RE: [squid-users] Problem logging in to webmail site
> >>
> >>Using WCCP... applicable router config lines:
> >>
> >>ip wccp version 1
> >>ip wccp web-cache redirect-list 199
> >>
> >>access-list 199 permit tcp any any eq www
> >>access-list 199 permit tcp any any eq 8080
> >>
> >>interface FastEthernet3/1
> >> description connected to EthernetLAN_2
> >> ip wccp web-cache redirect out
> >>
> >>So it seems like maybe SSL/HTTPS traffic isn't being
> >>forwarded to the squid at all?
> >
> >That is good. Check your firewall logs for traffic from the client and
> >/ or to the web server in question. Look for dport 443 to see if that
> >traffic is going out the firewall (i.e. not going thru Squid).
> >
>
> Okay looked into the fw logs. No traffic on dport 443...
> but I did find traffic, which seems to be addressed to the
> webmail site being dropped by iptables:
>
> Sep 14 13:42:21 fw1 kernel: [IPTABLES DROP] : IN=eth1 OUT=eth0 SRC=[my workstation] DST=[webmail host] LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62112 DF PROTO=TCP SPT=38972 DPT=2095 WINDOW=5840 RES=0x00 SYN URGP=0
>
> So this seems to suggest that the issue relates to the fw
> configuration? Why would connecting to a squid vs.
> transparent caching make a difference here?

The dport is 2095, but WCCP is not redirecting that port. Add to your access-list 199 permit tcp any any eq 2095

First you might want to see if Squid is configured to proxy tcp/2095. Check your Safe_ports acl or manually configure your web browser to use the proxy.

This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.
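Added example, not part of the original message: the check the reply describes, done over text. It compares the ports in WCCP redirect-list 199 with the destination ports in firewall drop lines and with Squid's Safe_ports. The squid.conf fragment and the log lines are constructed samples, and the function names are hypothetical.

```python
import re

# Cisco IOS port keywords; "www" is the one used in the ACL quoted in the thread.
CISCO_PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "telnet": 23}

# Router ACL lines as quoted in the thread.
ROUTER_ACL = """\
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any eq 8080
"""

# Constructed squid.conf fragment (assumption: the usual default Safe_ports entries).
SQUID_CONF = """\
acl Safe_ports port 80          # http
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
"""

# Constructed firewall log lines modelled on the one in the thread
# (addresses are documentation ranges, not real hosts).
DROP_LOG = """\
Sep 14 13:42:21 fw1 kernel: [IPTABLES DROP] : IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TTL=63 DF PROTO=TCP SPT=38972 DPT=2095 WINDOW=5840 SYN URGP=0
Sep 14 13:42:24 fw1 kernel: [IPTABLES DROP] : IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TTL=63 DF PROTO=TCP SPT=38972 DPT=2095 WINDOW=5840 SYN URGP=0
Sep 14 13:43:02 fw1 kernel: [IPTABLES DROP] : IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.80 LEN=60 TTL=63 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 SYN URGP=0
""".splitlines()


def redirect_ports(acl_text, acl_number):
    """TCP destination ports that 'permit tcp any any eq <port>' lines of one ACL match."""
    pattern = re.compile(
        rf"^access-list\s+{acl_number}\s+permit\s+tcp\s+any\s+any\s+eq\s+(\S+)", re.M)
    ports = set()
    for token in pattern.findall(acl_text):
        ports.add(CISCO_PORT_NAMES[token] if token in CISCO_PORT_NAMES else int(token))
    return ports


def parse_safe_ports(squid_conf):
    """(low, high) ranges from 'acl Safe_ports port ...' lines, comments ignored."""
    ranges = []
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:3] == ["acl", "Safe_ports", "port"]:
            for item in fields[3:]:
                low, _, high = item.partition("-")
                ranges.append((int(low), int(high or low)))
    return ranges


def parse_drop(line):
    """KEY=VALUE fields of one iptables LOG line (bare flags such as DF and SYN are skipped)."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def triage(drop_lines, acl_ports, safe_ranges):
    """Per dropped TCP destination port: drop count, whether WCCP would have
    redirected it to the cache, and whether Squid's Safe_ports would accept it."""
    findings = {}
    for line in drop_lines:
        fields = parse_drop(line)
        if fields.get("PROTO") != "TCP" or "DPT" not in fields:
            continue
        port = int(fields["DPT"])
        entry = findings.setdefault(port, {
            "count": 0,
            "redirected": port in acl_ports,
            "safe_port": any(lo <= port <= hi for lo, hi in safe_ranges),
        })
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    acl = redirect_ports(ROUTER_ACL, 199)
    for port, info in sorted(triage(DROP_LOG, acl, parse_safe_ports(SQUID_CONF)).items()):
        print(port, info)
```

A port that shows up as dropped, not redirected, but inside Safe_ports is the case in this thread: a browser pointed at the proxy reaches the site through Squid, while an intercepted client sends that port straight to the firewall.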
RE: [squid-users] Problem logging in to webmail site
> -Original Message-
> From: Listserv [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 14, 2005 11:27 AM
> To: Sturgis, Grant
> Subject: RE: [squid-users] Problem logging in to webmail site
>
>
> Using WCCP... applicable router config lines:
>
> ip wccp version 1
> ip wccp web-cache redirect-list 199
>
> access-list 199 permit tcp any any eq www
> access-list 199 permit tcp any any eq 8080
>
> interface FastEthernet3/1
>  description connected to EthernetLAN_2
>  ip wccp web-cache redirect out
>
> So it seems like maybe SSL/HTTPS traffic isn't being
> forwarded to the squid at all?

That is good. Check your firewall logs for traffic from the client and / or to the web server in question. Look for dport 443 to see if that traffic is going out the firewall (i.e. not going thru Squid).

>
> Sean
>
>
> >>>"Sturgis, Grant" <[EMAIL PROTECTED]> 09/14 12:58 pm >>>
> Let's see what the list says (I have been known to be wrong ;-)
>
> If I am correct, then you cannot intercept SSL requests and send them to
> your proxy. This technique would be essentially a man-in-the-middle
> attack on an SSL connection.
>
> So, how are you doing transparent proxying / interception? Are you
> using WCCP or policy based routing?
>
>
> >-Original Message-
> >From: Listserv [mailto:[EMAIL PROTECTED]
> >Sent: Wednesday, September 14, 2005 10:52 AM
> >To: Sturgis, Grant
> >Subject: RE: [squid-users] Problem logging in to webmail site
> >
> >
> >>>>"Sturgis, Grant" <[EMAIL PROTECTED]> 09/14 12:38 pm >>>>
> >
> >>-Original Message-
> >>From: Listserv [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, September 14, 2005 10:31 AM
> >>To: squid-users@squid-cache.org
> >>Subject: [squid-users] Problem logging in to webmail site
> >>
> >>
> >>Hi... I'm fairly new to all this. Inherited a set of squids
> >>running transparently for web caching. Everything runs fine,
> >>mostly... recently noticed that when I attempt to connect to
> >>a certain webmail site, the login box for the site does not
> >>pop up... the browser just tries to connect, and connect, and
> >>connect. So I set the domain to always connect. This seems
> >>to work when I'm connected directly to one of the caching
> >>servers, but not when I'm just using the proxy transparently.
> >>Any suggestions?
> >>
> >>This is similar to a login problem that I never got any
> >>response on a month or so ago, so any help anyone may have
> >>would be greatly appreciated. Thanks!
> >>
> >>Sean Albright
> >
> >My guess would be that the login box (frame) is https. Since you cannot
> >transparently proxy https, the requests are getting lost. You should
> >send https requests out directly (not through the proxy).
> >
> >Thanks for the quick response. It's possible that I'm
> >already configured to do that... the conf contains the following:
> >
> >acl SSL_ports port 443 563
> >
> >http_access deny CONNECT !SSL_ports
> >
> >Is that what you're talking about?
> >
> >If that's doing something else, how can I send out the
> >requests directly... Would I do that something like this:
> >
> >acl FOO https
> >nocache deny FOO
> >
> >
> >Sean
RE: [squid-users] Problem logging in to webmail site
> -Original Message-
> From: Listserv [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 14, 2005 10:31 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Problem logging in to webmail site
>
>
> Hi... I'm fairly new to all this. Inherited a set of squids
> running transparently for web caching. Everything runs fine,
> mostly... recently noticed that when I attempt to connect to
> a certain webmail site, the login box for the site does not
> pop up... the browser just tries to connect, and connect, and
> connect. So I set the domain to always connect. This seems
> to work when I'm connected directly to one of the caching
> servers, but not when I'm just using the proxy transparently.
> Any suggestions?
>
> This is similar to a login problem that I never got any
> response on a month or so ago, so any help anyone may have
> would be greatly appreciated. Thanks!
>
> Sean Albright

My guess would be that the login box (frame) is https. Since you cannot transparently proxy https, the requests are getting lost. You should send https requests out directly (not through the proxy).
RE: [squid-users] Startup fails
> -Original Message-
> From: Bob Ambroso [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 08, 2005 11:20 AM
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] Startup fails
>
>
> It is a url_regex acl and calls a file stored locally that is
> about 7mb. How then do I use this list of banned sites to
> control access without the use of url_regex?

url_regex can be very cpu intensive, especially for long lists. You will get better performance from dst or dstdomain acls.

>
> Thanks for any and all replies..
>
> \Bob
>
> -Original Message-
> From: Chris Robertson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 08, 2005 9:44 AM
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] Startup fails
>
> > -Original Message-
> > From: Bob Ambroso [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 08, 2005 7:46 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Startup fails
> >
> >
> > I have a basic squid install and I added an acl that uses a list of
> > banned sites. The list is quite comprehensive (say 7mb) and when squid
> > tries to start it chugs along then fails with kernel out of memory..
> >
> > The machine I am using is a PII with 384 megs of ram. When I use top I
> > can see that while it is starting squid will use most of the ram
> > (289-369 mb's of ram) till it fails... Without the text file it starts
> > up no problem.. I created the list using MS notepad (not sure if that
> > is what is causing the problem but thought I would throw it out
> > there..) I
> > have tweaked some of the default settings without any luck.
> >
> > \Bob
> >
> > Bob Ambroso
> > Whittier Public Library
> > 7344 S. Washington Ave
> > Whittier, CA 90602
> > (562) 464-3452
>
> What kind of ACL are you using to call this file?
> "url_regex" (or indeed anything involving regex) would be
> very bad in this case.
>
> Chris
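Added example, not part of the original thread: one way to turn a large URL-style ban list into the dstdomain and dst lists suggested above. It strips the CRLF line endings and byte-order mark that Notepad leaves behind, drops subdomains already covered by a parent entry, and sets real regex entries aside. The sample list is constructed, and the function, acl and file names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Characters that mark an entry as a real regular expression rather than a URL or host.
REGEX_CHARS = set("\\^$*()[]|")

# Constructed sample ban list, saved the way Notepad would (BOM + CRLF).
SAMPLE_LIST = (
    "\ufeffhttp://www.bad-example.test/index.html\r\n"
    "bad-example.test\r\n"
    "ads.Bad-Example.test/banner\r\n"
    "192.0.2.55\r\n"
    "^http://.*\\.casino\\..*\r\n"
    "# comment line\r\n"
    "\r\n"
    "other.example\r\n"
)


def classify_entry(raw):
    """Return (kind, value) for one line: kind is 'domain', 'addr', 'regex' or 'skip'."""
    entry = raw.strip().lstrip("\ufeff").strip()
    if not entry or entry.startswith("#"):
        return "skip", None
    if REGEX_CHARS & set(entry):
        return "regex", entry
    try:
        host = urlsplit(entry if "://" in entry else "http://" + entry).hostname
    except ValueError:
        return "regex", entry
    if not host:
        return "skip", None
    try:
        return "addr", str(ipaddress.ip_address(host))
    except ValueError:
        # Path and query are dropped on purpose: the block becomes host-wide.
        return "domain", host.rstrip(".")


def convert(lines):
    """Split a ban list into (dstdomain entries, dst entries, leftover regexes)."""
    domains, addrs, leftovers = set(), set(), []
    for raw in lines:
        kind, value = classify_entry(raw)
        if kind == "domain":
            domains.add(value)
        elif kind == "addr":
            addrs.add(value)
        elif kind == "regex":
            leftovers.append(value)
    kept = set()
    # Shortest names first, so a parent is always seen before its subdomains.
    for name in sorted(domains, key=lambda d: d.count(".")):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & kept:
            kept.add(name)
    # A leading dot makes dstdomain match the domain and all of its subdomains.
    return [f".{d}" for d in sorted(kept)], sorted(addrs), leftovers


if __name__ == "__main__":
    dstdomain, dst, regexes = convert(SAMPLE_LIST.splitlines(keepends=True))
    print("\n".join(dstdomain))
    # Hypothetical squid.conf usage once the lists are written to files:
    #   acl banned_domains dstdomain "/etc/squid/banned_domains.txt"
    #   acl banned_addrs   dst       "/etc/squid/banned_addrs.txt"
    #   http_access deny banned_domains
    #   http_access deny banned_addrs
    print(dst, regexes)
```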
RE: [squid-users] strange problem with www.evangel.org.sg
You got it.

> -Original Message-
> From: Tay Teck Wee [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 07, 2005 9:57 AM
> To: Sturgis, Grant; Mark Elsen
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] strange problem with www.evangel.org.sg
>
>
> Ok, you mean if we send
>
> "GET /index.html HTTP/1.0"
>
> and get
>
> "HTTP/1.1 200 OK"
>
> means web server is broken because it's a HTTP/1.1
> reply. But if I perform a similar test to most
> websites, i.e. www.cnn.com, www.msn.com, etc, we will
> also get a HTTP/1.1 reply. And squid does not have
> problem with those sites...
>
> --- "Sturgis, Grant" <[EMAIL PROTECTED]> wrote:
>
> > Let me try:
> >
> > Your browser is requesting http/1.0:
> >
> > > Trying 203.127.19.66...
> > > Connected to evangel.org.sg (203.127.19.66).
> > > Escape character is '^]'.
> > > GET /index.html HTTP/1.0
> >
> > The server is responding in http/1.1:
> >
> > > HTTP/1.1 200 OK
> > > Date: Wed, 07 Sep 2005 15:10:17 GMT
> > > Server: Apache/2.0.49 (Unix) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.0.49 OpenSSL/0.9.6i
> >
> > This is not good. Most browsers and some proxies
> > deal with this, squid does not.
> >
> > Henrik says that http/1.1 is in the works for the
> > next version of squid.
> >
> > Regardless of squid's capabilities, a web server
> > responding like this definitely means that the web
> > server is broken.
> >
> > You should contact that web server administrator and
> > ask him to fix his server.
> >
> > > -Original Message-
> > > From: Tay Teck Wee [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, September 07, 2005 9:13 AM
> > > To: Mark Elsen
> > > Cc: squid-users@squid-cache.org
> > > Subject: Re: [squid-users] strange problem with www.evangel.org.sg
> > >
> > >
> > > Sorry I really dun get your message.
> > >
> > > Just to clarify, pls see below for the full reply. I
> > > truncated in my previous email(as indicated previously
> > > as [truncated]). I cannot see anything wrong with the
> > > reply.
> > >
> > > Trying 203.127.19.66...
> > > Connected to evangel.org.sg (203.127.19.66).
> > > Escape character is '^]'.
> > > GET /index.html HTTP/1.0
> > >
> > > HTTP/1.1 200 OK
> > > Date: Wed, 07 Sep 2005 15:10:17 GMT
> > > Server: Apache/2.0.49 (Unix) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.0.49 OpenSSL/0.9.6i
> > > ETag: "1d240-25fc-cf182300"
> > > Accept-Ranges: bytes
> > > Last-Modified: Wed, 07 Sep 2005 06:39:40 GMT
> > > Content-Length: 9724
> > > Content-Type: text/html; charset=ISO-8859-1
> > > ETag: "1d240-25fc-cf182300"
> > > Accept-Ranges: bytes
> > > Connection: close
RE: [squid-users] strange problem with www.evangel.org.sg
Let me try:

Your browser is requesting http/1.0:

> Trying 203.127.19.66...
> Connected to evangel.org.sg (203.127.19.66).
> Escape character is '^]'.
> GET /index.html HTTP/1.0

The server is responding in http/1.1:

> HTTP/1.1 200 OK
> Date: Wed, 07 Sep 2005 15:10:17 GMT
> Server: Apache/2.0.49 (Unix) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.0.49 OpenSSL/0.9.6i

This is not good. Most browsers and some proxies deal with this, squid does not.

Henrik says that http/1.1 is in the works for the next version of squid.

Regardless of squid's capabilities, a web server responding like this definitely means that the web server is broken.

You should contact that web server administrator and ask him to fix his server.

> -Original Message-
> From: Tay Teck Wee [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 07, 2005 9:13 AM
> To: Mark Elsen
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] strange problem with www.evangel.org.sg
>
>
> Sorry I really dun get your message.
>
> Just to clarify, pls see below for the full reply. I
> truncated in my previous email(as indicated previously
> as [truncated]). I cannot see anything wrong with the
> reply.
>
> Trying 203.127.19.66...
> Connected to evangel.org.sg (203.127.19.66).
> Escape character is '^]'.
> GET /index.html HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Wed, 07 Sep 2005 15:10:17 GMT
> Server: Apache/2.0.49 (Unix) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.0.49 OpenSSL/0.9.6i
> ETag: "1d240-25fc-cf182300"
> Accept-Ranges: bytes
> Last-Modified: Wed, 07 Sep 2005 06:39:40 GMT
> Content-Length: 9724
> Content-Type: text/html; charset=ISO-8859-1
> ETag: "1d240-25fc-cf182300"
> Accept-Ranges: bytes
> Connection: close
>
> Connection closed by foreign host.
>
> --- Mark Elsen <[EMAIL PROTECTED]> wrote:
>
> > On 9/7/05, Tay Teck Wee <[EMAIL PROTECTED]> wrote:
> > > Thanks Mark.
> > >
> > > But the server was able to respond. I did not include
> > > the reply as it was quite long and thus I wrote
> > > [truncated] previously.
> > >
> > > Or you noticed/saw something which I missed?
> > >
> >
> > And the server responded indeed; but it responded
> > badly. It is not allowed to reply with a http 1.1
> > formatted 'message' for a http 1.0 formatted request.
> >
> > ->
> >
> > Escape character is '^]'.
> > GET /index.html HTTP/1.0
> >
> > HTTP/1.1 200 OK
> >
> >
> > M.
RE: [squid-users] Squid Dies many times in one day
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 02, 2005 2:29 AM
> To: [EMAIL PROTECTED]; Sturgis, Grant;
> squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid Dies many times in one day
>
>
> Hi
> What if you download a snapshot from squid.org and compile
> yourself instead of using redhat RPM file. Thanks - LK

Originally, I was using the distributed RPM from RH, and the problem was horrendous. One day I saw 45 restarts of squid. Yesterday just before I sent this message, I downloaded source from squid-cache.org, compiled and installed. The problem has been lessened significantly since then, maybe 2 or 3 of those "auto-restarts" that squid does. I don't know the details of why squid does that, but I assume it is intended and beneficial. Can someone explain that?

Anyway, just this morning, about 40 minutes ago, this happened in the cache.log:

2005/09/02 07:51:56| WARNING: 100 swapin MD5 mismatches
2005/09/02 07:53:18| httpReadReply: Excess data from "GET http://URL_REMOVED_TO_PROTECT_THE_GUILTY"
2005/09/02 07:54:07| httpReadReply: Excess data from "GET http://."
2005/09/02 07:57:08| httpReadReply: Excess data from "GET http://."
2005/09/02 07:58:29| httpReadReply: Excess data from "GET http://."
2005/09/02 08:00:03| httpReadReply: Excess data from "GET http://."
2005/09/02 08:01:50| httpReadReply: Excess data from "GET http://.."
2005/09/02 08:03:24| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...

and similarly in /var/log/messages:

Sep 2 08:03:21 proxy squid[6048]: Squid Parent: child process 6715 exited due to signal 6
Sep 2 08:03:24 proxy squid[6048]: Squid Parent: child process 8092 started
Sep 2 08:05:04 proxy squid[6048]: Squid Parent: child process 8092 exited due to signal 6
Sep 2 08:05:07 proxy squid[6048]: Squid Parent: child process 8163 started
Sep 2 08:05:09 proxy squid[6048]: Squid Parent: child process 8163 exited due to signal 6
Sep 2 08:05:12 proxy squid[6048]: Squid Parent: child process 8196 started
Sep 2 08:05:20 proxy squid[6048]: Squid Parent: child process 8196 exited due to signal 6
Sep 2 08:05:23 proxy squid[6048]: Squid Parent: child process 8261 started
Sep 2 08:05:25 proxy squid[6048]: Squid Parent: child process 8261 exited due to signal 6
Sep 2 08:05:28 proxy squid[6048]: Squid Parent: child process 8326 started
Sep 2 08:05:35 proxy squid[6048]: Squid Parent: child process 8326 exited due to signal 6
Sep 2 08:05:38 proxy squid[6048]: Squid Parent: child process 8396 started
Sep 2 08:08:21 proxy squid[6048]: Squid Parent: child process 8396 exited due to signal 6
Sep 2 08:08:24 proxy squid[6048]: Squid Parent: child process 8465 started
.

Obviously, this looks like the Bugzilla bug that Allen posted, but it is the official squid code.

Grant

>
> -Original Message-
> From: Allen Armstrong [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 02, 2005 9:21 AM
> To: 'Sturgis, Grant'; squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid Dies many times in one day
>
> This sounds exactly the problem I am experiencing.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165367
>
> > -Original Message-
> > From: Allen Armstrong [mailto:[EMAIL PROTECTED]
> > Sent: September 2, 2005 12:01 AM
> > To: 'Sturgis, Grant'; squid-users@squid-cache.org
> > Subject: RE: [squid-users] Squid Dies many times in one day
> >
> > Very odd.
> >
> > I am going through the threads here and I am starting to notice a pattern.
> > I am now starting to wonder if it isn't a Redhat issue. As my squid was
> > upgraded recently via the redhat network and is also dying.
> >
> >
> > Ttyl,
> >
> >
> > Allen Armstrong
> >
> >
> > > -Original Message-
> > > From: Sturgis, Grant [mailto:[EMAIL PROTECTED]
> > > Sent: September 1, 2005 11:33 AM
> > > To: squid-users@squid-cache.org
> > > Subject: [squid-users] Squid Dies many times in one day
> > >
> > > Greetings List,
> > >
> > > I have just rebuilt our squid system (RHEL ES 3) and now Squid (Squid
> > > Cache: Version 2.5.STABLE3) dies many times every day.
> > >
> > > I have searched through cache.log and /var/log/messages and haven't
> > > really come up with anything.
> > >
> > > A couple things of note:
> > >
> > > From /var/log/messages:
> > >
> > > (five times today)
> > > Sep 1 11:44:00 proxy_server squid[5562]: Exiting due to repeated,
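Added example, not part of the original message: reading the "Squid Parent" lines quoted above as data. It pairs each child's start with its exit, computes how long the child lived, and counts consecutive fast failures. The log lines are copied from the message; the thresholds (a child living under 10 seconds counts as a fast failure, 5 in a row makes the parent exit) are assumptions of this example, and the function names are hypothetical.

```python
import re
from datetime import datetime

# /var/log/messages lines as quoted in the message above.
MESSAGES = """\
Sep 2 08:03:21 proxy squid[6048]: Squid Parent: child process 6715 exited due to signal 6
Sep 2 08:03:24 proxy squid[6048]: Squid Parent: child process 8092 started
Sep 2 08:05:04 proxy squid[6048]: Squid Parent: child process 8092 exited due to signal 6
Sep 2 08:05:07 proxy squid[6048]: Squid Parent: child process 8163 started
Sep 2 08:05:09 proxy squid[6048]: Squid Parent: child process 8163 exited due to signal 6
Sep 2 08:05:12 proxy squid[6048]: Squid Parent: child process 8196 started
Sep 2 08:05:20 proxy squid[6048]: Squid Parent: child process 8196 exited due to signal 6
Sep 2 08:05:23 proxy squid[6048]: Squid Parent: child process 8261 started
Sep 2 08:05:25 proxy squid[6048]: Squid Parent: child process 8261 exited due to signal 6
Sep 2 08:05:28 proxy squid[6048]: Squid Parent: child process 8326 started
Sep 2 08:05:35 proxy squid[6048]: Squid Parent: child process 8326 exited due to signal 6
Sep 2 08:05:38 proxy squid[6048]: Squid Parent: child process 8396 started
Sep 2 08:08:21 proxy squid[6048]: Squid Parent: child process 8396 exited due to signal 6
Sep 2 08:08:24 proxy squid[6048]: Squid Parent: child process 8465 started
""".splitlines()

LINE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+squid\[\d+\]:\s+Squid Parent: "
    r"child process (?P<pid>\d+) (?P<event>started|exited due to signal (?P<sig>\d+))")


def child_lifetimes(lines, year=2005):
    """Return [(pid, seconds_alive, signal)] for every child whose start and exit
    both appear in the log. Syslog stamps carry no year, so one is supplied."""
    started, result = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        pid = int(m["pid"])
        if m["event"] == "started":
            started[pid] = when
        elif pid in started:
            alive = int((when - started.pop(pid)).total_seconds())
            result.append((pid, alive, int(m["sig"])))
    return result


def longest_fast_failure_run(lifetimes, fast_seconds=10):
    """Longest run of consecutive children that died sooner than fast_seconds."""
    run = best = 0
    for _pid, seconds, _sig in lifetimes:
        run = run + 1 if seconds < fast_seconds else 0
        best = max(best, run)
    return best


def parent_would_give_up(lifetimes, fast_seconds=10, limit=5):
    """True if the assumed give-up threshold is reached in this log."""
    return longest_fast_failure_run(lifetimes, fast_seconds) >= limit


if __name__ == "__main__":
    lifetimes = child_lifetimes(MESSAGES)
    for pid, seconds, sig in lifetimes:
        print(f"child {pid}: lived {seconds:4d}s, killed by signal {sig}")
    print("longest fast-failure run:", longest_fast_failure_run(lifetimes))
```

Signal 6 is SIGABRT, so each of these exits is an abort inside the child rather than an external kill.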
[squid-users] Squid Dies many times in one day
Greetings List,

I have just rebuilt our squid system (RHEL ES 3) and now Squid (Squid Cache: Version 2.5.STABLE3) dies many times every day.

I have searched through cache.log and /var/log/messages and haven't really come up with anything.

A couple things of note:

From /var/log/messages:

(five times today)
Sep 1 11:44:00 proxy_server squid[5562]: Exiting due to repeated, frequent failures

and from cache.log I don't see anything in particular corresponding to this, but I do see several of these:

httpReadReply: Excess data from "GET http:...

and

ctx: enter level 0: 'http:..

Any suggestions for troubleshooting or correcting this would be most appreciated.

Thanks,

Grant
[squid-users] RE: Alternatives to Transparent Proxy https
> -Original Message-
> From: Sturgis, Grant
> Sent: Friday, August 12, 2005 9:00 AM
> To: squid-users@squid-cache.org
> Subject: Alternatives to Transparent Proxy https
>
>
> Hello all,
>
> It appears that it is impossible to transparent proxy HTTPS
> (if you think this is not true, please let me know!).
>
> What are the alternatives? Do you just let users go directly
> out to the web server? We are trying to avoid using PAC
> files since they tend to cause problems for travelers.
>
> Thanks for any ideas,
>
> Grant

To clarify a bit, my concern is that malicious websites will provide service on tcp/443 (not ssl wrapped http) for the purpose of proxy avoidance or something else. Users will request this URL and will avoid our proxy and therefore content scrubbing.

I wish I could allow direct connection to tcp/443 knowing that the traffic is indeed https. If it is not, shut it down and investigate.
[squid-users] Alternatives to Transparent Proxy https
Hello all,

It appears that it is impossible to transparent proxy HTTPS (if you think this is not true, please let me know!).

What are the alternatives? Do you just let users go directly out to the web server? We are trying to avoid using PAC files since they tend to cause problems for travelers.

Thanks for any ideas,

Grant
[squid-users] Interception Proxy / Policy Based Routing
Greetings List,

I am using policy based routing to get HTTP traffic to my proxy. Basically, as network traffic traverses my router, the policy inspects the packets to see if they are tcp/80 and, if so, sends it on to my proxy. I then have iptables running on the proxy server (RH EL ES 3) to change the port from tcp/80 to tcp/3128

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This all works great.

Now I am trying to add some of the other ports that http(s) may use, namely tcp/443. So I add that to my router policy (and verify that the traffic is getting to my proxy with tcpdump) and add this to my iptables:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

now iptables -t nat -L says this:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128
    REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 3128

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

The problem is, https traffic doesn't go through the proxy. If I manually configure my proxy settings on my browser, it does work fine.

Any suggestions for what could be going wrong and how to fix it?

Thanks in advance,

Grant
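Added example, not part of the original messages: a first-bytes classifier that serves both this post and the earlier "Alternatives to Transparent Proxy https" follow-up. It shows what a listener on tcp/3128 receives when tcp/443 is redirected to it (a TLS ClientHello, not an HTTP request line), what a manually configured browser sends instead (a plaintext CONNECT), and how a gateway could tell real TLS on tcp/443 from something else. All byte strings are constructed samples; the function names and verdict strings are hypothetical.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def classify_first_bytes(data):
    """Classify the first bytes a client sends on a new TCP connection."""
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if len(data) < 9:
        return "unknown"
    # TLS record header: content type, version (major, minor), record length.
    content_type, major, minor, record_len = struct.unpack("!BBBH", data[:5])
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    is_client_hello = (
        content_type == 0x16               # handshake record
        and major == 3 and minor <= 4      # SSL 3.0 through TLS 1.3 record versions
        and 4 <= record_len <= 16384
        and handshake_type == 0x01         # ClientHello
        and record_len <= handshake_len + 4  # equal, or smaller if fragmented
        and (len(data) < 10 or data[9] == 3)  # client_version major, if present
    )
    return "tls-client-hello" if is_client_hello else "unknown"


def build_sample_client_hello():
    """Constructed minimal ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03"            # client_version
            + bytes(32)            # random (all zero in this sample)
            + b"\x00"              # empty session id
            + b"\x00\x02\x13\x01"  # cipher suites: length 2, one suite
            + b"\x01\x00"          # compression methods: null only
            + b"\x00\x00")         # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def http_listener_can_parse(data):
    """What a plain HTTP proxy port needs: a request line it can read."""
    return classify_first_bytes(data) == "http-request"


def verdict(dst_port, first_bytes):
    """Gateway policy sketch for the concern about non-TLS traffic on tcp/443."""
    kind = classify_first_bytes(first_bytes)
    if dst_port == 443:
        return "allow-direct" if kind == "tls-client-hello" else "block-and-investigate"
    if dst_port == 80:
        return "send-to-proxy" if kind == "http-request" else "block-and-investigate"
    return "no-policy"


# Constructed samples of what arrives first in each situation.
SAMPLES = {
    "intercepted https (443 redirected to 3128)": build_sample_client_hello(),
    "browser configured to use proxy": b"CONNECT webmail.example:443 HTTP/1.0\r\n\r\n",
    "intercepted http": b"GET /index.html HTTP/1.0\r\n\r\n",
    "non-TLS service on 443": b"SSH-2.0-sample\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:45s} {classify_first_bytes(data):17s} "
              f"http listener can parse: {http_listener_can_parse(data)}")
```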
RE: [squid-users] WCCP Help Request (last time)
    iptunnel add gre1 mode gre remote 10.10.254.254 local 10.10.10.211 dev eth0

10.10.254.254 is IP address of router
10.10.10.211 is eth0 on squid system

then

    ifconfig gre1 127.0.0.2 up

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 7:03 AM
To: Sturgis, Grant
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP Help Request (last time)

On Thu, 4 Aug 2005, Sturgis, Grant wrote:

> Just tried it with the current update FC3 kernel (2.6.12-1.1372_FC3)
> and got the same result.

How is your GRE tunnel defined?

Regards
Henrik
RE: [squid-users] WCCP Help Request (last time)
Just tried it with the current update FC3 kernel (2.6.12-1.1372_FC3) and got the same result.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 04, 2005 5:33 AM
To: Sturgis, Grant
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP Help Request (last time)

On Wed, 3 Aug 2005, Sturgis, Grant wrote:

> Should the distributed FC3 kernel and ip_gre module work?

Not sure. If not the current update kernel should work.

Regards
Henrik
[squid-users] WCCP Help Request (last time)
I am going around and around on this WCCP issue and am considering giving up in favor of policy based routing. Please allow me to re-phrase my question and invite any suggestions or comments.

Fedora Core 3
2.6.11-1.27_FC3 kernel
ip_gre module from Fedora Core 3
Squid 2.5.STABLE10
Cisco 6506 12.1(26)E1

I followed these instructions: http://www.linux-mag.com/content/view/1957/2303/

plus including:

    wccp_router 10.10.254.254

in squid.conf

Squid server is 10.10.10.211. Router is 10.10.254.254

tcpdump -n -i eth0 'host 10.10.254.254' shows this:

    15:54:56.267637 IP 10.10.10.211.2048 > 10.10.254.254.2048: UDP, length 52
    15:55:06.275774 IP 10.10.10.211.2048 > 10.10.254.254.2048: UDP, length 52

while debug ip wccp packets shows this:

    Aug 3 21:57:39.343 UTC: WCCP-PKT: Sending I_See_You packet to 10.10.10.211 w/ rcvd_id 02A5
    Aug 3 21:57:50.295 UTC: WCCP-PKT: Sending I_See_You packet to 10.10.10.211 w/ rcvd_id 02A6

Isn't it curious that the server only shows packets going to the router and the router only shows packets going to the server? Where are the return packets?

Should the distributed FC3 kernel and ip_gre module work?

Any suggestions to prevent me from pulling out my hair any further are very much appreciated.

Thanks,

Grant
[squid-users] Network Topology Questions
We are having serious problems getting traffic to our squid proxy server. Currently we are using a proxy.pac file to tell browsers when to use the proxy and where to find it. Unfortunately, MSIE seems to decide randomly when (and when not) to use this file. It seems that when laptop users go home and connect to VPN, then they get two IP addresses (one for the VPN connection and one for the NIC), and the PAC file can't figure out which one to use. This is a problem because we use:

if (isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0"))
    return "PROXY 10.10.10.10:3128";

in the proxy.pac file. Funny thing is that sometimes it works and sometimes it doesn't.

Anyway, I thought that WCCP would be a good solution. Problem is, I can't seem to get it to work (see earlier post or email me and I will resend). So now I am searching for alternatives. Can anyone comment on the topologies or network strategies that you are using?

I am considering an in-line approach:

| Internal Network | --- | Proxy | | Firewall | --- | Internet |

But I don't like the idea of other outbound protocols (smtp, ssh) needing to be routed through another device. Is this a silly concern?

Are there any other approaches that have worked well? Do a lot of people out there use WCCP successfully?

Thanks in advance for any suggestions and comments.

Grant
[squid-users] WCCP Setup - again
Greetings all,

After a long vacation, a sysadmin quitting, and another being hired, I am finally back to my WCCP issue. I have gotten a lot of very helpful advice from several on this list, and I think I am pretty close to getting this thing running. Any suggestions or comments are most welcome.

On the squid server, I have:

RedHat FC3 2.6.11-1.27_FC3
squid-2.5.STABLE9-1.FC3.6 (with --enable-wccpv2)
/proc/sys/net/ipv4/ip_forward = 1

squid.conf:
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
wccp_router 10.10.254.254

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptunnel add gre1 mode gre remote 10.10.254.254 local 10.10.10.211 dev eth0
ifconfig gre1 127.0.0.2 up
restart squid

Cisco:
ip wccp version 1
ip wccp web-cache redirect-list 199
access-list 199 permit tcp 10.10.0.0 0.0.255.255 any
access-list 199 deny tcp any any
interface Vlan90
 ip wccp web-cache redirect in

For debugging, I have done this on the squid box:

tcpdump -i eth0 'host 10.10.254.254'

and I get:

12:49:47.783883 IP 10.10.10.211.2048 > 10.10.254.254.2048: UDP, length 52
12:49:57.785996 IP 10.10.10.211.2048 > 10.10.254.254.2048: UDP, length 52

and then on Cisco, I have done this:

debug ip wccp packets

and get this:

Jul 28 18:37:27.749 UTC: WCCP-PKT: Sending I_See_You packet to 10.10.10.211 w/ rcvd_id 019D
Jul 28 18:37:38.693 UTC: WCCP-PKT: Sending I_See_You packet to 10.10.10.211 w/ rcvd_id 019E

sh ip wccp shows:

Global WCCP information:
    Router information:
        Router Identifier: 10.10.254.254
        Protocol Version:1.0
    Service Identifier: web-cache
        Number of Cache Engines: 0
        Number of routers: 1
        Total Packets Redirected:0
        Redirect access-list:199
        Total Packets Denied Redirect: 0
        Total Packets Unassigned:0
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0

sh ip wccp web-cache detail shows:

WCCP Cache-Engine information:
    Web Cache ID: 0.0.0.0
    Protocol Version: 0.4
    State: NOT Usable
    Redirection: GRE
    Packet Return: GRE
    Assignment:HASH
    Initial Hash Info:
    Assigned Hash Info:
    Hash Allotment:0 (0.00%)
    Packets Redirected:0
    Connect Time: 00:00:03

Thanks for reading down this far ;-)
RE: [squid-users] WCCP Setup
Ok, thanks to a kind list member, I now have a squid with wccpv2. My Cisco switch is still not showing the web-cache. How do I know if / when squid is reporting to the switch? Anything other than a packet trace to check this?

Thanks,
Grant

> -----Original Message-----
> From: Sturgis, Grant
> Sent: Friday, June 17, 2005 11:54 AM
> To: Scott Phalen; squid-users@squid-cache.org
> Subject: RE: [squid-users] WCCP Setup
>
> A-ha! No --enable-wccp, that's gonna be a problem. I will recompile.
>
> As for the kernel module, no I didn't. In the article they say that you just need kernel 2.6.10 or later because they included WCCP to the ip_gre module. Does that sound right?
>
> > -----Original Message-----
> > From: Scott Phalen [mailto:[EMAIL PROTECTED]
> > Sent: Friday, June 17, 2005 11:42 AM
> > To: Sturgis, Grant; squid-users@squid-cache.org
> > Subject: Re: [squid-users] WCCP Setup
> >
> > --Original Mail--
> > From: "Sturgis, Grant" <[EMAIL PROTECTED]>
> >
> > I didn't recompile squid from source, but simply used the FC3 RPM. Does anyone know if that package is compiled with the --enable-linux-netfilter and --enable-wccp options? Can you tell how to check?
> > ---
> >
> > Did you compile the ip_wccp module for the 2.6 kernel? squid -v will display the options used to compile it.
> >
> > Regards,
> > Scott
[squid-users] RPM rebuild FC3 Error
Hello,

I am trying to rebuild a src.rpm from FC3. I edited /usr/src/redhat/SPECS/squid.spec and added:

--enable-wccp \

to the %configure section. I then ran rpmbuild -bb squid.spec and received the following error:

+ sgml2html FAQ.sgml
Can't locate Text/EntityMap.pm in @INC (@INC contains: /usr/share/linuxdoc-tools/site /usr/share/linuxdoc-tools/dist /usr/share/perl5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/5.8.4 /usr/lib/perl5/5.8.3 /usr/lib/perl5/5.8.2 /usr/lib/perl5/5.8.1 /usr/lib/perl5/5.8.0 /usr/lib/perl5 /usr/lib64/perl5 /usr/perl5 /usr/share/linuxdoc-tools /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/share/linuxdoc-tools/LinuxDocTools/CharEnts.pm line 33.
BEGIN failed--compilation aborted at /usr/share/linuxdoc-tools/LinuxDocTools/CharEnts.pm line 33.
Compilation failed in require at /usr/share/linuxdoc-tools/dist/fmt_latex2e.pl line 16.
BEGIN failed--compilation aborted at /usr/share/linuxdoc-tools/dist/fmt_latex2e.pl line 16.
Compilation failed in require at /usr/share/linuxdoc-tools/LinuxDocTools.pm line 169.
error: Bad exit status from /var/tmp/rpm-tmp.2167 (%build)

Any idea what I can do to fix this?

Thanks,
Grant
RE: [squid-users] WCCP Setup
A-ha! No --enable-wccp, that's gonna be a problem. I will recompile.

As for the kernel module, no I didn't. In the article they say that you just need kernel 2.6.10 or later because they included WCCP to the ip_gre module. Does that sound right?

> -----Original Message-----
> From: Scott Phalen [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 17, 2005 11:42 AM
> To: Sturgis, Grant; squid-users@squid-cache.org
> Subject: Re: [squid-users] WCCP Setup
>
> --Original Mail--
> From: "Sturgis, Grant" <[EMAIL PROTECTED]>
>
> I didn't recompile squid from source, but simply used the FC3 RPM. Does anyone know if that package is compiled with the --enable-linux-netfilter and --enable-wccp options? Can you tell how to check?
> ---
>
> Did you compile the ip_wccp module for the 2.6 kernel? squid -v will display the options used to compile it.
>
> Regards,
> Scott
[squid-users] WCCP Setup
Greetings List,

I am attempting to set up WCCP with a Cisco Cat 6506 and Squid.

squid-2.5.STABLE9-1.FC3.6
Fedora Core release 3 (Heidelberg)
2.6.11-1.27_FC3

I have followed the instructions from this article:
http://www.linux-mag.com/content/view/1957/2303/

Which basically boils down to:

echo 1 > /proc/sys/net/ipv4/ip_forward
(and add to sysctl.conf)

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
in squid.conf

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptunnel add gre1 mode gre remote \
  ip-address-of-router local ip-address-of-squid-cache \
  dev eth0
ifconfig gre1 127.0.0.2 up

Cisco> enable
Cisco# config t
Cisco(config)# ip wccp version 1
Cisco(config)# ip wccp web-cache
Cisco(config)# int your-outgoing-interface
Cisco(config-if)# ip wccp web-cache redirect out
Cisco(config-if)# end
Cisco# write mem

But the switch still doesn't see the cache (as shown by sh ip wccp).

One question that I have: I didn't recompile squid from source, but simply used the FC3 RPM. Does anyone know if that package is compiled with the --enable-linux-netfilter and --enable-wccp options? Can you tell how to check?

Any other comments or suggestions are most welcome.

Thanks!
Grant
RE: [squid-users] Slow Squid
> -----Original Message-----
> From: Steve Brown [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 16, 2004 4:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [squid-users] Slow Squid
>
> Sturgis, Grant wrote:
>
> > The hardware is:
> >
> > Dell PE 1650
>
> Are you using PERC2/3 hardware RAID?

Nope, JBOD.

> I found on the similar machines we run here that the hardware RAID performance under Linux is outrageously poor. I converted all our machines to software raid and the performance improved from about 15MB/s write on a RAID5 to 75MB/s with s/w RAID. That's with 10k SCSI drives.
>
> Before the change, our Squid proxies spent an awful lot of time being I/O bound.
>
> Also, I split the cache into 3 cache dirs, each 8GB on a different physical drive. Now Squid is a very happy bunny.

Good ideas, thanks.

> -S
RE: [squid-users] Slow Squid
> On 15.11 12:23, Sturgis, Grant wrote:
> > I am writing for ideas on how I can increase the performance of my squid cache.
> >
> > I am running:
> >
> > cache_dir aufs on ext2
> [...]
>
> > The hardware is:
> >
> > Dell PE 1650
> > 2-Intel PIII 1133 MHz
> > 4 GB RAM
> >
> > The symptom is that during our peak utilization periods, when HTTP requests get over about 750/min, the response time gets very slow, over 800 ms or so. I understand that squid is single threaded, but we are running a number of the redirector processes and it seems that the CPU workload is distributed fairly well. This is determined by examining /proc/stat with MRTG. Neither CPU seems to reach above 55% utilization so I do not think the system is CPU bound.
>
> 55% is already quite much, however that is probably not the problem.
>
> > One thing that is concerning:
> >
> > [EMAIL PROTECTED] squid]# free -m
> >              total       used       free     shared    buffers     cached
> > Mem:          3778       3756         22          0        472       2154
> > -/+ buffers/cache:       1129       2649
>
> this says you only use a bit more than 1GB of memory.

Another shot from today:

[EMAIL PROTECTED] root]# free -m
             total       used       free     shared    buffers     cached
Mem:          3778       3758         20          0        497       2194
-/+ buffers/cache:       1065       2713
Swap:         8997        807       8190

Doesn't this say 807 MB of swap being used? Certainly that cannot be good.

> > Also, I do understand that reiserfs is a recommended file system over ext2; do you think it will make a large difference to change this?
>
> yes, there is high probability that changing to xfs/jfs/reiserfs would help you.
>
> > Any suggestions for things I can do to determine why my cache is slow or how to make improvements in performance?
>
> try to see how disks are loaded using 'iostat -d 1'

I don't have that command, but I will load that package (sar I believe) this afternoon.
RE: [squid-users] Slow Squid
> You state that response time is slow, but not which. Is that average, misses, near misses or hits? What are each of the other rates?

I am referring to the median response time for all requests.
Hits range up to 800 - 900 ms during peak times.
Misses range up to 1500 ms during peak times.
Near misses (304 - Not Modified) range up to 800 - 900 ms during peak times.
All of these fall down to acceptable levels (300 - 400 ms) during non-peak times.

> Where are you getting your CPU Utilization numbers from? (top, squidclient mrg:info, MRTG)

CPU utilization comes from feeding an awk-ed excerpt of /proc/stat into MRTG.

> What is your cache_mem line set to?

cache_mem 128 MB

> How much bandwidth do you have available? How much is being used?

3 Mbps of which we usually peak at about 1600 Kbps.

> One thing that really bit me was over-use of the url_regex acl combined with fairly complex regular expressions. That's not likely to be the problem here, but it might be something to look into.

I do have a fair number of url_regex acls, but I think their impact would show up in CPU.

> Chris

Thanks for the reply, Chris.

Grant

> -----Original Message-----
> From: Sturgis, Grant [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 15, 2004 10:24 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Slow Squid
>
> Greetings List,
>
> I am writing for ideas on how I can increase the performance of my squid cache.
>
> I am running:
>
> RHEL ES 3.0
> cache_dir aufs on ext2
> squid-2.5.STABLE3-6.3E
> adzapper version 3.3 with wrapzap
> Two cache_dirs totalling 42.4 GB
>
> The hardware is:
>
> Dell PE 1650
> 2-Intel PIII 1133 MHz
> 4 GB RAM
>
> The symptom is that during our peak utilization periods, when HTTP requests get over about 750/min, the response time gets very slow, over 800 ms or so. I understand that squid is single threaded, but we are running a number of the redirector processes and it seems that the CPU workload is distributed fairly well. This is determined by examining /proc/stat with MRTG. Neither CPU seems to reach above 55% utilization so I do not think the system is CPU bound.
>
> One thing that is concerning:
>
> [EMAIL PROTECTED] squid]# free -m
>              total       used       free     shared    buffers     cached
> Mem:          3778       3756         22          0        472       2154
> -/+ buffers/cache:       1129       2649
> Swap:         8997        715       8282
>
> Do you think this is significant? Should I adjust squid.conf to reduce this memory usage?
>
> Also, I do understand that reiserfs is a recommended file system over ext2; do you think it will make a large difference to change this?
>
> Any suggestions for things I can do to determine why my cache is slow or how to make improvements in performance?
>
> Thank you in advance,
>
> Grant
[squid-users] Slow Squid
Greetings List,

I am writing for ideas on how I can increase the performance of my squid cache.

I am running:

RHEL ES 3.0
cache_dir aufs on ext2
squid-2.5.STABLE3-6.3E
adzapper version 3.3 with wrapzap
Two cache_dirs totalling 42.4 GB

The hardware is:

Dell PE 1650
2-Intel PIII 1133 MHz
4 GB RAM

The symptom is that during our peak utilization periods, when HTTP requests get over about 750/min, the response time gets very slow, over 800 ms or so. I understand that squid is single threaded, but we are running a number of the redirector processes and it seems that the CPU workload is distributed fairly well. This is determined by examining /proc/stat with MRTG. Neither CPU seems to reach above 55% utilization so I do not think the system is CPU bound.

One thing that is concerning:

[EMAIL PROTECTED] squid]# free -m
             total       used       free     shared    buffers     cached
Mem:          3778       3756         22          0        472       2154
-/+ buffers/cache:       1129       2649
Swap:         8997        715       8282

Do you think this is significant? Should I adjust squid.conf to reduce this memory usage?

Also, I do understand that reiserfs is a recommended file system over ext2; do you think it will make a large difference to change this?

Any suggestions for things I can do to determine why my cache is slow or how to make improvements in performance?

Thank you in advance,

Grant
RE: [squid-users] cache.log errors and slow squid
> > Sounds reasonable. This is RHEL ES 3.0 and the /etc/sysconfig/i18n file reads:
> >
> > LANG="en_US.UTF-8"
> > SUPPORTED="en_US.UTF-8:en_US:en"
> > SYSFONT="latarcyrheb-sun16"
> >
> > Is this where I change this? What should I change?
>
> Make Squid run under the C locale by setting the locale (LANG etc) to C in the Squid init script or sysconfig file if your init script reads a sysconfig file.

Thank you Henrik,

My /etc/sysconfig/squid file now looks like:

# default squid options
# -D disables initial dns checks. If you most likely will not to have an
#internet connection when you start squid, uncomment this
SQUID_OPTS="-D"

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

LANG=en_US.C
LC_CTYPE="en_US.C"
LC_NUMERIC="en_US.C"
LC_TIME="en_US.C"
LC_COLLATE="en_US.C"
LC_MONETARY="en_US.C"
LC_MESSAGES="en_US.C"
LC_PAPER="en_US.C"
LC_NAME="en_US.C"
LC_ADDRESS="en_US.C"
LC_TELEPHONE="en_US.C"
LC_MEASUREMENT="en_US.C"
LC_IDENTIFICATION="en_US.C"
LC_ALL=

> Regards
> Henrik

Thanks,
Grant
RE: [squid-users] cache.log errors and slow squid
> -----Original Message-----
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 19, 2004 1:10 AM
> To: Sturgis, Grant
> Cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] cache.log errors and slow squid
>
> On Mon, 18 Oct 2004, Sturgis, Grant wrote:
>
> > Malformed UTF-8 character (unexpected non-continuation byte 0xc8, immediately after start byte 0xd6) in pattern match (m//) at (eval 1) line 11, line 21.
>
> You are using a perl based redirector which is having problems due to your system locale being UTF-8 based, while the redirector expects a C locale.

Sounds reasonable. This is RHEL ES 3.0 and the /etc/sysconfig/i18n file reads:

LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

Is this where I change this? What should I change?

> Regards
> Henrik

Thank you Henrik for your reply.

Grant
[squid-users] cache.log errors and slow squid
Greetings List,

Today I noticed very slow response times from squid (right now we are looking at the 60-min median response time of 1200 ms). The network and Internet connections look fine as well as DNS. I noticed several of these entries in the cache.log file:

Malformed UTF-8 character (unexpected non-continuation byte 0xc8, immediately after start byte 0xd6) in pattern match (m//) at (eval 1) line 11, line 21.

We are using adzapper and wrapzap (is this a perl error?).

Any suggestions or comments are appreciated.

Thanks,
Grant

PS - I have restarted squid and things look OK for the meantime.
[squid-users] Performance Troubleshooting
Greetings List,

I recently moved our squid installation from SuSE 8 to RHEL ES 3 and the performance has decreased significantly. I am looking here for pointers of what you think may be the difference. I attempted to keep the configuration largely the same, and the hardware is 100% the same (same system).

The performance with SuSE:
peak median response time = .250 s
peak requests per minute = 930

Now on RHEL ES 3:
peak median response time > .800 s
same numbers of requests per minute

We are using a ton of memory, but I think we are in good shape:

Page faults with physical i/o: 553
Number of HTTP requests received: 2975409

[EMAIL PROTECTED] home]$ free -m
             total       used       free     shared    buffers     cached
Mem:          3778       3709         69          0        415       2209
-/+ buffers/cache:       1084       2694
Swap:         8997          5       8992

I am not running named on this system, so I am wondering if this is an area for improvement. How do these DNS times look?:

DNS Lookups: 0.05313 0.06657

One thing that I know is different is the file system of the cache_dirs. They are now ext3 while before they were reiserfs, store io type is aufs. I did not attempt to preserve the cache_dirs so the cache before was 2 x 45 GB while the cache now has grown to only 2 x 3,259 MB (online about 2 weeks now).

Does anyone have any suggestions for me?

Many thanks in advance,

Grant
RE: [squid-users] .pac file/newbie guide request here
I put the .pac file on the workstations, and update it via login script. This allows me to do things like:

function FindProxyForURL(url, host)
{
    if (isInNet(myIpAddress(), "10.10.14.0", "255.255.255.0"))
        return "PROXY 10.10.10.10:3128";
    return "DIRECT";
}

which allows laptops to go home and work correctly, without a proxy server, on their broadband connection.

-GS

-----Original Message-----
From: Duane Wessels [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 12:35 AM
To: Renato Kalugdan
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] .pac file/newbie guide request here

On Wed, 10 Dec 2003, Renato Kalugdan wrote:

> Hello All,
>
> I've just implemented Squid as a Proxy Server on a Lab setup at work.
>
> So far so good.
>
> My question pertains to .pac files
>
> Is there a guide that will allow me to comprehend this more thoroughly?
>
> Where would I put such a file? On the Squid Server or on a Web Server?

You would put this file on a Web server. Furthermore you need to make sure that the server returns the correct content type for the URL. You can do it in apache like this:

AddType application/x-ns-proxy-autoconfig .pac

Duane W.
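The PAC rule from the message above and the wider 10.10.0.0/255.255.0.0 rule from the "Network Topology Questions" post, run through a small harness that shows how the proxy decision depends on which local address myIpAddress() reports. This is an added example, not code from either poster; isInNet and myIpAddress here are stand-ins for the browser-supplied functions, and the host addresses are constructed.

```javascript
// Stand-ins for the PAC helpers a browser normally provides (assumption:
// dotted-quad input only; the real isInNet also resolves host names).
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  // >>> 0 keeps the 32-bit results unsigned so the comparison is exact.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// The two rules quoted on this page.
const RULE_WIDE = { net: "10.10.0.0", mask: "255.255.0.0", proxy: "10.10.10.10:3128" };
const RULE_NARROW = { net: "10.10.14.0", mask: "255.255.255.0", proxy: "10.10.10.10:3128" };

// Build FindProxyForURL for one rule, with myIpAddress() pinned to the
// address the browser happened to pick.
function makePac(rule, pickedAddress) {
  const myIpAddress = () => pickedAddress;
  return function FindProxyForURL(url, host) {
    if (isInNet(myIpAddress(), rule.net, rule.mask)) return "PROXY " + rule.proxy;
    return "DIRECT";
  };
}

// Evaluate the rule once per local address. If the answers differ, the
// proxy decision depends on which interface myIpAddress() reports.
function auditHost(rule, localAddresses) {
  const decisions = localAddresses.map((addr) => ({
    addr,
    decision: makePac(rule, addr)("http://www.example.com/", "www.example.com"),
  }));
  const ambiguous = new Set(decisions.map((d) => d.decision)).size > 1;
  return { decisions, ambiguous };
}

// Constructed hosts (not from the thread): NIC address first, VPN second.
const HOSTS = {
  "office desktop": ["10.10.14.50"],
  "laptop at home, VPN up": ["192.168.1.23", "10.10.200.7"],
  "laptop at home, no VPN": ["192.168.1.23"],
};

// One line per rule and host, flagging hosts whose outcome is not stable.
function report() {
  const lines = [];
  for (const [ruleName, rule] of [["wide", RULE_WIDE], ["narrow", RULE_NARROW]]) {
    for (const [name, addrs] of Object.entries(HOSTS)) {
      const r = auditHost(rule, addrs);
      const summary = r.decisions.map((d) => `${d.addr} -> ${d.decision}`).join("; ");
      lines.push(`${ruleName} | ${name} | ${summary}${r.ambiguous ? " | AMBIGUOUS" : ""}`);
    }
  }
  return lines;
}

console.log(report().join("\n"));
```

With these constructed addresses the narrow rule gives the VPN laptop a stable DIRECT answer, which also means its web traffic never reaches the proxy's filtering and logging.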
RE: [squid-users] Squid and Windows Update.
I am having the exact problem (see my post from yesterday). I have created a temporary work around by adding:

acl windowsupdate dstdomain .windowsupdate.microsoft.com
no_cache deny windowsupdate

to squid.conf. Any other ideas?

Grant

-----Original Message-----
From: Mike McCall [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 7:38 AM
To: [EMAIL PROTECTED]
Cc: 'Palmer J.D.F.'
Subject: RE: [squid-users] Squid and Windows Update.

I'm having the same issue here too, which I first noticed yesterday. It looks like https://v4.windowsupdate.microsoft.com/ works though. I assume that because Squid just relays SSL traffic, whatever causes the non-secure site to break is not affected.

Any ideas on a permanent fix or workaround would be appreciated, though!

Mike

-----Original Message-----
From: Palmer J.D.F. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 7:19 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid and Windows Update.

Hello,

I'm having a bit of an issue with Squid and Windows Update. In the last day or so we have noticed machines on campus failing to get their WUs. All goes well until I click the "scan for updates" link and then I get an error, the M$ error is the seemingly infamous '0x800a138F' error.

Many pages from the search below blame the new hosting arrangements that M$ have with Akamai, stating that Akamai are also a host for many ad banners so are often blocked by admins.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=0x800a138F

However we don't appear to have any rules in our squid.conf that block access to that site, neither when I log the requests from my test machine does it deny access to any of the requests;

Anyway on further investigation I have retrieved another M$ error code from the WU Log file on the client PC, this is '0x800C0002' which according to M$ is "Invalid URL". I only get this problem going through the squid boxes.

Another twist to this is that if I turn the cache settings off in IE do a WU scan which succeeds and then turn the cache settings back on it works fine thereafter. However it is not possible for us to turn the cache setting off all the machines here, even if it were we'd have to open up the firewall to allow port 80 access for all machines rather than just the WWW and a select few admin machines.

Is this a known bug with squid?

Many thanks,
Jezz Palmer.

Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP
[squid-users] RE: Windows Update Problem
I believe it is a squid problem since:

1. Send http traffic through squid and WU does not work.
2. Send http traffic direct (around the proxy) and WU does work.
3. Add:

       acl windowsupdate dstdomain .windowsupdate.microsoft.com
       no_cache deny windowsupdate

   to squid.conf and WU works fine.

Am I missing something?

Grant

-Original Message-
From: dwi amk [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 2:49 AM
To: [EMAIL PROTECTED]
Subject: Re: Windows Update Problem

Looks like the problem is not coming from squid. Try Uncle Google some search about "windows update error". I've been in the same situation lately, I just need to tools-internet options... in ie.

Sturgis, Grant writes:

> Greetings All,
>
> We have experienced an interesting problem with Windows Update. Essentially, the
> service fails when the client (W2K / IE6) uses the proxy server and succeeds when it
> bypasses the proxy. After you click "Scan for Updates" the web server replies with
> something like (sorry I don't have the exact error in front of me) "an unknown error
> has occurred". The access.log and cache.log don't show anything out of the ordinary
> (access.log excerpt is below).
>
> I have gotten around the problem temporarily by including:
>
> acl windowsupdate dstdomain .windowsupdate.microsoft.com
> no_cache deny windowsupdate
>
> in squid.conf
>
> The mailing list archives have some similar problems that point to cache_dir being
> too small (running out of cache space) but I don't believe that is my problem:
>
> cache_dir aufs /usr/local/squid/cache0 48000 16 256
> cache_dir aufs /usr/local/squid/cache1 48000 16 256
>
> #df -h|grep cache
> /dev/sdb1 67G 37G 27G 58% /usr/local/squid/cache0
> /dev/sdc1 67G 37G 27G 58% /usr/local/squid/cache1
>
> #./squid -v
>
> Squid Cache: Version 2.5.STABLE1-20030102
> configure options: --enable-storeio=ufs,aufs,diskd --enable-snmp
>
> Any suggestions would be most welcome.
>
> Thanks,
>
> Grant
> -
>
> access.log excerpt:
>
> Tue Dec 2 15:30:36 2003 30 10.10.14.113 TCP_MEM_HIT/200 3592 GET http://windowsupdate.microsoft.com/ - NONE/- text/html
> Tue Dec 2 15:30:36 2003 32 10.10.14.113 TCP_MEM_HIT/200 2391 GET http://windowsupdate.microsoft.com/redirect.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:36 2003 102 10.10.14.113 TCP_MISS/302 428 GET http://v4.windowsupdate.microsoft.com/default.asp - DIRECT/207.46.244.222 text/html
> Tue Dec 2 15:30:36 2003 174 10.10.14.113 TCP_MISS/200 8383 GET http://v4.windowsupdate.microsoft.com/en/default.asp - DIRECT/65.54.249.61 text/html
> Tue Dec 2 15:30:36 2003 35 10.10.14.113 TCP_MEM_HIT/200 3854 GET http://v4.windowsupdate.microsoft.com/shared/js/Redirect.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:36 2003 129 10.10.14.113 TCP_HIT/200 22132 GET http://v4.windowsupdate.microsoft.com/shared/js/top.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 520 GET http://v4.windowsupdate.microsoft.com/shared/js/top.vbs - NONE/- text/vbscript
> Tue Dec 2 15:30:37 2003 106 10.10.14.113 TCP_MISS/200 1173 GET http://v4.windowsupdate.microsoft.com/shared/js/survey.js? - DIRECT/65.54.249.61 application/x-javascript
> Tue Dec 2 15:30:37 2003 136 10.10.14.113 TCP_MISS/200 1496 GET http://v4.windowsupdate.microsoft.com/en/footer.asp - DIRECT/65.54.249.61 text/html
> Tue Dec 2 15:30:37 2003 188 10.10.14.113 TCP_MISS/200 7109 GET http://v4.windowsupdate.microsoft.com/en/toc.asp? - DIRECT/65.54.249.61 text/html
> Tue Dec 2 15:30:37 2003 245 10.10.14.113 TCP_MISS/200 4351 GET http://v4.windowsupdate.microsoft.com/en/mstoolbar.asp? - DIRECT/207.46.244.222 text/html
> Tue Dec 2 15:30:37 2003 178 10.10.14.113 TCP_MISS/200 1872 GET http://v4.windowsupdate.microsoft.com/en/splash.asp? - DIRECT/207.46.244.222 text/html
> Tue Dec 2 15:30:37 2003 71 10.10.14.113 TCP_MEM_HIT/200 558 GET http://v4.windowsupdate.microsoft.com/shared/css/footer.css - NONE/- text/css
> Tue Dec 2 15:30:37 2003 70 10.10.14.113 TCP_HIT/200 2656 GET http://v4.windowsupdate.microsoft.com/shared/js/mstoolbar.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:37 2003 105 10.10.14.113 TCP_HIT/200 9547 GET http://v4.windowsupdate.microsoft.com/shared/js/toc.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:37 2003 113 10.10.14.113 TCP_HIT/200 12615 GET http://v4.windowsupdate.microsoft.com/shared/js/content.js - NONE/- application/x-javascript
> Tue Dec 2 15:30:37 2003 98 10.10.
[squid-users] Windows Update Problem
Greetings All,

We have experienced an interesting problem with Windows Update. Essentially, the service fails when the client (W2K / IE6) uses the proxy server and succeeds when it bypasses the proxy. After you click "Scan for Updates" the web server replies with something like (sorry I don't have the exact error in front of me) "an unknown error has occurred". The access.log and cache.log don't show anything out of the ordinary (access.log excerpt is below).

I have gotten around the problem temporarily by including:

    acl windowsupdate dstdomain .windowsupdate.microsoft.com
    no_cache deny windowsupdate

in squid.conf

The mailing list archives have some similar problems that point to cache_dir being too small (running out of cache space) but I don't believe that is my problem:

    cache_dir aufs /usr/local/squid/cache0 48000 16 256
    cache_dir aufs /usr/local/squid/cache1 48000 16 256

    #df -h|grep cache
    /dev/sdb1 67G 37G 27G 58% /usr/local/squid/cache0
    /dev/sdc1 67G 37G 27G 58% /usr/local/squid/cache1

    #./squid -v

    Squid Cache: Version 2.5.STABLE1-20030102
    configure options: --enable-storeio=ufs,aufs,diskd --enable-snmp

Any suggestions would be most welcome.

Thanks,

Grant
-

access.log excerpt:

Tue Dec 2 15:30:36 2003 30 10.10.14.113 TCP_MEM_HIT/200 3592 GET http://windowsupdate.microsoft.com/ - NONE/- text/html
Tue Dec 2 15:30:36 2003 32 10.10.14.113 TCP_MEM_HIT/200 2391 GET http://windowsupdate.microsoft.com/redirect.js - NONE/- application/x-javascript
Tue Dec 2 15:30:36 2003 102 10.10.14.113 TCP_MISS/302 428 GET http://v4.windowsupdate.microsoft.com/default.asp - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:36 2003 174 10.10.14.113 TCP_MISS/200 8383 GET http://v4.windowsupdate.microsoft.com/en/default.asp - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:36 2003 35 10.10.14.113 TCP_MEM_HIT/200 3854 GET http://v4.windowsupdate.microsoft.com/shared/js/Redirect.js - NONE/- application/x-javascript
Tue Dec 2 15:30:36 2003 129 10.10.14.113 TCP_HIT/200 22132 GET http://v4.windowsupdate.microsoft.com/shared/js/top.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 520 GET http://v4.windowsupdate.microsoft.com/shared/js/top.vbs - NONE/- text/vbscript
Tue Dec 2 15:30:37 2003 106 10.10.14.113 TCP_MISS/200 1173 GET http://v4.windowsupdate.microsoft.com/shared/js/survey.js? - DIRECT/65.54.249.61 application/x-javascript
Tue Dec 2 15:30:37 2003 136 10.10.14.113 TCP_MISS/200 1496 GET http://v4.windowsupdate.microsoft.com/en/footer.asp - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:37 2003 188 10.10.14.113 TCP_MISS/200 7109 GET http://v4.windowsupdate.microsoft.com/en/toc.asp? - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:37 2003 245 10.10.14.113 TCP_MISS/200 4351 GET http://v4.windowsupdate.microsoft.com/en/mstoolbar.asp? - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:37 2003 178 10.10.14.113 TCP_MISS/200 1872 GET http://v4.windowsupdate.microsoft.com/en/splash.asp? - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:37 2003 71 10.10.14.113 TCP_MEM_HIT/200 558 GET http://v4.windowsupdate.microsoft.com/shared/css/footer.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 70 10.10.14.113 TCP_HIT/200 2656 GET http://v4.windowsupdate.microsoft.com/shared/js/mstoolbar.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 105 10.10.14.113 TCP_HIT/200 9547 GET http://v4.windowsupdate.microsoft.com/shared/js/toc.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 113 10.10.14.113 TCP_HIT/200 12615 GET http://v4.windowsupdate.microsoft.com/shared/js/content.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 448 GET http://v4.windowsupdate.microsoft.com/shared/images/toc_endnode.gif - NONE/- image/gif
Tue Dec 2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 1578 GET http://v4.windowsupdate.microsoft.com/shared/css/hcp.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 139 10.10.14.113 TCP_HIT/200 1573 GET http://v4.windowsupdate.microsoft.com/shared/css/toc.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 5463 GET http://v4.windowsupdate.microsoft.com/shared/css/content.css - NONE/- text/css
Tue Dec 2 15:30:38 2003 200 10.10.14.113 TCP_HIT/200 2054 GET http://v4.windowsupdate.microsoft.com/shared/css/mstoolbar.css - NONE/- text/css
Tue Dec 2 15:30:38 2003 166 10.10.14.113 TCP_HIT/200 449 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_curve.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 168 10.10.14.113 TCP_HIT/200 6059 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_icp.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 82 10.10.14.113 TCP_HIT/200 874 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_ms.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 192 10.10.14.113 TCP_MISS/2
[squid-users] Web app not working through proxy
Greetings All,

I ran into an issue today where a web application accessed over SSL was not working through the proxy server. The users were able to log into the app but then some functionality would not work within the application. Certain fields would not appear in the web browser and then the web browser would hang and would have to be killed. As soon as I bypassed the proxy, this web app works fine.

I have added an exception for this website in the PAC file for the browser, so the users are functioning as normal for now, but I would be appreciative if anyone has any ideas of things I could do to allow these users to use the proxy server for this connection.

Here are excerpts from access.log and cache.log. The system is SuSE 8.0, version 2.5.STABLE1-20030102.

Access.log:

1046117295.438 2306 10.10.14.154 TCP_MISS/200 20127 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117300.609 7583 10.10.14.154 TCP_MISS/200 32328 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117302.317 7161 10.10.14.154 TCP_MISS/200 12249 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117302.516 529 10.10.14.154 TCP_MISS/200 1625 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117308.507 4980 10.10.14.154 TCP_MISS/200 123549 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117316.859 8335 10.10.14.154 TCP_MISS/200 77734 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117346.836 29977 10.10.14.154 TCP_MISS/200 39 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117346.850 44355 10.10.14.154 TCP_MISS/200 39 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117346.850 46263 10.10.14.154 TCP_MISS/200 39 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -
1046117346.850 44555 10.10.14.154 TCP_MISS/200 39 CONNECT wires.theonenet.com:443 - DIRECT/159.53.238.222 -

Cache.log

2003/02/24 09:12:26| Ready to serve requests.
2003/02/24 11:42:57| parseHttpRequest: Requestheader contains NULL characters
2003/02/24 11:42:57| clientReadRequest: FD 115 Invalid Request
2003/02/24 11:42:57| parseHttpRequest: Requestheader contains NULL characters
2003/02/24 11:42:57| clientReadRequest: FD 131 Invalid Request
2003/02/24 12:44:09| sslReadServer: FD 118: read failure: (104) Connection reset by peer
2003/02/24 12:44:09| sslReadServer: FD 118: read failure: (104) Connection reset by peer
2003/02/24 13:13:31| sslWriteClient: FD 69: write failure: (104) Connection reset by peer.
2003/02/24 13:17:48| sslReadServer: FD 73: read failure: (104) Connection reset by peer
2003/02/24 13:17:48| sslReadServer: FD 83: read failure: (104) Connection reset by peer
2003/02/24 13:17:48| sslReadServer: FD 94: read failure: (104) Connection reset by peer

Thanks.

Grant Sturgis
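The subnet test from the FindProxyForURL function posted in the .pac thread on this page, combined with the per-site exception this message describes, as an added example (not code posted to the list). The proxy address, subnet and bypass host come from the page; the `clientIp` variable and the stand-in `myIpAddress`/`isInNet` functions are assumptions that exist only so the logic can be run under Node, since a browser supplies those helpers itself.

```javascript
// --- Stand-ins for helpers the browser provides to a PAC script.
// --- Assumption: test harness only; remove this section from the deployed file.
var clientIp = "10.10.14.154";              // workstation address seen in access.log
function myIpAddress() { return clientIp; }
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// --- PAC logic proper ---
var PROXY = "PROXY 10.10.10.10:3128";
var BYPASS_HOSTS = ["wires.theonenet.com"]; // sites that must skip the proxy

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Off the office LAN (laptop at home): the proxy is unreachable, go direct.
  if (!isInNet(myIpAddress(), "10.10.14.0", "255.255.255.0")) return "DIRECT";
  // Exact-host match only: a suffix or wildcard match would also exempt
  // look-alike names such as "notwires.theonenet.com" from the proxy's ACLs.
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (host === BYPASS_HOSTS[i]) return "DIRECT";
  }
  return PROXY;
}
```

Every host in the bypass list also needs a firewall rule that lets workstations reach it directly, and its traffic no longer shows up in access.log.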
[squid-users] ACL Syntax and Preference
Greetings All,

Based on comments from Henrik and others, I am reconfiguring my ACLs. I have block lists downloaded from squidguard and others that are quite extensive, and I have all of them implemented as url_regex ACLs. Since a large portion of the lists are not URLs but domains and IP addresses, I am guessing that it would be smart to change the ACL type to dst or dstdomain when possible.

So, my questions inviting confirmation or comment are:

1. dst and dstdomain ACLs are more advantageous than url_regex ACLs because of processing cycles necessary in regex
2. ACLs using the dst type are looking for IP addresses as elements
3. ACLs using the dstdomain type are looking for fully-qualified-domain-names as elements.
4. Is there a better way to implement a block list similar to the following:

    207.231.72.88
    209.123.16.9
    205.241.44.90
    14words.com
    site88.8m.com
    air-photo.com

Thanks for your comments,

Grant
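One way to act on the four questions above, as an added example rather than anything posted to the list: split a mixed block list so that addresses go to a dst ACL, host names to a dstdomain ACL, and only real patterns stay in url_regex. The ACL names and file names are hypothetical, the last three sample entries are constructed, and writing each domain with a leading dot (so subdomains match too) is an assumption about what the list intends.

```javascript
// Sample input: the six entries from the message plus three constructed ones
// (a parent domain, a CIDR range and a regex) to exercise every branch.
const SAMPLE = [
  "207.231.72.88", "209.123.16.9", "205.241.44.90",
  "14words.com", "site88.8m.com", "air-photo.com",
  "8m.com", "10.20.0.0/16", "^http://[^/]*/ads/",
].join("\n");

function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(s);
  if (!m) return false;
  const octetsOk = m.slice(1, 5).every((o) => Number(o) <= 255);
  return octetsOk && (m[5] === undefined || Number(m[5]) <= 32);
}

function isDomain(s) {
  // Host name labels only, at least one dot, alphabetic top-level label.
  return /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/.test(s);
}

function splitBlocklist(text) {
  const dst = new Set(), domains = new Set(), regex = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const name = line.toLowerCase().replace(/^\./, "");
    if (isIPv4(line)) dst.add(line);
    else if (isDomain(name)) domains.add(name);
    else regex.push(line);                    // left untouched for url_regex
  }
  // ".8m.com" already covers "site88.8m.com": drop entries whose parent is
  // listed (redundant, and newer Squid releases warn about such overlaps).
  const kept = [...domains].filter((d) => {
    const labels = d.split(".");
    for (let i = 1; i < labels.length - 1; i++) {
      if (domains.has(labels.slice(i).join("."))) return false;
    }
    return true;
  });
  return { dst: [...dst], dstdomain: kept.map((d) => "." + d).sort(), url_regex: regex };
}

// squid.conf lines for the three files; a quoted path makes Squid read one
// value per line. These deny rules must come before any http_access allow.
function squidConf(dir) {
  return [
    `acl blocked_ip dst "${dir}/blocked.dst"`,
    `acl blocked_dom dstdomain "${dir}/blocked.dstdomain"`,
    `acl blocked_re url_regex "${dir}/blocked.url_regex"`,
    "http_access deny blocked_ip",
    "http_access deny blocked_dom",
    "http_access deny blocked_re",
  ].join("\n");
}
```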