267536.075257 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 348 GET
http://cdn.gigya.com/js/gigya.services.plugins.base.min.js? - ORIGINAL_DST/
80.239.148.17 text/javascript
1426267536.203128 10.0.0.23 TCP_MISS/200 381 GET
http://b.scorecardresearch.com/r? - ORIGINAL_DST/80.239.148.16 image/gif
1426267536.570393 10.0.0.23 TCP_MISS/304 338 GET
http://cdn3.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js
- ORIGINAL_DST/80.239.148.32 text/javascript
1426267536.746125 10.0.0.23 TCP_MISS/304 340 GET
http://static.chartbeat.com/js/chartbeat.js - ORIGINAL_DST/23.67.1.243
application/x-javascript
1426267536.819199 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 233 GET
http://data.cnn.com/jsonp/video/nowPlayingSchedule.json? - ORIGINAL_DST/
157.166.238.237 -
1426267536.942260 10.0.0.23 TCP_MISS/200 677 GET
http://beacon.krxd.net/optout_check? - ORIGINAL_DST/176.34.190.30
text/javascript
1426267537.027236 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.146362 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.171388 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.230432 10.0.0.23 TCP_MISS/302 481 GET
http://apiservices.krxd.net/um? - ORIGINAL_DST/54.243.83.18 text/html
1426267537.603173 10.0.0.23 TCP_MISS/204 676 GET
http://beacon.krxd.net/pixel.gif? - ORIGINAL_DST/176.34.190.30 image/gif
1426267537.618247 10.0.0.23 TCP_MISS/200 322 GET
http://ping.chartbeat.net/ping? - ORIGINAL_DST/54.235.85.218 image/gif
1426267537.892388 10.0.0.23 TCP_MISS/200 68649 GET
http://z.cdn.turner.com/xslo/cvp/core/base/0/CVPBase.swf? - ORIGINAL_DST/
80.239.152.153 application/x-shockwave-flash
1426267538.024130 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 329 GET
http://js.moatads.com/turner763610601596/moatad.js - ORIGINAL_DST/
80.239.148.9 application/x-javascript

On Fri, Mar 13, 2015 at 12:18 PM, Yuri Voinov yvoi...@gmail.com wrote:




 13.03.15 21:58, Monah Baki wrote:
  Hi All,
 
  Installed squid on CentOS 6.6 and it's working, but my access.log
  shows all TCP_MISS and no TCP_HIT. The following config:
 
  squid.conf
  # Squid normally listens to port 3128
  http_port 3128
  http_port 3129 intercept

 And that's all

 
 
 
  iptables
 
  # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
  *nat
  :PREROUTING ACCEPT [10:2031]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
  -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
  -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
  -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
  -A POSTROUTING -j MASQUERADE
  COMMIT
  # Completed on Fri Mar 13 16:04:02 2015
  # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [1818:649971]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  COMMIT
  # Completed on Fri Mar 13 16:04:02 2015
  # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
  *mangle
  :PREROUTING ACCEPT [68:6199]
  :INPUT ACCEPT

Re: [squid-users] squid intercept config

2015-03-07 Thread Monah Baki
Hi Amos,

Thanks for the assist. So basically from my end, the squid proxy which I am
responsible for, I shouldn't concentrate on changing any of its
configuration, but instead tell them to try to solve on their end?
If yes, what are we looking at, their router setup?

Thanks

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 6/03/2015 1:19 a.m., Monah Baki wrote:
  Hi all, can anyone verify if this is correct, need to make sure that users
  will be able to access the internet via the squid.
 
  Running FreeBSD with a single interface with Squid-3.5.2
 
  Policy based routing on Cisco with the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24
 
  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
 
  # block in
  pass in log quick on bge0
  pass out log quick on bge0
  pass out keep state
 
  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept
 
 
 
  And for testing purposes from the squid server:
   ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
 
  If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
  -p 3128 completely, I can access the websites.

 If you omit the -p entirely squidclient assumes -p 3128 (the proxy
 default listening port), so it works exactly the same as if you had used
 -p 3128 explicitly.

 If you use -p 80 you also need to change the other parameters so they
 generate port-80 syntax message:
  - the -h with IP or hostname of the remote web server, and
  - the URL parameters being a relative URL, and
  - the -j parameter with Host: header domain name of the server
 ...
  eg.
  squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /

 NP: if your squidclient is too old to support -j, use this instead:
   -H 'Host: www.freebsd.org\n'

  ** this test should work from the squid box without having gone through
 the proxy. Only from the client machine should it work *with* NAT
 passing it through the proxy.



 Using a proxy syntax message sent directly to the proxy receiving port,
 or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
 guaranteed forwarding loop failure.


 That doesn't fix your clients issue, but hopefully makes it clear that
 the above described test is broken enough to prevent you identifying when
 the client issue is fixed if that happens on some change.

 Amos


Re: [squid-users] squid intercept config

2015-03-07 Thread Monah Baki
Thanks Amos and everyone who helped me,

Will revert to client to check his Cisco device, I've been banging my head for
days now troubleshooting the proxy.
He's running old Cisco hardware and IOS too.



On Sat, Mar 7, 2015 at 8:24 AM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 8/03/2015 1:09 a.m., Monah Baki wrote:
  Forgot to paste my test.
 
  Basically from my squid server:
  root@ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H
  'Host: www.cnn.com\n' -p 80
  HTTP/1.1 302 Found
  Server: Varnish
  Retry-After: 0
  Content-Length: 0
  Location: http://edition.cnn.com80

 Um, that redirect URL is invalid. This Varnish is outputting garbage.


 However, this test result does prove that output traffic from your Squid
 should be fine. The test connecting to your port 3128 should confirm
 that by getting the same or very similar result for normal traffic.


 So the problem is on the input. It could still be at the client end, or
 in the NAT redirection.

 One thing I've not seen clarified in the discussion is which machine the
 NAT rules have been placed (Squid box? or router?). Sorry if I missed that.
  The NAT operation MUST be done on the Squid box or the local machines
 NAT system tells it the client was connecting to connect to
 itself/Squid:3129 (which is the forwarding loop).

 The router looks like a Cisco device, so it must do L2 routing
 redirection or WCCP to deliver packets to the Squid machine without
 having altered their IP:port details in any way.

 Amos




Re: [squid-users] squid intercept config

2015-03-07 Thread Monah Baki
I forgot to paste my pf.conf

# rdr pass inet proto tcp from 10.0.0.9/32 to any port 80 -> 10.0.0.24 port 3128
# nat on bge0 inet from any to port 80 -> bge0
rdr pass inet proto tcp from 10.0.0.23 to any port 80 -> 10.0.0.24 port 3129
# pass on bge0 inet proto tcp from bge0 to bge0 port 3128

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state


On Sat, Mar 7, 2015 at 8:24 AM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 8/03/2015 1:09 a.m., Monah Baki wrote:
  Forgot to paste my test.
 
  Basically from my squid server:
  root@ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H
  'Host: www.cnn.com\n' -p 80
  HTTP/1.1 302 Found
  Server: Varnish
  Retry-After: 0
  Content-Length: 0
  Location: http://edition.cnn.com80

 Um, that redirect URL is invalid. This Varnish is outputting garbage.


 However, this test result does prove that output traffic from your Squid
 should be fine. The test connecting to your port 3128 should confirm
 that by getting the same or very similar result for normal traffic.


 So the problem is on the input. It could still be at the client end, or
 in the NAT redirection.

 One thing I've not seen clarified in the discussion is which machine the
 NAT rules have been placed (Squid box? or router?). Sorry if I missed that.
  The NAT operation MUST be done on the Squid box or the local machines
 NAT system tells it the client was connecting to connect to
 itself/Squid:3129 (which is the forwarding loop).

 The router looks like a Cisco device, so it must do L2 routing
 redirection or WCCP to deliver packets to the Squid machine without
 having altered their IP:port details in any way.

 Amos




Re: [squid-users] squid intercept config

2015-03-07 Thread Monah Baki
Forgot to paste my test.

Basically from my squid server:
root@ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H
'Host: www.cnn.com\n' -p 80
HTTP/1.1 302 Found
Server: Varnish
Retry-After: 0
Content-Length: 0
Location: http://edition.cnn.com80
Accept-Ranges: bytes
Date: Sat, 07 Mar 2015 12:08:21 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-lhr6328-LHR
X-Cache: MISS
X-Cache-Hits: 0


Thanks
Monah

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 6/03/2015 1:19 a.m., Monah Baki wrote:
  Hi all, can anyone verify if this is correct, need to make sure that users
  will be able to access the internet via the squid.
 
  Running FreeBSD with a single interface with Squid-3.5.2
 
  Policy based routing on Cisco with the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24
 
  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
 
  # block in
  pass in log quick on bge0
  pass out log quick on bge0
  pass out keep state
 
  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept
 
 
 
  And for testing purposes from the squid server:
   ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
 
  If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
  -p 3128 completely, I can access the websites.

 If you omit the -p entirely squidclient assumes -p 3128 (the proxy
 default listening port), so it works exactly the same as if you had used
 -p 3128 explicitly.

 If you use -p 80 you also need to change the other parameters so they
 generate port-80 syntax message:
  - the -h with IP or hostname of the remote web server, and
  - the URL parameters being a relative URL, and
  - the -j parameter with Host: header domain name of the server
 ...
  eg.
  squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /

 NP: if your squidclient is too old to support -j, use this instead:
   -H 'Host: www.freebsd.org\n'

  ** this test should work from the squid box without having gone through
 the proxy. Only from the client machine should it work *with* NAT
 passing it through the proxy.



 Using a proxy syntax message sent directly to the proxy receiving port,
 or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
 guaranteed forwarding loop failure.


 That doesn't fix your clients issue, but hopefully makes it clear that
 the above described test is broken enough to prevent you identifying when
 the client issue is fixed if that happens on some change.

 Amos


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
: 0.508835000 seconds]
Frame Number: 9
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_63:77:81 (88:5a:92:63:77:81), Dst:
HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Destination: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Source: Cisco_63:77:81 (88:5a:92:63:77:81)
Type: IP (0x0800)
Padding: 
Internet Protocol Version 4, Src: 10.0.0.23 (10.0.0.23), Dst: 68.71.212.158
(68.71.212.158)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0x572a (22314)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 127
Protocol: TCP (6)
Header checksum: 0x81a9 [validation disabled]
Source: 10.0.0.23 (10.0.0.23)
Destination: 68.71.212.158 (68.71.212.158)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 42794 (42794), Dst Port: 80 (80),
Seq: 401, Ack: 3332, Len: 0

On Fri, Mar 6, 2015 at 8:57 AM, Antony Stone 
antony.st...@squid.open.source.it wrote:

 On Friday 06 March 2015 at 14:50:50 (EU time), Monah Baki wrote:

  http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
 
  So something else is missing?

 Can you run a packet sniffer on the proxy, to see what packets come in (noting
 the MAC address of the previous hop), what packets go out (to what address/es),
 and whether they then seem to come back in again (and if so, from which MAC
 address)?

 That might give you a clue as to where the forwarding loop is being
 created.


 Regards,


 Antony.

 --
 How I want a drink, alcoholic of course, after the heavy chapters involving
 quantum mechanics.

  - mnemonic for 3.14159265358979

 Please reply to the list; please *don't* CC me.


[squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
Hi All,

As an addition to my yesterday's issue,

Tail -f cache.log, I am getting the following:

015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Accept: image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/40.0.2214.115 Safari/537.36
Referer: http://www.openbsd.org/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=0
Connection: keep-alive


2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/40.0.2214.115 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=259200
Connection: keep-alive

Any ideas?

-- Forwarded message --
From: Monah Baki monahb...@gmail.com
Date: Thu, Mar 5, 2015 at 7:19 AM
Subject: squid intercept config
To: Squid Users squid-us...@squid-cache.org


Hi all, can anyone verify if this is correct, need to make sure that users
will be able to access the internet via the squid.

Running FreeBSD with a single interface with Squid-3.5.2

Policy based routing on Cisco with the following:


interface GigabitEthernet0/0/1.1

encapsulation dot1Q 1 native

ip address 10.0.0.9 255.255.255.0

no ip redirects

no ip unreachables

ip nat inside

standby 1 ip 10.0.0.10

standby 1 priority 120

standby 1 preempt

standby 1 name HSRP

ip policy route-map CFLOW



ip access-list extended REDIRECT

deny   tcp host 10.0.0.24 any eq www

permit tcp host 10.0.0.23 any eq www



route-map CFLOW permit 10

match ip address REDIRECT
set ip next-hop 10.0.0.24

In my /etc/pf.conf
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

and finally in my squid.conf:
http_port 3128
http_port 3129 intercept



And for testing purposes from the squid server:
 ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
-p 3128 completely, I can access the websites.

tcpdump with (-p 3128)

13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448



Did I miss anything?

Thanks
Monah
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
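
An added example (not part of the original thread and not Squid's own code): a small parser for the "Forwarding loop detected" dumps quoted in the message above. It groups the warnings by X-Forwarded-For client and checks whether the proxy's own name is already a Via hop, which shows the request had already passed through this Squid once before arriving again. Function names are assumptions of this example; the sample is trimmed from the log excerpt in the post.

```python
import re
from collections import Counter

# Sample trimmed from the cache.log excerpt quoted in the message above.
# The first timestamp is truncated there as well, and the mail client wrapped
# the User-Agent header, so both quirks are kept to exercise the parser.
SAMPLE_LOG = """\
015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/40.0.2214.115 Safari/537.36
Referer: http://www.openbsd.org/
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Connection: keep-alive

2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Connection: keep-alive
"""

TS_LINE = re.compile(r"^(\d{2,4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*(.*)$")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
LOOP_MARKER = "Forwarding loop detected for:"


def via_hops(value):
    """Return the received-by names from a Via header value."""
    hops = []
    for element in value.split(","):
        parts = element.split("(")[0].split()  # drop the trailing comment
        if len(parts) >= 2:                    # "<protocol> <received-by>"
            hops.append(parts[1])
    return hops


def parse_loop_warnings(text):
    """Extract each looped request (request line plus headers) from cache.log text."""
    events, current, last_header = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        ts = TS_LINE.match(line)
        if ts:
            # Any timestamped line ends the previous dump.
            current = None
            if LOOP_MARKER in ts.group(2):
                current = {"time": ts.group(1), "method": None,
                           "target": None, "headers": {}}
                events.append(current)
                last_header = None
            continue
        if current is None:
            continue
        if not line:
            current = None  # blank line closes the header block
            continue
        req = REQUEST_LINE.match(line)
        if req and current["method"] is None:
            current["method"], current["target"] = req.groups()
            continue
        hdr = HEADER_LINE.match(line)
        if hdr:
            last_header = hdr.group(1).lower()
            current["headers"][last_header] = hdr.group(2)
        elif last_header:
            # Wrapped continuation of the previous header value.
            current["headers"][last_header] += " " + line.strip()
    return events


def summarize(events, proxy_name):
    """Count warnings per client and how many already list this proxy in Via."""
    per_client = Counter()
    via_self = 0
    for ev in events:
        headers = ev["headers"]
        # X-Forwarded-For can be a list; the first entry is the original client.
        client = headers.get("x-forwarded-for", "unknown").split(",")[0].strip()
        per_client[client] += 1
        hops = [hop.lower() for hop in via_hops(headers.get("via", ""))]
        if proxy_name.lower() in hops:
            via_self += 1
    return {"total": len(events), "per_client": dict(per_client),
            "via_self": via_self}


if __name__ == "__main__":
    loops = parse_loop_warnings(SAMPLE_LOG)
    for ev in loops:
        print(ev["time"], ev["method"], ev["headers"].get("host"), ev["target"])
    print(summarize(loops, "ISN-PHC-CACHE"))
```

When every warning carries the proxy's own name in Via and a single client in X-Forwarded-For, the request left Squid and was delivered back to it, so the next place to look is the redirection path rather than the ACLs.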


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
No other process on 80 is on the server. I also confirmed from the client
side if he runs telnet www.openbsd.org 80 on his desktop, he gets a
response.

Thanks

On Fri, Mar 6, 2015 at 8:28 AM, Yuri Voinov yvoi...@gmail.com wrote:

  Did you have another listening process on 80 port on your proxy box?

 I.e., web-server?

 06.03.15 19:26, Monah Baki wrote:

  I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client
 station we are testing on, same results. Forward loop detected

  Thanks

 On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone 
 antony.st...@squid.open.source.it wrote:

 On Friday 06 March 2015 at 14:03:28 (EU time), Monah Baki wrote:

  Hi All,
 
  As an addition to my yesterday's issue,
 
  Tail -f cache.log, I am getting the following:
 
  015/03/06 13:54:02| WARNING: Forwarding loop detected for:

  Any ideas?

 Is your NAT rule catching the HTTP requests from the proxy itself (as
 well as
 the requests from the clients) and sending *everything* to the proxy
 (including the requests the proxy is trying to make out to the Internet)?

 I'm not an expert on Cisco or BSD, but it does strike me that your rule:

 rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

 looks like it will match requests from the proxy's address 10.0.0.24 as
 well
 as all the clients...

 Try adding an exception in before the NAT rule, saying traffic from
 10.0.0.24
 should not be NATted.


 Regards,


 Antony.

 --
 Once you have a panic, things tend to become rather undefined.

  - murble

 Please reply to the list; please *don't* CC me.


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf

So something else is missing?

On Fri, Mar 6, 2015 at 8:47 AM, Yuri Voinov yvoi...@gmail.com wrote:

  On proxy box.

 06.03.15 19:47, monahb...@gmail.com wrote:

 From squid or router?

  Thanks

  Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE
 network.
*From: *Yuri Voinov
 *Sent: *Friday, March 6, 2015 8:44 AM
 *To: *Monah Baki
 *Cc: *squid-users@lists.squid-cache.org
 *Subject: *Re: [squid-users] Fwd: squid intercept config

  Ok.

 In this case this is NAT misconfiguration.

 You need to check it carefully.

 06.03.15 19:43, Monah Baki wrote:

  No other process on 80 is on the server. I also confirmed from the
 client side if he runs telnet www.openbsd.org 80 on his desktop, he
 gets a response.

  Thanks

 On Fri, Mar 6, 2015 at 8:28 AM, Yuri Voinov yvoi...@gmail.com wrote:

  Did you have another listening process on 80 port on your proxy box?

 I.e., web-server?

 06.03.15 19:26, Monah Baki wrote:

  I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client
 station we are testing on, same results. Forward loop detected

  Thanks

 On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone 
 antony.st...@squid.open.source.it wrote:

 On Friday 06 March 2015 at 14:03:28 (EU time), Monah Baki wrote:

  Hi All,
 
  As an addition to my yesterday's issue,
 
  Tail -f cache.log, I am getting the following:
 
  015/03/06 13:54:02| WARNING: Forwarding loop detected for:

  Any ideas?

 Is your NAT rule catching the HTTP requests from the proxy itself (as
 well as
 the requests from the clients) and sending *everything* to the proxy
 (including the requests the proxy is trying to make out to the Internet)?

 I'm not an expert on Cisco or BSD, but it does strike me that your rule:

 rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

 looks like it will match requests from the proxy's address 10.0.0.24 as
 well
 as all the clients...

 Try adding an exception in before the NAT rule, saying traffic from
 10.0.0.24
 should not be NATted.


 Regards,


 Antony.

 --
 Once you have a panic, things tend to become rather undefined.

  - murble

 Please reply to the list; please *don't* CC me.


Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
How can I confirm, I have access only to the BSD box

Thanks

On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov yvoi...@gmail.com wrote:


 Does 80 port outside BSD-box listens?

 05.03.15 21:25, Monah Baki wrote:
  root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
  capability mode sandbox enabled
  00:00:00.00 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
  00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
 
 
 
  On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  Hm. No.
 
  We not checked only OS.
 
  Does your BSD really loads PF module?
 
  05.03.15 21:16, Monah Baki wrote:
  Not sure why the client is running old hard/soft ware, could
  it be cause of the hardware? Is FreeBSD an issue, should I
  switch to linux?
 
  On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  Wow, 7600!
 
  But why is so antique iOS?! Current is 15.4
 
  05.03.15 21:09, Monah Baki wrote:
  PORT   STATE SERVICE VERSION
  23/tcp open  telnet  Cisco IOS telnetd
  MAC Address: 88:5A:92:63:77:81 (Cisco)
  Device type: router
  Running: Cisco IOS 12.X
  OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
  OS details: Cisco 7600 router (IOS 12.2)
  Network Distance: 1 hop
  TCP Sequence Prediction: Difficulty=258 (Good luck!)
  IP ID Sequence Generation: Randomized
  Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios
 
 
  On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  What is Cisco model and iOS version?
 
  05.03.15 20:25, Monah Baki wrote:
  Yes, correct
 
  On Thu, Mar 5, 2015 at 9:23 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  10.0.0.23 is your host? And 10.0.0.24 is proxy
  box?
 
  05.03.15 20:15, Monah Baki wrote:
  '--prefix=/cache/squid'
  '--enable-follow-x-forwarded-for'
  '--with-large-files' '--enable-ssl'
  '--disable-ipv6' '--enable-esi'
  '--enable-kill-parent-hack'
  '--enable-snmp' '--with-pthreads'
  '--with-filedescriptors=65535'
  '--enable-cachemgr-hostname=hostname'
  '--enable-storeio=ufs,aufs,diskd,rock'
  '--enable-ipfw-transparent'
  '--enable-pf-transparent'
  '--with-nat-devpf'
  --enable-ltdl-convenience
 
 
 
 
  On Thu, Mar 5, 2015 at 9:14 AM, Yuri
  Voinov yvoi...@gmail.com wrote:
 
  This looking good too.
 
  Stupid question:
 
  With which interception option was squid
  built?
 
  I.e, squid -v?
 
  05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if this is
  correct, need to make sure that users
  will be able to access the internet
  via the squid.
 
  Running FreeBSD with a single
  interface with Squid-3.5.2
 
  Policy based routing on Cisco with
  the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24

  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

  # block in
  pass in log quick on bge0
  pass out log quick on bge0
  pass out keep state

  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept

  And for testing purposes from the squid server:
  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

  If I replace -p 3128 with -p 80, I get an access denied, and if I omit
  the -p 3128 completely, I can access the websites.

  tcpdump with (-p 3128)

  13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
  13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
  13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
 
 
 
  Did I miss anything?
 
  Thanks Monah
 
 
 

Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state


Thanks

On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov yvoi...@gmail.com wrote:


 Show complete pf.conf, please.

 05.03.15 19:45, Monah Baki wrote:
  In my squid.conf

  http_port 3128
  http_port 3129 intercept
 
  Thanks
 
  On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  Squid access denied?
 
  Look at this:
 
  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
 
  Which port configured in Squid as intercept?
 
  3129?
 
  and 3128 is forwarding?
 
  05.03.15 19:36, monahb...@gmail.com wrote:
  Yes that's what I followed and user is getting a access
  denied from the squid when he tries www.cnn.com
 
  Sent from my BlackBerry 10 smartphone on the Verizon Wireless
  4G LTE network. Original Message From: Yuri Voinov Sent:
  Thursday, March 5, 2015 8:22 AM To:
  squid-users@lists.squid-cache.org Subject: Re: [squid-users]
  squid intercept config
 
 
 
 http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
 
 
 
 
 http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
 
  05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if this is correct, need to make
  sure that users will be able to access the internet via the
  squid.
 
  Running FreeBSD with a single interface with Squid-3.5.2
 
  Policy based routing on Cisco with the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24

  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

  # block in
  pass in log quick on bge0
  pass out log quick on bge0
  pass out keep state

  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept

  And for testing purposes from the squid server:
  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

  If I replace -p 3128 with -p 80, I get an access denied, and
  if I omit the -p 3128 completely, I can access the
  websites.

  tcpdump with (-p 3128)

  13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
  13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
  13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
 
 
 
  Did I miss anything?
 
  Thanks Monah
 
 
 


Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
Not sure why the client is running old hard/soft ware, could it be cause of
the hardware? Is FreeBSD an issue, should I switch to linux?

On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov yvoi...@gmail.com wrote:


 Wow, 7600!

 But why is so antique iOS?! Current is 15.4

 05.03.15 21:09, Monah Baki wrote:
  PORT   STATE SERVICE VERSION
  23/tcp open  telnet  Cisco IOS telnetd
  MAC Address: 88:5A:92:63:77:81 (Cisco)
  Device type: router
  Running: Cisco IOS 12.X
  OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
  OS details: Cisco 7600 router (IOS 12.2)
  Network Distance: 1 hop
  TCP Sequence Prediction: Difficulty=258 (Good luck!)
  IP ID Sequence Generation: Randomized
  Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios
 
 
  On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  What is Cisco model and iOS version?
 
  05.03.15 20:25, Monah Baki wrote:
  Yes, correct
 
  On Thu, Mar 5, 2015 at 9:23 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  10.0.0.23 is your host? And 10.0.0.24 is proxy box?
 
  05.03.15 20:15, Monah Baki wrote:
  '--prefix=/cache/squid'
  '--enable-follow-x-forwarded-for' '--with-large-files'
  '--enable-ssl' '--disable-ipv6' '--enable-esi'
  '--enable-kill-parent-hack' '--enable-snmp'
  '--with-pthreads' '--with-filedescriptors=65535'
  '--enable-cachemgr-hostname=hostname'
  '--enable-storeio=ufs,aufs,diskd,rock'
  '--enable-ipfw-transparent' '--enable-pf-transparent'
  '--with-nat-devpf' --enable-ltdl-convenience
 
 
 
 
  On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  This looking good too.
 
  Stupid question:
 
  With which interception option was squid built?
 
  I.e, squid -v?
 
  05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if this is correct,
  need to make sure that users will be able to
  access the internet via the squid.
 
  Running FreeBSD with a single interface with
  Squid-3.5.2
 
  Policy based routing on Cisco with the
  following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24

  In my /etc/pf.conf
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

  # block in
  pass in log quick on bge0
  pass out log quick on bge0
  pass out keep state

  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept

  And for testing purposes from the squid server:
  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

  If I replace -p 3128 with -p 80, I get an access
  denied, and if I omit the -p 3128 completely, I
  can access the websites.

  tcpdump with (-p 3128)

  13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
  13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
  13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
 
 
 
  Did I miss anything?
 
  Thanks Monah
 
 
 


Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
So from my proxy server, everything looks good?



On Thu, Mar 5, 2015 at 1:12 PM, Yuri Voinov yvoi...@gmail.com wrote:

 Looks good too.

 Damn.

 Will think.

 Need to run some external checks.

 06.03.15 0:10, Monah Baki wrote:
  root@ISN-PHC-CACHE:/home/support # pfctl -s nat
  No ALTQ support in kernel
  ALTQ related functions disabled
  rdr pass inet proto tcp from 10.0.0.0/8 to any port = http -> 10.0.0.24 port 3129
 
  On Thu, Mar 5, 2015 at 1:08 PM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  Can you run pfctl -s nat state on proxy box?
 
  06.03.15 0:05, Monah Baki wrote:
  Ok let me ask the client tomorrow to run telnet 10.0.0.24 80
  from a workstation

  Thanks for the help Yuri
 
  On Thu, Mar 5, 2015 at 1:02 PM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  Sorry, I'm wrong. Netstat on host can't show redirected
  listeners.
 
  Need to check it externally.
 
  05.03.15 23:59, Monah Baki wrote:
  On 10.0.0.24

  root@ISN-PHC-CACHE:/home/support # netstat -an
  Active Internet connections (including servers)
  Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
  tcp4       0     52 10.0.0.24.22           96.255.8.226.50911     ESTABLISHED
  tcp4       0      0 *.3129                 *.*                    LISTEN
  tcp4       0      0 *.3128                 *.*                    LISTEN
  tcp4       0      0 *.81                   *.*                    LISTEN
  tcp6       0      0 *.81                   *.*                    LISTEN
  tcp4       0      0 *.22                   *.*                    LISTEN
  tcp6       0      0 *.22                   *.*                    LISTEN
  tcp6       0      0 ::1.562                ::1.40066              ESTABLISHED
  tcp6       0      0 ::1.40066              ::1.562                ESTABLISHED
  tcp6       0      0 *.561                  *.*                    LISTEN
  tcp6       0      0 *.562                  *.*                    LISTEN
  tcp4       0      0 *.199                  *.*                    LISTEN
  tcp4       0      0 *.1*.*                                        LISTEN
  udp4       0      0 *.3401                 *.*
  udp4       0      0 *.34985                *.*
  udp4       0      0 *.*                    *.*
  udp4       0      0 *.161                  *.*
  udp4       0      0 *.162                  *.*
  udp4       0      0 *.1                    *.*
  udp4       0      0 127.0.0.1.123          *.*
  udp6       0      0 fe80::1%lo0.123        *.*
  udp6       0      0 ::1.123                *.*
  udp4       0      0 10.0.0.24.123          *.*
  udp6       0      0 *.123                  *.*
  udp4       0      0 *.123                  *.*
  udp4       0      0 *.514                  *.*
  udp6       0      0 *.514                  *.*
 
 
 
  On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  - From your PC run telnet 10.0.0.24 80. You've seen if
  TCP socket opens.
 
 
 
 
 


Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
 '--prefix=/cache/squid' '--enable-follow-x-forwarded-for'
'--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi'
'--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads'
'--with-filedescriptors=65535' '--enable-cachemgr-hostname=hostname'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent'
'--enable-pf-transparent' '--with-nat-devpf' --enable-ltdl-convenience




On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov yvoi...@gmail.com wrote:

 This is looking good too.

 Stupid question:

 With which interception option was squid built?

 I.e, squid -v?

 05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if this is correct, need to make sure that
  users will be able to access the internet via the squid.
 
  Running FreeBSD with a single interface with Squid-3.5.2
 
  Policy based routing on Cisco with the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24

  In my /etc/pf.conf:
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

  # block in pass in log quick on bge0 pass out log quick on bge0
  pass out keep state

  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept



  And for testing purposes from the squid server:
  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

  If I replace -p 3128 with -p 80, I get an access denied, and if I
  omit the -p 3128 completely, I can access the websites.

  tcpdump with (-p 3128)

  13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
  13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
  13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
 
 
 
  Did I miss anything?
 
  Thanks Monah
 
 
 


Re: [squid-users] squid intercept config

2015-03-05 Thread Monah Baki
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Cisco IOS telnetd
MAC Address: 88:5A:92:63:77:81 (Cisco)
Device type: router
Running: Cisco IOS 12.X
OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
OS details: Cisco 7600 router (IOS 12.2)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios


On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov yvoi...@gmail.com wrote:

 What is the Cisco model and IOS version?

 05.03.15 20:25, Monah Baki wrote:
  Yes, correct
 
  On Thu, Mar 5, 2015 at 9:23 AM, Yuri Voinov yvoi...@gmail.com
  wrote:
 
  10.0.0.23 is your host? And 10.0.0.24 is proxy box?
 
  05.03.15 20:15, Monah Baki wrote:
  '--prefix=/cache/squid' '--enable-follow-x-forwarded-for'
  '--with-large-files' '--enable-ssl' '--disable-ipv6'
  '--enable-esi' '--enable-kill-parent-hack' '--enable-snmp'
  '--with-pthreads' '--with-filedescriptors=65535'
  '--enable-cachemgr-hostname=hostname'
  '--enable-storeio=ufs,aufs,diskd,rock'
  '--enable-ipfw-transparent' '--enable-pf-transparent'
  '--with-nat-devpf' --enable-ltdl-convenience
 
 
 
 
  On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov
  yvoi...@gmail.com wrote:
 
  This is looking good too.

  Stupid question:

  With which interception option was squid built?

  I.e, squid -v?

  05.03.15 18:19, Monah Baki wrote:
  Hi all, can anyone verify if this is correct, need to
  make sure that users will be able to access the internet
  via the squid.
 
  Running FreeBSD with a single interface with
  Squid-3.5.2
 
  Policy based routing on Cisco with the following:
 
 
  interface GigabitEthernet0/0/1.1
 
  encapsulation dot1Q 1 native
 
  ip address 10.0.0.9 255.255.255.0
 
  no ip redirects
 
  no ip unreachables
 
  ip nat inside
 
  standby 1 ip 10.0.0.10
 
  standby 1 priority 120
 
  standby 1 preempt
 
  standby 1 name HSRP
 
  ip policy route-map CFLOW
 
 
 
  ip access-list extended REDIRECT
 
  deny   tcp host 10.0.0.24 any eq www
 
  permit tcp host 10.0.0.23 any eq www
 
 
 
  route-map CFLOW permit 10
 
  match ip address REDIRECT
  set ip next-hop 10.0.0.24

  In my /etc/pf.conf:
  rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

  # block in pass in log quick on bge0 pass out log quick
  on bge0 pass out keep state

  and finally in my squid.conf:
  http_port 3128
  http_port 3129 intercept



  And for testing purposes from the squid server:
  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

  If I replace -p 3128 with -p 80, I get an access denied,
  and if I omit the -p 3128 completely, I can access the
  websites.

  tcpdump with (-p 3128)

  13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
  13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
  13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
 
 
 
  Did I miss anything?
 
  Thanks Monah
 
 
 


[squid-users] Squid in transparent

2015-02-26 Thread Monah Baki
Hi all,

I have a client who has his Policy Based Routing as:

interface GigabitEthernet0/0/1.1 (route policy on the LAN interface)

ip policy route-map CFLOW





ip access-list extended REDIRECT (Redirect of my IP www)

deny   tcp host 10.0.0.24 any eq www

permit tcp host 10.0.0.23 any eq www



route-map CFLOW permit 10  (route map)

match ip address REDIRECT
set ip next-hop 10.0.0.24



The 10.0.0.24 is my FreeBSD 10.1 running squid 3.5, with one interface,
10.0.0.23 is his laptop. The IP address of the Cisco is 10.0.0.9

I configured squid as:
./configure --prefix=/cache/squid --enable-follow-x-forwarded-for
--with-large-files --enable-ssl --disable-ipv6 --enable-esi
--enable-kill-parent-hack --enable-snmp --with-pthreads
--with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
--enable-storeio=ufs,aufs,diskd,rock --enable-ipfw-transparent
--enable-pf-transparent

My squid.conf has the following;
# Squid normally listens to port 3128
http_port 3128 intercept
http_port 80 intercept
snmp_port 3401


If I remove the intercept and point a client browser to the squid, it
works. If I add the intercept, it does not work, and I do not see any logs in
my access.log file.


Any help will be highly appreciated


Thanks
Monah
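
The setup in this post and the one in the 2015-03-05 "squid intercept config" thread, checked side by side for agreement between Squid's listeners and pf's redirect rules. This is an added example, not code from the posts or from the Squid project; the function names and finding labels are made up for illustration, and the February setup is assumed to have had no pf `rdr` rule because the post shows none.

```python
"""Consistency check for a Squid interception setup behind policy-based routing."""
import re
from typing import NamedTuple

# Sample input constructed from the 2015-02-26 post; no pf rules were shown (assumed none).
FEB26_SQUID = """\
# Squid normally listens to port 3128
http_port 3128 intercept
http_port 80 intercept
snmp_port 3401
"""
FEB26_PF = ""

# Sample input constructed from the 2015-03-05 "squid intercept config" thread.
MAR05_SQUID = """\
http_port 3128
http_port 3129 intercept
"""
MAR05_PF = "rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129\n"


class Listener(NamedTuple):
    port: int
    mode: str  # "forward", "intercept", "tproxy" or "accel"


class Redirect(NamedTuple):
    match_port: str  # destination port the rule matches ("80", "http", ...)
    to_addr: str
    to_port: int


MODES = ("intercept", "tproxy", "accel")
# Old-style pf translation rule: rdr ... port X -> ADDR port Y
RDR_RE = re.compile(
    r"^rdr\b.*?\bport\s+(?:=\s*)?(?P<match>\S+)\s+->\s+(?P<addr>\S+)\s+port\s+(?P<to>\d+)"
)


def parse_http_ports(squid_conf):
    """Return one Listener per http_port line, ignoring comments."""
    listeners = []
    for raw in squid_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        port = int(fields[1].rsplit(":", 1)[-1])  # accepts "3129" or "addr:3129"
        mode = next((m for m in MODES if m in fields[2:]), "forward")
        listeners.append(Listener(port, mode))
    return listeners


def parse_rdr_rules(pf_conf):
    """Return one Redirect per rdr rule; accepts pf.conf text or `pfctl -s nat` output."""
    rules = []
    for raw in pf_conf.splitlines():
        m = RDR_RE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append(Redirect(m["match"], m["addr"], int(m["to"])))
    return rules


def lint(squid_conf, pf_conf):
    """Return finding labels; an empty list means listeners and rdr rules agree."""
    listeners = parse_http_ports(squid_conf)
    redirects = parse_rdr_rules(pf_conf)
    findings = []

    # A listener marked intercept is meant for NAT-redirected traffic only;
    # explicitly configured clients need a plain http_port as well.
    if listeners and all(lsn.mode != "forward" for lsn in listeners):
        findings.append("no-forward-port")

    # Policy routing only changes the next hop. Packets still carry the origin
    # server's address, so a local rdr rule has to hand them to the intercept port.
    redirected_to = {r.to_port for r in redirects}
    for lsn in listeners:
        if lsn.mode == "intercept" and lsn.port not in redirected_to:
            findings.append(f"intercept-port-{lsn.port}-has-no-rdr")

    # Redirected traffic must land on a listener that performs the NAT lookup.
    for r in redirects:
        if not any(lsn.port == r.to_port and lsn.mode == "intercept" for lsn in listeners):
            findings.append(f"rdr-targets-non-intercept-port-{r.to_port}")
    return findings


if __name__ == "__main__":
    print("2015-02-26:", lint(FEB26_SQUID, FEB26_PF))
    print("2015-03-05:", lint(MAR05_SQUID, MAR05_PF))
```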


[squid-users] squid 3.5.2 and MRTG

2015-02-22 Thread Monah Baki
Hi all,

I need to monitor squid 3.5.2 using MRTG and can't seem to find any
examples on how to do that.

I found the following but nothing happens. Clueless on how to do this.

Thanks



Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@proxy.sg.private:3401
# If you are using Squid 2.6 or later, uncomment the following line
#RouterName[proxy-hit]: cacheUniqName
MaxBytes[proxy-hit]: 10
Title[proxy-hit]: HTTP Hits
PageTop[proxy-hit]: <H2>proxy Cache Statistics: HTTP Hits/Requests</H2>
 <TABLE>
   <TR><TD>System:</TD><TD>proxy.sg.private</TD></TR>
   <TR><TD>Maintainer:</TD><TD>Serassio Guido</TD></TR>
   <TR><TD>Description:</TD><TD>Squid Proxy server</TD></TR>
 </TABLE>
Suppress[proxy-hit]: y
LegendI[proxy-hit]:  HTTP hits
LegendO[proxy-hit]:  HTTP requests
Legend1[proxy-hit]:  HTTP hits
Legend2[proxy-hit]:  HTTP requests
YLegend[proxy-hit]: perminute
ShortLegend[proxy-hit]: req/min
Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero


[squid-users] Is squid for OpenBSD 5.5 broken????

2014-06-15 Thread Monah Baki
Hi all,

Using ./configure --prefix=/usr/local/squid --with-filedescriptors=32768
--enable-snmp --with-large-files


I installed OpenBSD 5.4 on a vmware workstation and squid 3.4.5, works fine.


However, OpenBSD 5.5 on both vmware workstation and on a SPARC64
T5220, I get the following error running make,


po -c -o client_side.o client_side.cc  mv -f $depbase.Tpo $depbase.Po
depbase=`echo client_side_reply.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;
g++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\
-DDEFAULT_SQUID_DATA_DIR=\/usr/local/squid/share\
-DDEFAULT_SQUID_CONFIG_DIR=\/usr/local/squid/etc\  -I.. -I../include
-I../lib  -I../src -I../include   -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I../libltdl  -I../src -I../libltdl
-I/usr/include/kerberosV  -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I/usr/include/kerberosV  -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -g -O2 -MT client_side_reply.o -MD -MP -MF $depbase.Tpo
-c -o client_side_reply.o client_side_reply.cc  mv -f $depbase.Tpo
$depbase.Po
cc1plus: warnings being treated as errors
client_side_reply.cc: In member function 'void
clientReplyContext::buildReplyHeader()':
client_side_reply.cc:1326: warning: format '%ld' expects type 'long
int', but argument 4 has type 'long long int'
*** Error 1 in src (Makefile:6970 'client_side_reply.o')
*** Error 1 in src (Makefile:7116 'all-recursive')
*** Error 1 in src (Makefile:6036 'all')
*** Error 1 in /home/mbaki/squid-3.4.5 (Makefile:587 'all-recursive')





Thanks


[squid-users] Squid+openbsd 5.5 on sparc 64

2014-06-13 Thread Monah Baki
OpenBSD 5.5-stable (GENERIC.MP) #1: Thu Jun 12 18:57:48 EDT 2014
mb...@proxy.home:/usr/src/sys/arch/sparc64/compile/GENERIC.MP
real mem = 17045651456 (16256MB)
avail mem = 16759693312 (15983MB)
mainbus0 at root: SPARC Enterprise T5220




./configure --prefix=/usr/local/squid --with-filedescriptors=32768
--enable-snmp --with-large-files

No errors

Run make after 40 min,


po -c -o client_side.o client_side.cc  mv -f $depbase.Tpo $depbase.Po
depbase=`echo client_side_reply.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;
g++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\
-DDEFAULT_SQUID_DATA_DIR=\/usr/local/squid/share\
-DDEFAULT_SQUID_CONFIG_DIR=\/usr/local/squid/etc\  -I.. -I../include
-I../lib  -I../src -I../include   -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I../libltdl  -I../src -I../libltdl
-I/usr/include/kerberosV  -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I/usr/include/kerberosV  -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -g -O2 -MT client_side_reply.o -MD -MP -MF $depbase.Tpo
-c -o client_side_reply.o client_side_reply.cc  mv -f $depbase.Tpo
$depbase.Po
cc1plus: warnings being treated as errors
client_side_reply.cc: In member function 'void
clientReplyContext::buildReplyHeader()':
client_side_reply.cc:1326: warning: format '%ld' expects type 'long
int', but argument 4 has type 'long long int'
*** Error 1 in src (Makefile:6970 'client_side_reply.o')
*** Error 1 in src (Makefile:7116 'all-recursive')
*** Error 1 in src (Makefile:6036 'all')
*** Error 1 in /home/mbaki/squid-3.4.5 (Makefile:587 'all-recursive')



Thanks


Re: [squid-users] squid 3.4.3 on Solaris Sparc

2014-02-17 Thread Monah Baki
Hi,


I did find /usr/lib/libdb.so but no results for libdb.a


Thanks

On Mon, Feb 17, 2014 at 12:42 AM, Francesco Chemolli gkin...@gmail.com wrote:

 On 17 Feb 2014, at 01:15, Monah Baki monahb...@gmail.com wrote:

 uname -a
 SunOS proxy 5.11 11.1 sun4v sparc SUNW,SPARC-Enterprise-T5220

 Here are the steps before it fails

 ./configure --prefix=/usr/local/squid --enable-async-io
 --enable-cache-digests --enable-underscores --enable-pthreads
 --enable-storeio=ufs,aufs --enable-removal-policies=lru,heap

 make

 c -I../../../include   -I/usr/include/gssapi -I/usr/include/kerberosv5
   -I/usr/include/gssapi -I/usr/include/kerberosv5 -Wall
 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
 -D_REENTRANT -pthreads -g -O2 -std=c++0x -MT ext_session_acl.o -MD -MP
 -MF .deps/ext_session_acl.Tpo -c -o ext_session_acl.o
 ext_session_acl.cc
 mv -f .deps/ext_session_acl.Tpo .deps/ext_session_acl.Po
 /bin/sh ../../../libtool --tag=CXX--mode=link g++ -Wall
 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
 -D_REENTRANT -pthreads -g -O2 -std=c++0x   -g -o ext_session_acl
 ext_session_acl.o ../../../compat/libcompat-squid.la
 libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments
 -Wshadow -Werror -pipe -D_REENTRANT -pthreads -g -O2 -std=c++0x -g -o
 ext_session_acl ext_session_acl.o
 ../../../compat/.libs/libcompat-squid.a -pthreads
 Undefined   first referenced
 symbol in file
 db_create   ext_session_acl.o
 db_env_create   ext_session_acl.o

 The build system is not able to find the Berkeley db library files (but
 for some reason it can find the header).
 Please check that libdb.a or libdb.so are available and found on the paths 
 searched for libraries by your build system.

 Kinkie


Re: [squid-users] squid 3.4.3 on Solaris Sparc

2014-02-17 Thread Monah Baki
I hope this is the right output.

root@proxy:~# nm -s /usr/lib/libdb.so | grep db_create
[2332]  |214036|   716|FUNC |GLOB |0|.text |__bam_db_create
[1495]  |   1098492|  2172|FUNC |GLOB |0|.text |__db_create_internal
[2052]  |395884|   216|FUNC |GLOB |0|.text |__ham_db_create
[1755]  |511400|   112|FUNC |GLOB |0|.text |__qam_db_create
[1335]  |   1096060|  2416|FUNC |GLOB |0|.text |db_create
root@proxy:~# nm -s /usr/lib/libdb.so | grep db_env
[1072]  |   1265120|   104|FUNC |GLOB |0|.text |__db_env_destroy
[656]   |   1265240|  3208|FUNC |LOCL |0|.text |__db_env_init
[1300]  |   1264744|   376|FUNC |GLOB |0|.text |db_env_create
[1445]  |   1495184|52|FUNC |GLOB |0|.text |db_env_set_func_close
[947]   |   1495252|52|FUNC |GLOB |0|.text |db_env_set_func_dirfree
[1340]  |   1495320|52|FUNC |GLOB |0|.text |db_env_set_func_dirlist
[915]   |   1495388|52|FUNC |GLOB |0|.text |db_env_set_func_exists
[2567]  |   1495796|56|FUNC |GLOB |0|.text |db_env_set_func_file_map
[1512]  |   1495456|52|FUNC |GLOB |0|.text |db_env_set_func_free
[2384]  |   1495524|52|FUNC |GLOB |0|.text |db_env_set_func_fsync
[1604]  |   1495592|52|FUNC |GLOB |0|.text |db_env_set_func_ftruncate
[1909]  |   1495660|52|FUNC |GLOB |0|.text |db_env_set_func_ioinfo
[2005]  |   1495728|52|FUNC |GLOB |0|.text |db_env_set_func_malloc
[1795]  |   1496076|52|FUNC |GLOB |0|.text |db_env_set_func_open
[904]   |   1495940|52|FUNC |GLOB |0|.text |db_env_set_func_pread
[1377]  |   1496008|52|FUNC |GLOB |0|.text |db_env_set_func_pwrite
[1238]  |   1496144|52|FUNC |GLOB |0|.text |db_env_set_func_read
[2513]  |   1496212|52|FUNC |GLOB |0|.text |db_env_set_func_realloc
[1901]  |   1495868|56|FUNC |GLOB |0|.text |db_env_set_func_region_map
[1327]  |   1496280|52|FUNC |GLOB |0|.text |db_env_set_func_rename
[1616]  |   1496348|52|FUNC |GLOB |0|.text |db_env_set_func_seek
[983]   |   1496416|52|FUNC |GLOB |0|.text |db_env_set_func_unlink
[2446]  |   1496484|52|FUNC |GLOB |0|.text |db_env_set_func_write
[1956]  |   1496552|52|FUNC |GLOB |0|.text |db_env_set_func_yield





On Mon, Feb 17, 2014 at 2:43 PM, Kinkie gkin...@gmail.com wrote:
 That should be enough.
 Check (you can use the nm -s tool) that libdb.so contains the
 symbols db_create and db_env_create. It may be that the file is
 corrupted, a wrong version or a stub.
 Alternatively, if you don't need the session helper, use squid's
 configure flags to skip building it.

 On Mon, Feb 17, 2014 at 4:23 PM, Monah Baki monahb...@gmail.com wrote:
 Hi,


 I did find /usr/lib/libdb.so but no results for libdb.a


 Thanks

 On Mon, Feb 17, 2014 at 12:42 AM, Francesco Chemolli gkin...@gmail.com 
 wrote:

 On 17 Feb 2014, at 01:15, Monah Baki monahb...@gmail.com wrote:

 uname -a
 SunOS proxy 5.11 11.1 sun4v sparc SUNW,SPARC-Enterprise-T5220

 Here are the steps before it fails

 ./configure --prefix=/usr/local/squid --enable-async-io
 --enable-cache-digests --enable-underscores --enable-pthreads
 --enable-storeio=ufs,aufs --enable-removal-policies=lru,heap

 make

 c -I../../../include   -I/usr/include/gssapi -I/usr/include/kerberosv5
   -I/usr/include/gssapi -I/usr/include/kerberosv5 -Wall
 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
 -D_REENTRANT -pthreads -g -O2 -std=c++0x -MT ext_session_acl.o -MD -MP
 -MF .deps/ext_session_acl.Tpo -c -o ext_session_acl.o
 ext_session_acl.cc
 mv -f .deps/ext_session_acl.Tpo .deps/ext_session_acl.Po
 /bin/sh ../../../libtool --tag=CXX--mode=link g++ -Wall
 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
 -D_REENTRANT -pthreads -g -O2 -std=c++0x   -g -o ext_session_acl
 ext_session_acl.o ../../../compat/libcompat-squid.la
 libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments
 -Wshadow -Werror -pipe -D_REENTRANT -pthreads -g -O2 -std=c++0x -g -o
 ext_session_acl ext_session_acl.o
 ../../../compat/.libs/libcompat-squid.a -pthreads
 Undefined   first referenced
 symbol in file
 db_create   ext_session_acl.o
 db_env_create   ext_session_acl.o

 The build system is not able to find the Berkeley db library files
 (but for some reason it can find the header).
 Please check that libdb.a or libdb.so are available and found on the paths 
 searched for libraries by your build system.

 Kinkie



 --
 Francesco


[squid-users] Solaris 3.4.3 on Sparc 11 64 bit

2014-02-16 Thread Monah Baki
uname -a
SunOS proxy 5.11 11.1 sun4v sparc SUNW,SPARC-Enterprise-T5220

Here are the steps before it fails

./configure --prefix=/usr/local/squid --enable-async-io
--enable-cache-digests --enable-underscores --enable-pthreads
--enable-storeio=ufs,aufs --enable-removal-policies=lru,heap

make

c -I../../../include   -I/usr/include/gssapi -I/usr/include/kerberosv5
   -I/usr/include/gssapi -I/usr/include/kerberosv5 -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -pthreads -g -O2 -std=c++0x -MT ext_session_acl.o -MD -MP
-MF .deps/ext_session_acl.Tpo -c -o ext_session_acl.o
ext_session_acl.cc
mv -f .deps/ext_session_acl.Tpo .deps/ext_session_acl.Po
/bin/sh ../../../libtool --tag=CXX--mode=link g++ -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -pthreads -g -O2 -std=c++0x   -g -o ext_session_acl
ext_session_acl.o ../../../compat/libcompat-squid.la
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments
-Wshadow -Werror -pipe -D_REENTRANT -pthreads -g -O2 -std=c++0x -g -o
ext_session_acl ext_session_acl.o
../../../compat/.libs/libcompat-squid.a -pthreads
Undefined   first referenced
 symbol in file
db_create   ext_session_acl.o
db_env_create   ext_session_acl.o
ld: fatal: symbol referencing errors. No output written to ext_session_acl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ext_session_acl'
Current working directory /home/mbaki/squid-3.4.3/helpers/external_acl/session
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='LDAP_group SQL_session eDirectory_userip file_userip
kerberos_ldap_group session unix_group wbinfo_group'; for subdir in
$list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/mbaki/squid-3.4.3/helpers/external_acl
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='basic_auth digest_auth external_acl log_daemon  negotiate_auth
url_rewrite storeid_rewrite ntlm_auth  '; for subdir in $list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/mbaki/squid-3.4.3/helpers
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='compat lib snmplib libltdl scripts icons  errors doc helpers src
tools test-suite'; for subdir in $list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'


[squid-users] squid 3.4.3 on Solaris Sparc

2014-02-16 Thread Monah Baki
uname -a
SunOS proxy 5.11 11.1 sun4v sparc SUNW,SPARC-Enterprise-T5220

Here are the steps before it fails

./configure --prefix=/usr/local/squid --enable-async-io
--enable-cache-digests --enable-underscores --enable-pthreads
--enable-storeio=ufs,aufs --enable-removal-policies=lru,heap

make

c -I../../../include   -I/usr/include/gssapi -I/usr/include/kerberosv5
   -I/usr/include/gssapi -I/usr/include/kerberosv5 -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -pthreads -g -O2 -std=c++0x -MT ext_session_acl.o -MD -MP
-MF .deps/ext_session_acl.Tpo -c -o ext_session_acl.o
ext_session_acl.cc
mv -f .deps/ext_session_acl.Tpo .deps/ext_session_acl.Po
/bin/sh ../../../libtool --tag=CXX--mode=link g++ -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -pthreads -g -O2 -std=c++0x   -g -o ext_session_acl
ext_session_acl.o ../../../compat/libcompat-squid.la
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments
-Wshadow -Werror -pipe -D_REENTRANT -pthreads -g -O2 -std=c++0x -g -o
ext_session_acl ext_session_acl.o
../../../compat/.libs/libcompat-squid.a -pthreads
Undefined   first referenced
 symbol in file
db_create   ext_session_acl.o
db_env_create   ext_session_acl.o
ld: fatal: symbol referencing errors. No output written to ext_session_acl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ext_session_acl'
Current working directory /home/mbaki/squid-3.4.3/helpers/external_acl/session
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='LDAP_group SQL_session eDirectory_userip file_userip
kerberos_ldap_group session unix_group wbinfo_group'; for subdir in
$list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/mbaki/squid-3.4.3/helpers/external_acl
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='basic_auth digest_auth external_acl log_daemon  negotiate_auth
url_rewrite storeid_rewrite ntlm_auth  '; for subdir in $list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/mbaki/squid-3.4.3/helpers
*** Error code 1
The following command caused the error:
fail= failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='compat lib snmplib libltdl scripts icons  errors doc helpers src
tools test-suite'; for subdir in $list; do \
  echo Making $target in $subdir; \
  if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
  else \
local_target=$target; \
  fi; \
  (CDPATH=${ZSH_VERSION+.}:  cd $subdir  make  $local_target) \
  || eval $failcom; \
done; \
if test $dot_seen = no; then \
  make  $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'


[squid-users] Squid error????

2014-01-23 Thread Monah Baki
Hi all,


I am running FreeBSD 9.2 with squid 3.4.1, this machine has no users
at all yet. I saw this message and was not sure if it is squid or
freebsd related.

2014/01/22 20:13:47|  FD 15, [::] [ job1]: (53) Software caused connection abort
2014/01/22 20:30:20|  FD 15, [::] [Stopped, reason:Listener socket
closed job1]: (53) Software caused connection abort

I can still use the proxy though and browse.

No idea what it is, and what might have caused it. Any help will be
greatly appreciated.


Thanks


Re: [squid-users] Squid error????

2014-01-23 Thread Monah Baki
Hi Amos,

Upon starting squid, (See before last line below)


root@devsrvr:/var/log # 2014/01/23 19:14:31| Set Current Directory to
/usr/local/squid/var/cache/
squid
2014/01/23 19:14:31| Starting Squid Cache version 3.4.1 for
i386-unknown-freebsd9.2...



2014/01/23 19:14:31| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/01/23 19:14:31| WARNING: no_suid: setuid(0): (1) Operation not permitted
.
2014/01/23 19:14:33| Accepting HTTP Socket connections at
local=[::]:80 remote=[::] FD 15 flags=9
2014/01/23 19:14:33| Accepting SNMP messages on [::]:3401



Thanks

On Thu, Jan 23, 2014 at 7:02 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 24/01/2014 12:36 p.m., Monah Baki wrote:
 Hi all,


 I am running FreeBSD 9.2 with squid 3.4.1, this machine has no users
 at all yet. I saw this message and was not sure if it is squid or
 freebsd related.

 2014/01/22 20:13:47|  FD 15, [::] [ job1]: (53) Software caused connection 
 abort
 2014/01/22 20:30:20|  FD 15, [::] [Stopped, reason:Listener socket
 closed job1]: (53) Software caused connection abort

 I can still use the proxy though and browse.

 No idea what it is, and what might have caused it. Any help will be
 greatly appreciated.

 Software caused connection abort is an operating system error message
 about the socket.

  What was FD 15 opened for?

 Amos


Re: [squid-users] Squid error????

2014-01-23 Thread Monah Baki
I am running it on VMWare workstation 9.0.2 (32 bit)

On Thu, Jan 23, 2014 at 8:09 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 On 24/01/14 02:58, Monah Baki wrote:

 Hi Amos,

 Upon starting squid, (See before last line below)


 root@devsrvr:/var/log # 2014/01/23 19:14:31| Set Current Directory to
 /usr/local/squid/var/cache/
 squid
 2014/01/23 19:14:31| Starting Squid Cache version 3.4.1 for
 i386-unknown-freebsd9.2...
 
 
 
 2014/01/23 19:14:31| WARNING: no_suid: setuid(0): (1) Operation not
 permitted
 2014/01/23 19:14:31| WARNING: no_suid: setuid(0): (1) Operation not
 permitted
 .
 2014/01/23 19:14:33| Accepting HTTP Socket connections at
 local=[::]:80 remote=[::] FD 15 flags=9
 2014/01/23 19:14:33| Accepting SNMP messages on [::]:3401


 I will probably have a VM with FBSD 64 bit to test it.

 Eliezer


Re: [squid-users] Transparent proxy

2013-11-30 Thread Monah Baki
Hi Amos,

Thanks for the explanation. I switched to intercept yet once I restart
squid, I am still seeing the No forward proxy ports configured.

The same machine later on will also be running IPtables since it has 2
NIC's in it.



Monah

On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 30/11/2013 10:26 a.m., Monah Baki wrote:
 Hi all,


 I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:


 http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/

 What's the difference between

 http_port 3128 transparent

 The above expects all arriving traffic to be in HTTP port 80 origin
 server format. Used for receiving intercept-proxy traffic.

 Also, the TCP level details are assumed to have passed through some form
 of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
 the original TCP details are not found in the NAT records some
 restrictions are placed on what happens with the request and response.


 and
 http_port 3128


 This one expects all arriving traffic to be an HTTP proxy format. Used
 for receiving forward-proxy traffic.


 If I were to configure with http_port 3128 transparent and restart
 squid I get in my access.log file:
  ERROR: No forward-proxy ports configured.

 If I were to then browse, nothing happens.

 I am not running iptables by the way.

 iptables or some other NAT system is mandatory for getting the traffic
 to an intercept port. Squid is fetching the TCP details from the kernel
 NAT records and using that as the preferred destination on outbound
 connections.

 As for the tutorial. It is broken in several major ways. Which for an
 8-line example is remarkable in itself. Consider following the official
 wiki configuration example instead
 http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect


 * The transparent option has been deprecated by intercept option
 since 2010.

 * Using DNAT rules without matching SNAT rules prevents TCP reply
 packets working at all. I'm not surprised half the comments are about it
 not working.

 * Having both REDIRECT and DNAT rules on the same box is overkill
 anyway. DNAT is best for machines with a static IP address, REDIRECT for
 machines with dynamically assigned IP address or if writing examples for
 complete newbies.

 * Using port 3128 for the intercept port is a very BAD idea. There are
 active attacks in the wild scanning for open proxy ports and intercept
 without firewall protection on the port is ripe for attack. It should be
 a secret port which you can firewall away from all access beyond the
 machine itself. Only the NAT firewall and Squid need to use it.


 HTH
 Amos


Re: [squid-users] Transparent proxy

2013-11-30 Thread Monah Baki
Thanks, error went away. All remains is my IPTable rules.

On Sat, Nov 30, 2013 at 7:45 AM, Pavel Kazlenka
pavel.kazle...@measurement-factory.com wrote:
 On 11/30/2013 03:33 PM, Monah Baki wrote:

 Hi Amos,

 Thanks for the explanation. I switched to intercept yet once I restart
 squid, I am still seeing the No forward proxy ports configured.

 The same machine later on will also be running IPtables since it has 2
 NIC's in it.

 You need both one 'intercept' and one 'forward proxy' port in config even if
 you don't use forward proxy:

 http_port 3129
 http_port 3128 intercept





 Monah

 On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz
 wrote:

 On 30/11/2013 10:26 a.m., Monah Baki wrote:

 Hi all,


 I'm trying to setup a transparent proxy squid 3.3.9 using the following
 URL:



 http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/

 What's the difference between

 http_port 3128 transparent

 The above expects all arriving traffic to be in HTTP port 80 origin
 server format. Used for receiving intercept-proxy traffic.

 Also, the TCP level details are assumed to have passed through some form
 of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
 the original TCP details are not found in the NAT records some
 restrictions are placed on what happens with the request and response.


 and
 http_port 3128

 This one expects all arriving traffic to be an HTTP proxy format. Used
 for receiving forward-proxy traffic.

 If I were to configure with http_port 3128 transparent and restart
 squid I get in my access.log file:
   ERROR: No forward-proxy ports configured.

 If I were to then browse, nothing happens.

 I am not running iptables by the way.

 iptables or some other NAT system is mandatory for getting the traffic
 to an intercept port. Squid is fetching the TCP details from the kernel
 NAT records and using that as the preferred destination on outbound
 connections.

 As for the tutorial. It is broken in several major ways. Which for an
 8-line example is remarkable in itself. Consider following the official
 wiki configuration example instead
 http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect


 * The transparent option has been deprecated by intercept option
 since 2010.

 * Using DNAT rules without matching SNAT rules prevents TCP reply
 packets working at all. I'm not surprised half the comments are about it
 not working.

 * Having both REDIRECT and DNAT rules on the same box is overkill
 anyway. DNAT is best for machines with a static IP address, REDIRECT for
 machines with dynamically assigned IP address or if writing examples for
 complete newbies.

 * Using port 3128 for the intercept port is a very BAD idea. There are
 active attacks in the wild scanning for open proxy ports and intercept
 without firewall protection on the port is ripe for attack. It should be
 a secret port which you can firewall away from all access beyond the
 machine itself. Only the NAT firewall and Squid need to use it.


 HTH
 Amos
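
The http_port problems raised in the replies above (the deprecated transparent option, an intercept listener on port 3128, and no forward-proxy port) can be checked mechanically. The following is an added example, not part of the original messages or of Squid itself; the function names, finding labels, port 8080 in the well-known list and port 13129 in the last sample are assumptions made for illustration.

```python
"""Lint squid.conf http_port lines for the problems raised in this thread."""

# Modes that make a port something other than a forward-proxy port.
# "transparent" and "intercept" come from the thread; "tproxy" and "accel"
# are other real http_port modes, included so they are not miscounted.
NON_FORWARD_MODES = {"transparent", "intercept", "tproxy", "accel"}
NAT_INTERCEPT_MODES = {"transparent", "intercept"}
# Assumption: 3128 is the port named in the thread; 8080 is added here as
# another port that proxy scanners commonly probe.
WELL_KNOWN_PROXY_PORTS = {3128, 8080}

# Sample configurations (constructed from the lines quoted in the thread).
TUTORIAL_CONF = "http_port 3128 transparent\n"
THREAD_FIX_CONF = "http_port 3129\nhttp_port 3128 intercept\n"
# Hypothetical hardened layout: forward proxy on 3128, intercept listener on
# a non-default port (13129 is a constructed value) that the firewall hides.
HARDENED_CONF = "http_port 3128\nhttp_port 13129 intercept  # NAT only\n"


def parse_http_ports(conf_text):
    """Return [(line_no, port, options)] for each http_port directive."""
    ports = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        try:
            # Accepts "3128", "192.0.2.1:3128" and "[::1]:3128".
            port = int(fields[1].rsplit(":", 1)[-1])
        except ValueError:
            continue  # not a numeric port; leave it to "squid -k parse"
        ports.append((line_no, port, {opt.lower() for opt in fields[2:]}))
    return ports


def lint_http_ports(conf_text):
    """Return a sorted list of (line_no, finding); line 0 means whole file."""
    findings = []
    ports = parse_http_ports(conf_text)
    forward_ports = [p for p in ports if not (p[2] & NON_FORWARD_MODES)]
    for line_no, port, options in ports:
        if "transparent" in options:
            findings.append((line_no, "deprecated-transparent-option"))
        if options & NAT_INTERCEPT_MODES and port in WELL_KNOWN_PROXY_PORTS:
            findings.append((line_no, "intercept-on-well-known-port"))
    if ports and not forward_ports:
        # Matches the "No forward-proxy ports configured" error in the thread.
        findings.append((0, "no-forward-proxy-port"))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF),
                        ("thread fix", THREAD_FIX_CONF),
                        ("hardened", HARDENED_CONF)):
        print(label, lint_http_ports(conf))
```

The check only reads squid.conf; whether the intercept port is actually firewalled away from direct client access has to be verified in the NAT/firewall rules themselves.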




[squid-users] Transparent proxy

2013-11-29 Thread Monah Baki
Hi all,


I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:


http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/

What's the difference between

http_port 3128 transparent
and
http_port 3128


If I were to configure with http_port 3128 transparent and restart
squid I get in my access.log file:
 ERROR: No forward-proxy ports configured.

If I were to then browse, nothing happens.

I am not running iptables by the way.


Thanks


[squid-users] cache_peer question

2013-11-05 Thread Monah Baki
I came across this where it forwards all requests to another proxy

cache_peer parentcache.foo.com parent 3128 0 no-query default
never_direct allow all


How can I deny all requests to use the parent proxy except for a
specific domain?
Everything else use the child.

Thanks
Monah


Re: [squid-users] Re: parent proxy setup

2013-11-04 Thread Monah Baki
I can access other https sites no problem. It's facebook that I have
issues with.

Amos - I added the nonhierarchical_direct off, still not working.
Still facing the same issue.

Thanks

On Mon, Nov 4, 2013 at 3:46 PM, babajaga augustus_me...@yahoo.de wrote:
 I would guess, a problem regarding proxying/forwarding of HTTPS in CentOS
 machine.
 Similar problems with other https://example.com ?








[squid-users] parent proxy setup

2013-11-03 Thread Monah Baki
Hi all,

I have 2 servers a CentOS 6.4 and FreeBSD 9.2, both running squid
3.3.8. The CentOS however is configured as follows:

cache_peer x.x.x.x parent 80 0 no-query no-digest
never_direct allow all

x.x.x.x is the IP address of my FreeBSD

I can browse the internet fine, except https://facebook.com. I am able
to authenticate, but after that, site does not load, images some show
up and some do not, and if I refresh sometimes, the page goes blank
and nothing shows up.

I also see issues with cnn.com, the area where the live tv is missing,
it's blank.

If I change the proxy to my FreeBSD directly, all works fine.


Any ideas?


[squid-users] Squid and Polygraph

2009-07-05 Thread Monah Baki

Hi All,

I need to run web polygraph for benchmarking purposes. My scenario is 1
squid proxy (Freebsd 7.2 squid-2.7 stable 6) and a client. Which
workload should I use? I am looking at WebAxe-4.pg and I noticed
addr-space with a range of IP addresses. My client is 192.168.1.223
and my proxy is 192.168.1.156. I saw that I should not use simple.pg for
benchmarking purposes.


Hope someone can give me some hints as to what to modify so I can run 
the test.



Thanks
Monah


[squid-users] squid3 MRTG

2009-06-29 Thread Monah Baki

Hi all,

I'm running squid on FreeBSD 7.2. Where can I find documentation on
installing MRTG to monitor squid?


Basically I'm running Squid 3 stable 16 and net-snmp-5.4.2.1 and 
mrtg-2.16. Assuming all support each other or I need to choose a certain 
version over another.



Thank you




[squid-users] Question

2008-11-06 Thread Monah Baki

Hi all,

We have 2 squid servers running 2.7 stable 5. One is locally in our data 
center, the other is located remotely on the clients network. Is it 
possible to have whatever cached objects our local server has be 
replicated on the client?


If yes, in my squid.conf, what should I look for?

Thank you


Re: [squid-users] Secondary Cache

2008-10-21 Thread Monah Baki
Does this mean my secondary will have the cached URLs that reside on
my primary, or Primary/Secondary means as a failover?


Thank you

Henrik Nordstrom wrote:

On mån, 2008-10-20 at 19:57 +0300, Monah Baki wrote:

  

Can I have my squid cache be a secondary cache to a bluecoat server?



Yes.

Regards
Henrik
  




[squid-users] Secondary Cache

2008-10-20 Thread Monah Baki
Hi All,

Can I have my squid cache be a secondary cache to a bluecoat server?


Thanks


[squid-users] squid-cache.org

2008-06-11 Thread Monah Baki
Out of curiosity at the download section it says version 2.7 Latest  
Release Stable 1, but when you click on the 2.7 link it says stable2,  
which is it?



Thanks




BSD Networking, Microsoft Notworking





[squid-users] Re: squid-cache.org

2008-06-11 Thread Monah Baki

Forget it :)



On Jun 11, 2008, at 6:28 AM, Monah Baki wrote:

Out of curiosity at the download section it says version 2.7 Latest  
Release Stable 1, but when you click on the 2.7 link it says  
stable2, which is it?



Thanks




BSD Networking, Microsoft Notworking





BSD Networking, Microsoft Notworking





[squid-users] dstdomain question

2008-03-09 Thread Monah Baki

Hi all,

I'm running squid with authentication, and my users are running IE.  
Of course once they enable proxy in IE setting, MSN no longer works.
I read by using the dstdomain before authentication in your  
squid.conf, users are able to use MSN messenger without manually  
adding the username and proxy in their MSN setting.


What's the syntax for this in squid.conf?


Thank you

BSD Networking, Microsoft Notworking





Re: [squid-users] dstdomain question

2008-03-09 Thread Monah Baki
I think I got it, I am able to connect once I added in my squid.conf  
the following


acl msnmessenger url_regex -i gateway.dll
acl msnURL dstdomain .passport.com
acl msnURL dstdomain .live.com
acl msnURL dstdomain .msn.com
http_access allow msnmessenger
http_access allow msnURL


This works on my MAC OS X, will test on windows.


On Mar 9, 2008, at 10:30 AM, Monah Baki wrote:


Hi all,

I'm running squid with authentication, and my users are running IE.  
Of course once they enable proxy in IE setting, MSN no longer
works. I read by using the dstdomain before authentication in your  
squid.conf, users are able to use MSN messenger without manually  
adding the username and proxy in their MSN setting.


What's the syntax for this in squid.conf?


Thank you

BSD Networking, Microsoft Notworking







BSD Networking, Microsoft Notworking





[squid-users] Squid stable 18 and IWSS

2008-03-02 Thread Monah Baki

Hi all,

I am testing the following scenario

client --- IWSS (Redhat 4 ES) --- Squid (FreeBSD 6.3) --- Firewall  
(OpenBSD) --- Internet


IWSS has the squid as its upstream proxy, and everything works like a  
charm except FTP


When I try to access thru the browser a ftp site, I get the following  
error:


An FTP protocol error occurred while trying to retrieve the URL:  
ftp://[EMAIL PROTECTED]/


Squid sent the following FTP command:

NLST

and then received this reply

Use PORT or PASV first.

Your cache administrator is webmaster.



I have another test scenario using the same hardware as above

client --- Squid (FreeBSD 6.3 running dansguardian) --- Firewall  
(OpenBSD) --- Internet


I have no problem with FTP using this scenario.



Thank you




BSD Networking, Microsoft Notworking





Re: [squid-users] storeDiskdSend OPEN: (35) Resource temporarily unavailable

2008-01-21 Thread Monah Baki

Hi Tek,

I am planning on moving 1500 users to the proxy, of course the system
will change (hardware wise). Performance of squid should be
important, I knew diskd was still in test mode, but I did not
expect 4 users even though it was running for 27 days to display these
error messages.
For my own info, if I move to ufs, and if ufs is pretty stable,
performance wise is it close to diskd or better?


Thanks

On Jan 21, 2008, at 1:57 AM, Tek Bahadur Limbu wrote:


Hi Monah,

Monah Baki wrote:

Hi all,
I'm running squid 2.6-stable17 on Freebsd 6.3. Machine is a 500MHz  
with 512MB RAM.


Don't you think that your system is a little low on resources even  
for a low number of users?



./configure --prefix=/usr/local/squid
--enable-storeio=ufs,coss,diskd,null --enable-underscores
--with-large-files --enable-large-cache-files --enable-delay-pools
--disable-ident-lookups --enable-snmp --enable-cache-digests
--enable-underscores --enable-kill-parent-hack --enable-removal-policies
--enable-async-io --enable-kqueue --enable-follow-x-forwarded-for


I think it's better to use --enable-storeio=ufs,aufs,coss,diskd,null
and remove --enable-async-io.



In the end if DISKD does not work for you, then I guess you should  
use UFS, AUFS or COSS.


Since you only have 4 users, all of them will work fine for you...


Thanking you...



In my squid.conf:
cache_dir diskd /usr/local/squid/var/cache 28000 32 512 Q1=72 Q2=64
Thanks
BSD Networking, Microsoft Notworking



--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np

http://teklimbu.wordpress.com


BSD Networking, Microsoft Notworking





[squid-users] storeDiskdSend OPEN: (35) Resource temporarily unavailable

2008-01-20 Thread Monah Baki

Hi all,

I'm running squid 2.6-stable17 on Freebsd 6.3. Machine is a 500MHz  
with 512MB RAM.


./configure --prefix=/usr/local/squid
--enable-storeio=ufs,coss,diskd,null --enable-underscores
--with-large-files --enable-large-cache-files --enable-delay-pools
--disable-ident-lookups --enable-snmp --enable-cache-digests
--enable-underscores --enable-kill-parent-hack --enable-removal-policies
--enable-async-io --enable-kqueue --enable-follow-x-forwarded-for



I just have squid displaying the following error message:

2008/01/20 18:24:15| storeDiskdSend OPEN: (35) Resource temporarily unavailable
2008/01/20 18:24:15| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
2008/01/20 18:24:15| assertion failed: diskd/store_io_diskd.c:541: ++send_errors  100



jubilee# ipcs -a
Message Queues:
T       ID      KEY MODE     OWNER   GROUP   CREATOR CGROUP CBYTES QNUM QBYTES LSPID LRPID STIME    RTIME    CTIME
q   524288   942080 --rwa--  nobody  nobody  nobody  nobody   1280   40   2048   920   927 18:05:08 18:05:08  7:34:35
q   524289   942081 --rwa--  nobody  nobody  nobody  nobody      0    0   2048   927   920 18:05:08 18:05:08  7:34:35


Shared Memory:
T       ID      KEY MODE     OWNER   GROUP   CREATOR CGROUP NATTCH  SEGSZ CPID LPID ATIME    DTIME    CTIME
m   524288   942082 --rw---  nobody  nobody  nobody  nobody      1 339968  920  927  7:34:35 18:05:28  7:34:35


Semaphores:
T       ID      KEY MODE     OWNER   GROUP   CREATOR CGROUP NSEMS OTIME    CTIME



There's only 4 users on this server, and it's been running for quite  
sometime now.


I read that I need to increase the message queue limits, I'm presuming
it's the kern.ipc.msgmnb=16384. How can I monitor system before
anything happens? I can run squidclient mgr:info, but what do I need
to look for?


Configured the system with following parameters:

kern.ipc.nmbclusters: 65536
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.portrange.last=65535
kern.ipc.somaxconn=2048
kern.maxvnodes=10
kern.ipc.msgmnb=16384
kern.ipc.msgmni=40
kern.ipc.msgseg=512
kern.ipc.msgssz=64
kern.ipc.msgtql=2048

options SHMSEG=16
options SHMMNI=41
options MSGSSZ=64
options MSGTQL=512
options MSGSEZ=2048
options SHMMNI=40
options SHMMAX=2097152
options SHMALL=4096
options MAXFILES=8192
options NMBCLUSTERS=32768
options MSGMNB=16384
options VFS_AIO

In my squid.conf:
cache_dir diskd /usr/local/squid/var/cache 28000 32 512 Q1=72 Q2=64



Thanks


BSD Networking, Microsoft Notworking





[squid-users] coss vs aufs vs diskd

2008-01-05 Thread Monah Baki

Hi all,

I am trying to deploy a cache server in an environment for kids
(approx 2000). Currently my cache (squid-2.6-stable17) is configured
to use diskd, but since it's in a test environment I did not reach
the limit where I read under high load it will crash. Coss since it's
experimental, yet some users have given it good remarks as far as
performance and stability.

So should I stick with diskd or switch to coss?

Thanks


BSD Networking, Microsoft Notworking





[squid-users] authenticate_ttl question

2007-12-30 Thread Monah Baki

Hi all,

Can you have an authenticate_ttl based on group?


I want to have two authentication groups FooA and FooB to  
authenticate using ncsa authentication, password generated using  
htpasswd, but I want to have the users in FooB to a 15 day limit  
before they get disconnected.


Can this be done?

Where can I get more info on using authenticate_ttl



Thank you.





BSD Networking, Microsoft Notworking





[squid-users] Compiling squid 3

2007-12-29 Thread Monah Baki

Hi all,

I downloaded squid 3 stable1 and used the following:

./configure --prefix=/usr/local/squid --enable-storeio=ufs,diskd,null
--enable-underscores --with-large-files --enable-large-cache-files
--enable-delay-pools --disable-ident-lookups --enable-snmp
--enable-removal-policies --enable-async-io --enable-kqueue
--enable-icap-client


When I run make I get the following error:


Making all in scripts
Making all in src
sed  [EMAIL PROTECTED]@%3128%g; [EMAIL PROTECTED]@%3130%g; s% 
@[EMAIL PROTECTED]; [EMAIL PROTECTED]@%/usr/ 
local/squid/etc/mime.conf%g; [EMAIL PROTECTED]@%/usr/local/squid/ 
libexec/`echo dnsserver | sed 's,x,x,;s/$//'`%g; [EMAIL PROTECTED]@%/ 
usr/local/squid/libexec/`echo unlinkd | sed 's,x,x,;s/$//'`%g; s% 
@[EMAIL PROTECTED]/usr/local/squid/libexec/`echo pinger | sed  
's,x,x,;s/$//'`%g; [EMAIL PROTECTED]@%/usr/local/squid/libexec/`echo  
diskd | sed 's,x,x,;s/$//'`%g; [EMAIL PROTECTED]@%/usr/local/squid/ 
var/logs/cache.log%g; [EMAIL PROTECTED]@%/usr/local/squid/var/ 
logs/access.log%g; [EMAIL PROTECTED]@%/usr/local/squid/var/logs/ 
store.log%g; [EMAIL PROTECTED]@%/usr/local/squid/var/logs/squid.pid% 
g; [EMAIL PROTECTED]@%/usr/local/squid/var/cache%g; s% 
@[EMAIL PROTECTED]/usr/local/squid/share/icons%g; s% 
@[EMAIL PROTECTED]/usr/local/squid/share/mib.txt%g; s% 
@[EMAIL PROTECTED]/usr/local/squid/share/errors/English%g; s% 
@[EMAIL PROTECTED]/usr/local/squid%g; [EMAIL PROTECTED]@%/etc/hosts%g; s 
[EMAIL PROTECTED]@%3.0.STABLE1%g;  ./cf.data.pre cf.data
depbase=`echo cf_gen.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;  if g++ - 
DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf 
\ -I. -I. -I../include -I. -I. -I../include  -I../include -I../lib/ 
libTrie/include -I/usr/local/include -Werror -Wall -Wpointer- 
arith -Wwrite-strings -Wcomments  -D_REENTRANT -g -O2 -MT cf_gen.o - 
MD -MP -MF $depbase.Tpo -c -o cf_gen.o cf_gen.cc;  then mv -f  
$depbase.Tpo $depbase.Po; else rm -f $depbase.Tpo; exit 1; fi
depbase=`echo debug.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;  if g++ - 
DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf 
\ -I. -I. -I../include -I. -I. -I../include  -I../include -I../lib/ 
libTrie/include -I/usr/local/include -Werror -Wall -Wpointer- 
arith -Wwrite-strings -Wcomments  -D_REENTRANT -g -O2 -MT debug.o -MD  
-MP -MF $depbase.Tpo -c -o debug.o debug.cc;  then mv -f  
$depbase.Tpo $depbase.Po; else rm -f $depbase.Tpo; exit 1; fi

debug.cc: In function `void _db_print(const char*, ...)':
debug.cc:558: internal compiler error: in convert_move, at expr.c:588
Please submit a full bug report,
with preprocessed source if appropriate.
See URL:http://gcc.gnu.org/bugs.html for instructions.
*** Error code 1

Stop in /export/home/mbaki/squid-3.0.STABLE1/src.
*** Error code 1

Stop in /export/home/mbaki/squid-3.0.STABLE1.






[EMAIL PROTECTED] ~/squid-3.0.STABLE1]$ gcc -v
Using built-in specs.
Configured with: FreeBSD/i386 system compiler
Thread model: posix
gcc version 3.4.6 [FreeBSD] 20060305



Thank you


BSD Networking, Microsoft Notworking





[squid-users] Video streaming

2007-12-21 Thread Monah Baki

Hi all,

Any way to bypass the proxy for any form of internet video streaming,  
like apple's movie trailers, abc.com where users can watch full  
episodes or even netflix or blockbuster.


I do not mind a pac file if it cannot be done from squid.conf.


Thanks




BSD Networking, Microsoft Notworking





[squid-users] Authentication question

2007-12-16 Thread Monah Baki

Hi All,

If users require authentication in squid before browsing, is there a  
way for example to tell squid since user has authenticated in IE, if  
the user plans on using firefox while IE is still running, do not  
authenticate.



Thanks


BSD Networking, Microsoft Notworking





[squid-users] Squid authentication problem

2007-12-14 Thread Monah Baki
Hi All,

I have squid running, but for users to access the web they must
authenticate. Thing is since its a windows platform (XP professional and
Vista, all running IE 7), Instant Messenger also requires the username and
password in (Options - Connections) and some user is saying an application
called Vongo also requires authentication. Is there a way to have users
authenticate JUST to access the web and every other app to bypass the
proxy.


Thanks



[squid-users] Accounting question

2007-12-12 Thread Monah Baki

Hi all,

If users are using authentication to use your squid proxy (htpasswd,  
ncsa-auth), is there anyway via freeradius or some other means to  
limit each user to use the proxy for 1 month and after 1 month lock  
the account.


If yes how do you go about implementing and which file to modify.

Thanks


BSD Networking, Microsoft Notworking





[squid-users] Concurrent question

2007-11-25 Thread Monah Baki

Hi all,

I'm running squid 2.6 stable 16 on a Pentium III 500Mhz with 512MB  
RAM, IDE HDD, installed FreeBSD 6.3 with the following:


--enable-storeio=ufs,diskd,null --enable-underscores --with-large-files
--enable-large-cache-files --enable-delay-pools --disable-ident-lookups
--enable-snmp --enable-removal-policies --enable-async-io --enable-kqueue


Added into the /boot/loader.conf:

kern.ipc.nmbclusters: 32768
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.portrange.last: 65535


Compiled kernel with these options:
options SHMSEG=16
options SHMMNI=32
options SHMMAX=2097152
options SHMALL=4096
options MAXFILES=8192


I'm also running Dans Guardian on it too.

My question is approximately how many users can I proxy for?


Thanks


BSD Networking, Microsoft Notworking





[squid-users] Access.log

2007-11-23 Thread Monah Baki

Hi all,

How can I have the access.log display the source of the client IP using
my proxy server rather than the IP address of the proxy itself?



Thanks


BSD Networking, Microsoft Notworking





[squid-users] time ACL

2007-07-12 Thread Monah Baki

Hi all,

Is there a way to restrict some users access to the internet at a  
particular time or this is global, applies to everyone who has their
proxy setting pointed to the server.


Thank you


BSD Networking, Microsoft Notworking





Re: [squid-users] time ACL

2007-07-12 Thread Monah Baki
How do I write the acl in such a way if all users IP is 192.169.10.0/32
but from Monday-Friday 192.168.10.6 and 192.168.10.7 can only use it from
10AM to 12PM.

Thank you


 Yes, there's an acl named time that's described in squid.conf.

 #   acl aclname time [day-abbrevs]  [h1:m1-h2:m2]
 #   day-abbrevs:
 #   S - Sunday
 #   M - Monday
 #   T - Tuesday
 #   W - Wednesday
 #   H - Thursday
 #   F - Friday
 #   A - Saturday
 #   h1:m1 must be less than h2:m2

 You can make it work in conjunction with other acls.


 Regards,

 Isnard


 Em Qui, 2007-07-12 às 07:04 -0400, Monah Baki escreveu:
 Hi all,

 Is there a way to restrict some users access to the internet at a
 particular time or this is global, applies to everyone who has their
 proxy setting pointed to the server.

 Thank you


 BSD Networking, Microsoft Notworking








Re: [squid-users] time ACL

2007-07-12 Thread Monah Baki
Never mind, found it.

AclDefinitions

acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

Access Controls

http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch


Thanks


 How do I write the acl in such a way if all users IP is 192.169.10.0/32
 but from Monday-Friday 192.168.10.6 and 192.168.10.7 can only use it from
 10AM to 12PM.

 Thank you


 Yes, there's an acl named time that's described in squid.conf.

 #   acl aclname time [day-abbrevs]  [h1:m1-h2:m2]
 #   day-abbrevs:
 #   S - Sunday
 #   M - Monday
 #   T - Tuesday
 #   W - Wednesday
 #   H - Thursday
 #   F - Friday
 #   A - Saturday
 #   h1:m1 must be less than h2:m2

 You can make it work in conjunction with other acls.


 Regards,

 Isnard


 Em Qui, 2007-07-12 às 07:04 -0400, Monah Baki escreveu:
 Hi all,

 Is there a way to restrict some users access to the internet at a
 particular time or this is global, applies to everyone who has their
 proxy setting pointed to the server.

 Thank you


 BSD Networking, Microsoft Notworking
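
How Squid combines src and time ACLs is easy to get wrong, so here is a small evaluator for the rules discussed in this thread, as an added example that is not part of the original messages and is not Squid code. It models only src and time ACLs under Squid's documented rules (values of one ACL are ORed, ACL names on one http_access line are ANDed, the first matching line wins, and an unmatched request gets the opposite of the last line). POSTED_CONF is the configuration from the message above; QUESTION_CONF, its ACL names and the 192.168.10.0/24 LAN range are assumptions made to express the Monday-Friday 10:00-12:00 restriction that was asked about.

```python
"""Simplified model of Squid src/time ACL matching and http_access order."""
from datetime import datetime
from ipaddress import ip_address, ip_network

DAY_CODES = "MTWHFAS"  # position = datetime.weekday(), Monday = 0

# Configuration as posted in the thread.
POSTED_CONF = """
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
"""

# Constructed answer to the question (names and the /24 are assumptions).
QUESTION_CONF = """
acl limited src 192.168.10.6 192.168.10.7
acl window time MTWHF 10:00-12:00
acl lan src 192.168.10.0/24
http_access allow limited window
http_access deny limited
http_access allow lan
http_access deny all
"""


def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_time_acl(args):
    """['MTWHF', '10:00-12:00'] -> (weekday set, start minute, end minute)."""
    days, start, end = set(range(7)), 0, 24 * 60
    for arg in args:
        if ":" in arg:
            start, end = (to_minutes(part) for part in arg.split("-"))
        else:
            days = {DAY_CODES.index(code) for code in arg}
    return days, start, end


def load(conf_text):
    """Parse acl and http_access lines; values of one ACL name are ORed."""
    # The built-in "all" ACL is modelled as IPv4-only here (simplification).
    acls = {"all": ("src", [ip_network("0.0.0.0/0")])}
    rules = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl":
            name, kind, args = fields[1], fields[2], fields[3:]
            values = acls.setdefault(name, (kind, []))[1]
            if kind == "src":
                values.extend(ip_network(a, strict=False) for a in args)
            elif kind == "time":
                values.append(parse_time_acl(args))
            # Other ACL types are not modelled and never match.
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, when):
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(ip_address(client_ip) in net for net in values)
    else:
        minute = when.hour * 60 + when.minute
        hit = any(when.weekday() in days and start <= minute <= end
                  for days, start, end in values)
    return hit != negate


def decide(conf_text, client_ip, when):
    """Return 'allow' or 'deny' for one request at local time `when`."""
    acls, rules = load(conf_text)
    last_action = "allow"  # so that an empty rule list ends in deny
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip, when) for n in names):
            return action  # first matching line wins; its ACLs are ANDed
        last_action = action
    # Nothing matched: Squid applies the opposite of the last line.
    return "deny" if last_action == "allow" else "allow"
```

Because morning and lunch are ANDed on one line and their time ranges do not overlap, the model never allows host xyz under POSTED_CONF.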










[squid-users] Dynamic caching

2007-06-17 Thread Monah Baki

Hi all,

Where can I get information about dynamic caching in squid and how to
enable it, and after a certain period of time go see if the content
has changed and cache the new content.

Thank you


BSD Networking, Microsoft Notworking





[squid-users] Cache.log

2003-02-20 Thread Monah Baki
Hi,

I'm running Squid 2.5 stable1 on Openbsd 3.1, My cache.log file is full 
of the following error:

2003/02/05 08:03:14| WARNING: newer swaplog entry for dirno 2, fileno 1262
2003/02/05 09:03:14| WARNING: newer swaplog entry for dirno 1, fileno 01DE
2003/02/05 09:03:15| WARNING: newer swaplog entry for dirno 1, fileno 01E0
2003/02/05 09:03:15| WARNING: newer swaplog entry for dirno 1, fileno 01EA
2003/02/05 09:03:15| WARNING: newer swaplog entry for dirno 1, fileno 01ED
2003/02/05 09:03:15| Store rebuilding is 14.3% complete
2003/02/05 09:03:24| WARNING: newer swaplog entry for dirno 0, fileno 01C2
2003/02/05 09:03:31| Store rebuilding is 15.4% complete
2003/02/05 09:03:33| WARNING: newer swaplog entry for dirno 2, fileno 011B
2003/02/05 09:03:43| WARNING: newer swaplog entry for dirno 0, fileno 0209
2003/02/05 09:03:47| Store rebuilding is 16.4% complete
2003/02/05 09:04:04| Store rebuilding is 17.4% complete
2003/02/05 09:04:21| WARNING: newer swaplog entry for dirno 0, fileno 026C
2003/02/05 09:04:22| Store rebuilding is 18.5% complete
2003/02/05 09:04:37| Store rebuilding is 19.3% complete
2003/02/05 09:04:52| WARNING: newer swaplog entry for dirno 1, fileno 0431
2003/02/05 09:04:53| Store rebuilding is 20.1% complete
2003/02/05 09:04:58| WARNING: newer swaplog entry for dirno 0, fileno 02E7
2003/02/05 09:04:59| WARNING: newer swaplog entry for dirno 0, fileno 02E9
2003/02/05 09:05:06| WARNING: newer swaplog entry for dirno 0, fileno 031F
2003/02/05 09:30:32| WARNING: newer swaplog entry for dirno 1, fileno 05CD
2003/02/05 09:30:33| WARNING: newer swaplog entry for dirno 1, fileno 06B4
2003/02/05 09:30:39| WARNING: newer swaplog entry for dirno 2, fileno 061B
2003/02/05 09:30:42| WARNING: newer swaplog entry for dirno 1, fileno 06B8
2003/02/05 09:30:42| WARNING: newer swaplog entry for dirno 2, fileno 06EF
2003/02/05 09:30:45| WARNING: newer swaplog entry for dirno 2, fileno 0798
2003/02/05 09:30:52| Store rebuilding is 24.9% complete
2003/02/05 09:31:05| Starting Squid Cache version 2.5.STABLE1 for sparc64-unknown-openbsd3.1...
2003/02/05 09:31:05| Process ID 6301
2003/02/05 09:31:05| With 3404 file descriptors available
2003/02/05 09:31:05| Performing DNS Tests...
2003/02/05 09:31:05| Successful DNS name lookup tests...
2003/02/05 09:31:05| DNS Socket created at 0.0.0.0, port 2683, FD 6
2003/02/05 09:31:05| Adding nameserver 108.52.22.1 from /etc/resolv.conf
2003/02/05 09:31:05| Unlinkd pipe opened on FD 11
2003/02/05 09:31:05| Swap maxSize 18432000 KB, estimated 1384 objects
2003/02/05 09:31:05| Target number of buckets: 69
2003/02/05 09:31:05| Using 8192 Store buckets
2003/02/05 09:31:05| Max Mem  size: 65536 KB
2003/02/05 09:31:05| Max Swap size: 18432000 KB
2003/02/05 09:31:05| Store logging disabled
2003/02/05 09:31:05| Rebuilding storage in /cache1/cache (DIRTY)
2003/02/05 09:31:05| Rebuilding storage in /cache2/cache (DIRTY)
2003/02/05 09:31:05| Rebuilding storage in /cache3/cache (DIRTY)
2003/02/05 09:31:05| Using Least Load store dir selection
2003/02/05 09:31:05| Current Directory is /
2003/02/05 09:31:05| Loaded Icons.
2003/02/05 09:31:05| Accepting HTTP connections at 0.0.0.0, port 3128, FD 16.
2003/02/05 09:31:05| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2003/02/05 09:31:05| WCCP Disabled.
2003/02/05 09:31:05| Ready to serve requests.
2003/02/05 09:31:06| Store rebuilding is  0.2% complete
2003/02/05 09:31:14| WARNING: newer swaplog entry for dirno 1, fileno 0008
2003/02/05 09:31:22| Store rebuilding is  2.8% complete
2003/02/05 09:31:29| WARNING: newer swaplog entry for dirno 1, fileno 002B
2003/02/05 09:31:32| WARNING: newer swaplog entry for dirno 1, fileno 0039
2003/02/05 09:31:37| Store rebuilding is  4.4% complete

(. etc...etc) same error over and over again


and if I run top squid is running at 98.5% when no one is connected 
to it.