RE: [squid-users] RE: ACL wildcard?
Hello,

Just done: http://bugs.squid-cache.org/show_bug.cgi?id=3815

Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday 18 March 2013 23:25
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: ACL wildcard?

On 19/03/2013 3:03 a.m., Sébastien WENSKE wrote:

Hey,

It would be great if this feature becomes available!!!

Then please submit a Feature Request bug.

acl aclname_1 type_1
acl aclname_2 type_2
acl aclname_3 type_3
acl aclname_4 type_4
[...]
http_access allow|deny aclname_*

Cheers!

-----Original Message-----
From: Nick Cairncross

Hi all,

Just a quick question today..:

In a bid to keep to some standards my ACLs all follow similar naming conventions:

FILETYPE_EXE_[object] - e.g. FILE_TYPE_EXE_Users, FILE_TYPE_EXE_Hosts, FILE_TYPE_EXE_IPAddresses
FILETYPE_MP3_[object] - e.g. FILE_TYPE_MP3_Users, FILE_TYPE_MP3_Hosts, FILE_TYPE_MP3_IPAddresses
FILETYPE_ZIP_[object] - e.g. FILE_TYPE_ZIP_Users, FILE_TYPE_ZIP_Hosts, FILE_TYPE_ZIP_IPAddresses

Instead of repeating the deny_info entry three times for each of these, is it possible to use a wildcard for one? If so.. What is it?:

deny_info CUSTOM_FILEBLOCKED FILETYPE_{wildcard}

Have you considered making this a dynamic external_acl_type helper lookup? The helper can return a message=blah parameter to be embedded in a single error page which contains your variable explanation part.

Amos
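The external_acl_type approach Amos suggests, written out as an added example (this is not code from the thread or from the Squid project). It assumes the hypothetical squid.conf wiring shown in the docstring, a constructed per-extension policy standing in for the FILETYPE_*_{Users,Hosts,IPAddresses} ACL families, and the %SRC %LOGIN %PATH request format; the helper replies OK (ACL matches, so the single http_access deny fires) with a message= value that one CUSTOM_FILEBLOCKED page can display through the %o macro, or ERR when nothing applies.

```python
#!/usr/bin/env python3
"""external_acl_type helper that decides per file type and returns a reason.

Added example, not code from the thread. Assumed squid.conf wiring (all names
hypothetical):

    external_acl_type filetype_check ttl=60 %SRC %LOGIN %PATH /usr/local/bin/filetype_acl.py
    acl filetype_blocked external filetype_check
    http_access deny filetype_blocked
    deny_info CUSTOM_FILEBLOCKED filetype_blocked

"OK" means the ACL matches (so the deny fires); the message= value is what
the CUSTOM_FILEBLOCKED page can show through the %o error-page macro.
"""
import ipaddress
import sys
from urllib.parse import quote

# Constructed policy standing in for the FILETYPE_*_{Users,Hosts,IPAddresses}
# ACL families: per extension, the client networks and logins that are denied.
POLICY = {
    "exe": {"nets": ("10.4.10.0/24",), "users": {"guest"}},
    "mp3": {"nets": ("10.0.0.0/8",), "users": set()},
    "zip": {"nets": (), "users": {"guest", "contractor"}},
}


def extension_of(path):
    """Lower-case extension of the last path segment, ignoring any query string."""
    path = path.split("?", 1)[0]
    segment = path.rsplit("/", 1)[-1]
    return segment.rsplit(".", 1)[-1].lower() if "." in segment else ""


def decide(src, login, path):
    """Return (blocked, reason) for one request."""
    rule = POLICY.get(extension_of(path))
    if rule is None:
        return False, ""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable client address: fail closed rather than let it through.
        return True, "client address not recognised"
    ext = extension_of(path).upper()
    for net in rule["nets"]:
        if addr in ipaddress.ip_network(net):
            return True, f"{ext} downloads are blocked for network {net}"
    if login in rule["users"]:
        return True, f"{ext} downloads are blocked for user {login}"
    return False, ""


def handle_line(line):
    """Map one request line from Squid to the reply line it expects."""
    fields = line.rstrip("\n").split()
    # With concurrency=N Squid prefixes a channel id; echo it back unchanged.
    channel = ""
    if fields and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) < 3:
        return channel + "BH"           # malformed request (BH needs Squid 3.2+)
    src, login, path = fields[:3]
    blocked, reason = decide(src, login, path)
    if not blocked:
        return channel + "ERR"          # ACL does not match: request continues
    # Values with spaces must be url-encoded (or quoted) in helper replies.
    return channel + "OK message=" + quote(reason, safe="")


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()              # Squid waits for each reply line; never buffer


if __name__ == "__main__":
    main()
```

Because the decision and the wording of the reason both live in the helper, adding a fourth file type is a one-line policy change rather than another acl/http_access/deny_info triple, and the ttl= on the external_acl_type line keeps Squid from re-asking for every request.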
[squid-users] RE: ACL wildcard?
Hey,

It would be great if this feature becomes available!!!

acl aclname_1 type_1
acl aclname_2 type_2
acl aclname_3 type_3
acl aclname_4 type_4
[...]
http_access allow|deny aclname_*

Cheers!

-----Original Message-----
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Thursday 11 March 2010 18:41
To: squid-users@squid-cache.org
Subject: [squid-users] ACL wildcard?

Hi all,

Just a quick question today..:

In a bid to keep to some standards my ACLs all follow similar naming conventions:

FILETYPE_EXE_[object] - e.g. FILE_TYPE_EXE_Users, FILE_TYPE_EXE_Hosts, FILE_TYPE_EXE_IPAddresses
FILETYPE_MP3_[object] - e.g. FILE_TYPE_MP3_Users, FILE_TYPE_MP3_Hosts, FILE_TYPE_MP3_IPAddresses
FILETYPE_ZIP_[object] - e.g. FILE_TYPE_ZIP_Users, FILE_TYPE_ZIP_Hosts, FILE_TYPE_ZIP_IPAddresses

Instead of repeating the deny_info entry three times for each of these, is it possible to use a wildcard for one? If so.. What is it?:

deny_info CUSTOM_FILEBLOCKED FILETYPE_{wildcard}

Thanks,
Nick
[squid-users] assertion failed: client_side.cc:3584: !switchedToHttps_
Hi List,

I just installed from source the latest 3.2.9 squid with the ssl-bump feature. It works fine, except that I get random crashes as you can see below:

[...]
2013/03/14 16:48:45 kid1| assertion failed: client_side.cc:3584: !switchedToHttps_
2013/03/14 16:48:48 kid1| Starting Squid Cache version 3.2.9 for x86_64-unknown-linux-gnu...
2013/03/14 16:48:48 kid1| Process ID 17578
2013/03/14 16:48:48 kid1| Process Roles: worker
2013/03/14 16:48:48 kid1| With 1024 file descriptors available
2013/03/14 16:48:48 kid1| Initializing IP Cache...
2013/03/14 16:48:48 kid1| DNS Socket created at 0.0.0.0, FD 8
2013/03/14 16:48:48 kid1| Adding domain cr0.sw-servers.local from /etc/resolv.conf
2013/03/14 16:48:48 kid1| Adding domain sw-servers.local from /etc/resolv.conf
2013/03/14 16:48:48 kid1| Adding nameserver 10.0.0.1 from /etc/resolv.conf
2013/03/14 16:48:48 kid1| helperOpenServers: Starting 5/25 'ssl_crtd' processes
2013/03/14 16:48:48 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2013/03/14 16:48:48 kid1| Unlinkd pipe opened on FD 23
2013/03/14 16:48:48 kid1| Store logging disabled
2013/03/14 16:48:48 kid1| Swap maxSize 11776 + 3170304 KB, estimated 9302331 objects
2013/03/14 16:48:48 kid1| Target number of buckets: 465116
2013/03/14 16:48:48 kid1| Using 524288 Store buckets
2013/03/14 16:48:48 kid1| Max Mem size: 3170304 KB
2013/03/14 16:48:48 kid1| Max Swap size: 11776 KB
2013/03/14 16:48:48 kid1| Rebuilding storage in /var/cache/squid (dirty log)
2013/03/14 16:48:48 kid1| Using Least Load store dir selection
2013/03/14 16:48:48 kid1| Set Current Directory to /var/cache/squid
[...]

Here is the conf:

[...]
### SSL Bumping
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/cache/squid/ssl_db -M 4MB
sslcrtd_children 25
###
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
[...]

Has someone encountered this error?

Cheers,
Sebastien WENSKE
RE: [squid-users] Dynamic SSL
Hi Hasanen,

All certificates are generated on-the-fly by your Squid CA, which is self-signed. So you have to install/deploy this self-signed Root CA on all your clients.

Cheers!
Sebastien WENSKE

-----Original Message-----
From: Hasanen AL-Bana [mailto:hasa...@gmail.com]
Sent: Thursday 14 March 2013 18:54
To: Guy Helmer
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Dynamic SSL

Thank you Guy for your clarification. So you are saying that the only way to achieve squid https interception is to force users to upload our squid certificate to their browser, or they will have to deal with the browser warnings.

On Thu, Mar 14, 2013 at 5:29 PM, Guy Helmer guy.hel...@palisadesystems.com wrote:

On Mar 14, 2013, at 9:23 AM, Hasanen AL-Bana hasa...@gmail.com wrote:

I thought Squid can fetch the original certificate for a website and pass it to the browser instead of the one created by me. Isn't that how dynamic ssl generation should work?

No, there are two parts for the asymmetric encryption used for certificates: the public key in the certificate, and the private key known only to the original web server. Without the original private key, squid can not impersonate the original web server and thus can not simply pass the real certificate to the browser. So, dynamic SSL certificate generation involves creating 'imposter' certificates and private keys, signed with a local signing certificate that the local web browsers trust.

Guy

On Thu, Mar 14, 2013 at 5:05 PM, Guy Helmer guy.hel...@palisadesystems.com wrote:

On Mar 14, 2013, at 7:22 AM, Hasanen AL-Bana hasa...@gmail.com wrote:

Hi, I have successfully installed squid 3.3 compiled with ssl support. Interception of SSL traffic is working fine with browsers loaded with my self-created .DER file. But without it, I keep getting browser warnings; chrome doesn't work at all with gmail in this case.

That's correct behavior.

The question is, if I purchase a valid SSL certificate, will squid be able to use it for all websites? Will user browsers accept it?

No, you can't purchase a certificate from legitimate certificate vendors that can sign other arbitrary certificates. If you could, then any site could impersonate any other site, and server authentication by certificates would be meaningless.

Guy
[squid-users] Squid as reverse proxy and PCI Tests
Hope this can help :)

http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/

Best Regards,
Sebastien WENSKE
RE: [squid-users] Squid as reverse proxy and PCI Tests
You're right, I just updated the post :)

Sebastien.

-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Monday 21 January 2013 17:42
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid as reverse proxy and PCI Tests

On 1/21/2013 6:11 PM, Sébastien WENSKE wrote:

Hope this can help :)
http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/
Best Regards,
Sebastien WENSKE

Just wondering how it helps in these tests? Since not everybody knows the reason, you should explain the cause and the result of the patch.

Regards,
Eliezer
RE: [squid-users] Squid as reverse proxy and PCI Tests
Not tested, but the CIPHER_SERVER_PREFERENCE is still needed :)

Sebastien

-----Original Message-----
From: dweimer [mailto:dwei...@dweimer.net]
Sent: Monday 21 January 2013 18:06
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid as reverse proxy and PCI Tests

On 2013-01-21 10:11, Sébastien WENSKE wrote:

Hope this can help :)
http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/
Best Regards,
Sebastien WENSKE

Wouldn't just compiling against an OpenSSL build that has had zlib compression disabled get the same end result, without requiring a patch and editing your configuration?

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
RE: [squid-users] tcp_outgoing_mark + https
:49.257 kid1| Checklist.cc(162) preCheck: ACLChecklist::preCheck: 0x4945528 checking 'always_direct allow airpad_test'
2012/12/13 09:09:49.257 kid1| Acl.cc(321) matches: ACLList::matches: checking airpad_test
2012/12/13 09:09:49.257 kid1| Acl.cc(310) checklistMatches: ACL::checklistMatches: checking 'airpad_test'
2012/12/13 09:09:49.257 kid1| Ip.cc(571) match: aclIpMatchIp: '10.4.10.76:52320' NOT found
2012/12/13 09:09:49.257 kid1| Acl.cc(312) checklistMatches: ACL::ChecklistMatches: result for 'airpad_test' is 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(229) matchAclList: aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(243) matchAclList: aclmatchAclList: 0x4945528 returning (AND list entry awaiting an async lookup)
2012/12/13 09:09:49.257 kid1| Checklist.cc(162) preCheck: ACLChecklist::preCheck: 0x4945528 checking 'always_direct allow ouest-express'
2012/12/13 09:09:49.257 kid1| Acl.cc(321) matches: ACLList::matches: checking ouest-express
2012/12/13 09:09:49.257 kid1| Acl.cc(310) checklistMatches: ACL::checklistMatches: checking 'ouest-express'
2012/12/13 09:09:49.257 kid1| Ip.cc(571) match: aclIpMatchIp: '10.4.10.76:52320' NOT found
2012/12/13 09:09:49.257 kid1| Acl.cc(312) checklistMatches: ACL::ChecklistMatches: result for 'ouest-express' is 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(229) matchAclList: aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(243) matchAclList: aclmatchAclList: 0x4945528 returning (AND list entry awaiting an async lookup)
2012/12/13 09:09:49.257 kid1| Checklist.cc(124) matchNonBlocking: 0x4945528 NO match found, returning 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(188) checkCallback: ACLChecklist::checkCallback: 0x4945528 answer=0

Note that I'm now running squid 3.2.5.

Best Regards,
Sébastien

-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Wednesday 12 December 2012 16:33
To: squid-users@squid-cache.org
Cc: Sébastien WENSKE
Subject: Re: [squid-users] tcp_outgoing_mark + https

On 12/12/2012 09:44 AM, Sébastien WENSKE wrote:

Eliezer,

I'm running Debian 6 with a 3.6.9 kernel, Shorewall is v4.5.9.3 and Squid 3.2.3 (I had some troubles to compile 3.2.4). Indeed, just these to the 100Mbit connection is what I need :)

Hey Sébastien,

It seems like a bug to me but just to make sure we need to check a couple of things.

When these requests are being made make sure that in the CONNECT there is no IP in the log but the actual domain name such as: CONNECT www.google.com and not CONNECT ip.address.what.so

The next step is to verify that the acls recognize the request dstdomain. You can either use the acls debug_options which is supposed to be 28.

debug_options ALL,1 28,3

will be basic to make sure the requests are being verified by the acl. If you can use 28,6 it can help with even more details but in most cases not needed.

The above will provide a lot of output in production machines so make sure to run a small instance for testing or another machine.

When you have the above information please do two things:
File a bug in the squid bugzilla with as much details as you can get on the bug and notice that logs can be attached as txt files.
Send the basic description to the squid-dev mailing list.

All the above will help to speed up a bug fix and bug tracing. Maybe even one of the developers knows about it already or can give you a test patch.

Regards,
Eliezer
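A small parser for the debug_options 28,3 trace Eliezer asks for, added here as an example (not code from the thread or from Squid). It groups the Checklist.cc and Acl.cc lines by checklist id, attaches the low-level matcher output (the aclIpMatchIp line) to the ACL verdict that follows it, and reports which directives were consulted at all, which is the question to settle first for a CONNECT that never gets its mark. The SAMPLE trace is constructed, modelled on the lines quoted above; the regular expressions assume the 3.2-era line layout shown there.

```python
"""Summarise a Squid 'debug_options 28,3' ACL trace from cache.log.

Added example, not code from the thread: it groups the Checklist.cc / Acl.cc
lines by checklist id, records what each ACL decided (and, for IP ACLs, what
address was tested), and lists which directives were consulted at all.
"""
import re
from collections import defaultdict

PREFIX = r"^\S+ \S+ kid\d+\| "
RE_RULE = re.compile(PREFIX + r"Checklist\.cc\(\d+\) preCheck: .*?(?P<id>0x[0-9a-fA-F]+) checking '(?P<rule>[^']+)'")
RE_IP = re.compile(PREFIX + r"Ip\.cc\(\d+\) match: aclIpMatchIp: '(?P<addr>[^']+)' (?P<found>found|NOT found)")
RE_RESULT = re.compile(PREFIX + r"Acl\.cc\(\d+\) checklistMatches: .*?result for '(?P<acl>[^']+)' is (?P<res>-?\d+)")
RE_ANSWER = re.compile(PREFIX + r"Checklist\.cc\(\d+\) checkCallback: .*?(?P<id>0x[0-9a-fA-F]+) answer=(?P<ans>-?\d+)")


def parse_acl_trace(lines):
    """Return {checklist_id: {"rules": [(rule_text, [(acl, result, detail), ...]), ...], "answer": int|None}}."""
    trace = defaultdict(lambda: {"rules": [], "answer": None})
    current = None      # checklist whose rule line is being evaluated
    detail = None       # last low-level matcher output, attached to the next ACL result
    for line in lines:
        m = RE_RULE.match(line)
        if m:
            current = m.group("id")
            trace[current]["rules"].append((m.group("rule"), []))
            detail = None
            continue
        m = RE_IP.match(line)
        if m:
            detail = f"{m.group('addr')} {m.group('found')}"
            continue
        m = RE_RESULT.match(line)
        if m and current is not None:
            trace[current]["rules"][-1][1].append((m.group("acl"), int(m.group("res")), detail))
            detail = None
            continue
        m = RE_ANSWER.match(line)
        if m:
            trace[m.group("id")]["answer"] = int(m.group("ans"))
    return dict(trace)


def directives_seen(trace):
    """Directive names (always_direct, tcp_outgoing_mark, ...) that appear in the trace."""
    return {rule.split()[0] for entry in trace.values() for rule, _ in entry["rules"]}


def explain(trace):
    """One line per rule tested plus the final answer of each checklist."""
    out = []
    for cid, entry in trace.items():
        for rule, acls in entry["rules"]:
            verdicts = ", ".join(
                f"{acl}={'match' if res else 'no match'}" + (f" ({d})" if d else "")
                for acl, res, d in acls)
            out.append(f"{cid} {rule!r}: {verdicts}")
        out.append(f"{cid} answer={entry['answer']}")
    return out


# Constructed sample modelled on the trace quoted in the thread.
SAMPLE = """\
2012/12/13 09:09:49.257 kid1| Checklist.cc(162) preCheck: ACLChecklist::preCheck: 0x4945528 checking 'always_direct allow airpad_test'
2012/12/13 09:09:49.257 kid1| Acl.cc(321) matches: ACLList::matches: checking airpad_test
2012/12/13 09:09:49.257 kid1| Acl.cc(310) checklistMatches: ACL::checklistMatches: checking 'airpad_test'
2012/12/13 09:09:49.257 kid1| Ip.cc(571) match: aclIpMatchIp: '10.4.10.76:52320' NOT found
2012/12/13 09:09:49.257 kid1| Acl.cc(312) checklistMatches: ACL::ChecklistMatches: result for 'airpad_test' is 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(162) preCheck: ACLChecklist::preCheck: 0x4945528 checking 'always_direct allow ouest-express'
2012/12/13 09:09:49.257 kid1| Ip.cc(571) match: aclIpMatchIp: '10.4.10.76:52320' NOT found
2012/12/13 09:09:49.257 kid1| Acl.cc(312) checklistMatches: ACL::ChecklistMatches: result for 'ouest-express' is 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(124) matchNonBlocking: 0x4945528 NO match found, returning 0
2012/12/13 09:09:49.257 kid1| Checklist.cc(188) checkCallback: ACLChecklist::checkCallback: 0x4945528 answer=0
"""

if __name__ == "__main__":
    for line in explain(parse_acl_trace(SAMPLE.splitlines())):
        print(line)
```

Run it over the real cache.log section for one CONNECT: if directives_seen() lists always_direct but no tcp_outgoing_mark checklist for that request, the mark directive was never evaluated for it, which is the fact a bug report needs; if it was evaluated and every dstdomain ACL reports "no match", the thing to compare is the value tested (an IP instead of the CONNECT host name, as Eliezer points out) against what the ACL holds.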
[squid-users] tcp_outgoing_mark + https
Hi List,

I'm trying the tcp_outgoing_mark feature with dstdomain acls in order to route web traffic on several WAN links, but I noticed that it doesn't work with https requests.

Does someone know how to achieve this?

Many Thanks.
Sebastien
[squid-users] RE : [squid-users] tcp_outgoing_mark + https
Hi Eliezer,

I'm not using SSL-Bump. I have a 100Mbit/s fiber connection and an SDSL 4Mbit/s. By default, all traffic goes through the SDSL except traffic to our production and VPN site-to-site. Squid is running on the same box where I use shorewall to route marked packets and is directly connected to the internet.

Now, I want to mark packets with squid regarding dstdomain ACLs in order to route them on the 100Mb/s link. It works as expected with http but not for https (CONNECT).

Best Regards,
Sebastien

From: Eliezer Croitoru [elie...@ngtech.co.il]
Sent: Tuesday 11 December 2012 17:37
To: squid-users@squid-cache.org
Subject: Re: [squid-users] tcp_outgoing_mark + https

Hey Sebastien,

Are you using ssl-bump at all? or just plain CONNECT requests?

Other than the problem, if you can explain more about the situation or the goal in more detail than just ROUTE web traffic over WAN connections. Do you have a preference for specific routes? maybe you just want to load-balance? Maybe your approach is not in the right direction anyway?

Regards,
Eliezer

On 12/11/2012 4:00 PM, Sébastien WENSKE wrote:

Hi List,

I'm trying the tcp_outgoing_mark feature with dstdomain acls in order to route web traffic on several WAN links, but I noticed that it doesn't work with https requests.

Does someone know how to achieve this?

Many Thanks.
Sebastien

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
RE: [squid-users] Re: RE : [squid-users] tcp_outgoing_mark + https
refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
error_directory /usr/share/errors/fr
///

Thanks

-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Tuesday 11 December 2012 20:43
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: [squid-users] Re: RE : [squid-users] tcp_outgoing_mark + https

Hey Sébastien,

What linux and what squid version?

It's different if your logic is all to the 100Mbit connection or just these to the 100Mbit connection.

If you can share your squid.conf and remove the sensitive data it will maybe give us more info.

Regards,
Eliezer

On 12/11/2012 7:47 PM, Sébastien WENSKE wrote:

Hi Eliezer,

I'm not using SSL-Bump. I have a 100Mbit/s fiber connection and an SDSL 4Mbit/s. By default, all traffic goes through the SDSL except traffic to our production and VPN site-to-site. Squid is running on the same box where I use shorewall to route marked packets and is directly connected to the internet.

Now, I want to mark packets with squid regarding dstdomain ACLs in order to route them on the 100Mb/s link. It works as expected with http but not for https (CONNECT).

Best Regards,
Sebastien

From: Eliezer Croitoru [elie...@ngtech.co.il]
Sent: Tuesday 11 December 2012 17:37
To: squid-users@squid-cache.org
Subject: Re: [squid-users] tcp_outgoing_mark + https

Hey Sebastien,

Are you using ssl-bump at all? or just plain CONNECT requests?

Other than the problem, if you can explain more about the situation or the goal in more detail than just ROUTE web traffic over WAN connections. Do you have a preference for specific routes? maybe you just want to load-balance? Maybe your approach is not in the right direction anyway?

Regards,
Eliezer

On 12/11/2012 4:00 PM, Sébastien WENSKE wrote:

Hi List,

I'm trying the tcp_outgoing_mark feature with dstdomain acls in order to route web traffic on several WAN links, but I noticed that it doesn't work with https requests.

Does someone know how to achieve this?

Many Thanks.
Sebastien

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
RE: [squid-users] RE: TLS v1.2 support
Hello Amos,

I probably made a mistake because I built openssl 10.0.1 in /lib_indep and specified the path in ./configure with --with-openssl=/lib_indep/include/openssl

Squid works well, but no change on the SSL Labs Server Test: https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr

Cheers,
Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday 14 March 2012 22:33
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support

On 15.03.2012 05:16, Sébastien WENSKE wrote:

OpenSSL 1.0.1 (not 10.0.1)

-----Original Message-----
From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
Sent: Wednesday 14 March 2012 17:14
To: squid-users@squid-cache.org
Subject: [squid-users] TLS v1.2 support

Hi guys,

OpenSSL 10.01 just released, it seems that it supports TLS v1.2.

Thanks for the heads-up.

What about Squid?

Squid supports whatever the library you build it with does.

About the only relevance a change like this has is if there are new options which we have to map from squid.conf to the OpenSSL API calls (NO_TLSv11 or such). Or if they do some more ABI-breaking alterations like the 1.0.0 c-d re-write had.

Amos
RE: [squid-users] RE: TLS v1.2 support
Thanks Amos for your quick reply,

I tried your recommendations but nothing works, I can't get TLS 1.2 to work.

I get a 404 error on your patch link.

Cheers,
Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday 15 March 2012 11:32
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support

On 15/03/2012 8:41 p.m., Sébastien WENSKE wrote:

Hello Amos,

I probably made a mistake because I built openssl 10.0.1 in /lib_indep and specified the path in ./configure with --with-openssl=/lib_indep/include/openssl

Squid works well, but no change on the SSL Labs Server Test: https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr

Looking at it Squid has no explicit support for TLSv1.1 or 1.2. But the TLS/SSL auto-negotiate (https_port ... version=1) should be arranging for it to appear.

You might need to also set the ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1 for the new ones to show up though.

I have a patch you can try at http://www.squid-cache.org/~amosjeffries/patches/squid-3.1_upgrade_TLSv12.patch

It adds support for the server/client methods and NO_TLSv1_* options to help with your experimenting.

Amos

Cheers,
Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday 14 March 2012 22:33
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support

On 15.03.2012 05:16, Sébastien WENSKE wrote:

OpenSSL 1.0.1 (not 10.0.1)

-----Original Message-----
From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
Sent: Wednesday 14 March 2012 17:14
To: squid-users@squid-cache.org
Subject: [squid-users] TLS v1.2 support

Hi guys,

OpenSSL 10.01 just released, it seems that it supports TLS v1.2.

Thanks for the heads-up.

What about Squid?

Squid supports whatever the library you build it with does.

About the only relevance a change like this has is if there are new options which we have to map from squid.conf to the OpenSSL API calls (NO_TLSv11 or such). Or if they do some more ABI-breaking alterations like the 1.0.0 c-d re-write had.

Amos
RE: [squid-users] RE: TLS v1.2 support
Hi Amos,

I used your patch, but no change:

FATAL: Unknown SSL option 'NO_TLSv1_1'
Squid Cache (Version 3.1.19-20120306-r10434): Terminated abnormally.

With only NO_SSLv2:

[...]
2012/03/15 18:40:52.513| Initializing https proxy context
2012/03/15 18:40:52.514| Using SSLv2/SSLv3.
2012/03/15 18:40:52.514| Setting RSA key generation callback.
2012/03/15 18:40:52.514| Setting certificate verification callback.
2012/03/15 18:40:52.514| Setting CA certificate locations.
2012/03/15 18:40:52.514| Initializing https_port 172.16.1.10:443 SSL context
2012/03/15 18:40:52.514| Using SSLv2/SSLv3.
2012/03/15 18:40:52.514| Enabling quiet SSL shutdowns (RFC violation).
2012/03/15 18:40:52.515| Using chiper suite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM.
2012/03/15 18:40:52.515| Using certificate in
2012/03/15 18:40:52.515| Using private key in
2012/03/15 18:40:52.515| Comparing private and public SSL keys.
2012/03/15 18:40:52.515| Setting RSA key generation callback.
2012/03/15 18:40:52.515| Setting CA certificate locations.
2012/03/15 18:40:52.515| Not requiring any client certificates
2012/03/15 18:40:52.515| leave_suid: PID 3335 called
2012/03/15 18:40:52.515| leave_suid: PID 3335 giving up root, becoming 'proxy'
2012/03/15 18:40:52.515| command-line -X overrides: ALL,1

strange :)

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday 15 March 2012 14:03
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support

On 16/03/2012 1:09 a.m., Sébastien WENSKE wrote:

Thanks Amos for your quick reply,

I tried your recommendations but nothing works, I can't get TLS 1.2 to work.

I get a 404 error on your patch link.

Hmm. Something broken in our personal directory mirroring. Try west on that instead of www.

Amos
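A local stand-in for the SSL Labs check the thread relies on, added here as an example (not code from the thread or from Squid) for hosts the public scanner cannot reach. Each protocol version is offered on its own, pinned as both minimum and maximum, so a completed handshake proves the server accepts that version; the cipher it picked is recorded as well. Server identity is deliberately not verified because this is a protocol test, not a certificate test. The default host name is hypothetical, and the SECLEVEL adjustment assumes an OpenSSL build that understands that cipher-string directive (it is ignored where it is not).

```python
"""Probe which SSL/TLS protocol versions a reverse proxy accepts.

Added example, not code from the thread: a local stand-in for the SSL Labs
check used above, for hosts the public scanner cannot reach. Each protocol
version is offered on its own, so a successful handshake proves the server
accepts that version. Server identity is deliberately not verified here;
this is a protocol test, not a certificate test.
"""
import socket
import ssl

VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3)


def build_client_context(version):
    """Context pinned to exactly one protocol version, or None if this OpenSSL build cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        # Recent OpenSSL refuses TLS 1.0/1.1 on the client side at its default
        # security level; drop it so a failed handshake really means the server declined.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: cipher_name | False | None} (accepted / refused / not testable from here)."""
    results = {}
    for version in VERSIONS:
        ctx = build_client_context(version)
        if ctx is None:
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


def findings(results):
    """Turn probe output into the points a PCI-style scan would raise."""
    out = []
    if results.get("SSLv3"):
        out.append("SSLv3 accepted: disable it (options=NO_SSLv3)")
    if results.get("TLSv1"):
        out.append("TLS 1.0 accepted: retire it unless a client still needs it")
    if results.get("TLSv1_1"):
        out.append("TLS 1.1 accepted: retire it unless a client still needs it")
    if not results.get("TLSv1_2"):
        out.append("TLS 1.2 not negotiated: check the OpenSSL build Squid is linked against")
    return out


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "webmail.example.net"   # hypothetical host
    res = probe(target)
    for name, value in res.items():
        print(f"{name:8s} {value}")
    for line in findings(res):
        print("-", line)
```

A "TLS 1.2 not negotiated" result with a TLS-1.2-capable OpenSSL on the proxy points back at the build, which is exactly the question in this thread: Squid only offers what the library it was linked against supports, so the next check is which libssl the squid binary actually loads.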
[squid-users] TLS v1.2 support
Hi guys,

OpenSSL 10.01 just released, it seems that it supports TLS v1.2.

What about Squid?

Cheers,
Sebastien W.
[squid-users] RE: TLS v1.2 support
OpenSSL 1.0.1 (not 10.0.1)

-----Original Message-----
From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
Sent: Wednesday 14 March 2012 17:14
To: squid-users@squid-cache.org
Subject: [squid-users] TLS v1.2 support

Hi guys,

OpenSSL 10.01 just released, it seems that it supports TLS v1.2.

What about Squid?

Cheers,
Sebastien W.
RE: [squid-users] Re: Password for ssl/https key file
Hi guys,

Hope you are well!

I'm searching for which program I can use with this directive sslpassword_program? I want to enter the key passphrase manually but I don't want squid to run in the foreground.

Thanks a lot!
Sebastian.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday 22 September 2010 04:39
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: Password for ssl/https key file

On Tue, 21 Sep 2010 08:44:03 -0700 (PDT), gurgo u...@gmx.net wrote:

Hi!

One more important thing to know is: the sslpassword_program line has to come before the https_port line in your configuration file. Otherwise squid will still prompt you for the passphrase on startup.

Regards,
Dean

This is a bug. Squid should be catching that config error.

Amos
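One program that fits the sslpassword_program directive, added as an example (not code from the thread or from Squid). It assumes, and you should confirm against your Squid build, that Squid runs the program with the key file path as its first argument and reads one line from its stdout. The secrets file path and the wiring in the docstring are hypothetical; keeping the passphrases in a root-only file means the key stays encrypted on disk while Squid still starts without a terminal, and the permission check refuses to serve a secrets file that group or others can read.

```python
#!/usr/bin/env python3
"""Helper for squid.conf 'sslpassword_program': prints the passphrase for an encrypted key.

Added example, not code from the thread. Assumption (verify against your Squid
build): Squid runs the program with the key file path as its first argument
and reads the passphrase from stdout. Secrets are kept in a root-only file,
one '<key path> <passphrase>' per line. Hypothetical wiring:

    sslpassword_program /usr/local/sbin/squid-keypass      # before any https_port line
    https_port 443 accel cert=/etc/squid/ssl/site.crt key=/etc/squid/ssl/site.key ...
"""
import os
import stat
import sys

SECRETS_FILE = "/etc/squid/ssl/passphrases"   # hypothetical path


def permissions_ok(mode):
    """Accept only a regular file with no group/other permission bits."""
    return stat.S_ISREG(mode) and not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def lookup(lines, key_path):
    """First passphrase recorded for key_path, or None. Blank lines and # comments are ignored."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key_path:
            return parts[1]
    return None


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: squid-keypass <key file>\n")
        return 2
    try:
        if not permissions_ok(os.stat(SECRETS_FILE).st_mode):
            sys.stderr.write(f"{SECRETS_FILE}: must be a regular file with mode 0600 or stricter\n")
            return 1
        with open(SECRETS_FILE, encoding="utf-8") as fh:
            secret = lookup(fh, argv[1])
    except OSError as exc:
        sys.stderr.write(f"{SECRETS_FILE}: {exc}\n")
        return 1
    if secret is None:
        sys.stderr.write(f"no passphrase recorded for {argv[1]}\n")
        return 1
    sys.stdout.write(secret + "\n")   # Squid reads the passphrase from stdout
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The helper runs with Squid's initial privileges (it is invoked while the SSL contexts are built, before the drop to the proxy user as the logs in this thread show), so the secrets file can be owned by root and mode 0600; anything Squid can read after dropping privileges would be no safer than an unencrypted key.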
RE: [squid-users] Splash page -- detect if client is mobile?
Hi Dale,

I think that you can achieve that with dynamic stuff like PHP and browser headers.

Sebastian

-----Original Message-----
From: Dale Mahalko [mailto:dmaha...@gmail.com]
Sent: Monday 10 October 2011 19:33
To: squid-users@squid-cache.org
Subject: [squid-users] Splash page -- detect if client is mobile?

Is there a way for a splash page to detect if it is being displayed on a mobile device, and to be able to redirect or show a different page that is reformatted to fit the much smaller display area of the mobile screen?

I don't know if this is really a squid-related question, or if this can all be handled through the magic of javascript, independent of squid.

--
Dale Mahalko
[squid-users] RE : [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
Hello Amos and Dean,

Thank you very much, I found a workaround at the same time you sent your openssl compile procedure.

In /usr/src/openssl/openssl-1.0.0a I have created a symlink lib -> /usr/local/ssl/lib64

lrwxrwxrwx 1 root src 20 2010-11-16 16:43 lib -> /usr/local/ssl/lib64

and --with-openssl=/usr/src/openssl/openssl-1.0.0a

Now, all is green in the Qualys report: https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr :-)

Thank you again for your support,

Cheers,
Sebastian

From: Dean Weimer [dwei...@orscheln.com]
Sent: Tuesday 16 November 2010 16:13
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

Hi Amos,

Glad to hear you, I have already tried and retried this one, but no changes... this is freaky and I'm tired :)

I will continue tomorrow, I think I need to find a guide to compile squid with non-system ssl libraries/headers.

Otherwise, is there a way to know with which openssl squid is compiled??? Because every time squid will run correctly in ssl mode... :-/

Many thanks,
Sebastian

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday 15 November 2010 23:55
To: Sébastien WENSKE
Cc: Dean Weimer; squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

On Mon, 15 Nov 2010 21:33:40 +, Sébastien WENSKE sebast...@wenske.fr wrote:

I think this should be --with-openssl=/usr/src/openssl/openssl-1.0.0a/

I'm lost ... I need to fix this issue before implementing this in my company ...

Sébastien,

If it helps, my system had openssl installed with the following options.

./config --prefix=/usr/local --openssldir=/usr/local/etc/ssl -fPIC shared
make
make install

Squid had the following options for enabling openssl:

--enable-ssl --with-openssl=/usr/local

In your squid source directory, look for the config.log Amos mentioned, and in it the following lines should indicate which path it found your openssl libraries under.

configure:26112: checking openssl/err.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/err.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/err.h
configure:26232: result: yes
configure:26112: checking openssl/md5.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/md5.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/md5.h
configure:26232: result: yes
configure:26112: checking openssl/ssl.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/ssl.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/ssl.h
configure:26232: result: yes
configure:26112: checking openssl/x509v3.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/x509v3.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/x509v3.h
configure:26232: result: yes

From examining these paths on mine, and looking under the source build directory for openssl-1.0.0a, it looks like Amos is indeed correct that the path for your system should be --with-openssl=/usr/src/openssl/openssl-1.0.0a

Also verify that /usr/src/openssl/openssl-1.0.0a/include/openssl does indeed exist on your system and it contains the *.h files shown in the output from the config.log listed above (should actually be linked files under the source tree, but that shouldn't matter).

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
[squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
Hello guys,

I have set up a squid as SSL reverse proxy, it works very fine.

I have checked SSL security against Qualys and they report to me that the server is vulnerable to MITM attacks because it supports insecure renegotiation.

Here is my SSL related configuration:

https_port xx.xx.xx.xx:443 cert=/etc/squid/ssl/RapidSSL_xxx.xxx.xx.crt key=/etc/squid/ssl/RapidSSL_xxx.xxx.xx.key options=NO_SSLv2 cipher=RSA:+HIGH:!eNULL:!aNULL:!LOW:!RC4+RSA:!RC2+RSA:!EXP:!ADH accel ignore-cc defaultsite=xxx..xx vhost
[...]
cache_peer 10.x.x.x parent 80 0 front-end-https=on name=sw01 no-query originserver default login=PASS no-digest
[...]
ssl_unclean_shutdown on
[...]

Is it openssl related or squid configuration?

Many Thanks,
Sebastian
[squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
Thanks Dean,

I have tried to compile with openssl 10.0.0a, but I get the same result... even with sslproxy_ directives.

Can you check your server on https://www.ssllabs.com/ssldb/index.html just to see?

In my case: browser --- HTTPS ---> reverse proxy (squid 3.1.9) --- HTTP ---> OWA 2010 (IIS 7.5)

Maybe I miss something, how can I see which version of openssl is used in squid?

Thanks,
Sebastian.

-----Original Message-----
From: Dean Weimer [mailto:dwei...@orscheln.com]
Sent: Monday 15 November 2010 16:42
To: Sébastien WENSKE
Subject: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

It was at the bottom ☺ I deleted everything else, see below.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co

I have squid compiled from source against Openssl 1.0.0a, with the following options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx..xxx vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site certification scans; the options and ciphers are set both on the https_port line and on individual lines, not sure if both or only one are required.
RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
Thanks for your support Dean, but I'm definitively a n00b :)

I have compiled many times (without error) with some ssl paths, but no result, I got the same result on the scan...

I compiled openssl with no particular option (no make install)

./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for --enable-underscores --enable-delay-pools --enable-cache-digests --enable-auth=basic --enable-ecap --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I'm lost ... I need to fix this issue before implementing this in my company ...

Cheers,
Sebastian

-----Original Message-----
From: Dean Weimer [mailto:dwei...@orscheln.com]
Sent: Monday 15 November 2010 19:56
To: Sébastien WENSKE; squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

-----Original Message-----
From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
Sent: Monday, November 15, 2010 11:29 AM
To: squid-users@squid-cache.org
Subject: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

Thanks Dean,

I have tried to compile with openssl 10.0.0a, but I get the same result... even with sslproxy_ directives.

Can you check your server on https://www.ssllabs.com/ssldb/index.html just to see?

In my case: browser --- HTTPS ---> reverse proxy (squid 3.1.9) --- HTTP ---> OWA 2010 (IIS 7.5)

Maybe I miss something, how can I see which version of openssl is used in squid?

Here is the information I got back, minus the certificate section; the overall score was a 91.

When you compiled with openssl, make sure to use the --with-openssl=[DIR] to specify your path, to make sure you hit the version you installed and not the local system libraries, as they may differ. Though it would be best to update the local system libraries as well if possible.

Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3.0: Yes
SSL 2.0+ Upgrade Support: Yes
SSL 2.0: No

Cipher Suites (sorted; server has no preference)
TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

Miscellaneous
Test date: Mon Nov 15 18:49:14 UTC 2010
Test duration: 102.430 seconds
Server signature: Microsoft-IIS/6.0
Session resumption: Yes
Renegotiation: Secure Renegotiation Supported
Strict Transport Security: No
TLS Version Tolerance: 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
PCI compliant: Yes
FIPS-ready: No

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
Hi Amos,

Glad to hear from you. I have already tried and retried this one, but no changes... this is freaky and I'm tired :)

I will continue tomorrow, I think I need to find a guide to compile squid with non-system ssl libraries/headers.

Otherwise, is there a way to know with which openssl squid is compiled??? Because every time squid will run correctly in ssl mode... :-/

Many thanks,
Sebastian

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday 15 November 2010 23:55
To: Sébastien WENSKE
Cc: Dean Weimer; squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

On Mon, 15 Nov 2010 21:33:40 +, Sébastien WENSKE sebast...@wenske.fr wrote:

Thanks for your support Dean, but I'm definitely a n00b :)

I have compiled many times (without error) with some ssl paths, but no result, I got the same result on the scan...

I compiled openssl with no particular option (no make install)

./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for --enable-underscores --enable-delay-pools --enable-cache-digests --enable-auth=basic --enable-ecap --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I think this should be --with-openssl=/usr/src/openssl/openssl-1.0.0a/

I'm lost ... I need to fix this issue before implementing this in my company ...

Cheers,
Sebastian
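The thread asks two things that are easy to answer mechanically: which OpenSSL a Squid binary was configured against and actually loads at run time, and whether the renegotiation verdict changed. The following is an added example (not Squid project code) that parses the text of `squid -v`, `ldd` and `openssl s_client -connect host:443`; the `SAMPLE_*` strings are constructed to look like that output, and `run_checks()` is the only part that touches the real tools on a host.

```python
"""Verify which OpenSSL a Squid build is configured against and actually loads,
and read the secure-renegotiation verdict from `openssl s_client` output.

Added example, not Squid project code. The SAMPLE_* strings are constructed
to look like `squid -v`, `ldd` and `openssl s_client -connect host:443`
output; run_checks() runs the real tools when they exist on the machine.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed: a build configured the way the thread's ./configure line does.
SAMPLE_SQUID_V = (
    "Squid Cache: Version 3.1.9\n"
    "configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--enable-ssl' "
    "'--with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl' 'CXXFLAGS=-g -O2'\n"
)

# Constructed: `ldd /usr/sbin/squid` resolving the distribution's old libssl.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 =>  (0x00007fff5a7fe000)\n"
    "\tlibssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f2b1c000000)\n"
    "\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f2b1bc00000)\n"
)

# Constructed: the one line of `openssl s_client` output that matters here.
SAMPLE_S_CLIENT_INSECURE = "Secure Renegotiation IS NOT supported\nCompression: NONE\n"
SAMPLE_S_CLIENT_SECURE = "Secure Renegotiation IS supported\nCompression: NONE\n"


def configure_options(squid_v_output: str) -> Dict[str, Optional[str]]:
    """Map each --option on the 'configure options:' line to its value (None for bare flags)."""
    m = re.search(r"configure options:(.*)", squid_v_output)
    if m is None:
        return {}
    opts: Dict[str, Optional[str]] = {}
    for quoted, bare in re.findall(r"'([^']*)'|(--\S+)", m.group(1)):
        token = quoted or bare
        if not token.startswith("--"):
            continue  # environment settings such as CXXFLAGS=... are not options
        key, _, value = token.partition("=")
        opts[key] = value or None
    return opts


def linked_libssl(ldd_output: str) -> Optional[str]:
    """Path of the libssl the dynamic loader will actually map into the binary."""
    m = re.search(r"libssl\.so\S*\s*=>\s*(\S+)", ldd_output)
    return m.group(1) if m else None


def secure_renegotiation(s_client_output: str) -> Optional[bool]:
    """True/False from the 'Secure Renegotiation IS [NOT] supported' line, None if absent."""
    m = re.search(r"Secure Renegotiation IS( NOT)? supported", s_client_output)
    return None if m is None else m.group(1) is None


def build_findings(squid_v_output: str, ldd_output: str) -> List[str]:
    """Cross-check the configured OpenSSL location against the library really loaded."""
    findings: List[str] = []
    with_openssl = configure_options(squid_v_output).get("--with-openssl")
    if with_openssl and "/include" in with_openssl:
        findings.append(
            f"--with-openssl={with_openssl} names a header directory; "
            "it should be the OpenSSL install or build root"
        )
    lib = linked_libssl(ldd_output)
    if with_openssl and lib and not lib.startswith(with_openssl.rstrip("/") + "/"):
        findings.append(
            f"runtime loads {lib}, which is not under {with_openssl}; "
            "the scan result reflects that library, not the one you built"
        )
    return findings


def run_checks(squid_binary: str = "/usr/sbin/squid") -> List[str]:
    """Run the real tools on this host (not used by the tests)."""
    if not os.path.exists(squid_binary):
        return [f"{squid_binary} not found"]
    v = subprocess.run([squid_binary, "-v"], capture_output=True, text=True).stdout
    ldd = subprocess.run(["ldd", squid_binary], capture_output=True, text=True).stdout
    return build_findings(v, ldd)


if __name__ == "__main__":
    for line in build_findings(SAMPLE_SQUID_V, SAMPLE_LDD):
        print("finding:", line)
    print("secure renegotiation:", secure_renegotiation(SAMPLE_S_CLIENT_INSECURE))
```

The `ldd` check is the one that answers the question in the thread: a `--with-openssl` path only affects the build, and if the distribution's libssl is what the loader maps in at run time, the scanner is grading that library, whatever the configure line says.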
RE: [squid-users] Squid compression in reverse mode
Thanks Amos,

I tried this module and it works very well for me. It compresses text/html by up to 60%. But I didn't find how to compress .js and .css files, that seems not to be possible... maybe I'm wrong.

Cheers,
Sebastian

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday 12 November 2010 02:36
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid compression in reverse mode

On 12/11/10 10:39, Sébastien WENSKE wrote:

Hi All,

Below is what I set up today:

browser --- HTTPS reverse proxy (squid 3.1.9) HTTP - OWA 2010

All works fine, but I want to be able to compress data on the fly (text, image...) between squid and browsers (internet clients):

browser --- HTTPS [compression] reverse proxy (squid 3.1.9) HTTP - OWA 2010

Has someone already got this working in this specific scenario?

There is an eCAP module available for compression.
http://wiki.squid-cache.org/Features/eCAP

People's results vary. For some it works, for some compression is much slower, and for others the adapter does not work at all. Feedback to the author please so any bugs can be fixed.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
[squid-users] Squid compression in reverse mode
Hi All,

Below is what I set up today:

browser --- HTTPS reverse proxy (squid 3.1.9) HTTP - OWA 2010

All works fine, but I want to be able to compress data on the fly (text, image...) between squid and browsers (internet clients):

browser --- HTTPS [compression] reverse proxy (squid 3.1.9) HTTP - OWA 2010

Has someone already got this working in this specific scenario?

Many thanks,
Sebastien WENSKE
[squid-users] Reverse proxy scenario
Hi list,

I have set up a reverse proxy on a 100MB/s server to preserve my home bandwidth (upload ~128KB/s). It works very fine, objects are stored in the cache and served to the clients.

However, last week I had a rush on my blog, about 1500 visitors in two days, which resulted in overloading my connection with a huge amount of 304 queries.

My question is: Is it possible to tell Squid not to check the parent (my local web server) to see if an object has been modified, for a while? By directory or mime type?

Cheers,
Sébastien WENSKE.
[squid-users] Reverse proxy (with squid :) ) and http basic authentication
Hi All,

I have some trouble with an http basic authentication through a Squid reverse proxy. The web site (nagios) asks me for credentials, I enter them correctly but it refuses to log me in. I get this error:

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Is there something special to do on the squid box?

Many thanks,
Sébastien WENSKE
[squid-users] Squid 3.0 as reverse proxy
Hi List,

I use Squid Cache version 3.0.STABLE16 as a reverse proxy on a 100Mb server (hosted by Iliad) to cache my web sites running on my home connection (1024Kb max). This configuration works pretty fine, but I have trouble caching some images (jpg|png) with a particular url:

For example, I have a photo gallery where the link to download the original picture (biggest size) has a ? at the end:
http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?

In the access log I can see that this object is not cached:
23/Nov/2009:15:17:43 +0100.960 12372 84.207.23.135 TCP_MISS/200 1313021 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html? - DEFAULT_PARENT/sl01 image/jpeg

(store.log, may be helpful:
1258985863.960 RELEASE -1 B8B54D74210C1D0090AA8E1390D77D9C 200 1258985851 1258985851 375007920 image/jpeg -1/1312295 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?)

I suppose that's due to this directive in the squid.conf:
hierarchy_stoplist cgi-bin ?

Is it possible to enable caching for this kind of url? Maybe with a regex?

Thanks for your help,
Sébastien WENSKE

----- the complete squid.conf -----
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl all src
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 88.191.97.6:80 accel vhost
acl dest_site dstdomain blog.canardwc.com gallery.wenske.fr verdin.canardwc.com
acl dest_addr dst 10.0.1.5
acl dest_port port 80
cache_peer 10.0.1.5 parent 80 0 name=sl01 no-query originserver default
cache_peer_access sl01 allow dest_site
http_access allow dest_addr dest_port
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 2048 16 256
minimum_object_size 0 KB
maximum_object_size 64096 KB
logformat squid %tl.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt
access_log /var/log/squid/reverse-proxy_access.log squid
cache_log /var/log/squid/reverse-proxy_cache.log
cache_store_log /var/log/squid/reverse-proxy_store.log
pid_filename /var/run/reverse-proxy.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname sl03.wenske.local
cache_mgr x
#icp_port 3130
coredump_dir /var/cache
[squid-users] RE: Squid 3.0 as reverse proxy
Sorry, I've made a mistake, the url to get the original picture is
http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?zp=full-image

This will force the download of the picture.

Regards,
Sebastien WENSKE

-----Original Message-----
From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
Sent: Monday 23 November 2009 15:27
To: squid-users@squid-cache.org
Subject: [squid-users] Squid 3.0 as reverse proxy

Hi List,

I use Squid Cache version 3.0.STABLE16 as a reverse proxy on a 100Mb server (hosted by Iliad) to cache my web sites running on my home connection (1024Kb max). This configuration works pretty fine, but I have trouble caching some images (jpg|png) with a particular url:

For example, I have a photo gallery where the link to download the original picture (biggest size) has a ? at the end:
http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?

In the access log I can see that this object is not cached:
23/Nov/2009:15:17:43 +0100.960 12372 84.207.23.135 TCP_MISS/200 1313021 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html? - DEFAULT_PARENT/sl01 image/jpeg

(store.log, may be helpful:
1258985863.960 RELEASE -1 B8B54D74210C1D0090AA8E1390D77D9C 200 1258985851 1258985851 375007920 image/jpeg -1/1312295 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?)

I suppose that's due to this directive in the squid.conf:
hierarchy_stoplist cgi-bin ?

Is it possible to enable caching for this kind of url? Maybe with a regex?

Thanks for your help,
Sébastien WENSKE

----- the complete squid.conf -----
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl all src
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 88.191.97.6:80 accel vhost
acl dest_site dstdomain blog.canardwc.com gallery.wenske.fr verdin.canardwc.com
acl dest_addr dst 10.0.1.5
acl dest_port port 80
cache_peer 10.0.1.5 parent 80 0 name=sl01 no-query originserver default
cache_peer_access sl01 allow dest_site
http_access allow dest_addr dest_port
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 2048 16 256
minimum_object_size 0 KB
maximum_object_size 64096 KB
logformat squid %tl.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt
access_log /var/log/squid/reverse-proxy_access.log squid
cache_log /var/log/squid/reverse-proxy_cache.log
cache_store_log /var/log/squid/reverse-proxy_store.log
pid_filename /var/run/reverse-proxy.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname sl03.wenske.local
cache_mgr x
#icp_port 3130
coredump_dir /var/cache
[squid-users] squid 3.0 as reverse proxy and apache log at back-end
Hi again,

In my previous mail I explained that I'm using a squid reverse proxy with high bandwidth to cache my apache at home. They are connected by VPN, and I would like to know if it is possible to get the original IP in my apache logs. Currently I see only the squid local IP:

sl03.wenske.local - - [23/Nov/2009:17:39:23 +0100] "GET / HTTP/1.0" 200 6761

I've tried some configuration with forwarded-for and follow_x_forwarded_for with no success.

Thanks,
Sébastien WENSKE
RE: [squid-users] RE: Squid 3.0 as reverse proxy
Thanks both, I will check the code and try to fix or remove these headers.

With which binary do you get the information below? Squidclient?

Regards,
Sébastien

-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Tuesday 24 November 2009 00:24
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: Squid 3.0 as reverse proxy

On Mon 2009-11-23 at 15:34 +0100, Sébastien WENSKE wrote:

Sorry, I've made a mistake, the url to get the original picture is
http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?zp=full-image
This will force the download of the picture.

That's a very very cache-unfriendly object.. Some key elements from the response header:

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Mon, 23 Nov 2009 23:14:13 GMT
Vary: Accept-Encoding

And my comments:

Expires is set in the past, which forces caches to revalidate the object on each request.

Cache-Control no-store is a very aggressive nocache directive. Forbids everyone involved from storing the response on any form of persistent storage. I.e. not even browsers are allowed to cache the object in their disk cache, and they must also remove it as soon as possible from the memory cache. Really only intended for very sensitive responses where it would be a major disaster if an unauthorized third party got hold of the response by stealing the computer and inspecting the cached files and similar scenarios.

Cache-Control no-cache must-revalidate, also quite unfriendly and says that the response MUST be validated with the origin before reuse.

Regards
Henrik
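Henrik's reading of those headers can be turned into a small checker that explains, for any response, which directive blocks storage outright and which only forces a revalidation round trip. This is an added example, not Squid code: `SAMPLE_HEADERS` are the five header lines quoted in the thread and `SAMPLE_NOW` is a constructed clock value; the directive meanings follow Henrik's comments and the HTTP caching rules a shared cache applies.

```python
"""Explain, from a response's headers, why a shared cache such as a Squid
reverse proxy will not store or reuse the object.

Added example, not Squid code. SAMPLE_HEADERS are the header lines quoted in
the thread; SAMPLE_NOW is a constructed clock value.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_HEADERS = {
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Pragma": "no-cache",
    "Last-Modified": "Mon, 23 Nov 2009 23:14:13 GMT",
    "Vary": "Accept-Encoding",
}
SAMPLE_NOW = datetime(2009, 11, 24, 0, 0, tzinfo=timezone.utc)  # constructed


def parse_cache_control(value: str) -> Dict[str, object]:
    """'no-store, max-age=60' -> {'no-store': True, 'max-age': '60'}; names lower-cased."""
    out: Dict[str, object] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') if arg else True
    return out


def http_date(value: str) -> Optional[datetime]:
    """Parse an RFC 1123 date; naive results are taken as UTC, garbage gives None."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess(headers: Dict[str, str], now: datetime) -> Dict[str, object]:
    """Return whether the object is storable, plus (directive, meaning) pairs that
    either block storage or force a revalidation round trip before reuse."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    blockers: List[Tuple[str, str]] = []
    notes: List[Tuple[str, str]] = []

    if "no-store" in cc:
        blockers.append(("no-store", "may not be written to any persistent storage, "
                         "not even a browser disk cache; meant for sensitive responses"))
    if "private" in cc:
        blockers.append(("private", "only a single-user cache may keep it; a shared proxy may not"))
    if h.get("vary", "").strip() == "*":
        blockers.append(("vary", "Vary: * means no later request can match the stored copy"))
    elif h.get("vary"):
        notes.append(("vary", f"one stored variant per distinct {h['vary']} request header"))

    if "no-cache" in cc:
        notes.append(("no-cache", "must be revalidated with the origin before every reuse"))
    if "no-cache" in h.get("pragma", "").lower():
        notes.append(("pragma", "HTTP/1.0 spelling of no-cache"))
    if "must-revalidate" in cc:
        notes.append(("must-revalidate", "once stale it may never be served without a successful revalidation"))
    explicit_freshness = "max-age" in cc or "s-maxage" in cc
    exp = http_date(h["expires"]) if "expires" in h else None
    if exp is not None and exp <= now and not explicit_freshness:
        notes.append(("expires", f"already expired ({exp:%Y-%m-%d %H:%M} UTC): every hit costs a "
                      "conditional request (304) to the origin"))

    revalidate_codes = {"no-cache", "pragma", "expires"}
    needs_revalidation = any(code in revalidate_codes for code, _ in notes)
    return {
        "storable": not blockers,
        "fresh_reuse_ok": not blockers and not needs_revalidation,
        "blockers": blockers,
        "notes": notes,
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_HEADERS, SAMPLE_NOW)
    print("storable:", verdict["storable"], "| fresh reuse:", verdict["fresh_reuse_ok"])
    for code, meaning in verdict["blockers"] + verdict["notes"]:
        print(f"  {code:16} {meaning}")
```

For the gallery response this reports `no-store` as the single blocker, and even with that removed the past `Expires` and `no-cache` would still send every request back to the origin as a conditional GET, which is exactly the 304 traffic the reverse proxy was meant to absorb.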
RE: [squid-users] squid 3.0 as reverse proxy and apache log at back-end
Many thanks Henrik!

I have added these two directives in apache2.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" reverse_proxy

and

SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder

And in my vhost:

CustomLog /var/log/apache2/blog.log reverse_proxy env=is-forwarder
CustomLog /var/log/apache2/blog.log combined env=!is-forwarder

This works pretty fine.

Best regards,
Sébastien WENSKE

-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Tuesday 24 November 2009 00:25
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid 3.0 as reverse proxy and apache log at back-end

On Mon 2009-11-23 at 17:41 +0100, Sébastien WENSKE wrote:

In my previous mail I explained that I'm using a squid reverse proxy with high bandwidth to cache my apache at home. They are connected by VPN, and I would like to know if it is possible to get the original IP in my apache logs.

Yes. You need to configure Apache to log the X-Forwarded-For header sent by Squid.

Regards
Henrik
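The `SetEnvIf` regex above only checks that the header contains three dots; it does not verify that the header came from the proxy, and X-Forwarded-For is a header any client can send. The following added example (not Apache or Squid code) shows the check a log consumer or application behind the proxy should apply instead: only honour the header when the TCP peer is one of our own proxies, and then take the rightmost address that is not ours. The trusted network `10.0.1.0/24` and the peer address `10.0.1.254` are assumptions for the example, based on the thread's `cache_peer 10.0.1.5` VPN address.

```python
"""Determine the real client address behind a reverse proxy from
X-Forwarded-For without trusting a header anyone on the internet can send.

Added example, not Apache or Squid code. The thread's SetEnvIf regex only
checks that the header contains three dots, so this shows the check a log
consumer or application should make instead. The trusted proxy network
10.0.1.0/24 is an assumption taken from the thread's cache_peer address.
"""
import ipaddress
import re
from typing import Iterable, Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]  # assumption: Squid reaches Apache over this VPN
FORWARDER_RE = re.compile(r"^.*\..*\..*\..*")  # the regex in the thread's SetEnvIf line


def _trusted(addr: str, trusted: Iterable) -> bool:
    """True when addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Walk X-Forwarded-For right to left, skipping our own proxies; the first
    address that is not ours is the client. If the TCP peer itself is not a
    trusted proxy, the header was not added by us and is ignored."""
    if not xff or not _trusted(remote_addr, trusted):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # 'unknown' or malformed: log the peer, never garbage
        if not any(ip in net for net in trusted):
            return str(ip)
    return remote_addr  # every hop was one of our proxies


def apache_tags_forwarder(xff: str) -> bool:
    """Mirror of the thread's `SetEnvIf X-Forwarded-For "^.*\\..*\\..*\\..*" is-forwarder`:
    it matches any value with three dots, so it is not an address check."""
    return FORWARDER_RE.match(xff) is not None


if __name__ == "__main__":
    print(client_ip("10.0.1.254", "84.207.23.135"))   # peer is our proxy: header honoured
    print(client_ip("203.0.113.9", "84.207.23.135"))  # peer is not: header ignored
    print(apache_tags_forwarder("a.b.c.d"))           # True, although not an address
```

Squid's `forwarded_for on` (the default) appends the client address to the header it sends upstream, so walking from the right past the proxy's own address gives the address Squid saw, while a value the client sent itself stays to the left and is never reached first.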
RE: [squid-users] only TCP_MISS/200 in log files
Hi Amos,

I have just built 3.1.0.5 (3.1.0.6 make error), it works fine with the same configuration.

Ciao, Thx,
Sébastien.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday 2 March 2009 01:42
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] only TCP_MISS/200 in log files

Hi All,
I have noticed that there are only TCP_MISS/200 in my squid (3.1.0.0) log files

A little surprising, but please use the latest code when testing beta releases. We have very many bug and stability fixes since 3.1 was in alpha release.

Amos
RE: [squid-users] Squid NTLM + Windows Vista update
Thanks Amos, it was very helpful.

Now I need to fix an issue with dansguardian; when I go through it, I notice this in the squid log:

01/Mar/2009:16:43:48.329 73520 10.0.0.11 TCP_MISS/200 -0- CONNECT update.microsoft.com:443 - DIRECT/65.55.13.126 -

and I get a windows update 80072EE2 error... But with squid only, it works fine.

01/Mar/2009:16:42:08.667 117784 10.0.0.11 TCP_MISS/200 -7780- CONNECT update.microsoft.com:443 - DIRECT/65.55.184.93 -

Thanks,
Sébastien

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Saturday 28 February 2009 23:51
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid NTLM + Windows Vista update

Sébastien WENSKE wrote:

Hi All,
I have some trouble getting updates with windows vista when I use squid with NTLM.

28/Feb/2009:19:04:39.534 2 10.0.0.11 TCP_DENIED/407 452 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - NONE/- text/html

Is it possible to allow a specific url/domain without the authentication process?

Many thanks,
Sébastien WENSKE.

http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.5
[squid-users] Compiling suiqd 3.1.0.6
Hi All,

I get an error when I try to build squid 3.1.0.6:

./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --exec-prefix=/usr --sysconfdir=/etc/squid --enable-icmp --enable-arp-acl --with-default-user=squid --enable-auth="basic ntlm" --enable-basic-auth-helpers="LDAP SMB NCSA multi-domain-NTLM" --enable-ntlm-auth-helpers="smb_lm" --enable-ntlm-fail-open --enable-external-acl-helpers="ip_user ldap_group session wbinfo_group" --enable-err-languages="French English" --enable-default-err-languages="French" --enable-follow-x-forwarded-for --enable-storeio="ufs diskd aufs coss" --enable-removal-policies="lru heap"

[...]

make

[...]
/squid/etc\" -I. -I. -I../include -I. -I. -I../include -I../include -I../lib/libTrie/include -I../lib -I../lib -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT globals.o -MD -MP -MF $depbase.Tpo -c -o globals.o globals.cc; \
then mv -f $depbase.Tpo $depbase.Po; else rm -f $depbase.Tpo; exit 1; fi
depbase=`echo comm.lo | sed 's|[^/]*$|.deps/|;s|\.lo$||'`; \
if /bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid/etc/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/squid/share\" -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/squid/etc\" -I. -I. -I../include -I. -I. -I../include -I../include -I../lib/libTrie/include -I../lib -I../lib -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT comm.lo -MD -MP -MF $depbase.Tpo -c -o comm.lo comm.cc; \
then mv -f $depbase.Tpo $depbase.Plo; else rm -f $depbase.Tpo; exit 1; fi
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid/etc/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/squid/share\" -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/squid/etc\" -I. -I. -I../include -I. -I. -I../include -I../include -I../lib/libTrie/include -I../lib -I../lib -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT comm.lo -MD -MP -MF .deps/comm.Tpo -c comm.cc -fPIC -DPIC -o .libs/comm.o
cc1plus: warnings being treated as errors
comm.cc: In member function 'int ConnectStateData::commResetFD()':
comm.cc:960: warning: deprecated conversion from string constant to 'char*'
comm.cc:977: warning: deprecated conversion from string constant to 'char*'
comm.cc: In member function 'void ConnectStateData::connect()':
comm.cc:1078: warning: deprecated conversion from string constant to 'char*'
comm.cc:1083: warning: deprecated conversion from string constant to 'char*'
comm.cc:1088: warning: deprecated conversion from string constant to 'char*'
comm.cc:1104: warning: deprecated conversion from string constant to 'char*'
comm.cc:1116: warning: deprecated conversion from string constant to 'char*'
comm.cc: In function 'int commSetTimeout(int, int, void (*)(int, void*), void*)':
comm.cc:1153: warning: deprecated conversion from string constant to 'char*'
comm.cc: In function 'int commSetTimeout(int, int, RefCountAsyncCall)':
comm.cc:1164: warning: deprecated conversion from string constant to 'char*'
comm.cc: In member function 'bool AcceptFD::acceptOne()':
comm.cc:2247: warning: deprecated conversion from string constant to 'char*'
comm.cc: In function 'void commStartHalfClosedMonitor(int)':
comm.cc:2384: warning: deprecated conversion from string constant to 'char*'
comm.cc: In function 'void commHalfClosedCheck(void*)':
comm.cc:2405: warning: deprecated conversion from string constant to 'char*'
comm.cc: In function 'void commStopHalfClosedMonitor(int)':
comm.cc:2433: warning: deprecated conversion from string constant to 'char*'
make[1]: *** [comm.lo] Error 1
make[1]: Leaving directory `/usr/src/squid-3.1.0.6/src'
make: *** [all-recursive] Error 1
r...@sl05:/usr/src/squid-3.1.0.6#

I'm running Ubuntu on a SUN Sparc64.

Thanks for your help.

Sébastien
[squid-users] only TCP_MISS/200 in log files
Hi All,

I have noticed that there are only TCP_MISS/200 in my squid (3.1.0.0) log files

01/Mar/2009:22:53:22.770 31 10.0.0.15 TCP_MISS/200 710 GET http://www.google.fr/images/flags/uy_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.775 36 10.0.0.15 TCP_MISS/200 696 GET http://www.google.fr/images/flags/uz_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.787 47 10.0.0.15 TCP_MISS/200 1161 GET http://www.google.fr/images/flags/vc_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.807 28 10.0.0.15 TCP_MISS/200 715 GET http://www.google.fr/images/flags/ve_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.814 31 10.0.0.15 TCP_MISS/200 1788 GET http://www.google.fr/images/flags/vg_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.832 50 10.0.0.15 TCP_MISS/200 1494 GET http://www.google.fr/images/flags/vi_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.838 43 10.0.0.15 TCP_MISS/200 679 GET http://www.google.fr/images/flags/vn_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.850 31 10.0.0.15 TCP_MISS/200 1675 GET http://www.google.fr/images/flags/vu_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.857 27 10.0.0.15 TCP_MISS/200 689 GET http://www.google.fr/images/flags/ws_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.872 28 10.0.0.15 TCP_MISS/200 803 GET http://www.google.fr/images/flags/rs_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.884 36 10.0.0.15 TCP_MISS/200 1181 GET http://www.google.fr/images/flags/za_flag.png canardwc DIRECT/209.85.229.103 image/png
01/Mar/2009:22:53:22.907 28 10.0.0.15 TCP_MISS/200 871 GET http://www.google.fr/images/flags/zm_flag.png canardwc DIRECT/209.85.229.103 image/png

And there is no file in the cache dir. It worked before; what could be the cause? Ask me for more details.

Many thanks,
Sébastien WENSKE
[squid-users] Squid NTLM + Windows Vista update
Hi All,

I have some trouble getting updates with windows vista when I use squid with NTLM.

28/Feb/2009:19:04:39.534 2 10.0.0.11 TCP_DENIED/407 452 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - NONE/- text/html

Is it possible to allow a specific url/domain without the authentication process?

Many thanks,
Sébastien WENSKE.
RE: [squid-users] Squid failover between DIRECT connect and PARENT PROXY
Hi Chris,

Many thanks for your reply. I have tried to set nonhierarchical_direct to off, but this has no effect.

I have commented out hierarchy_stoplist cgi-bin ?, this has solved the google form, but google uses the GET method. My problem with POST method forms persists...

Best Regards,
Sébastien.

-----Original Message-----
From: crobert...@gci.net [mailto:crobert...@gci.net]
Sent: Thursday 8 January 2009 21:45
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid failover between DIRECT connect and PARENT PROXY

Sébastien WENSKE wrote:

Hi all,

I've set a squid server to use direct connections by default and to use a parent proxy if direct is unavailable:

-----
http_port 8080
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
cache_peer 10.151.8.10 parent 3128 0 name=prod default
prefer_direct on
cache_peer_access prod allow all
hierarchy_stoplist cgi-bin ?
cache_mem 4000 MB
maximum_object_size_in_memory 5000 KB
cache_dir ufs /var/cache/squid 10 64 512
maximum_object_size 40960 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/log/squid/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 0
coredump_dir /var/cache
-----

When I simulate an issue (DIRECT/ unavailable), this will work for GET, but POST always tries DIRECT/

---
1231334419.908 292 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
1231334427.526 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
1231334562.494 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
1231335100.244 311 127.0.0.1 TCP_MISS/200 7401 GET http://www.google.fr/ - DEFAULT_PARENT/10.151.8.10 text/html
1231335100.599 318 127.0.0.1 TCP_MISS/204 492 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/10.151.8.10 text/html
1231335158.319 311 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
1231335159.585 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
---

Any ideas ???

Change nonhierarchical_direct from the default of on to off.
http://www.squid-cache.org/Doc/config/nonhierarchical_direct/

Best Regards,
Sébastien WENSKE

Chris
[squid-users] Squid failover between DIRECT connect and PARENT PROXY
Hi all,

I've set a squid server to use direct connections by default and to use a parent proxy if direct is unavailable:

-----
http_port 8080
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
cache_peer 10.151.8.10 parent 3128 0 name=prod default
prefer_direct on
cache_peer_access prod allow all
hierarchy_stoplist cgi-bin ?
cache_mem 4000 MB
maximum_object_size_in_memory 5000 KB
cache_dir ufs /var/cache/squid 10 64 512
maximum_object_size 40960 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/log/squid/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 0
coredump_dir /var/cache
-----

When I simulate an issue (DIRECT/ unavailable), this will work for GET, but POST always tries DIRECT/

---
1231334419.908 292 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
1231334427.526 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
1231334562.494 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
1231335100.244 311 127.0.0.1 TCP_MISS/200 7401 GET http://www.google.fr/ - DEFAULT_PARENT/10.151.8.10 text/html
1231335100.599 318 127.0.0.1 TCP_MISS/204 492 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/10.151.8.10 text/html
1231335158.319 311 127.0.0.1 TCP_MISS/200 2383 GET http://playlist.yacast.net/ - DEFAULT_PARENT/10.151.8.10 text/html
1231335159.585 0 127.0.0.1 TCP_MISS/503 2373 POST http://playlist.yacast.net/ - DIRECT/playlist.yacast.net text/html
---

Any ideas ???

Best Regards,
Sébastien WENSKE
[squid-users] Use parent proxy when direct failed
Hi all,

I need to set up squid to use a parent proxy when the direct connection fails.

--
acl playlist dstdomain .yacast.net
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
cache_peer 10.151.8.10 parent 3128 0 name=prod default
cache_peer_access prod allow all
prefer_direct on
--

This configuration works fine: when I remove the default route (to simulate an ADSL issue) squid will use the parent proxy, but I want squid to always use the parent proxy for dstdomain .yacast.net:

--
acl playlist dstdomain .yacast.net
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
cache_peer 10.151.8.10 parent 3128 0 name=prod default
always_direct deny playlist
cache_peer_access prod allow all
prefer_direct on
---

That doesn't work, I've tried some other configurations with no success.

Many Thanks,
Sebastien.
[squid-users] [Squid Win32] cache_peerr_access by user (ext_user)
Hi All,

I'm currently setting up a squid under windows with basic authentication. The goal is to allow access to different cache peers depending on the logged-in user.

--- squid.conf ---
auth_param basic program c:/squid/libexec/ncsa_auth.exe c:/squid/etc/proxy_users.pwd
auth_param basic children 5
auth_param basic realm Test Platform Squid Cache
auth_param basic credentialsttl 1 hours
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl vlan119 proxy_auth REQUIRED src 10.147.119.0/24
acl user_moka_prod ext_user moka_prod
acl user_moka_training ext_user moka_training
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow vlan119
http_access deny all
icp_access deny all
http_port 3128
cache_peer 10.148.20.50 parent 3128 0 name=profile_moka_prod login=moka_prod:ccF1lt3r!
cache_peer 10.148.20.50 parent 3128 0 name=profile_moka_training login=moka_training:ccF1lt3r!
cache_peer 10.147.20.35 parent 3128 0 name=profile_moka_prod_bkp login=moka_prod:ccF1lt3r!
cache_peer 10.147.20.35 parent 3128 0 name=profile_moka_training_bkp login=moka_training:ccF1lt3r!
cache_peer_access profile_moka_prod allow user_moka_prod
cache_peer_access profile_moka_training allow user_moka_training
cache_peer_access profile_moka_prod_bkp allow user_moka_prod
cache_peer_access profile_moka_training_bkp allow user_moka_training
hierarchy_stoplist cgi-bin ?
cache_mem 350 MB
maximum_object_size_in_memory 200 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir ufs c:/squid/var/cache 1000 16 256
maximum_object_size 8096 KB
cache_swap_low 90
cache_swap_high 95
access_log c:/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
dns_nameservers 10.147.113.10 10.147.113.11
coredump_dir c:/squid/var/cache
never_direct allow all
---

The authentication works, I can see the username in access.log when direct access is allowed. But when I set never_direct allow all, I get a squid error page:

-----
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.
-----

and in the cache.log:

2008/09/10 11:44:59| Failed to select source for 'http://www.google.fr/'
2008/09/10 11:44:59|   always_direct = 0
2008/09/10 11:44:59|    never_direct = 1
2008/09/10 11:44:59|        timedout = 0
2008/09/10 11:45:04| Failed to select source for 'http://www.google.fr/'
2008/09/10 11:45:04|   always_direct = 0
2008/09/10 11:45:04|    never_direct = 1
2008/09/10 11:45:04|        timedout = 0
2008/09/10 11:45:05| Failed to select source for 'http://www.google.fr/'
2008/09/10 11:45:05|   always_direct = 0
2008/09/10 11:45:05|    never_direct = 1
2008/09/10 11:45:05|        timedout = 0
2008/09/10 13:36:38| Failed to select source for 'http://www.google.fr/'
2008/09/10 13:36:38|   always_direct = 0
2008/09/10 13:36:38|    never_direct = 1
2008/09/10 13:36:38|        timedout = 0

Although there are no errors on startup:

-----
2008/09/10 17:00:31| Configuring profile_moka_prod Parent profile_moka_prod/3128/0
2008/09/10 17:00:31| Configuring profile_moka_training Parent profile_moka_training/3128/0
2008/09/10 17:00:31| Configuring profile_moka_prod_bkp Parent profile_moka_prod_bkp/3128/0
2008/09/10 17:00:31| Configuring profile_moka_training_bkp Parent profile_moka_training_bkp/3128/0
2008/09/10 17:00:31| Ready to serve requests.
-----

Thanks for your help, let me know if you need more information.

Best Regards,
Sebastien.
listen funk, jazz soul at www.canardwc.com
[squid-users] squid won't start on boot
Hi guys,

I get some troubles with squid3-stable8 when I try to enable it on boot:

Starting squid: WARNING: Cannot write log file: /var/logs/cache.log
/var/logs/cache.log: Permission denied
[...]
squid: ERROR: Could not read pid file /var/logs/squid.pid: (13) Permission denied

It works fine when I start it manually. You can find below what I did:

./configure --localstatedir=/var --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/squid/ --enable-icmp --enable-arp-acl --with-default-user=squid
make
make install
adduser squid
mkdir /var/logs
mkdir /var/cache
chown -R squid.squid /var/logs
chown -R squid.squid /var/cache
/usr/sbin/squid -z

OS is RedHat EL 5.1

What's wrong?

A big thank you to those who can help me.

Regards,
Sebastien WENSKE
Re: [squid-users] squid won't start on boot
Thanks Angela,

But I've found the problem: in RedHat EL there is SELinux. I have just disabled it and it works fine.

Thanks All,
Sébastien.

- Original Message -
From: Angela Williams [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Wednesday, July 23, 2008 4:19 PM
Subject: Re: [squid-users] squid won't start on boot

On Wednesday 23 July 2008, Sébastien WENSKE wrote:
Hi guys,
I get some troubles with squid3-stable8 when I try to enable it on boot:
Starting squid: WARNING: Cannot write log file: /var/logs/cache.log
/var/logs/cache.log: Permission denied
[...]
squid: ERROR: Could not read pid file /var/logs/squid.pid: (13) Permission denied
It works fine when I start it manually. You can find below what I did:
./configure --localstatedir=/var --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/squid/ --enable-icmp --enable-arp-acl --with-default-user=squid
make
make install
adduser squid
mkdir /var/logs
mkdir /var/cache
chown -R squid.squid /var/logs
chown -R squid.squid /var/cache
/usr/sbin/squid -z
OS is RedHat EL 5.1
What's wrong?

Quick guess? When you test squid as root, squid created the cache.log as owner root! Now that you are starting squid from an rc script it runs as user squid so, needless to say, it cannot write a file created by root!

Try linux101!!

chown squid.squid /var/logs/cache.log
chown -R squid.squid /var/cache

Check the perms and ownerships on the rest of your files in /var/logs!

Cheers
Ang
--
Angela Williams Enterprise Outsourcing Unix/Linux Cisco spoken here! Bedfordview [EMAIL PROTECTED] Gauteng South Africa Smile!! Jesus Loves You!!
[squid-users] cache_peer_domain + POST
Hi all,

I have set a cache_peer_domain to use a parent proxy for a specific domain.

cache_peer 10.147.113.254 parent 218 0 proxy-only name=office
cache_peer_domain office .specific.net
acl specific dstdomain specific.net
never_direct allow specific

It will work fine until I try to post a form:

1215348582.324 285 127.0.0.1 TCP_MISS/200 2310 GET http://host.specific.net/ - FIRST_UP_PARENT/10.147.113.254 text/html
1215348582.435 49 127.0.0.1 TCP_MISS/304 457 GET http://host.specific.net/style/index.css - CD_PARENT_HIT/10.147.113.254 text/css
1215348582.442 53 127.0.0.1 TCP_MISS/304 458 GET http://host.specific.net/webdesign/bandeau-v-musicfinder.gif - CD_PARENT_HIT/10.147.113.254 image/gif
1215348582.448 55 127.0.0.1 TCP_MISS/304 457 GET http://host.specific.net/webdesign/bouton-go.gif - CD_PARENT_HIT/10.147.113.254 image/gif
1215348589.843 24 127.0.0.1 TCP_MISS/403 550 POST http://host.soecific.net/ - DIRECT/xxx.xxx.xxx.xxx text/html

Why does the POST method try DIRECT? What's wrong?

Thanks in advance.

Best Regards,
Sébastien WENSKE
Re: [squid-users] cache_peer_domain + POST
Thanks Henrik,

I've tried to do this, but I don't know how to specify never_direct POST method only for this specific domain. I need to get this parent proxy for this domain because it's IP filtered and only the IP of my office is allowed.

Sebastien.

- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Sébastien WENSKE [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Sunday, July 06, 2008 9:10 PM
Subject: Re: [squid-users] cache_peer_domain + POST

On sön, 2008-07-06 at 15:49 +0200, Sébastien WENSKE wrote:
Hi all,
I have set a cache_peer_domain to use a parent proxy for a specific domain.
cache_peer 10.147.113.254 parent 218 0 proxy-only name=office
cache_peer_domain office .specific.net
acl specific dstdomain specific.net
never_direct allow specific
It will work fine until I try to post a form

You'll need never_direct as well. POST isn't normally cachable so Squid does not bother to use peer caches if it doesn't have to.

Regards
Henrik
Re: [squid-users] cache_peer_domain + POST
It works fine!! Thank you so much!!!

- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Sébastien WENSKE [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Sunday, July 06, 2008 10:51 PM
Subject: Re: [squid-users] cache_peer_domain + POST

On sön, 2008-07-06 at 21:57 +0200, Sébastien WENSKE wrote:
Thanks Henrik,
I've tried to do this, but I don't know how to specify never_direct POST method only for this specific domain. I need to get this parent proxy for this domain because it's IP filtered and only the IP of my office is allowed.

Sorry, read your configuration again and I now see that you did try to use never_direct. But a . was missing from your acl.. (but present in cache_peer_domain..)

Try this:

acl specific dstdomain .specific.net
cache_peer 10.147.113.254 parent 218 0 proxy-only name=office
cache_peer_access office allow specific
never_direct allow specific

That cache_peer_access line is equivalent to a cache_peer_domain using the same domains, but as you also need an acl matching these domains cache_peer_access is easier as there is less duplication and less risk of unnoticed configuration errors...

Regards
Henrik
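The missing-dot bug Henrik found, checked against the access.log lines from the first post of this thread, as an added example that is not part of the thread or of Squid itself: the script reimplements the dstdomain matching rule (a leading dot matches the domain and all its subdomains, no dot means an exact host match), assumes the native access.log layout quoted above, and reports requests that match the ACL yet were still routed DIRECT. The sample log lines are constructed, and the DIRECT peer addresses are placeholders.

```python
"""Check Squid access.log routing against a dstdomain ACL.
Added example, not code from the squid-users thread: reimplements the
dstdomain rule (leading dot = domain plus subdomains, no dot = exact host)
and flags requests that matched the ACL yet were still sent DIRECT."""
from urllib.parse import urlsplit

# Constructed sample modelled on the access.log lines quoted in the thread
# (native log format); the DIRECT peer addresses are placeholders.
SAMPLE_LOG = """\
1215348582.324 285 127.0.0.1 TCP_MISS/200 2310 GET http://host.specific.net/ - FIRST_UP_PARENT/10.147.113.254 text/html
1215348582.435 49 127.0.0.1 TCP_MISS/304 457 GET http://host.specific.net/style/index.css - CD_PARENT_HIT/10.147.113.254 text/css
1215348589.843 24 127.0.0.1 TCP_MISS/403 550 POST http://host.specific.net/ - DIRECT/192.0.2.10 text/html
1215348590.100 30 127.0.0.1 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
"""

def dstdomain_match(acl_value: str, host: str) -> bool:
    """'.specific.net' matches specific.net and every subdomain;
    'specific.net' matches only that exact host name."""
    acl_value = acl_value.lower()
    host = host.lower().rstrip(".")
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value

def parse_line(line: str) -> dict:
    """Fields of the native format: time elapsed client code/status bytes
    method URL rfc931 hier/peer type."""
    f = line.split()
    hier, _, peer = f[8].partition("/")
    return {"method": f[5], "host": urlsplit(f[6]).hostname or "",
            "hier": hier, "peer": peer}

def direct_leaks(log: str, acl_value: str) -> list:
    """(method, host) for requests matching the ACL that went DIRECT,
    i.e. bypassed the parent that never_direct should have enforced."""
    leaks = []
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if dstdomain_match(acl_value, r["host"]) and r["hier"] == "DIRECT":
            leaks.append((r["method"], r["host"]))
    return leaks

if __name__ == "__main__":
    # Without the leading dot the ACL never matches host.specific.net, so the
    # DIRECT POST is not reported at all; with the dot it is flagged.
    for acl in ("specific.net", ".specific.net"):
        print(acl, "->", direct_leaks(SAMPLE_LOG, acl))
```

Running it against a real access.log with the corrected `.specific.net` ACL should return an empty list once never_direct takes effect; any DIRECT hit is a request that left through the wrong egress address.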