[squid-users] Re: Squid 3.1.12 times out when trying to access MSDN

2011-06-04 Thread Pandu Poluan
(First of all, I apologize profusely for top-posting; Gmail Java
Mobile client for Symbian can only top-post)

There seems to be a glimpse of light for my situation... In the
netfilter mailing list, there's someone having a problem similar to
mine, i.e., unable to access some websites but no problem with other
websites.

His web proxy is behind a firewall that was DROPping packets incoming
to TCP/80. When he changed the rule to ACCEPT, those websites worked.
(Although there weren't *any* processes listening on TCP/80.)

I am going to experiment with my firewall rules on Monday.

Rgds,


On 2011-05-31, Pandu Poluan pa...@poluan.info wrote:
 On Mon, May 30, 2011 at 17:32, Pandu Poluan pa...@poluan.info wrote:
 On Mon, May 30, 2011 at 17:25, Pandu Poluan pa...@poluan.info wrote:
 On Fri, May 27, 2011 at 17:47, Amos Jeffries squ...@treenet.co.nz
 wrote:
 On 27/05/11 19:42, Pandu Poluan wrote:

 Hello list,

 I've been experiencing a perplexing problem.

 Squid 3.1.12 often times out when trying to access certain sites, most
 notably MSDN. But it's still very fast when accessing other
 non-problematic sites.

 For instance, trying to access the following URL *always* results in a
 timeout:

 http://msdn.microsoft.com/en-us/library/aa302323.aspx

 Trying to get the above URL using wget: No problem.



  -- 8< 8< 8< 8< 8< --


 I've specified dns_v4_fallback on explicitly (it was not specified
 previously) and even replaced the miss_access lines with miss_access
 allow all.

 Still failing on those problematic pages.


 No other bright ideas? :-(

 --
 Pandu E Poluan
 ~ IT Optimizer ~
 Visit my Blog: http://pepoluan.posterous.com



--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


Re: [squid-users] Squid 3.1.12 times out when trying to access MSDN

2011-05-30 Thread Pandu Poluan
On Mon, May 30, 2011 at 17:25, Pandu Poluan pa...@poluan.info wrote:
 On Fri, May 27, 2011 at 17:47, Amos Jeffries squ...@treenet.co.nz wrote:
 On 27/05/11 19:42, Pandu Poluan wrote:

 Hello list,

 I've been experiencing a perplexing problem.

 Squid 3.1.12 often times out when trying to access certain sites, most
 notably MSDN. But it's still very fast when accessing other
 non-problematic sites.

 For instance, trying to access the following URL *always* results in a
 timeout:

 http://msdn.microsoft.com/en-us/library/aa302323.aspx

 Trying to get the above URL using wget: No problem.


-- 8< 8< 8< 8< 8< --


 msdn.microsoft.com DNS response to  lookup is a successful CNAME, but
 with no IP addresses to connect to.

 The behaviour you describe can appear if you have turned dns_v4_fallback
 OFF. Which disables A lookup (IPv4 connectivity) if there is any kind of
 successful , even a useless empty one like MSDN produces.


 Ah, I see... I'll try it out today.


No joy :-(

I've specified dns_v4_fallback on explicitly (it was not specified
previously) and even replaced the miss_access lines with miss_access
allow all.

Still failing on those problematic pages.

-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:  pepol...@hotmail.com (do not send email here)
Skype:    pepoluan
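
As an added illustration (not Squid's resolver code, and not posted by anyone in this thread), the following toy model shows the address-selection behaviour Amos describes: a successful but empty AAAA reply ends the lookup when dns_v4_fallback is off, so the proxy is left with no address to connect to and the request runs into the connect timeout. The zone data and the .invalid CNAME target are constructed sample values, not real MSDN records.

```python
# Added illustration: a toy model of the Squid 3.1 dns_v4_fallback behaviour
# described in the thread. It is NOT Squid's own resolver code. The zone data
# below is constructed sample data; the CNAME target is a made-up .invalid name.

SAMPLE_ZONE = {
    # hostname: list of (rrtype, rdata)
    "msdn.microsoft.com": [("CNAME", "cdn-edge.example.invalid")],
    "cdn-edge.example.invalid": [("A", "192.0.2.10")],  # no AAAA record at all
    "dual.example.invalid": [("A", "192.0.2.20"), ("AAAA", "2001:db8::20")],
    "v6only.example.invalid": [("AAAA", "2001:db8::30")],
}


def lookup(zone, name, rrtype, max_chain=8):
    """Resolve name for rrtype, following CNAMEs like a stub resolver.

    Returns (rcode, answers). NOERROR with an empty answer list is the
    "successful CNAME, but no IP addresses" reply the thread talks about.
    """
    for _ in range(max_chain):
        records = zone.get(name)
        if records is None:
            return "NXDOMAIN", []
        answers = [rdata for rtype, rdata in records if rtype == rrtype]
        if answers:
            return "NOERROR", answers
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if not cnames:
            return "NOERROR", []          # name exists, just no record of this type
        name = cnames[0]                  # chase the CNAME chain
    return "SERVFAIL", []                 # CNAME loop or chain too long


def candidate_addresses(zone, host, dns_v4_fallback=True):
    """Addresses the proxy would try, AAAA lookup first.

    With dns_v4_fallback off, *any* successful AAAA reply, even an empty one,
    suppresses the A lookup (as Amos explains), leaving nothing to connect to.
    With it on, the A lookup still runs and IPv4 addresses are appended.
    """
    rcode6, v6 = lookup(zone, host, "AAAA")
    if rcode6 == "NOERROR" and not dns_v4_fallback:
        return v6
    _, v4 = lookup(zone, host, "A")
    return v6 + v4


if __name__ == "__main__":
    for fallback in (False, True):
        print("dns_v4_fallback", "on" if fallback else "off",
              candidate_addresses(SAMPLE_ZONE, "msdn.microsoft.com", fallback))
```

Running it prints an empty list for the fallback-off case and the IPv4 address for the fallback-on case, which is the difference between a hang and a working fetch for a host whose AAAA query succeeds without returning any address.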


Re: [squid-users] Squid 3.1.12 times out when trying to access MSDN

2011-05-30 Thread Pandu Poluan
On Mon, May 30, 2011 at 17:32, Pandu Poluan pa...@poluan.info wrote:
 On Mon, May 30, 2011 at 17:25, Pandu Poluan pa...@poluan.info wrote:
 On Fri, May 27, 2011 at 17:47, Amos Jeffries squ...@treenet.co.nz wrote:
 On 27/05/11 19:42, Pandu Poluan wrote:

 Hello list,

 I've been experiencing a perplexing problem.

 Squid 3.1.12 often times out when trying to access certain sites, most
 notably MSDN. But it's still very fast when accessing other
 non-problematic sites.

 For instance, trying to access the following URL *always* results in a
 timeout:

 http://msdn.microsoft.com/en-us/library/aa302323.aspx

 Trying to get the above URL using wget: No problem.



 -- 8< 8< 8< 8< 8< --


 I've specified dns_v4_fallback on explicitly (it was not specified
 previously) and even replaced the miss_access lines with miss_access
 allow all.

 Still failing on those problematic pages.


No other bright ideas? :-(

-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


[squid-users] Squid 3.1.12 times out when trying to access MSDN

2011-05-27 Thread Pandu Poluan
Hello list,

I've been experiencing a perplexing problem.

Squid 3.1.12 often times out when trying to access certain sites, most
notably MSDN. But it's still very fast when accessing other
non-problematic sites.

For instance, trying to access the following URL *always* results in a timeout:

http://msdn.microsoft.com/en-us/library/aa302323.aspx

Trying to get the above URL using wget: No problem.

I've even opened up the http_access and miss_access:

http_access allow manager localhost
http_access deny manager
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#http_access allow localnet
http_access allow localhost
http_access allow pans_indonet
http_access deny all
miss_access allow pans_indonet
miss_access deny all

... where pans_indonet is the acl containing the whole network of my company.

Any pointers as to what I should check next?

Rgds,
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:  pepol...@hotmail.com (do not send email here)
Skype:    pepoluan


Re: [squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

2011-02-01 Thread Pandu Poluan
On Tue, Feb 1, 2011 at 18:15, Amos Jeffries squ...@treenet.co.nz wrote:
 On 01/02/11 19:58, Pandu Poluan wrote:

 On Tue, Feb 1, 2011 at 13:36, Amos Jeffries squ...@treenet.co.nz wrote:

 On 01/02/11 16:29, Pandu Poluan wrote:

 Hello,

 I want to configure SQUID as a transparent proxy, but on a separate
 box from the Linux gateway (both boxes using Ubuntu Server 10.04)

 I found this howto:
 http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

 Now, my questions are:

 1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
 latest SQUID version?

 The whole of section 6.1 is a major "security vulnerability, don't do it!"
 situation. Read CVE-2009-0801 for an explanation of what malware can do to
 trivially spread itself across your whole client base.

 The currently available Squid versions do permit it with loud failure warnings
 in cache.log. We are planning on fully disabling the security hole in the near
 future.


 Section 6.2 and 6.3 are the recommended way if you have to do NAT
 interception.

 The real transparent proxy (TPROXY) in the more recent Squid does not work
 reliably on Ubuntu 10.04.



 I don't really understand about TPROXY. Do I really need TPROXY for
 Squid to do transparent/intercepting proxy?

 No, it's not required. Just useful, and nicer than NAT since it operates in
 both IPv4 and IPv6 and avoids websites with badly designed IP-based security
 systems (aka hotmail.com and some popular download sites).


 If I do, what Linux distro do you recommend?

 For TPROXY the best distro seems to be CentOS 5.5+ or Debian Squeeze or
 Ubuntu 10.10, all with a 3.1.10 self-built Squid.


Ahhh, I see...

More questions, then. But first, a description of my situation.

I need to have 2 Squid boxes separate from the Linux firewall. The
reason is that the users of the Squid boxes are different:

Squid A is used by Management -- traffic must go through Internet-A
Squid B is used by Rest Of Staff -- traffic must go through Internet-B

There's a single Linux firewall connected to Internet-A and
Internet-B; it performs SNAT and routing, currently using ip rules
to route based on source address.

Now, my questions:

1. Where must I apply the TPROXY patches? The firewall, or Squid boxes?

2. What configurations should be applied on the firewall and the Squid boxes?

If you can point me to a HOWTO suitable for my situation, I'd
appreciate it. I've been searching and it seems that most HOWTOs on
TPROXY assume an intercepting Squid on the same box as the firewall.

Again, thanks for your kind assistance. Apologies if I trouble you in any way.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


Re: [squid-users] acl which matches unresolvable domain?

2011-02-01 Thread Pandu Poluan
On Tue, Feb 1, 2011 at 18:26, Peter Warasin pe...@endian.com wrote:
 Hi squids

 Anyone ready to help me? I have a quite funny problem.

 I have a more or less complex configuration, so I cut it down to the
 interesting part.

 Basically it is a sandwich configuration
 squid - content filters - squid
 which normally works well.

 However, if you try to access a *nonexistent* domain, squid is not
 returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
 which of course is confusing users.

 I narrowed the problem down by debugging squid and actually found the
 problem.

 Here is the interesting part of my configuration:

 --8<
 acl from_all                src 0.0.0.0/0.0.0.0
 acl to_all                  dst 0.0.0.0/0.0.0.0

 # http access to squid
 http_access allow   from_localhost
 [...]
 http_access allow from_all to_all within_timeframe_rule1
 http_access deny    from_all

 (http_reply_access is similar and does not cause the access denied)
 --8<

 I found out that my

 http_access allow from_all to_all within_timeframe_rule1

 is not matching in this case, because the domain resolving did not
 return an IP address. So the request still carries the domain name, and squid
 is comparing the domain name with 0/0, which will not match.

 Ok, so I tried to solve it by adding these rules:

 acl to_alldomain                  dstdom_regex .*
 http_access allow from_all within_timeframe_rule1 to_alldomain


 This actually is working, but it seems quite an overhead to me.

 Is there no better solution for this?
 Something like an acl which matches not-resolved? Or something like a
 value of none or no-ip for dst?

 Anyone with a similar issue and a better solution?


Any reason for from_all to_all?

Why not just:

http_access allow within_timeframe_rule1


 Thanks in advance for suggestions


 peter

 --
 :: e n d i a n
 :: open source - open minds

 :: peter warasin
 :: http://www.endian.com   :: pe...@endian.com



--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


[squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

2011-01-31 Thread Pandu Poluan
Hello,

I want to configure SQUID as a transparent proxy, but on a separate
box from the Linux gateway (both boxes using Ubuntu Server 10.04)

I found this howto: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Now, my questions are:

1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
latest SQUID version?

1a. If yes, which strategy should I be using?

2. Slightly tangential: Does SQUID fully support HTTP/1.1?

Thanks for your time answering my questions.

Rgds,


--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


[squid-users] Questions on SQUID peering/mesh

2011-01-31 Thread Pandu Poluan
Hello again!

I have 2 questions regarding SQUID peering:

Q1: Should I use ICP or HTCP?

Q2: I plan on deploying 2 SQUID boxes in my LAN, say A and B. They
will peer with each other (sibling). I also have another SQUID at our
ISP, say C. I want only A to have C as its parent; B will have
no parent.

Is this possible? What should I configure on A, B, and C? And if A's
connection to C gets interrupted, can A go direct?

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com