[squid-users] New to Squid, Foward proxy problems with domain blocks.
Hello, as the subject says I'm new. Been reading a lot and some examples and I do have a weird problem where I can't block some domains.

First and foremost I'm using the squid proxy for windows version 2.7.8 as that's the only one for windows that works for me; the 3.x versions always deny requests from clients even with the default conf. I've been testing all this in a production environment so ... help me!! please or I will get killed soon :D.

My conf for 2.7.8 is (I'm modifying one that comes with proxy 3-1):

    #Modified by Kyi Thar 15 March 2010
    http_port 8080
    cache_mgr helpd...@ole.com.do
    visible_hostname lotus.hidden
    hierarchy_stoplist cgi-bin ?
    cache_mem 64 MB
    cache_replacement_policy heap LFUDA
    cache_dir aufs c:/Squid/cache01 2000 16 256
    cache_dir aufs c:/Squid/cache02 2000 16 256
    cache_dir aufs c:/Squid/cache03 2000 16 256
    cache_access_log c:/Squid/var/logs/access.log
    cache_log c:/Squid/var/logs/cache.log
    cache_store_log c:/Squid/var/logs/store.log
    mime_table c:/Squid/etc/mime.conf
    pid_filename c:/Squid/var/logs/squid.pid (this part here I don't know what its use is as I can't find info about it on the net)
    diskd_program c:/Squid/libexec/diskd.exe
    unlinkd_program c:/Squid/libexec/unlinkd.exe
    logfile_daemon c:/squid/libexec/logfile-daemon.exe
    forwarded_for off
    via off
    httpd_suppress_version_string on
    uri_whitespace strip
    maximum_object_size 524288 KB
    maximum_object_size_in_memory 1024 KB
    #redirect_program c:/usr/local/squidGuard/squidGuard.exe
    #authentication with Windows server (commented this part as I don't want users to have to log on once more in the web pages, I wasn't able to stop them from doing so and my boss didn't like the extra hassle)
    #auth_param basic program c:/squid/libexec/mswin_auth.exe -O HIDDEN
    #auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    #auth_param ntlm children 5
    #auth_param ntlm keep_alive on
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network (some of my computers are in this range)
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network (Don't use this range but I will make a DMZ for the servers with it)
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network (NORMAL range for users)
    # catch certain bugs (for example with persistent connections) and possibly
    # buffer-overflow or denial-of-service attacks.
    request_header_max_size 20 KB
    reply_header_max_size 20 KB
    #Limit upload to 2M and download to 10M (trying to stop users from uploading big files to email sites and fb and download big files as I only have 6mbps and 1mbps down/up bandwidth)
    request_body_max_size 2048 KB
    reply_body_max_size 10485760 deny localnet
    # compressed (I modified this part as instead of 0 they had 10080 and instead of 10080 they had 99 those times are too big files could stay forever fresh! inside the cache)
    refresh_pattern -i \.gz$ 0 90% 10080
    refresh_pattern -i \.cab$ 0 90% 10080
    refresh_pattern -i \.bzip2$ 0 90% 10080
    refresh_pattern -i \.bz2$ 0 90% 10080
    refresh_pattern -i \.gz2$ 0 90% 10080
    refresh_pattern -i \.tgz$ 0 90% 10080
    refresh_pattern -i \.tar.gz$ 0 90% 10080
    refresh_pattern -i \.zip$ 0 90% 10080
    refresh_pattern -i \.rar$ 000 90% 10080
    refresh_pattern -i \.tar$ 0 90% 10080
    refresh_pattern -i \.ace$ 0 90% 10080
    refresh_pattern -i \.7z$ 0 90% 10080
    # documents
    refresh_pattern -i \.xls$ 0 90% 10080
    refresh_pattern -i \.doc$ 0 90% 10080
    refresh_pattern -i \.xlsx$ 0 90% 10080
    refresh_pattern -i \.docx$ 0 90% 10080
    refresh_pattern -i \.pdf$ 0 90% 10080
    refresh_pattern -i \.ppt$ 0 90% 10080
    refresh_pattern -i \.pptx$ 0 90% 10080
    refresh_pattern -i \.rtf\?$ 0 90% 10080
    # multimedia
    refresh_pattern -i \.mid$ 0 90% 10080
    refresh_pattern -i \.wav$ 0 90% 10080
    refresh_pattern -i \.viv$ 0 90% 10080
    refresh_pattern -i \.mpg$ 0 90% 10080
    refresh_pattern -i \.mov$ 0 90% 10080
    refresh_pattern -i \.avi$ 0 90% 10080
    refresh_pattern -i \.asf$ 0 90% 10080
    refresh_pattern -i \.qt$ 0 90% 10080
    refresh_pattern -i \.rm$ 0 90% 10080
    refresh_pattern -i \.rmvb$ 0 90% 10080
    refresh_pattern -i \.mpeg$ 0 90% 10080
    refresh_pattern -i \.wmp$ 0 90% 10080
    refresh_pattern -i \.3gp$ 0 90% 10080
    refresh_pattern -i \.mp3$ 0 90% 10080
    refresh_pattern -i \.mp4$ 0 90% 10080
    # images
    refresh_pattern -i \.gif$ 0 90% 10080
    refresh_pattern -i \.jpg$ 0 90% 10080
    refresh_pattern -i \.png$ 0 90% 10080
    refresh_pattern -i \.jpeg$ 0 90% 10080
    refresh_pattern -i \.bmp$ 0 90% 10080
    refresh_pattern -i \.psd$ 0 90% 10080
    refresh_pattern -i \.ad$ 0 90% 10080
    refresh_pattern -i \.gif\?$ 0 90% 10080
    refresh_pattern -i \.jpg\?$ 0 90% 10080
    refresh_pattern -i \.png\?$ 0 90% 10080
    refresh_pattern -i \.jpeg\?$ 0 90% 10080
    refresh_pattern -i \.psd\?$ 0 90% 10080

Re: [squid-users] New to Squid, Foward proxy problems with domain blocks.
On 3/07/2015 3:29 a.m., Augusto Gabanzo wrote:
> Hello, as the subject says I'm new. Been reading a lot and some examples and I do have a weird problem where I can't block some domains.
>
> First and foremost I'm using the squid proxy for windows version 2.7.8 as that's the only one for windows that works for me; the 3.x versions always deny requests from clients even with the default conf. I've been testing all this in a production environment so ... help me!! please or I will get killed soon :D.
>
> My conf for 2.7.8 is (I'm modifying one that comes with proxy 3-1):

Don't. 2.7 contains no built-in defaults where 3.x does. The .conf file contents need to be very different.

> pid_filename c:/Squid/var/logs/squid.pid (this part here I don't know what its use is as I can't find info about it on the net)

http://www.squid-cache.org/Doc/config/pid_filename/

The PID is used for sending signals to the Squid process/service.

> #Limit upload to 2M and download to 10M (trying to stop users from uploading big files to email sites and fb and download big files as I only have 6mbps and 1mbps down/up bandwidth)
> request_body_max_size 2048 KB
> reply_body_max_size 10485760 deny localnet
> # compressed (I modified this part as instead of 0 they had 10080 and instead of 10080 they had 99 those times are too big files could stay forever fresh! inside the cache)

forever in HTTP is no more than 68 years. In 2.7 that's 1 year. And no, these lines only affect objects which are completely lacking Cache-Control values. Most traffic has such controls and Squid obeys them.

Also, each refresh_pattern line has to be matched against a request individually. Repeating many lines causes a lot of work to be done for each request. Better to combine the patterns manually.

> acl fullvideo src c:/squid/etc/ipfullvideo.sq # here is a file with ips allowed to see youtube and facebook videos , media streaming
> acl bad_url url_regex -i c:/squid/etc/bad-sites.sq # .facebook.com .twitter.com rule to block those sites for users inside ipbloqueada

So why is it a slow regex and not a fast dstdomain ?

> acl ipbloqueada src 192.168.1.117/32 192.168.1.179/32 192.168.1.170/32 192.168.1.15/32 # ips of 3 users that shouldnt be accessing fb and twitter.
> acl bad_ext urlpath_regex -i c:/squid/etc/extensiones.sq # rule to block some file extesions like .avi$, .mpg$ etc stop downloads from them even if they are smaller than 10MB (this doesn't WORK!)

The regex syntax mentioned assumes the URL ends with the file extension. That is fairly uncommon. Most of the download sites these days the ext is some dynamic script like .php or .asp. Using the content-type and content-disposition headers to deliver the filename details.

> http_access allow localnet #let the network use the proxy
> http_access allow localhost #let the proxy server use itself ??( O_o i dont quite get this part.)

Lets other software on the Squid server use it. Yes that includes the proxy looping traffic back at itself, but the Via header protects against that being a problem.

> http_access allow manager localhost
> http_access deny bad_url ipbloqueada #here i want all the urls in BAD_URL from the ips IPBLOQUEADA to be denied used to work ... when i started but now it doesnt i will show a sample of the file at the end

If I'm reading that comment on the ipbloqueada definition you are assuming that Facebook, Twitter etc are still using plaintext HTTP through the proxy. They don't. These days they use TLS with SPDY or HTTP/2 or QUIC or HTTPS.

> http_access deny bad_ext#block reading of files with those extensions.
> deny_info TCP_RESET bad_ext#send a tcp_reset so they dont know proxy blocked them
> http_reply_access deny media !fullvideo # here i try to deny access to media to all but those inside fullvideo (doesnt quite work either youtube loads and works :D) some other streaming are blocked well

YT is HTTPS not HTTP now.

> # And finally deny all other access to this proxy
> http_access deny all
> #always_direct allow all # i feel this part is to let squidguard work, i removed it cuz it blocked youtube and many other sites i bet that was because the ads.

always_direct has no effect unless cache_peer directive is used. In which case it makes the cache_peer not be used for traffic.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

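
An added example, not part of the thread or of Squid itself: a small Python model of how the http_access lines quoted above are evaluated. Squid stops at the first http_access line that matches, and for HTTPS a forward proxy sees only `CONNECT host:port`; the model shows what that means for the posted rule order, for a dstdomain list and for the extension regexes. The `bad_domain` list, the extension patterns and the sample requests are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def request_view(client, method, target):
    """Reduce a proxy request to the fields the ACL types below test."""
    if method == "CONNECT":
        # HTTPS through a forward proxy: only "host:port" is visible, no path.
        host, path = target.rsplit(":", 1)[0], ""
    else:
        url = urlsplit(target)
        host = url.hostname or ""
        path = url.path + ("?" + url.query if url.query else "")
    return {"client": ipaddress.ip_address(client), "host": host.lower(), "path": path}


def src(*networks):
    nets = [ipaddress.ip_network(n) for n in networks]
    return lambda req: any(req["client"] in n for n in nets)


def dstdomain(*domains):
    """'.example.com' matches example.com and every subdomain; no regex involved."""
    def match(req):
        return any(req["host"] == d.lstrip(".") or
                   (d.startswith(".") and req["host"].endswith(d))
                   for d in domains)
    return match


def urlpath_regex(*patterns):
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]  # -i
    return lambda req: any(r.search(req["path"]) for r in regs)


ACLS = {
    "all": lambda req: True,
    "localnet": src("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "ipbloqueada": src("192.168.1.117/32", "192.168.1.179/32",
                       "192.168.1.170/32", "192.168.1.15/32"),
    # Assumption: bad-sites.sq rewritten as a dstdomain list, as the reply suggests.
    "bad_domain": dstdomain(".facebook.com", ".twitter.com"),
    # Assumption: extensiones.sq holds patterns like the two named in the post.
    "bad_ext": urlpath_regex(r"\.avi$", r"\.mpg$"),
}

# http_access lines in the order posted (localhost/manager lines left out).
POSTED = [
    ("allow", ["localnet"]),
    ("deny", ["bad_domain", "ipbloqueada"]),
    ("deny", ["bad_ext"]),
    ("deny", ["all"]),
]
# The same lines with the deny rules moved above "allow localnet".
DENY_FIRST = [POSTED[1], POSTED[2], POSTED[0], POSTED[3]]


def http_access(rules, client, method, target):
    """First matching line wins; every ACL named on a line must match (AND)."""
    req = request_view(client, method, target)
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("192.168.1.117", "CONNECT", "www.facebook.com:443"),
        ("192.168.1.50", "CONNECT", "www.facebook.com:443"),
        ("192.168.1.50", "GET", "http://example.com/files/movie.avi"),
        ("192.168.1.50", "GET", "http://example.com/download.php?id=42"),
    ]
    for s in samples:
        print(s, "posted:", http_access(POSTED, *s),
              "deny-first:", http_access(DENY_FIRST, *s))
```

The `download.php?id=42` request passes in both orders because the path does not end in a listed extension, which is the case the reply describes.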
Re: [squid-users] New install Squid 3.3.3 dont work.
Thank you very much for your response. Exactly, creating a route policy in my firewall, modifying Squid's installation, and making the NAT in the box where Squid is, it worked!!! Once again thank you very much for your help.

2013/5/1 Amos Jeffries squ...@treenet.co.nz:
> On 2/05/2013 1:42 a.m., Pablo Ruben M wrote:
>> I have Squid's new installation 3.3.3 behind a Firewall NAT and do not achieve that it works. Placing the debug in ALL, 3 I obtain the following mistakes:
>>
>> HTTP/1.1 400 Bad Request
>> Server: squid/3.3.3
>> Mime-Version: 1.0
>> Date: Wed, 01 May 2013 12:19:08 GMT
>> Content-Type: text/html
>> Content-Length: 3229
>> X-Squid-Error: ERR_INVALID_URL 0
>> Vary: Accept-Language
>> Content-Language: en
>> X-Cache: MISS from proxy02
>> Via: 1.1 proxy02 (squid/3.3.3)
>> Connection: close
>>
>> In the web browser I obtain:
>>
>> The following error was encountered while trying to retrieve the URL: /
>> Invalid URL
>>
>> I have Squid's installation 2.7 working without problems. Does it change radically the installation into Squid 3?
>
> No. The changes required to make 3.2 and later work are also required to make version 2.5 to 3.1 work properly. The older versions were just hiding the problem and allowing hackers to use the proxy unrecorded (CVE-2009-0801 is one of the effects).
>
> Solution: separate the Squid http_port for intercepted traffic from the configured proxy traffic.
>
> Also, the firewall NAT must be done on the Squid device. If the firewall device is separate from the Squid device, you require policy routing (or WCCP) to pass traffic without altering the IP details from the firewall device to the squid device where NAT can take place.
>
> Amos

--
Saludos,
Pablo R Maldonado

[squid-users] New install Squid 3.3.3 dont work.
I have Squid's new installation 3.3.3 behind a Firewall NAT and do not achieve that it works. Placing the debug in ALL, 3 I obtain the following mistakes:

    HTTP/1.1 400 Bad Request
    Server: squid/3.3.3
    Mime-Version: 1.0
    Date: Wed, 01 May 2013 12:19:08 GMT
    Content-Type: text/html
    Content-Length: 3229
    X-Squid-Error: ERR_INVALID_URL 0
    Vary: Accept-Language
    Content-Language: en
    X-Cache: MISS from proxy02
    Via: 1.1 proxy02 (squid/3.3.3)
    Connection: close

In the web browser I obtain:

    The following error was encountered while trying to retrieve the URL: /
    Invalid URL

I have Squid's installation 2.7 working without problems. Does it change radically the installation into Squid 3?

Re: [squid-users] New install Squid 3.3.3 dont work.
I also have the problem in the past. Use dedicated port for http_port xxx intercept/transparent. This resolves the issue.

If you use:

    http_port 3128
    http_port 3128 intercept

you get your error. But with:

    http_port 3128
    http_port 3129 intercept

no error !

--
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr

On Wednesday 01 May 2013 at 10:42 -0300, Pablo Ruben M wrote:
> I have Squid's new installation 3.3.3 behind a Firewall NAT and do not achieve that it works. Placing the debug in ALL, 3 I obtain the following mistakes:
>
> HTTP/1.1 400 Bad Request
> Server: squid/3.3.3
> Mime-Version: 1.0
> Date: Wed, 01 May 2013 12:19:08 GMT
> Content-Type: text/html
> Content-Length: 3229
> X-Squid-Error: ERR_INVALID_URL 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from proxy02
> Via: 1.1 proxy02 (squid/3.3.3)
> Connection: close
>
> In the web browser I obtain:
>
> The following error was encountered while trying to retrieve the URL: /
> Invalid URL
>
> I have Squid's installation 2.7 working without problems. Does it change radically the installation into Squid 3?

Re: [squid-users] New install Squid 3.3.3 dont work.
On 2/05/2013 1:42 a.m., Pablo Ruben M wrote:
> I have Squid's new installation 3.3.3 behind a Firewall NAT and do not achieve that it works. Placing the debug in ALL, 3 I obtain the following mistakes:
>
> HTTP/1.1 400 Bad Request
> Server: squid/3.3.3
> Mime-Version: 1.0
> Date: Wed, 01 May 2013 12:19:08 GMT
> Content-Type: text/html
> Content-Length: 3229
> X-Squid-Error: ERR_INVALID_URL 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from proxy02
> Via: 1.1 proxy02 (squid/3.3.3)
> Connection: close
>
> In the web browser I obtain:
>
> The following error was encountered while trying to retrieve the URL: /
> Invalid URL
>
> I have Squid's installation 2.7 working without problems. Does it change radically the installation into Squid 3?

No. The changes required to make 3.2 and later work are also required to make version 2.5 to 3.1 work properly. The older versions were just hiding the problem and allowing hackers to use the proxy unrecorded (CVE-2009-0801 is one of the effects).

Solution: separate the Squid http_port for intercepted traffic from the configured proxy traffic.

Also, the firewall NAT must be done on the Squid device. If the firewall device is separate from the Squid device, you require policy routing (or WCCP) to pass traffic without altering the IP details from the firewall device to the squid device where NAT can take place.

Amos

[squid-users] New to squid
Hi, all

I am new to Squid. I am trying to setup squid as a reverse proxy for MS Exchange outlook client access. I compiled squid myself (v3.1.19, Solaris 10, SPARC). I followed the configuration example on the squid web page ConfigExamples/Reverse/ExchangeRpc.

    # cat squid.conf
    # Recommended minimum configuration:
    #
    ##acl manager proto cache_object
    ##acl localhost src 127.0.0.1/32 ::1
    ##acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    ##acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    ##acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    ##acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    ##acl localnet src fc00::/7 # RFC 4193 local private network range
    ##acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    ##http_access allow manager localhost
    ##http_access deny manager

    # Deny requests to certain unsafe ports
    ##http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    ##http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on localhost is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    ##http_access allow localnet
    ##http_access allow localhost

    # And finally deny all other access to this proxy
    ##http_access allow all

    # Squid normally listens to port 3128
    https_port 156.146.1.133:443 accel cert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt defaultsite=webmail.fnpc.com

    cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer

    acl EXCH dstdomain .fnpc.com

    cache_peer_access exchangeServer allow EXCH
    cache_peer_access exchangeServer deny all
    never_direct all EXCH

    http_access allow EXCH
    http_acces deny all
    miss_access allow EXCH
    miss_access deny all

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /opt/squid-3.1.19/var/cache 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /opt/squid-3.1.19/var/cache

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

The certificate file webmail_fnpc_com.crt is a valid certificate that I got from a CA. Do I need to install two certificates on the server, one for client which I would guess the official certificate (webmail_fnpc_com.crt)? Can I present the same certificate to the internal exchange server? That is what I did to all my Apache reverse proxy servers for Exchange server.

When I ran 'squid -X', I got the below message stating

1. unrecognized: 'https_port',
2. FATAL: Bungled squid.conf line 64: cache_peer 156.146.16.198 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer

    # ./squid -X
    2012/05/08 17:22:11.353| command-line -X overrides: ALL,7
    2012/05/08 17:22:11.354| CacheManager::registerAction: registering legacy mem
    2012/05/08 17:22:11.355| CacheManager::findAction: looking for action mem
    2012/05/08 17:22:11.355| Action not found.
    2012/05/08 17:22:11.355| CacheManager::registerAction: registered mem
    2012/05/08 17:22:11.356| CacheManager::registerAction: registering legacy squidaio_counts
    2012/05/08 17:22:11.356| CacheManager::findAction: looking for action squidaio_counts
    2012/05/08 17:22:11.356| Action not found.
    2012/05/08 17:22:11.357| CacheManager::registerAction: registered squidaio_counts
    2012/05/08 17:22:11.357| CacheManager::registerAction: registering legacy diskd
    2012/05/08 17:22:11.357| CacheManager::findAction: looking for action diskd
    2012/05/08 17:22:11.358| Action not found.
    2012/05/08 17:22:11.358| CacheManager::registerAction: registered diskd
    2012/05/08 17:22:11.359|

Re: [squid-users] New to squid
On 09.05.2012 10:42, Ruiyuan Jiang wrote:
> Hi, all
>
> I am new to Squid. I am trying to setup squid as a reverse proxy for MS Exchange outlook client access. I compiled squid myself (v3.1.19, Solaris 10, SPARC). I followed the configuration example on the squid web page ConfigExamples/Reverse/ExchangeRpc.
>
> # cat squid.conf

snip

> # Squid normally listens to port 3128
> https_port 156.146.1.133:443 accel cert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt defaultsite=webmail.fnpc.com
>
> cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer
>
> acl EXCH dstdomain .fnpc.com
>
> cache_peer_access exchangeServer allow EXCH
> cache_peer_access exchangeServer deny all
> never_direct all EXCH
>
> http_access allow EXCH
> http_acces deny all

^^ typo ss

> miss_access allow EXCH
> miss_access deny all

snip

> The certificate file webmail_fnpc_com.crt is a valid certificate that I got from a CA. Do I need to install two certificates on the server, one for client which I would guess the official certificate (webmail_fnpc_com.crt)? Can I present the same certificate to the internal exchange server? That is what I did to all my Apache reverse proxy servers for Exchange server.

The basics of it are that Squid is what interacts with the client. So the public cert needs to be presented there on https_port.

What Exchange uses depends on what type of interactions happen there. It is probably safest to have self-signed certs with the self-signing CA trusted by Squid (on cache_peer) so it can verify Exchange, but this only works if the clients are not interacting directly to Exchange via other channels.

NP: Squid requires PEM format certificate files.

> When I ran 'squid -X', I got the below message stating
>
> 1. unrecognized: 'https_port',
> 2. FATAL: Bungled squid.conf line 64: cache_peer 156.146.16.198 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer

When you built squid you omitted --enable-ssl.

Ensure you have openssl development library to build against and rebuild your squid. It should accept the SSL related config after that.

snip

> 2012/05/08 17:22:11.373| parse_peer: token='ssl'
> ...
> FATAL: Bungled squid.conf line 64: cache_peer 156.146.16.198 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer
> Squid Cache (Version 3.1.19): Terminated abnormally.

Amos

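
An added example (not code from these threads or from the Squid project): a small Python lint for mistakes visible in the configs quoted on this page. It flags the misspelled `http_acces`, the `never_direct all EXCH` line where an access list needs `allow` or `deny` as its action, and, from the Squid 3.3.3 thread above, an `http_port` shared between forward-proxy and intercepted traffic. The directive list is limited to names quoted on this page and the sample config is constructed.

```python
import difflib

# Directive names that appear in the configs quoted in these threads
# (a deliberately small list, not Squid's full directive set).
KNOWN = sorted({
    "acl", "always_direct", "cache", "cache_dir", "cache_peer",
    "cache_peer_access", "coredump_dir", "http_access", "http_port",
    "http_reply_access", "https_port", "miss_access", "never_direct",
    "refresh_pattern",
})
# Access lists and the position of their allow/deny keyword.
ACTION_POS = {
    "http_access": 0, "http_reply_access": 0, "miss_access": 0,
    "never_direct": 0, "always_direct": 0, "cache": 0,
    "cache_peer_access": 1,  # cache_peer_access <peer-name> allow|deny ...
}
INTERCEPT = {"intercept", "transparent"}


def parse(conf):
    """Yield (line_number, directive, args), skipping comments and blanks."""
    for number, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield number, tokens[0], tokens[1:]


def lint(conf):
    """Return sorted (line, code, detail) findings for a squid.conf text."""
    findings = []
    forward_ports = {}    # port -> line of a plain (forward-proxy) http_port
    intercept_ports = {}  # port -> line of an intercept/transparent http_port
    for number, name, args in parse(conf):
        if name not in KNOWN:
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            hint = f"did you mean {close[0]}?" if close else "not in the known list"
            findings.append((number, "unknown-directive", f"{name}: {hint}"))
        elif name in ACTION_POS:
            pos = ACTION_POS[name]
            action = args[pos] if len(args) > pos else ""
            if action not in ("allow", "deny"):
                findings.append((number, "bad-action",
                                 f"{name}: expected allow or deny, got '{action}'"))
        elif name == "http_port" and args:
            port = args[0].rsplit(":", 1)[-1]
            table = intercept_ports if INTERCEPT & set(args[1:]) else forward_ports
            table.setdefault(port, number)
    for port, number in intercept_ports.items():
        if port in forward_ports:
            findings.append((number, "shared-port",
                             f"port {port} is also a forward-proxy port "
                             f"(line {forward_ports[port]})"))
    return sorted(findings)


# Constructed sample combining the lines discussed in the two threads.
BROKEN = """\
http_port 3128
http_port 3128 intercept
acl EXCH dstdomain .fnpc.com
cache_peer_access exchangeServer allow EXCH
never_direct all EXCH
http_access allow EXCH
http_acces deny all
"""
FIXED = (BROKEN.replace("3128 intercept", "3129 intercept")
               .replace("never_direct all", "never_direct allow")
               .replace("http_acces deny", "http_access deny"))

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print(finding)
    print("fixed config findings:", lint(FIXED))
```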
Re: [squid-users] New to Squid
On Fri, Mar 13, 2009 at 04:14:42PM +0100, Kinkie wrote:
> Making AD work in a firewalled environment is not really that easy (nor secure), but I'd assume that that side of things has already been covered.

This is totally off-topic but the above statement is not true. What you need to do is use an IPSEC tunnel - there are MS documents that describe how you can do this.

--
Brett Lymn

[squid-users] New to Squid
Good afternoon,

Our company is currently investigating the use of Squid as our Proxy solution (Secure Web Gateway?). I was curious if anyone out there has successfully installed and managed a Production Squid environment that would be about the complexity and size of the following (and I'd like some information on it):

1) 3,000 concurrent users
2) Three sites
   Primary Site: 100 Mb/sec Internet Connection
   Secondary Site: 30 Mb/sec Internet Connection [This is used for a DR scenario only]
   Tertiary Site: 45 Mb/sec Internet Connection [This is used for a DR scenario only]
3) We are a Windows 2000/2003 Domain. It's a single forest with two (2) Child Domains. There is a firewall between the two (2) child domains.
4) We need HA Pairs at each site, but because we have VMWare ESX 3.5 implemented at each site we are throwing around the idea of using 3-4 virtuals (or however many you guys would recommend) and using our DR strategy for VM's to V2V to boxes to the other two (2) sites.

Your input, comments, and questions would be greatly appreciated, thanks!

Re: [squid-users] New to Squid
I know an implementation with more requirements than you need. You will need a fast disk for the squid cache. The environment I know has the cache on RAM disk.

I have squid separated from my AD forest by two firewalls, this isn't a problem, you need to open the required ports.

On Fri, Mar 13, 2009 at 2:43 PM, sq...@zoomemail.com sq...@zoomemail.com wrote:
> Good afternoon,
>
> Our company is currently investigating the use of Squid as our Proxy solution (Secure Web Gateway?). I was curious if anyone out there has successfully installed and managed a Production Squid environment that would be about the complexity and size of the following (and I'd like some information on it):
>
> 1) 3,000 concurrent users
> 2) Three sites
>    Primary Site: 100 Mb/sec Internet Connection
>    Secondary Site: 30 Mb/sec Internet Connection [This is used for a DR scenario only]
>    Tertiary Site: 45 Mb/sec Internet Connection [This is used for a DR scenario only]
> 3) We are a Windows 2000/2003 Domain. It's a single forest with two (2) Child Domains. There is a firewall between the two (2) child domains.
> 4) We need HA Pairs at each site, but because we have VMWare ESX 3.5 implemented at each site we are throwing around the idea of using 3-4 virtuals (or however many you guys would recommend) and using our DR strategy for VM's to V2V to boxes to the other two (2) sites.
>
> Your input, comments, and questions would be greatly appreciated, thanks!

Re: [squid-users] New to Squid
On Fri, Mar 13, 2009 at 2:43 PM, sq...@zoomemail.com sq...@zoomemail.com wrote:
> Good afternoon,
>
> Our company is currently investigating the use of Squid as our Proxy solution (Secure Web Gateway?). I was curious if anyone out there has successfully installed and managed a Production Squid environment that would be about the complexity and size of the following (and I'd like some information on it):
>
> 1) 3,000 concurrent users
> 2) Three sites
>    Primary Site: 100 Mb/sec Internet Connection
>    Secondary Site: 30 Mb/sec Internet Connection [This is used for a DR scenario only]
>    Tertiary Site: 45 Mb/sec Internet Connection [This is used for a DR scenario only]
> 3) We are a Windows 2000/2003 Domain. It's a single forest with two (2) Child Domains. There is a firewall between the two (2) child domains.
> 4) We need HA Pairs at each site, but because we have VMWare ESX 3.5 implemented at each site we are throwing around the idea of using 3-4 virtuals (or however many you guys would recommend) and using our DR strategy for VM's to V2V to boxes to the other two (2) sites.
>
> Your input, comments, and questions would be greatly appreciated, thanks!

Those numbers are not really THAT MUCH demanding (there are environments easily 10 times bigger).

Making AD work in a firewalled environment is not really that easy (nor secure), but I'd assume that that side of things has already been covered.

In general I'd advise AGAINST going virtual for the kind of loads squid performs, but I have no hard numbers to back this claim up.

Also, if you can control your users' browsers' configuration (which would seem to be the case), having a proxy-pac-based HA solution is not hard.

--
/kinkie

Re: [squid-users] New to Squid
On 13.03.09 15:00, David Rodríguez Fernández wrote:
> I know an implementation with more requirements than you need. You will need a fast disk to the squid cache. The environment I know have the cache on ram disk.

Do you have memory cache turned off? This way it's useless to have it. I'd advise using only memory cache, but it afaik has some problems when many or big objects are there.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Honk if you love peace and quiet.

RE: Re: [squid-users] New to Squid
Thanks for everyone's input thus far. I guess that I'll have to give you guys more (better) information so you can see exactly what we will need Squid to handle for us. At that point you can /point /laugh and tell us the better ways and then after that see how we can do what we do today to meet our current needs and then how to move towards a more ideal setup.

Since we need to control user access policies, we have to authenticate them against AD and/or LDAP, so I don't see how you could ever get around that (but I'm sure you'll let me know) =D

Thanks and I'll try and send some better information along.

--- Original Message ---
From: Kinkie[mailto:REMOVED]
Sent: 3/13/2009 11:14:42 AM
To : sq...@removed
Cc : squid-users@squid-cache.org
Subject : RE: Re: [squid-users] New to Squid

On Fri, Mar 13, 2009 at 2:43 PM, sq...@removed sq...@removed wrote:
> Good afternoon,
>
> Our company is currently investigating the use of Squid as our Proxy solution (Secure Web Gateway?). I was curious if anyone out there has successfully installed and managed a Production Squid environment that would be about the complexity and size of the following (and I'd like some information on it):
>
> 1) 3,000 concurrent users
> 2) Three sites
>    Primary Site: 100 Mb/sec Internet Connection
>    Secondary Site: 30 Mb/sec Internet Connection [This is used for a DR scenario only]
>    Tertiary Site: 45 Mb/sec Internet Connection [This is used for a DR scenario only]
> 3) We are a Windows 2000/2003 Domain. It's a single forest with two (2) Child Domains. There is a firewall between the two (2) child domains.
> 4) We need HA Pairs at each site, but because we have VMWare ESX 3.5 implemented at each site we are throwing around the idea of using 3-4 virtuals (or however many you guys would recommend) and using our DR strategy for VM's to V2V to boxes to the other two (2) sites.
>
> Your input, comments, and questions would be greatly appreciated, thanks!

Those numbers are not really THAT MUCH demanding (there are environments easily 10 times bigger).

Making AD work in a firewalled environment is not really that easy (nor secure), but I'd assume that that side of things has already been covered.

In general I'd advise AGAINST going virtual for the kind of loads squid performs, but I have no hard numbers to back this claim up.

Also, if you can control your users' browsers' configuration (which would seem to be the case), having a proxy-pac-based HA solution is not hard.

--
/kinkie

[squid-users] new to squid
Hi all,

I'm brand new to squid. Up until now I've been using apache mod_proxy with a very simple config:

    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10
    </Proxy>

Today I found out I can no longer use mod_proxy because YUM uses byteranges and apache doesn't support that. I have read over the squid config file (wow) and I have a couple of questions:

1. Does squid handle byterange requests?
2. squid seems over the top for what I need, I'm looking for something that does not cache and just allows traffic from my 10.x network to redhat network. Is there something else out there I should be looking at?
3. Could anyone provide me with a config that doesn't cache anything and just works as a proxy between clients on a 10.x network to rhn?

ok, that was more than a couple of questions. I appreciate any help you guys can give me.
Re: [squid-users] new to squid
Bill Everhart wrote:
> Hi all,
>
> I'm brand new to squid. Up until now I've been using apache mod_proxy with a very simple config:
>
>     ProxyRequests On
>     <Proxy *>
>         Order deny,allow
>         Deny from all
>         Allow from 10
>     </Proxy>
>
> Today I found out I can no longer use mod_proxy because YUM uses byteranges and apache doesn't support that. I have read over the squid config file (wow) and I have a couple of questions:
>
> 1. Does squid handle byterange requests?

Yes.

> 2. squid seems over the top for what I need, I'm looking for something that does not cache and just allows traffic from my 10.x network to redhat network. Is there something else out there I should be looking at?

NAT? Otherwise check out http://www.linux.org/apps/all/Daemons/Proxy.html

> 3. Could anyone provide me with a config that doesn't cache anything and just works as a proxy between clients on a 10.x network to rhn?

Make the following modifications to the default config file. Search for the lines...

    #acl our_networks src 192.168.1.0/24 192.168.2.0/24
    #http_access allow our_networks

... Modify and uncomment them.

    acl our_networks src 10.0.0.0/8
    http_access allow our_networks

Search for the lines...

    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY

... Append the following...

    acl REDHAT dstdomain .redhat.com # Match all hosts in the redhat.com domain
    cache deny REDHAT # Don't cache content from RedHat's servers

> ok, that was more than a couple of questions. I appreciate any help you guys can give me.

Not sure why you wouldn't want to cache replies from RHN, but there you go. The above assumes you are using Squid 2.6. If using Squid 2.5, replace all instances of cache with no_cache.

Chris
Re: [squid-users] New to Squid and Linux
On Thu, 2006-08-03 at 19:24 -0400, [EMAIL PROTECTED] wrote:
> I have my Putty tunnel setup for local port 3128 forwarded to remote port 3128.
>
>     L3128 ip.address.to.linuxbox:3128
>
> L is for local port. Should ip.address.to.linuxbox be 127.0.0.1 also?

Yes, most likely. It's the same as your proxy settings when running on the box.

Regards
Henrik
Re: [squid-users] New to Squid and Linux
Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.

Maybe I'm understanding this wrong but I thought if I used SSH to connect to the squid host it would appear as a local connection and the acl for localhost would work. Did I totally miss that?

Thanks,
Michael

Quoting Christoph Haas [EMAIL PROTECTED]:
> On Wednesday 02 August 2006 22:16, [EMAIL PROTECTED] wrote:
> > This is what my squid.conf looks like. Does it look broke?
>
> Not at all. Just read and understand the documentation on http_access and acl. Everything else is fine.
>
> Christoph
Re: [squid-users] New to Squid and Linux
On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.

Just point your browser to the proxy server on port 3128. SSH is not needed.

> Maybe I'm understanding this wrong but I thought if I used SSH to connect to the squid host it would appear as a local connection and the acl for localhost would work.

SSH supports port forwarding. But that's surely not the normal mode of operation and proxy surfing. I hope it's clear that Squid is a HTTP proxy which is not at all connected to SSH.

Christoph
Re: [squid-users] New to Squid and Linux
I'm trying to use SSH to tunnel my traffic to the machine that is running squid. The machines are not on the same network.

Michael

Quoting Christoph Haas [EMAIL PROTECTED]:
> On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> > Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.
>
> Just point your browser to the proxy server on port 3128. SSH is not needed.
>
> > Maybe I'm understanding this wrong but I thought if I used SSH to connect to the squid host it would appear as a local connection and the acl for localhost would work.
>
> SSH supports port forwarding. But that's surely not the normal mode of operation and proxy surfing. I hope it's clear that Squid is a HTTP proxy which is not at all connected to SSH.
>
> Christoph
Re: [squid-users] New to Squid and Linux
I think you have the wrong acronym. Do you really want a SSL connection as in a https connection? In reading this thread you keep typing SSH, but do you really need to use is SSL.

Tim

---
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited
1725B Sismet Road
Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: [EMAIL PROTECTED]
---

[EMAIL PROTECTED] wrote:
> I'm trying to use SSH to tunnel my traffic to the machine that is running squid. The machines are not on the same network.
>
> Michael
>
> Quoting Christoph Haas [EMAIL PROTECTED]:
> > On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> > > Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.
> >
> > Just point your browser to the proxy server on port 3128. SSH is not needed.
> >
> > > Maybe I'm understanding this wrong but I thought if I used SSH to connect to the squid host it would appear as a local connection and the acl for localhost would work.
> >
> > SSH supports port forwarding. But that's surely not the normal mode of operation and proxy surfing. I hope it's clear that Squid is a HTTP proxy which is not at all connected to SSH.
> >
> > Christoph
RE: [squid-users] New to Squid and Linux
No, I really meant SSH. I'm using Putty from work to my home linux box.

Michael

-----Original Message-----
From: Tim Neto [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 03, 2006 1:57 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] New to Squid and Linux

I think you have the wrong acronym. Do you really want a SSL connection as in a https connection? In reading this thread you keep typing SSH, but do you really need to use is SSL.

Tim

---
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited
1725B Sismet Road
Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: [EMAIL PROTECTED]
---

[EMAIL PROTECTED] wrote:
> I'm trying to use SSH to tunnel my traffic to the machine that is running squid. The machines are not on the same network.
>
> Michael
>
> Quoting Christoph Haas [EMAIL PROTECTED]:
> > On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> > > Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.
> >
> > Just point your browser to the proxy server on port 3128. SSH is not needed.
> >
> > > Maybe I'm understanding this wrong but I thought if I used SSH to connect to the squid host it would appear as a local connection and the acl for localhost would work.
> >
> > SSH supports port forwarding. But that's surely not the normal mode of operation and proxy surfing. I hope it's clear that Squid is a HTTP proxy which is not at all connected to SSH.
> >
> > Christoph
Re: [squid-users] New to Squid and Linux
----- Original Message -----
From: Michael J McGraw [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Thursday, August 03, 2006 9:18 PM
Subject: RE: [squid-users] New to Squid and Linux

> No, I really meant SSH. I'm using Putty from work to my home linux box.
>
> Michael

In what way do you believe that squid might be involved with this process.

--
Brian Gregory.
[EMAIL PROTECTED]
Computer Room Volunteer.
Therapy Centre.
Prospect Park Hospital.
Re: [squid-users] New to Squid and Linux
Thu 2006-08-03 at 10:46 -0400, [EMAIL PROTECTED] wrote:
> Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.

Should work. Have done that many times. Just make sure you use the correct forwarding method, local port to remote host. Not the opposite..

    local port 3128
    local address 127.0.0.1 (if it can be specified)
    remote host 127.0.0.1
    remote port 3128

Regards
Henrik
Re: [squid-users] New to Squid and Linux
Thu 2006-08-03 at 22:03 +0100, Brian Gregory wrote:
> > No, I really meant SSH. I'm using Putty from work to my home linux box.
> >
> > Michael
>
> In what way do you believe that squid might be involved with this process.

He is trying to set up a port forward of the Squid port via SSH, allowing him to connect to the Squid proxy port over SSH as he can't (or won't) connect to it directly from his station. Nothing strange, just a bit odd, but perfectly normal use of SSH the swiss army knife of networking.

Regards
Henrik
Re: [squid-users] New to Squid and Linux
It works when I am sitting at the linux box but when I try to SSH into it and use the squid proxy through the tunnel I can get nowhere. I have my Putty tunnel setup for local port 3128 forwarded to remote port 3128.

    L3128 ip.address.to.linuxbox:3128

L is for local port. Should ip.address.to.linuxbox be 127.0.0.1 also?

Michael

Quoting Henrik Nordstrom [EMAIL PROTECTED]:
> Thu 2006-08-03 at 10:46 -0400, [EMAIL PROTECTED] wrote:
> > Now it works from the local machine that is actually running squid, but when I try to SSH using Putty into the squid host I get nothing. I am forwarding port 3128 with Putty and setting the browser to use localhost:3128 for proxy.
>
> Should work. Have done that many times. Just make sure you use the correct forwarding method, local port to remote host. Not the opposite..
>
>     local port 3128
>     local address 127.0.0.1 (if it can be specified)
>     remote host 127.0.0.1
>     remote port 3128
>
> Regards
> Henrik
[squid-users] New to Squid and Linux
I'm running Fedora Core 5 with Squid 2.5. How do I configure Squid so that I can view both http and https sites? Thanks, Michael
Re: [squid-users] New to Squid and Linux
On Wednesday 02 August 2006 21:04, [EMAIL PROTECTED] wrote:
> I'm running Fedora Core 5 with Squid 2.5. How do I configure Squid so that I can view both http and https sites?

Unless Fedora provides a completely broken squid.conf with the installation Squid will already be able to handle HTTP and HTTPS well. Just take a look at the http_access statements to grant proper access.

Christoph
Re: [squid-users] New to Squid and Linux
This is what my squid.conf looks like. Does it look broke?

    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    visible_hostname venus
    coredump_dir /var/spool/squid

Thanks,
Michael

Quoting Christoph Haas [EMAIL PROTECTED]:
> On Wednesday 02 August 2006 21:04, [EMAIL PROTECTED] wrote:
> > I'm running Fedora Core 5 with Squid 2.5. How do I configure Squid so that I can view both http and https sites?
>
> Unless Fedora provides a completely broken squid.conf with the installation Squid will already be able to handle HTTP and HTTPS well. Just take a look at the http_access statements to grant proper access.
>
> Christoph
Re: [squid-users] New to Squid and Linux
On Wednesday 02 August 2006 22:16, [EMAIL PROTECTED] wrote:
> This is what my squid.conf looks like. Does it look broke?

Not at all. Just read and understand the documentation on http_access and acl. Everything else is fine.

Christoph
[squid-users] new to squid
Dear All, I need to set up a transparent squid box, and want to use CentOS 4, getting squid from source is great, can anybody help me on the compile lines ? Have like 1,000 users. and a bandwidth of 4mb in / 1 mb out. Thanks a lot, Ab.
Re: [squid-users] new to squid
Actually, ./configure --help is quite sufficient at displaying compile-time options and their descriptions. I would start there.

Tim Rainier

Abdock [EMAIL PROTECTED]
08/17/2005 01:09 PM
To: squid-users@squid-cache.org
cc:
Subject: [squid-users] new to squid

> Dear All, I need to set up a transparent squid box, and want to use CentOS 4, getting squid from source is great, can anybody help me on the compile lines ? Have like 1,000 users. and a bandwidth of 4mb in / 1 mb out. Thanks a lot, Ab.
Re: [squid-users] new to squid
Thanks for the reply, I did not want to compile with too many or too few options, so was not sure! And another thing: is it better to use squid from what CentOS provides or to download it and compile it?

Rgds,

-----Original message-----
From: [EMAIL PROTECTED]
Date: Wed, 17 Aug 2005 20:26:18 +0300
To: squid-users@squid-cache.org
Subject: Re: [squid-users] new to squid

> Actually, ./configure --help is quite sufficient at displaying compile-time options and their descriptions. I would start there.
>
> Tim Rainier
>
> Abdock [EMAIL PROTECTED]
> 08/17/2005 01:09 PM
> To: squid-users@squid-cache.org
> cc:
> Subject: [squid-users] new to squid
>
> > Dear All, I need to set up a transparent squid box, and want to use CentOS 4, getting squid from source is great, can anybody help me on the compile lines ? Have like 1,000 users. and a bandwidth of 4mb in / 1 mb out. Thanks a lot, Ab.
[squid-users] New to squid -- asp site login issue
I've recently inherited a set of squid caching servers... 2.5 stable 4 running on SuSE 9.x. I'm still getting up to speed on squid, and I'm having trouble with one website in particular... it's a support site with an asp login: http://12.178.161.141/Support/

From outside the cache, the URL simply pops up a login box (asp page, I believe) and then proceeds to the site, every time, so I'm fairly sure it's not the server.

Going through the cache, I get some weird behavior. The browser (regardless of flavor) will spin and spin like it's trying to connect, before finally giving up the ghost with a timeout notice. Except, occasionally, it will sit and spin and then bring up the login box. Logging in, though, leads to another long delay with no website. But after that, if I open a new browser and surf to the site, it sometimes opens as if I've logged in.

I've tried configuring squid not to cache the page based on the IP with no_cache and always_direct, I've added .asp to the hierarchy_stoplist, but nothing seems to have helped and nothing helpful in the logs -- just the exception notice from the no_cache.

Anyone else have the same problem when they go to the site? Or better yet, can anyone suggest a solution?

Thanks!
Sean Albright
[squid-users] New to Squid need to upgrade to 2.5
I have inherited a Windows NT 4.0 network that is running Squid 2.3.Stable4. The issue is that 2.3Stable4 has a file upload limit of 1MB. I am needing to upgrade to 2.5 because it doesn't have the upload restriction. Just in the past week this is the first I have heard of Squid, so I am needing some guidance in this upgrade process. Any help that could be provided would be greatly appreciated.

Thanks,
KWH
Re: [squid-users] New to Squid need to upgrade to 2.5
Hi,

At 16.33 08/09/2004, kmo vern wrote:
> I have inherited a Windows NT 4.0 network that is running Squid 2.3.Stable4. The issue is that 2.3Stable4 has a file upload limit of 1MB. I am needing to upgrade to 2.5 because it doesn't have the upload restriction. Just in the past week this is the first I have heard of Squid, so I am needing some guidance in this upgrade process. Any help that could be provided would be greatly appreciated.

You can find the latest binaries for Windows here: http://www.acmeconsulting.it/SquidNT.htm

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69
10136 - Torino - ITALY
Tel. : +39.011.3249426
Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
[squid-users] New to Squid: Few questions on capability
Hello everyone. I'm new to the Squid mailing list here. Although I have a little bit of experience working with squid in the past, I haven't in awhile and was hoping to get some feedback on a couple of questions about capability options of squid.

We are looking to deploy a type of proxy server to force our users to go through. Squid is a proxy that comes to mind and comes highly recommended. Some of the things we are looking for:

-ability to block types of web sites, web sites etc.
-can we block outgoing access by IP, or groups IP's
-ability to generate log reports
-ability to set logon hours

We have a couple different departments that need different types of access to the internet, thus it is important that we can define rules that say which department (each department has a set range of IP's) can go where.

I appreciate the help.

Jason
Re: [squid-users] New to Squid: Few questions on capability
On Fri, 2 Apr 2004, Jason Williams wrote:
> Some of the things we are looking for:
> -ability to block types of web sites, web sites etc.

Yes, but is a bit tedious to maintain unless you subscribe to one of the web site category databases.. but this is not Squid's fault.

> -can we block outgoing access by IP, or groups IP's

yes.

> -ability to generate log reports

yes.

> -ability to set logon hours

Yes.

Regards
Henrik
[squid-users] New to squid
Hi, I am trying to install squid on RH9 (everything is up2date) but I keep getting this error: (squid): mimeLoadIcon: cannot parse internal URL And I am not sure why. I have googled archives and all tech docs and cannot find what this means. What am I missing? Thanks for any help in advance! Cheers, Jenn
Re: [squid-users] New to squid
On Thursday 11 September 2003 18.14, Jennifer Fountain wrote:
> Hi, I am trying to install squid on RH9 (everything is up2date) but I keep getting this error:
>
>     (squid): mimeLoadIcon: cannot parse internal URL

Hmm.. I have seen this once before. If I recall correctly this error is seen if your hostname is invalid, for example if the hostname contains underscore characters or other characters not allowed to be used in Internet host names.

You can correct this by setting visible_hostname to a valid and correct host name (with domain) for your proxy service.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]