[squid-users] Squid 3.1 with Tproxy and WCCP on Cisco 3550

[mudasirmirza]

Hi,

I am working on setting up Squid 3.1 with Tproxy using WCCP on Cisco 3550.

Configs that I am using is below

Router and Proxy both are on Public IPs, traffic coming in from clients are
also Public IP
But for some reason the Router Identifier IP is showing as Local IP which is
being used to access router from local network. 

=
[root@proxy squid]# cat squid.conf
##start of config

http_port 3127 tproxy

icp_port 3130
icp_query_timeout 5000

pid_filename /var/run/squid-3127.pid
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.local
unique_hostname proxy.local
cache_mgr noc@proxy.local

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
logfile_rotate 1
shutdown_lifetime 10 seconds

acl localnet src X.X.X.X/X#  Public IP range for clients
acl squidlocal src 127.0.0.1

uri_whitespace strip
request_header_max_size 120 KB
dns_nameservers 127.0.0.1
cache_mem 8 GB
maximum_object_size_in_memory 1 MB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
max_filedesc 65500

cache_dir aufs /cache1 85 64 256 max-size=20971520
cache_dir aufs /cache2 85 64 256 max-size=20971520
cache_dir aufs /cache3 85 64 256 max-size=20971520
cache_dir aufs /cache4 85 64 256 max-size=20971520

minimum_object_size 512 bytes
maximum_object_size 100 MB
offline_mode off
cache_swap_low 98
cache_swap_high 99


# No redirector configured

*wccp2_router  192.168.50.4
wccp2_rebuild_wait off
wccp2_forwarding_method 2
wccp2_return_method 1
wccp2_assignment_method 1
*
# Setup some default acls
acl all src all
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 3127
1025-65535
acl sslports port 443 563 81
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow squidlocal

# Default block all to be sure
http_access deny all

qos_flows local-hit=0x30
qos_flows sibling-hit=0x31
qos_flows parent-hit=0x32

##end of config
=

*Router config related to WCCP*


Switch-3550#sh ru

ip wccp web-cache

interface FastEthernet0/15
 description PPTP-Server
 no switchport
 ip address X.X.X.X 255.255.255.252
 ip wccp web-cache redirect in

interface GigabitEthernet0/2
 description ***Squid-Proxy***
 no switchport
 ip address X.X.X.X 255.255.255.248



Switch-3550#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   192.168.50.4
Protocol Version:2.0

Service Identifier: web-cache
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected:0
  Process:   0
  CEF:   0
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0

Switch-3550#
=


As I am new to WCCP with Squid, I do not know a great detail of configuring
WCCP and Squid.

With above config, I do not see any traffic being redirected to squid.

Any help is greatly appreciated.




-
Regards,
Mudasir Mirza
--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-1-with-Tproxy-and-WCCP-on-Cisco-3550-tp4662987.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] Squid-3.1 failed to select source

[Doug]

Hello,

# squid3 -k parse
2013/04/29 10:10:15| Processing Configuration File:
/etc/squid3/squid.conf (depth 0)

This is the info it gives.

2013/4/29 Amos Jeffries :
> On 28/04/2013 8:55 p.m., Doug wrote:
>>
>> Hello,
>>
>> I have the reverse proxy config as:
>>
>>   cache_peer  175.6.1.216  parent  80 0  no-query  originserver
>> name=caiyuan
>> acl resdomain dstdomain  www.52caiyuan.com www.52huayuan.cn
>> 52caiyuan.com 52huayuan.cn huayuan.52caiyuan.com
>> cache_peer_access caiyuan allow resdomain
>
> What does "squid -k parse" throw out at you?
>
> I would expect some warnings about something to do with splay trees.
> Which means ...
>
>
>> When accessing to the cache, the domains www.52caiyuan.com and
>> 52caiyuan.com work fine.
>> But huayuan.52caiyuan.com got failed, the cache.log says:
>>
>>   2013/04/28 16:36:13| Failed to select source for
>> 'http://huayuan.52caiyuan.com/'
>> 2013/04/28 16:36:13|   always_direct = 0
>> 2013/04/28 16:36:13|never_direct = 1
>> 2013/04/28 16:36:13|timedout = 0
>
>
> The latest version should work much better. There is a package of 3.3.3 now
> available in the Debian sid repository you should try out.
>
> Amos
>

Re: [squid-users] Squid-3.1 failed to select source

[Amos Jeffries]

On 28/04/2013 8:55 p.m., Doug wrote:

Hello,

I have the reverse proxy config as:

  cache_peer  175.6.1.216  parent  80 0  no-query  originserver name=caiyuan
acl resdomain dstdomain  www.52caiyuan.com www.52huayuan.cn
52caiyuan.com 52huayuan.cn huayuan.52caiyuan.com
cache_peer_access caiyuan allow resdomain

What does "squid -k parse" throw out at you?

I would expect some warnings about something to do with splay trees.
Which means ...


When accessing to the cache, the domains www.52caiyuan.com and
52caiyuan.com work fine.
But huayuan.52caiyuan.com got failed, the cache.log says:

  2013/04/28 16:36:13| Failed to select source for
'http://huayuan.52caiyuan.com/'
2013/04/28 16:36:13|   always_direct = 0
2013/04/28 16:36:13|never_direct = 1
2013/04/28 16:36:13|timedout = 0


The latest version should work much better. There is a package of 3.3.3 
now available in the Debian sid repository you should try out.


Amos

[squid-users] Squid-3.1 failed to select source

[Doug]

Hello,

I have the reverse proxy config as:

 cache_peer  175.6.1.216  parent  80 0  no-query  originserver name=caiyuan
acl resdomain dstdomain  www.52caiyuan.com www.52huayuan.cn
52caiyuan.com 52huayuan.cn huayuan.52caiyuan.com
cache_peer_access caiyuan allow resdomain

When accessing to the cache, the domains www.52caiyuan.com and
52caiyuan.com work fine.
But huayuan.52caiyuan.com got failed, the cache.log says:

 2013/04/28 16:36:13| Failed to select source for
'http://huayuan.52caiyuan.com/'
2013/04/28 16:36:13|   always_direct = 0
2013/04/28 16:36:13|never_direct = 1
2013/04/28 16:36:13|timedout = 0

 For the same originserver, why some domains work but some not?

The squid and OS version:

 Squid Cache: Version 3.1.6
Debian GNU/Linux 6.0

(apt-get install squid3)

Can you help? thanks.

Re: [squid-users] Squid 3.1 Client Source Port Identity Awareness

[Amos Jeffries]

On 24.10.2012 07:55, Alexander.Eck wrote:

Hi everyone,

is it possible to have squid use the same Source Port to connect to 
the Web=

server as the client uses to connect to squid ?



No. One gets errors when bind() is used on an already open port.
connect() and sendto() do not supply the OS with IP:port details.




My problem is the following setup:

Various Citrix Server
URL Filtering with Identity Awareness
Squid 3.1 as Cache Proxy

I had to install a Terminal Server Identity Agent on every Citrix 
Server to=

 distinguish the users.

The Identity Agent assigns port ranges to every user, to distinguish 
them.



Problem is:
In my firewall logs i can see the identity of the user for the 
request from=
 the citrix server to the proxy (proxy is in the dmz). But i can't 
see the =

identity from the request from the proxy to the Internet.

My guess is, that this is because squid isn't using the same Source 
Port as=

 the client, or is not forwarding the Source Port.


"client" also does not mean what you think it means. Squid is a client 
in HTTP and can generate new or different requests along with those 
aggregated from its inbound clients.


HTTP/1.1 is also stateless with multiplexing and pipelines. Any 
outgoing connection can be shared by requests received between multiple 
inbound client connections. There is no relationship between inbound and 
outbound - adding a stateful relationship (pinning) degrades performance 
a LOT.


How does your fancy client identification system correlate them 
cheeses?


PS: the TCP/IP firewall level is not a good place to log HTTP level 
client details.




Did anybody try something similiar and got it working ?  Is squid 
capable o=

f doing this or do i have an error in reasoning about my setup ?

Any help is appreciated :)



Amos

Re: [squid-users] Squid 3.1 Client Source Port Identity Awareness

[Eliezer Croitoru]

On 10/23/2012 8:55 PM, alexander@heidelberg.de wrote:

Any help is appreciated:)





Best Regards





Alex

Take a peek at TPROXY.
if you can share your squid.conf you can get better help.
(notice that your email looks bad with lots of spaces)

Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il

[squid-users] Squid 3.1 Client Source Port Identity Awareness

[Alexander.Eck]

Hi everyone,





is it possible to have squid use the same Source Port to connect to the Web=


server as the client uses to connect to squid ?





My problem is the following setup:





Various Citrix Server


URL Filtering with Identity Awareness


Squid 3.1 as Cache Proxy





I had to install a Terminal Server Identity Agent on every Citrix Server to=


 distinguish the users.





The Identity Agent assigns port ranges to every user, to distinguish them.








Problem is:


In my firewall logs i can see the identity of the user for the request from=


 the citrix server to the proxy (proxy is in the dmz). But i can't see the =


identity from the request from the proxy to the Internet.





My guess is, that this is because squid isn't using the same Source Port as=


 the client, or is not forwarding the Source Port.





Did anybody try something similiar and got it working ?  Is squid capable o=


f doing this or do i have an error in reasoning about my setup ?





Any help is appreciated :)





Best Regards





Alex

Re: [squid-users] Squid 3.1 vmware.com access

[Amos Jeffries]

On 20/09/2012 11:46 p.m., Bambang Sumitra wrote:



On Sep 20, 2012 5:12 PM, "Amos Jeffries" > wrote:

>
> On 20/09/2012 7:03 p.m., Bambang Sumitra wrote:
>>
>> Hi All,
>>
>> I'am using Squid Cache: Version 3.1.19 on ubuntu 12.04, and i have
>> problem accessing vmware.com , its never 
complete load, always showing

>> white blank page, i have try with different browser also, firefox,
>> chrome and IE
>>
>>
>> here is my squid config
>>
>> -- squid config
>> --
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32  ::1
>> acl to_localhost dst 127.0.0.0/8  0.0.0.0/32 
 ::1
>> acl localnet src 192.168.0.0/16  # RFC1918 
possible internal network

>> acl SSL_ports port 443
>> acl Safe_ports port 80  # http
>> acl Safe_ports port 21  # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70  # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 192.168.1.3:3128  transparent
>> cache_dir aufs /squid-cache/squid 1 16 256
>> coredump_dir /squid-cache/squid
>> refresh_pattern ^ftp:   144020% 10080
>> refresh_pattern ^gopher:14400%  1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
>> refresh_pattern (Release|Packages(.gz)*)$  0 20% 2880
>> refresh_pattern .   0   20% 4320
>>
>> # custom config
>> logfile_rotate 10
>> cache_mem 1024 MB
>> pipeline_prefetch on
>> dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4
>>
>> acl langsung dstdomain .vmware.com 
>> always_direct allow langsung
>>
>> ## quinto lab configuration
>> icap_enable on
>> icap_preview_enable on
>> icap_preview_size 4096
>> icap_persistent_connections on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Client-Username
>> icap_service qlproxy1 reqmod_precache bypass=0 
icap://127.0.0.1:1344/reqmod 
>> icap_service qlproxy2 respmod_precache bypass=0 
icap://127.0.0.1:1344/respmod 

>> adaptation_access qlproxy1 allow all
>> adaptation_access qlproxy2 allow all
>> -- squid config
>> --
>>
>>
>> -- access.log clip
>> --
>
>
>> 1348124282.802 158646 192.168.1.65 TCP_MISS/200 338 GET
>> http://www.vmware.com/files/templates/inc/baynote_global.js - NONE/-
>> application/javascript
>> 1348124283.102 159150 192.168.1.65 TCP_MISS/200 338 GET
>> http://www.vmware.com/files/templates/inc/baynote_observer.js - NONE/-
>> application/javascript
>
>
> It looks like it may be these which take 159 seconds *each* before 
they timeout and 338 bytes are returned to the client. No server is 
contacted. Everything else is only a few milliseconds.

>
> Amos

Hi Amos,

Thank you for replying on my issue.
do you have any idea what is causing squid to timeout?
I have test to by pass squid and i can open vmware.com 
 with no problem and its open so fast.




No idea. Its very strange. A MISS where no server was contacted 
("NONE/-") resulting in a 200 response with 338 bytes of data.
Unless that 200 response is coming out of the ICAP RESPMOD for some 
unknown reason?


Amos

Re: [squid-users] Squid 3.1 vmware.com access

[Amos Jeffries]

On 20/09/2012 7:03 p.m., Bambang Sumitra wrote:

Hi All,

I'am using Squid Cache: Version 3.1.19 on ubuntu 12.04, and i have
problem accessing vmware.com, its never complete load, always showing
white blank page, i have try with different browser also, firefox,
chrome and IE


here is my squid config

-- squid config
--
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.3:3128 transparent
cache_dir aufs /squid-cache/squid 1 16 256
coredump_dir /squid-cache/squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .   0   20% 4320

# custom config
logfile_rotate 10
cache_mem 1024 MB
pipeline_prefetch on
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4

acl langsung dstdomain .vmware.com
always_direct allow langsung

## quinto lab configuration
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
-- squid config
--


-- access.log clip
--



1348124282.802 158646 192.168.1.65 TCP_MISS/200 338 GET
http://www.vmware.com/files/templates/inc/baynote_global.js - NONE/-
application/javascript
1348124283.102 159150 192.168.1.65 TCP_MISS/200 338 GET
http://www.vmware.com/files/templates/inc/baynote_observer.js - NONE/-
application/javascript


It looks like it may be these which take 159 seconds *each* before they 
timeout and 338 bytes are returned to the client. No server is 
contacted. Everything else is only a few milliseconds.


Amos

[squid-users] Squid 3.1 vmware.com access

[Bambang Sumitra]

Hi All,

I'am using Squid Cache: Version 3.1.19 on ubuntu 12.04, and i have
problem accessing vmware.com, its never complete load, always showing
white blank page, i have try with different browser also, firefox,
chrome and IE


here is my squid config

-- squid config
--
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.3:3128 transparent
cache_dir aufs /squid-cache/squid 1 16 256
coredump_dir /squid-cache/squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .   0   20% 4320

# custom config
logfile_rotate 10
cache_mem 1024 MB
pipeline_prefetch on
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4

acl langsung dstdomain .vmware.com
always_direct allow langsung

## quinto lab configuration
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
-- squid config
--


-- access.log clip
--

1348124124.131  2 192.168.1.65 TCP_HIT/200 1271 GET
http://www.vmware.com/files/include/shadowbox/vmw_cust.js - NONE/-
application/javascript
1348124124.135277 192.168.1.65 TCP_REFRESH_UNMODIFIED/200 1481 GET
http://www.vmware.com/files/templates/inc/oo_engine.js -
DIRECT/96.16.179.51 application/javascri
pt
1348124124.287198 192.168.1.65 TCP_REFRESH_UNMODIFIED/200 1924 GET
http://www.vmware.com/files/include/ga/downloads-tracker.js -
DIRECT/96.16.179.51 application/jav
ascript
1348124124.431277 192.168.1.65 TCP_REFRESH_UNMODIFIED/200 2886 GET
http://www.vmware.com/files/include/common_min.js -
DIRECT/96.16.179.51 application/javascript
1348124282.802 158646 192.168.1.65 TCP_MISS/200 338 GET
http://www.vmware.com/files/templates/inc/baynote_global.js - NONE/-
application/javascript
1348124283.102 159150 192.168.1.65 TCP_MISS/200 338 GET
http://www.vmware.com/files/templates/inc/baynote_observer.js - NONE/-
application/javascript
1348124297.668396 192.168.1.65 TCP_MISS/301 704 GET
http://vmware.com/ - DIRECT/165.193.233.120 text/html
1348124297.876 33 192.168.1.65 TCP_HIT/200 15735 GET
http://www.vmware.com/ - NONE/- text/html
1348124297.968  2 192.168.1.65 TCP_HIT/200 6185 GET
http://www.vmware.com/files/include/ga/ga-code.js - NONE/-
application/javascript
1348124297.994 13 192.168.1.65 TCP_HIT/200 88191 GET
http://www.vmware.com/files/templates/inc/library_framework.js -
NONE/- application/javascript
1348124298.000  3 192.168.1.65 TCP_HIT/200 371 GET
http://www.vmware.com/files/templates/inc/s_define.js - NONE/-
application/javascript
1348124298.002 20 192.168.1.65 TCP_HIT/200 137831 GET
http://www.vmware.com/files/templates/inc/fce.css - NONE/- text/css
1348124298.022  1 192.168.1.65 TCP_HIT/200 2619 GET
http://www.vmware.com/files/js/demand.js - NONE/-
application/javascript
1348124298.054  2 192.168.1.65 TCP_HIT/200 2338 GET
http://www.vmware.com/files/include/shadowbox303/shadowbox.css -
NONE/- text/css
1348124298.064  9 192.168.1.65 TCP_HIT/200 106044 GET
http://www.vmware.com/files/include/location-popup/jquery.tools.min.jq164.js
- NONE/- application/javascript
1348124298.119  6 192.168.1.65 TCP_HIT/200 65355 GET
http://www.vmware.com/files/include/shadowbox303/shadowbox.js - NONE/-
application/javascript
1348124298.130  2 192.168.1.65 TCP_HIT/200 3886 GET
http://www.vmware.com/files/include/location-popup/geo_redirect_min.js
- NONE/- application/javascript
1348124298.132  2 192.168.1.65 TCP_HIT/200 6294 GET
http://www.vmware.com/files/include/location-popup/location-popup-api.js
- N

Re: [squid-users] Squid 3.1.x and Kemp loadbalancer.

[Amos Jeffries]

On 20.06.2012 22:40, Josef Karliak wrote:

Hi there,
  we use Kemp loadbalancer for balancing proxy (active-backup). All
users has set IP of kemp loadbalancer. But in the squid access_log is
IP of the loadbalancer, I want there an IP of the user that is
accessing the web pages (we use webalizer for analyzing top browsing
users).
  My logformat defined in squid.conf:
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S +}tl] \
  "%rm %ru HTTP/%rv" >Hs %h" "%{User-Agent}>h" 
%Ss:%Sh


  Do I've some bad variable in the logformat ?



Your format is accurate.

The kemp load balancer apparently operates in one of two ways:

 layer 4, using NAT alteration of packets before delivery to the Squid 
box. The real clients addresses are gone. There is no recovery possible.


 layer 7, using a proxy which itself makes HTTP requests through Squid. 
So it is the one and only *client* to Squid. It *might* be able to set 
X-Forwarded-For headers and inform Squid about the clients original IP 
address. If so configure:


  acl kemp src ... IP of kemp load balancer(s)
  follow_x_forwarded_for allow kempID
  follow_x_forwarded_for deny all



NOTE: You have the alternative option of active-passive load balancing 
in a PAC file which is performed directly in the client browser.



Amos

[squid-users] Squid 3.1.x and Kemp loadbalancer.

[Josef Karliak]

  Hi there,
  we use Kemp loadbalancer for balancing proxy (active-backup). All  
users has set IP of kemp loadbalancer. But in the squid access_log is  
IP of the loadbalancer, I want there an IP of the user that is  
accessing the web pages (we use webalizer for analyzing top browsing  
users).

  My logformat defined in squid.conf:
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S +}tl] \
  "%rm %ru HTTP/%rv" >Hs %h" "%{User-Agent}>h" %Ss:%Sh

  Do I've some bad variable in the logformat ?
  Thank you very much and best regards
  J.Karliak

--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and check. If you've problem with sending emails to me, start
using email origin methods mentioned above. Thank you.


This message was sent using IMP, the Internet Messaging Program.



biny5iAWtCFdJ.bin
Description: Veřejný PGP klíč

Re: [squid-users] Squid 3.1 and https ssl aes256 issue

[Amos Jeffries]

On 03.06.2012 22:23, alextouch wrote:

Hi

this is my first post... last month I installed a linux ubuntu server 
12.04
LTS machine with Squid3 in my organization. This machine works as a 
proxy

(not transparent proxy) for the web access from clients.
Proxy is connected to a gateway for internet connection.
Clients are configured so that all web (http, https, ftp, socks) 
trafic goes

through the squid proxy.
All works fine, clients are able to access to all type of internet 
trafic,

including https sites encrypted with aes128 (like gmail, or
https://www1.directatrading.com/).
But no client is able to access to sites encrypted with aes256 (like
https://www.unicredit.it/)... the browser locks with "Connecting to
https://www..."; and nothing else is displayed on the browser 
itself.
I searched the net but I wasn't able to find a thread about this 
issue.
squid.conf is the original one, I added only support for delay-pools 
and
acls to deny some client to access to certain sites. But even with 
these

options disabled, the problem is still present.

Does anyone have any idea?


In the standard setup like this Squid has nothing to do with the SSL or 
TLS operations. The browser simply opens a CONNECT tunnel through Squid. 
The encryption details are negotiated directly between the browser and 
origin server.


It is most likely that your clients browsers or SSL libraries are 
missing AES-256 support or are getting stuck negotiating to use a 
version of TLS/SSL which supports it.


Amos

[squid-users] Squid 3.1 and https ssl aes256 issue

[alextouch]

Hi 

this is my first post... last month I installed a linux ubuntu server 12.04
LTS machine with Squid3 in my organization. This machine works as a proxy
(not transparent proxy) for the web access from clients. 
Proxy is connected to a gateway for internet connection. 
Clients are configured so that all web (http, https, ftp, socks) trafic goes
through the squid proxy. 
All works fine, clients are able to access to all type of internet trafic,
including https sites encrypted with aes128 (like gmail, or
https://www1.directatrading.com/). 
But no client is able to access to sites encrypted with aes256 (like
https://www.unicredit.it/)... the browser locks with "Connecting to
https://www..."; and nothing else is displayed on the browser itself. 
I searched the net but I wasn't able to find a thread about this issue. 
squid.conf is the original one, I added only support for delay-pools and
acls to deny some client to access to certain sites. But even with these
options disabled, the problem is still present. 

Does anyone have any idea? 

Thank you. 
Alex

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-1-and-https-ssl-aes256-issue-tp4655249.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] Squid 3.1 and TPROXY 4 Problems

[Amos Jeffries]

On 5/05/2012 7:58 p.m., Dave Blakey wrote:

Hi all,
  I'm busy working on a tproxy setup with the latest squid on Ubuntu
12.04; tproxy is enabled, squid is compiled with tproxy support etc.
The difference with this setup is that traffic is being sent to the
host using route-map on a cisco as opposed to WCCP but it seems that
should work. Unfortunately it seems there is very little documentation
about the latest tproxy+squid3.1 setup method - but this is what I
have --

# IP
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

# Sysctl
echo 1>  /proc/sys/net/ipv4/ip_forward
echo 2>  /proc/sys/net/ipv4/conf/default/rp_filter
echo 2>  /proc/sys/net/ipv4/conf/all/rp_filter
echo 0>  /proc/sys/net/ipv4/conf/eth0/rp_filter

# IP Tables
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129


In squid.conf the relevant line for http_port 3129 tproxy is set etc.
With this setup I get hits on the iptables rules, and see a request in
the access log but it fails to fill it, it also looks very strange --

1336146295.076  56266 x.x.x.x TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -
1336146337.969  42875 x.x.x.x TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -

As you can see it's a TCP_MISS/000 and the DIRECT/www.google.com in my
experience should have an IP not a hostname? Additionally the sizes
seem very weird. The client just hangs.


Depends on your squid version, the 3.2+ are IP-only there the older ones 
display FQDN when its available and log_fqdn is on.
Size is zero because upstream was contacted, but things went bad before 
any bytes were transferred to the client.


This is the usual log signature for a forwarding loop. With TPROXY those 
are a greater risk than with NAT, and harder to track down. You may need 
to take a very close look at the TCP packets in the different network 
link places and see what is going on. NP: port number is the only way to 
identify cleint and server connections apart at the TCP/IP level.





Should this setup be working or is there some obvious error?


I'm not entirely sure about the rp_filter sysctl. I've had trouble on 
recent Debian myself with TPROXY hanging. It may be worth experimenting 
with those a bit.


Amos

[squid-users] Squid 3.1 and TPROXY 4 Problems

[Dave Blakey]

Hi all,
 I'm busy working on a tproxy setup with the latest squid on Ubuntu
12.04; tproxy is enabled, squid is compiled with tproxy support etc.
The difference with this setup is that traffic is being sent to the
host using route-map on a cisco as opposed to WCCP but it seems that
should work. Unfortunately it seems there is very little documentation
about the latest tproxy+squid3.1 setup method - but this is what I
have --

# IP
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

# Sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# IP Tables
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129


In squid.conf the relevant line for http_port 3129 tproxy is set etc.
With this setup I get hits on the iptables rules, and see a request in
the access log but it fails to fill it, it also looks very strange --

1336146295.076  56266 x.x.x.x TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -
1336146337.969  42875 x.x.x.x TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -

As you can see it's a TCP_MISS/000 and the DIRECT/www.google.com in my
experience should have an IP not a hostname? Additionally the sizes
seem very weird. The client just hangs.

Should this setup be working or is there some obvious error?

Thank you in advance
Dave

[squid-users] Squid 3.1 and TPROXY 4 Problems

[Dave]

Hi all,
 I'm busy working on a tproxy setup with the latest squid on Ubuntu
12.04; tproxy is enabled, squid is compiled with tproxy support etc.
The difference with this setup is that traffic is being sent to the
host using route-map on a cisco as opposed to WCCP but it seems that
should work. Unfortunately it seems there is very little documentation
about the latest tproxy+squid3.1 setup method - but this is what I
have --

# IP
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

# Sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# IP Tables
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129


In squid.conf the relevant line for http_port 3129 tproxy is set etc.
With this setup I get hits on the iptables rules, and see a request in
the access log but it fails to fill it, it also looks very strange --

1336146295.076  56266 69.77.128.218 TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -
1336146337.969  42875 69.77.128.218 TCP_MISS/000 0 GET
http://www.google.com/url? - DIRECT/www.google.com -

As you can see it's a TCP_MISS/000 and the DIRECT/www.google.com in my
experience should have an IP not a hostname? Additionally the sizes
seem very weird. The client just hangs.

Should this setup be working or is there some obvious error?

Thank you in advance
Dave

[squid-users] Squid 3.1 + Accel conf + ETag = ignoring ETag

[Daniele Segato]

Hi,

I'm experimenting with squid and a service I'm writing.

my service compute ETag and return it along with other Http headers:

Headers returned by a request to my service:

HTTP/1.1 200 OK
Content-Language: it
Cache-Control: public, max-age=60, s-maxage=60
ETag: "32b71ecde17592a1d6ef696f5ae78216"
Last-Modified: Fri, 27 Apr 2012 14:09:08 GMT
Date: Fri, 27 Apr 2012 17:43:52 GMT
Vary: Accept, Accept-Language
Age: 0
Content-Type: application/json;charset=UTF-8
Content-Length: 932
Server: Jetty(6.1.21)


here's what's happen if I pass
If-Modified-Since: Fri, 27 Apr 2012 14:09:08 GMT

HTTP/1.1 304 Not Modified
Content-Language: it
Cache-Control: public, max-age=60, s-maxage=60
ETag: "32b71ecde17592a1d6ef696f5ae78216"
Last-Modified: Fri, 27 Apr 2012 14:09:08 GMT
Date: Fri, 27 Apr 2012 17:44:49 GMT
Vary: Accept, Accept-Language
Age: 0
Content-Type: application/json;charset=UTF-8
Content-Length: 932
Server: Jetty(6.1.21)



And if pass:
If-None-Match: "32b71ecde17592a1d6ef696f5ae78216"

HTTP/1.1 304 Not Modified
Content-Language: it
Cache-Control: public, max-age=60, s-maxage=60
ETag: "32b71ecde17592a1d6ef696f5ae78216"
Last-Modified: Fri, 27 Apr 2012 14:09:08 GMT
Date: Fri, 27 Apr 2012 17:46:20 GMT
Vary: Accept, Accept-Language
Age: 0
Content-Type: application/json;charset=UTF-8
Content-Length: 932
Server: Jetty(6.1.21)



Nothing special...
But squid is not sending me the "If-None-Match" header

I have situation where the Last-Modified date doesn't change, the ETag 
work in identifying what's a 304 and what's not.
The last modified date check fails there (give 304 when the content has 
been actually modified).



So I need squid to give me If-None-Match

is there some config to enable?
Am I doing something wrong?

thanks,
Daniele

[squid-users] Squid 3.1: access.log did not log authenticated members

[David Touzeau]

Dear

I have tested all log formats on my squid 3.1.19 and member information 
still "IP   -   - "

eg:  192.168.1.212 - - [

Is it normal ?

I notice that using squid 3.2 log correctly members uid in access.log

Best regards

Re: [squid-users] squid 3.1 and HTTPS (and probably ipv6)

[Amos Jeffries]

On 13.03.2012 22:10, Eugene M. Zheganin wrote:

Hi.

I'm using squid 3.1.x on FreeBSD. Squid is built from ports.

Recently I was hit by a weird issue: my users cannot open HTTPS
pages. This is not something constant - if they hit the F5 button in
browser, the pages are loading, sometimes showing the message like
'Unable to connect. Firefox can't establish a connection to the 
server

at access.ripe.net.' (for example. most of them are using FF). In the
same time plain HTTP pages are working fine.

I did some investigation and it appears like squid really thinks it
cannot connect to HTTPS-enabled web server:




As you guessed this does seem to be a stack issue. Dual-stack systems 
can be configured to operate as hybrid stacks or as split stacks (two 
distinct socket handling paths). Recently there has been a trend away 
from the simpler hybrid stacks towards split stacks.


Squid-3.1 was written for hybrid stacks with v4-mapping ability. When 
run on stack without mapping (split) it cannot reset the FD protocol to 
switch stack types. Workaround/Support for split stacks has been added 
incrementally across the 3.1 series, with some of the deeper changes 
only in 3.2.




===Cut===


2012/03/13 14:08:39.661| ipcache_nbgethostbyname: HIT for 
'access.ripe.net'


Found the site IPs.

assuming: connect to the first one (IPv6).


2012/03/13 14:08:39.662| ipcacheMarkBadAddr: access.ripe.net
[2001:67c:2e8:22::c100:685]:443


 Didn't work. Mark it bad.


2012/03/13 14:08:39.662| ipcacheCycleAddr: access.ripe.net now at
193.0.6.133 (2 of 2)
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : 
family=28
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : 
family=28


Reset the socket FD to convert for the new IP (v4).

assuming: socket still IPv6 and trying to use for IPv4?
assuming: connect to this IP also failed.

2012/03/13 14:08:39.662| ipcache_nbgethostbyname: Name 
'access.ripe.net'.
2012/03/13 14:08:39.662| ipcache_nbgethostbyname: HIT for 
'access.ripe.net'
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : 
family=28
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : 
family=28


 Reset the socket FD (again).. Bit strange that this is still "14->16".


2012/03/13 14:08:39.662| ipcacheCycleAddr: access.ripe.net now at
193.0.6.133 (2 of 2)
2012/03/13 14:08:39.662| ipcache_nbgethostbyname: Name 
'access.ripe.net'.
2012/03/13 14:08:39.662| ipcache_nbgethostbyname: HIT for 
'access.ripe.net'

2012/03/13 14:08:39.662| ipcacheMarkAllGood: Changing ALL
access.ripe.net addrs to OK (1/2 bad)


Failed a second time. tries > number of IPs (huh? 3 or 2 tries?)

Instead of retrying yet again, cycle the IPs ...


2012/03/13 14:08:39.662| errorpage.cc(1051) BuildContent: No existing
error page language negotiated for ERR_CONNECT_FAIL. Using default
error file.


... and respond with error.


===Cut==

But why ? I did some telnetting from this server to the
access.ripe.net:443, and it succeeded like 10 from 10 times (squid
error rate is far more frequent). The only thing that bothers me is
that telnet also first tries ipv6 too, but then switches to the ipv4,
and connects.

Now some suggestions (probably a shot in the dark). This only happens
on an ipv6-enabled machines, but without actual ipv6 connectivity (no
ipv6 default route or no public ipv6 address, for example I have
unique-local addresses for the testing purposes). In the same time
this issue can be easily solved by restoring the ipv6 connectivity to
the outer world. So, can it be some dual-stack behavior bug ? Or is 
it

'by design' ? Do I need to report it ?



Squid opens an IPv6 socket by default, attempts the IPv6 destination 
(route down, IPv6 socket). Fails. Then attempts to reset the socket 
protocol family and contact the IPv4 destination (route fine, IPv6 
socket [oops!]).
You can avoid this in 3.1 by enabling v4-mapping capability in your 
kernel or using "tcp_outgoing_address 0.0.0.0" to force the sockets to 
be IPv4-only from the start. 3.2 series has better split-stack support 
so should have this behaviour problem fixed now.



Amos

[squid-users] squid 3.1 and HTTPS (and probably ipv6)

[Eugene M. Zheganin]

Hi.

I'm using squid 3.1.x on FreeBSD. Squid is built from ports.

Recently I was hit by a weird issue: my users cannot open HTTPS pages. 
This is not something constant - if they hit the F5 button in browser, 
the pages are loading, sometimes showing the message like 'Unable to 
connect. Firefox can't establish a connection to the server at 
access.ripe.net.' (for example. most of them are using FF). In the same 
time plain HTTP pages are working fine.


I did some investigation and it appears like squid really thinks it 
cannot connect to HTTPS-enabled web server:


===Cut===
2012/03/13 14:08:39.661| ACL::ChecklistMatches: result for 'all' is 1
2012/03/13 14:08:39.661| ACLList::matches: result is true
2012/03/13 14:08:39.661| aclmatchAclList: 0x285e4810 returning true (AND 
list satisfied)
2012/03/13 14:08:39.661| ACLChecklist::markFinished: 0x285e4810 
checklist processing finished
2012/03/13 14:08:39.661| ACLChecklist::check: 0x285e4810 match found, 
calling back with 1

2012/03/13 14:08:39.661| ACLChecklist::checkCallback: 0x285e4810 answer=1
2012/03/13 14:08:39.661| peerCheckAlwaysDirectDone: 1
2012/03/13 14:08:39.661| peerSelectFoo: 'CONNECT access.ripe.net'
2012/03/13 14:08:39.661| peerSelectFoo: direct = DIRECT_YES
2012/03/13 14:08:39.661| The AsyncCall SomeCommConnectHandler 
constructed, this=0x286e6740 [call1916]
2012/03/13 14:08:39.661| commConnectStart: FD 14, cb 0x286e6740*1, 
access.ripe.net:443
2012/03/13 14:08:39.661| The AsyncCall SomeCloseHandler constructed, 
this=0x2956c2c0 [call1917]

2012/03/13 14:08:39.661| ipcache_nbgethostbyname: Name 'access.ripe.net'.
2012/03/13 14:08:39.661| ipcache_nbgethostbyname: HIT for 'access.ripe.net'
2012/03/13 14:08:39.662| ipcacheMarkBadAddr: access.ripe.net 
[2001:67c:2e8:22::c100:685]:443
2012/03/13 14:08:39.662| ipcacheCycleAddr: access.ripe.net now at 
193.0.6.133 (2 of 2)

2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : family=28
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : family=28
2012/03/13 14:08:39.662| FilledChecklist.cc(168) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x285e4810

2012/03/13 14:08:39.662| ACLChecklist::~ACLChecklist: destroyed 0x285e4810
2012/03/13 14:08:39.662| FilledChecklist.cc(168) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x285e4910

2012/03/13 14:08:39.662| ACLChecklist::~ACLChecklist: destroyed 0x285e4910
2012/03/13 14:08:39.662| The AsyncCall SomeCommReadHandler constructed, 
this=0x28ce9100 [call1918]
2012/03/13 14:08:39.662| leaving SomeCommReadHandler(FD 150, 
data=0x286b6710, size=4, buf=0x28d1e000)

2012/03/13 14:08:39.662| ipcache_nbgethostbyname: Name 'access.ripe.net'.
2012/03/13 14:08:39.662| ipcache_nbgethostbyname: HIT for 'access.ripe.net'
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : family=28
2012/03/13 14:08:39.662| commResetFD: Reset socket FD 14->16 : family=28
2012/03/13 14:08:39.662| ipcacheCycleAddr: access.ripe.net now at 
193.0.6.133 (2 of 2)

2012/03/13 14:08:39.662| ipcache_nbgethostbyname: Name 'access.ripe.net'.
2012/03/13 14:08:39.662| ipcache_nbgethostbyname: HIT for 'access.ripe.net'
2012/03/13 14:08:39.662| ipcacheMarkAllGood: Changing ALL 
access.ripe.net addrs to OK (1/2 bad)

2012/03/13 14:08:39.662| commConnectCallback: FD 14
2012/03/13 14:08:39.662| comm.cc(1195) commSetTimeout: FD 14 timeout -1
2012/03/13 14:08:39.662| comm.cc(1206) commSetTimeout: FD 14 timeout -1
2012/03/13 14:08:39.662| comm.cc(934) will call 
SomeCommConnectHandler(FD 14, errno=22, flag=-8, data=0x28f6bdd0, ) 
[call1916]

2012/03/13 14:08:39.662| commConnectFree: FD 14
2012/03/13 14:08:39.662| entering SomeCommConnectHandler(FD 14, 
errno=22, flag=-8, data=0x28f6bdd0, )
2012/03/13 14:08:39.662| AsyncCall.cc(32) make: make call 
SomeCommConnectHandler [call1916]

2012/03/13 14:08:39.662| errorSend: FD 12, err=0x28f995d0
2012/03/13 14:08:39.662| errorpage.cc(1051) BuildContent: No existing 
error page language negotiated for ERR_CONNECT_FAIL. Using default error 
file.

===Cut==

But why ? I did some telnetting from this server to the 
access.ripe.net:443, and it succeeded like 10 from 10 times (squid error 
rate is far more frequent). The only thing that bothers me is that 
telnet also first tries ipv6 too, but then switches to the ipv4, and 
connects.


Now some suggestions (probably a shot in the dark). This only happens on 
an ipv6-enabled machines, but without actual ipv6 connectivity (no ipv6 
default route or no public ipv6 address, for example I have unique-local 
addresses for the testing purposes). In the same time this issue can be 
easily solved by restoring the ipv6 connectivity to the outer world. So, 
can it be some dual-stack behavior bug ? Or is it 'by design' ? Do I 
need to report it ?


Thanks.
Eugene.

Re: [squid-users] squid 3.1 - endless loop IIS webserver

[Amos Jeffries]

On 12/03/2012 6:53 p.m., kadvar wrote:

Hi,

I have searched for other posts with the same problem but the workarounds
that worked for them did'nt work for me. I am trying to configure a squid
reverse proxy with ssl support. I have squid on 192.168.124.41 with apache
on 127.0.0.1 on the same box. I also have two other webservers (1 apache, 1
IIS). Squid is configured to direct any requests for asp pages to iis and
the rest to the apache machine.

I have also configured squid to use https, the programmer has set up a 302
redirect on the iis machine so that visiting http://example.com/Login.aspx
redirects to https://example.com/Login.aspx. Squid redirects fine but after
that gives me a "The page isn't redirecting properly". Running wget shows
that squid is going into an endless loop. I have reproduced squid.conf and
also the wget output below.

$wget --no-check http://192.168.124.41/Login.aspx
--2012-03-12 11:06:53--  http://192.168.124.41/Login.aspx
Connecting to 192.168.124.41:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://example.com/Login.aspx [following]
--2012-03-12 11:06:53--  https://example.com/Login.aspx
Resolving example.com... 192.168.124.41
Connecting to example.com|192.168.124.41|:443... connected.
WARNING: cannot verify example.com’s certificate, issued by
“/C=IN/ST=AP/L=Default City/O=Default Company
Ltd/CN=example.com/emailAddress=ad...@example.com”:
   Unable to locally verify the issuer’s authority.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://example.com/memberplanet/Login.aspx [following]

and so on..


The problem is that Squid is sending HTTPS traffic to an HTTP port on 
IIS. Requests to origin servers do not include anything specifically 
saying HTTPS or HTTPS. The server tells that from the port its receiving 
the request on.


There is a trick you can add to your squid.conf to split traffic between 
two ports on the IIS peer




##
squid.conf
#
http_port 192.168.124.41:80 accel defaultsite=example.com

https_port 192.168.124.41:443 accel
cert=/usr/newrprgate/CertAuth/testcert.cert
key=/usr/newrprgate/CertAuth/testkey.pem defaultsite=example.com

acl rx_aspx urlpath_regex -i \.asp[x]*


acl HTTPS proto HTTPS


cache_peer 192.168.124.169 parent 80 0 no-query no-digest originserver
name=aspserver

cache_peer_access aspserver deny HTTPS


cache_peer_access aspserver allow rx_aspx
cache_peer_access aspserver deny all


cache_peer 192.168.124.169 parent 443 0 no-query no-digest originserver 
name=aspserverSSL

cache_peer_access aspserverSSL allow  HTTPS rx_aspx
cache_peer_access aspserverSSL deny all




cache_peer 127.0.0.1 parent 80 0 no-query originserver name=wb1
cache_peer_access wb1 deny rx_aspx

acl origin_servers dstdomain .example.com
http_access allow origin_servers
http_access deny all
###

I'd appreciate it if someone could give me some clues as to what I'm doing
wrong.



That should fix the looping.

Amos

[squid-users] squid 3.1 - endless loop IIS webserver

[kadvar]

Hi,

I have searched for other posts with the same problem but the workarounds
that worked for them did'nt work for me. I am trying to configure a squid
reverse proxy with ssl support. I have squid on 192.168.124.41 with apache
on 127.0.0.1 on the same box. I also have two other webservers (1 apache, 1
IIS). Squid is configured to direct any requests for asp pages to iis and
the rest to the apache machine.

I have also configured squid to use https, the programmer has set up a 302
redirect on the iis machine so that visiting http://example.com/Login.aspx
redirects to https://example.com/Login.aspx. Squid redirects fine but after
that gives me a "The page isn't redirecting properly". Running wget shows
that squid is going into an endless loop. I have reproduced squid.conf and
also the wget output below.

$wget --no-check http://192.168.124.41/Login.aspx
--2012-03-12 11:06:53--  http://192.168.124.41/Login.aspx
Connecting to 192.168.124.41:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://example.com/Login.aspx [following]
--2012-03-12 11:06:53--  https://example.com/Login.aspx
Resolving example.com... 192.168.124.41
Connecting to example.com|192.168.124.41|:443... connected.
WARNING: cannot verify example.com’s certificate, issued by
“/C=IN/ST=AP/L=Default City/O=Default Company
Ltd/CN=example.com/emailAddress=ad...@example.com”:
  Unable to locally verify the issuer’s authority.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://example.com/memberplanet/Login.aspx [following]
 
and so on..

##
squid.conf
#
http_port 192.168.124.41:80 accel defaultsite=example.com

https_port 192.168.124.41:443 accel
cert=/usr/newrprgate/CertAuth/testcert.cert
key=/usr/newrprgate/CertAuth/testkey.pem defaultsite=example.com

acl rx_aspx urlpath_regex -i \.asp[x]*

cache_peer 192.168.124.169 parent 80 0 no-query no-digest originserver
name=aspserver
cache_peer_access aspserver allow rx_aspx
cache_peer_access aspserver deny all

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=wb1
cache_peer_access wb1 deny rx_aspx

acl origin_servers dstdomain .example.com
http_access allow origin_servers
http_access deny all
###

I'd appreciate it if someone could give me some clues as to what I'm doing
wrong.

Thanks,
Adi

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-1-endless-loop-IIS-webserver-tp4465329p4465329.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites

[Helmut Hullen]

Hallo, Josef,

Du meintest am 08.03.12:

>is it able to detect somehow (and disable) tunneling http regular
> web thru proxy web sites ?  For example porn web site thru
> "hidemyass.com". There are a lot of web proxies, couldn't locate
> everyone and disable it :). How do you solve it ?

I use "squidGuard" with its database p.e. for porn and/or proxies. It's  
simple to use it under "squid".

Viele Gruesse!
Helmut

Re: [squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites

[Amos Jeffries]

On 9/03/2012 1:01 a.m., Josef Karliak wrote:

  Good afternoon,
  is it able to detect somehow (and disable) tunneling http regular 
web thru proxy web sites ?  For example porn web site thru 
"hidemyass.com". There are a lot of web proxies, couldn't locate 
everyone and disable it :). How do you solve it ?

  Thanks and best regards
  J.K.



It is not possible to get them all. You can look for public lists and/or 
commercial lists. Even so it is a full time job or more just to stay 
updated.


The better solution is to work out policies that the users can agree to 
and willing to work within. Educate where possible about why you do the 
things you need to do and what the benefits are for the users in 
following along. And get management on-side to assist with enforcing 
restrictions when people are caught going against the agreement. A 
policy without teeth is just so much hot air.


Compare your network setup against 
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Recommended_network_configuration 
to see if you have missed a useful layer.


Amos

[squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites

[Josef Karliak]

  Good afternoon,
  is it able to detect somehow (and disable) tunneling http regular  
web thru proxy web sites ?  For example porn web site thru  
"hidemyass.com". There are a lot of web proxies, couldn't locate  
everyone and disable it :). How do you solve it ?

  Thanks and best regards
  J.K.

--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and check. If you've problem with sending emails to me, start
using email origin methods mentioned above. Thank you.


This message was sent using IMP, the Internet Messaging Program.



binF6si6Z1q7C.bin
Description: Veřejný PGP klíč

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[巍俊葛]

Thanks Amos,

Currently, we use a VM ( vmware) to host a RHEL with squid running.
I change the back-end site with only an IIS test web site which is
hosted on the same IIS system.
And it's just a png image file. And it seem working.

On RHEL side, there is no limitations on outgoing on iptables rules.

Regards,
~Kimi


On 12/01/2012, Amos Jeffries  wrote:
> On 12.01.2012 02:28, kimi ge wrote:
>> Hi Amos,
>>
>> Really appreciate your help.
>>
>> I did changes with your sugguestion.
>>
>> Some debug logs are here:
>>
>> 2012/01/11 13:21:58.167| The request GET
>> http://ids-ams.elabs.eds.com/
>> is ALLOWED, because it matched 'origin_servers'
>>
>> 2012/01/11 13:21:58.168| client_side_request.cc(547)
>> clientAccessCheck2: No adapted_http_access configuration.
>>
>> 2012/01/11 13:21:58.168| The request GET
>> http://ids-ams.elabs.eds.com/
>> is ALLOWED, because it matched 'origin_servers'
>>
>> 2012/01/11 13:21:58.170| ipcacheMarkBadAddr:
>> wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
>>
>> 2012/01/11 13:21:58.171| TCP connection to
>> wtestsm1.asiapacific.hpqcorp.net/80 failed
>>
>
> There you go. Squid unable to even connect to the IIS server using TCP.
>
> Bit strange that it should use 404 instead of 500 status. But that TCP
> connection failure is the problem.
>
> 
>> My squid environment information:
>> RHEL6.0 64bit.
>> squid v 3.1.4
>
> A very outdated Squid release version, even for RHEL (which are on
> 3.1.8 or so now).
>
> * start with checking your firewall and packet routing configurations
> to ensure that Squid outgoing traffic is actually allowed and able to
> connect to IIS.
>
>   * if that does not resolve the problem, please try a newer 3.1
> release. You will likely have to self-build or use non-RHEL RPM, there
> seem to be no recent packages for RHEL.
>
>
> Amos
>
>

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[Amos Jeffries]

On 12.01.2012 02:28, kimi ge wrote:

Hi Amos,

Really appreciate your help.

I did changes with your sugguestion.

Some debug logs are here:

2012/01/11 13:21:58.167| The request GET 
http://ids-ams.elabs.eds.com/

is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.168| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:21:58.168| The request GET 
http://ids-ams.elabs.eds.com/

is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.170| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.171| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed



There you go. Squid unable to even connect to the IIS server using TCP.

Bit strange that it should use 404 instead of 500 status. But that TCP 
connection failure is the problem.




My squid environment information:
RHEL6.0 64bit.
squid v 3.1.4


A very outdated Squid release version, even for RHEL (which are on 
3.1.8 or so now).


* start with checking your firewall and packet routing configurations 
to ensure that Squid outgoing traffic is actually allowed and able to 
connect to IIS.


 * if that does not resolve the problem, please try a newer 3.1 
release. You will likely have to self-build or use non-RHEL RPM, there 
seem to be no recent packages for RHEL.



Amos

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[巍俊葛]

Hi Amos,

Really appreciate your help.

I did changes with your sugguestion.

Some debug logs are here:

2012/01/11 13:21:58.167| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.168| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:21:58.168| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:21:58.170| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.171| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.171| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.177| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.177| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.177| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.183| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.184| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.184| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.190| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.191| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.191| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.197| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.197| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.197| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.203| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.204| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.204| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.210| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.210| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.210| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.216| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.216| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.217| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.222| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.223| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.223| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.229| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.229| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.229| Detected DEAD Parent: main

2012/01/11 13:21:58.229| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.235| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:21:58.236| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 failed

2012/01/11 13:21:58.236| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 dead

2012/01/11 13:21:58.236| fwdServerClosed: FD 11 http://ids-ams.elabs.eds.com/

2012/01/11 13:21:58.238| The reply for GET
http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'

2012/01/11 13:21:58.240| ConnStateData::swanSong: FD 9

2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:07.406| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:22:07.406| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:07.407| ipcacheMarkBadAddr:
wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80

2012/01/11 13:22:07.408| Failed to select source for
'http://ids-ams.elabs.eds.com/'

2012/01/11 13:22:07.408|   always_direct = 0

2012/01/11 13:22:07.408|never_direct = 0

2012/01/11 13:22:07.408|timedout = 0

2012/01/11 13:22:07.410| The reply for GET
http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'

2012/01/11 13:22:07.410| TCP connection to
wtestsm1.asiapacific.hpqcorp.net/80 dead

2012/01/11 13:22:07.412| ConnStateData::swanSong: FD 9

2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:09.381| client_side_request.cc(547)
clientAccessCheck2: No adapted_http_access configuration.

2012/01/11 13:22:09.381| The request GET http://ids-ams.elabs.eds.com/
is ALLOWED, because it matched 'origin_servers'

2012/01/11 13:22:09.383| ipcacheMarkBadAddr:
wtestsm1.asiapacific.h

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[Amos Jeffries]

On 11/01/2012 8:46 p.m., kimi ge(巍俊葛) wrote:

Thanks Amos.

I did the lynx test on back-end web site on squid system like this:
sudo lynx http://wtestsm1.asiapacific.hpqcorp.net

First, it show the message:
Alert!: Invalid header 'WWW-Authenticate: NTLM'

Then it show the following message.
Show the 401 message body? (y/n)


Aha. NTLM authentication. Very probaby that login=PASS then.



For the domain auth, I mean the back-end web site need corp domain
user to be accessed.
I put this in this way, if I log on with my corp domain on my laptop,
then I could acces IIS Share Point without any credentials window pop
up. If not, I have to input my domain account on credentials window to
access the Share Point Site.


The following is my squid configuration about this case which I ignore
some default sections.
#added by kimi
acl hpnet src 16.0.0.0/8# RFC1918 possible internal network
#added by kimi
acl origin_servers dstdomain ids-ams.elabs.eds.com
http_access allow origin_servers
http_access allow hpnet

http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
connection-auth=on

forwarded_for on

request_header_access WWW-Authenticate allow all


This is not needed. The Squid default is to relay www-auth headers 
through. www-authenticate is a reply header anyway, to inform the client 
agent what types of auth it can use.




cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
no-digest originserver name=main connection-auth=on login=PASS


"connection-auth=on" should be enough. Try without login=PASS.



cache_peer_domain main .elabs.eds.com

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

cache_dir aufs /data/squid/cache 12000 64 256
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
maximum_object_size 51200 KB

visible_hostname ids-ams.elabs.eds.com
debug_options ALL,5
http_access deny all

While let squid be running, I do test like this
http://ids-ams.elabs.eds.com

The 404 error page is shown.


Okay. Which error page?  Squid sends three different ones with that 
status code. Invalid request or Invalid URL or something else?



That's why I am wondering squid could be as reverse-proxy with IIS
SharePoint as back-end?


It can be. There is normally no trouble. But the newer features MS have 
been adding for IPv6 and cloud support recently are not widely tested yet.


Amos

[squid-users] R: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[Guido Serassio]

Hi,

Look at this bug:
http://bugs.squid-cache.org/show_bug.cgi?id=3141

Likely it's the same problem.
I hope that it will be fixed in the incoming 3.2.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


> -Messaggio originale-
> Da: kimi ge(巍俊葛) [mailto:weiju...@gmail.com]
> Inviato: mercoledì 11 gennaio 2012 8.47
> A: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Oggetto: Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
> 
> Thanks Amos.
> 
> I did the lynx test on back-end web site on squid system like this:
> sudo lynx http://wtestsm1.asiapacific.hpqcorp.net
> 
> First, it show the message:
> Alert!: Invalid header 'WWW-Authenticate: NTLM'
> 
> Then it show the following message.
> Show the 401 message body? (y/n)
> 
> For the domain auth, I mean the back-end web site need corp domain
> user to be accessed.
> I put this in this way, if I log on with my corp domain on my laptop,
> then I could acces IIS Share Point without any credentials window pop
> up. If not, I have to input my domain account on credentials window to
> access the Share Point Site.
> 
> 
> The following is my squid configuration about this case which I ignore
> some default sections.
> #added by kimi
> acl hpnet src 16.0.0.0/8# RFC1918 possible internal network
> #added by kimi
> acl origin_servers dstdomain ids-ams.elabs.eds.com
> http_access allow origin_servers
> http_access allow hpnet
> 
> http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
> connection-auth=on
> 
> forwarded_for on
> 
> request_header_access WWW-Authenticate allow all
> 
> cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
> no-digest originserver name=main connection-auth=on login=PASS
> 
> cache_peer_domain main .elabs.eds.com
> 
> hierarchy_stoplist cgi-bin ?
> 
> coredump_dir /var/spool/squid
> 
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:   144020% 10080
> refresh_pattern ^gopher:14400%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
> 
> cache_dir aufs /data/squid/cache 12000 64 256
> cache_mem 1024 MB
> maximum_object_size_in_memory 1024 KB
> maximum_object_size 51200 KB
> 
> visible_hostname ids-ams.elabs.eds.com
> debug_options ALL,5
> http_access deny all
> 
> While let squid be running, I do test like this
> http://ids-ams.elabs.eds.com
> 
> The 404 error page is shown.
> That's why I am wondering squid could be as reverse-proxy with IIS
> SharePoint as back-end?
> 
> Thanks,
> ~Kimi
> 
> 
> 
> On 11/01/2012, Amos Jeffries  wrote:
> > On 11/01/2012 6:28 p.m., kimi ge(巍俊葛) wrote:
> >> Hi,
> >>
> >>   I have an issue to make squid 3.1.x to work with IIS SharePoint as
> the
> >>   back-end.
> >> The details are listed below.
> >>
> >> 1. squid 3.1.x is running as a reverse-proxy.
> >> 2. The back-end is IIS SharePoint Site with domain authentication
> >> required.
> >>   That means only the valid domain user could access this SharePoint
> site.
> >>   The issue is it always return 404 error page. And the logon window is
> >>   not prompted.
> >
> > What is this "domain authentication" you mention? All of the HTTP auth
> > mechanisms count as "domain auth" to a reverse proxy, and none of them
> > are named "Domain".
> >
> >>
> >>   My question is whether squid supports this kind of case or not?
> >>   If supports, how should I do configuration on squid.conf file?
> >>
> >>   Thanks in advance.
> >>   ~Kimi
> >
> > 404 status is about the resource being requested _not existing_. Login
> > only operates when there is something to be authorized fetching. So I
> > think auth is not relevant at this point in your testing.
> >
> > Probably the URL being passed to IIS is not what you are expecting to be
> > passed and IIS is not setup to handle it. You will need to share your
> > squid.conf details for more help.
> >
> > Amos
> >

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[巍俊葛]

Thanks Amos.

I did the lynx test on back-end web site on squid system like this:
sudo lynx http://wtestsm1.asiapacific.hpqcorp.net

First, it show the message:
Alert!: Invalid header 'WWW-Authenticate: NTLM'

Then it show the following message.
Show the 401 message body? (y/n)

For the domain auth, I mean the back-end web site need corp domain
user to be accessed.
I put this in this way, if I log on with my corp domain on my laptop,
then I could acces IIS Share Point without any credentials window pop
up. If not, I have to input my domain account on credentials window to
access the Share Point Site.


The following is my squid configuration about this case which I ignore
some default sections.
#added by kimi
acl hpnet src 16.0.0.0/8# RFC1918 possible internal network
#added by kimi
acl origin_servers dstdomain ids-ams.elabs.eds.com
http_access allow origin_servers
http_access allow hpnet

http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
connection-auth=on

forwarded_for on

request_header_access WWW-Authenticate allow all

cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
no-digest originserver name=main connection-auth=on login=PASS

cache_peer_domain main .elabs.eds.com

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

cache_dir aufs /data/squid/cache 12000 64 256
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
maximum_object_size 51200 KB

visible_hostname ids-ams.elabs.eds.com
debug_options ALL,5
http_access deny all

While let squid be running, I do test like this
http://ids-ams.elabs.eds.com

The 404 error page is shown.
That's why I am wondering squid could be as reverse-proxy with IIS
SharePoint as back-end?

Thanks,
~Kimi



On 11/01/2012, Amos Jeffries  wrote:
> On 11/01/2012 6:28 p.m., kimi ge(巍俊葛) wrote:
>> Hi,
>>
>>   I have an issue to make squid 3.1.x to work with IIS SharePoint as the
>>   back-end.
>> The details are listed below.
>>
>> 1. squid 3.1.x is running as a reverse-proxy.
>> 2. The back-end is IIS SharePoint Site with domain authentication
>> required.
>>   That means only the valid domain user could access this SharePoint site.
>>   The issue is it always return 404 error page. And the logon window is
>>   not prompted.
>
> What is this "domain authentication" you mention? All of the HTTP auth
> mechanisms count as "domain auth" to a reverse proxy, and none of them
> are named "Domain".
>
>>
>>   My question is whether squid supports this kind of case or not?
>>   If supports, how should I do configuration on squid.conf file?
>>
>>   Thanks in advance.
>>   ~Kimi
>
> 404 status is about the resource being requested _not existing_. Login
> only operates when there is something to be authorized fetching. So I
> think auth is not relevant at this point in your testing.
>
> Probably the URL being passed to IIS is not what you are expecting to be
> passed and IIS is not setup to handle it. You will need to share your
> squid.conf details for more help.
>
> Amos
>

Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

[Amos Jeffries]

On 11/01/2012 6:28 p.m., kimi ge(巍俊葛) wrote:

Hi,

  I have an issue to make squid 3.1.x to work with IIS SharePoint as the
  back-end.
The details are listed below.

1. squid 3.1.x is running as a reverse-proxy.
2. The back-end is IIS SharePoint Site with domain authentication required.
  That means only the valid domain user could access this SharePoint site.
  The issue is it always return 404 error page. And the logon window is
  not prompted.


What is this "domain authentication" you mention? All of the HTTP auth 
mechanisms count as "domain auth" to a reverse proxy, and none of them 
are named "Domain".




  My question is whether squid supports this kind of case or not?
  If supports, how should I do configuration on squid.conf file?

  Thanks in advance.
  ~Kimi


404 status is about the resource being requested _not existing_. Login 
only operates when there is something to be authorized fetching. So I 
think auth is not relevant at this point in your testing.


Probably the URL being passed to IIS is not what you are expecting to be 
passed and IIS is not setup to handle it. You will need to share your 
squid.conf details for more help.


Amos

[squid-users] squid 3.1.x with IIS SharePoint as back-end.

[巍俊葛]

Hi,

 I have an issue to make squid 3.1.x to work with IIS SharePoint as the
 back-end.
The details are listed below.

1. squid 3.1.x is running as a reverse-proxy.
2. The back-end is IIS SharePoint Site with domain authentication required.
 That means only the valid domain user could access this SharePoint site.
 The issue is it always return 404 error page. And the logon window is
 not prompted.

 My question is whether squid supports this kind of case or not?
 If supports, how should I do configuration on squid.conf file?

 Thanks in advance.
 ~Kimi

Re: [squid-users] Squid 3.1.x and authentification against AD Windows 2008R2

[Amos Jeffries]

On 19/12/2011 9:00 p.m., Josef Karliak wrote:

  Hi there,
  We may plan to active authorization for users to the internet 
against Windows AD, running on Windows server 2008R2. I'm running 
squid on opensuse 11.4 64-bit. I've found some how-to, many of them 
solve it by ntlm-auth (not in opensuse, but there is a similar named 
"ntlm_smb_lm_auth" for squid i suppose


Nope. ntlm_smb_lm_auth does does the ancient LM-over-SMB protocol (using 
HTTP "NTLM" auth scheme) for with Windows98/CE/ME and similar older 
software and considered dangerous to use in todays network environment. 
NTLM is best done using the ntlm_auth helper from Samba project.  An 
even better alternative if you can use it is Kerberos authentication, 
which is supported by WindowsXP SP2 and later software.



). Another choice is over ldap.
  What is better ? What are your expericiences or recomentations ? And 
- please - some step-by-step how-to ...


LDAP is just the interface to the credentials database. It can be used 
with most of the auth schemes in HTTP.


The recommendation in this area is to go with whichever AD interface you 
are most familiar with and can implement securely. Pick the auth 
scheme(s) to suit your needs, then find which helper(s) plug the two 
together.



http://wiki.squid-cache.org/Features/Authentication has the overview of 
how auth works for Squid and link for more info and the config examples.


Amos

[squid-users] Squid 3.1.x and authentification against AD Windows 2008R2

[Josef Karliak]

  Hi there,
  We may plan to active authorization for users to the internet  
against Windows AD, running on Windows server 2008R2. I'm running  
squid on opensuse 11.4 64-bit. I've found some how-to, many of them  
solve it by ntlm-auth (not in opensuse, but there is a similar named  
"ntlm_smb_lm_auth" for squid i suppose). Another choice is over ldap.
  What is better ? What are your expericiences or recomentations ?  
And - please - some step-by-step how-to ...

   Thanks and best regards
   J.Karliak.


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.



This message was sent using IMP, the Internet Messaging Program.



bin3WTxbKD372.bin
Description: Veřejný PGP klíč

Re: [squid-users] Squid 3.1.x and right configuration parameters for tmpfs 8GB

[Amos Jeffries]

On 2/12/2011 11:10 p.m., Josef Karliak wrote:

  Hi,
  I use 64-bit machine, HP DL380 G7. I thought that it should be 
better to use tmpfs (part of the memory). After reboot it is clean and 
empty, squid creates directories again automaticaly.
  So you recommend use a few of disk capacity and set caching to 
memory only ?


Yes.

Amos

Re: [squid-users] Squid 3.1.x and right configuration parameters for tmpfs 8GB

[Josef Karliak]

  Hi,
  I use 64-bit machine, HP DL380 G7. I thought that it should be  
better to use tmpfs (part of the memory). After reboot it is clean and  
empty, squid creates directories again automaticaly.

  So you recommend use a few of disk capacity and set caching to memory only ?
  Thanks
  J.K.

Cituji Matus UHLAR - fantomas :


On 01.12.11 15:05, Josef Karliak wrote:
I wanna use tmpfs for squid cache, is 8GB enough or too big ? We've  
about 3000 computers behind squid, for OS is 16GB sufficient,  
that's why I used 8GB for squid tmpfs.


what is the point of using tmpfs as squid cache? I think using only  
memory cache would be much more efficient (unless you are running  
32-bit squid).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759





--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.



This message was sent using IMP, the Internet Messaging Program.



bingmJR7DCdNs.bin
Description: Veřejný PGP klíč

Re: [squid-users] Squid 3.1.x and right configuration parameters for tmpfs 8GB

[Amos Jeffries]

On 2/12/2011 5:13 a.m., Matus UHLAR - fantomas wrote:

On 01.12.11 15:05, Josef Karliak wrote:
 I wanna use tmpfs for squid cache, is 8GB enough or too big ? We've 
about 3000 computers behind squid, for OS is 16GB sufficient, that's 
why I used 8GB for squid tmpfs.


what is the point of using tmpfs as squid cache? I think using only 
memory cache would be much more efficient (unless you are running 
32-bit squid).


Yes, consider the purpose of why a disk cache is better than RAM cache: 
objects are not erased when Squid or the system restarts.


==> tmpfs data is erased when Squid or the system restarts. So why bother?

All you gain from tmpfs is a drop in speed accessing the data, from RAM 
speeds down to the Disk speeds. Whether it is SSD or HDD that is slower 
than RAM.


Amos

Re: [squid-users] Squid 3.1.x and right configuration parameters for tmpfs 8GB

[Matus UHLAR - fantomas]

On 01.12.11 15:05, Josef Karliak wrote:
 I wanna use tmpfs for squid cache, is 8GB enough or too big ? We've 
about 3000 computers behind squid, for OS is 16GB sufficient, that's 
why I used 8GB for squid tmpfs.


what is the point of using tmpfs as squid cache? I think using only memory 
cache would be much more efficient (unless you are running 32-bit 
squid).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

[squid-users] Squid 3.1.x and right configuration parameters for tmpfs 8GB

[Josef Karliak]

  Hi there,
  I wanna use tmpfs for squid cache, is 8GB enough or too big ? We've  
about 3000 computers behind squid, for OS is 16GB sufficient, that's  
why I used 8GB for squid tmpfs.

  Thanks for answers.
  J.K.

--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.



This message was sent using IMP, the Internet Messaging Program.



bintAm4HGUw0T.bin
Description: Veřejný PGP klíč

Re: [squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with Firefox

[E.S. Rosenberg]

Firefox on windows machines that are not in "the domain" by us only
worked properly when we switched it to using it's own NTLM
implementation instead of the native one, this is done by setting
network.auth.force-generic-ntlm to true

I am no big NTLM/AD guru (my field is the linux/unix machines in our
school), but from what I gleaned Mozilla encourages *not* using their
ntlm implementation since they see it as less secure than using the
native implementation, but I could be wrong here if anyone can
enlighten me I'd be happy :).

As far as I recall on a windows machine when using native NTLM and not
in the domain you also have to add the domain part in front of the
username because otherwise it sends the local machine name as the
'domain' (ie domain\username), but I think even with that it still
would continue to pop up when using native instead of mozilla.

I also have noticed that when using ntlm-auth on a client that is not
in the domain (windows/linux) you may be presented with multiple
authentication dialogs when you start to browse, my theory on that has
always been that the browser sent multiple request and squid replied
to each request with a 407 and since the browser doesn't have
authentication details yet it fires up a dialog for every 407
received.

Hopefully this was helpful, good luck,
Eli

2011/11/8 Bartschies, Thomas :
>
> Hi,
>
> I should add that were running squid NOT in transparent mode and that the 
> proxy port is 8080 and NOT 80 as one may have guessed.
> I don't know any other firefox config settings than the ones I've already 
> mentioned, with the exception of the network settings for
> kerberos authentication. The squid traces clearly show, that NTLM 
> authentication is used, so kerberos shouldn't be relevant.
>
> Here is an excerpt from my config, without some access rules and acls. Even 
> without the cache_peer, no change.
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl SSL_ports port 443 1025-65535 22
> acl Safe_ports port 80 81 83 85 # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 22      # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 631         # cups
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> http_access deny msnmessenger
> http_access deny to_localhost
> http_access allow localhost
> http_access allow manager localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
> cache_peer 10.x.x.x parent 8080 3130 no-query default
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> http_reply_access deny aim_http
> http_reply_access allow all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> http_port 8080 connection-auth=on
> hierarchy_stoplist cgi-bin ?
> cache_mem 500 MB
> cache_dir aufs /var/spool/squid 2000 16 256
> maximum_object_size 1 KB
> ftp_list_width 64
> url_rewrite_children 15
> url_rewrite_access deny localhost
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern (cgi-bin|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> quick_abort_pct 95
> negative_dns_ttl 1 seconds
> request_header_access Accept-Encoding deny support.microsoft.com
> reply_header_access Accept-Encoding deny support.microsoft.com
> forward_timeout 15 minutes
> request_timeout 30 minutes
> shutdown_lifetime 10 seconds
> client_persistent_connections on
> server_persistent_connections on
> log_icp_queries off
> error_directory /usr/share/squid/errors/de
> always_direct allow local-intranet
> icap_enable off
> icap_preview_enable on
> icap_preview_size 128
> icap_send_client_ip on
> dns_nameservers 127.0.0.1 212.202.215.1 212.202.215.2
> ignore_unknown_nameservers off
> forwarded_for off
> pipeline_prefetch off
> ignore_expect_100 on
>
> Regards, Thomas
>
> -Ursprüngliche Nachricht-
> Von: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Gesendet: Dienstag, 8. November 2011 13:45
> An: squid-users@squid-cache.org
> Betreff: Re: [squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with 
> Firefox
>
> On 9/11/2011 1:11 a.m., Bartschies, Thomas wrote:
>> Hi,
>>
>> our setup is:
>> Firefox 7.0.1, Squid 3.1.16 and 

Re: [squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with Firefox

[Bartschies, Thomas]

Hi,

I should add that were running squid NOT in transparent mode and that the proxy 
port is 8080 and NOT 80 as one may have guessed.
I don't know any other firefox config settings than the ones I've already 
mentioned, with the exception of the network settings for
kerberos authentication. The squid traces clearly show, that NTLM 
authentication is used, so kerberos shouldn't be relevant.

Here is an excerpt from my config, without some access rules and acls. Even 
without the cache_peer, no change.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443 1025-65535 22
acl Safe_ports port 80 81 83 85 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 22  # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 631 # cups
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny msnmessenger
http_access deny to_localhost
http_access allow localhost
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
cache_peer 10.x.x.x parent 8080 3130 no-query default
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
http_reply_access deny aim_http
http_reply_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8080 connection-auth=on
hierarchy_stoplist cgi-bin ?
cache_mem 500 MB
cache_dir aufs /var/spool/squid 2000 16 256
maximum_object_size 1 KB
ftp_list_width 64
url_rewrite_children 15
url_rewrite_access deny localhost
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern (cgi-bin|\?)0   0%  0
refresh_pattern .   0   20% 4320
quick_abort_pct 95
negative_dns_ttl 1 seconds
request_header_access Accept-Encoding deny support.microsoft.com
reply_header_access Accept-Encoding deny support.microsoft.com
forward_timeout 15 minutes
request_timeout 30 minutes
shutdown_lifetime 10 seconds
client_persistent_connections on
server_persistent_connections on
log_icp_queries off
error_directory /usr/share/squid/errors/de
always_direct allow local-intranet
icap_enable off
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
dns_nameservers 127.0.0.1 212.202.215.1 212.202.215.2
ignore_unknown_nameservers off
forwarded_for off
pipeline_prefetch off
ignore_expect_100 on

Regards, Thomas

-Ursprüngliche Nachricht-
Von: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Gesendet: Dienstag, 8. November 2011 13:45
An: squid-users@squid-cache.org
Betreff: Re: [squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with Firefox

On 9/11/2011 1:11 a.m., Bartschies, Thomas wrote:
> Hi,
>
> our setup is:
> Firefox 7.0.1, Squid 3.1.16 and Sharepoint Server on IIS.
> In Firefox we've set already:
> network.automatic-ntlm-auth.trusted-uris to the server address
> network.automatic-ntlm-auth.allow-proxies = true (default)
>
> in squid.conf, we've tried some combinations of the following settings,
> having the current settings this way:
> client_persistent_connections on
> server_persistent_connections on

Right the above need to be on for NTLM to work properly.

> pipeline_prefetch off
>
> Every time we try to connect to the sharepoint site, the browser
> authentication box pops up. Even when we supply
> correct credentials, the request for them pops up again. Making it
> impossible to logon to the site.
>
> Internet Explorer 8/9 works fine. Google Chrome 15 also requests
> credentials once and then logon works.
>
> First question is: Should this even work with Firefox, or is it known
> not to?

It is known to work as seamlessly as IE when setup properly.

This sounds like

>
> If it should work, what other settings we've possibly missed?

There is nothing special for Firefox. Since the other browsers are 
working fine (through the proxy?) it suggests a config issue setting up 
firefox.

>
> Connection pinning seems to be working, if I'm reading the traces
> correctly. Sharepoint answers with HTTP Code 401.
>
> Our Proxy Setup is open. There are absolutely no client address
> restrictions and we're also not using proxy authentication.
> So there's not ntlm_auth helper in use.
>
> Kind regards,
> Thomas

Amos

Re: [squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with Firefox

[Amos Jeffries]

On 9/11/2011 1:11 a.m., Bartschies, Thomas wrote:

Hi,

our setup is:
Firefox 7.0.1, Squid 3.1.16 and Sharepoint Server on IIS.
In Firefox we've set already:
network.automatic-ntlm-auth.trusted-uris to the server address
network.automatic-ntlm-auth.allow-proxies = true (default)

in squid.conf, we've tried some combinations of the following settings,
having the current settings this way:
client_persistent_connections on
server_persistent_connections on


Right the above need to be on for NTLM to work properly.


pipeline_prefetch off

Every time we try to connect to the sharepoint site, the browser
authentication box pops up. Even when we supply
correct credentials, the request for them pops up again. Making it
impossible to logon to the site.

Internet Explorer 8/9 works fine. Google Chrome 15 also requests
credentials once and then logon works.

First question is: Should this even work with Firefox, or is it known
not to?


It is known to work as seamlessly as IE when setup properly.

This sounds like



If it should work, what other settings we've possibly missed?


There is nothing special for Firefox. Since the other browsers are 
working fine (through the proxy?) it suggests a config issue setting up 
firefox.




Connection pinning seems to be working, if I'm reading the traces
correctly. Sharepoint answers with HTTP Code 401.

Our Proxy Setup is open. There are absolutely no client address
restrictions and we're also not using proxy authentication.
So there's not ntlm_auth helper in use.

Kind regards,
Thomas


Amos

[squid-users] Squid 3.1 NTLM Passthrough (SSO) to IIS with Firefox

[Bartschies, Thomas]

Hi,

our setup is:
Firefox 7.0.1, Squid 3.1.16 and Sharepoint Server on IIS. 
In Firefox we've set already:
network.automatic-ntlm-auth.trusted-uris to the server address
network.automatic-ntlm-auth.allow-proxies = true (default)

in squid.conf, we've tried some combinations of the following settings,
having the current settings this way:
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch off

Every time we try to connect to the sharepoint site, the browser
authentication box pops up. Even when we supply
correct credentials, the request for them pops up again. Making it
impossible to logon to the site.

Internet Explorer 8/9 works fine. Google Chrome 15 also requests
credentials once and then logon works.

First question is: Should this even work with Firefox, or is it known
not to?

If it should work, what other settings we've possibly missed?

Connection pinning seems to be working, if I'm reading the traces
correctly. Sharepoint answers with HTTP Code 401.

Our Proxy Setup is open. There are absolutely no client address
restrictions and we're also not using proxy authentication.
So there's not ntlm_auth helper in use.

Kind regards,
Thomas

Re: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and 206 codes

[Amos Jeffries]

On 23/07/11 04:24, Ritter, Nicholas wrote:

I should add one important point. When the error occurs, it is most
often not affecting the entire site nor transaction. This is to say that
I can visit a site, get content, and then at some point fill out a form
on the site, which then generates the 502. I don't want anyone to assume
that the 502 is being generated because of an obvious path connectivity
error where the site being surfed was down all along.

I should also not that I am not running any unique refresh patterns in
the squid.conf.

-Original Message-
From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com]
Sent: Friday, July 22, 2011 11:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and
206 codes

I am doing extended testing of a CentOS v6 TPROXY/SQUID3/WCCP setup and
I noticing higher than usual TCP_MISS/502 codes. I am also seeing some
206 codes, but it is the 502s that are much higher than normal. I think
it is transport related inside the TPROXY/SQUID side of things but I am
not sure.

I am seeing the 502 codes on both gets and posts. Can anyone provide
more insight on this condition and what/where I should start
troubleshooting?


With the message presented in that 502 error page. 502 is sent on 
several outbound connection problems from TCP connect through to reply 
parsing.




I am running the stock CentOS v6 kernel (2.6.32-71.29.1) and Squid
3.1.10 as package by RHEL 6 (specifically a RHEL 6 rebuilt source rpm of
squid-3.1.10-1.el6.

Should update to the more recent release of squid 3.1 as a starting
point?



Always a good choice to know if its been fixed. Though I don't recall 
anything major having changed since .10 regarding connectivity.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9

RE: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and 206 codes

[Ritter, Nicholas]

I should add one important point. When the error occurs, it is most
often not affecting the entire site nor transaction. This is to say that
I can visit a site, get content, and then at some point fill out a form
on the site, which then generates the 502. I don't want anyone to assume
that the 502 is being generated because of an obvious path connectivity
error where the site being surfed was down all along.

I should also not that I am not running any unique refresh patterns in
the squid.conf.

-Original Message-
From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com] 
Sent: Friday, July 22, 2011 11:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and
206 codes

I am doing extended testing of a CentOS v6 TPROXY/SQUID3/WCCP setup and
I noticing higher than usual TCP_MISS/502 codes. I am also seeing some
206 codes, but it is the 502s that are much higher than normal. I think
it is transport related inside the TPROXY/SQUID side of things but I am
not sure.

I am seeing the 502 codes on both gets and posts. Can anyone provide
more insight on this condition and what/where I should start
troubleshooting?

I am running the stock CentOS v6 kernel (2.6.32-71.29.1) and Squid
3.1.10 as package by RHEL 6 (specifically a RHEL 6 rebuilt source rpm of
squid-3.1.10-1.el6.

Should update to the more recent release of squid 3.1 as a starting
point?

Nick

[squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and 206 codes

[Ritter, Nicholas]

I am doing extended testing of a CentOS v6 TPROXY/SQUID3/WCCP setup and
I noticing higher than usual TCP_MISS/502 codes. I am also seeing some
206 codes, but it is the 502s that are much higher than normal. I think
it is transport related inside the TPROXY/SQUID side of things but I am
not sure.

I am seeing the 502 codes on both gets and posts. Can anyone provide
more insight on this condition and what/where I should start
troubleshooting?

I am running the stock CentOS v6 kernel (2.6.32-71.29.1) and Squid
3.1.10 as package by RHEL 6 (specifically a RHEL 6 rebuilt source rpm of
squid-3.1.10-1.el6.

Should update to the more recent release of squid 3.1 as a starting
point?

Nick

Re: [squid-users] Squid 3.1 failover problem from IPv6 to IPv4?

[Amos Jeffries]

On 23/06/11 01:44, Peter Olsson wrote:

Hello!

We use Squid 3.1.12 on a couple of servers with IPv4 and IPv6.
The servers are FreeBSD 8.1. Squid is installed from ports.

This works fine, except for this web: www.informator.se
www.informator.se has an  address, but it doesn't seem to
listen to it. Eventually the browser times out with this error:
(51) Network is unreachable



On BSD you should only it this if the site has no A address either. 
split-stack 3.1 uses IPv4-only links to servers unless the hack you 
found (below) is added.



But shouldn't Squid try the IPv4 address when the IPv6 address
fails? If so, there is maybe something wrong with our config.
The only IPv6 specific config we have is this (taken from the
release notes of Squid 3.1):
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all
tcp_outgoing_address x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6

Is the failure on www.informator.se a bug/feature in Squid,
or is the problem in our setup/config?


That hack requires its http_access line to be run. So preferrably that 
is placed at the top of http_access list. This ensures that the 
destination IP is always resolved early in processing and with luck 
available to the outgoing address selection.


The solution to all these split-stack problems has just hit 3.2 series 
this week in 3.2.0.9. We are working through the bunch of unexpected 
problems right now. Any help welcome.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3

[squid-users] Squid 3.1 failover problem from IPv6 to IPv4?

[Peter Olsson]

Hello!

We use Squid 3.1.12 on a couple of servers with IPv4 and IPv6.
The servers are FreeBSD 8.1. Squid is installed from ports.

This works fine, except for this web: www.informator.se
www.informator.se has an  address, but it doesn't seem to
listen to it. Eventually the browser times out with this error:
(51) Network is unreachable

But shouldn't Squid try the IPv4 address when the IPv6 address
fails? If so, there is maybe something wrong with our config.
The only IPv6 specific config we have is this (taken from the
release notes of Squid 3.1):
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all
tcp_outgoing_address x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6

Is the failure on www.informator.se a bug/feature in Squid,
or is the problem in our setup/config?

Thanks!

-- 
Peter Olssonp...@leissner.se

Re: [squid-users] squid 3.1.

[Amos Jeffries]

On 12/06/11 06:28, Shenavandeh wrote:

Hi Amos,

Thanks for your time and nice comments on the config file

It is impossible for me to use "debug_options ALL,6" under such load.
log file  grows wildly and easily eats the whole hard disk !
Any other solutions to capture the log?



There are two tricky alternatives.

One is the -l command line option to send the log to syslog. You need a 
syslog server that can handle the traffic though.


The other is using -X (which generates a huge lot more log 
unfortunately) and piping the results out to somewhere that can handle it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

Re: [squid-users] squid 3.1.

[Shenavandeh]

Hi Amos,

Thanks for your time and nice comments on the config file

It is impossible for me to use "debug_options ALL,6" under such load.
log file  grows wildly and easily eats the whole hard disk !
Any other solutions to capture the log?

Yours Faithfully,
---
Amir H Shenavandeh




On 11 June 2011 10:35, Amos Jeffries  wrote:
> On 11/06/11 05:39, Shenavandeh wrote:
>>
>> Hi,
>>
>> I have a squid installation that crashes twice a day under the load of
>> 7 Mbps bandwidth with the following message in squid.out with no
>> specific traces in cache.log
>>
>> Startup: Fri Jun 10 15:46:20
>> dying from an unhandled exception: !theConsumer
>> terminate called after throwing an instance of 'TextException'
>>   what():  !theConsumer
>> Startup: Fri Jun 10 19:55:29
>>
>> It is compiled using following options:
>>  sbin]# ./squid -v
>> Squid Cache: Version 3.1.12.1
>> configure options:  '--enable-linux-netfilter'
>> '--enable-storeio=ufs,aufs' '--enable-poll'
>> '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
>> '--enable-ssl' '--enable-snmp' '--enable-removal-policies'
>> '--enable-gnuregex' '--with-large-files' '--enable-async-io'
>> 'CFLAGS=-DNUMTHREADS=300' --with-squid=/root/squid-3.1.12.1
>> --enable-ltdl-convenience
>>
>> the platform is as follows:
>>
>> CPU :4 cores of  Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
>> RAM : 8GB
>> OS: CentOS 5.6 :
>> Kernel: Linux version 2.6.25 compiled with tproxy option.
>>
>> the Squid configuration:
>>
>> cache_mem 4000 MB
>>
>> dead_peer_timeout 30 seconds
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> hierarchy_stoplist and the QUERY bits are outdated. It is worth removing
> these.
>
>>
>> maximum_object_size 50 MB
>> maximum_object_size_in_memory 500 KB
>> minimum_object_size 0 KB
>>
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap LRU
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>
>>
>> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>> plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow to_localhost
>
> This is dangerous.
>  to_localhost is designed to match a class of attack signatures and prevent
> DoS. It is intended for use in a "deny" line.
>
>>
>>
>> http_access allow localhost
>> http_access allow localnet
>> http_access allow to_localhost
>
> A second "allow to_localhost" is useless. The first will stop processing
> when it gets tested and matches.
>
>>
>> http_access deny all
>>
>> http_port 3128 tproxy
>>
>> hierarchy_stoplist cgi-bin ?
>
> repeat directive, worth removing.
>
>>
>> cache_dir aufs /cache 24000 16 256
>>
>> coredump_dir cache
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern .        0    20%    4320
>>
>> cache_effective_user squid
>> cache_effective_group squid
>>
>> half_closed_clients off
>> buffered_logs on
>> client_db off
>> quick_abort_max 0 KB
>> quick_abort_min 0 KB
>> memory_pools off
>>
>> cache_swap_high 95%
>> cache_swap_low 90
>> logfile_rotate 10%
>
> logfile_rotate is not a percentage. It is a count of many log files to keep.
> A new one is generated ever time you run "squid -k rotate"
>
>>
>> visible_hostname        Cache
>
> Interesting FQDN.
>
> The admin@Cache contact address for example, does not resolve here.
>
>>
>> quick_abort_min 32 KB
>> quick_abort_max 32 KB
>> quick_abort_pct 95
>>
>> negative_ttl 3 minutes
>> positive_dns_ttl 6 hours
>>
>> pipeline_prefetch on
>>
>> acl snmpkey snmp_community public
>> snmp_port 3401
>> snmp_access allow snmpkey localhost
>> snmp_access deny all
>>
>> refresh_pattern -i
>> \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$
>> 26 90% 260009 override-expire
>> refresh_pattern -i
>> \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 26
>> 90% 260009 override-exp

Re: [squid-users] squid 3.1.

[Amos Jeffries]

On 11/06/11 05:39, Shenavandeh wrote:

Hi,

I have a squid installation that crashes twice a day under the load of
7 Mbps bandwidth with the following message in squid.out with no
specific traces in cache.log

Startup: Fri Jun 10 15:46:20
dying from an unhandled exception: !theConsumer
terminate called after throwing an instance of 'TextException'
   what():  !theConsumer
Startup: Fri Jun 10 19:55:29

It is compiled using following options:
  sbin]# ./squid -v
Squid Cache: Version 3.1.12.1
configure options:  '--enable-linux-netfilter'
'--enable-storeio=ufs,aufs' '--enable-poll'
'--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
'--enable-ssl' '--enable-snmp' '--enable-removal-policies'
'--enable-gnuregex' '--with-large-files' '--enable-async-io'
'CFLAGS=-DNUMTHREADS=300' --with-squid=/root/squid-3.1.12.1
--enable-ltdl-convenience

the platform is as follows:

CPU :4 cores of  Intel(R) Xeon(R) CPU   E5504  @ 2.00GHz
RAM : 8GB
OS: CentOS 5.6 :
Kernel: Linux version 2.6.25 compiled with tproxy option.

the Squid configuration:

cache_mem 4000 MB

dead_peer_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


hierarchy_stoplist and the QUERY bits are outdated. It is worth removing 
these.




maximum_object_size 50 MB
maximum_object_size_in_memory 500 KB
minimum_object_size 0 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LRU

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


acl localnet src 10.0.0.0/8# RFC1918 possible internal network
acl localnet src 172.16.0.0/12# RFC1918 possible internal network
acl localnet src 192.168.0.0/16# RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow to_localhost


This is dangerous.
 to_localhost is designed to match a class of attack signatures and 
prevent DoS. It is intended for use in a "deny" line.





http_access allow localhost
http_access allow localnet
http_access allow to_localhost


A second "allow to_localhost" is useless. The first will stop processing 
when it gets tested and matches.




http_access deny all

http_port 3128 tproxy

hierarchy_stoplist cgi-bin ?


repeat directive, worth removing.



cache_dir aufs /cache 24000 16 256

coredump_dir cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440
refresh_pattern -i (/cgi-bin/|\?) 00%0
refresh_pattern .020%4320

cache_effective_user squid
cache_effective_group squid

half_closed_clients off
buffered_logs on
client_db off
quick_abort_max 0 KB
quick_abort_min 0 KB
memory_pools off

cache_swap_high 95%
cache_swap_low 90
logfile_rotate 10%


logfile_rotate is not a percentage. It is a count of many log files to 
keep. A new one is generated ever time you run "squid -k rotate"




visible_hostnameCache


Interesting FQDN.

The admin@Cache contact address for example, does not resolve here.



quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95

negative_ttl 3 minutes
positive_dns_ttl 6 hours

pipeline_prefetch on

acl snmpkey snmp_community public
snmp_port 3401
snmp_access allow snmpkey localhost
snmp_access deny all

refresh_pattern -i
\.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$
26 90% 260009 override-expire
refresh_pattern -i
\.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 26
90% 260009 override-expire


These refresh_pattern lines are useless. The query and dot patterns 
above catch all URL in existence. Squid never gets past them to match these.





I would be most grateful if somebody helps me out.
Yours Faithfully,
---
Amir H Sh


A few seconds search in bugzilla shows this:
 http://bugs.squid-cache.org/show_bug.cgi?id=3117

Perhapse you can help provide a trace (debug_options ALL,6) and help 
track down where it is coming from.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

[squid-users] squid 3.1.

[Shenavandeh]

Hi,

I have a squid installation that crashes twice a day under the load of
7 Mbps bandwidth with the following message in squid.out with no
specific traces in cache.log

Startup: Fri Jun 10 15:46:20
dying from an unhandled exception: !theConsumer
terminate called after throwing an instance of 'TextException'
  what():  !theConsumer
Startup: Fri Jun 10 19:55:29

It is compiled using following options:
 sbin]# ./squid -v
Squid Cache: Version 3.1.12.1
configure options:  '--enable-linux-netfilter'
'--enable-storeio=ufs,aufs' '--enable-poll'
'--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
'--enable-ssl' '--enable-snmp' '--enable-removal-policies'
'--enable-gnuregex' '--with-large-files' '--enable-async-io'
'CFLAGS=-DNUMTHREADS=300' --with-squid=/root/squid-3.1.12.1
--enable-ltdl-convenience

the platform is as follows:

CPU :4 cores of  Intel(R) Xeon(R) CPU   E5504  @ 2.00GHz
RAM : 8GB
OS: CentOS 5.6 :
Kernel: Linux version 2.6.25 compiled with tproxy option.

the Squid configuration:

cache_mem 4000 MB

dead_peer_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

maximum_object_size 50 MB
maximum_object_size_in_memory 500 KB
minimum_object_size 0 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LRU

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


acl localnet src 10.0.0.0/8# RFC1918 possible internal network
acl localnet src 172.16.0.0/12# RFC1918 possible internal network
acl localnet src 192.168.0.0/16# RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow to_localhost


http_access allow localhost
http_access allow localnet
http_access allow to_localhost

http_access deny all

http_port 3128 tproxy

hierarchy_stoplist cgi-bin ?

cache_dir aufs /cache 24000 16 256

coredump_dir cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440
refresh_pattern -i (/cgi-bin/|\?) 00%0
refresh_pattern .020%4320

cache_effective_user squid
cache_effective_group squid

half_closed_clients off
buffered_logs on
client_db off
quick_abort_max 0 KB
quick_abort_min 0 KB
memory_pools off

cache_swap_high 95%
cache_swap_low 90
logfile_rotate 10%

visible_hostnameCache

quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95

negative_ttl 3 minutes
positive_dns_ttl 6 hours

pipeline_prefetch on

acl snmpkey snmp_community public
snmp_port 3401
snmp_access allow snmpkey localhost
snmp_access deny all

refresh_pattern -i
\.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$
26 90% 260009 override-expire
refresh_pattern -i
\.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 26
90% 260009 override-expire


I would be most grateful if somebody helps me out.
Yours Faithfully,
---
Amir H Sh

Re: [squid-users] squid 3.1 android ebuddy

[Amos Jeffries]

On 26/04/11 12:19, Gerson Barreiros wrote:

Hi,

I'm using Squid 3.1.12.1 (Amos ppa-maverick) and i got some weird problem.

Users with Android2 can't get 'ebuddy' to work, but for iPhone users,
it works. (?)

I've made an exception on firewall (for 38.99.73.0/24) to ebuddy
connections skip squid, now it works for both.

Anyone know anything related? My squid.conf don't block nothing
related to ebuddy.


Can you diagnose anything about it from cache.log and/or access.log? 
from the app error message?


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1

[squid-users] squid 3.1 android ebuddy

[Gerson Barreiros]

Hi,

I'm using Squid 3.1.12.1 (Amos ppa-maverick) and i got some weird problem.

Users with Android2 can't get 'ebuddy' to work, but for iPhone users,
it works. (?)

I've made an exception on firewall (for 38.99.73.0/24) to ebuddy
connections skip squid, now it works for both.

Anyone know anything related? My squid.conf don't block nothing
related to ebuddy.

Re: [squid-users] Squid 3.1.x do not open certain sites

[Francesco]

>   * do they get an HTTP error message from squid loading the base page
> HTML object?
>   * does the flash object get pulled in okay?
>- we can look at these and see what is broken if either is a bad
> transfer.

Hi Amos, and thank you again!

The answer is generated by squid and it is: Zero sized reply, when
accessing itinerari.mondodlegusto.it

See you!
Francesco

Re: [squid-users] Squid 3.1.x do not open certain sites

[Amos Jeffries]

On 24/03/11 23:44, Francesco wrote:



  Site looks okay from here.
  http://redbot.org/?descend=True&uri=http://itinerari.mondodelgusto.it/

  Of course, there is no page content. Just a flash media object and a
  stat counter.
  So there could be something broken in the site code where the HTTP
  tools can't identify.


Hi Amos,
thank you for your reply!

But, there is a way to tell Squid to let view this, and others, website?
Users complaint that, at home, they can surf this and others site!


Depends on why they can;t get to it...

 * do they get an HTTP error message from squid loading the base page 
HTML object?

 * does the flash object get pulled in okay?
  - we can look at these and see what is broken if either is a bad 
transfer.


 * does the page content displayed by the flash object not show up or 
otherwise display badly?

  - nothing we can do about this. It is a website bad-code problem.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5

Re: [squid-users] Squid 3.1.x do not open certain sites

[Francesco]

>  Site looks okay from here.
>  http://redbot.org/?descend=True&uri=http://itinerari.mondodelgusto.it/
>
>  Of course, there is no page content. Just a flash media object and a
>  stat counter.
>  So there could be something broken in the site code where the HTTP
>  tools can't identify.

Hi Amos,
thank you for your reply!

But, there is a way to tell Squid to let view this, and others, website?
Users complaint that, at home, they can surf this and others site!

Thank you again!!!

Francesco, from Italy

Re: [squid-users] Squid 3.1.x do not open certain sites

[Amos Jeffries]

On Mon, 21 Mar 2011 13:42:47 +0100 (CET), Francesco wrote:

Hello,

some website, perhaps not compliant with W3C standard?, are not 
accessible

by users with Squid proxy set into browser's connection.

For example, one of this is: http://itinerari.mondodelgusto.it
It waits for some seconds, and then the connections hangs...

Is there a workaroung, bugfix?

Thanks you!!!
Francesco


Site looks okay from here.
http://redbot.org/?descend=True&uri=http://itinerari.mondodelgusto.it/

Of course, there is no page content. Just a flash media object and a 
stat counter.
So there could be something broken in the site code where the HTTP 
tools can't identify.


Amos

[squid-users] Squid 3.1.x do not open certain sites

[Francesco]

Hello,

some website, perhaps not compliant with W3C standard?, are not accessible
by users with Squid proxy set into browser's connection.

For example, one of this is: http://itinerari.mondodelgusto.it
It waits for some seconds, and then the connections hangs...

Is there a workaroung, bugfix?

Thanks you!!!
Francesco

[squid-users] Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged

[Go Wow]

Hi,

 I'm trying squid 3.1.10 with ntlm and kerberos. The kinit, klist
process works good even net join is working. The problem im facing is
when trying to start winbind service and using wbinfo. Always the
service is not starting giving the error message

lib/util_sock.c:1771(create_pipe_sock)   invalid permissions on socket
directory /var/run/samba/winbindd_privileged
winbindd/winbindd.c:1412(main)  winbindd_setup_listeners() failed


Right now the ownership of /var/run/samba/winbindd_privileged is set
to proxy:winbindd_priv with permissions of 0777 (for testing only),
still the service doesn't start. I made the change of permissions to
reflect in the service script also, /etc/init.d/winbind. I'm using
ubuntu 10.04 (lucid).

On the side note, after editing the winbind service script, when I run
this command "sudo update-rc.d winbind start 21 2 3 4 5 . " I get a
warning saying

update-rc.d: warning: winbind stop runlevel arguments (none) do not
match LSB Default-Stop values (0 1 6)

System start/stop links for /etc/init.d/winbind already exist.



Is there a known solution for this issue?


Regards

Re: [squid-users] Squid 3.1 SSL bump and tarnsparent mode

[Amos Jeffries]

On Tue, 8 Mar 2011 17:10:43 +0100 (CET), Francesco wrote:

Hello,

by activating SSL bump in Squid 3.1, is it possible to transparent 
proxy

https request?



No. It is not.


I have read some documentation and posts, but i have not clear if it
possible, with browser warning, or not...

Any workaround/ideas?


WPAD "transparent configuration" for browsers. Both DNS and DHCP 
methods are recommended for best browser coverage.

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatically_Configuring_Browsers_for_WPAD

Amos

[squid-users] Squid 3.1 SSL bump and tarnsparent mode

[Francesco]

Hello,

by activating SSL bump in Squid 3.1, is it possible to transparent proxy
https request?

I have read some documentation and posts, but i have not clear if it
possible, with browser warning, or not...

Any workaround/ideas?

Thank you!
Francesco

Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

[Gordon McKee]

Hi

Okay - sorry I am just using our website as a test - it is on the same
server as the exchange box and is reverse proxied.  Browse the site and you
will see what I mean (how slow it is).  Something is going on causing the
images to be sent really slowly.  www.optimalprofit.com  is the website and
www.optimalprofit.com/owa is the exchange domain.  The exchange login page
should be really fast - it take about 4 min to load.  If I browse to the
site internally it is really fast.

I am kind of clucking at straws as to what it wrong.  Text comes down fast
and images are really slow.  SQUID worked a treat with version 2.6, but 2.7,
3.0 and 3.1 all make the reverse proxy really slow.

Many thanks

Gordon

-Original Message- 
From: Amos Jeffries

Sent: Monday, February 28, 2011 9:38 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

On Mon, 28 Feb 2011 16:18:27 -, Gordon McKee wrote:

Hi

The "GET / HTTP/1.1" returns:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close


:) I hope not. That is the initial request.



and the "GET /images/op-hwynit-ad1.gif HTTP/1.1" to pull an image
file returns:

HTTP/1.0 200 OK
Content-Type: image/gif
Content-Encoding: gzip
Last-Modified: Wed, 08 Dec 2004 15:34:12 GMT
Accept-Ranges: bytes
ETag: "a0d3e25d3bddc41:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 16:13:28 GMT
Content-Length: 264171
X-Cache: MISS from kursk.gdmckee.home
Via: 1.0 kursk.gdmckee.home (squid/3.1.11)
Connection: close

I have tried the telnet codes to access the OWA folder and the
scripts come back very fast and the images take for every.  Not sure
what is going wrong.


It's 258 KB after compression and not being cached. Size may have
something to do with it if the scripts are much smaller.


Amos 

Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

[Amos Jeffries]

On Mon, 28 Feb 2011 16:18:27 -, Gordon McKee wrote:

Hi

The "GET / HTTP/1.1" returns:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close


:) I hope not. That is the initial request.



and the "GET /images/op-hwynit-ad1.gif HTTP/1.1" to pull an image
file returns:

HTTP/1.0 200 OK
Content-Type: image/gif
Content-Encoding: gzip
Last-Modified: Wed, 08 Dec 2004 15:34:12 GMT
Accept-Ranges: bytes
ETag: "a0d3e25d3bddc41:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 16:13:28 GMT
Content-Length: 264171
X-Cache: MISS from kursk.gdmckee.home
Via: 1.0 kursk.gdmckee.home (squid/3.1.11)
Connection: close

I have tried the telnet codes to access the OWA folder and the
scripts come back very fast and the images take for every.  Not sure
what is going wrong.


It's 258 KB after compression and not being cached. Size may have 
something to do with it if the scripts are much smaller.



Amos

Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

[Gordon McKee]

Hi

The "GET / HTTP/1.1" returns:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

and the "GET /images/op-hwynit-ad1.gif HTTP/1.1" to pull an image file 
returns:


HTTP/1.0 200 OK
Content-Type: image/gif
Content-Encoding: gzip
Last-Modified: Wed, 08 Dec 2004 15:34:12 GMT
Accept-Ranges: bytes
ETag: "a0d3e25d3bddc41:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 16:13:28 GMT
Content-Length: 264171
X-Cache: MISS from kursk.gdmckee.home
Via: 1.0 kursk.gdmckee.home (squid/3.1.11)
Connection: close

I have tried the telnet codes to access the OWA folder and the scripts come 
back very fast and the images take for every.  Not sure what is going wrong.


Many thanks

Gordon


-Original Message- 
From: Amos Jeffries

Sent: Monday, February 28, 2011 12:19 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

On Sun, 27 Feb 2011 17:19:33 -, Gordon McKee wrote:

Hi

I had FreeBSD 6.3 and squid 2.6 running fine reverse proxying my OWA
server. I have now upgraded to FreeBSD 8 and squid 3.1 as the old
software was getting rather old.  I have copied the config file off
the old server on the the new server.  All is working except OWA.  The
images come down very very slowly (it does work really slowly).

I was thinking it might be a DNS issue, but if I telnet (outside
network) to www.optimalprofit.com 80 and enter:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the page comes back really fast, but if I telnet to
www.optimalprofit.com 80 and enter (to get a gif file off the server):

GET /images/op-hwynit-ad1.gif HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the text comes back really really slowly.  I am not sure what is
wrong as even my mobile connects in and over active sync and picks up
my emails just fine.  I have tried different browsers and they don't
make any difference.


What are the reply headers for each of these tests?

Amos

Re: [squid-users] Squid 3.1 reverse proxy to OWA on IIS7

[Amos Jeffries]

On Sun, 27 Feb 2011 17:19:33 -, Gordon McKee wrote:

Hi

I had FreeBSD 6.3 and squid 2.6 running fine reverse proxying my OWA
server. I have now upgraded to FreeBSD 8 and squid 3.1 as the old
software was getting rather old.  I have copied the config file off
the old server on the the new server.  All is working except OWA.  
The

images come down very very slowly (it does work really slowly).

I was thinking it might be a DNS issue, but if I telnet (outside
network) to www.optimalprofit.com 80 and enter:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the page comes back really fast, but if I telnet to
www.optimalprofit.com 80 and enter (to get a gif file off the 
server):


GET /images/op-hwynit-ad1.gif HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the text comes back really really slowly.  I am not sure what is
wrong as even my mobile connects in and over active sync and picks up
my emails just fine.  I have tried different browsers and they don't
make any difference.


What are the reply headers for each of these tests?

Amos

[squid-users] Squid 3.1 reverse proxy to OWA on IIS7

[Gordon McKee]

Hi

I had FreeBSD 6.3 and squid 2.6 running fine reverse proxying my OWA server. 
I have now upgraded to FreeBSD 8 and squid 3.1 as the old software was 
getting rather old.  I have copied the config file off the old server on the 
the new server.  All is working except OWA.  The images come down very very 
slowly (it does work really slowly).


I was thinking it might be a DNS issue, but if I telnet (outside network) to 
www.optimalprofit.com 80 and enter:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the page comes back really fast, but if I telnet to www.optimalprofit.com 80 
and enter (to get a gif file off the server):


GET /images/op-hwynit-ad1.gif HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.optimalprofit.com
Connection: Close

the text comes back really really slowly.  I am not sure what is wrong as 
even my mobile connects in and over active sync and picks up my emails just 
fine.  I have tried different browsers and they don't make any difference.


I have tried squid 2.7 and 3 and I get the same issue.  Can't try 2. as 
there is no port on FreeBSD 8 anymore!!


Any help is much appreciated.

Gordon

RE: [squid-users] Squid 3.1 youtube caching

[Amos Jeffries]

On Thu, 3 Feb 2011 10:03:03 +0530, Saurabh Agarwal
 wrote:
> Hi Luis
> 
> I have recently successfully cached youtube videos using
Squid-2.7.Stable7
> and posted the solution on squid mailing list as well. I tested it
> yesterday and youtube videos were still being cached.

AFAICT your 23rd Nov 2010 posted configuration differs from the wiki
example by:
 * passing every single URL passing through your proxy goes to the
storeurl program (not just the relevant YT URLs)
 * ignoring updates and changes to the HTML pages (forcing people to think
profiles are not being updated etc)
 * ignoring users force-refresh (so that if somebody does notice a page
problem caused by the above they can't manually force the cache to update
the page)

None of these have any obvious or explained reasons relating to the .FLV
video which is the only relevant piece to be de-duplicated.

Your re-writer adds two interesting URLs to the altered pot.

 * If that generate_204 is what I think then you are preventing users from
fast-forwarding videos, forcing them to re-download the entire thing from
cache if they try.

 * the "docid=" pages. Can you explain what those are and how their URLs
result in a .FLV object response?



I'm ignoring the 10th Nov and 1st Nov and April and July and August
configurations because YT change their URLs occasionally. That is the point
of using the wiki to publish latest details instead of a long-term mailing
list.

 If you find the wiki setup is not working please get yourself an editing
account and add a message to the *Discussion* page outlining the YT
operations which are being missed and what changes will catch them. When
somebody can independently verify their success we add the changes to the
main config.


> For Squid3.1 I have
> not tried yet.

3.x do not yet have the storeurl feature these hacks all rely upon.

Amos

RE: [squid-users] Squid 3.1 youtube caching

[Saurabh Agarwal]

Hi Luis

I have recently successfully cached youtube videos using Squid-2.7.Stable7 and 
posted the solution on squid mailing list as well. I tested it yesterday and 
youtube videos were still being cached. For Squid3.1 I have not tried yet.

Please do a google for squid mails with subject "Caching youtube videos 
problem/ always getting TCP_MISS"

Regards,
Saurabh

-Original Message-
From: Luis Daniel Lucio Quiroz [mailto:luis.daniel.lu...@gmail.com] 
Sent: Thursday, February 03, 2011 12:09 AM
To: Hasanen AL-Bana
Cc: Clemente Aguiar; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.1 youtube caching

Le mercredi 2 février 2011 12:29:58, Hasanen AL-Bana a écrit :
> No need for ICAP , storeurl script should be enough.
> The problem is that youtube internal links are changing from time to
> time, so we need to update our scripts from time to time.
> 
> On Wed, Feb 2, 2011 at 8:23 PM, Clemente Aguiar
> 
>  wrote:
> > Qua, 2011-02-02 às 10:01 -0600, Luis Daniel Lucio Quiroz escreveu:
> > > Le mercredi 2 février 2011 09:49:23, Clemente Aguiar a écrit :
> > > > I am running squid 3.1.9, and I would like to know if this version is
> > > > able to cache youtube content?
> > > > 
> > > > I did check the wiki
> > > > (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
> > > > and I must say that it is not clear what bits applies to version 3.1.
> > > > 
> > > > Can somebody give me some pointers to what exactly I should
> > > > configure.
> > > > 
> > > > Thanks,
> > > > Clemente
> > > 
> > > Clemente,
> > > 
> > > there is a non 100% sure probability because 3.1 laks 2.7 capabilities,
> > > the only way for now is:
> > > use 2.7
> > > user an ICAP server capable to manage those types of urls
> > > 
> > > Regards,
> > > 
> > > LD
> > 
> > Ok, thanks.
> > 
> > Maybe somebody should make that (perfectly) clear in the wiki ... and
> > maybe add an example on how to implement ICAP server.
> > 
> > Well, now for the next question. Which ICAP server and how to implement?
> > Can you help me?
> > 
> > Regards,
> > Clemente

store_url is for 2.7 not for 3.1, he must use 3.1+ icap if he want to get 
similar results

i can recomend you i-cap for linuxbut it lacks what you want, how ever it 
has some templates so you can code the things you want

LD

Re: [squid-users] Squid 3.1 youtube caching

[Luis Daniel Lucio Quiroz]

Le mercredi 2 février 2011 12:29:58, Hasanen AL-Bana a écrit :
> No need for ICAP , storeurl script should be enough.
> The problem is that youtube internal links are changing from time to
> time, so we need to update our scripts from time to time.
> 
> On Wed, Feb 2, 2011 at 8:23 PM, Clemente Aguiar
> 
>  wrote:
> > Qua, 2011-02-02 às 10:01 -0600, Luis Daniel Lucio Quiroz escreveu:
> > > Le mercredi 2 février 2011 09:49:23, Clemente Aguiar a écrit :
> > > > I am running squid 3.1.9, and I would like to know if this version is
> > > > able to cache youtube content?
> > > > 
> > > > I did check the wiki
> > > > (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
> > > > and I must say that it is not clear what bits applies to version 3.1.
> > > > 
> > > > Can somebody give me some pointers to what exactly I should
> > > > configure.
> > > > 
> > > > Thanks,
> > > > Clemente
> > > 
> > > Clemente,
> > > 
> > > there is a non 100% sure probability because 3.1 laks 2.7 capabilities,
> > > the only way for now is:
> > > use 2.7
> > > user an ICAP server capable to manage those types of urls
> > > 
> > > Regards,
> > > 
> > > LD
> > 
> > Ok, thanks.
> > 
> > Maybe somebody should make that (perfectly) clear in the wiki ... and
> > maybe add an example on how to implement ICAP server.
> > 
> > Well, now for the next question. Which ICAP server and how to implement?
> > Can you help me?
> > 
> > Regards,
> > Clemente

store_url is for 2.7 not for 3.1, he must use 3.1+ icap if he want to get 
similar results

i can recomend you i-cap for linuxbut it lacks what you want, how ever it 
has some templates so you can code the things you want

LD

Re: [squid-users] Squid 3.1 youtube caching

[Hasanen AL-Bana]

No need for ICAP , storeurl script should be enough.
The problem is that youtube internal links are changing from time to
time, so we need to update our scripts from time to time.

On Wed, Feb 2, 2011 at 8:23 PM, Clemente Aguiar
 wrote:
>
> Qua, 2011-02-02 às 10:01 -0600, Luis Daniel Lucio Quiroz escreveu:
> > Le mercredi 2 février 2011 09:49:23, Clemente Aguiar a écrit :
> > > I am running squid 3.1.9, and I would like to know if this version is
> > > able to cache youtube content?
> > >
> > > I did check the wiki
> > > (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
> > > and I must say that it is not clear what bits applies to version 3.1.
> > >
> > > Can somebody give me some pointers to what exactly I should configure.
> > >
> > > Thanks,
> > > Clemente
> >
> > Clemente,
> >
> > there is a non 100% sure probability because 3.1 laks 2.7 capabilities, the
> > only way for now is:
> > use 2.7
> > user an ICAP server capable to manage those types of urls
> >
> > Regards,
> >
> > LD
>
> Ok, thanks.
>
> Maybe somebody should make that (perfectly) clear in the wiki ... and
> maybe add an example on how to implement ICAP server.
>
> Well, now for the next question. Which ICAP server and how to implement?
> Can you help me?
>
> Regards,
> Clemente
>
>

Re: [squid-users] Squid 3.1 youtube caching

[Clemente Aguiar]

Qua, 2011-02-02 às 10:01 -0600, Luis Daniel Lucio Quiroz escreveu:
> Le mercredi 2 février 2011 09:49:23, Clemente Aguiar a écrit :
> > I am running squid 3.1.9, and I would like to know if this version is
> > able to cache youtube content?
> > 
> > I did check the wiki
> > (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
> > and I must say that it is not clear what bits applies to version 3.1.
> > 
> > Can somebody give me some pointers to what exactly I should configure.
> > 
> > Thanks,
> > Clemente
> 
> Clemente,
> 
> there is a non 100% sure probability because 3.1 laks 2.7 capabilities, the 
> only way for now is:
> use 2.7
> user an ICAP server capable to manage those types of urls
> 
> Regards,
> 
> LD

Ok, thanks.

Maybe somebody should make that (perfectly) clear in the wiki ... and
maybe add an example on how to implement ICAP server.

Well, now for the next question. Which ICAP server and how to implement?
Can you help me?

Regards,
Clemente

Re: [squid-users] Squid 3.1 youtube caching

[Luis Daniel Lucio Quiroz]

Le mercredi 2 février 2011 09:49:23, Clemente Aguiar a écrit :
> I am running squid 3.1.9, and I would like to know if this version is
> able to cache youtube content?
> 
> I did check the wiki
> (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
> and I must say that it is not clear what bits applies to version 3.1.
> 
> Can somebody give me some pointers to what exactly I should configure.
> 
> Thanks,
> Clemente

Clemente,

there is a non 100% sure probability because 3.1 laks 2.7 capabilities, the 
only way for now is:
use 2.7
user an ICAP server capable to manage those types of urls

Regards,

LD

[squid-users] Squid 3.1 youtube caching

[Clemente Aguiar]

I am running squid 3.1.9, and I would like to know if this version is
able to cache youtube content?

I did check the wiki
(http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube)
and I must say that it is not clear what bits applies to version 3.1.

Can somebody give me some pointers to what exactly I should configure.

Thanks,
Clemente

Re: [squid-users] squid-3.1 couldn't be installed.

[Orestes Leal R.]

I think that you must just install the package Perl::DBI and you're done.

LeaL



Dear all,

I have a problem of installing of squid-3.1.8-1

when I installed 'squid' on Redhat 5.2, I had the erre message in
cache.log, "Failed dependencies: per (DBI) is needed by
squid-3.1.8-1.el5.x86_64.

Please, let me know its reason.

best regards. J.





--
Using Opera's revolutionary email client: http://www.opera.com/mail/

[squid-users] squid-3.1 couldn't be installed.

[Seok Jiwoo]

Dear all,

I have a problem of installing of squid-3.1.8-1

when I installed 'squid' on Redhat 5.2, I had the erre message in
cache.log, "Failed dependencies: per (DBI) is needed by
squid-3.1.8-1.el5.x86_64.

Please, let me know its reason.

best regards. J.

Re: [squid-users] squid-3.1 client POST buffering

[Graham Keeling]

On Wed, Dec 01, 2010 at 11:40:52AM +, Graham Keeling wrote:
> Hello,
> 
> I am convinced that this is a serious bug, so I have entered a proper bug
> report.
> 
> It is bug 3113:
> 
> http://bugs.squid-cache.org/show_bug.cgi?id=3113

I have created a simple patch that seems to fix the problem for me on
squid-3.1.9, and I have attached it to the bug report.

Re: [squid-users] squid-3.1 client POST buffering

[Graham Keeling]

Hello,

I am convinced that this is a serious bug, so I have entered a proper bug
report.

It is bug 3113:

http://bugs.squid-cache.org/show_bug.cgi?id=3113

Re: [squid-users] squid-3.1 client POST buffering

[Graham Keeling]

On Tue, Nov 30, 2010 at 11:31:45AM +, Graham Keeling wrote:
> On Tue, Nov 30, 2010 at 09:46:47PM +1300, Amos Jeffries wrote:
> > On 30/11/10 21:23, Oguz Yilmaz wrote:
> >> On Tue, Nov 30, 2010 at 10:05 AM, Amos Jeffries  
> >> wrote:
> >>> On 30/11/10 04:04, Oguz Yilmaz wrote:
> 
>  Graham,
> 
>  This is the best explanation I have seen about ongoing upload problem
>  in proxy chains where squid is one part of the chain.
> 
>  On our systems, we use Squid 3.0.STABLE25. Before squid a
>  dansguardian(DG) proxy exist to filter. Results of my tests:
> 
>  1-
>  DG+Squid 2.6.STABLE12: No problem of uploading
>  DG+Squid 3.0.STABLE25: Problematic
>  DG+Squid 3.1.8: Problematic
>  DG+Squid 3.2.0.2: Problematic
> 
>  2- We have mostly prıblems with the sites with web based upload status
>  viewers. Like rapidshare, youtube etc...
> 
>  3- If Squid is the only proxy, no problem of uploading.
> 
>  4- ead_ahead_gap 16 KB does not resolv the problem
> 
> 
>  Dear Developers,
> 
>  Can you propose some other workarounds for us to test? The problem is
>  encountered with most active sites of the net, unfortunately.
> >>>
> >>> This sounds like the same problem as
> >>> http://bugs.squid-cache.org/show_bug.cgi?id=3017
> >>
> >
> > Sorry, crossing bug reports in my head.
> >
> > This one is closer to the suck-everything behaviour you have seen:
> > http://bugs.squid-cache.org/show_bug.cgi?id=2910
> >
> > both have an outside chance of working.
> 
> I have tried both suggestions, and neither of them make a difference
> (changes to BodyPipe.h and client_side_request.cc).
> 
> I am keen to try any further suggestions, or provide you with debug output,
> or whatever you like. 
> 
> This problem is extremely easy for me to reproduce.
> It happens without any authentication, and with squid as the only proxy 
> between
> my browser and the website.
> 
> Shall I enter a proper bug report?

To demonstrate the problem happening, I set on 'debug_options 33,2' and
re-ran my test. This shows that ConnStateData::makeSpaceAvailable() in
client_side.cc will eat memory forever.
I can turn on more debug if needed, but others should be able to easily
reproduce this.

2010/11/30 11:57:17.482| growing request buffer: notYetUsed=4095 size=8192
2010/11/30 11:57:17.483| growing request buffer: notYetUsed=8191 size=16384
2010/11/30 11:57:17.483| growing request buffer: notYetUsed=16383 size=32768
2010/11/30 11:57:17.484| growing request buffer: notYetUsed=32767 size=65536
2010/11/30 11:57:17.486| growing request buffer: notYetUsed=65535 size=131072
2010/11/30 11:57:17.488| growing request buffer: notYetUsed=131071 size=262144
2010/11/30 11:57:17.506| growing request buffer: notYetUsed=262143 size=524288
2010/11/30 11:57:17.533| growing request buffer: notYetUsed=524287 size=1048576
2010/11/30 11:57:17.586| growing request buffer: notYetUsed=1048575 size=2097152
2010/11/30 11:57:17.692| growing request buffer: notYetUsed=2097151 size=4194304
2010/11/30 11:57:17.884| growing request buffer: notYetUsed=4194303 size=8388608
2010/11/30 11:57:18.308| growing request buffer: notYetUsed=8388607 
size=16777216
2010/11/30 11:57:19.136| growing request buffer: notYetUsed=16777215 
size=33554432
2010/11/30 11:57:20.792| growing request buffer: notYetUsed=33554431 
size=67108864
2010/11/30 11:57:23.957| growing request buffer: notYetUsed=67108863 
size=134217728
2010/11/30 11:57:31.176| growing request buffer: notYetUsed=134217727 
size=268435456
2010/11/30 11:57:58.433| growing request buffer: notYetUsed=268435455 
size=536870912
...

Re: [squid-users] squid-3.1 client POST buffering

[Graham Keeling]

On Tue, Nov 30, 2010 at 09:46:47PM +1300, Amos Jeffries wrote:
> On 30/11/10 21:23, Oguz Yilmaz wrote:
>> On Tue, Nov 30, 2010 at 10:05 AM, Amos Jeffries  wrote:
>>> On 30/11/10 04:04, Oguz Yilmaz wrote:

 Graham,

 This is the best explanation I have seen about ongoing upload problem
 in proxy chains where squid is one part of the chain.

 On our systems, we use Squid 3.0.STABLE25. Before squid a
 dansguardian(DG) proxy exist to filter. Results of my tests:

 1-
 DG+Squid 2.6.STABLE12: No problem of uploading
 DG+Squid 3.0.STABLE25: Problematic
 DG+Squid 3.1.8: Problematic
 DG+Squid 3.2.0.2: Problematic

 2- We have mostly prıblems with the sites with web based upload status
 viewers. Like rapidshare, youtube etc...

 3- If Squid is the only proxy, no problem of uploading.

 4- ead_ahead_gap 16 KB does not resolv the problem


 Dear Developers,

 Can you propose some other workarounds for us to test? The problem is
 encountered with most active sites of the net, unfortunately.
>>>
>>> This sounds like the same problem as
>>> http://bugs.squid-cache.org/show_bug.cgi?id=3017
>>
>
> Sorry, crossing bug reports in my head.
>
> This one is closer to the suck-everything behaviour you have seen:
> http://bugs.squid-cache.org/show_bug.cgi?id=2910
>
> both have an outside chance of working.

I have tried both suggestions, and neither of them make a difference
(changes to BodyPipe.h and client_side_request.cc).

I am keen to try any further suggestions, or provide you with debug output,
or whatever you like. 

This problem is extremely easy for me to reproduce.
It happens without any authentication, and with squid as the only proxy between
my browser and the website.

Shall I enter a proper bug report?

Re: [squid-users] squid-3.1 client POST buffering

[Oguz Yilmaz]

--
Oguz YILMAZ



On Tue, Nov 30, 2010 at 10:46 AM, Amos Jeffries  wrote:
> On 30/11/10 21:23, Oguz Yilmaz wrote:
>>
>> On Tue, Nov 30, 2010 at 10:05 AM, Amos Jeffries
>>  wrote:
>>>
>>> On 30/11/10 04:04, Oguz Yilmaz wrote:

 Graham,

 This is the best explanation I have seen about ongoing upload problem
 in proxy chains where squid is one part of the chain.

 On our systems, we use Squid 3.0.STABLE25. Before squid a
 dansguardian(DG) proxy exist to filter. Results of my tests:

 1-
 DG+Squid 2.6.STABLE12: No problem of uploading
 DG+Squid 3.0.STABLE25: Problematic
 DG+Squid 3.1.8: Problematic
 DG+Squid 3.2.0.2: Problematic

 2- We have mostly prıblems with the sites with web based upload status
 viewers. Like rapidshare, youtube etc...

 3- If Squid is the only proxy, no problem of uploading.

 4- ead_ahead_gap 16 KB does not resolv the problem


 Dear Developers,

 Can you propose some other workarounds for us to test? The problem is
 encountered with most active sites of the net, unfortunately.
>>>
>>> This sounds like the same problem as
>>> http://bugs.squid-cache.org/show_bug.cgi?id=3017
>>
>
> Sorry, crossing bug reports in my head.
>
> This one is closer to the suck-everything behaviour you have seen:
> http://bugs.squid-cache.org/show_bug.cgi?id=2910
>
> both have an outside chance of working.
>

I have tried the patch proposed (BodyPipe.h). However does not work.
Note: My system is based on Linux os.

>>
>> In my tests, no NTLM auth was used.
>> The browser has proxy confguration targeting DG and DG uses squid as
>> provider proxy. If you think it will work,  I can try the patch
>> located in the bug case.
>> Upload will stop at about 1MB, so is it about SQUID_TCP_SO_RCVBUF?
>
> AIUI, Squid is supposed to read SQUID_TCP_SO_RCVBUF + read_ahead_gap and
> wait for some of that to pass on to the server before grabbing some more.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>

Re: [squid-users] squid-3.1 client POST buffering

[Amos Jeffries]

On 30/11/10 21:23, Oguz Yilmaz wrote:

On Tue, Nov 30, 2010 at 10:05 AM, Amos Jeffries  wrote:

On 30/11/10 04:04, Oguz Yilmaz wrote:


Graham,

This is the best explanation I have seen about ongoing upload problem
in proxy chains where squid is one part of the chain.

On our systems, we use Squid 3.0.STABLE25. Before squid a
dansguardian(DG) proxy exist to filter. Results of my tests:

1-
DG+Squid 2.6.STABLE12: No problem of uploading
DG+Squid 3.0.STABLE25: Problematic
DG+Squid 3.1.8: Problematic
DG+Squid 3.2.0.2: Problematic

2- We have mostly prıblems with the sites with web based upload status
viewers. Like rapidshare, youtube etc...

3- If Squid is the only proxy, no problem of uploading.

4- ead_ahead_gap 16 KB does not resolv the problem


Dear Developers,

Can you propose some other workarounds for us to test? The problem is
encountered with most active sites of the net, unfortunately.


This sounds like the same problem as
http://bugs.squid-cache.org/show_bug.cgi?id=3017




Sorry, crossing bug reports in my head.

This one is closer to the suck-everything behaviour you have seen:
http://bugs.squid-cache.org/show_bug.cgi?id=2910

both have an outside chance of working.



In my tests, no NTLM auth was used.
The browser has proxy confguration targeting DG and DG uses squid as
provider proxy. If you think it will work,  I can try the patch
located in the bug case.
Upload will stop at about 1MB, so is it about SQUID_TCP_SO_RCVBUF?


AIUI, Squid is supposed to read SQUID_TCP_SO_RCVBUF + read_ahead_gap and 
wait for some of that to pass on to the server before grabbing some more.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3

Re: [squid-users] squid-3.1 client POST buffering

[Oguz Yilmaz]

On Tue, Nov 30, 2010 at 10:05 AM, Amos Jeffries  wrote:
> On 30/11/10 04:04, Oguz Yilmaz wrote:
>>
>> Graham,
>>
>> This is the best explanation I have seen about ongoing upload problem
>> in proxy chains where squid is one part of the chain.
>>
>> On our systems, we use Squid 3.0.STABLE25. Before squid a
>> dansguardian(DG) proxy exist to filter. Results of my tests:
>>
>> 1-
>> DG+Squid 2.6.STABLE12: No problem of uploading
>> DG+Squid 3.0.STABLE25: Problematic
>> DG+Squid 3.1.8: Problematic
>> DG+Squid 3.2.0.2: Problematic
>>
>> 2- We have mostly prıblems with the sites with web based upload status
>> viewers. Like rapidshare, youtube etc...
>>
>> 3- If Squid is the only proxy, no problem of uploading.
>>
>> 4- ead_ahead_gap 16 KB does not resolv the problem
>>
>>
>> Dear Developers,
>>
>> Can you propose some other workarounds for us to test? The problem is
>> encountered with most active sites of the net, unfortunately.
>
> This sounds like the same problem as
> http://bugs.squid-cache.org/show_bug.cgi?id=3017


In my tests, no NTLM auth was used.
The browser has proxy confguration targeting DG and DG uses squid as
provider proxy. If you think it will work,  I can try the patch
located in the bug case.
Upload will stop at about 1MB, so is it about SQUID_TCP_SO_RCVBUF?


>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>

Re: [squid-users] squid-3.1 client POST buffering

[Amos Jeffries]

On 30/11/10 04:04, Oguz Yilmaz wrote:

Graham,

This is the best explanation I have seen about ongoing upload problem
in proxy chains where squid is one part of the chain.

On our systems, we use Squid 3.0.STABLE25. Before squid a
dansguardian(DG) proxy exist to filter. Results of my tests:

1-
DG+Squid 2.6.STABLE12: No problem of uploading
DG+Squid 3.0.STABLE25: Problematic
DG+Squid 3.1.8: Problematic
DG+Squid 3.2.0.2: Problematic

2- We have mostly prıblems with the sites with web based upload status
viewers. Like rapidshare, youtube etc...

3- If Squid is the only proxy, no problem of uploading.

4- ead_ahead_gap 16 KB does not resolv the problem


Dear Developers,

Can you propose some other workarounds for us to test? The problem is
encountered with most active sites of the net, unfortunately.


This sounds like the same problem as 
http://bugs.squid-cache.org/show_bug.cgi?id=3017


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3

Re: [squid-users] squid-3.1 client POST buffering

[Oguz Yilmaz]

Graham,

This is the best explanation I have seen about ongoing upload problem
in proxy chains where squid is one part of the chain.

On our systems, we use Squid 3.0.STABLE25. Before squid a
dansguardian(DG) proxy exist to filter. Results of my tests:

1-
DG+Squid 2.6.STABLE12: No problem of uploading
DG+Squid 3.0.STABLE25: Problematic
DG+Squid 3.1.8: Problematic
DG+Squid 3.2.0.2: Problematic

2- We have mostly prıblems with the sites with web based upload status
viewers. Like rapidshare, youtube etc...

3- If Squid is the only proxy, no problem of uploading.

4- ead_ahead_gap 16 KB does not resolv the problem


Dear Developers,

Can you propose some other workarounds for us to test? The problem is
encountered with most active sites of the net, unfortunately.


Best Regards,

--
Oguz YILMAZ


On Thu, Nov 25, 2010 at 6:36 PM, Graham Keeling  wrote:
>
> Hello,
>
> I have upgraded to squid-3.1 recently, and found a change of behaviour.
> I have been using dansguardian in front of squid.
>
> It appears to be because squid now buffers uploaded POST data slightly
> differently.
> In versions < 3.1, it would take some data, send it through to the website,
> and then ask for some more.
> In 3.1 version, it appears to take as much from the client as it can without
> waiting for what it has already got to be uploaded to the website.
>
> This means that dansguardian quickly uploads all the data into squid, and
> then waits for a reply, which is a long time in coming because squid still
> has to upload everything to the website.
> And then dansguardian times out on squid after two minutes.
>
>
> I noticed the following squid configuration option. Perhaps what I need is
> a similar thing for buffering data sent from the client.
>
> #  TAG: read_ahead_gap  buffer-size
> #       The amount of data the cache will buffer ahead of what has been
> #       sent to the client when retrieving an object from another server.
> #Default:
> # read_ahead_gap 16 KB
>
> Comments welcome!
>
> Graham.
>

Re: [squid-users] squid-3.1 client POST buffering

[Amos Jeffries]

On 27/11/10 05:10, Graham Keeling wrote:

On Thu, Nov 25, 2010 at 04:36:49PM +, Graham Keeling wrote:

Hello,

I have upgraded to squid-3.1 recently, and found a change of behaviour.
I have been using dansguardian in front of squid.

It appears to be because squid now buffers uploaded POST data slightly
differently.
In versions<  3.1, it would take some data, send it through to the website,
and then ask for some more.
In 3.1 version, it appears to take as much from the client as it can without
waiting for what it has already got to be uploaded to the website.

This means that dansguardian quickly uploads all the data into squid, and
then waits for a reply, which is a long time in coming because squid still
has to upload everything to the website.
And then dansguardian times out on squid after two minutes.


I noticed the following squid configuration option. Perhaps what I need is
a similar thing for buffering data sent from the client.

#  TAG: read_ahead_gap  buffer-size
#   The amount of data the cache will buffer ahead of what has been
#   sent to the client when retrieving an object from another server.
#Default:
# read_ahead_gap 16 KB

Comments welcome!

Graham.



Upon further experimentation, I have found that squid-3.1.x (specifically,
I have tried squid-3.1.8 and squid-3.1.9) behaves very badly with POST uploads.

It just increases the input buffer forever, until the upload is finished, or
the machine runs out of memory.

This problem exists when connecting directly to squid without dansguardian
in the way.

This problem doesn't exist on my old squid-2.5 installation.



Buffer max is 64KB. I'm thinking this is related to 
http://bugs.squid-cache.org/show_bug.cgi?id=2910


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3

Re: [squid-users] squid-3.1 client POST buffering

[Graham Keeling]

On Thu, Nov 25, 2010 at 04:36:49PM +, Graham Keeling wrote:
> Hello,
> 
> I have upgraded to squid-3.1 recently, and found a change of behaviour.
> I have been using dansguardian in front of squid.
> 
> It appears to be because squid now buffers uploaded POST data slightly
> differently.
> In versions < 3.1, it would take some data, send it through to the website,
> and then ask for some more.
> In 3.1 version, it appears to take as much from the client as it can without
> waiting for what it has already got to be uploaded to the website.
> 
> This means that dansguardian quickly uploads all the data into squid, and
> then waits for a reply, which is a long time in coming because squid still
> has to upload everything to the website.
> And then dansguardian times out on squid after two minutes.
> 
> 
> I noticed the following squid configuration option. Perhaps what I need is
> a similar thing for buffering data sent from the client.
> 
> #  TAG: read_ahead_gap  buffer-size
> #   The amount of data the cache will buffer ahead of what has been
> #   sent to the client when retrieving an object from another server.
> #Default:
> # read_ahead_gap 16 KB
> 
> Comments welcome!
> 
> Graham.


Upon further experimentation, I have found that squid-3.1.x (specifically,
I have tried squid-3.1.8 and squid-3.1.9) behaves very badly with POST uploads.

It just increases the input buffer forever, until the upload is finished, or
the machine runs out of memory.

This problem exists when connecting directly to squid without dansguardian
in the way.

This problem doesn't exist on my old squid-2.5 installation.

[squid-users] squid-3.1 client POST buffering

[Graham Keeling]

Hello,

I have upgraded to squid-3.1 recently, and found a change of behaviour.
I have been using dansguardian in front of squid.

It appears to be because squid now buffers uploaded POST data slightly
differently.
In versions < 3.1, it would take some data, send it through to the website,
and then ask for some more.
In 3.1 version, it appears to take as much from the client as it can without
waiting for what it has already got to be uploaded to the website.

This means that dansguardian quickly uploads all the data into squid, and
then waits for a reply, which is a long time in coming because squid still
has to upload everything to the website.
And then dansguardian times out on squid after two minutes.


I noticed the following squid configuration option. Perhaps what I need is
a similar thing for buffering data sent from the client.

#  TAG: read_ahead_gap  buffer-size
#   The amount of data the cache will buffer ahead of what has been
#   sent to the client when retrieving an object from another server.
#Default:
# read_ahead_gap 16 KB

Comments welcome!

Graham.

Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs- squid upgraded to 3.1.8 ( Resolved at last)

[Babu Chaliyath]

Hi List,
At last I could get the MRTG running with squid 3.1.8, though it took
much time. Will be writing a howto soon regarding how to set up mrtg
on FreeBSD.
It was the SNMP_util.pm gave all the trouble as the port maintainers
did some changes of merging. Those who are breaking head with mrtg
kindly have p5-SNMP_Session port to be installed additionally and save
the time.
Hope that may help someone in future.

Thank you so much to those took their valuable time to reply to my
silly doubts and cleared and guided me.

Regards
Babs

On 10/4/10, Babu Chaliyath  wrote:
>> It's well worth upgrading to 3.1.8. Many of the 3.1 betas had broken
>> SNMP.
>>
>> Also check that the squid.mib being loaded came from the 3.1 install.
>>
>> We now have a full map of what the OID are and what versions they work
>> for. You may find this useful:
>> http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs
>>
>>
>> Amos
>> --
>> Please be using
>>Current Stable Squid 2.7.STABLE9 or 3.1.8
>>Beta testers wanted for 3.2.0.2
>>
>
> Hi List,
> As suggested by Amos, I have upgraded the squid box to 3.1.8 and
> everything is working fine except the graph part with mrtg.
> mrtg version :mrtg-2.16.4
>
> My mrtg.cfg is as below
>
> LoadMIBs: /usr/local/etc/mrtg/squid.mib
> EnableIPv6: no
> WorkDir: /usr/local/www/apache22/data
> Options[_]: bits,growright
>
> Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@127.0.0.1:3401
> MaxBytes[proxy-hit]: 10
> Title[proxy-hit]: HTTP Hits
> Suppress[proxy-hit]: y
> LegendI[proxy-hit]: HTTP hits
> LegendO[proxy-hit]: HTTP requests
> Legend1[proxy-hit]: HTTP hits
> Legend2[proxy-hit]: HTTP requests
> YLegend[proxy-hit]: perminute
> ShortLegend[proxy-hit]: req/min
> Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero,
> growright, pngdate
> #PNGTitle[proxy-hit]: Proxy Hits
>
> Target[proxy-srvkbinout]:
> cacheServerInKb&cacheServerOutKb:pub...@127.0.0.1:3401
> MaxBytes[proxy-srvkbinout]: 76800
> Title[proxy-srvkbinout]: Cache Server Traffic In/Out
> Suppress[proxy-srvkbinout]: y
> LegendI[proxy-srvkbinout]: Traffic In
> LegendO[proxy-srvkbinout]: Traffic Out
> Legend1[proxy-srvkbinout]: Traffic In
> Legend2[proxy-srvkbinout]: Traffic Out
> YLegend[proxy-srvkbinout]: per minute
> ShortLegend[proxy-srvkbinout]: b/min
> kMG[proxy-srvkbinout]: k,M,G,T
> kilo[proxy-srvkbinout]: 1024
> Options[proxy-srvkbinout]: nopercent, perminute, unknaszero, growright,
> pngdate
>
> I have verified that squid snmp is working through the following command
>
> #snmpget -On -m /usr/local/etc/mrtg/squid.mib -v 2c -c public
> 127.0.0.1:3401 cacheHttpHits cacheServerRequests cacheServerInKb
> cacheServerOutKb cacheUptime CacheSoftware cacheVersionId
>
> This gives me results without any errors so snmp part of squid is
> working fine I think
> Now when I run mrtg I could see the following errors in mrtg.log file
>
> 010-10-04 12:37:33 -- Started mrtg with config
> '/usr/local/etc/mrtg/mrtg.cfg'
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheHttpHits
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerRequests
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerInKb
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheServerOutKb
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
>  at /usr/local/bin/mrtg line 2242
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
> concatenation (.) or string at /usr/local/bin/mrtg line 2261.
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_IN_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-hit][_OUT_] ' $target->[0]{$mode} ' did not eval into
> defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_IN_] ' $target->[1]{$mode} ' did not eval
> into defined data
> 2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
> Target[proxy-srvkbinout][_OUT_] ' $target->[1]{$mode} ' did not eval
> into defined data
>
> All I could make out from these

Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs- squid upgraded to 3.1.8

[Babu Chaliyath]

> It's well worth upgrading to 3.1.8. Many of the 3.1 betas had broken SNMP.
>
> Also check that the squid.mib being loaded came from the 3.1 install.
>
> We now have a full map of what the OID are and what versions they work
> for. You may find this useful:
> http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs
>
>
> Amos
> --
> Please be using
>Current Stable Squid 2.7.STABLE9 or 3.1.8
>Beta testers wanted for 3.2.0.2
>

Hi List,
As suggested by Amos, I have upgraded the squid box to 3.1.8 and
everything is working fine except the graph part with mrtg.
mrtg version :mrtg-2.16.4

My mrtg.cfg is as below

LoadMIBs: /usr/local/etc/mrtg/squid.mib
EnableIPv6: no
WorkDir: /usr/local/www/apache22/data
Options[_]: bits,growright

Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@127.0.0.1:3401
MaxBytes[proxy-hit]: 10
Title[proxy-hit]: HTTP Hits
Suppress[proxy-hit]: y
LegendI[proxy-hit]: HTTP hits
LegendO[proxy-hit]: HTTP requests
Legend1[proxy-hit]: HTTP hits
Legend2[proxy-hit]: HTTP requests
YLegend[proxy-hit]: perminute
ShortLegend[proxy-hit]: req/min
Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero,
growright, pngdate
#PNGTitle[proxy-hit]: Proxy Hits

Target[proxy-srvkbinout]: cacheServerInKb&cacheServerOutKb:pub...@127.0.0.1:3401
MaxBytes[proxy-srvkbinout]: 76800
Title[proxy-srvkbinout]: Cache Server Traffic In/Out
Suppress[proxy-srvkbinout]: y
LegendI[proxy-srvkbinout]: Traffic In
LegendO[proxy-srvkbinout]: Traffic Out
Legend1[proxy-srvkbinout]: Traffic In
Legend2[proxy-srvkbinout]: Traffic Out
YLegend[proxy-srvkbinout]: per minute
ShortLegend[proxy-srvkbinout]: b/min
kMG[proxy-srvkbinout]: k,M,G,T
kilo[proxy-srvkbinout]: 1024
Options[proxy-srvkbinout]: nopercent, perminute, unknaszero, growright, pngdate

I have verified that squid snmp is working through the following command

#snmpget -On -m /usr/local/etc/mrtg/squid.mib -v 2c -c public
127.0.0.1:3401 cacheHttpHits cacheServerRequests cacheServerInKb
cacheServerOutKb cacheUptime CacheSoftware cacheVersionId

This gives me results without any errors so snmp part of squid is
working fine I think
Now when I run mrtg I could see the following errors in mrtg.log file

010-10-04 12:37:33 -- Started mrtg with config '/usr/local/etc/mrtg/mrtg.cfg'
2010-10-04 12:37:33 -- Unknown SNMP var cacheHttpHits
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheServerRequests
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
concatenation (.) or string at /usr/local/bin/mrtg line 2261.
2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
concatenation (.) or string at /usr/local/bin/mrtg line 2261.
2010-10-04 12:37:33 -- Unknown SNMP var cacheServerInKb
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheServerOutKb
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheUptime
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheSoftware
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Unknown SNMP var cacheVersionId
 at /usr/local/bin/mrtg line 2242
2010-10-04 12:37:33 -- Use of uninitialized value $ret[-2] in
concatenation (.) or string at /usr/local/bin/mrtg line 2261.
2010-10-04 12:37:33 -- Use of uninitialized value $ret[-1] in
concatenation (.) or string at /usr/local/bin/mrtg line 2261.
2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
Target[proxy-hit][_IN_] ' $target->[0]{$mode} ' did not eval into
defined data
2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
Target[proxy-hit][_OUT_] ' $target->[0]{$mode} ' did not eval into
defined data
2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
Target[proxy-srvkbinout][_IN_] ' $target->[1]{$mode} ' did not eval
into defined data
2010-10-04 12:37:33 -- 2010-10-04 12:37:33: ERROR:
Target[proxy-srvkbinout][_OUT_] ' $target->[1]{$mode} ' did not eval
into defined data

All I could make out from these error was mrtg not reading squid.mib
file. Am I right?
Now I am stuck and I suspect a broken mrtg? or  did I go wrong
somewhere? Do kindly let me know what went wrong and how to proceed
further.
Thanx in advance
Babs

Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs

[Amos Jeffries]

On 09/09/10 21:38, Babu Chaliyath wrote:

2010/9/9 Henrik Nordström:

tor 2010-09-09 klockan 11:36 +0530 skrev Babu Chaliyath:

Hi List,
I am trying to get mrtg graphing of my squid box running freebsd 7.2
with squid 3.1.0.13, I was able to get the mrtg while running 2.6
version of squid, but once  moved to 3.1 version, I am not able to get
the mrtg graph at all, I would greatly appreciate if any
suggestions/clues what might have gone wrong on my mrtg setup.


I did not see any reference to the Squid MIB from your mrtg config.

Regards
Henrik




Ooops! I missed  "LoadMIBs: /usr/local/etc/mrtg/squid.mib" line while
pasting it in my mail, yes it is there in my mrtg.cfg
btw mib.txt file is renamed as squid.mib.

Thanx for that quick reply
Regards
Babs



It's well worth upgrading to 3.1.8. Many of the 3.1 betas had broken SNMP.

Also check that the squid.mib being loaded came from the 3.1 install.

We now have a full map of what the OID are and what versions they work 
for. You may find this useful:

http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2

Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs

[Babu Chaliyath]

2010/9/9 Henrik Nordström :
> tor 2010-09-09 klockan 11:36 +0530 skrev Babu Chaliyath:
>> Hi List,
>> I am trying to get mrtg graphing of my squid box running freebsd 7.2
>> with squid 3.1.0.13, I was able to get the mrtg while running 2.6
>> version of squid, but once  moved to 3.1 version, I am not able to get
>> the mrtg graph at all, I would greatly appreciate if any
>> suggestions/clues what might have gone wrong on my mrtg setup.
>
> I did not see any reference to the Squid MIB from your mrtg config.
>
> Regards
> Henrik
>
>

Ooops! I missed  "LoadMIBs: /usr/local/etc/mrtg/squid.mib" line while
pasting it in my mail, yes it is there in my mrtg.cfg
btw mib.txt file is renamed as squid.mib.

Thanx for that quick reply
Regards
Babs

Re: [squid-users] Squid 3.1 with MRTG, Not able to get Graphs

[Henrik Nordström]

tor 2010-09-09 klockan 11:36 +0530 skrev Babu Chaliyath:
> Hi List,
> I am trying to get mrtg graphing of my squid box running freebsd 7.2
> with squid 3.1.0.13, I was able to get the mrtg while running 2.6
> version of squid, but once  moved to 3.1 version, I am not able to get
> the mrtg graph at all, I would greatly appreciate if any
> suggestions/clues what might have gone wrong on my mrtg setup.

I did not see any reference to the Squid MIB from your mrtg config.

Regards
Henrik

[squid-users] Squid 3.1 with MRTG, Not able to get Graphs

[Babu Chaliyath]

Hi List,
I am trying to get mrtg graphing of my squid box running freebsd 7.2
with squid 3.1.0.13, I was able to get the mrtg while running 2.6
version of squid, but once  moved to 3.1 version, I am not able to get
the mrtg graph at all, I would greatly appreciate if any
suggestions/clues what might have gone wrong on my mrtg setup.

System details as follows
OS verion FreeBSD 7.2
Squid version 3.1.0.13
mrtg version 2.16.2
my mrtg.cfg

##MRTG Configuration file ###
WorkDir: /home/www/mrtg/
Options[_]: bits,growright
logFormat: rrdtool

Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@localhost:3401
MaxBytes[proxy-hit]: 10
Title[proxy-hit]: HTTP Hits
Suppress[proxy-hit]: y
LegendI[proxy-hit]: HTTP hits
LegendO[proxy-hit]: HTTP requests
Legend1[proxy-hit]: HTTP hits
Legend2[proxy-hit]: HTTP requests
YLegend[proxy-hit]: perminute
ShortLegend[proxy-hit]: req/min
Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero,
growright, pngdate
PNGTitle[proxy-hit]: Proxy Hits

Target[proxy-srvkbinout]: cacheServerInKb&cacheServerOutKb:pub...@localhost:3401
MaxBytes[proxy-srvkbinout]: 76800
Title[proxy-srvkbinout]: Cache Server Traffic In/Out
Suppress[proxy-srvkbinout]: y
LegendI[proxy-srvkbinout]: Traffic In
LegendO[proxy-srvkbinout]: Traffic Out
Legend1[proxy-srvkbinout]: Traffic In
Legend2[proxy-srvkbinout]: Traffic Out
YLegend[proxy-srvkbinout]: per minute
ShortLegend[proxy-srvkbinout]: b/min
kMG[proxy-srvkbinout]: k,M,G,T
kilo[proxy-srvkbinout]: 1024
Options[proxy-srvkbinout]: nopercent, perminute, unknaszero, growright, pngdate
PNGTitle[proxy-srvkbinout]: Proxy Traffic In/Out

## End of MRTG Configuration ###

Kindly note that I can successfully run the following command too

#snmpwalk -m /usr/local/etc/squid/mib.txt -v2c -Cc -c public
localhost:3401 .1.3.6.1.4.1.3495.1.1

SQUID-MIB::cacheSysVMsize.0 = INTEGER: 16348
SQUID-MIB::cacheSysStorage.0 = INTEGER: 7535652
SQUID-MIB::cacheUptime.0 = Timeticks: (162270170) 18 days, 18:45:01.70

Pls let me know how can I get the graphing started
Thanx & Regards
Babs

Re: [squid-users] Squid 3.1 supporting NTLMv1 and v2 using negotiate

[Henrik Nordström]

mån 2010-06-21 klockan 19:11 +1000 skrev Rob Price:
> I have authentication via negotiate_kerb_auth working a charm, with a
> secondary helper for basic  via ntlm_auth
> 
> This works a charm. However the negotiate_kerb_auth helper only supports
> NTLMv2 and this causes some applications, mostly Web Conferencing
> applications, Live Meeting, WebEx etc, to fail authentication due to sending
> NTLMv1.

squid_kerb_auth do not support NTLM at all, only Kerberos.

Samba ntlm_auth supports NTLM version 1 & 2, plus Basic auth.

Your can run Squid with

Basic -> ntlm_auth
NTLM -> ntlm_auth
Negotiate -> squid_kerb_auth

which should cover pretty much all HTTP clients.

Regards
Henrik

[squid-users] Squid 3.1 supporting NTLMv1 and v2 using negotiate

[Rob Price]

I have authentication via negotiate_kerb_auth working a charm, with a
secondary helper for basic  via ntlm_auth

This works a charm. However the negotiate_kerb_auth helper only supports
NTLMv2 and this causes some applications, mostly Web Conferencing
applications, Live Meeting, WebEx etc, to fail authentication due to sending
NTLMv1.
I could add the sites involved to the "no auth" destinations, but would much
rather get the authentication working correctly.

I have seen some speculation that there may be a new negotiate helper in the
pipeline that will support both v1 and v2, is this true? 
If not, has anybody got 3.1 working with negotiate and a combination of
other helpers with such applications?

Thanks

Rob

Re: [squid-users] Squid 3.1 and strange "Bad header encountered" error

[David B.]

Le 08/06/2010 11:12, Amos Jeffries a écrit :
> David B. wrote:
>> Hi Squid users,
>>
>> I think I need some help to understand a new error with squid. :(
>> I've got several squid boxes, all in 3.0 branch (reverse proxy cache).
>> All is ok.
>>
>> Now, I've tried to upgrade one (and only one boxe) to 3.1 branch
>> (Starting Squid Cache version 3.1.3 for x86_64-pc-linux-gnu...).
>> This a debian package of squid.
>>
>> Several times a day, the new squid 3.1 give me theses errors :
>> 2010/06/07 20:14:15| WARNING: HTTP: Invalid Response: Bad header
>> encountered from http://mypeer_example.com/myimg.gif
>>  AKA
>> mypeer_example.com
>> .myimg.gif
>>
>> No errors like thos on all other 3.0 squid boxes.
>> No error or warning on the cache peer farm. :(
>>
>> This user seems to have a similar issue.
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582270
>>
>> Any idea ?
>>
>
> Bug in 3.1.3. Resolved in 3.1.4.
>
> Amos
Thank you Amos !

Re: [squid-users] Squid 3.1 and strange "Bad header encountered" error

[Amos Jeffries]

David B. wrote:

Hi Squid users,

I think I need some help to understand a new error with squid. :(
I've got several squid boxes, all in 3.0 branch (reverse proxy cache).
All is ok.

Now, I've tried to upgrade one (and only one boxe) to 3.1 branch
(Starting Squid Cache version 3.1.3 for x86_64-pc-linux-gnu...).
This a debian package of squid.

Several times a day, the new squid 3.1 give me theses errors :
2010/06/07 20:14:15| WARNING: HTTP: Invalid Response: Bad header
encountered from http://mypeer_example.com/myimg.gif
 AKA
mypeer_example.com
.myimg.gif

No errors like thos on all other 3.0 squid boxes.
No error or warning on the cache peer farm. :(

This user seems to have a similar issue.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582270

Any idea ?



Bug in 3.1.3. Resolved in 3.1.4.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4