[squid-users] Re: confirm unsubscribe from squid-users@squid-cache.org
- Message from squid-users-h...@squid-cache.org - Date: 30 Jan 2012 15:51:42 - From: squid-users-h...@squid-cache.org Reply-To: squid-users-uc.1327938702.jjmccbbopcgnmjpgniia-azhar=citechco@squid-cache.org Subject: confirm unsubscribe from squid-users@squid-cache.org To: az...@citechco.net Hi! This is the ezmlm program. I'm managing the squid-users@squid-cache.org mailing list. I'm working for my owner, who can be reached at squid-users-ow...@squid-cache.org. This is an automated response from the squid-cache.org list server to confirm the requested action. If you have not sent the unsubscribe request below then it is safe to ignore the request. To confirm that you would like az...@citechco.net removed from the squid-users mailing list, please send an empty reply to this address: squid-users-uc.1327938702.jjmccbbopcgnmjpgniia-azhar=citechco@squid-cache.org Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. I haven't checked whether your address is currently on the mailing list. To see what address you used to subscribe, look at the messages you are receiving from the mailing list. Each message has your address hidden inside its return path; for example, m...@xdd.ff.com receives messages with return path: -mary=xdd.ff@squid-cache.org. --- Administrative commands for the squid-users list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 44185 invoked by uid 26); 30 Jan 2012 15:51:42 - Received: from mail.mail6bd.net (mx.mail6bd.net [188.165.210.212]) by squid-cache.org (8.14.3/8.14.2) with ESMTP id q0UFpeLN044169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Mon, 30 Jan 2012 08:51:42 -0700 (MST) (envelope-from az...@citechco.net) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=citechco.net; s=6Net; h=MIME-Version:Content-Type:To:From:Message-ID:Date; bh=jjV2fi+khGcbx5lGZvAAUmEOrzRISLusNnIn+raZRdM=; b=L6BbXx1VG6Zoc6LATUP7m/antpxoBmcCW4i6J5WLXLVM+NheIjEh6vRdqFenW0jJ/QCMwLJO4uEYcL000aBd3Ta0maPs3PhH3qsOy0mhJLdUEjl1mTVg8jlZEj8YV3rC; Received: from [127.0.0.1] (helo=localhost) by mx.mail6bd.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from ) id 1Rrtcl-0004lv-Jx for squid-users-unsubscr...@squid-cache.org; Mon, 30 Jan 2012 21:58:31 +0600 Received: from fip9c11.banglalionwimax.com (fip9c11.banglalionwimax.com [180.149.9.11]) by webmail.citechco.net (Horde Framework) with HTTP; Mon, 30 Jan 2012 21:58:31 +0600 Date: Mon, 30 Jan 2012 21:58:31 +0600 Message-ID: <20120130215831.horde.exmndyvlbmjpjr4nhalw...@webmail.citechco.net> From: az...@citechco.net To: squid-users-unsubscr...@squid-cache.org User-Agent: Internet Messaging Program (IMP) H4 (5.0.15-git) Content-Type: text/plain; charset=ISO-8859-1; format=flowed; DelSp=Yes MIME-Version: 1.0 Content-Disposition: inline X-mail6bd.net-6Scan-Information: Please contact the Mail Service Provider for more information X-mail6bd.net-6Scan-ID: 1Rrtcl-0004lv-Jx X-mail6bd.net-6Scan: Found to be clean X-mail6bd.net-6Scan-SpamCheck: not spam, SpamAssassin (not cached, score=1.219, required 7, ALL_TRUSTED -1.00, BAYES_00 -1.90, EMPTY_MESSAGE 2.32, MISSING_SUBJECT 1.80) X-mail6bd.net-6Scan-SpamScore: * X-mail6bd.net-6Scan-From: az...@citechco.net X-mail6bd.net-6Scan-Watermark: 1328543916.62401@WtQHxecu1x24H21EjEgK3g X-Spam-Status: No -- This incoming message from other domain has been scanned for viruses and dangerous content by 6Scan, and is believed to be clean. -- This incoming message from other domain has been scanned for viruses anddangerous content by 6Scan, and is believed to be clean. - End
[squid-users] How to Hide Proxy detected at whatismyip.com
We have successfully installed Squid 3.1.10 with Tproxy, iptables at Fedora 14 which working perfected under PBR of router. (following instructions of http://wiki.squid-cache.org/Features/Tproxy4) We can see clients pcs inside the network browsing with tcp_hit, tcp_miss records. But when any client PC browse to whatismyip.com that time, the site shows client's fixed IP address along with detection of cache server mentioning hostname of squid server. May I know to hide that detection? =Message at whatismyip.com === Your IP Address Is: 180.X.X.X (Client Fixed IP address) Possible Proxy Detected: 1.1 cache.mydomain.com (squid/3.1.10) (cache.mydomain.com is hostname of cache server) = BR, Azhar Chowdhury
Re: [squid-users] How to Hide Proxy detected at whatismyip.com
Hi Helmut, After adding following lines in the squid.conf, the problem over. Is it the right configuration? == request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access All deny al Best Regards, Azhar Chowdhury On Tue, Apr 12, 2011 at 10:26 PM, Helmut Hullen wrote: > Hallo, AZHAR, > > Du meintest am 12.04.11: > >> We have successfully installed Squid 3.1.10 with Tproxy, iptables at >> Fedora 14 which working perfected under PBR of router. >> (following instructions of http://wiki.squid-cache.org/Features/Tprox >> y4) We can see clients pcs inside the network browsing with tcp_hit, >> tcp_miss records. But when any client PC browse to whatismyip.com >> that time, the site shows client's fixed IP address along with >> detection of cache server mentioning hostname of squid server. > > Do other websites react in the same way? > > http://myip.at > http://checkip.dyndns.org > > Viele Gruesse! > Helmut >
[squid-users] help needed on WCCP2 with squid 3.1.10
Hi, I am following http://wiki.squid-cache.org/Features/Tproxy4 strictly but failed to configure with CISCO router & WCCP2. My setup as follow: Clients PCs>-[Core switch]>>---[Edge CISCO Router with WCCP2]--->Internet || [Squid 3.1.10 with Fedora 14, iptables, tproxy] I can't configure Cisco router with following configuration as there is no other interface there (only two, one connected with core internal switch and rest with internet. Please help me. = interface GigabitEthernet0/3.100 description ADSL customers encapsulation dot1Q 502 ip address x.x.x.x y.y.y.y ip wccp 80 redirect in ip wccp 90 redirect out interface GigabitEthernet0/3.101 description Dialup customers encapsulation dot1Q 502 ip address x.x.x.x y.y.y.y ip wccp 80 redirect in ip wccp 90 redirect out interface GigabitEthernet0/3.102 description proxy servers encapsulation dot1Q 506 ip address x.x.x.x y.y.y.y ip wccp redirect exclude in = Another question, how do check gre is configured at Linux? BR, Azhar Chowdhury
Re: [squid-users] help needed on WCCP2 with squid 3.1.10
Hi Amos, OK, it was my fault that I posted before run in real network with WCCP. We are running Squid+tproxy under Policy Based routing without any major trouble (pls see below of problem are we facing). This week we will move squid from PBR to Wccp. The mentioned example based on vlan dot1q, let me dig with cisco and will raise if face any problem. 1. If we run squid with default conf file, we got cache host name in "www.whatismyip.com", to avoid that we added following in squid.conf file: forwarded_for off request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access All deny all Now, there is no cache/squid host name in "whatismyip.com", but in hotmail/live.com's email service inbox no message open, it's shown a error that another ip accessing the same page. I guess we need to add another "request_header_access" rule, any clue on it. Is "http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html"; the final list of all HEADER LIST? 2. What is safe filedescriptors value I should use? TIA, Azhar On Sun, Apr 17, 2011 at 9:01 AM, Amos Jeffries wrote: > On 17/04/11 05:14, AZHAR CHOWDHURY wrote: >> >> Hi, >> I am following http://wiki.squid-cache.org/Features/Tproxy4 strictly >> but failed to configure with CISCO router& WCCP2. >> >> My setup as follow: >> >> Clients PCs>-[Core >> switch]>>---[Edge CISCO Router with >> WCCP2]--->Internet >> || >> [Squid 3.1.10 with Fedora 14, iptables, tproxy] >> >> I can't configure Cisco router with following configuration as there >> is no other interface there (only two, one connected with core >> internal switch and rest with internet. >> Please help me. > > You have not stated anything about a problem. We cannot help unless we now > what is going wrong. > > Finding the problem can be time consuming or tricky unless you are fairly > familiar with TCP. The "Troubleshooting" section on the tproxy4 page has > many hints about what can go wrong and how to find/resolve them. > >> = >> interface GigabitEthernet0/3.100 >> description ADSL customers >> encapsulation dot1Q 502 >> ip address x.x.x.x y.y.y.y >> ip wccp 80 redirect in >> ip wccp 90 redirect out >> >> interface GigabitEthernet0/3.101 >> description Dialup customers >> encapsulation dot1Q 502 >> ip address x.x.x.x y.y.y.y >> ip wccp 80 redirect in >> ip wccp 90 redirect out >> >> interface GigabitEthernet0/3.102 >> description proxy servers >> encapsulation dot1Q 506 >> ip address x.x.x.x y.y.y.y >> ip wccp redirect exclude in >> = >> >> Another question, how do check gre is configured at Linux? > > "ip link show" > > ... lists the active interfaces. GRE should be one of them when open. > > > TPROXY and WCCP are relatively independent operations. Both equally > troublesome and complex. > > It is worth checking that TPROXY is fully operational and working before > adding WCCP tunneling on top to complicate things further. > You can test that by having the squid box as router for your workstation > instead of the Cisco. > > Amos > -- > Please be using > Current Stable Squid 2.7.STABLE9 or 3.1.12 > Beta testers wanted for 3.2.0.6 >
Re: [squid-users] help needed on WCCP2 with squid 3.1.10
Hi Amos, At first big thanks. By putting "forwarded_for transparent" and "via off", the host info at www.whatismyip.com removed and also no email view problem at hotmail or live.com. All this configuration working perfectly with Squid as router. But problem not solved with Router using Wccp2. At Linux box, I can see gre_ip module loaded. Module Size Used by ip_gre 10986 0 sit 8531 0 tunnel4 2005 1 sit xt_TPROXY 1722 0 nf_tproxy_core 1791 1 xt_TPROXY,[permanent] .. iptables configuration as follows: ip rule add fwmark 1 lookup 100 ip -f inet route add local 0.0.0.0/0 dev lo table 100 ip -f inet route add local 0.0.0.0/0 dev eth0 table 100 iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT ptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 ... /etc/squid.conf wccp2_router 203.x.x.x wccp2_forwarding_method gre wccp2_return_method gre wccp2_service dynamic 80 wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80 wccp2_service dynamic 90 wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80 == Please find the following router configuration for WCCP Global wccp command for router: ! ip wccp 80 ip wccp 90 ! Interfacing facing towards customers ! interface GigabitEthernet6/9 ip address x.x.x.x 255.255.255.248 secondary ip address x.x.x.23 255.255.255.0 ip access-group 125 in ip access-group 173 out no ip redirects no ip unreachables no ip proxy-arp ip wccp 80 redirect in ip wccp 90 redirect out ip route-cache flow no ip mroute-cache ! interface connected to proxy ! interface GigabitEthernet6/7 ip address 203.x.x.x 255.255.255.252 ip access-group 125 in ip access-group 173 out no ip redirects no ip unreachables no ip proxy-arp ip wccp redirect exclude in ip route-cache flow no ip mroute-cache no cdp enable After above configuration, sh ip wccp results as follows: Citechco#sh ip wccp Global WCCP information: Router information: Router Identifier: 203.x.x.x Protocol Version:2.0 Service Identifier: 80 Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:9175 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Service Identifier: 90 Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:1354 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 myco# Any clue where is the problem? TIA, Azhar On Mon, Apr 18, 2011 at 9:37 AM, Amos Jeffries wrote: > On Sun, 17 Apr 2011 23:21:44 +0600, AZHAR CHOWDHURY wrote: >> >> Hi Amos, >> OK, it was my fault that I posted before run in real network with >> WCCP. We are running Squid+tproxy under Policy Based routing without >> any major trouble (pls see below of problem are we facing). >> This week we will move squid from PBR to Wccp. The mentioned example >> based on vlan dot1q, let me dig with cisco and will raise if face any >> problem. >> >> 1. If we run squid with default conf file, we got cache host name in >> "www.whatismyip.com", to avoid that we added following in squid.conf >> file: >> forwarded_for off > > I think "forwarded_for" should be enough. > > Possibly also "via off". Though that is not usually required for hotmail > (may have changed, the last good analysis was a year or so ago). > > >> >> Now, there is no cache/squid host name in "whatismyip.com", but in >> hotmail/live.com's email service inbox no message open, it's shown >> a error that another ip accessing the same page. > > Does it say which one? Are you absolutely certain that TPROXY is working? > (this error will appear when WCCP is active but TPROXY fails). > >> I guess we need to add another "request_header_access" rule, any clue on >> it. >> Is "http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html"; the final >> list of all HEADER LIST? > > Hotmail with WCCP
[squid-users] WCCP2 not working with squid 3.1.10 with tproxy
Hi, We are following Squid's wiki to configure Squid 3.1.10 with TPROXY and wccp2. http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv4.29 But no fruitful result yet and nothing showing at access.log. I guess we meshed up with CISCO, following is the configuration, looking forward for correction suggestion: = ip wccp 80 ip wccp 90 ! ! ! interface GigabitEthernet6/1 description *** Connection to Core Router *** Connection to Core Route ip address 202.125.64.251 255.255.255.248 no ip redirects no ip unreachables no ip proxy-arp ip wccp 90 redirect out ip route-cache flow no ip mroute-cache ip ospf flood-reduction no cdp enable ! ! interface GigabitEthernet6/7 ip address 203.83.175.209 255.255.255.252 ip access-group 125 in ip access-group 173 out no ip redirects no ip unreachables no ip proxy-arp ip wccp redirect exclude in ip route-cache flow no ip mroute-cache no cdp enable ! ! interface GigabitEthernet6/9 ip address 203.191.33.23 255.255.255.0 ip access-group 125 in ip access-group 173 out no ip redirects no ip unreachables no ip proxy-arp ip wccp 80 redirect out ip route-cache flow no ip mroute-cache ip ospf flood-reduction no cdp enable ! - mynet#sh ip wccp Global WCCP information: Router information: Router Identifier: 203.83.175.251 Protocol Version:2.0 Service Identifier: 80 Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:16685 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:4342 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Service Identifier: 90 Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:0 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 mynet#
[squid-users] Hardware Load Balancer, Transparent Proxy
Dear Expert, I am planning to purchase a hardware load balancer (Barracuda) HTTP traffic to use with min two Squid server rs.Need help how to do it : My plan to do network scenarios as follows: Central Switch---(policy based routing : dest : 80) to hard load balancer) switch=>two Squid Proxy servers (transparent proxy)=>INTERNET On above case, conditions 1. Subs should not know 80 traffic going through Proxy servers (transparent). 2. Hard load balancer as I don't have WCCP1, WCCP2 option 3. More than 1 Proxy server in network. Need suggestions: 1. How can I deploy hard load balancer? 2. How INBOUND and OUTBOUND port 80 traffic will works in Squid servers 3. Should I use TPROXY, if so, I will use it in and out interface with client and Internet traffic? TIA, Azhar Chowdhury
[squid-users] "file descriptors" set to 1024 instead of user-defined one
Hi, I am running squid 3.0 stable 6 on Fedora core 6. When I run squid from command prompt, it's setting up "File descriptors" value to 131072 what I defined at compile time. But running at rc.local (Just put a line with path of squid exe location) set the "file descriptors" value to 1024. Squid running perfectly with all other parameters (such as wccp2 etc) whether running from rc.local or manually from console as root user. Looking forward help. TIA, Azhar Chowdhury -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
[squid-users] Squid server as transparent proxy and problem with Rapid Share
Hi, We are running ISP and have few cache+proxy servers running Squid as transparent. Lots of our clients have been using site like rapidshare from where they download files/program without having an account. But problem is that when a user trying to download off rapidshare it says his/her IP address (Squid server IP) already downloading a file and to wait until it is finished or ask to come back after 30 mins. How can we overcome this problem? How can we bypass totally rapidshare so rapidshare server can see the clients IP as his/her own public IP not squid server's IP address? Can any body help? Cheers Azhar -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
