Re: [squid-users] Are you using ESI?
ESI in Squid hasn't had investment done to it for nigh on twenty years now. Not a bad run. I have no idea if there are users out there... Certainly no one has reached out to me about it for many years.

I think newer models of edge compute like WASM and ICAP are generally better: narrower interfaces that unlock huge potential.

The implementation in Squid should be savable if folk are interested - I don't remember it being all that bad - but I certainly don't have time to offer to do that.

HTH,
Rob

On Fri, 24 Feb 2023 at 23:50, Alex Rousskov <rouss...@measurement-factory.com> wrote:

> Hello,
>
> ESI support in Squid has been a significant source of problems for
> many years. One of the biggest problems is affecting a lot of code that
> has nothing to do with the ESI module! I see no signs of a significant
> ESI user base, but some users may still exist. Before proposing to
> remove ESI support from Squid, I would like to better estimate the
> negative impact of that removal on existing Squid installations.
>
> If your Squid installation uses ESI features, please respond (in private
> if necessary). How would ESI removal affect your Squids? Would you be
> willing and able to rewrite the ESI module integration with Squid
> primary APIs (or hire a developer capable of such a serious project)?
>
> Thank you,
>
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.
On 19 January 2014 22:15, Kinkie gkin...@gmail.com wrote:
> On Sun, Jan 19, 2014 at 7:42 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
>
> The main advantage I can think of for using a NAS is that these usually have huge RAM caches, which can help by keeping the directory structure in RAM thus making small file retrieval faster than doing multiple roundtrips to disk.

Seagate Kinetic drives might be interesting too.

-Rob

--
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud
Re: [squid-users] Apache Traffic Server vs Squid
On 13 October 2013 18:57, Amos Jeffries squ...@treenet.co.nz wrote:
> On 13/10/2013 12:44 p.m., Eliezer Croitoru wrote:
>
> Interesting, but this is 2 years old and as you may be aware things are moving quickly here at Squid. The list on page 3 seems not to be correct for Squid either.
>
> The one under threaded is wrong. We call Squid single-threaded, and event-driven software that is normal, but that is not completely true and has not been since around 2003 when threaded storage

No later than 1998 (possibly earlier, but I can't be bothered digging into the detail).

Changes to squid-1.2.beta13 (Feb 4, 1998):
...
- Completely rewritten aiops.c that creates and manages a pool of threads so thread creation overhead is eliminated (SLF).

> The biggest problem Squid has to deal with that ATS does not (yet), is legacy installations. Admin are installing new relatively freshly built ATS and comparing against old Squid versions or Squid configured with nasty hacks intended to solve long obsolete browser/server problems. Witness that even Lief marked Squid as not supporting multiple threads in 2011 when cache store threading was added early 2000's, and not allowing plugins when eCAP was added in 2008 and add-on helpers supported since early 2000's as well (but helpers are not thought of as plugins by some apparently).

Changes to Squid-2.1 (November 16, 1998):
...
- Moved functions common to dns.c, redirect.c, authenticate.c, ipcache.c, and fqdncache.c into helper.c.

So also added no later than 1998 (and IIRC part of 1.x still).

> It is simply that until the recent renaissance with OS upgrades many administrators have been dealing with Squid-2.x releases - and many still are unfortunately. Not to mention the squid.conf hacks often staying in place long after they are useless or harmful.
>
> /sorry if that sounds like a rant. I know those reading this will mostly be the converted.

Preach it :)

-Rob
Re: [squid-users] want squid 3.1.10 to stop giving IPv6 errors fetching www.google.com
On Sat, Aug 18, 2012 at 2:51 PM, Bennett Haselton benn...@peacefire.org wrote:
> I installed squid 3.1.10 on CentOS 6.3 with the default squid.conf. When I test it out from localhost:
>
> [root@33736 ~]# telnet localhost 3128
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET http://www.google.com/ HTTP/1.0
>
> (followed by two carriage returns), it waits about three minutes and then outputs an error page saying:
>
> The following error was encountered while trying to retrieve the URL: http://www.google.com/
> Connection to 2607:f8b0:4004:800::1014 failed.
> The system returned: (110) Connection timed out

If you have IPv6 configured on your machine but don't have IPv6 connectivity to the rest of the world, I would expect this symptom.

Solutions:
- don't have IPv6 configured
- or have connectivity.

-Rob
Re: [squid-users] Is Squid Multi-Tenant?
On Fri, Jun 22, 2012 at 5:18 AM, Deepak Panigrahy deepak.ii...@gmail.com wrote:
> I am a newbie to Squid and was wondering if Squid is multi-tenant? If yes, how can we achieve multi-tenancy in Squid?

This depends almost entirely on what you mean. Can you describe what multi-tenant means to you?

-Rob
Re: [squid-users] Duplicate If-None-Match headers
On Mon, Apr 30, 2012 at 11:32 PM, Andy Taylor a...@tayble.com wrote:
> Hi,
>
> I'm having a number of problems with Squid at the moment with duplicate Etags in the headers. I'm using Squid as an accelerator to forward traffic to Apache, which serves up a Drupal installation.
>
> After roughly 3 days, a number of pages on the site start to fail with 400 Bad Request errors; it starts with just a few and then slowly spreads to more pages. I did a tcpdump of the requests coming from Squid to Apache, and Apache is spitting out a 400 error because of the header size. Hundreds of etags are appearing in the If-None-Match headers field, which hits Apache's header size limit, causing the error. The only way I've found to 'fix' this so far is to either:

So, this is probably poor behaviour out of Drupal. Squid believes that there are hundreds of different versions of that page, all equally likely to be validated and used as a response by the backend.

We probably want a cap on the number of variants we support, or at least a knob to set it. I'd look at your backend behaviour though - even with a knob, you're still wasting a lot of processing.

-Rob
Re: [squid-users] Am I asking the impossible?
On Mon, Sep 13, 2010 at 8:24 AM, devlin7 i...@wghs.school.nz wrote:
> I love my Squid proxy, it is fabulous! Having said this, I would prefer my clients to talk directly to the web via the default gateway. This is especially true of my Linux work stations in our school.
>
> Last week I was tinkering and I setup a new squid proxy server. I then mucked around with IPTables on this box so that any any coming traffic is redirected to the squid proxy. This is great as I can have a default gateway and get filtering like Dansguardian.
>
> The only downside to this is that the Squid proxy is running in transparent mode and I can't log which user is accessing the web. Is there a way to authenticate my default gateway?

You need to choose: interception or authentication.

You can have squid forward via dansguardian, or vice versa, without using interception.

-Rob
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
I'm ok with adding it to 3.1 as long as it's carefully reviewed - which Amos appears to be doing.
Re: [squid-users] ESI content missing
On Mon, 2010-03-08 at 15:55 +, Duncan Booth wrote:
> My question is whether this is indeed a bug or whether I've maybe just got something wrong in the squid config? We're using Squid 3.0 stable 14 but I checked with stable 24 and get the same results.

Definitely a bug; please file it in bugzilla. ESI is meant to retrieve the content from the local store in that case.

-Rob
Re: [squid-users] RFE - HTTP 1.1 RANGES
On Tue, 2010-01-12 at 18:20 +1300, Amos Jeffries wrote:
> Nice ideas. The range support AFAIK has always been stuck up on detail of storing ranges.

Not really, it's been blocked on having the internals clear enough that someone writing a range capable store doesn't have to mess around with clientside ;). That's actually pretty close to done; so if I were working on caching ranges today, I'd start with the store and see if I could do what Vary support does there.

-Rob
Re: [squid-users] 'gprof squid squid.gmon' only shows the initial configuration functions
On Tue, 2009-12-08 at 15:32 -0800, Guy Bashkansky wrote:
> I've built squid with the -pg flag and run it in the no-daemon mode (-N flag), without the initial fork(). I send it the SIGTERM signal which is caught by the signal handler, to flag graceful exit from main(). I expect to see meaningful squid.gmon, but 'gprof squid squid.gmon' only shows the initial configuration functions:

gprof isn't terribly useful anyway - due to squid's callback based model, it will see nearly all the time belonging to the event loop. oprofile and/or squid's built in analytic timers will get much better info.

-Rob
Re: [squid-users] Quadruple memory usage with squid
On Wed, 2009-12-02 at 10:07 -0500, Linda Messerschmidt wrote: The exploding unused/unaccounted-for memory usage occurs during regular usage, without any forking at all. We need to figure that out. At this point, routine forking has been eliminated by moving rotation to the log child process, so vfork() isn't really a factor for us; it never gets called. If you guys do choose to go the vfork route, I hope you test it very carefully because the parent process is suspended while the child is using its resources sounds like a bad idea to me. We would love it if you could try the patch set. The parent process being suspended is *not* a problem. In regular fork the parent process is suspended too, just for a different duration (copying the kernel metadata) - and that hurt you badly. Note that threads are not suspended, only the task that calls vfork AIUI. I'd need to read the exact code to be totally sure. If I'm right the suspension for starting a new helper can thus be done in a thread, with no impact on squid's main non-blocking event loop. -Rob
Re: [squid-users] Quadruple memory usage with squid
Are you running 2.x or 3.x btw? -Rob
Re: [squid-users] Quadruple memory usage with squid
On Wed, 2009-11-25 at 10:43 -0200, Marcus Kool wrote:
> There are alternative solutions to the problem:
> 1. redesign the URL rewriter into a multithreaded application that
> 2. redesign the URL rewriter where the URL rewriter rereads
> 3. modify the URL rewriter to accept multiple request
> 4. use less URL rewriters. You might get an occasional

5. Experiment with vfork.

-Rob
Re: [squid-users] Quadruple memory usage with squid
On Tue, 2009-11-24 at 13:45 +0100, Henrik Nordstrom wrote:
> Tue 2009-11-24 at 15:06 +1100, Robert Collins wrote:
> > http://www.netbsd.org/docs/kernel/vfork.html has some interesting notes from the BSD world about this.
>
> vfork is fundamentally broken.

Beyond the obvious (that it doesn't separate the memory out?)

> there is other alternatives coming, getting around the virtual memory issue when starting new processes.

What are they called?

-Rob
Re: [squid-users] Quadruple memory usage with squid
On Wed, 2009-11-25 at 02:11 +0100, Henrik Nordstrom wrote:
> Wed 2009-11-25 at 09:07 +1100, Robert Collins wrote:
> > On Tue, 2009-11-24 at 13:45 +0100, Henrik Nordstrom wrote:
> > > Tue 2009-11-24 at 15:06 +1100, Robert Collins wrote:
> > > > http://www.netbsd.org/docs/kernel/vfork.html has some interesting notes from the BSD world about this.
> > >
> > > vfork is fundamentally broken.
> >
> > Beyond the obvious (that it doesn't separate the memory out?)
>
> Undefined results if any of the following is used:
> - threads
> - signals
> - any form of output
> - pretty much any other syscall than a successful execve

In the 'vchild', yes. However I don't see why that would cause us problems: in the child side of the vfork we would only be calling execve / execvp - which will be fine.

> > > there is other alternatives coming, getting around the virtual memory issue when starting new processes.
> >
> > What are they called?
>
> Searching.. posix_spawn() and its posix_spawnp() wrapper seems to be the one.

They use vfork (POSIX_SPAWN_USEVFORK) or fork internally. vfork has been available for longer and should be trivial to drop in as an experiment, whereas posix_spawn is still not widely available (and has precisely the same issues for us).

-Rob
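The two ways of starting a helper discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a vfork child that does nothing but exec, and posix_spawnp with the helper's pipes declared as file actions. The function names are hypothetical, and `sh` and `cat` are assumed stand-ins for a real redirector helper.

```c
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Reap a child; return its exit code, or -1 if it did not exit normally. */
static int reap(pid_t pid)
{
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* vfork variant. The child runs on the parent's memory while the calling
 * thread is suspended, so it does nothing except exec, or _exit() if the
 * exec fails: no stdio, no allocation, no return from this function. */
int run_helper_vfork(const char *file, char *const argv[])
{
    pid_t pid = vfork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(file, argv);
        _exit(127);
    }
    return reap(pid);
}

/* posix_spawn variant. The pipe plumbing a redirector-style helper needs is
 * declared as file actions, so no caller-written code runs in the child.
 * Sends one request line, closes the helper's stdin, collects its reply. */
int helper_roundtrip(const char *file, char *const argv[],
                     const char *request, char *reply, size_t replylen)
{
    int to_helper[2], from_helper[2], rc;
    posix_spawn_file_actions_t fa;
    pid_t pid;
    size_t used = 0;
    ssize_t n;

    if (replylen == 0 || pipe(to_helper) < 0)
        return -1;
    if (pipe(from_helper) < 0) {
        close(to_helper[0]);
        close(to_helper[1]);
        return -1;
    }
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, to_helper[0], STDIN_FILENO);
    posix_spawn_file_actions_adddup2(&fa, from_helper[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, to_helper[0]);
    posix_spawn_file_actions_addclose(&fa, to_helper[1]);
    posix_spawn_file_actions_addclose(&fa, from_helper[0]);
    posix_spawn_file_actions_addclose(&fa, from_helper[1]);
    rc = posix_spawnp(&pid, file, &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(to_helper[0]);            /* parent keeps only its own pipe ends */
    close(from_helper[1]);
    if (rc != 0) {
        close(to_helper[1]);
        close(from_helper[0]);
        return -1;
    }
    /* One short line fits in the pipe buffer, so this write cannot block. */
    if (write(to_helper[1], request, strlen(request)) < 0)
        rc = -1;
    close(to_helper[1]);            /* EOF tells the helper to finish */
    while (used + 1 < replylen &&
           (n = read(from_helper[0], reply + used, replylen - 1 - used)) > 0)
        used += (size_t)n;
    reply[used] = '\0';
    close(from_helper[0]);
    n = reap(pid);
    return rc != 0 ? -1 : (int)n;
}

int main(void)
{
    char *sh_argv[] = { "sh", "-c", "exit 7", NULL };
    char *cat_argv[] = { "cat", NULL };
    char reply[256];

    printf("vfork child exit code: %d\n", run_helper_vfork("sh", sh_argv));
    /* Constructed request line; cat simply echoes it back. */
    int rc = helper_roundtrip("cat", cat_argv,
                              "http://example.com/ 192.0.2.1/- - GET\n",
                              reply, sizeof reply);
    printf("posix_spawn helper exit %d, reply: %s", rc, reply);
    return 0;
}
```

A long-running caller would also ignore SIGPIPE, so that a helper which dies early shows up as a failed write rather than a signal.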
Re: [squid-users] Quadruple memory usage with squid
On Mon, 2009-11-23 at 21:40 -0500, Linda Messerschmidt wrote:
> > Maybe. We would like to diagnose this problem and fix it properly, but if it's too much hassle you can go that way.
>
> It would definitely be my preference to diagnose and fix the problem and I can live with a fair amount of hassle to get there.
>
> (Unless you are saying you are using redirectors is the problem, in which case memfs it is. ;-) )

redirectors should be fine.

If the page tables of squid are swapped out or phenomenally huge, fork could be slow. You could test using vfork instead of fork (be sure to see the man page and you may need to change the child execution code a little).

http://www.netbsd.org/docs/kernel/vfork.html has some interesting notes from the BSD world about this.

-Rob
[squid-users] Squid youtube etc caching (was [Fwd: Re: [squid-users] Mailing-list admins: can we set up reply-to?])
---BeginMessage---
Hi Robert.

Sorry for disturbing you. Actually I am trying to send a query to squid-users@squid-cache.org since yesterday but each time it returns with a Failure Notice. Can you help if you find some free time? I got your email ID from the recent conversation you had on the same mailing list. So sorry for that.

Following is the query by the way if you want to answer it :)

*Question:* Does Squid offer content caching?

*Explanation:* I want to know if Squid has the ability to cache objects like YouTube videos, or documents (.pdf, .doc, .ppt etc) so that once a user sees a YouTube video or downloads some document, it may be cached. Now, if some other user tries to access that video or document, then it may be downloaded or served to him/her from the server where it was cached instead of asking the original server again for the same video or document.

I have studied a little about Squid which showed me that maybe Squid only offers caching of Web pages and not the other content. Examples of the content I want to be cached have been described earlier.

Thanks

Usman Ajmal
Research Assistant
HPC Lab, SEECS (NUST)
Pakistan

On Fri, Nov 20, 2009 at 12:45 PM, Robert Collins robe...@squid-cache.org wrote:
> On Fri, 2009-11-20 at 18:26 +1100, Tim Bates wrote:
> > Here's a question: Would Reply-To being set prevent people who post getting a flood of user not found bounces back?
>
> It would cause them to come to the list.
>
> -Rob
---End Message---
Re: [squid-users] Mailing-list admins: can we set up reply-to?
On Thu, 2009-11-19 at 11:19 +0100, Marcello Romani wrote:
> Matus UHLAR - fantomas wrote:
> > On 13.11.09 11:44, Brian Mearns wrote:
> > > Subject: [squid-users] Mailing-list admins: can we set up reply-to?
> > >
> > > Would it be possible for the admins of this mailing list to setup the Reply-to header so hitting reply goes back to the mailing list?
> >
> > changing reply-to by mailing list is bad. http://www.unicom.com/pw/reply-to-harmful.html
> >
> > > I don't know how many times I've sent responses directly back to the sender because I just started typing the response.
> >
> > get a mail client that does support mailing lists.
>
> I use Thunderbird 2.0.0.23 under Ubuntu 9.10. It has two reply buttons: Reply and Reply to all.

http://alumnit.ca/wiki/index.php?page=ReplyToListThunderbirdExtension

-Rob
Re: [squid-users] Mailing-list admins: can we set up reply-to?
On Thu, 2009-11-19 at 09:43 -0500, Brian Mearns wrote:
> Even 7 years ago, I don't think this article was really as relevant as the author seems to. If you're using Elm, then fantastic, but I personally have never come across a mail agent that supports reply to group. The much more common reply-all feature is too often a detriment to communications and to the network. Unless the mailing list program is smart enough to detect that someone in the list is also explicitly given as a recipient and removes that address from the list of people to whom the message is sent (I would be fairly surprised and moderately impressed if it did), then reply-all will cause excess traffic on the network and will end up with the previous author receiving two copies.

I would be annoyed at mail software that did that; direct addressed mail should be delivered. Users can choose to dedupe mail if they want using the unique message-id. (And many mail servers do do this).

As for your assertion that few mail clients support reply to list/reply to group; I note that you use gmail, and gmail is pretty feature poor. You might try using thunderbird or evolution, both of which support reply to list and have for quite some time.

...

> If I was the only one suffering from this problem, I would agree that the issue is mine to resolve. Based on the three other follow-ups that have said the same thing, it seems to me to be a pretty common problem.

The alternate configuration also causes problems. This list has some N subscribers, of which 3 agree that the current config confuses them from time to time. That doesn't provide any evidence that the other N do or don't get confused, nor that if the configuration is changed what number will get confused in the opposite direction.

-Rob
Re: [squid-users] Mailing-list admins: can we set up reply-to?
On Fri, 2009-11-20 at 18:26 +1100, Tim Bates wrote:
> Here's a question: Would Reply-To being set prevent people who post getting a flood of user not found bounces back?

It would cause them to come to the list.

-Rob
[squid-users] QA/Test machines sought!
Hi,

a few of us dev's have been working on getting a build-test environment up and running. We're still doing fine tuning on it but the basic facility is working.

We'd love it if users of squid, both individuals and corporates, would consider contributing a test machine to the buildfarm.

The build farm is at http://build.squid-cache.org/ with docs about it at http://wiki.squid-cache.org/BuildFarm.

What we'd like is to have enough machines that are available to run test builds, that we can avoid having last-minute scrambles to fix things at releases.

If you have some spare bandwidth and CPU cycles you can easily volunteer. We don't need test slaves to be on all the time - if they aren't on they won't run tests, but they will when they come on. We'd prefer machines that are always on over sometimes on.

We only do test builds on volunteer machines after a 'master' job has passed on the main server. This avoids using resources up when something is clearly busted in the main source code.

Each version of squid we test takes about 150MB on disk when idle, and when a test is going on up to twice that (because of the build test scripts). We currently test 2.HEAD 3.0 3.1 3.HEAD and I suspect we'll add 2.7 to that list. So I guess we'll use about 750MB of disk if a given slave is testing all those versions. Hudson, our build test software, can balance out the machines though - if we have two identical platforms they will each get some of the builds to test.

So, if your favorite operating system is not currently represented in the build farm, please let us know - drop a mail here or to noc @ squid-cache.org - we'll be delighted to hear from you, and it will help ensure that squid is building well on your OS!

-Rob
Re: [squid-users] How to strip/ignore header in squid?
On Wed, 2009-05-13 at 19:39 -0700, Kurt Buff wrote:
> I came to that conclusion on my own, and did recompile with that option ('make --enable-http-violations' then 'make install', and it went without error) but it didn't help, as I'm getting the same error message. I'm sure I'm missing something, but need a clue...

Are you sure you're running a squid with that enabled? (squid -v).

and that said, the first of those headers is actually really useful, you should get your firewall updated to support HTTP/1.1.

-Rob
Re: [squid-users] Squid Ignoring ESI
On Wed, 2009-04-22 at 22:20 +, James Ellis wrote:
> I am trying to use the ESI parser in Squid. I have compiled with --enable-esi and set esi_parser custom in my squid.conf file.

You shouldn't need to set esi_parser at all.

> Through the squid client, I can access a JSP page running on my local machine, but I am unable to parse ESI pages.
>
> Questions:
> 1) Is there a set of instructions anywhere on how to use ESI and Squid together? If not I'd be happy to piece together what I have (if I ever get it actually working).
> 2) I read somewhere that you need to set the header Surrogate-Control, so I've tried the following:
>
> response.setHeader("Surrogate-Control", "no-store, content=\"ESI/1.0\"");
>
> In this case the esi tags are just ignored.

This should be correct, I suggest upping the debug flags for ESI to see what squid thinks is happening.

> 3) Are there any other squid.conf settings required other than esi_parser custom required?

Not that I remember.

-Rob
Re: [squid-users] Certain applications when using NTLM auth
On Mon, 2009-02-02 at 13:48 -0200, Henrique Machado wrote:
> Morning,
>
> For quite some time I've wondered about something. Certain applications worked perfectly with Squid in the past. But, since we've integrated it with Active Directory (NTLM auth) some applications just don't work anymore, even if they do have authenticated proxy support.
>
> What I've noticed about NTLM authentication with Squid is:
> 1) Application sends HTTP request (Firefox or IE, for instance)
> 2) Squid receives the request and then returns HTTP code 407 to the client (Proxy Authentication Required)
> 3) The application receives the 407 code and asks the user for authentication input (the browsers use the current logged user credentials if inside an Active Directory domain)
> 4) The application sends the authentication info
> 5) Squid receives it, checks it and then does its work
>
> But, some applications, APT being a very simple example (and one of my headaches) can't ask for an input. And even configuring it to send user's credentials doesn't seem to work (Squid keeps replying with 407).

Apt does not support NTLM; you need to configure 'basic' authentication as well as NTLM in squid.

Cheers,
Rob
Re: [squid-users] Frequent cache rebuilding
Also, ensure you have changed the 'ufs' to 'aufs' in your cache_dir configuration line. 'ufs' can't scale beyond about 10 clients:) -Rob
Re: [squid-users] NTLM Authenticator with big requests number
On Tue, 2009-01-13 at 23:43 +1300, Amos Jeffries wrote:
> > Not exactly, I'm the author of all the Windows NTLM and Negotiate native helpers. The majority of the Squid NTLM code comes from Kinkie, Robert and Henrik.
>
> Ah, that's not the impression I got after reading the FAQ entry. Apologies to all involved with that code.

If it helps the major history that I recall for NTLM is:
- There was a broken branch, I don't recall the original author, Pat someone perhaps.
- Using it as inspiration Kinkie and I overhauled the squid internals and went beyond the fake helper that had been created to get an actual SMB implementation running; this failed miserably in production where Kinkie worked though...
- Andrew Bartlett chimed in around this point with the samba winbindd helper which solved the reliability problems the SMB approach had by allowing the local machine to generate challenges.
- Guido wrote native helpers for windows (analogous to the winbindd helper on unix machines)

-Rob

--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Strange RST packet
On Tue, 2008-11-11 at 16:53 -0600, Luis Daniel Lucio Quiroz wrote:
> I'm pretty sure. I have a pcap file captured and, traffic is exchanged and then suddenly a RST from squid to client.
>
> I've found that squid is sending a RST packet to a Windows station (WinXP SP2 or WinVista). Squid is not configured to send RST's. Is there any explication for this?
>
> Are you sure that the client is connecting to the correct port and that the service is running? The OS will typically respond to a SYN on a closed port with an RST.

(From memory, check the code to be sure .. ) In HTTP RST is used to signal incomplete transfer of dynamic content; it's quite likely that the upstream server has done a RST to squid, and squid is passing this on.

-Rob
Re: [squid-users] squid-3 make
The log you included shows your compiler has crashed. You should submit a bug report to gcc. -Rob
Re: [squid-users] Squid Future (was Re: [squid-users] Squid-2, Squid-3, roadmap)
On Mon, 2008-03-17 at 10:18 +0900, Adrian Chadd wrote:
> At the end of the day, I'd rather see something that an increasing number of people on the Internet will use and - I won't lie here - whatever creates a self sustaining project, both from community and financial perspectives.

I agree with this.

FWIW I see squid 2 and 3 as very similar to apache 1.x and 2.x - apache 2 took a _long_ time to be considered an 'upgrade' by _all_ users, and squid3 has been in the same boat. I don't think that the amount of work to make squid3 better for all users is insurmountable by the community, and I think that continuing the polish on squid3 is the best way forward. YMMV of course :).

-Rob
Re: [squid-users] Caching files from Amazon S3
On Sun, 2008-03-16 at 14:04 +0900, Adrian Chadd wrote:
> Annoyingly, why the hell is the request from the client a range request? Squid can't easily cache those unless it somehow fetches the entire object first.

FWIW -3 has about 60% of the work needed to cache fragments done. What's missing is a store that can handle them.

Rob
[squid-users] squid meetup dinner/drinks
Hi,

The squid meetup has been going well :). We're going to head to waggamamma's http://www.wagamama.com/locations_map.php?locationid=127 around 5pm. We'll head off to a local pub after that around 6:30 or so.

-Rob
Re: [squid-users] Squid-2, Squid-3, roadmap
On Wed, 2008-02-27 at 14:30 +1100, Mark Nottingham wrote:
> * Besides the availability of *CAP and ESI -- which are very specialised, and of interest only to a subset of Squid users -- is there any user-visible benefit to switching to -3?

class 4 delay pools, some request tagging stuff too IIRC.

> * What do the developers consider to be a success metric for -3? I.e., when will maintenance on -2 stop?

I think of this as apache 1.x and 2.x - maintenance on -2 won't come to a hard stop until -3 (or -4, or whatever) is a solid viable upgrade across the board.

> * Until that time, what is the development philosophy for Squid-2? Will it be only maintained, or will new features be added / rewrites be done as (possibly sponsored) resources are available? Looking at http://wiki.squid-cache.org/RoadMap/Squid2 , it seems to be the latter; is that the correct interpretation?

Folk will scratch their own itches - that's open source for you. I know I'd really prefer it if features being added are *primarily* added to -3 - I'm totally supportive of backporting to -2, but would rather see it as a backporting process rather than a forward porting process.

> * If that success metric is not reached, what is the contingency plan?

I don't know what you really mean here. Squid isn't a corporate entity with a monetary either-or marketing/funding style problem.

> * How will these answers change if a substantial number of users willingfully choose to stay on -2 (and not just because they neglect to update their software)?

Well, I'd hope that at the minimum those users would file bugs on the things about -3 that keep them on -2, so that developers can fix them :).

> Also, a few questions for -users:
>
> * Who is using -3 in production now? How are you using it (load, use case, etc.) and what are your experiences?

I use -3, have for ages. But it's trivial home-site accelerating and browsing, so entirely uninteresting at the scope of yahoo :).

-Rob
Re: [squid-users] Squid meetup in london
On Wed, 2008-02-27 at 15:20 +1100, Mark Nottingham wrote:
> Is this going to be a semi-regular event? I'd be interested in participating in the future, but need more lead time to arrange travel...

As already noted this is really an ad-hoc meetup, I'm in London for a different event and Kinkie suggested a meetup in Milan, then couldn't and - well it just came together.

I think a more targeted 'lets have a sprint' style event would be good to arrange in the future - by which I mean something that is 4-5 days long, has an agenda of stuff we'd like to get done - both actual coding, and discussions, and so forth.

-Rob
[squid-users] Squid meetup in london
I'm very happy to announce that Canonical are hosting a squid meetup in London this coming Saturday and Sunday the 1st and 2nd of March.

Any *developers* (in the broad sense - folk doing coding/testing/documenting/community support/) are very welcome to attend. As it is a weekend and a security office building, you need to contact me to arrange to come - just rocking up won't work :). We'll be there all Saturday and Sunday through to mid-afternoon.

The Canonical London office is in Millbank Tower http://en.wikipedia.org/wiki/Millbank_Tower. So if you want to come by please drop me a mail.

For folk wanting a purely social meetup, I'm going to pick a reasonable place to meet for food and (optionally) alcohol on Saturday evening - I'll post details here mid-Friday.

-Rob
[squid-users] meetup occuring in London
Some of the squid developers are going to get together in London during the weekend of the 1st and 2nd of March. We're still putting together final details and so on. We'll be talking about much of the current things under development.

If you are hacking on squid, or interested in doing so please let me know, I'm sure we'd love to have you drop by.

If you're not hacking on squid, but use it or just love the project and want to get together to say hi or chat, I'm positive we'll have at least one evening spent in a pleasant pub/dinner.

For now please drop me an email - but when we have some more details figured out I'll throw them up on the wiki.

-Rob
Re: [squid-users] squid 2.7 vs 3.x (was: Re: [squid-users] squid-2.7 pre-release testing)
On Sun, 2008-01-13 at 09:52 +0900, Adrian Chadd wrote: On Sat, Jan 12, 2008, Marcus Kool wrote: I tried the FAQ and Squid website for some more info but I found none. The RoadMap2 and RoadMap3 are a bit vague to draw any conclusions. That's because we're developers, not documentation authors. :) Can you be more elaborate ? What are the major differences between 3.x and 2.7 ? 3.x: has some internal code restructuring, is a C/C++ hybrid, includes integrated ICAP support; Amos has ipv6 support included in 3.HEAD. IIRC tagged delay pools were merged, definitely per-user delay pools (class 4 pools) support was merged, ESI, modular disk IO stuff taken further. Some of that is really nasty to try to get working in 2.x (in particular the tagged delay pools), and is largely benefits from 'internal restructuring'. The STL stuff was a compromise made when the c++ 'compiles now' transition was done, but IMO we should be supporting the STL now, particularly as boost which you reference in this thread is layered on the STL. (It's not 'STL done right' it's 'Beta quality STL' - the goal of the boost authors is to be the on-ramp for future releases of the STL, as has happened recently with some of the core boost types).

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Compiling squid 3
On Sat, 2007-12-29 at 16:49 -0500, Monah Baki wrote:
> Hi all, I downloaded squid 3 stable1 and used the following:
> ...
> gcc version 3.4.6 [FreeBSD] 20060305

Are you able to use a more recent gcc?

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
[squid-users] [Fwd: Jason Fitzpatrick is out of the office.]
Some silly mail-reply spam from a subscriber AFAICT

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.

---BeginMessage---
I will be Out of the Office Start Date: 27/12/2007. End Date: 03/01/2008. I am currently out of the office, I will respond to your message when I return. If the matter is urgent please contact a member of the LPIS IMT Team.
---End Message---
Re: [squid-users] How can I do this??
On Tue, 2007-11-13 at 18:28 -0700, murrah boswell wrote:
> Hello, I have asked this recently, but have still not figured it out, so please excuse me for asking it again. I am trying to setup Squid to only allow one user through to the Web and configure it so all other users only have access to information stored in the cache. I am using squid-2.6.STABLE16 on a single server, so there are no siblings relationships. The idea is to use wget and a special privileged user to fetch pages from the Web and store them in the cache for other users in the system. Can this be done, and if so, how?

To some degree. miss_access can be used to stop other users accessing data; however you may find uncacheable data will make the users see many errors. (things like web dots tend to be uncacheable).

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
RE: [squid-users] How can I do this??
On Wed, 2007-11-14 at 04:03 +0200, Dave Raven wrote:
> You could use refresh_pattern to force everything to be cached...

refresh_pattern changes how long things are valid for, not whether they can be cached. Consider authenticated content, dynamic content (e.g. a javascript on a page that accesses something by datestamp)...

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Filter Infrastructure.
On Tue, 2007-10-09 at 12:21 +1300, Amos Jeffries wrote: Hi All, pls., is there a native filter infrastructure for squid? I have seen such a patch on the net by Olaf Titz. Has such a system been integrated into any of the recent releases, eg Squid3? Depends on your definition of filter. It could mean ACLS or re-writer. Or iCap, or ClientStreams.

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Security Issue with Squid (help!)
On Thu, 2007-07-26 at 21:47 -0700, Reid wrote:
> I've only been running this squid server for about a week so I doubt this is an unusual problem. Can anyone help??

I'd suggest trying a spyware/antivirus program on your client, assuming you are running a stock squid without content-alteration patches.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] generic kerberos support in 2.6?
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
> I think we'd all agree that being able to offer digest authentication in this method to non-Windows platforms would be rather shiny.

digest as in rfc2617? Or did you mean kerberos ?:). SPNEGO is the closest thing to a standard going, but it's gawddamn fugly. If we're going to push for a standard for kerberos, for non-windows clients, let's try to aim for something like rfc2617 which does not require pinned connections?

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] HTTP protocol violation error using .NET 2.0 web services through Squid-2.5 proxy
On Thu, 2006-10-19 at 21:42 +1000, Marcus Ogden wrote:
> Hello, A client of ours using the Squid proxy server (version 2.5.STABLE6-3.4E.12.1) on Red Hat Enterprise Linux 4 is experiencing a problem when running our .NET 2.0 client application, which communicates with a .NET 2.0 web service on our server. When our client application sends an HTTP 1.1 request through the Squid proxy to our server, it receives the error:
>
> The server committed a protocol violation. Section=ResponseStatusLine
>
> Other clients not using Squid are not experiencing this problem. Researching this, we've found a few posts that report similar problems using .NET 2.0 web services and/or the HTTP 1.1 protocol through Squid, e.g.
> http://forums.asp.net/thread/1194960.aspx
> http://groups.google.to/group/microsoft.public.dotnet.framework.remoting/msg/dae1a8e9eed3dcf3?dmode=source
> http://www.squid-cache.org/mail-archive/squid-users/200606/0534.html
>
> We've also tried the suggestion in http://forums.asp.net/thread/1284850.aspx to set the useUnsafeHeaderParsing property in the client .NET application's config file to true, but our client reports this hasn't solved the problem. Any suggestions on how we can resolve this issue would be much appreciated.

The server is sending malformed HTTP headers. This could be either:
* The server is non conformant or
* Someone is attempting an HTTP smuggling attack against your client.

For the former you can tell squid to be more relaxed about HTTP parsing [see squid.conf.default] : this will disable the protection against HTTP smuggling attacks though. For the latter - get a log of the traffic and you can inspect it for validity.

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
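One way to carry out the traffic inspection suggested in the reply above, as an added example that is not part of the original thread or of Squid: it checks the status line and header block of one captured response against the HTTP/1.1 message grammar (RFC 7230) and reports the framing problems that matter for smuggling. The function name and both sample captures are constructed for illustration.

```python
import re

# status-line = HTTP-version SP status-code SP reason-phrase (RFC 7230, 3.1.2)
STATUS_LINE = re.compile(rb"HTTP/\d\.\d \d{3} [\t \x21-\x7e\x80-\xff]*")
# field-name = token: no spaces, no control characters
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters that must not appear inside a field value (HTAB is allowed)
BAD_VALUE_BYTE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def audit_response_head(raw):
    """Return a list of findings for the status line and headers of one
    captured HTTP/1.x response; an empty list means nothing was flagged."""
    findings = []
    end = re.search(rb"\r?\n\r?\n", raw)
    if end:
        # Keep each line's own terminator so bare LF can be told from CRLF.
        lines = raw[:end.end()].split(b"\n")[:-2]
    else:
        findings.append("no blank line ends the header block (truncated capture?)")
        lines = raw.split(b"\n")[:-1]  # drop the unterminated trailing fragment

    clean = []
    for n, line in enumerate(lines, 1):
        if line.endswith(b"\r"):
            line = line[:-1]
        else:
            findings.append(f"line {n}: bare LF line ending")
        clean.append(line)
    if not clean:
        return findings + ["no status line in capture"]

    if not STATUS_LINE.fullmatch(clean[0]):
        findings.append(f"status line is not 'HTTP/x.y NNN reason': {clean[0]!r}")

    lengths, has_te = set(), False
    for n, line in enumerate(clean[1:], 2):
        if line[:1] in (b" ", b"\t"):
            findings.append(f"line {n}: folded (continuation) header line")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"line {n}: header line without a colon")
            continue
        if not TOKEN.fullmatch(name):
            findings.append(f"line {n}: invalid field name {name!r}")
        if BAD_VALUE_BYTE.search(value):
            findings.append(f"line {n}: control character in field value")
        lname = name.strip().lower()
        if lname == b"content-length":
            lengths.add(value.strip())
        elif lname == b"transfer-encoding":
            has_te = True

    # Ambiguous body framing is what lets two parsers disagree on message ends.
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and has_te:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings


# Constructed captures, not taken from the thread.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Length: 5\r\n\r\nhello"
MALFORMED = (b"HTTP/1.1 200\r\nContent-Length : 5\r\nContent-Length: 0\n"
             b"Transfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, capture in (("clean", CLEAN), ("malformed", MALFORMED)):
        print(label, audit_response_head(capture))
```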
Re: [squid-users] Squid + ICAP?
On Tue, 2006-09-26 at 16:34 +0200, Joost de Heer wrote:
> Hello, Is Squid+ICAP still developed? The only reference to ICAP in the source tree of Squid 2.6STABLE3 is in SPONSORS, pointing to http://devel.squid-cache.org/icap/ , but the latest entry in that page is from end 2003.

I don't know how active it is, but there has been work much more recently than 2003, in the squid 3 branch.

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] FW: [Full-disclosure] INFOHACKING and illusion brazilian b0ys own age
On Tue, 2005-07-26 at 13:41 +0100, Sam Pointer wrote:
> Hi Guys, this was just posted to the Full-Disclosure mailing list. The defacement certainly seems to be true.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Hugo Vazquez Carapez
> Sent: 26 July 2005 12:59
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] INFOHACKING and illusion brazilian b0ys ownage
>
> The main website of the squid proxy (www.squid.org) was compromised and defaced by llusion brazilian b0ys and me (INFOHACKING.com) . We do the defacement and all files in the CVS are backdoored!!

www.squid.org is an unrelated site to www.squid-cache.org. It's hosted on a different machine in an entirely different network by another organisation that the Squid proxy has nothing to do with. To the best of my knowledge no intrusion has occurred on www.squid-cache.org. I haven't performed a system audit though - I'm in the middle of a coding sprint (in Brazil as it happens) - but perhaps Duane or Henrik have the time to have a check.

Cheers, Rob
Re: [squid-users] Official registration of #squid channel on freenode
On Sat, 2005-03-19 at 00:31 +0100, Henrik Nordstrom wrote:
> On Fri, 18 Mar 2005, Christoph Haas wrote:
> > We are running the #squid channel on the Freenode IRC network. It's pretty low-traffic but we can help solve a few issues every day. However due to recent changes of the Freenode channel guidelines [1] the #... channels are restricted to official projects. Of course we are doing user support for the Squid proxy software. But due to legal problems many projects have lately been moved to ##... That means we had to move to ##squid unless some project owner of Squid registers #squid and appoints operators to run the channel. This guideline is to prevent channel hijacking.
>
> You should speak to Robert Collins (included in cc). He runs the #squiddev channel on freenode and I guess he would not mind acting as the main op and project contact for #squid as well.

I'm happy to be the project contact for #squid, and to delegate main operation to Christoph. Christoph - can you register it with me as the contact? I tried to fight my way through the new forms and couldn't figure out what they really wanted :[

Rob
Re: [squid-users] Any frontend for squid
On Sun, 2005-01-02 at 23:03 -0600, Joe Cooper wrote:
> It does. We added it about a year ago. Works fine and supports all aspects of delay pools.

class 4 pools ?

Rob
Re: [squid-users] Any frontend for squid
On Sun, 2005-01-02 at 23:33 -0600, Joe Cooper wrote:
> Robert Collins wrote:
> > On Sun, 2005-01-02 at 23:03 -0600, Joe Cooper wrote:
> > > It does. We added it about a year ago. Works fine and supports all aspects of delay pools.
> >
> > class 4 pools ?
>
> Yes. I'm pretty sure, anyway. Jamie wrote it for one of our Squid 3.0 clients, so if class 4 has been in 3.0.DEVEL snapshots for more than 6 months, it is definitely in.

Cool. (yes, class 4 has been there for ages).

Rob
RE: [squid-users] Upstream Proxy problem
On Mon, 2004-12-20 at 10:52 +, Martyn Bright wrote:
> To which the squid server adds:-
>
> X-Cache: MISS from jfc
> Proxy-Connection: close
>
> Which is correct according to the HTTP/1.0 specifications, but which unfortunately terminates this request immediately. I've just noticed this in the header being sent from squid to the Upstream proxy:-
>
> POST http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 1.1.4322.573)
> Content-Type: text/xml; charset=utf-8
> SOAPAction:
> Content-Length: 1966
> Expect: 100-continue
> Host: de4.autotrader.co.uk
> Via: 1.1 jfc:3128 (squid/2.5.STABLE6)
> X-Forwarded-For: 192.168.0.10
> Cache-Control: max-age=259200
>
> A trawl of the net suggests that an HTTP/1.0 proxy should not be adding the Via: statement, let alone adding 1.1 to it.

I hope this hasn't already been answered... but this is blatantly false. It's perfectly legal for an HTTP/1.0 proxy to add a Via header, and the via header _records_ the client's http version.

Rob
RE: [squid-users] Hotmail problem
On Fri, 2004-12-24 at 21:11 +, Lucia Di Occhi wrote:
> I have just tried disabling the ACL
>
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
>
> and I got the blank page again. Hotmail has not fixed it. It would be nice to understand what is causing the blank page from a technical perspective. Does anyone have a clue on what is causing the blank page on some browsers using transparent mode?

I haven't traced it, but I'll take an educated guess. Hotmail may be doing entity encoding that is not valid when they see a client provide an Accept-Encoding header on an HTTP/1.0 request. Why that would result in a blank page I'm not sure... but a tcpdump of the actual page delivered, with the headers would probably show it up quickly. My WAG would be an incompatible mix of Content-Encoding and body data.

Rob
Re: [squid-users] Minimal caching time squid honors
On Mon, 2004-12-20 at 08:31 +0100, Matus UHLAR - fantomas wrote:
> On 19.12 01:22, Henrik Nordstrom wrote:
> > Squid-2.5 is feature frozen since long time back and only bugfixes accepted.
>
> When is squid-3 expected to come? IIRC there are still many things to fix. in such case shouldn't squid-2.5 accept at least some minor enhancements?

It's a matter of resources : if the precious time that the 'core' group has to code is spent on squid 2.5, 3.0 will never get finished.

Rob
Re: [squid-users] Re: Can we give different bandwidth to different users in a same group or network ??
On Tue, 2004-12-21 at 11:52 +0530, Amit Khatri wrote:
> But in this case I need to make 2 Delay pools for 2 different users. (which I know.) But I want to assign different bandwidth to different users in same Delay Pool (either aggregate or network). I want to know is it possible with squid ??

Squid 3 has class 4 delay pools, which allow per logged-in-user bandwidth limiting. It may do what you want (if combined with external acls to get information about policy from (say) ldap, it would definitely be able to do that... with some small amount of coding). That said, squid 3 is still not ready for production use... or even much more than limited beta use.

Rob
Re: [squid-users] Which authentication method for me?
On Tue, 2004-08-31 at 10:06 +0200, Modesto Pietro wrote:
> Hi to everybody, I have a problem, your mail. In my mail box arrived a lot of mail of squid-users but I never subscribe this mailing list. I try to unsubscribe me but I continue to receive mail. For sure they are very interesting but I can't understand it. Somebody can explain how I stop to receive all your mail. Thanks

You'll need to email in a complete, untouched email that you received for us to figure out where it was sent (assuming you really haven't subscribed). Note that to subscribe, you must go through a challenge-response, and no-one can subscribe someone else.

Rob
Re: [squid-users] Memory pools: why use them?
On Tue, 2004-08-31 at 10:42 +0200, Matus UHLAR - fantomas wrote:
> > On Mon, 2004-08-30 at 14:03 +0200, Boniforti Flavio wrote:
> > > Hello list. Can anybody explain me what memory pools are and what benefits I would get by using them?
>
> On 30.08 22:18, Robert Collins wrote:
> > It's the other way around: they are on by default, leave them on unless *you know of a specific reason to disable them*. memory pools are a performance optimisation within squid.
>
> however that did not answer his first question ;) IIUC, they are blocks of reserved/unused memory, which squid maintains itself instead of running malloc/free on the memory (and letting the malloc library to maintain the memory)

A Memory pool is indeed that. The exact nature depends on the mempool implementation in question (which has changed over time), and in 3.0 will be somewhat dynamic, allowing for both slab allocators and simple os caching pools. However, we do get folk asking this fairly often, and I'm seriously considering removing the configure option completely.

Rob
Re: [squid-users] Memory pools: why use them?
On Tue, 2004-08-31 at 17:13 +0200, Henrik Nordstrom wrote:
> On Tue, 31 Aug 2004, Matus UHLAR - fantomas wrote:
> > in what way? to have that behavior permanent, or to keep things at library malloc? Does squid handle its memory in such efficient way that using malloc/free would have strong performance impact?
>
> Just to take away the memory_pools on/off configuration directive as it does not make much sense to have this directive. The configure --disable-mempools directive is sufficient and serves a real purpose. The main reason why the configuration directive exists is to initially make it easier to prove that the use of memory pools do make a benefit. This is already well proven. In fact the configuration directive probably should have gone away even before the first STABLE release with memory pools support, remaining only as a configure --disable-mempools directive. The --disable-mempools configure directive is still needed, but for other reasons (debugging).

Actually, I was thinking the other way around: the 3.0 MemPools support multiple pool allocators: so we can have a trivial pool that is just malloc/free always compiled in and available. Then in squid.conf. the disable_mempools command goes away, and instead we change the default implementation - possibly in squid.conf, but more likely a one line change in MemPools.cc.

Rob
[squid-users] Re: Linux Kongress 2004
On Sun, 2004-08-22 at 12:55 +0200, Henrik Nordstrom wrote:
> I will be at Linux Kongress 2004 url:http://www.linux-kongress.org/2004/. If there is interest i could try to arrange a bof or similar informal gathering about the current situation within the Squid development or any other Squid topic which may interest you. Please indicate interest in this by email. Suggestions on what may be interesting to discuss is also welcome so I know a little on what topics may interest you.

Sadly, I won't be there. I'd be interested in a real-time brainstorming on IRC though.. #squiddev on freenode.

Rob
Re: [squid-users] download.windowsupdate.com
On Sat, 2004-07-17 at 06:34, Brett Glass wrote:
> Yes, this helps. As you can see, the Windows client attempts to fetch a subrange. This causes the Squid proxy to query its parent, which in turn does a TCP_REFRESH_HIT and downloads the ENTIRE FILE (which is often several megabytes) to the child cache. Massive network congestion results.

In all probability, you have your range_offset_limit misconfigured.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] download.windowsupdate.com
On Fri, 2004-07-16 at 03:13, Brett Glass wrote:
> Squid does NOT handle Windows Update properly. In fact, it multiplies the traffic by a factor of 1000 in some cases! This is a serious bug in Squid that really should be fixed.

Got some details?

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Fwd: digest_pw_auth from Squid 3.0DEV with Squid 2.5STABLE5
On Wed, 2004-06-09 at 13:37, [EMAIL PROTECTED] wrote:
> A lightbulb popped up over my head after reading this piece: http://www.squid-cache.org/mail-archive/squid-users/200112/0960.html So instead of ./pam_auth, I tried ./digest_pw_auth. The resulting error gave the clue:
>
> Usage: digest_pw_auth [OPTIONS] passwordfile
>   -c accept digest hashed passwords rather than plaintext in passwordfile
>
> BTW, why is it that I have to do the full make in /path/to/squid-3.0-PRE3 and wait for it to error out, before I can get a successful make in ./helpers? If I skip straight to make in ./helpers, it invariably fails with ld: can't locate file for: -lmiscutil.

erm, it shouldn't error out. But the reason is that that helper links to libmiscutil in /lib. So you could do:

  cd lib
  make
  cd ../helpers/...
  make

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] how to use Intel C++ Compiler for squid
On Mon, 2004-05-17 at 07:51, unixware wrote:
> Dear all i have installed Intel C++ compiler but squid-3 is not picking this up i move the gcc from path .

try :

  ./configure your options here CC=/path/to/intel-C-compiler CXX=/path/to/intel-C++-compiler

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Why is squid passing garbage
On Thu, 2004-04-22 at 06:15, Prashant Kumar wrote:
> Hello peeps I've an external basic authenticator written in perl but squid is sometimes passing garbage as user to my script. Any ideas why.. My custom authenticator logs show
>
> Wed Apr 21 20:01:16 2004 - User 08 does not exist

It might be a non-ascii coding of their name. What browser are they using?

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
RE: [squid-users] Delay pools can't work with accelerator??
On Wed, 2004-04-21 at 20:17, Herman (ISTD) wrote:
> Yes, this is a real problem ? For your information, my users here are used to utilize DAP or Flashget for download. As long as I know, when we are using Flashget, for downloading one big file the Flashget would initiate several threads in downloading portions of the files. Of course, one of the workarounds is to limit connection number for your clients in squid.conf, but this would be troublesome when you user tried to open several browsers at once. Anyone can clarify this ? Is the delaypool limitation for the whole squid client computer or only apply for each of connection of the PC initiated to squid ?

I have a patch for squid-3.0, that I intend to place into squid-3.1 that gives both client and server side delay pools, allowing sane use in accelerator setups. If you want this for experimentation, it's in my [EMAIL PROTECTED]/squid--output-delay-pools--3.0 tla branch.

Cheers, Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
RE: [squid-users] Delay pools can't work with accelerator??
On Thu, 2004-04-22 at 16:32, Robert Collins wrote:
> On Wed, 2004-04-21 at 20:17, Herman (ISTD) wrote:
> > Yes, this is a real problem ? For your information, my users here are used to utilize DAP or Flashget for download. As long as I know, when we are using Flashget, for downloading one big file the Flashget would initiate several threads in downloading portions of the files. Of course, one of the workarounds is to limit connection number for your clients in squid.conf, but this would be troublesome when you user tried to open several browsers at once. Anyone can clarify this ? Is the delaypool limitation for the whole squid client computer or only apply for each of connection of the PC initiated to squid ?
>
> I have a patch for squid-3.0, that I intend to place into squid-3.1 that gives both client and server side delay pools, allowing sane use in accelerator setups. If you want this for experimentation, it's in my [EMAIL PROTECTED]/squid--output-delay-pools--3.0 tla branch.

Bah, I misread the question - sorry :[. I was thinking squid-as-accelerator, not http download 'accelerators'.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Compile errors - Nothing to be done for `all-am'.
On Wed, 2004-02-18 at 07:35, Gareth wrote:
> Hi Guys I decided I wanted to try and get Squid to authenticate users against a Windows 2000 Active Directory, but I didn't seem to have any of the auth programs on my installation. I decided to install squid-2.5.STABLE4, passing --enable-auth=basic,digest,ntlm (and others) to configure. The configure stage seems to run okay, but 'make all' produces the following errors.

try make clean; make

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Configuration of Delay_pools
On Sat, 2004-02-14 at 02:52, Henrik Nordstrom wrote:
> It would be great if this could be extended to allow for more flexible pool designs. I know some redesign of the delay pools have been done in Squid-3, but I do not remember if this has been addressed.

In 3.0 a pool is a composite - it can be composed of just about anything that can provide a bandwidth limit per request - so we have per user pools, the existing 3 classes of pools, and I've a branch that does pools based on a external acl tag.

Setting a cap for all pools - not coded, but easy to do so (one way would be to just place an aggregate bucket around all the pools that are created - but using a common bucket statically allocated)

What hasn't been done to date is a UI to allow users to create their own composite structure - to tell squid how to arrange the components. That would allow users to setup custom pool layouts to suit their needs.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] ESI Invalidation Protocol
On Tue, 2004-01-27 at 03:35, Konrad wrote:
> Hi gentlemen Does Squid 3.0 support ESI Invalidation Protocol ? - if not are there any plans ?

Not at the moment.

> Or maybe there are some other ways to somehow invalidate and purge cached ESI elements ?

Yes - see PURGE in squid.conf.default, and in the FAQ, and in the squid book...

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Strange ACL behavior
On Thu, 2004-01-15 at 05:08, Burnes, James wrote:
> .
> acl safedomains dstdomain .mycompany.com
> acl authenticated_users proxy_auth
                                     ^^^ REQUIRED

Add that one word in, and it'll work.

Cheers, Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: Rif: Re: [squid-users] Digest Authentication
On Thu, 2004-01-15 at 09:50, Antonio Manfreda wrote:
> Hello, I'm trying to make an offline calculation of the Request-Digest for an authentication session between a client and Squid using digest_pw_auth to see if I can reconstruct the response to the challenge. I'm using md5sum on Linux to make MD5 calculations.

Turn on auth debugging in squid and you can see what it generates for the various variables.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: Rif: Re: [squid-users] Digest Authentication
On Thu, 2004-01-15 at 10:35, Antonio Manfreda wrote:
> Thank you very much for the clue. How can I turn on auth debugging in squid and what file does it use for logging? Anyway, I don't understand why, following RFC specs, I can't build the digest created by the client (after all it is a client side calculation). Is there some base64 encoding I am missing?

I'm not too interested in double checking your code - you have two implementations (squid's and henrik's perl script) that you can cross reference. Squid is known to work correctly with mozilla and ie, so I'm fairly sure we've got it right :}. set debug_options = ALL,1 29,5 in squid.conf to get debug details.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
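The offline Request-Digest calculation asked about in the two messages above, as an added example that is not part of the original thread and not Squid's or digest_pw_auth's own code: it follows the RFC 2617 formulas for qop=auth and for the older no-qop form, and checks a captured credential against a known password. The function names are hypothetical; the sample header and password are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re

# name=value pairs of a Digest credential; values may be quoted or bare.
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def md5_hex(text):
    """MD5 over the exact bytes of text, as 32 lowercase hex digits."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # H(A1) = MD5(username ":" realm ":" password). No base64 is involved,
    # and no trailing newline: hashing "user:realm:pass\n" (what a plain
    # `echo ... | md5sum` feeds in) yields a different, useless value.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method, uri):
    # H(A2) = MD5(method ":" digest-uri) for qop=auth or no qop. The uri is
    # the string from the header, byte for byte as the client sent it.
    return md5_hex(f"{method}:{uri}")


def request_digest(h1, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """Compute the 'response' value a client should send."""
    h2 = ha2(method, uri)
    if qop is None:
        # RFC 2069 compatible form, used when the challenge carried no qop.
        return md5_hex(f"{h1}:{nonce}:{h2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def parse_digest_header(value):
    """Split the value of an Authorization / Proxy-Authorization header."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k.lower(): (q if q else u) for k, q, u in PARAM.findall(rest)}


def verify(h1, method, fields):
    """True if the captured response matches what h1 would produce."""
    expected = request_digest(h1, fields["nonce"], method, fields["uri"],
                              fields.get("qop"), fields.get("nc"),
                              fields.get("cnonce"))
    # Constant-time comparison, as a verifier should use.
    return hmac.compare_digest(expected, fields["response"].lower())


# Worked example from RFC 2617 section 3.5 (password: "Circle Of Life").
SAMPLE_AUTHORIZATION = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    fields = parse_digest_header(SAMPLE_AUTHORIZATION)
    h1 = ha1(fields["username"], fields["realm"], "Circle Of Life")
    print("response matches:", verify(h1, "GET", fields))
```

Comparing each intermediate value (H(A1), H(A2), the final digest) with the values in the proxy's debug output shows which input string differs.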
Re: [squid-users] Squid with ESI + Tomcat
On Fri, 2004-01-09 at 00:50, Henrik Nordstrom wrote:
> Surrogate-Control: max-age=600, content=ESI/1.0
>
> But on the other hand the surrogate-control max-age should override this I think.. but probably it does not, or at least not all of them..

It should yes. Konrad, I suggest testing with a static page on apache. Give it one of those three headers, if that caches, add another, and then the last one. Find which one is breaking the surrogate control, and I'll get that fixed.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Should Proxy-Connection: close tear down TCP connection
On Fri, 2004-01-09 at 09:34, Schuster, Dan wrote:
> When Squid sends a Proxy-Connection: close header back to a client should it also be closing the TCP connection?

Yes.

> I have an instance where Squid-2.4S7 forwards a 302 redirect back to the client with the Proxy-Connection: close but doesn't shut down the TCP connection for another 15 minutes.

Ah. Well squid 2.4 is not supported-for-free by the squid developers these days. You could arrange a support contract with one of us - but I recommend moving onto squid 2.5 latest-stable regardless, as it has many improvements over squid 2.4

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] some sites with ? return zero file error
On Thu, 2004-01-01 at 08:50, David O wrote:
> All: I have read through the FAQs and noted the Linux problem for Squid pre-Stable4 with PIX and Linux, which is what this problem is. For integration stability reasons we can't upgrade Squid Stable 1 to the current version so I need to use a work-around. I just wanted to check to see if this solution is the appropriate one.

Backport the fix from http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE3-hostheader.patch

Cheers, Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: AW: [squid-users] [OT] Buy my book?
On Fri, 2003-12-12 at 17:58, Henrik Nordstrom wrote:
> Would a support contract work for you?

Let me second this. If anyone here wants to contribute fiscally, but their company won't allow a donation, buy something from one of the active developers - I live in Sydney Australia, and support clients locally and worldwide. MARA systems supports folk worldwide as far as I'm aware.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Squid versus Microsoft ISA
On Fri, 2003-12-05 at 02:41, Dave Augustus wrote:
> Hello All, Realizing that most on this list are biased against Microsoft, I am asking you to put your biases aside and answer this question: Why should I as a manager consider using Squid over Microsoft ISA in an (almost) entirely Microsoft shop if neither solution is deployed yet?

Additionally, I'd like to add that

*) squid runs on NT (many thanks to Guido who maintains the native port)
*) squid is considerably more tunable than ISA's proxy facilities.
*) I don't think it's fair to say that 'most on this list' are biased against Microsoft. The list is here for folk who use squid, and many (I'd have to say 90+%) support or interoperate with Microsoft clients/servers and the like.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] limits receiving bandwidth
On Fri, 2003-11-21 at 17:53, dwi amk wrote:
> Anyone knows how to bandwidth-limiting what squid gets not what squid gives? what regex in delay_pools fulfills this?

That's precisely what delay pools does.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Configure squid to first try NTLM auth then fall back to BASIC?
On Sun, 2003-11-16 at 11:00, Matthew Richards wrote:
> Hello Squid Users, I wish to configure Squid so that it challenges users for authentication, first with NTLM and if the user agent does not support that then offer BASIC. I am currently experimenting with Samba 3 and the winbind authenticator. Can anyone please tell me if there is another way to configure squid to first try NTLM auth then fall back to BASIC?

You cannot. You can configure squid to offer both NTLM and basic, but it is up to the user's browser to choose which to use. See squid.conf.default for the example config which will do all three supported protocols. See RFC 2617 for details on the HTTP authentication mechanism, including the manner in which clients are meant to choose the authentication protocol.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
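The behaviour described in the reply above, as an added example that is not part of the original thread or of Squid: the proxy lists its challenges and the client alone decides which one to answer. The 407 response, the realm and the client preference lists are constructed, and the parser assumes one challenge per header line.

```python
import re

# Constructed 407 response from a proxy configured to offer NTLM and Basic.
SAMPLE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="example proxy"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# name=value or name="quoted value" parameters that follow the scheme token.
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenges(raw_response, header="proxy-authenticate"):
    """Return [(scheme, params)] in the order the proxy sent them.

    Simplification: one challenge per header line (no comma-joined lists).
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != header:
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {k.lower(): (quoted or bare)
                  for k, quoted, bare in PARAM_RE.findall(rest)}
        challenges.append((scheme.lower(), params))
    return challenges


def choose_scheme(challenges, client_preference):
    """Client-side choice: the first scheme in the client's own preference
    list that the proxy offered. The order of the headers plays no part."""
    offered = {scheme for scheme, _ in challenges}
    for scheme in client_preference:
        if scheme in offered:
            return scheme
    return None


def cleartext_password_schemes(challenges):
    """Offered schemes that put the password itself on the wire.
    Basic sends base64(user:password), which is encoding, not encryption."""
    return [scheme for scheme, _ in challenges if scheme == "basic"]


if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_407)
    for label, prefs in (("NTLM-capable browser", ["ntlm", "digest", "basic"]),
                         ("Basic-only client", ["basic"])):
        print(label, "->", choose_scheme(offered, prefs))
    print("sends the password itself:", cleartext_password_schemes(offered))
```

Because the choice is the client's, offering Basic next to NTLM means some clients will answer with Basic; the last function is the check to run when deciding whether that is acceptable on a given network path.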
Re: [squid-users] -- Multiple squid process....
On Thu, 2003-11-13 at 05:28, Chris Wilcox wrote:
> Hello, I have a strange problem here. I have: SQUID1 - Dansguardian - SQUID2. On the same machine, SQUID1 and SQUID2 are 2 different processes, with different squid.conf files. I start them perfectly, but when I access my proxy the first time, SQUID2 multiplies +- 20 times. When I type a ps ax |grep squid, I have 19 processes there

If you are using aufs in the config for SQUID2, then it's normal behaviour: the way linux 2.6 handles threads, each thread shows up as a separate process.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Delay pool mark from redirector decision.
On Thu, 2003-11-13 at 09:28, Henrik Nordstrom wrote:
> On Wed, 12 Nov 2003, Игорь Ляпин wrote:
> > How to delay client's requests from redirector decision? Some of my staff would like to use chat, porn and other and I must not deny them just slow down their connections in worktime hours.
>
> I do not think this can be done easily with standard Squid. The redirector interface lacks the ability to return such information. In Squid-3 the external_acl interface does have a tag return value which might be possible to use for similar purposes, but I am not sure this can be done for selection of delay pools.

I have a branch I intend to merge for 3.1 which does exactly that: [EMAIL PROTECTED]/squid--tagged-pools--3.0

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
RE: [squid-users] IE Hang 2.5 Stable 4
On Wed, 2003-11-12 at 03:08, Ounsted, Toby wrote: Jeff - I'm seeing exactly this with Squid on Win32 - no obvious solutions. However Guido asked me to try and replicate on a Linux box to see if it was a Win32 specific issue. I'm in the process of putting this together but you've essentially answered the question. Guido - thank you for all of your work. Maybe it's more squid general and not just W32? Jeff - Questions: Are you using NTLM?? Are there any specific web sites that are worse than others? What is the frequency? Do you see this with other versions of IE? does netstat -n show any connections to the web cache? Does squid's access.log show any requests to the cache after the problem occurs, before the browser is exited?

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] [Q] Squid Log Analyzers for Win32?
On Mon, 2003-11-10 at 08:14, Donovan J. Edye wrote:
> G'Day, Does anyone know of any squid log analyzers (like Calamaris etc.) for Win32?

calamaris. webalyzer.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Respond Problem
On Wed, 2003-11-05 at 20:43, Marc Elsen wrote:
> Dirk Spiekermann wrote:
> > Well, if it is the only possibility I'll have to try it. Thanks so far...
>
> It's a kind of generalising answer, but the thing is also there is quite or no effective support left for 2.4 releases, hence the classical sentence.

More accurately, there is only commercial support left. The developers don't have the time to support the several year old version that is 2.4.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] async i/o
On Thu, 2003-11-06 at 08:39, [EMAIL PROTECTED] wrote:
> Probably the latest stable release. So there is no definitive yes, it's stable in version X? If not, what are your experiences ? No experience of it yet, but I've inherited a set of Squid recommendations from a past colleague, including implementation of async i/o. As this is 2.4.STABLE7 (not my decision), and is in production, I'm more than a little hesitant to go with this particular aspect of it. Anyone else have any thoughts on this?

I encountered a weird corruption issue with aufs on solaris with squid 2.4stable X. I suggest you use diskd. If at all possible, please do upgrade to 2.5.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] fastening squid to a port: problem
On Thu, 2003-11-06 at 07:56, Henrik Nordstrom wrote:
> On Wed, 5 Nov 2003, Payal Rathod wrote:
> > Thanks for the mail. Well, I have only one proxy running, and webserver is on 80. But I believe I mentioned port 0? What might be the reason that squid behaves that way when port is set to 0 or none?
>
> It is not possible to use port 0. What I think is going on is that when port 0 is specified in the user agent (browser) it connects to port 80.

I suspect that when the port is 0 the browser disables the use of the proxy, thus going direct through NAT or normal routing.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] TCP_REFRESH_HIT instead of TCP_HIT?
On Thu, 2003-11-06 at 08:11, Y Jones wrote:
> I am running 3.0-PRE3-20031002 in accelerator mode on port 80 with apache on port 81. Here are the headers when fetching a page straight from apache:
>
> HTTP/1.1 200 OK
> Date: Wed, 05 Nov 2003 20:23:51 GMT
> Server: Apache/1.3.28 (Unix)
> Cache-Control: max-age=86400
> Expires: Thu, 06 Nov 2003 20:23:51 GMT
> Surrogate-Control: max-age=3600, content=ESI/1.0
> Last-Modified: Wed, 05 Nov 2003 20:20:23 GMT
> Connection: close
> Content-Type: text/html
>
> It looks to me like this page should get cached for 3600 seconds at least. Fetching the page from the squid on the same machine a few seconds later gives these changes/additions:
>
> Date: Wed, 05 Nov 2003 20:20:46 GMT (date is slightly older than above)
> Expires: Thu, 06 Nov 2003 20:20:46 GMT (date is slightly older than above)
> Last-Modified: Wed, 05 Nov 2003 20:20:23 GMT (date is the same as above)

That's weird. Given that the processes are on the same machine. Could you file a bug please?

> Age: 187
> X-Cache: HIT from www.myserver.com
> Via: 1.0 www.myserver.com (squid/3.0-PRE3-20031002)
>
> And access.log calls it a TCP_REFRESH_HIT, instead of a TCP_HIT. And cache.log calls it STALE, with:
>
> entry-timestamp: Wed, 05 Nov 2003 20:20:46 GMT

It is stale - the expires has passed. The Surrogate Control header overrides this.

> I am using the default refresh_pattern. I am not using always_direct. Attempting to force a refresh of the object in the cache using:
>
> squidclient -r -p80 -hwww.myserver.com http://www.myserver.com/path/to/the/file.htm
>
> ...yields a TCP_REFRESH_HIT and there is no change to entry-timestamp

This is because the surrogate control overrides the browser's request for reloading. In a front-end scenario squid is authoritative for the content.

Cheers,
Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] async i/o
On Thu, 2003-11-06 at 10:34, Henrik Nordstrom wrote:
> On Thu, 6 Nov 2003, Robert Collins wrote:
> > I encountered a weird corruption issue with aufs on solaris with squid 2.4stable X. I suggest you use diskd.
>
> Squid-2.5.STABLE1 and earlier (as far back as at least 2.3, maybe 2.2 as well) have known issues where aufs can cause data corruption.
>
> url:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE1-aufs

Yes. This appeared to be something different though. We never tracked it down closely enough to document or correct.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Fw: Squid V2.5 and Webmin
On Tue, 2003-11-04 at 20:27, novelit wrote:
> Hi all Anybody can explain to me, i'm using Squid v.2.5 and i tried to configure authenticate access to websites. However, when i restart squid, i get the following error messages.

You probably have an old webmin that doesn't understand squid 2.5.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] How Many Concurrent Connections
On Thu, 2003-10-30 at 05:42, JOHNSON DAVID R wrote:
> How many concurrent connections can the squid service handle? I am getting a problem with squid crashing every few days or so and am trying to troubleshoot the problem without knowing it.

Depends on your OS configuration and the squid build. A tuned squid can handle thousands of concurrent connections.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
RE: [squid-users] How Many Concurrent Connections
Please keep the thread on-list... not least because direct mail from me to you bounces off of some annoying spam-manual-check, which I don't have the time to fiddle around with.

On Thu, 2003-10-30 at 06:55, JOHNSON DAVID R wrote:
> ok, well i am running squid v 2.4STABLE and it is quitting on me every 3-4 days..

2.4 is very old - and no longer supported by the squid developers, except for commercial clients. For free support and troubleshooting, as well as a plethora of bugfixes - including security sensitive ones - I urge you to upgrade to 2.5 latest stable.

> i run RH8 with dual xeon procs, 1 gig mem and a 10/100. What in the config do i need to *tweak*?

Kernel ephemeral ports, possible other kernel settings depending on the RH defaults, user fd limits, rebuild squid. There are documents on this on the web - such as Joe Cooper's tuning squid whitepaper...

> Is there any file or anything i can send you in order for you to lend me a hand? Please?

I wouldn't assume that your problem is number of concurrent connections - follow the FAQ guidelines for submitting a squid bug report, and you'll gather information that you can probably use to identify the cause.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] MEMHAR
On Thu, 2003-10-30 at 07:26, Michael Buck wrote:
> [EMAIL PROTECTED] 10/29/03 12:30PM
> Your email message was temporarily blocked by my spam filter. If you feel this is an error, please follow these instructions.

Autoresponders that send messages like this to the mailing list are not acceptable. Consider this a warning: if you don't get your mail system fixed, you will be removed from the mailing list.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Does rep_mime_type ACL works within delay_access option
On Tue, 2003-10-28 at 21:35, Dmitry N. Hramtsov wrote:
> Hello Henrik, Thank you for a quick and informative answer. I cannot say for sure, but, theoretically, it is possible to recalculate ACL matches when reply comes. So squid may reassign delay pool for request. Am I right?

Not in the current codebase, no. Hypothetically, you could alter squid to do this.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] SQUID and MS Active Directory
On Wed, 2003-10-22 at 18:24, Rothermel Wolfgang wrote:
> Is it possible to
> - use AD users and AD groups in SQUID ACLs

Yes.

> - authenticate the IE users transparently as the NTLM authenticator does it currently.

Yes.

Cheers,
Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Squid 3 - Page Content
On Tue, 2003-10-21 at 21:31, Martin Ritchie wrote:
> Sorry if this is a total newbee question but I'm wanting to store the actual page content in a database is there anyone out there that has done anything like this? Do you have any pointers of where I should start.

Well, there are a few approaches. The simplest would be to tail store.log, and copy out the objects as they are completed. You can use ufsdump in the squid3 sources (cd src; make ufsdump) as a sample application for examining a single cached object. Only a little work would be needed to list all the metadata, and the byte offset that actual data starts - from there you can insert that into your database. (Be sure to take a local copy (not hardlink) first, so as to minimise the occurrences of the object being recycled before you get to it.) You can't do that with COSS though. A second approach would be a hacked squid with an external call out of some sort - perhaps iCap, although the iCap patches are still only for 2.5.

> I'm also trying to figure out why I get
> FATAL: neighborsUdpPing: There is no ICP socket!
> Aborted

Sounds like a problem opening the icp sockets - check your udp_* settings in squid.conf.

Cheers,
Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] httpd-accelerator
On Mon, 2003-10-20 at 19:12, Emilio Casbas wrote:
> We have configured two reverse proxy accelerators with squid for our web-servers with load-balancing (for a long time), all the incoming traffic is for our web-servers, well, but in the squid logs we can see a few connections that aren't for our webservers (likely inappropriate use)

Probably folk probing for misconfigured proxies.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] logging on to a website/timeout
On Wed, 2003-10-15 at 02:13, [EMAIL PROTECTED] wrote:
> It has been suggested that our problem is related to 'sticky sessions' by which we understand that the initial communication is being established between Squid and destination site and then the destination site is trying to continue with the local PC which being differently identified somehow prevents the link and it times out. (or it could be the other way round - first connection with local PC and then with Squid) Further to our ongoing problem above, I offer the following information which is a summary of a call we had with our ISP: Either way the destination site is confused over who it is dealing with.

A strong indication that the destination site is using either per IP session of some sort, or NTLM authentication, both of which are fundamentally broken to use on the internet.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] file downloading corruption
On Thu, 2003-10-16 at 12:49, fooler wrote:
> otherwise if all false, squid is the culprit :-

Not necessarily: Two more issues: some browsers, with some sites using CE headers, save a .gz file decompressed - with the wrong extension. (I.e. foo.tar.gz is saved with the name foo.tar.gz, but is actually foo.tar internally). Secondly, sites using incorrect or missing Vary headers can lead to corrupt content in a similar fashion.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
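The second issue named in the reply above, as an added example that is not part of the original thread and is not Squid's code: a toy cache in front of a constructed origin that gzip-encodes on request, run once with the origin omitting Vary and once sending it. The URL, payload and class names are assumptions made for the illustration.

```python
import gzip

URL = "http://origin.example/foo.tar.gz"      # constructed
BODY = b"archive bytes " * 20                 # constructed payload


def origin(request_headers, send_vary):
    """Constructed origin: gzip-encodes when the client accepts gzip and,
    if send_vary is set, declares that dependency with a Vary header."""
    headers = {"Content-Type": "application/octet-stream"}
    body = BODY
    if "gzip" in request_headers.get("Accept-Encoding", ""):
        body = gzip.compress(BODY)
        headers["Content-Encoding"] = "gzip"
    if send_vary:
        headers["Vary"] = "Accept-Encoding"
    return headers, body


class Cache:
    """Minimal cache that honours Vary exactly as the origin declares it."""

    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.store = {}   # url -> [(vary, variant_key, headers, body)]

    @staticmethod
    def _variant_key(vary, request_headers):
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        lookup = {k.lower(): v for k, v in request_headers.items()}
        return tuple((n, lookup.get(n, "")) for n in names)

    def fetch(self, url, request_headers):
        for vary, key, headers, body in self.store.get(url, []):
            if self._variant_key(vary, request_headers) == key:
                return "HIT", headers, body
        headers, body = origin(request_headers, self.send_vary)
        vary = headers.get("Vary", "")
        key = self._variant_key(vary, request_headers)
        self.store.setdefault(url, []).append((vary, key, headers, body))
        return "MISS", headers, body


def client_view(headers, body, accepts_gzip):
    """What the client ends up with: it can only undo an encoding it supports."""
    if headers.get("Content-Encoding") == "gzip" and accepts_gzip:
        return gzip.decompress(body)
    return body


def scenario(send_vary):
    """A gzip-capable client warms the cache, then a client that sent no
    Accept-Encoding asks for the same URL. Returns (cache status, intact?)."""
    cache = Cache(send_vary)
    cache.fetch(URL, {"Accept-Encoding": "gzip"})
    status, headers, body = cache.fetch(URL, {})
    return status, client_view(headers, body, accepts_gzip=False) == BODY


if __name__ == "__main__":
    print("origin omits Vary:", scenario(False))   # stored gzip variant reused
    print("origin sends Vary:", scenario(True))    # separate variant fetched
```

Without Vary the cache has no way to tell the two requests apart, so the second client receives bytes it never asked for; the cache behaved correctly and the origin's headers were at fault.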
Re: [squid-users] multiple PURGING
On Wed, 2003-10-08 at 22:57, Stefan Vogel wrote:
> O.k, I've found the tool purge on http://www.squid-cache.org/related-software.html And bingo. This also works for squid 3. Very nice tool. Can someone tell me, why the original link to the purge-tool http://www.cache.dfn.de has closed down? Is someone actively developing on this purge-tool?

No idea :}.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.
Re: [squid-users] Question
On Thu, 2003-10-09 at 18:12, Gillian Ramsay wrote:
> Is there a way to query Squid proxy from an application to find out what the global reply_body_max_size parameter is ?

No.

> If not, how can I get round the problem using HTTP/1.1 range requests ?

No. That would defeat the point of the parameter.

Cheers,
Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.