RE: [squid-users] PINNED or not PINNED ?
Hi

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 2 December 2013 22:28
To: squid-users@squid-cache.org
Subject: Re: [squid-users] PINNED or not PINNED ?

> Can you upgrade to 3.3 series or later release please?

Nope. Never succeeded in doing so, too many changes need to be made in my SQUID.CONF to make it run (AD authentication, ACL, and Dansguardian...). I spent days and days trying without success...

> The authentication logics have had major re-writes in 3.2 and the
> pinning/persistence logics got a rewrite in 3.3 with several bugs fixed
> (including one about wrong tags being logged when pinned).
>
> Amos
[squid-users] PINNED or not PINNED ?
Hi,

On a SQUID 3.1.23, we use Active Directory authentication, with some user/group definitions. I'm trying to access, with 2 different users, a web site that needs some authentication. With these two nearly identical users (except the name, they belong to the same AD group), one works, the other does not... On the same PC (mine). Any idea where to look?

Here is the log: user1 working, user2 not.

    root@metis (0) lun. déc. 02 14:31:28 /etc/squid3>tail -f /var/log/squid3/access.log|grep 10.2.41.1
    1385991126.828 0 10.2.41.1 TCP_DENIED/407 2404 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports - NONE/- text/html
    ** here come the Auth box from IE **
    1385991131.345 13 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 DIRECT/193.251.215.217 text/html
    1385991144.805 20 10.2.41.1 TCP_MISS/401 2208 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 DIRECT/193.251.215.217 text/html
    1385991144.834 23 10.2.41.1 TCP_MISS/301 568 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 PINNED/193.251.215.217 text/html
    1385991144.893 15 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 PINNED/193.251.215.217 text/html
    1385991144.985 49 10.2.41.1 TCP_MISS/401 2272 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 DIRECT/193.251.215.217 text/html
    1385991145.020 21 10.2.41.1 TCP_MISS/200 756 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 PINNED/193.251.215.217 text/html
    1385991145.368 16 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/main.asp? Jvernet PINNED/193.251.215.217 text/html
    ^C
    root@metis (0) lun. déc. 02 14:32:25 /etc/squid3>

    root@metis (0) lun. déc. 02 14:33:03 /etc/squid3>tail -f /var/log/squid3/access.log|grep 10.2.41.1
    1385991188.009 0 10.2.41.1 TCP_DENIED/407 2404 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports - NONE/- text/html
    1385991216.316 42 10.2.41.1 TCP_MISS/401 2235 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991229.107 17 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991229.146 34 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991230.492 26 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991230.528 31 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991231.172 26 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
    1385991231.216 40 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html

An extract of my squid.conf

    http_port 3128
    acl NOCACHE url_regex -i "/etc/squid3/nocache.url"
    cache deny NOCACHE
    ...
    acl Authenticated proxy_auth REQUIRED
    acl directaccess external ad_group www-directaccess
RE: [squid-users] running squid by only one eth
Mine works with only one interface (actually two, because we use teaming Ethernet cards for backup in case of failure of one of them), what's the problem ???

Jérôme VERNET
BELAMBRA HOLDING
Network and Telecom Manager
01 77 70 93 56 - 06 87 75 72 07

-----Original Message-----
From: Squidblacklist [mailto:webmas...@squidblacklist.org]
Sent: Thursday, 25 April 2013 09:30
To: squid-users@squid-cache.org
Subject: Re: [squid-users] running squid by only one eth

On Thu, 25 Apr 2013 00:01:05 -0700 "ma~sha" wrote:

> Hi all,
> Is it possible to run squid by only one eth, for example eth0 only? If
> this is possible how do I do it?
> thx
>

Of course you can "run squid with one interface", you just won't have any uplink/internet. If you are going to do this, one way would be the obvious that you need to set up vlans for multiple addresses on your single interface. However, this will likely require a switch that supports vlans via several available options. It's clearly going to be easier, in my mind, to simply add another interface to your machine if those resources & options are not available to you. Perhaps someone else has insight into other options.

- Signed,
Fix Nichols
http://www.squidblacklist.org
RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 -working now-
    ar/spool/squid3
    client_persistent_connections on
    server_persistent_connections on
    detect_broken_pconn on
    pipeline_prefetch on

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 4 April 2013 13:28
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 -working now-

On 4/04/2013 9:56 p.m., Vernet Jerome wrote:

>>> Now, I will try 3.3. A lot of changes have to be made in my squid.conf.
>>> Managed to have a build OK, but with my squid.conf, it does not work at
>>> all with dansguardian and ntlm_auth.
>> What do you mean? what is the new problem?
> Well, ntlm_auth (or) and AD2003 group access ACL do not work anymore
> like it was done in my 3.1 config. Removed.
> Then, the way the configuration was done (not by me) to make
> Dansguardian and SQUID work does not work anymore (see my previous
> squid.conf message).

You said you had them together, but I see no details in this thread about how they were connected. Squid and DG are completely separate proxies, so there are a few ways to set them up and several ways to do auth through each of those setups.

Erm. "SQUID" is an electronic circuit type. ;-)

> For the moment, I cannot figure out how I can make it work again with
> SQUID 3.3.

There should be no difference. But if you can share the config details I'm happy to have a look at it for you.

Amos
RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 -working now-
>> Now, I will try 3.3. A lot of changes have to be made in my squid.conf.
>> Managed to have a build OK, but with my squid.conf, it does not work at
>> all with dansguardian and ntlm_auth.
> What do you mean? what is the new problem?

Well, ntlm_auth (or) and AD2003 group access ACL do not work anymore like it was done in my 3.1 config. Removed.

Then, the way the configuration was done (not by me) to make Dansguardian and SQUID work does not work anymore (see my previous squid.conf message).

For the moment, I cannot figure out how I can make it work again with SQUID 3.3.

J. VERNET
RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-
Hi,

I've just (re)discovered the -dn option.

It was a simple problem of missing files (why are there no clear messages in the logs ??? Mystery).

    2013/04/03 18:17:22| Starting Squid Cache version 3.1.23 for i486-pc-linux-gnu...
    2013/04/03 18:17:22| Process ID 5608
    2013/04/03 18:17:22| With 1024 file descriptors available
    2013/04/03 18:17:22| Initializing IP Cache...
    2013/04/03 18:17:22| DNS Socket created at [::], FD 7
    2013/04/03 18:17:22| DNS Socket created at 0.0.0.0, FD 8
    2013/04/03 18:17:22| Adding nameserver from /etc/resolv.conf
    2013/04/03 18:17:22| Adding nameserver from /etc/resolv.conf
    2013/04/03 18:17:22| Adding nameserver from /etc/resolv.conf
    2013/04/03 18:17:22| Adding domain .intra from /etc/resolv.conf
    2013/04/03 18:17:22| helperOpenServers: Starting 8/8 'ntlm_auth' processes
    2013/04/03 18:17:22| helperOpenServers: Starting 5/5 'wbinfo_group.pl' processes
    2013/04/03 18:17:22| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_SECURE_CONNECT_FAIL': (2) No such file or directory
    2013/04/03 18:17:22| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_PRECONDITION_FAILED': (2) No such file or directory
    2013/04/03 18:17:22| errorpage.cc(293) errorTryLoadText: '/usr/share/squid3/errors/templates/ERR_PRECONDITION_FAILED': (2) No such file or directory
    2013/04/03 18:22:41| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_ESI': (2) No such file or directory
    2013/04/03 18:22:41| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_ICAP_FAILURE': (2) No such file or directory
    2013/04/03 18:22:41| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_UNSUP_HTTPVERSION': (2) No such file or directory
    2013/04/03 18:22:41| errorpage.cc(293) errorTryLoadText: '/var/hera/squiderrors/ERR_GATEWAY_FAILURE': (2) No such file or directory
    2013/04/03 18:22:41| errorpage.cc(293) errorTryLoadText: '/usr/share/squid3/errors/templates/ERR_GATEWAY_FAILURE': (2) No such file or directory
    FATAL: failed to find or read error text file.

It's OK now, thanks for the help!

Unfortunately, 3.1.23 does not help with the bugs we have (like on http://entreprises.edf.com, where with squid nothing will display).

Now, I will try 3.3. A lot of changes have to be made in my squid.conf. Managed to have a build OK, but with my squid.conf, it does not work at all with dansguardian and ntlm_auth.

JV

-----Original Message-----
From: babajaga [mailto:augustus_me...@yahoo.de]
Sent: Wednesday, 3 April 2013 15:14
To: squid-users@squid-cache.org
Subject: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-

Then my next guess is a problem regarding access rights. (I hate this stuff since the time, it was invented on DEC/VMS) I would try to give 777 to all files/dirs, which are used by squid. OR (not so brutal) start squid with full debug using squid -X

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Upgrading-SQUID-from-3-1-6-to-3-1-23-tp4659259p4659345.html
Sent from the Squid - Users mailing list archive at Nabble.com.
RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-
Just after starting squid 3.1.23, nothing. It quits immediately.

Jérôme VERNET
BELAMBRA HOLDING
Network and Telecom Manager
01 77 70 93 56 - 06 87 75 72 07

-----Original Message-----
From: babajaga [mailto:augustus_me...@yahoo.de]
Sent: Wednesday, 3 April 2013 13:18
To: squid-users@squid-cache.org
Subject: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-

What is in /var/log/squid3/cache.log after start of squid ?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Upgrading-SQUID-from-3-1-6-to-3-1-23-tp4659259p4659342.html
Sent from the Squid - Users mailing list archive at Nabble.com.
RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-
-----Original Message-----
From: babajaga [mailto:augustus_me...@yahoo.de]
Sent: Wednesday, 3 April 2013 00:36
To: squid-users@squid-cache.org
Subject: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 - not working-

Hi,

>>3.1.23 ask for a missing files mime.conf, which I created empty.<
>Not a good idea.
>
>You should find the file /src/mime.conf.default in the squid-sources.
>
>Then do
>cp /src/mime.conf.default /etc/squid/mime.conf
>
>And (re-)start squid.

It's not enough. Still "exited with status 1". I cannot see anything more. Even if I try /usr/sbin/squid -YC -f /etc/squid3/squid.conf by hand (and not from the init.d script) I do not have any information about why squid quits.

Any help ?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Upgrading-SQUID-from-3-1-6-to-3-1-23-tp4659259p4659333.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Upgrading SQUID from 3.1.6 to 3.1.23 - not working-
Sent from my iPhone

On 2 Apr 2013 at 19:25, "Helmut Hullen" wrote:

> Hello, Vernet,
>
> You wrote on 02.04.13:
>
>> So I tried to replace the Debian SQUID3 3.1.6 binary with my build
>> of SQUID 3.1.23 and had *no luck*.
>
> The actual version is 3.3.3 ...

I know, but I do not have time to try to make it work in our configuration. But I want at least to have the latest 3.1 version to see if it helps to get rid of surfing problems. Any help to see why squid exits so fast? How can I enable more traces? I also have only one server to make my tests with 1000 users.

>
> Best regards!
> Helmut
RE: [squid-users] Upgrading SQUID from 3.1.6 to 3.1.23 - not working-
    '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' --with-squid=/home/sysres01/squid3/squid-3.1.23

    root@metis (0) mar. avril 02 18:22:44 Squid.conf /etc/init.d>more /etc/squid3/squid.conf
    http_port 3128
    cache_peer 127.0.0.1 parent 8080 7 no-query no-digest no-netdb-exchange
    acl NOBEL url_regex -i "/etc/squid3/nocache.url"
    cache deny NOBEL
    cache_mem 512 MB
    cache_swap_low 90
    cache_swap_high 95
    maximum_object_size 32 MB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 256 KB # 256 KB
    ipcache_size 4096
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 4096
    cache_replacement_policy heap LFUDA
    memory_replacement_policy heap LFUDA
    cache_dir ufs /var/spool/squid3 3120 16 256
    cache_access_log /var/log/squid3/access.log
    cache_log /var/log/squid3/cache.log
    cache_store_log none
    emulate_httpd_log off
    log_mime_hdrs off
    debug_options ALL,1 33,0 29,1
    log_fqdn on
    client_netmask 255.255.255.255
    #ftp_user proxy@XXX
    #ftp_list_width 128
    #ftp_passive on
    #ftp_sanitycheck on
    dns_retransmit_interval 2 seconds
    #JV 18/10/2011 for corsica
    dns_timeout 20 secondes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 8
    auth_param basic realm X.INTRA
    auth_param basic credentialsttl 4 hours
    auth_param basic casesensitive off
    external_acl_type ad_group %LOGIN /usr/lib/squid3/wbinfo_group.pl
    authenticate_cache_garbage_interval 1 hour
    authenticate_ttl 1 hour
    authenticate_ip_ttl 3600 seconds
    request_header_max_size 200 KB
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    quick_abort_min -1 KB
    quick_abort_max 128 KB
    quick_abort_pct 95
    negative_ttl 1 minutes
    positive_dns_ttl 6 hours
    negative_dns_ttl 2 minute
    range_offset_limit 0 KB
    connect_timeout 4 minute
    request_timeout 5 minutes
    persistent_request_timeout 60 second
    shutdown_lifetime 10 seconds
    #acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 # https
    acl SSL_ports port 8000 # https
    acl SSL_ports port 8080 # https
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 4280 # http
    acl Safe_ports port 8000 8080 # http
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny CONNECT !SSL_ports
    http_access allow CONNECT SSL_ports
    acl proxy dst 192.168.1.5/32
    http_access allow proxy
    http_access deny to_localhost
    acl Authenticated proxy_auth REQUIRED
    acl directaccess external ad_group www-directaccess
    acl activefilter external ad_group www-activefilter
    acl directurls dstdomain "/etc/squid3/directurls"
    http_access allow directurls
    always_direct allow directurls
    http_access allow localhost
    acl restrictedfilter01 external ad_group www-restricted01
    acl restrictedfilter02 external ad_group www-restricted02
    acl goodsites01 url_regex "/etc/squid3/contentlist01"
    acl goodsites02 url_regex "/etc/squid3/contentlist02"
    http_access deny !Safe_ports activefilter
    http_access deny !Safe_ports restrictedfilter01
    http_access deny !Safe_ports restrictedfilter02
    http_access allow goodsites01 restrictedfilter01
    http_access allow goodsites02 restrictedfilter02
    http_access allow directaccess
    always_direct allow directaccess
    http_access allow activefilter
    http_access allow directaccess SSL_ports
    http_access allow activefilter SSL_ports
    http_access deny restrictedfilter01
    http_access deny restrictedfilter02
    http_access deny !Authenticated !localhost
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    #cache_peer_access puck allow activefilter
    #cache_peer_access puck deny all
    reply_header_max_size 20 KB
    cache_mgr exploitation_...@belambra.fr
    cache_effective_user proxy
    cache_effective_group proxy
    visible_hostname belambra
    cachemgr_passwd proxyvvfmgr all
    always_direct allow localhost
    always_direct allow directurls
    never_direct allow activefilter
    forwarded_for off
    never_direct deny all
    error_directory /var/hera/squiderrors
    coredump_dir /var/spool/squid3
    client_persistent_connections on
    server_persistent_connections on
    detect_broken_pconn on
    pipeline_prefetch on

Jérôme VERNET
BELAMBRA HOLDING
Network and Telecom Manager
01 77 70 93 56 - 06 87 75 72 07

-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Friday, 29 March 2013 12:01
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Upgrading SQUID from 3.1.6 to 3.1.23

On 03/28/2013 07:02 PM, Vernet Jerome wrote:

> My question: can I simply:
> -stop SQUID3/dansguardian
> -swap binary (/usr/sbin/squid3) with the new version
> -start SQUID3/dansguardian ?
>
> Is there something to put somewhere else ? Helpers ?
>
> Will it work like that ? If something fails, can I simply get the old
> squid3(.1.6) binary ?
>
> Furthermore, is upgrading from 3.1 to 3.2 (and maybe 3.3) a difficult task ?
> Is it worth it ?
>
> Thanks for help

What? I cannot understand what you have done. restarted? can you please share iptables + squid.conf + "squid -v". how are you using dansguardian + squid exactly?

Thanks,
Eliezer
[squid-users] Upgrading SQUID from 3.1.6 to 3.1.23
Hi,

We have a squid/dansguardian configuration here, under debian 2.6.32. The Debian distribution does not have any version of squid greater than 3.1.6. So I took squid's 3.1.23 sources and built it (successfully), using the same ./configure options as the current squid3 -v gives. We also use ntlm_auth and wbinfo.pl to authenticate users.

My question: can I simply:
-stop SQUID3/dansguardian
-swap binary (/usr/sbin/squid3) with the new version
-start SQUID3/dansguardian ?

Is there something to put somewhere else ? Helpers ?

Will it work like that ? If something fails, can I simply get the old squid3(.1.6) binary ?

Furthermore, is upgrading from 3.1 to 3.2 (and maybe 3.3) a difficult task ? Is it worth it ?

Thanks for help

Jérôme VERNET
BELAMBRA HOLDING
Network and Telecom Manager
01 77 70 93 56 - 06 87 75 72 07