[squid-users] Squid 3.1 failover problem from IPv6 to IPv4?

2011-06-22 Thread Peter Olsson
Hello!

We use Squid 3.1.12 on a couple of servers with IPv4 and IPv6.
The servers are FreeBSD 8.1. Squid is installed from ports.

This works fine, except for this web: www.informator.se
www.informator.se has an  address, but it doesn't seem to
listen to it. Eventually the browser times out with this error:
(51) Network is unreachable

But shouldn't Squid try the IPv4 address when the IPv6 address
fails? If so, there is maybe something wrong with our config.
The only IPv6 specific config we have is this (taken from the
release notes of Squid 3.1):
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all
tcp_outgoing_address x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6

Is the failure on www.informator.se a bug/feature in Squid,
or is the problem in our setup/config?

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Squid terminates when my network goes down

2011-07-12 Thread Peter Olsson
On Tue, Jul 12, 2011 at 08:53:10AM +, Jenny Lee wrote:
> 
> How can you expect *machineS* to get a response from squid if network is down?

Proxy server. Squid accepts clients on inside interface and
connects to internet servers on outside interface.
Outside interface goes down with inside interface still alive.

I would actually like to have the problem/feature below, since
that would mean no clients get stuck at the nonfunctioning squid
instead of moving to the next squid in the roundrobin failover.

Peter Olsson
  
> If squid is listening on localhost, the only client that can connect to it is 
> the one on that machine. Any other client cannot connect to it. This would be 
> a very isolated case I believe (squid after all is a cache, you might as well 
> use your browser's cache for that purpose). No point in running squid for 
> only 1 client.
>  
> But I have not used squid windows, so I would not know the behaviour. 
> Moreover, I have not used squid in an environment where there is no internet 
> connectivity 24/7.
>  
> Another user pointed out that his squid on linux runs fine when network goes 
> down. So this might be something with Windows.
>  
> http://www.squid-cache.org/Doc/config/windows_ipaddrchangemonitor/
>  
> windows_ipaddrchangemonitor on
>  
> Have you tried turning this config value on/off?
>  
> Jenny
>  
>  
> 
> 
> 
> > Date: Mon, 11 Jul 2011 21:06:09 -0400
> > From: january.sh...@gmail.com
> > To: squid-users@squid-cache.org
> > Subject: Re: [squid-users] Squid terminates when my network goes down
> > 
> > Your analysis is correct and helpful, Jenny. Can you clarify further?
> > Are you saying that Windows machines running squid should not have
> > local web clients, i.e., not even set its browser to use the
> > locally-running squid?
> > 
> > J
> > 
> > On Sun, Jul 10, 2011 at 9:50 PM, Jenny Lee  wrote:
> > >
> > >> Is this a bug? If the network is down, shouldn't squid just generate
> > >> an error page, like ERR_CONNECT_FAIL, and not collapse like this?
> > >
> > > Logically, how would you expect squid to convey ERR_CONNECT_FAIL to the 
> > > client if the network is down?
> > >
> > > I can think of only one case where this might make sense -- client 
> > > connects from localhost to a squid listening on localhost but going out 
> > > on other interface... which would mean a very isolated case of use for a 
> > > cache like squid.
> > >
> > > Jenny   


Re: [squid-users] Squid terminates when my network goes down

2011-07-12 Thread Peter Olsson
On Tue, Jul 12, 2011 at 11:05:45AM +, Jenny Lee wrote:
> 
> > > How can you expect *machineS* to get a response from squid if network is 
> > > down?
> >
> > Proxy server. Squid accepts clients on inside interface and
> > connects to internet servers on outside interface.
> > Outside interface goes down with inside interface still alive.
> >
> > I would actually like to have the problem/feature below, since
> > that would mean no clients get stuck at the nonfunctioning squid
> > instead of moving to the next squid in the roundrobin failover.
>  
>  
> If you read the original post, he mentions squid terminating when network 
> goes down.

Yes. I have had the case that the outside interface is
nonfunctioning, but squid is still up and accepts clients
on the inside interface. Squid then becomes a black hole
for client traffic, so I would prefer a terminating squid
in that case.
  
> No clients get stuck at the nonfunctioning squid in a cache-hierarchy. They 
> would move on to the next one as is, since that one is already marked as dead 
> and removed from roundrobin pool. So that feature is built-in already (if I 
> am not misunderstanding your scenario).

No cache-hierarchy, just several redundant squid servers on
the same level. Roundrobin is handled by internal DNS, which
has multiple A-records for the hostname "proxy".

Peter Olsson


[squid-users] Problem with Bambuser live through squid?

2011-12-02 Thread Peter Olsson
Anyone know if it is possible to watch Bambuser live
broadcasts through squid, and if it should work "out
of the box" or if it needs special configuration?

We can watch finished Bambuser broadcasts, but live
broadcasts won't start.

www.bambuser.com/broadcasts

Their FAQ states:
"
To watch a broadcast:
Mobile broadcast: TCP 80
Webcam broadcast: TCP 1935
"
So the port 1935 might make it impossible, but I'm
wondering if anyone has got it working or know more
about this problem.

Our squid version is 3.1.16.

Thanks!

-- 
Peter Olsson  p...@leissner.se


[squid-users] Problem with swf streams from www.tv4play.se behind squid

2012-03-09 Thread Peter Olsson
Hello!

We can't access swf streams from www.tv4play.se
behind squid since about a month ago. Earlier we
could at least play some of them, but now it seems
that none of them work through squid. We haven't
changed anything in the squid version or squid
configuration that would cause this. We have
contacted their support, but they see no problems
on their side.

I'm debugging the problem now (with ALL,9), but the
size of the debug is enormous so it's hard to find
anything relevant in there. Is there some debug setting
I should rather use instead of ALL,9, to be able to
locate the problem more easily?

Our current squid version is 3.1, and I have tried
both with 3.1.16 and 3.1.19. We run squid in FreeBSD.
I have tried running squid both with and without
caching active, same problem.
I will try squid 2.7 later.

Does anyone know of any problems with swf through squid,
either in general or specifically from www.tv4play.se?
(These streams are only available from Sweden, so they
are unfortunately not available for general testing.)

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Problem with swf streams from www.tv4play.se behind squid

2012-03-09 Thread Peter Olsson
Sorry, forgot to mention that these streams work fine
through a Microsoft TMG proxy at the same network
position as one of our squid servers, so there is no
network problem. And I also should mention that we run
squid in proxy mode with clients configured either through
wpad or with a static proxy server. No transparency.

Peter Olsson

On Fri, Mar 09, 2012 at 03:24:45PM +0100, Peter Olsson wrote:
> Hello!
> 
> We can't access swf streams from www.tv4play.se
> behind squid since about a month ago. Earlier we
> could at least play some of them, but now it seems
> that none of them work through squid. We haven't
> changed anything in the squid version or squid
> configuration that would cause this. We have
> contacted their support, but they see no problems
> on their side.
> 
> I'm debugging the problem now (with ALL,9), but the
> size of the debug is enormous so it's hard to find
> anything relevant in there. Is there some debug setting
> I should rather use instead of ALL,9, to be able to
> locate the problem more easily?
> 
> Our current squid version is 3.1, and I have tried
> both with 3.1.16 and 3.1.19. We run squid in FreeBSD.
> I have tried running squid both with and without
> caching active, same problem.
> I will try squid 2.7 later.
> 
> Does anyone know of any problems with swf through squid,
> either in general or specifically from www.tv4play.se?
> (These streams are only available from Sweden, so they
> are unfortunately not available for general testing.)
> 
> Thanks!
> 
> -- 
> Peter Olsson  p...@leissner.se


[squid-users] Probably solved: Problem with swf streams from www.tv4play.se behind squid

2012-03-09 Thread Peter Olsson
I set forwarded_for off in squid.conf, and this seems to
solve the problem. I haven't tried in our production squids
yet, but a lab squid is working now.

Peter Olsson

On Fri, Mar 09, 2012 at 03:46:19PM +0100, Peter Olsson wrote:
> Sorry, forgot to mention that these streams work fine
> through a Microsoft TMG proxy at the same network
> position as one of our squid servers, so there is no
> network problem. And I also should mention that we run
> squid in proxy mode with clients configured either through
> wpad or with a static proxy server. No transparency.
> 
> Peter Olsson
> 
> On Fri, Mar 09, 2012 at 03:24:45PM +0100, Peter Olsson wrote:
> > Hello!
> > 
> > We can't access swf streams from www.tv4play.se
> > behind squid since about a month ago. Earlier we
> > could at least play some of them, but now it seems
> > that none of them work through squid. We haven't
> > changed anything in the squid version or squid
> > configuration that would cause this. We have
> > contacted their support, but they see no problems
> > on their side.
> > 
> > I'm debugging the problem now (with ALL,9), but the
> > size of the debug is enormous so it's hard to find
> > anything relevant in there. Is there some debug setting
> > I should rather use instead of ALL,9, to be able to
> > locate the problem more easily?
> > 
> > Our current squid version is 3.1, and I have tried
> > both with 3.1.16 and 3.1.19. We run squid in FreeBSD.
> > I have tried running squid both with and without
> > caching active, same problem.
> > I will try squid 2.7 later.
> > 
> > Does anyone know of any problems with swf through squid,
> > either in general or specifically from www.tv4play.se?
> > (These streams are only available from Sweden, so they
> > are unfortunately not available for general testing.)
> > 
> > Thanks!
> > 
> > -- 
> > Peter Olsson  p...@leissner.se


Re: [squid-users] Probably solved: Problem with swf streams from www.tv4play.se behind squid

2012-03-10 Thread Peter Olsson
On Sat, Mar 10, 2012 at 04:11:30PM +1300, Amos Jeffries wrote:
> On 10/03/2012 5:55 a.m., Peter Olsson wrote:
> > I set forwarded_for off in squid.conf, and this seems to
> > solve the problem. I haven't tried in our production squids
> > yet, but a lab squid is working now.
> 
> Perhaps this will help their technicians detect the problem. If 
> changing that header fixed it for you then the issue is clearly 
> something at their end in its processing.
> 
> I've been noticing this on a few sites now. For my clients it seems to 
> be web systems which break on IPv6 addresses in the HTTP headers. 
> X-Forwarded-For included. SquirrelMail seems to be the common culprit 
> with its send button handler being broken.
> 
> So, are your clients contacting Squid from IPv6 addresses?

No, just IPv4 behind the Squid servers. We run IPv6 on the
outside of Squid, but I don't know if www.tv4play.se uses
any IPv6 in their services.

I discovered today that the production squids (3.1.16) require
forwarded_for delete. The lab squid (3.2 latest as of yesterday)
worked with forwarded_for off, but not the 3.1.16 version.
Strange that it should differ, or is there some way that Squid
3.1 and 3.2 handle this header differently?

-- 
Peter Olsson  p...@leissner.se
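
For reference, an added example (not from the thread and not Squid's own code) that models each forwarded_for setting as the squid.conf documentation describes it, showing which X-Forwarded-For header the origin server receives and whether an internal client address is exposed. The function names and the sample address are hypothetical.

```python
import ipaddress

# Values accepted by the forwarded_for directive.
MODES = ("on", "off", "transparent", "delete", "truncate")


def outgoing_xff(mode, client_ip, inbound=None):
    """Return the X-Forwarded-For value sent upstream, or None if no header is sent.

    client_ip: address of the client that connected to the proxy.
    inbound:   X-Forwarded-For value already present in the client request, if any.
    """
    hops = [h.strip() for h in inbound.split(",")] if inbound else []
    if mode == "on":
        # Client address is appended to whatever list arrived.
        return ", ".join(hops + [client_ip])
    if mode == "off":
        # Documented result is "X-Forwarded-For: unknown": a header is still sent.
        # Keeping an inbound list in front of it is an assumption of this sketch.
        return ", ".join(hops + ["unknown"])
    if mode == "transparent":
        # Header is passed through untouched; nothing is added if none arrived.
        return inbound
    if mode == "truncate":
        # Existing entries are dropped, client address becomes the sole entry.
        return client_ip
    if mode == "delete":
        # Header is removed entirely.
        return None
    raise ValueError("unknown forwarded_for mode: %r" % mode)


def exposes_private_address(value):
    """True if any hop in the header value is a private (e.g. RFC 1918) address."""
    if value is None:
        return False
    for hop in value.split(","):
        try:
            if ipaddress.ip_address(hop.strip()).is_private:
                return True
        except ValueError:
            continue  # tokens such as "unknown" are not addresses
    return False


def audit(client_ip, inbound=None):
    """Map each mode to (header value sent upstream, internal address exposed?)."""
    result = {}
    for mode in MODES:
        value = outgoing_xff(mode, client_ip, inbound)
        result[mode] = (value, exposes_private_address(value))
    return result


if __name__ == "__main__":
    # Constructed case: an IPv4 client on a private network, no inbound header.
    for mode, (value, leak) in audit("10.1.2.3").items():
        print("%-12s header=%-10r exposes_internal=%s" % (mode, value, leak))
```

Only `delete` (and `transparent`, when the client sent no such header) results in a request with no X-Forwarded-For header at all; `off` still sends one.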


[squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

2012-04-02 Thread Peter Olsson
Hello!

Squid 3.1.19.

Our squid servers are dual stack IPv4/IPv6 since about a year,
with this config "hack":

tcp_outgoing_address x:x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all

But now our users are tired of webs that announce IPv6 addresses
but don't answer on port 80 on these addresses. So I enabled
dns_v4_first in the config and did squid -k reconfigure.
But it didn't help, we still get IPv6 timeouts towards
misconfigured web sites.

I'm guessing that dns_v4_first and the ipv6 config above are
mutually exclusive? Should I change the tcp_outgoing_address
line to just this:
tcp_outgoing_address x:x:x:x::x
tcp_outgoing_address x.x.x.x
and remove these lines:
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all

Or will this remove all of our IPv6 connectivity through squid?

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

2012-04-02 Thread Peter Olsson
On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> On 03.04.2012 02:21, Peter Olsson wrote:
> > Hello!
> >
> > Squid 3.1.19.
> >
> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> > with this config "hack":
> >
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But now our users are tired of webs that announce IPv6 addresses
> > but don't answer on port 80 on these addresses. So I enabled
> > dns_v4_first in the config and did squid -k reconfigure.
> > But it didn't help, we still get IPv6 timeouts towards
> > misconfigured web sites.
> >
> > I'm guessing that dns_v4_first and the ipv6 config above are
> > mutually exclusive? Should I change the tcp_outgoing_address
> > line to just this:
> > tcp_outgoing_address x:x:x:x::x
> > tcp_outgoing_address x.x.x.x
> > and remove these lines:
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > Or will this remove all of our IPv6 connectivity through squid?
> >
> 
> You are the first person to report any issues. They are interrelated 
> but should not be exclusive. Does ordering the tcp_outgoing_address with 
> IPv4 address first help?
> 
> Amos

Changing order of tcp_outgoing_address doesn't help, our squid with
"dns_v4_first on" still gives the Operation timed out error, and it
is trying to connect to the IPv6 address of the web server.

I also tried removing these four lines completely:
tcp_outgoing_address x:x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all

But that didn't help either, it still tries the IPv6 address even
though I have dns_v4_first on.

Is there some internal DNS timeout in squid that I should wait for
before testing between changes?

What debug setting should I use to see why squid is choosing the
IPv6 address?

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

2012-04-02 Thread Peter Olsson
On Tue, Apr 03, 2012 at 12:22:52PM +1200, Amos Jeffries wrote:
> On 03.04.2012 12:12, Peter Olsson wrote:
> > On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> >> On 03.04.2012 02:21, Peter Olsson wrote:
> >> > Hello!
> >> >
> >> > Squid 3.1.19.
> >> >
> >> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> >> > with this config "hack":
> >> >
> >> > tcp_outgoing_address x:x:x:x::x to_ipv6
> >> > tcp_outgoing_address x.x.x.x !to_ipv6
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > But now our users are tired of webs that announce IPv6 addresses
> >> > but don't answer on port 80 on these addresses. So I enabled
> >> > dns_v4_first in the config and did squid -k reconfigure.
> >> > But it didn't help, we still get IPv6 timeouts towards
> >> > misconfigured web sites.
> >> >
> >> > I'm guessing that dns_v4_first and the ipv6 config above are
> >> > mutually exclusive? Should I change the tcp_outgoing_address
> >> > line to just this:
> >> > tcp_outgoing_address x:x:x:x::x
> >> > tcp_outgoing_address x.x.x.x
> >> > and remove these lines:
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > Or will this remove all of our IPv6 connectivity through squid?
> >> >
> >>
> >> You are the first person to report any issues. They are interrelated
> >> but should not be exclusive. Does ordering the tcp_outgoing_address 
> >> with
> >> IPv4 address first help?
> >>
> >> Amos
> >
> > Changing order of tcp_outgoing_address doesn't help, our squid with
> > "dns_v4_first on" still gives the Operation timed out error, and it
> > is trying to connect to the IPv6 address of the web server.
> >
> > I also tried removing these four lines completely:
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But that didn't help either, it still tries the IPv6 address even
> > though I have dns_v4_first on.
> >
> > Is there some internal DNS timeout in squid that I should wait for
> > before testing between changes?
> 
> Er, yes. Whatever the TTL of the domain being tested against is. A 
> restart clears the DNS caches, so may be better here than just a 
> reconfigure.

Excellent! It works now after restart. I will keep the ipv6 lines
above out of our config, I don't think we really need them.

Thanks!
 
-- 
Peter Olsson  p...@leissner.se
CCIE #8963 R&S, Security  +46 520 500511
Leissner Data AB  +46 701 809511


[squid-users] Is Adobe Connect Pro possible through Squid?

2012-04-16 Thread Peter Olsson
Hello!

Squid 3.1.19.

Users behind squid can't connect to Adobe Connect Pro,
probably because of RTMP. I have port 1935 in SSL_ports
and 1025-65535 in Safe_ports.

Is there anyone who had success connecting with
Adobe Connect Pro through squid?

Thanks!

-- 
Peter Olsson  p...@leissner.se


[squid-users] NTLM auth to remote server fails through squid

2012-07-16 Thread Peter Olsson
We're trying to connect to a remote server that
requires authentication. This works fine when
we place the browser client on the Internet, but
when we place the browser client behind squid the
authentication popup just returns without accepting
the login.

I have tried Squid 3.1.19 and 3.2.0.18. Browsers are
IE 9 and Firefox 13.

Here is an extract of the HTTP Server reply:
Connection: Keep-Alive
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

The squid configuration in the test server is default,
except that I have added visible_hostname and changed
http_port to 80.

What could be the reason for this auth failure?
What debug values should I use?

NB: This is not about authenticating to the proxy server,
we allow proxy connections from inside without authentication.
The question is about authenticating to an external server
that is out of our control.

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] NTLM auth to remote server fails through squid

2012-07-16 Thread Peter Olsson
Hello!

On Mon, Jul 16, 2012 at 09:03:00PM +0300, Eliezer Croitoru wrote:
> On 7/16/2012 7:05 PM, Peter Olsson wrote:
> > We're trying to connect to a remote server that
> > requires authentication. This works fine when
> > we place the browser client on the Internet, but
> > when we place the browser client behind squid the
> > authentication popup just returns without accepting
> > the login.
> can you please be more specific about the topology?

My test setup is very easy. Just a single squid server
in plain proxy mode, using two network interfaces.
One interface towards Internet, the other running a
private network.

I have a single PC client connected to the private interface
in the squid server. There is no connection from the private
network to the Internet without passing through the squid proxy.

The squid server is running 3.2.0.18, with the default
squid.conf installed by the 3.2.0.18 tarball. Only differences
from default squid.conf are my added visible_hostname and
changed http_port from 3128 to 80. There is no transparency or
routing between interfaces configured in the squid server,
just plain proxy from inside to outside.

The external server I'm trying to reach is on the Internet.
If I try to connect to this server through squid, I don't
get authenticated. If I however move the PC client to the
Internet, so it doesn't pass through squid, the authentication
to the external server works fine.

Thanks!

Peter Olsson

> it's kind of fog to me.
> if you can put up some IP's for the devices and network relationship 
> will be very helpful.
> if you can attach squid.conf it will be more efficient.
> 
> 
> > What could be the reason for this auth failure?
> > What debug values should I use?
> >
> > NB: This is not about authenticating to the proxy server,
> > we allow proxy connections from inside without authentication.
> > The question is about authenticating to an external server
> > that is out of our control.
> please describe more the position of the client and server,
> proxy and server.
> 
> Eliezer
> 
> >
> > Thanks!
> >
> 
> 
> -- 
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer  ngtech.co.il
> 

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] NTLM auth to remote server fails through squid

2012-07-17 Thread Peter Olsson
On Tue, Jul 17, 2012 at 02:43:44PM +1200, Amos Jeffries wrote:
> On 17.07.2012 07:35, Peter Olsson wrote:
> > Hello!
> >
> > On Mon, Jul 16, 2012 at 09:03:00PM +0300, Eliezer Croitoru wrote:
> >> On 7/16/2012 7:05 PM, Peter Olsson wrote:
> >> > We're trying to connect to a remote server that
> >> > requires authentication. This works fine when
> >> > we place the browser client on the Internet, but
> >> > when we place the browser client behind squid the
> >> > authentication popup just returns without accepting
> >> > the login.
> >> can you please be more specific about the topology?
> >
> > My test setup is very easy. Just a single squid server
> > in plain proxy mode, using two network interfaces.
> > One interface towards Internet, the other running a
> > private network.
> >
> > I have a single PC client connected to the private interface
> > in the squid server. There is no connection from the private
> > network to the Internet without passing through the squid proxy.
> >
> > The squid server is running 3.2.0.18, with the default
> > squid.conf installed by the 3.2.0.18 tarball. Only differences
> > from default squid.conf are my added visible_hostname and
> > changed http_port from 3128 to 80.
> 
> Why?
>   visible_hostname defaults to the machine system hostname.

Since this is a test server that moves around occasionally,
I don't usually have anything in its /etc/hosts. This seems
to upset squid, which gives this error:
WARNING: Could not determine this machines public hostname.
(It's a FreeBSD 9.0 if that matters.)

>   port 80 is likely to have interference from any number of firewall, 
> IDS or other software digging its fingers into the traffic.

80 for historic reasons, and there are no firewalls or other
in the way.

But to keep to default configuration as much as possible,
I have now reverted to 3128 and added the server to /etc/hosts.

> > There is no transparency or
> > routing between interfaces configured in the squid server,
> > just plain proxy from inside to outside.
> >
> > The external server I'm trying to reach is on the Internet.
> > If I try to connect to this server through squid, I don't
> > get authenticated. If I however move the PC client to the
> > Internet, so it doesn't pass through squid, the authentication
> > to the external server works fine.
> 
> There is a growing collection of known MS software which cannot handle 
> the HTTP/1.0<->HTTP/1.1 gateway nature of Squid-3.1 series. But this 
> should not be an issue with 3.2 series.
> 
> Please update to the latest beta though before doing more testing. 
> 3.2.0.20 is out and the latest snapshot has some relevant bug fixes.
> 
> 3.2 would be best to test with since it provides a full HTTP header 
> trace at "debug_options 11,2". Those header traces will be the best 
> starting point to track this down.

Now I run Squid 3.2.0.18-20120717-r11615. Configuration is default
except that I have added debug_options 11,2 at the top of squid.conf.

Same problem in IE 9, three auth popups and then the browser error page:
You are not authorized to view this page
HTTP Error 401.1

One thing I forgot to mention yesterday is that there is a rather
long wait (about 20-30 seconds) before the first auth popup.
Then there is a shorter wait (a couple of seconds) for the second
popup, and the third popup comes up immediately after the second
has been entered.

I don't see anything strange in cache.log, what should I look for?
Or can I post the debug to the list or in private email?
It's about 600 lines in total for the three failed auth attempts.

Thanks!

Peter Olsson


[squid-users] Please help test a streaming problem through squid

2012-11-07 Thread Peter Olsson
Hello!

We run squid as a caching proxy. No transparency
or intercept in any form, and the only way out is
through the squid proxy server. Web browsers use
either wpad or hardcoded proxy configuration.

Streams from www.dn.se/webbtv don't work. The commercial
part first in every stream works fine, but when it's
time to switch to the main stream it just stops and the
screen goes black.

Our production squid runs 3.1.21, and in a lab server
I have tried with squid 2.7.STABLE9, 3.2.3 and
3.3.0.1-20121107-r12377. Same problem in all versions.
The configuration in the lab server squids have been
exactly as they were default installed, except that I
enabled cache_dir ufs in all of them.

Any ideas about this?
(I will ask their support what the difference is in
the streaming methods of the commercial part and the
main part.)

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Please help test a streaming problem through squid

2012-11-08 Thread Peter Olsson
On Thu, Nov 08, 2012 at 05:14:41PM +1300, Amos Jeffries wrote:
> On 8/11/2012 4:33 p.m., Peter Olsson wrote:
> > Hello!
> >
> > We run squid as a caching proxy. No transparency
> > or intercept in any form, and the only way out is
> > through the squid proxy server. Web browsers use
> > either wpad or hardcoded proxy configuration.
> >
> > Streams from www.dn.se/webbtv don't work. The commercial
> > part first in every stream works fine, but when it's
> > time to switch to the main stream it just stops and the
> > screen goes black.
> >
> > Our production squid runs 3.1.21, and in a lab server
> > I have tried with squid 2.7.STABLE9, 3.2.3 and
> > 3.3.0.1-20121107-r12377. Same problem in all versions.
> > The configuration in the lab server squids have been
> > exactly as they were default installed, except that I
> > enabled cache_dir ufs in all of them.
> >
> > Any ideas about this?
> 
> Can you define "stream" in terms of the actual protocol taking place?
> 
> There are many types of protocol involved with streaming. Squid only 
> supports the HTTP and ICY streaming protocols. RTSP, RTMP, VoIP, VoD, 
> SPDY and WebSockets streaming are not specifically supported by Squid 
> (may require CONNECT tunnel access, but that is as close as it gets).
> 
> and what agent is being used as a client?
> 
> Sadly not all applets or embedded clients are capable of using an HTTP proxy.
> 
> 
> Amos

I'm sorry, I don't know much about streaming,
but their requirement for playing the streams
is Adobe Flash. And the commercial part which
works is played in the same plugin player as
the main part which doesn't work.

Maybe I'm using the word stream in the wrong way?
Maybe video clip is a better phrase in this case?

When I right click in the Flash plugin that is
failing to play the video clip, it says
"Qbrick Professional: 3.8.1.211" and
"OSMF Version: 1.0", if that has any relevance.

The Flash plugin in my web browser is version
11.3.300.270.

These video clips are free to view so if you have
a proxy squid available you could try them.
I don't think they are limited to Swedish clients,
at least I don't see anything about limitations on
their web.

http://www.dn.se/webbtv/

Thanks!

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Please help test a streaming problem through squid

2012-11-08 Thread Peter Olsson
On Thu, Nov 08, 2012 at 02:06:46PM +0200, Eliezer Croitoru wrote:
> On 11/8/2012 1:40 PM, Peter Olsson wrote:
> > I'm sorry, I don't know much about streaming,
> > but their requirement for playing the streams
> > is Adobe Flash. And the commercial part which
> > works is played in the same plugin player as
> > the main part which doesn't work.
> >
> > Maybe I'm using the word stream in the wrong way?
> > Maybe video clip is a better phrase in this case?
> >
> > When I right click in the Flash plugin that is
> > failing to play the video clip, it says
> > "Qbrick Professional: 3.8.1.211" and
> > "OSMF Version: 1.0", if that has any relevance.
> >
> > The Flash plugin in my web browser is version
> > 11.3.300.270.
> >
> > These video clips are free to view so if you have
> > a proxy squid available you could try them.
> > I don't think they are limited to Swedish clients,
> > at least I don't see anything about limitations on
> > their web.
> >
> > http://www.dn.se/webbtv/
> >
> > Thanks!
> It's most likely RTMP.
> If you can access the internet only using proxy you do have problem 
> since flash doesn't really support proxy settings.
> There might be a way to create an rtmp proxy to use CONNECT for RTMP but 
> it's a very big thing.
> 
> Regards,
> Eliezer

But why is the commercial part working in the same plugin?
Flash web clips work fine behind proxy for these commercials,
and also for complete video clips on other webs.

-- 
Peter Olsson  p...@leissner.se


Re: [squid-users] Please help test a streaming problem through squid

2012-11-08 Thread Peter Olsson
On Thu, Nov 08, 2012 at 02:44:17PM +0200, Eliezer Croitoru wrote:
> On 11/8/2012 2:13 PM, Peter Olsson wrote:
> > But why is the commercial part working in the same plugin?
> > Flash web clips work fine behind proxy for these commercials,
> > and also for complete video clips on other webs.
> Sorry I can't answer you yet since I don't have data on it.
> If you are willing to capture the sessions with WireShark or tcpdump 
> (filtered) I will be happy to take a small look at it.
> 
> Regards,
> Eliezer

Thanks, I will set this up later.
I assume that the outside of the proxy
is the most interesting to capture?

Peter Olsson  p...@leissner.se


Re: [squid-users] No logs to access.log

2013-05-06 Thread Peter Olsson
On Mon, May 06, 2013 at 09:47:01AM +0200, Utterheim Mats wrote:
> Hi!
> 
> We just upgraded our squid to 3.2.8 and found that we don't get any 
> access-logs anymore.
> squid.out and cache.log are still logging as they should, but no access.log
> 
> I have tried to remove the access.log and when squid is restarted it 
> creates a new access.log with the right permissions, but it is left empty.
> 
> config is the standard for access_log:
> access_log daemon:/var/log/squid/access.log squid
> logfile_daemon /usr/lib64/squid/log_file_daemon
> 
> What are we missing?

I had the exact same problem this weekend,
upgrading from 3.1 to 3.2. Are you using
"log_access" in your configuration?
Our problem turned out to be that log_access
seems to have changed from implicit accept
to implicit deny. Our logging started working
when I added this at the end of our log_access:
log_access allow all

Peter Olsson


[squid-users] How can I avoid logging these: NONE error:invalid-request HTTP/0.0

2013-06-14 Thread Peter Olsson
We get a lot of these in our squid log:

x.x.x.x - - [14/Jun/2013:11:20:01 +0200] "NONE error:invalid-request HTTP/0.0" 400 4026 NONE:NONE

We tracked it to Spotify clients. We don't want to
block Spotify but we want to avoid filling the log
with these pointless lines.

We run a non-transparent Squid 3.1.20 in FreeBSD.
I will upgrade to Squid 3.2 this weekend, but I
suspect that these lines will still be logged in 3.2.

I tried this log_access, but it didn't work:
acl spotify_invalid urlpath_regex invalid-request
log_access deny spotify_invalid
log_access allow all

Anyone know how we can exclude these lines from the log?

Thanks!

Peter Olsson


Re: [squid-users] How can I avoid logging these: NONE error:invalid-request HTTP/0.0

2013-06-14 Thread Peter Olsson
On Fri, Jun 14, 2013 at 09:43:36PM +1200, Amos Jeffries wrote:
> On 14/06/2013 9:27 p.m., Peter Olsson wrote:
> > We get a lot of these in our squid log:
> >
> > x.x.x.x - - [14/Jun/2013:11:20:01 +0200] "NONE error:invalid-request 
> > HTTP/0.0" 400 4026 NONE:NONE
> >
> > We tracked it to Spotify clients. We don't want to
> > block Spotify but we want to avoid filling the log
> > with these pointless lines.
> 
> Pointless? it alerted you to a bunch of non-HTTP traffic being thrown at 
> the proxy did it not?
> Each and every one of these will be a TCP socket wasted until closure 
> timeout completes. If there were many of these at once you would be 
> calling it a DoS.

Good point. But we only allow squid traffic from our internal
network, with very few users, so in our view these lines are
just a waste of log space. (I forgot to mention that each
Spotify client can generate 4-5 of these lines every five
seconds.)
 
> Since you have tracked it down already could you explain exactly what is 
> going on there? Are the spotify clients attempting to send non-HTTP 
> traffic over port 80? or is that the result of excess data on the 
> connection being dumped?

Sorry, we have no details at all. We just went to the
worst offender and shut down each application until the
lines stopped.

> > We run a non-transparent Squid 3.1.20 in FreeBSD.
> > I will upgrade to Squid 3.2 this weekend, but I
> > suspect that these lines will still be logged in 3.2.
> >
> > I tried this log_access, but it didn't work:
> > acl spotify_invalid urlpath_regex invalid-request
> > log_access deny spotify_invalid
> > log_access allow all
> >
> > Anyone know how we can exclude these lines from the log?
> 
> "acl ... method NONE" should match them.

Doesn't seem to work unfortunately. I now have this in squid.conf,
and I tried with these lines last or first in squid.conf:

acl spotify_invalid method NONE
log_access deny spotify_invalid
log_access allow all

But the log lines still keep coming after squid -k reconfigure.

I will check again after the upgrade to Squid 3.2.

Thanks!

Peter Olsson
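
Added example, not part of the thread: one way to keep the signal Amos describes without reading every line is to summarise the `NONE error:invalid-request` entries per client and time window. The regex follows the log line quoted above; the sample lines, addresses, window and threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the access.log layout of the line quoted in the thread.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<result>\S+)$'
)

def summarize_invalid(lines, window_seconds=60, threshold=20):
    """Count invalid-request entries per (client, window start) and
    return only the buckets that reach the threshold."""
    buckets = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["method"] != "NONE" or m["url"] != "error:invalid-request":
            continue  # normal traffic or unparsable line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[(m["client"], start)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

def sample_lines():
    """Constructed input: one noisy client (5 lines every 5 seconds for a
    minute) and one client with a single invalid request plus a normal GET."""
    bad = '"NONE error:invalid-request HTTP/0.0" 400 4026 NONE:NONE'
    lines = []
    for sec in range(0, 60, 5):
        for _ in range(5):
            lines.append(f'192.0.2.10 - - [14/Jun/2013:11:20:{sec:02d} +0200] {bad}')
    lines.append(f'192.0.2.20 - - [14/Jun/2013:11:20:07 +0200] {bad}')
    lines.append('192.0.2.20 - - [14/Jun/2013:11:20:09 +0200] '
                 '"GET http://example.com/ HTTP/1.1" 200 512 TCP_MISS:DIRECT')
    return lines

if __name__ == "__main__":
    for (client, start), count in summarize_invalid(sample_lines()).items():
        when = datetime.fromtimestamp(start).isoformat()
        print(f"{client}: {count} invalid requests in window starting {when}")
```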


[squid-users] Performance of antivirus proxy solutions?

2006-01-17 Thread Peter Olsson

Hello!

This is maybe not strictly a squid question, but I still think/hope
that the squid list is the best candidate for good answers.
I have read a lot of archived messages about different antivirus
solutions, but I haven't found many that deal with the performance
issue.

We have about 5000 users which use squid as proxy towards Internet.
We run four separate squid servers at different locations, for
load balancing and redundancy. The peak load on these four servers
is about 5 Mbps each, and the average load during office hours is
about 3-4 Mbps each. The size of the squid caches varies depending on
hardware in the proxy servers, from 10 GB to 40 GB.

We now want to add antivirus to the solution. We use clamav for
email antivirus, so we are thinking about clamav for proxy
antivirus also. But what should we use to activate the virus
scan, that won't make a big impact on the performance?
The solution must also be stable.
All our servers run FreeBSD, so there would have to be some very good
arguments for us to run the antivirus solution on any other platform
than FreeBSD.

We have made some tests with SquidClamAV_Redirector.py, which
doesn't seem to be able to keep up with the performance demands.
We have briefly looked at some other free solutions, but none of
them seem to be made for this kind of load. I'd be happy to be
proven wrong on this.

We have also looked at DansGuardian and SafeSquid, but we haven't
set up tests with them yet. Has anyone got load/performance opinions
on these, related to our demands?

Are there other suitable products which we have missed?

We would love to get some input on this issue.

Thanks!

--
Peter Olsson [EMAIL PROTECTED]


Re: [squid-users] Performance of antivirus proxy solutions?

2006-01-18 Thread Peter Olsson

On Wed, 18 Jan 2006 11:02 +0100, Ralf Hildebrandt wrote:
> We have 3 servers, each with about 80-100 connections/s
>
> We use dansguardian
>
> Dansguardian increases the latency from 40m to about 70m.

Interesting, thanks! Did you get any complaints about the
slowdown, or was it unnoticed?

--
Peter Olsson [EMAIL PROTECTED]


Re: [squid-users] squid and clamav

2006-02-09 Thread Peter Olsson

Hello!

On Thu, 9 Feb 2006 12:18 +0100, jacusy wrote:
> I am not happy about using two different squids. But the problem is:
> dansguardian needs a proxy to forward its requests to. But with dansguardian,
> I lose the information about source ip. This source ip is needed to apply
> client-specific access-rules. Therefore, the first squid is needed (with
> squidGuard).
>
> But the patches on http://devel.squid-cache.org/follow_xff/ apply only to two
> specific source-trees. What about actual builds? Is there another solution?


I installed a test server with dansguardian a couple of days ago,
and the patch for follow_xff doesn't seem to be needed with recent
versions of squid.
I have this setup: client -> dansguardian -> squid -> internet.

I put this in squid.conf:
follow_x_forwarded_for allow all
log_uses_indirect_client on

And this in dansguardian.conf:
forwardedfor = on

And then I got the client source IP numbers in the squid log.

This was with dansguardian 2.9.5.0 and squid 2.5.STABLE12.

--
Peter Olsson [EMAIL PROTECTED]
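
Added example, not part of the original post or of Squid's code: a small Python model of how Squid backtracks through X-Forwarded-For under `follow_x_forwarded_for`, showing that with `allow all` the logged client address is whatever the header says, while trusting only the filter's address stops at the real client. The addresses, the function names and the assumption that the filter appends the real client address to an existing header are constructed for illustration.

```python
import ipaddress

def indirect_client(peer, xff_header, trusted_nets):
    """Model of follow_x_forwarded_for: while the current address is allowed
    by the ACL, step to the next rightmost X-Forwarded-For entry."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    chain = [e.strip() for e in xff_header.split(",") if e.strip()]
    client = peer
    while chain and is_trusted(client):
        candidate = chain.pop()          # rightmost entry = most recent hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                        # unparsable entry: stop backtracking
        client = candidate
    return client

# Models "follow_x_forwarded_for allow all" from the post.
ALLOW_ALL = ["0.0.0.0/0", "::/0"]
# Models a restricted ACL (hypothetical acl name "filter"):
#   acl filter src 127.0.0.1
#   follow_x_forwarded_for allow filter
#   follow_x_forwarded_for deny all
FILTER_ONLY = ["127.0.0.1/32"]

# Constructed request: client 192.0.2.50 sends a header naming 10.9.9.9;
# the filter on 127.0.0.1 is assumed to append the real client address.
PEER, XFF = "127.0.0.1", "10.9.9.9, 192.0.2.50"

def demo():
    return {
        "allow_all": indirect_client(PEER, XFF, ALLOW_ALL),
        "filter_only": indirect_client(PEER, XFF, FILTER_ONLY),
        # Client connecting straight to Squid, bypassing the filter:
        "direct_allow_all": indirect_client("192.0.2.50", "10.9.9.9", ALLOW_ALL),
        "direct_filter_only": indirect_client("192.0.2.50", "10.9.9.9", FILTER_ONLY),
    }

if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:20s} -> {addr}")
```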


[squid-users] Digest Auth pass through possible with squid?

2007-02-06 Thread Peter Olsson

Is Digest Auth pass through possible with squid 2.5, 2.6 or 3.0?
If possible, how do I configure it?

We haven't upgraded to 2.6 yet, but all I find is that
NTLM Auth pass through is supported with 2.6, I find nothing
about Digest Auth pass through. I have googled and searched
the FAQ. I'm sure this question must have been raised before,
I apologize in advance for not having found the answer.

Thanks!

--
Peter Olsson [EMAIL PROTECTED]


Re: [squid-users] Digest Auth pass through possible with squid?

2007-02-08 Thread Peter Olsson

On Thu, 8 Feb 2007 08:42 +0100, Henrik Nordstrom wrote:
> On Wed 2007-02-07 at 01:38 +0100, Peter Olsson wrote:
> > Is Digest Auth pass through possible with squid 2.5, 2.6 or 3.0?
> > If possible, how do I configure it?
>
> Proxying of Digest authentication and the other HTTP compliant
> authentication schemes has worked since Squid-1.x. No special
> configuration required.


Ok, good! But we get this reply when browsing a Digest Auth web
through squid (2.5.STABLE13 in this case):
"
Unauthorized
Correct authorization is required for this area. Either your browser does
not perform authorization, or your authorization has failed. RomPager server
by Digest Access Authentication, which is not supported by your browser.
"
This reply comes immediately without possibility to enter the login,
and we get the same reply with Internet Explorer in windows and Firefox
in FreeBSD.

I thought this was because Digest Auth pass through wasn't supported.
Any ideas what could be wrong?

"Digest Access Authentication" is the same as "Digest Authentication",
isn't it? Or could that be the problem?

Thanks!

Peter Olsson