Re: [squid-users] Squid 3.0.STABLE19 and TPROXY
On 25/04/2012 5:41 p.m., Kirk Hoganson wrote:
> On 04/24/2012 10:17 PM, Amos Jeffries wrote:
>> On 25/04/2012 2:54 p.m., Kirk Hoganson wrote:
>>> I modified the squid.conf to add support for TPROXY:
>>>
>>>   http_port 3128 transparent
>>>   http_port 3129 tproxy
>>>
>>> Or:
>>>
>>>   http_port 3128 tproxy
>>>
>>> Both changes result in the following error when attempting to start the daemon:
>>>
>>>   * Starting Squid HTTP Proxy 3.0 squid3
>>>   FATAL: Bungled squid.conf line 880: http_port 3129 tproxy
>>>   Squid Cache (Version 3.0.STABLE19): Terminated abnormally.
>>>   CPU Usage: 0.005 seconds = 0.002 user + 0.003 sys
>>>   Maximum Resident Size: 0 KB
>>>   Page faults with physical i/o: 0
>>>
>>> Host: Ubuntu 10.04
>>> Kernel: 2.6.18-028stab070.14
>>>
>>> Is this a configuration issue? By my reading of the documentation the syntax should be correct.
>>
>> http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29
>>
>> I recommend some upgrades. Ubuntu does not meet all of these requirements until the recent Natty release, and then still has some strange issues.
>>
>> Amos
>
> Do you know if either Debian 5.0 or CentOS 5 meet the minimum requirements? Those are currently my only other options.
>
> Kirk

I'm not sure about CentOS (what kernel does it have?), but Debian 5.0 is in the same position as Ubuntu 10.04; just a few package updates away from working. Debian 6.0 is known to be Okay.

Amos
[squid-users] Squid 3.0.STABLE19 and TPROXY
I modified the squid.conf to add support for TPROXY:

  http_port 3128 transparent
  http_port 3129 tproxy

Or:

  http_port 3128 tproxy

Both changes result in the following error when attempting to start the daemon:

  * Starting Squid HTTP Proxy 3.0 squid3
  FATAL: Bungled squid.conf line 880: http_port 3129 tproxy
  Squid Cache (Version 3.0.STABLE19): Terminated abnormally.
  CPU Usage: 0.005 seconds = 0.002 user + 0.003 sys
  Maximum Resident Size: 0 KB
  Page faults with physical i/o: 0

Host: Ubuntu 10.04
Kernel: 2.6.18-028stab070.14

Is this a configuration issue? By my reading of the documentation the syntax should be correct.

Kirk
Re: [squid-users] Squid 3.0.STABLE19 and TPROXY
On 25/04/2012 2:54 p.m., Kirk Hoganson wrote:
> I modified the squid.conf to add support for TPROXY:
>
>   http_port 3128 transparent
>   http_port 3129 tproxy
>
> Or:
>
>   http_port 3128 tproxy
>
> Both changes result in the following error when attempting to start the daemon:
>
>   * Starting Squid HTTP Proxy 3.0 squid3
>   FATAL: Bungled squid.conf line 880: http_port 3129 tproxy
>   Squid Cache (Version 3.0.STABLE19): Terminated abnormally.
>   CPU Usage: 0.005 seconds = 0.002 user + 0.003 sys
>   Maximum Resident Size: 0 KB
>   Page faults with physical i/o: 0
>
> Host: Ubuntu 10.04
> Kernel: 2.6.18-028stab070.14
>
> Is this a configuration issue? By my reading of the documentation the syntax should be correct.

http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29

I recommend some upgrades. Ubuntu does not meet all of these requirements until the recent Natty release, and then still has some strange issues.

Amos
Re: [squid-users] Squid 3.0.STABLE19 and TPROXY
On 04/24/2012 10:17 PM, Amos Jeffries wrote:
> On 25/04/2012 2:54 p.m., Kirk Hoganson wrote:
>> I modified the squid.conf to add support for TPROXY:
>>
>>   http_port 3128 transparent
>>   http_port 3129 tproxy
>>
>> Or:
>>
>>   http_port 3128 tproxy
>>
>> Both changes result in the following error when attempting to start the daemon:
>>
>>   * Starting Squid HTTP Proxy 3.0 squid3
>>   FATAL: Bungled squid.conf line 880: http_port 3129 tproxy
>>   Squid Cache (Version 3.0.STABLE19): Terminated abnormally.
>>   CPU Usage: 0.005 seconds = 0.002 user + 0.003 sys
>>   Maximum Resident Size: 0 KB
>>   Page faults with physical i/o: 0
>>
>> Host: Ubuntu 10.04
>> Kernel: 2.6.18-028stab070.14
>>
>> Is this a configuration issue? By my reading of the documentation the syntax should be correct.
>
> http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29
>
> I recommend some upgrades. Ubuntu does not meet all of these requirements until the recent Natty release, and then still has some strange issues.
>
> Amos

Do you know if either Debian 5.0 or CentOS 5 meet the minimum requirements? Those are currently my only other options.

Kirk
[squid-users] Squid 3.0 Stable-8 How to Hide or Spoof User Agent?
Squid 3.0 Stable-8: How to Hide or Spoof User Agent?

Does anyone know how to achieve this, or what entries are required for the .conf ?

I have all my lan traffic automatically routed through a transparent squid cache running squid 3.0 stable 8. And everything's working great, I just thought masking my user agents would be another nice layer of security.
Re: [squid-users] Squid 3.0 Stable-8 How to Hide or Spoof User Agent?
On 11/11/2011 12:43 p.m., someone wrote:
> Squid 3.0 Stable-8: How to Hide or Spoof User Agent?
>
> Does anyone know how to achieve this, or what entries are required for the .conf ?

Erasure:

  request_header_access User-Agent deny all

Spoofing (er, replacement) requires the erase above as well as a new value to insert:

  request_header_replace User-Agent some new text

The reply_header_replace was broken in 3.0 series. You need 3.0.STABLE26 for that to work.

Speaking of which, 3.0.stable8 is extremely old now. Please consider an upgrade. The current is 3.1.16 but you should at least have 3.0.STABLE26 for major security vulnerability protections.

> I have all my lan traffic automatically routed through a transparent squid cache running squid 3.0 stable 8. And everything's working great, I just thought masking my user agents would be another nice layer of security.

It is that and also a sure way to break any websites which rely on browser detection instead of modern CSS mechanisms to present browser-specific page formats. Unfortunately these are still common.

This is where the spoofing comes in. If you pick the spoofed browser carefully (for HTML and CSS compliance matching your agent) the damage is more restricted to sites which do that and also rely on those features your agent can't handle.

NP: if you have one of the modern compliant agents anyway (Firefox, Chrome, Safari, Opera) with plugins not adding themselves to the agent string there is much less data leakage and you don't actually have to worry about this.

Amos
[squid-users] Squid 3.0.STABLE26 is available
The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.0.STABLE26 release!

This release is a convenience release bundling the security and critical patches to 3.0.STABLE25 from the last 18 months.

NOTICE: There have been changes to the autotools systems used for packaging since the last 3.0 release. This package may not build and has known issues with autoconf older than 2.68.

Changes in this release:

- Regression: header_replace for reply headers
- Bug 3183: Invalid URL accepted with url host part of only '@'.
- Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
- Bug 3056: comm.cc !fd_table[fd].closing() assertion from helperServerFree
- Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
- Bug 2933: Verification of the max. port number for WCCP2 dynamic service
- Bug 2922: Fix assertion failed: HttpHeader.cc: Headers[id].stat.aliveCount
- Regression Bug 2899: Restore lost rfc1738_unescape() data type
- Regression Bug 2879: headers end finding
- Bug 2876: FD_SETSIZE override not working on all Linux distributions
- Check for NULL and empty strings before calling str*cmp().
- Correct parsing of large Gopher indexes

The critical patches contained in this release can be found in our changeset archives at:

  http://www.squid-cache.org/Versions/v3/3.0/changesets/SQUID_3_0_STABLE26.html

All users of Squid-3.0 are urged to upgrade as soon as possible. Preferably to the supported Squid-3.1 releases.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.0/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/3.0/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please ensure they exist within a supported release before filing a bug report.

  http://bugs.squid-cache.org/

Amos Jeffries
RE: [squid-users] Squid 3.0.STABLE26 is available
> - Correct parsing of large Gopher indexes

This gopher/WAIS... Does anyone use it actually? Yes maybe in 1994 or during the days of Wildcat BBS. I think developers should consider removing this code.

Jenny
Re: [squid-users] Squid 3.0.STABLE26 is available
On 28/08/11 21:19, Jenny Lee wrote:
>> - Correct parsing of large Gopher indexes
>
> This gopher/WAIS... Does anyone use it actually?

Yes, there are some. gopher:// is mostly automated index stuff for archives AFAIK. 'tis a fair bit safer and simpler than read-only FTP. WAIS is only supported by Squid in the form of wais:// URLs.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
RE: [squid-users] Squid 3.0.STABLE26 is available
> Date: Sun, 28 Aug 2011 23:26:25 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid 3.0.STABLE26 is available
>
> On 28/08/11 21:19, Jenny Lee wrote:
>>> - Correct parsing of large Gopher indexes
>>
>> This gopher/WAIS... Does anyone use it actually?
>
> Yes, there are some.

I strongly doubt anyone knows what these are let alone use them. Those were long before web. The only place I hear them after 1996 is on squid.

Jenny
Re: [squid-users] Squid 3.0.xx (on Opensuse) and problem with displaying www.oki.cz (Keepalive accounting)
Hi there,
I've upgraded Squid to 3.1.14.xx, problem is solved (checked on two proxy servers). Third will be replaced within 2 months, so I don't upgrade Squid now.
Thanks and best regards
J.K.

Quoting Amos Jeffries squ...@treenet.co.nz:

> On 29/07/11 00:05, Josef Karliak wrote:
>> Hi and thank for your reply, but there is no progress... detect_broken_pconn is off by default squid config, but it was enabled by default suse config. I've disabled it - no progress. Do you've any ideas ? I'll email to oki.cz of course ...
>> Thanks
>> Best regards
>> J.Karlia.
>
> Other than report it there is nothing you can actually do. Hopefully it is not a big impact problem. Just another thing dropping connections before they can be re-used. The actual transfer has been successful this is only a problem with the persistent connection reuse (and indirectly with things like NTLM auth which rely on pconn protecting against the load).
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.14
>   Beta testers wanted for 3.2.0.10

--
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and check. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
Re: [squid-users] Squid 3.0.xx (on Opensuse) and problem with displaying www.oki.cz (Keepalive accounting)
Hi and thank for your reply, but there is no progress... detect_broken_pconn is off by default squid config, but it was enabled by default suse config. I've disabled it - no progress. Do you've any ideas ? I'll email to oki.cz of course ...
Thanks
Best regards
J.Karlia.

Quoting Amos Jeffries squ...@treenet.co.nz:

> On 26/07/11 18:41, Josef Karliak wrote:
>> Hi there,
>> when I try to access to the www.oki.cz or some pages in the www.oki.com (-Support), I couldn't load the web page. In the log I see:
>>
>>   Jul 22 11:01:25 serrver squid[4194]: ctx: enter level 0: 'http://czech.oki.com/'
>>   Jul 22 11:01:25 serrver squid[4194]: keepaliveAccounting: Impossible keep-alive header from 'http://czech.oki.com/'
>>
>> I suppose that OKI switched to new pages and somehow they create bad header. Is it some way to accept it in the squid config ? Or where is a problem ?
>
> The server has asked Squid to keep the connection alive, then shoved an object into it which REQUIRES the connection to be closed immediately.
>
> You turned on detect_broken_pconn. Squid is simply obeying that directive and informing you about what it has detected.
> http://www.squid-cache.org/Doc/config/detect_broken_pconn/
>
> You can report the problem behaviour to the webmaster.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.14
>   Beta testers wanted for 3.2.0.10

--
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and check. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
Re: [squid-users] Squid 3.0.xx (on Opensuse) and problem with displaying www.oki.cz (Keepalive accounting)
On 29/07/11 00:05, Josef Karliak wrote:
> Hi and thank for your reply, but there is no progress... detect_broken_pconn is off by default squid config, but it was enabled by default suse config. I've disabled it - no progress. Do you've any ideas ? I'll email to oki.cz of course ...
> Thanks
> Best regards
> J.Karlia.

Other than report it there is nothing you can actually do. Hopefully it is not a big impact problem. Just another thing dropping connections before they can be re-used. The actual transfer has been successful this is only a problem with the persistent connection reuse (and indirectly with things like NTLM auth which rely on pconn protecting against the load).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
[squid-users] Squid 3.0.xx (on Opensuse) and problem with displaying www.oki.cz (Keepalive accounting)
Hi there,
when I try to access to the www.oki.cz or some pages in the www.oki.com (-Support), I couldn't load the web page. In the log I see:

  Jul 22 11:01:25 serrver squid[4194]: ctx: enter level 0: 'http://czech.oki.com/'
  Jul 22 11:01:25 serrver squid[4194]: keepaliveAccounting: Impossible keep-alive header from 'http://czech.oki.com/'

I suppose that OKI switched to new pages and somehow they create bad header. Is it some way to accept it in the squid config ? Or where is a problem ?
Thanks and best regards
J.K.

--
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and check. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
Re: [squid-users] Squid 3.0.xx (on Opensuse) and problem with displaying www.oki.cz (Keepalive accounting)
On 26/07/11 18:41, Josef Karliak wrote:
> Hi there,
> when I try to access to the www.oki.cz or some pages in the www.oki.com (-Support), I couldn't load the web page. In the log I see:
>
>   Jul 22 11:01:25 serrver squid[4194]: ctx: enter level 0: 'http://czech.oki.com/'
>   Jul 22 11:01:25 serrver squid[4194]: keepaliveAccounting: Impossible keep-alive header from 'http://czech.oki.com/'
>
> I suppose that OKI switched to new pages and somehow they create bad header. Is it some way to accept it in the squid config ? Or where is a problem ?

The server has asked Squid to keep the connection alive, then shoved an object into it which REQUIRES the connection to be closed immediately.

You turned on detect_broken_pconn. Squid is simply obeying that directive and informing you about what it has detected.
http://www.squid-cache.org/Doc/config/detect_broken_pconn/

You can report the problem behaviour to the webmaster.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
Re: [squid-users] Squid 3.0 icap HIT
On Sat, 6 Nov 2010, Luis Enrique Sanchez Arce wrote:
> When squid resolve the resource from cache does not send the answer to ICAP. How I can change this behavior?

You need a respmod_postcache hook, which unfortunately hasn't been implemented yet.

The workaround I use is to run two separate Squid instances - one of them does all the usual caching stuff and listens only on [::1]:3129. A second Squid instance runs with caching turned off entirely, forwarding requests to [::1]:3129. The second squid instance is configured to talk to the ICAP service. All the clients connect to the second instance.

My configuration for the non-caching Squid instance that talks to the ICAP server is here:
https://subversion.opendium.net/trac/free/browser/thirdparty/squid/trunk/extra_sources/squid-nocache.conf

This effectively provides a precache reqmod hook (reqmod_precache) and a postcache respmod hook (respmod_precache). The caching Squid would provide the same precache reqmod hook (reqmod_precache) and a precache respmod hook (respmod_precache), although I don't have a use for these myself.

It's a bit nasty, but it happens to work. :)

--
 - Steve Hill
   Technical Director
   Opendium Limited  http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:st...@opendium.com
   Email: st...@opendium.com
   Phone: sip:st...@opendium.com

Sales / enquiries contacts:
   Email: sa...@opendium.com
   Phone: +44-844-9791439 / sip:sa...@opendium.com

Support contacts:
   Email: supp...@opendium.com
   Phone: +44-844-4844916 / sip:supp...@opendium.com
[squid-users] Squid 3.0 icap HIT
When squid resolve the resource from cache does not send the answer to ICAP. How I can change this behavior? I use squid 3.0 STABLE8 and GreasySpoon (Implementation of icap protocol)
[squid-users] squid/3.0.STABLE7 - File Desc issues
Hi,

Our squid/3.0.STABLE7 is receiving the following Warnings...

  2010/09/07 18:29:59| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:30:15| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:30:31| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:30:47| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:31:03| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:31:19| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:31:35| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
  2010/09/07 18:31:51| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors

I understand that I had to File Descriptor in the squid.conf... I have changed .. /etc/squid/squid.conf added..

  max_filedesc 4096

and then started the squid services again. It then came back with it didn't recognize the variable and thus wouldn't start squid. I then had to remove the variable from the config file.

I am told the version of squid was found through..an RPM (redhat package manager) within Redhat I heard I might need to recompile?

I know details are a little sketchy, don't know a lot about Linux so you will have to forgive me there.

Thanks in advance for your time.

Shane
Re: [squid-users] squid/3.0.STABLE7 - File Desc issues
On Mon, 13 Sep 2010 09:01:03 +0800, veryg...@gmail.com wrote:
> Hi,
>
> Our squid/3.0.STABLE7 is receiving the following Warnings...
>
>   2010/09/07 18:29:59| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:30:15| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:30:31| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:30:47| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:31:03| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:31:19| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:31:35| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>   2010/09/07 18:31:51| client_side.cc(2690) WARNING! Your cache is running out of filedescriptors
>
> I understand that I had to File Descriptor in the squid.conf... I have changed .. /etc/squid/squid.conf added..
>
>   max_filedesc 4096
>
> and then started the squid services again. It then came back with it didn't recognize the variable and thus wouldn't start squid.

Yes 3.0 does not support that. Please try 3.1. Which is available on J.Skalas pages too
http://people.redhat.com/jskala/squid/

> I then had to remove the variable from the config file.
>
> I am told the version of squid was found through..an RPM (redhat package manager) within Redhat I heard I might need to recompile?
>
> I know details are a little sketchy, don't know a lot about Linux so you will have to forgive me there.

It should be enough to run

  ulimit -HSn 123

(where 123 is the number of filedescriptors you want). This needs to be run before building squid 3.0 and also before each time it is started. For other versions it's only needed each time Squid is run.

Amos
[squid-users] Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
Hi

I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a normal (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.

I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.

However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.

Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate . header.

In the Squid cache log it indicates:

  squid_kerb_auth: Got 'YR T1RMT...Dw==' from squid (length 59).
  squid_kerb_auth: received type 1 NTLM token

However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ to a domain controller then gets a ticket and then contacts Squid again at which point it authenticates.

In the Firefox log, just before the GET request, it shows:

  service = fqdn.of.squid.proxy
  using negotiate-sspi
  using SPN of [HTTP/fqdn.of.squid.proxy]]
  AcquireCredentailsHandle() succeeded
  nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
  entering nsAuthSSPI::GetNextToken()
  InitializeSecurityContext: continue
  Sending a token of length 40

Then after sending the GET request and receiving the Squid 407 response it shows:

  nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
  entering nsAuthSSPI::GetNextToken()
  Cannot restart authentication sequence!

Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in response to its HTTP1.1 Proxy-Connection: keep-alive GET request?

I am puzzled as to whether Squid, Firefox or IE is behaving as one would expect given the scenario? Does anyone have any ideas? If Squid and Firefox are behaving correctly but IE is doing a workaround then that is OK and I will need to live with the situation.

I am happy to perform additional debug work to investigate the problem further.

I have tried various settings in the Firefox about:config - network.negotiate-auth.trusted-uris configuration item, and other similar related settings mentioned in other posts but without success. Reading some Mozilla Dev postings over the last 12 months or so indicate there have been some issues with NTLM and Kerberos in various versions of Firefox but I think these have been addressed.

Thanks in advance

Paul Freeman
Re: [squid-users] Squid 3.0 hardening
On Wed, Apr 28, 2010 at 11:07 AM, Amos Jeffries wrote:
> Sagar wrote:
>> Hi All, Can anyone help me with squid 3.0 hardening checklist with benchmarks?
>
> Please explain? What type of hardening are you wanting?

Sagar wrote:
> Hi Amos,
> Am looking for standard settings for hardening squid application from security point of view. For ex. if I were to do a Vulnerability assessment on squid, what all settings should I generally check???

Firstly that the version is one of the current supported releases. They have the least bugs.

Then everything that has been changed in squid.conf from the in-use version's defaults.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
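The two checks named in the reply above (is the running version a supported release, and which active squid.conf settings differ from that version's defaults), sketched as an added example that is not part of the thread or of the Squid project. The sample `squid -v` line, both config texts and the function names are constructed for illustration; the supported-version set is supplied by the caller.

```python
import re

# First line of `squid -v`, e.g. "Squid Cache: Version 3.0.STABLE24".
VERSION_RE = re.compile(r"Squid Cache: Version (\S+)")
# Simplification (assumption): whitespace followed by '#' starts a trailing comment.
TRAILING_COMMENT_RE = re.compile(r"\s+#.*$")


def parse_version(squid_v_output):
    """Extract the version token from `squid -v` output, or None if absent."""
    match = VERSION_RE.search(squid_v_output)
    return match.group(1) if match else None


def active_directives(conf_text):
    """Map each directive name to its argument strings, in file order.

    Comment and blank lines are dropped and whitespace is normalised, so only
    settings that are actually in effect are compared.
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = TRAILING_COMMENT_RE.sub("", line)
        parts = line.split(None, 1)
        args = " ".join(parts[1].split()) if len(parts) > 1 else ""
        directives.setdefault(parts[0], []).append(args)
    return directives


def diff_from_defaults(current_text, default_text):
    """List (kind, directive, values) for every directive that deviates.

    Values are compared as ordered lists because directives such as
    http_access are evaluated top to bottom: a reorder is a real change.
    """
    current = active_directives(current_text)
    default = active_directives(default_text)
    changes = []
    for name, values in current.items():
        if name not in default:
            changes.append(("added", name, values))
        elif values != default[name]:
            changes.append(("changed", name, values))
    for name, values in default.items():
        if name not in current:
            changes.append(("removed", name, values))
    return changes


def audit(squid_v_output, current_text, default_text, supported_versions):
    """Run both checks and return one report dictionary."""
    version = parse_version(squid_v_output)
    return {
        "version": version,
        "supported": version in supported_versions,
        "changes": diff_from_defaults(current_text, default_text),
    }


# Constructed sample input (not taken from a real host).
CONSTRUCTED_SQUID_V = "Squid Cache: Version 3.0.STABLE24\nconfigure options: ..."
CONSTRUCTED_DEFAULT = """\
# stand-in for the defaults shipped with the installed version
acl Safe_ports port 80      # http
acl Safe_ports port 443     # https
http_access deny !Safe_ports
http_access allow localhost
http_access deny all
http_port 3128
"""
CONSTRUCTED_CURRENT = """\
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
http_access allow localhost
http_access deny !Safe_ports
http_access deny all
http_port 3128
request_header_access User-Agent deny all
"""

if __name__ == "__main__":
    # Supported set here is the one named in the signature above.
    report = audit(CONSTRUCTED_SQUID_V, CONSTRUCTED_CURRENT,
                   CONSTRUCTED_DEFAULT, {"2.7.STABLE9", "3.1.1"})
    print("version:", report["version"], "supported:", report["supported"])
    for kind, name, values in report["changes"]:
        print(kind, name, values)
```

On a real host the default text would come from the defaults file installed with the same Squid version, so that the comparison is against that version's defaults rather than a newer release's.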
[squid-users] Squid 3.0 hardening
Hi All, Can anyone help me with squid 3.0 hardening checklist with benchmarks? -- Regards. Sagar Navalkar. 9930493283
Re: [squid-users] Squid 3.0 hardening
Sagar wrote:
> Hi All, Can anyone help me with squid 3.0 hardening checklist with benchmarks?

Please explain? What type of hardening are you wanting?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
[squid-users] SQUID 3.0 STABLE20 +DANSGUARDIAN transparent mode (file uploads brokens)
Dear I'm using Squid + dansguardian in transparent mode. Squid and dansguardian are installed on the same computer. When using Dansguardian and uploading files more than 8Mb after severals seconds uploads are broked and navigators display a broken page error Files under 8Mb are correctly uploaded. Did anyone encounter the same problem ? here it is the squid.conf : auth_param basic credentialsttl 2 hour authenticate_ttl 1 hour authenticate_ip_ttl 60 seconds cache_effective_user squid cache_effective_group squid #- TWEEKS PERFORMANCES memory_pools off quick_abort_min 0 KB quick_abort_max 0 KB log_icp_queries off client_db off buffered_logs on half_closed_clients off #- acls acl malware_block_list url_regex -i /etc/squid3/malwares.acl acl blockedsites url_regex /etc/squid3/squid-block.acl acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl CONNECT method CONNECT acl office_network src 192.168.1.0/24 #- MAIN RULES... follow_x_forwarded_for allow localhost # - SAFE ports acl Safe_ports port 80 #http acl Safe_ports port 21 #ftp acl Safe_ports port 22 #ssh acl Safe_ports port 443 563 #https, snews acl Safe_ports port 1863#msn acl Safe_ports port 70 #gopher acl Safe_ports port 210 #wais acl Safe_ports port 1025-65535 #unregistered ports acl Safe_ports port 280 #http-mgmt acl Safe_ports port 488 #gss-http acl Safe_ports port 591 #filemaker acl Safe_ports port 777 #multiling http acl Safe_ports port 631 #cups acl Safe_ports port 873 #rsync acl Safe_ports port 901 #SWAT# http_access deny malware_block_list http_access deny blockedsites http_access allow localhost http_access deny !Safe_ports http_access deny all # - ident_lookup_access hierarchy_stoplist cgi-bin ? 
# - General settings visible_hostname proxyweb # - time-out dead_peer_timeout 10 seconds dns_timeout 2 minutes peer_connect_timeout 3 minutes connect_timeout 1600 seconds persistent_request_timeout 3 minutes pconn_timeout 1600 seconds # - Objects limits request_body_max_size 500 MB reply_body_max_size 0 request_header_max_size 10 KB maximum_object_size 300 MB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB # - timeouts #http ports http_port 23296 transparent # - Caches #cache_replacement_policy heap LFUDA cache_mem 8 MB cache_swap_high 90 cache_swap_low 95 # - DNS and ip caches ipcache_size 1024 ipcache_low 90 ipcache_high 95 fqdncache_size 1024 # - SPECIFIC DNS SERVERS debug_options ALL,1 refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 icp_port 3130 #Logs- emulate_httpd_log on coredump_dir/var/squid/cache cache_store_log /var/log/squid/store.log cache_log /var/log/squid/cache.log pid_filename/var/run/squid.pid access_log /var/log/squid/access.log cache_dir ufs /var/cache/squid 2000 16 256 # - OTHER CACHES Here it is the main dansguardian configuration file : reportinglevel = 3 groupname = 'Default rule' languagedir = '/etc/dansguardian/languages' language = 'ukenglish' loglevel = 3 logexceptionhits = 2 logfileformat = 2 loglocation = '/var/log/dansguardian/access.log' statlocation = '/var/log/dansguardian/stats' # #routing to squid proxy port : 23296 but local port is 3128 filterip = filterport = 3128 proxyip = 127.0.0.1 proxyport = 23296 originalip = off # accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl' nonstandarddelimiter = on usecustombannedimage = on custombannedimagefile = '/etc/dansguardian/transparent1x1.gif' filtergroups = 1 bannediplist = '/etc/dansguardian/bannediplist' exceptioniplist = /etc/dansguardian/exceptioniplist' banneduserlist = '/etc/dansguardian/banneduserlist' exceptionuserlist = '/etc/dansguardian/exceptionuserlist' exceptionphraselist = 
'/etc/dansguardian/lists/exceptionphraselist' exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist' showweightedfound = on weightedphrasemode = 2 urlcachenumber = 1000 urlcacheage = 900 scancleancache = on phrasefiltermode = 2 preservecase = 0 hexdecodecontent = off forcequicksearch = off reverseaddresslookups = off reverseclientiplookups = off logclienthostnames = off createlistcachefiles = on maxuploadsize = -1 maxcontentfiltersize = 256 maxcontentramcachescansize = 2000 maxcontentfilecachescansize = 2 filecachedir = '/tmp' deletedownloadedtempfiles = on initialtrickledelay = 20 trickledelay = 10 #downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf' downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf' #downloadmanager = '/etc/dansguardian/downloadmanagers/trickle.conf' #- AV/ICAP contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf' contentscannertimeout = 60 contentscanexceptions = off recheckreplacedurls = off forwardedfor = on
Re: [squid-users] SQUID 3.0.STABLE24 : NTLM+SAMBA/WINBINDD BH Helper detected protocol error
On Wed, 07 Apr 2010 22:44:02 +0200, David Touzeau da...@touzeau.eu wrote:
> Dear
>
> I have installed samba + winbindd on the Squid computer and configured it as PDC.
>
> Squid is compiled as:
>
> Squid Cache: Version 3.0.STABLE24
> configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for' '--with-maxfd=32000' '--with-large-files' '--disable-dlmalloc' '--with-pthreads' '--enable-esi' '--enable-storeio=aufs,diskd,ufs' '--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log' '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl' '--enable-basic-auth-helpers=LDAP' '--enable-truncate' '--enable-linux-netfilter' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-basic-auth-helpers=LDAP,MSNT,multi-domain-NTLM,SMB' '--enable-ntlm-auth-helpers=SMB,no_check' '--with-default-user=squid' '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support' '--enable-poll' '--enable-epoll' '--enable-async-io' '--enable-delay-pools' '--enable-ssl' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
>
> NTLM events in debug mode are:
>
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
> ntlm-auth[18942](ntlm_auth.c:287): managing request
> ntlm-auth[18942](ntlm_auth.c:293): ntlm authenticator. Got 'david.touzeau 54321' from Squid
> ntlm-auth[18942](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
>
> Here is my squid conf:
>
> auth_param ntlm program /usr/lib/squid3/ntlm_auth -d WORKGROUP/debian503-http
> auth_param basic program /usr/lib/squid3/ntlm_auth -d WORKGROUP/debian503-http
> auth_param ntlm children 5
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> #- NTLM ACL settings
> acl ntlm_users proxy_auth REQUIRED
>
> and smb.conf is:
>
> [global]
> workgroup=WORKGROUP
> netbios name=debian503-http
> server string=%h server
> disable netbios=no
>
> How can I resolve it?

Try the ntlm_auth helper provided by Samba. The squid one does not do full NTLM.

Amos
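The helper debug output quoted above shows ntlm_auth receiving 'user password' pairs, which is the request format of Squid's basic scheme, while an NTLM helper expects YR or KK requests; the posted squid.conf runs the same ntlm_auth binary for both schemes. The following Python is an added example, not part of the thread and not Squid or Samba code: it pairs each helper request with its reply, flags that mismatch, and masks the password so the log can be shared. The function names and the constructed sample lines (user, password, PIDs, source line numbers) are assumptions.

```python
import base64
import binascii
import re

# Line shapes taken from the ntlm_auth debug output quoted in the thread.
PID_RE = re.compile(r"ntlm-auth\[(?P<pid>\d+)\]")
GOT_RE = re.compile(r"Got '(?P<req>.*)' from Squid")
SENT_RE = re.compile(r"sending '(?P<rep>.*)' to squid")

# Constructed sample (not from the thread): one basic-style request sent to
# the NTLM helper, and one well-formed NTLM request for comparison.
SAMPLE_LOG = """\
ntlm-auth[4101](ntlm_auth.c:287): managing request
ntlm-auth[4101](ntlm_auth.c:293): ntlm authenticator. Got 'alice s3cret' from Squid
ntlm-auth[4101](ntlm_auth.c:444): sending 'BH Helper detected protocol error' to squid
ntlm-auth[4102](ntlm_auth.c:293): ntlm authenticator. Got 'KK Y29uc3RydWN0ZWQ=' from Squid
ntlm-auth[4102](ntlm_auth.c:0): sending 'AF alice' to squid
"""


def _is_base64(token):
    """True if token is non-empty, strictly valid base64."""
    if not token:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify_request(req):
    """Return 'ntlm', 'basic-like' or 'unknown' for one helper request."""
    parts = req.split(" ")
    if parts[0] in ("YR", "KK"):
        blob_ok = len(parts) == 2 and _is_base64(parts[1])
        # YR may arrive bare; KK must carry the client's base64 blob.
        if blob_ok or (parts[0] == "YR" and len(parts) == 1):
            return "ntlm"
        return "unknown"
    if len(parts) == 2 and all(parts):
        return "basic-like"  # "username password", as the basic scheme sends
    return "unknown"


def redact_request(req, kind):
    """Keep enough of the request to diagnose, drop secrets."""
    parts = req.split(" ")
    if kind == "basic-like":
        return parts[0] + " ********"
    if kind == "ntlm":
        return parts[0] + (" <blob>" if len(parts) == 2 else "")
    return "<unrecognised, %d chars>" % len(req)


def analyze_helper_log(lines):
    """Pair each request with the helper's next reply, per helper PID."""
    pending, findings = {}, []
    for line in lines:
        pid_match = PID_RE.search(line)
        if not pid_match:
            continue
        pid = pid_match.group("pid")
        got = GOT_RE.search(line)
        if got:
            kind = classify_request(got.group("req"))
            pending[pid] = (kind, redact_request(got.group("req"), kind))
            continue
        sent = SENT_RE.search(line)
        if sent and pid in pending:
            kind, shown = pending.pop(pid)
            code = sent.group("rep").split(" ", 1)[0]
            findings.append({
                "pid": pid, "kind": kind, "request": shown, "reply": code,
                # BH in answer to a non-NTLM request: wrong helper for the scheme
                "mismatch": kind != "ntlm" and code == "BH",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_helper_log(SAMPLE_LOG.splitlines()):
        print(finding)
```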
[squid-users] Squid 3.0.STABLE25 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE25 release!

This release fixes a few regression issues from earlier 3.0 releases and resolves several digest authentication issues.

Digest authentication has been re-written for true compliance with standards, resolving a number of long outstanding issues with Squid-2.x as well as the Squid-3.x series.

All Squid-3.0 users needing digest authentication are advised to upgrade to this release as soon as possible.

Following our planned release timetable: All users of Squid-3.0 are encouraged to plan for upgrades within the year. Support for Squid-3.0 will officially cease with the release of Squid-3.1.1, which is expected to occur in 2-4 weeks.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.0/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
[squid-users] Squid 3.0 - Problems with IE forcing a Page-Reload
Hello, we use Squid 3.0 as reverse proxy for multiple domains which are hosted on different servers. It is no problem to force a page reload with Firefox (Shift/Reload). However, with IE, it isn't possible to force Page-Reload at all. Why? Is there any special Configuration to effect Page-Reload with IE? regards jk
Re: [squid-users] Squid 3.0 - Problems with IE forcing a Page-Reload
Mon 2010-03-01 at 14:23 +0100, Jürgen Klein wrote:
> It is no problem to force a page reload with Firefox (Shift/Reload). However, with IE, it isn't possible to force Page-Reload at all. Why? Is there any special Configuration to effect Page-Reload with IE?

Depends on IE version. Some versions of IE do not indicate at all if Reload was used or not unless it's configured to use a proxy.

Regards
Henrik
RE: [squid-users] Squid 3.0 and blank page on www.freshports.org
Hello All,

I checked that the problem appears when I go to this site from my laptop with Windows 7 installed (from Firefox, Opera, IE - no matter). When I connect from a computer with Windows XP, all is OK. Any ideas?

-----Original Message-----
From: Vadim Abdulayev [mailto:serv...@elko.az]
Sent: Thursday, February 25, 2010 7:53 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid 3.0 and blank page on www.freshports.org

Hello all,

I have installed squid 3.0.STABLE24 on my FreeBSD 8.0 server in transparent mode. Everything works fine, but with the www.freshports.org site I have a problem. I see the home page of the site, but when I go to the description of any program (for example: http://www.freshports.org/deskutils/znotes/ ), I see a blank page. Without squid this site works fine.

Connection without squid:

wget -S http://www.freshports.org/deskutils/znotes/
--2010-02-25 19:25:02-- http://www.freshports.org/deskutils/znotes/
Resolving www.freshports.org... 206.127.23.226
Connecting to www.freshports.org|206.127.23.226|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 25 Feb 2010 15:25:04 GMT
  Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 PHP/5.2.12
  X-Powered-By: PHP/5.2.12
  Last-Modified: Thu, 25 Feb 2010 14:22:45 GMT
  ETag: 2010-02-25 14:22:45
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
  Content-Length: 25584
Length: 25584 (25K) [text/html]
Saving to: `index.html.2'
100%[==] 25,584 --.-K/s in 0.03s
2010-02-25 19:25:05 (971 KB/s) - `index.html.2' saved [25584/25584]

Connection with squid:

wget -S http://www.freshports.org/deskutils/znotes/
--2010-02-25 19:26:05-- http://www.freshports.org/deskutils/znotes/
Resolving www.freshports.org... 206.127.23.226
Connecting to www.freshports.org|206.127.23.226|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Date: Thu, 25 Feb 2010 15:26:07 GMT
  Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 PHP/5.2.12
  X-Powered-By: PHP/5.2.12
  Last-Modified: Thu, 25 Feb 2010 14:22:45 GMT
  ETag: 2010-02-25 14:22:45
  Content-Type: text/html
  X-Cache: MISS from gate.domen.local
  Via: 1.0 gate.domen.local (squid)
  Connection: close
  Content-Length: 0
Length: 0 [text/html]
Saving to: `index.html.3'
[ = ] 0 --.-K/s in 0s
2010-02-25 19:26:05 (0.00 B/s) - `index.html.3' saved [0/0]

Best regards,
Vadim.
[squid-users] Squid 3.0 and blank page on www.freshports.org
Hello all,

I have installed squid 3.0.STABLE24 on my FreeBSD 8.0 server in transparent mode. Everything works fine, but with the www.freshports.org site I have a problem. I see the home page of the site, but when I go to the description of any program (for example: http://www.freshports.org/deskutils/znotes/ ), I see a blank page. Without squid this site works fine.

Connection without squid:

wget -S http://www.freshports.org/deskutils/znotes/
--2010-02-25 19:25:02-- http://www.freshports.org/deskutils/znotes/
Resolving www.freshports.org... 206.127.23.226
Connecting to www.freshports.org|206.127.23.226|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 25 Feb 2010 15:25:04 GMT
  Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 PHP/5.2.12
  X-Powered-By: PHP/5.2.12
  Last-Modified: Thu, 25 Feb 2010 14:22:45 GMT
  ETag: 2010-02-25 14:22:45
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
  Content-Length: 25584
Length: 25584 (25K) [text/html]
Saving to: `index.html.2'
100%[==] 25,584 --.-K/s in 0.03s
2010-02-25 19:25:05 (971 KB/s) - `index.html.2' saved [25584/25584]

Connection with squid:

wget -S http://www.freshports.org/deskutils/znotes/
--2010-02-25 19:26:05-- http://www.freshports.org/deskutils/znotes/
Resolving www.freshports.org... 206.127.23.226
Connecting to www.freshports.org|206.127.23.226|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Date: Thu, 25 Feb 2010 15:26:07 GMT
  Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 PHP/5.2.12
  X-Powered-By: PHP/5.2.12
  Last-Modified: Thu, 25 Feb 2010 14:22:45 GMT
  ETag: 2010-02-25 14:22:45
  Content-Type: text/html
  X-Cache: MISS from gate.domen.local
  Via: 1.0 gate.domen.local (squid)
  Connection: close
  Content-Length: 0
Length: 0 [text/html]
Saving to: `index.html.3'
[ = ] 0 --.-K/s in 0s
2010-02-25 19:26:05 (0.00 B/s) - `index.html.3' saved [0/0]

Best regards,
Vadim.
[squid-users] Squid 3.0 and Linux 2.6 kernel tweaks
Hi All,

I searched through the mail archives and squid-cache site, but I’ve been unable to find anything that mentions any kernel tweaks that may or may not be necessary with a 2.6 kernel. I am mostly concerned with running high volume reverse proxy setups.

For example, back in the Squid v 2.6 days with 2.2 or 2.4 linux kernels I see lots of recommendations for raising the file descriptor limits to 8192 or 16384. With the 2.6 kernel it seems the default kernel params (at least in RHEL5) far exceed the fd kernel tweaks people used for 2.2 or 2.4 kernels. It would seem adding the ulimit -HSn 8192 would actually be decreasing the file descriptor limits from the 2.6 kernel defaults.

Also, what is the default value for --with-filedescriptors that Squid 3.0 STABLE24 supports? I don’t see that in the output of ./compile --help

I’d be happy to add a wiki page addressing the following scalability topics if someone points me to the correct location.
- Checking/Increasing the ephemeral port range
- Checking/increasing file descriptor limits
- Checking/decreasing TCP TIME_WAIT

Regards,
Andy

Andy Litzinger ▪ Sr. Network Engineer
o. 206.436.8086 ▪ f. 206.213.0606 ▪ http://www.theplatform.com
Re: [squid-users] Squid 3.0 and Linux 2.6 kernel tweaks
Fri 2010-02-19 at 10:10 -0800, Andy Litzinger wrote:
> For example, back in the Squid v 2.6 days with 2.2 or 2.4 linux kernels I see lots of recommendations for raising the file descriptor limits to 8192 or 16384. With the 2.6 kernel it seems the default kernel params (at least in RHEL5) far exceed the fd kernel tweaks people used for 2.2 or 2.4 kernels. It would seem adding the ulimit -HSn 8192 would actually be decreasing the file descriptor limits from the 2.6 kernel defaults.

2.6 kernel default ulimit is 1024.

> Also, what is the default value for --with-filedescriptors that Squid 3.0 STABLE24 supports? I don’t see that in the output of ./compile --help

On most systems the default is whatever the ulimit is set to when you run configure.

> I’d be happy to add a wiki page addressing the following scalability topics if someone points me to the correct location.
> - Checking/Increasing the ephemeral port range

Usually not needed unless you have many hundreds/s forwarded requests.

> - Checking/increasing file descriptor limits

Squid tells at startup what limit it is running under.

> - Checking/decreasing TCP TIME_WAIT

Usually not needed. Closely connected to the ephemeral port range issue mentioned above.

Regards
Henrik
RE: [squid-users] Squid 3.0 and Linux 2.6 kernel tweaks
> Fri 2010-02-19 at 10:10 -0800, Andy Litzinger wrote:
>> For example, back in the Squid v 2.6 days with 2.2 or 2.4 linux kernels I see lots of recommendations for raising the file descriptor limits to 8192 or 16384. With the 2.6 kernel it seems the default kernel params (at least in RHEL5) far exceed the fd kernel tweaks people used for 2.2 or 2.4 kernels. It would seem adding the ulimit -HSn 8192 would actually be decreasing the file descriptor limits from the 2.6 kernel defaults.
>
> 2.6 kernel default ulimit is 1024.

We run with stock kernels from CentOS/RHEL so I guess I meant in those the kernel and shell fd limits are way higher.

>> Also, what is the default value for --with-filedescriptors that Squid 3.0 STABLE24 supports? I don’t see that in the output of ./compile --help
>
> On most systems the default is whatever the ulimit is set to when you run configure.

Great, thanks. Is there any way to confirm this on a compiled squid, or is it best practice to define the value upon compilation?

>> I’d be happy to add a wiki page addressing the following scalability topics if someone points me to the correct location.
>> - Checking/Increasing the ephemeral port range
>
> Usually not needed unless you have many hundreds/s forwarded requests.
>
>> - Checking/increasing file descriptor limits
>
> Squid tells at startup what limit it is running under.

I'm not sure I understand what you mean here. How/where does squid get this value? And I suppose I should have said checking/increasing the kernel file descriptor limits (/proc/sys/fs/file-max) and the shell file descriptor limits (ulimit -n).

>> - Checking/decreasing TCP TIME_WAIT
>
> Usually not needed. Closely connected to the ephemeral port range issue mentioned above.

I understand that TIME_WAIT and ephemeral port increases are not usually needed, but I am concerned with the case of reverse proxying thousands of very short lived requests per second. I suppose it's likely for the service to die long before I exhaust available resources, but at least I'll know I won't be bottlenecking anything.

I appreciate your feedback! I do think it would be valuable for this type of qualified information to make it into the wiki somewhere. I'll look for the process to do so, but if you have any hints as to where this info should live I would love to hear them.

Cheers,
Andy
RE: [squid-users] Squid 3.0 and Linux 2.6 kernel tweaks
Fri 2010-02-19 at 12:54 -0800, Andy Litzinger wrote:
> We run with stock kernels from CentOS/RHEL so I guess I meant in those the kernel and shell fd limits are way higher.

Are you sure they are by default? It's easy to configure anyhow.

>> On most systems the default is whatever the ulimit is set to when you run configure.
>
> Great, thanks. Is there any way to confirm this on a compiled squid, or is it best practice to define the value upon compilation?

Unfortunately not.

> I'm not sure I understand what you mean here. How/where does squid get this value? And I suppose I should have said checking/increasing the kernel file descriptor limits (/proc/sys/fs/file-max) and the shell file descriptor limits (ulimit -n).

ulimit is the primary limit. file-max is related, but the system global limit. Should be bigger than ulimit obviously.

Squid reports its current limit in cache.log at startup.

> I understand that TIME_WAIT and ephemeral port increases are not usually needed, but I am concerned with the case of reverse proxying thousands of very short lived requests per second. I suppose it's likely for the service to die long before I exhaust available resources, but at least I'll know I won't be bottlenecking anything.

Again it depends on the traffic pattern. The important number for TIME_WAIT ports is the number of connections Squid makes to the web servers, not really the number of connections it is receiving.

> I appreciate your feedback! I do think it would be valuable for this type of qualified information to make it into the wiki somewhere. I'll look for the process to do so, but if you have any hints as to where this info should live I would love to hear them.

Instructions on how to contribute to the wiki are given on the wiki first page, second paragraph. http://wiki.squid-cache.org/

Regards
Henrik
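Henrik's answers above come down to three checks: the per-process ulimit is the primary limit, file-max must exceed it, and TIME_WAIT pressure depends on the connections Squid opens to the web servers. The following Python is an added example (not from the thread or the Squid project) that reads those values on Linux and does the arithmetic. The function names, the constructed cache.log sample, the 60-second TIME_WAIT figure for Linux and the single-backend port budget are assumptions of this sketch.

```python
import re

TIME_WAIT_SECONDS = 60  # assumption: Linux holds closed sockets in TIME_WAIT for 60 s

# Startup line in which Squid reports the limit it is running under.
FD_LINE = re.compile(r"With (\d+) file descriptors available")

# Constructed cache.log excerpt (not from the thread).
SAMPLE_CACHE_LOG = (
    "2010/02/19 12:54:01| Starting Squid Cache version 3.0.STABLE24\n"
    "2010/02/19 12:54:01| With 1024 file descriptors available\n"
)


def squid_fd_limit(cache_log_text):
    """Limit from the most recent startup in cache.log, or None if absent."""
    hits = FD_LINE.findall(cache_log_text)
    return int(hits[-1]) if hits else None


def parse_port_range(text):
    """Parse the 'low high' pair from /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = (int(field) for field in text.split())
    if not 0 < low <= high <= 65535:
        raise ValueError("implausible port range: %r" % text)
    return low, high


def outbound_rate_ceiling(port_range, time_wait=TIME_WAIT_SECONDS):
    """New connections/s to ONE backend ip:port before ports run out.

    Worst case: Squid closes first, so every finished connection parks its
    local port in TIME_WAIT for time_wait seconds.
    """
    low, high = port_range
    return (high - low + 1) // time_wait


def assess(shell_nofile, file_max, port_range, squid_fds, backend_rate):
    """Return (code, message) findings; an empty list means nothing to fix."""
    findings = []
    if file_max <= shell_nofile:
        findings.append(("file-max-too-low",
                         "fs.file-max %d is not above ulimit -n %d"
                         % (file_max, shell_nofile)))
    if squid_fds is None:
        findings.append(("no-startup-line",
                         "cache.log has no file descriptor line"))
    elif squid_fds < shell_nofile:
        # The build-time value (ulimit when configure ran) caps the process.
        findings.append(("squid-below-ulimit",
                         "Squid runs with %d FDs although ulimit -n is %d"
                         % (squid_fds, shell_nofile)))
    ceiling = outbound_rate_ceiling(port_range)
    if backend_rate > ceiling:
        findings.append(("port-budget",
                         "%d conn/s to one backend exceeds the ~%d/s the "
                         "ephemeral range sustains" % (backend_rate, ceiling)))
    return findings


def read_live_values():
    """Collect ulimit -n, fs.file-max and the ephemeral range on Linux."""
    import resource
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    with open("/proc/sys/fs/file-max") as handle:
        file_max = int(handle.read())
    with open("/proc/sys/net/ipv4/ip_local_port_range") as handle:
        ports = parse_port_range(handle.read())
    return soft, file_max, ports


if __name__ == "__main__":
    try:
        nofile, file_max, ports = read_live_values()
    except (OSError, ImportError) as exc:
        print("live values unavailable:", exc)
    else:
        limit = squid_fd_limit(SAMPLE_CACHE_LOG)
        for code, message in assess(nofile, file_max, ports, limit, 800):
            print(code, "-", message)
```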
[squid-users] Squid 3.0.STABLE24 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE24 release!

This release contains the fix for Advisory SQUID-2010:2 Remote Denial of Service in HTCP.

All Squid-3.0 users needing HTCP support are advised to upgrade to this release as soon as possible.

All Squid-3.0 users not needing HTCP support please check that htcp_port settings have been removed from your squid.conf file.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.0/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
[squid-users] Squid 3.0.STABLE23 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE23 release!

This is a correction on 3.0.STABLE22 which has now been withdrawn from circulation.

The fix for Advisory SQUID-2010:1 included in the 3.0.STABLE22 bundle was incomplete, leaving that release vulnerable. The correct fix has been included in this release.

All Squid-3.0 users are urged to upgrade to this release as soon as possible.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
[squid-users] Squid 3.0.STABLE22 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE22 release!

A few large and notable changes:

* Advisory SQUID-2010:1 Denial of Service issue in DNS handling is resolved by this release.

* A minor regression has been resolved in configuration file parsing where an error in a sub-include was not halting Squid properly. In some setups this could result in squid starting with inconsistent configuration state. This is now fixed.

* Under certain conditions of variant handling Squid was downloading entire copies of objects before passing them on to the client. This has been resolved by this release.

* An upper limit has been placed on the number of external_acl_type result entries which may be cached by Squid. Under some configurations the result cache could grow to consume enormous amounts of memory, appearing as if a memory leak was occurring. Users are reminded that the external_acl_type has a cache=N configuration setting to limit the memory used when the format options may result in numerous variations.

All Squid-3.0 users are urged to upgrade to this release as soon as possible.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
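The 3.0.STABLE24 announcement above asks that htcp_port lines be removed when HTCP is not needed, and this 3.0.STABLE22 announcement recommends cache=N on external_acl_type and mentions configuration spread over sub-includes. The following Python is an added example (not Squid project code) that checks a squid.conf for both while following include lines. The finding names, the file names and the constructed sample configuration are assumptions.

```python
# Constructed sample configuration (not from the announcements), held in
# memory as {path: text} so the example runs without touching the disk.
SAMPLE_FILES = {
    "squid.conf": (
        "http_port 3128\n"
        "# htcp_port 4827\n"
        "include /etc/squid3/acl.conf\n"
        "include /etc/squid3/peers.conf\n"
        "external_acl_type grp ttl=300 cache=1000 %LOGIN "
        "/usr/lib/squid3/wbinfo_group.pl\n"
    ),
    "/etc/squid3/acl.conf": (
        "external_acl_type ipuser ttl=60 %SRC "
        "/usr/lib/squid3/ip_user_check -f /etc/squid3/ip_user.conf\n"
    ),
    "/etc/squid3/peers.conf": "htcp_port 4827\n",
}


def external_acl_options(tokens):
    """Option names of an external_acl_type line.

    Options sit between the ACL type name and the first format code
    (%...) or helper path (/...).
    """
    names = []
    for token in tokens[2:]:
        if token.startswith(("%", "/")):
            break
        names.append(token.split("=", 1)[0])
    return names


def audit(files, entry="squid.conf", _seen=None):
    """Return (file, line number, finding) tuples in reading order."""
    seen = _seen if _seen is not None else set()
    if entry in seen:          # include loop: do not descend twice
        return []
    seen.add(entry)
    if entry not in files:
        return [(entry, 0, "include-missing")]

    findings = []
    for lineno, raw in enumerate(files[entry].splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue           # blank line or comment
        directive = tokens[0]
        if directive == "include":
            for target in tokens[1:]:
                findings.extend(audit(files, target, seen))
        elif directive == "htcp_port":
            # The announcement asks for these lines to be gone entirely
            # on proxies that do not need HTCP.
            findings.append((entry, lineno, "htcp_port-set"))
        elif directive == "external_acl_type":
            if "cache" not in external_acl_options(tokens):
                findings.append((entry, lineno, "external_acl-no-cache-limit"))
    return findings


if __name__ == "__main__":
    for path, lineno, finding in audit(SAMPLE_FILES):
        print("%s:%d: %s" % (path, lineno, finding))
```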
RE: [squid-users] Squid 3.0 stable20 crash
) at ../include/splay.h:126
#5 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6aa70) at ../include/splay.h:126
#6 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6aa90) at ../include/splay.h:126
#7 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6aab0) at ../include/splay.h:126
#8 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6aad0) at ../include/splay.h:126
#9 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6aaf0) at ../include/splay.h:126
#10 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ab10) at ../include/splay.h:126
#11 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ab30) at ../include/splay.h:126
#12 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ac50) at ../include/splay.h:126
#13 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ac70) at ../include/splay.h:126
#14 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ac90) at ../include/splay.h:126
#15 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6acb0) at ../include/splay.h:126
#16 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6acd0) at ../include/splay.h:126
#17 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ac20) at ../include/splay.h:126
#18 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ab50) at ../include/splay.h:126
#19 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ab70) at ../include/splay.h:126
#20 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc6ab90) at ../include/splay.h:126
#21 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bd00) at ../include/splay.h:126
#22 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bd20) at ../include/splay.h:126
#23 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bd40) at ../include/splay.h:126
#24 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bd60) at ../include/splay.h:126
#25 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bd80) at ../include/splay.h:126
#26 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bda0) at ../include/splay.h:126
#27 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bdc0) at ../include/splay.h:126
#28 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bde0) at ../include/splay.h:126
#29 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8be00) at ../include/splay.h:126
#30 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8be20) at ../include/splay.h:126
#31 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8be40) at ../include/splay.h:126
#32 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8be60) at ../include/splay.h:126
#33 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8be80) at ../include/splay.h:126
#34 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bea0) at ../include/splay.h:126
#35 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bec0) at ../include/splay.h:126
#36 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bee0) at ../include/splay.h:126
#37 0x004df4b5 in SplayNode<mem_node*>::start (this=0x3fc8bf00) at ../include/splay.h:126

-----Original Message-----
From: Kingsley Foreman [mailto:kings...@internode.com.au]
Sent: Friday, 29 January 2010 5:32 AM
To: Amos Jeffries; squid-users@squid-cache.org
Subject: RE: [squid-users] Squid 3.0 stable20 crash

I should ask, because I know someone will have an idea how to do it here rather than googling it.

How do you add core dumping and debug symbols when building squid?

Kingsley

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 29 January 2010 12:13 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.0 stable20 crash

Kingsley Foreman wrote:
> I've been getting some crashes in squid, anything ranging from 1 per day to about 5
>
> So far I have this information.
>
> From debugging cache.log I've replaced the URLs with ..

<snip>

> 2010/01/28 22:35:08.202| comm_calliocallback: 0
> 2010/01/28 22:35:08.202| commio_call_callback: called for 20
> 2010/01/28 22:35:08.202| client_side.cc(1299) clientWriteBodyComplete schedules clientWriteComplete
> 2010/01/28 22:35:08.202| clientWriteComplete: FD 20, sz 1878, err 0, off 1159773875, len 0x7f7d1d8afa50
> 2010/01/28 22:35:08.202| client_side_reply.cc(944) storeOKTransferDone out.offset=1159773605 objectLen()=1159773870 headers_sz=265
> 2010/01/28 22:35:08.202| clientReplyStatus: transfer is DONE
> 2010/01/28 22:35:08.202| clientReplyStatus: stream was not expected to complete!
> 2010/01/28 22:35:08.202| client_side.cc(1566) initiateClose: closing for STREAM_UNPLANNED_COMPLETE|STREAM_FAILED
> 2010/01/28 22:35:08.202| comm_close: FD 20
> 2010/01/28 22:35:08.202| commSetTimeout: FD 20 timeout -1
> 2010/01/28 22:35:08.202| commio_complete_callback: called for 20 (-10, 11)
> 2010/01/28 22:35:08.202| commio_call_callback: called for 20
[squid-users] Squid 3.0 stable20 crash
I've been getting some crashes in squid, anything ranging from 1 per day to about 5

So far I have this information.

From debugging cache.log I've replaced the URLs with ..

2010/01/28 22:35:08.202| clientPackMoreRanges: out: start: 1159767631 spec[0]: [0, 1159773605), len: 1159773605 debt: 5974
2010/01/28 22:35:08.202| clientStreamRead: Calling 1 with cbdata 0x7f7d1efd8620 from node 0xbdbf68
2010/01/28 22:35:08.202| store_client::copy: 239DA444F4446A2B976F900A9B348824, from 1159767896, for length 4096, cb 1, cbdata 0x7f7d1efd7568
2010/01/28 22:35:08.202| storeClientCopy2: 239DA444F4446A2B976F900A9B348824
2010/01/28 22:35:08.202| store_client::doCopy: co: 1159767896, hi: 1159773870
2010/01/28 22:35:08.202| store_client::doCopy: Copying normal from memory
2010/01/28 22:35:08.202| memCopy: [1159767896,1159771992)
2010/01/28 22:35:08.202| clientReplyContext::sendMoreData: http://, 1159771992 bytes (4096 new bytes)
2010/01/28 22:35:08.202| clientReplyContext::sendMoreData: FD 20 'http://out.offset=1159767631
2010/01/28 22:35:08.202| clientStreamCallback: Calling 1 with cbdata 0x7f7d1effb3f0 from node 0xbdbee8
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| ClientSocketContext::canPackMoreRanges: returning 1
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 5974
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: was 5974 now 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| comm_write: FD 20: sz 4096: hndl 1: data 0x7f7d1effa388.
2010/01/28 22:35:08.202| commHandleWrite: FD 20: off 0, sz 4096.
2010/01/28 22:35:08.202| commHandleWrite: write() returns 4096
2010/01/28 22:35:08.202| commio_complete_callback: called for 20 (0, 11)
2010/01/28 22:35:08.202| comm_iocallbackpending: 0
2010/01/28 22:35:08.202| comm_calliocallback: 0
2010/01/28 22:35:08.202| comm_calliocallback: 0
2010/01/28 22:35:08.202| commio_call_callback: called for 20
2010/01/28 22:35:08.202| client_side.cc(1299) clientWriteBodyComplete schedules clientWriteComplete
2010/01/28 22:35:08.202| clientWriteComplete: FD 20, sz 4096, err 0, off 1159771997, len 0x7f7d1d8afa50
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| ClientSocketContext::canPackMoreRanges: returning 1
2010/01/28 22:35:08.202| ClientSocketContext::pullData: FD 20
2010/01/28 22:35:08.202| ClientSocketContext::getNextRangeOffset: http offset 1159771727
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| ClientSocketContext::canPackMoreRanges: returning 1
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| clientPackMoreRanges: in: offset: 1159771727
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| clientPackMoreRanges: out: start: 1159771727 spec[0]: [0, 1159773605), len: 1159773605 debt: 1878
2010/01/28 22:35:08.202| clientStreamRead: Calling 1 with cbdata 0x7f7d1efd8620 from node 0xbdbf68
2010/01/28 22:35:08.202| store_client::copy: 239DA444F4446A2B976F900A9B348824, from 1159771992, for length 4096, cb 1, cbdata 0x7f7d1efd7568
2010/01/28 22:35:08.202| storeClientCopy2: 239DA444F4446A2B976F900A9B348824
2010/01/28 22:35:08.202| store_client::doCopy: co: 1159771992, hi: 1159773870
2010/01/28 22:35:08.202| store_client::doCopy: Copying normal from memory
2010/01/28 22:35:08.202| memCopy: [1159771992,1159776088)
2010/01/28 22:35:08.202| clientReplyContext::sendMoreData: http://.., 1159773870 bytes (1878 new bytes)
2010/01/28 22:35:08.202| clientReplyContext::sendMoreData: FD 20 'http://.. out.offset=1159771727
2010/01/28 22:35:08.202| clientStreamCallback: Calling 1 with cbdata 0x7f7d1effb3f0 from node 0xbdbee8
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| ClientSocketContext::canPackMoreRanges: returning 1
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 1878
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: was 1878 now 0
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 0
2010/01/28 22:35:08.202| HttpHdrRangeIter::debt: debt is 0
2010/01/28 22:35:08.202|
Re: [squid-users] Squid 3.0 stable20 crash
Kingsley Foreman wrote:
> I've been getting some crashes in squid, anything ranging from 1 per day to about 5
>
> So far I have this information.
>
> From debugging cache.log I've replaced the URLs with ..

<snip>

> 2010/01/28 22:35:08.202| comm_calliocallback: 0
> 2010/01/28 22:35:08.202| commio_call_callback: called for 20
> 2010/01/28 22:35:08.202| client_side.cc(1299) clientWriteBodyComplete schedules clientWriteComplete
> 2010/01/28 22:35:08.202| clientWriteComplete: FD 20, sz 1878, err 0, off 1159773875, len 0x7f7d1d8afa50
> 2010/01/28 22:35:08.202| client_side_reply.cc(944) storeOKTransferDone out.offset=1159773605 objectLen()=1159773870 headers_sz=265
> 2010/01/28 22:35:08.202| clientReplyStatus: transfer is DONE
> 2010/01/28 22:35:08.202| clientReplyStatus: stream was not expected to complete!
> 2010/01/28 22:35:08.202| client_side.cc(1566) initiateClose: closing for STREAM_UNPLANNED_COMPLETE|STREAM_FAILED
> 2010/01/28 22:35:08.202| comm_close: FD 20
> 2010/01/28 22:35:08.202| commSetTimeout: FD 20 timeout -1
> 2010/01/28 22:35:08.202| commio_complete_callback: called for 20 (-10, 11)
> 2010/01/28 22:35:08.202| commio_call_callback: called for 20
> 2010/01/28 22:35:08.202| client_side.cc(2541) clientReadRequest FD 20 size 0
> 2010/01/28 22:35:08.202| commCallCloseHandlers: FD 20
> 2010/01/28 22:35:08.202| commCallCloseHandlers: ch-handler=1 data=0xbcb1c8
> 2010/01/28 22:35:08.202| ConnStateData::close: FD 20
> 2010/01/28 22:35:08.202| clientStreamDetach: Detaching node 0xbdbf68
> 2010/01/28 22:35:08.202| Freeing clientStreamNode 0xbdbf68
> 2010/01/28 22:35:08.202| clientStreamDetach: Calling 1 with cbdata 0x7f7d1efd8620
> 2010/01/28 22:35:08.202| clientStreamDetach: Detaching node 0xbdbee8
> 2010/01/28 22:35:08.202| Freeing clientStreamNode 0xbdbee8
> 2010/01/28 22:35:08.202| storeUnregister: called for '239DA444F4446A2B976F900A9B348824'
> 2010/01/28 22:35:08.202| storePendingNClients: returning 0
> 2010/01/28 22:35:08.202| StoreEntry::unlock: key '239DA444F4446A2B976F900A9B348824' count=1
> 2010/01/28 22:35:08.202| httpRequestFree: http://.
> 2010/01/28 22:35:08.203| ACLChecklist::~ACLChecklist: destroyed 0xbe7dc8
> 2010/01/28 22:35:08.203| cleaning hdr: 0x2530eae0 owner: 3
> 2010/01/28 22:35:08.203| cleaning hdr: 0x2530eae0 owner: 3
> 2010/01/28 22:35:08.203| StoreEntry::unlock: key '239DA444F4446A2B976F900A9B348824' count=0
> 2010/01/28 22:35:08.203| storePendingNClients: returning 0
> 2010/01/28 22:35:08.203| UFSSwapDir::dereference: referencing 0x7f7d1d8afa50 1/4125
> 2010/01/28 22:35:08.203| HeapKeyGen_StoreEntry_LRU: 239DA444F4446A2B976F900A9B348824 heap_age=1.00 lastref=1264672683.00
> 2010/01/28 22:35:08.203| HeapKeyGen_StoreEntry_LRU: url=http://.
> 2010/01/28 22:35:08.203| StoreEntry::purgeMem: Freeing memory-copy of 239DA444F4446A2B976F900A9B348824
> 2010/01/28 22:35:08.203| store.cc(378) destroyMemObject 0x1d3a9b10
> 2010/01/28 22:35:08.203| MemObject.cc(97) del MemObject 0x1d3a9b10
>
> And a coredump

Yay!

<snip>

> Core was generated by `/usr/sbin/squid -NCd1 -f /etc/squid/squid-fe-8084.conf'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x004b2170 in ?? ()
> (gdb) bt
> #0 0x004b2170 in ?? ()
> #1 0x004b2197 in ?? ()
> #2 0x004b2197 in ?? ()
> #3 0x004b2197 in ?? ()
> #4 0x004b2197 in ?? ()
> #5 0x004b2197 in ?? ()
> #6 0x004b2197 in ?? ()
> #7 0x004b2197 in ?? ()
> #8 0x004b2197 in ?? ()
> #9 0x004b2197 in ?? ()
> #10 0x004b2197 in ?? ()

<snip>

Oh fudge. Absolutely useless. Does look to be a very deep recursion problem somewhere though..

> Any suggestions would be great
>
> Kingsley

Step 1) will be to build or get a binary of Squid which includes both the core dumping and debug symbols. Run that through at least one crash to get a usable core. Then the stack trace in the core will provide info to use for step (2).

http://wiki.squid-cache.org/SquidFaq/BugReporting

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
Current Beta Squid 3.1.0.15
RE: [squid-users] Squid 3.0 stable20 crash
I should ask, because I know someone will have an idea how to do it here rather than googling it

How do you add core dumping and debug symbols when building squid?

Kingsley

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 29 January 2010 12:13 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.0 stable20 crash
[squid-users] squid 3.0 Stable20 - need help
hi,

First I tried to run squid as transparent (interception) proxy; that didn't work. Browsing and other internet usage became too inconsistent. Too many break ups were occurring and all of a sudden browsing stop and restart after some time ranging from a 30 seconds to a few minutes. Hitting F5 keys numerous times opens up the page. I used this rule from http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall to redirect traffic to squid on port 3128

#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE   ORIGINAL
#                                            PORT(S)  DEST
ACCEPT    $FW     net   tcp    www
REDIRECT  loc     3128  tcp    www           -        -

Now I am running as non-transparent mode. Browsing is working fine but there are a few major problems I'm facing:

1. All users have to enter proxy settings in default browsers. Now some applications don't have proxy setting and some don't work with proxy servers. These applications are having great difficulty with this new proxy setting hence users getting frustrated.

2. Ideally squid should only interfere with port 80 traffic and rest of the traffic should be handled by shorewall as before but it seems like this is not happening. I am using these rules as mentioned in following link http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall with non-transparent proxy in my rules file:

Squid as a Manual Proxy

/etc/shorewall/rules:

#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     $FW   tcp    3128
ACCEPT   $FW     net   tcp    80

Now I have these questions, if anyone can answer, it might help me:

Q-1 - Does placement of both rules above (transparent / non-transparent) in rules file is significant? I am placing these rules on first line in rules file right now in both cases.

Q-2 - Do I need to modify any other shorewall file if I install squid on same machine (firewall) as the shorewall?

Q-3 - What do I need to do to let https traffic go through proxy as well? If I modify rule in 2nd line as 80,443 and check squid access.log, TCP_DENIED shows up although SSL_Ports Safe_Ports are both allowed access explicitly in squid.

Q-4: If I have a link to access as (apology for being so kinky, but I'm exhausted by config fixes b/w shorewall squid) as

https://64.50.169.94:20098

Where should this traffic go, to shorewall or squid (in case 2nd line reads as 80,443)

http://w.x.y.z:8080

where should this traffic go provided that squid is listening for port 80 traffic (http). Does port 8080 in URL change its traffic type from http(port 80)?

Q-5 - Do I need to setup something in squid to let people use a code repository running on a remote server of URL like http://w.x.y.z:8080/ requiring users to authenticate to access code? I see requests going through but returned with TCP_MISS/401 (Unauthorized) and user get an error message on application interface as you are not authorized to access this server users give correct username/pwd on the box that appears for authentication.

--
Regards,
Asim Ahmed Khan
[squid-users] Squid 3.0 as reverse proxy
Hi List,

I use a Squid Cache version 3.0.STABLE16 as reverse proxy on an 100Mb server (hosted by Iliad) to cache my web sites running on my home connection (1024Kb Max).

This configuration Works pretty fine, but I have troubles to cache some images (jpg|png) with a particular url:

For example, I have a photos gallery where the link to download the original picture (biggest size) has a ? at the end:

http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?

In the access log I can see that this object is not cached:

23/Nov/2009:15:17:43 +0100.960 12372 84.207.23.135 TCP_MISS/200 1313021 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html? - DEFAULT_PARENT/sl01 image/jpeg

(store.log, may be helpful:
1258985863.960 RELEASE -1 B8B54D74210C1D0090AA8E1390D77D9C 200 1258985851 1258985851 375007920 image/jpeg -1/1312295 GET http://gallery.wenske.fr/wallpapers/holland_dream_2560x1600.jpg.html?)

I suppose that's due to this directive in the squid.conf:

hierarchy_stoplist cgi-bin ?

Is it possible to enable caching for this kind of url? Maybe with a regex?

Thanks for your help,

Sébastien WENSKE

- the complete squid.conf -

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl all src
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 88.191.97.6:80 accel vhost
acl dest_site dstdomain blog.canardwc.com gallery.wenske.fr verdin.canardwc.com
acl dest_addr dst 10.0.1.5
acl dest_port port 80
cache_peer 10.0.1.5 parent 80 0 name=sl01 no-query originserver default
cache_peer_access sl01 allow dest_site
http_access allow dest_addr dest_port
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 2048 16 256
minimum_object_size 0 KB
maximum_object_size 64096 KB
logformat squid %tl.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt
access_log /var/log/squid/reverse-proxy_access.log squid
cache_log /var/log/squid/reverse-proxy_cache.log
cache_store_log /var/log/squid/reverse-proxy_store.log
pid_filename /var/run/reverse-proxy.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname sl03.wenske.local
cache_mgr x
#icp_port 3130
coredump_dir /var/cache
[squid-users] squid 3.0 as reverse proxy and apache log at back-end
Hi again,

In my previous mail I explained that I'm using a squid reverse proxy with high bandwidth to cache my apache at home. They are connected by VPN, and I would know if it is possible to get original IP in my apache logs.

Currently I see only the squid local IP:

sl03.wenske.local - - [23/Nov/2009:17:39:23 +0100] GET / HTTP/1.0 200 6761

I've tried some configuration with forwarded-for and follow_x_forwarded_for with no success.

Thanks,

Sébastien WENSKE
Re: [squid-users] squid 3.0 as reverse proxy and apache log at back-end
Mon 2009-11-23 at 17:41 +0100, Sébastien WENSKE wrote:

In my previous mail I explained that I'm using a squid reverse proxy with high bandwidth to cache my apache at home. They are connected by VPN, and I would know if it is possible to get original IP in my apache logs.

Yes. You need to configure Apache to log the X-Forwarded-For header sent by Squid.

Regards
Henrik
RE: [squid-users] squid 3.0 as reverse proxy and apache log at back-end
Many thanks Henrik!

I have added these two directives in apache2.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" reverse_proxy

and

SetEnvIf X-Forwarded-For ^.*\..*\..*\..* is-forwarder

And in my vhost:

CustomLog /var/log/apache2/blog.log reverse_proxy env=is-forwarder
CustomLog /var/log/apache2/blog.log combined env=!is-forwarder

This works pretty fine.

Best regards,

Sébastien WENSKE

-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Tuesday, 24 November 2009 00:25
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid 3.0 as reverse proxy and apache log at back-end

Mon 2009-11-23 at 17:41 +0100, Sébastien WENSKE wrote:

In my previous mail I explained that I'm using a squid reverse proxy with high bandwidth to cache my apache at home. They are connected by VPN, and I would know if it is possible to get original IP in my apache logs.

Yes. You need to configure Apache to log the X-Forwarded-For header sent by Squid.

Regards
Henrik
RE: [squid-users] squid 3.0 as reverse proxy and apache log at back-end
On Tue, 24 Nov 2009 01:27:30 +0100, Sébastien WENSKE sebast...@wenske.fr wrote:

Many thanks Henrik!

I have added these two directives in apache2.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" reverse_proxy

and

SetEnvIf X-Forwarded-For ^.*\..*\..*\..* is-forwarder

And in my vhost:

CustomLog /var/log/apache2/blog.log reverse_proxy env=is-forwarder
CustomLog /var/log/apache2/blog.log combined env=!is-forwarder

This works pretty fine.

Careful though with XFF. I'd put quotes around it too. As ISPs move into layering NAT and proxy gateways, or if you extend your own CDN vertically, you can expect it to contain more than one IP with maybe some whitespace between them.

Amos
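Added example, not part of the thread: a log reader for the LogFormat above with the X-Forwarded-For field quoted as the reply suggests, handling a value that holds several addresses separated by commas or whitespace. Squid appends the address it accepted the connection from, so the reader walks the list from the right and skips only proxies you run yourself; entries further left are whatever the client side sent. The trusted network, the sample log lines and all function names are assumptions made for this example.

```python
import ipaddress
import re

# The thread's LogFormat with the X-Forwarded-For field wrapped in quotes, so
# a multi-address value stays one log field.
LOG_RE = re.compile(
    r'^"(?P<xff>[^"]*)" (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The SetEnvIf pattern from the thread: it only checks for three dots.
THREAD_SETENVIF_RE = re.compile(r"^.*\..*\..*\..*")

# Assumption: networks of proxies we operate; their entries may be skipped.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample lines (documentation address ranges), not real traffic.
TAIL = ' - - [24/Nov/2009:01:30:00 +0100] "GET / HTTP/1.0" 200 6761 "-" "ExampleAgent/1.0"'
SAMPLE_LINES = [
    '"203.0.113.7"' + TAIL,                         # one address
    '"198.51.100.9, 203.0.113.7"' + TAIL,           # comma and space
    '"198.51.100.9 203.0.113.7  10.0.1.9"' + TAIL,  # whitespace only, own proxy last
    '"unknown"' + TAIL,                             # not an address
    '"not.an.ip.address"' + TAIL,                   # passes the three-dot pattern
]


def parse_xff(value):
    """Return the header entries in order; None marks a token that is not an IP."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            entries.append(ipaddress.ip_address(token))
        except ValueError:
            entries.append(None)
    return entries


def is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(xff_value):
    """Right-most entry that was not written about one of our own proxies.

    Stops at the first unparsable token instead of guessing past it.
    """
    for entry in reversed(parse_xff(xff_value)):
        if entry is None:
            return None
        if not is_trusted(entry):
            return entry
    return None


def parse_log_line(line):
    """Parse one log line; returns a dict, or None if the layout does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["client"] = client_address(rec["xff"])
    # Would the thread's SetEnvIf pattern have set is-forwarder for this value?
    rec["env_would_match"] = bool(THREAD_SETENVIF_RE.search(rec["xff"]))
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_log_line(line)
        print(f'{rec["xff"]!r:45} client={rec["client"]} '
              f'is-forwarder={rec["env_would_match"]}')
```

The last sample shows that the three-dot pattern selects the log format but does not validate the value, so the address check belongs in whatever consumes the log.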
[squid-users] Squid 3.0 Stable 19 Installation Problems
hey list,

I wanted to install Squid onto a Debian system. I Have correctly configured it on a virtual machine and now wanted to deploy squid on a real computer. I am getting many errors and don't know how to solve them.

At first, i copied the output of 'squid3 -v' of the VM to my real machines './configure' script. it looks like this:

configure options:
'--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include'
'--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,coss,diskd' '--enable-removal-policies=lru,heap'
'--enable-poll' '--enable-delay-pools' '--enable-cache-digests' '--enable-snmp'
'--enable-htcp' '--enable-select' '--enable-carp' '--enable-large-files'
'--enable-underscores' '--enable-icap-client' '--enable-auth=basic,digest,ntlm'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=SMB' '--enable-digest-auth-helpers=ldap,password'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-epoll'
'--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CC=cc'
'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2'

This didn't work because i didn't have SASL installed. So i tried installing SASL2 using apt-get, which eventually worked fine. But rerunning the configure-script gave me the same error. I searched for a solution, but the only one i found suggested disabling SASL. This was accomplished by changing the options to this:

'-enable-basic-auth-helpers=all'

Then i got the error that coss is not supported by squid3. so i disabled that by deleting it from '--enable-storeio='

Now i have the problem that db_185 is not found. i have BerkeleyDB 4.8 installed though...

squid_session.c:51:20: Error:db_185.h: File not found.

What can i do about this? Does db_185.h have anything to do with Berkeley at all?

And when i get all these compiling errors, how in the world did the people who made the image i downloaded use all these config options and still be able to get a functioning squid?
Re: [squid-users] Squid 3.0 Stable 19 Installation Problems
On Tue, 17 Nov 2009 14:57:23 +0100, david.kauffm...@it-partner.de wrote:

And when i get all these compiling errors, how in the world did the people who made the image i downloaded use all these config options and still be able to get a functioning squid?

The package is built after installing all the build dependency packages.
http://packages.debian.org/source/lenny-backports/squid3

FWIW; I recommend using the packaged versions of software on Debian. If you continue the self-build elide the options for features you are not going to use. The flags can also be dropped as the Squid build process detects the right ones for the compiler being used.

Amos
[squid-users] Squid 3.0.STABLE20 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE20 release!

This release contains a number of bug fixes on earlier releases.

An outstanding issue with code 304 and code 200 replies being mixed up has now been resolved. This means requests which need to refresh cache objects will not cause temporary client software failures.

New support has been added for the GNU/kFreeBSD operating system by Debian.

Large file support detection has been improved to enable LFS on a wider range of systems.

Digest and LDAP helpers have been reviewed and several regressions in helpers, digest transfer and LDAP TLS are now resolved.

Gopher protocol has now been tested and some previously hidden regressions have been closed.

ESI has been reviewed and tested. The custom parser has been fixed for correct parsing on FreeBSD and possibly derived OS.

All Squid-3.0 users are encouraged to upgrade to this release.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
Re: [squid-users] squid 3.0
Tue 2009-09-22 at 18:31 +0530, vikas rawat wrote:

I will install Squid3.x from source only, and squid2.x was by default installed in RHEL5.0. I am not planning to run both 2.x and 3.x simultaneously. But if install 3.x and how to migrate from 2.x, OR if 3.x not give desired output how to rollback with 2.x.

Please note that there is RHEL compatible packages of Squid-3.0 available. See Download - Binary distributions.

Migration is

0. Make a backup copy of squid.conf
1. Install new version. (rpm -U if using the binary rpm)
2. Update squid.conf so it works with new version. See release-notes for some guidance on what needs changing. squid -k parse will also tell you.
3. Start new version.

Rollback is

1. Uninstall 3.0
2. Reinstall 2.6
3. Restore the old squid.conf
4. Start 2.6

Regards
Henrik
Re: [squid-users] squid 3.0
Thanks, But if i have both 2.6 and 3.0, will they not conflict. Vikas On Tue, Sep 22, 2009 at 9:40 AM, Amos Jeffries squ...@treenet.co.nz wrote: On Tue, 22 Sep 2009 09:31:52 +0530, vikas rawat rawat.vi...@gmail.com wrote: Hi, thanks, if i have both squid2.6 and squid3.0 than which would run. I mean when i will give (service squid start) which version of squid run. if i want to run squid3.0 what specific command to be fire. Whatever directory path and binary name you installed Squid-3.0 as. Also please if you are upgrading, go to the highest version (currently stable 19) available of the release being upgraded to. 3.0 has major security bugs all the way up to STABLE 18. And some big NTLM helper issues you may hit in anything older than 3.0.STABLE19. Amos vikas On Mon, Sep 21, 2009 at 11:01 PM, Jefferson Diego jeffersondie...@hotmail.com wrote: Em 21-09-2009 14:04, vikas rawat escreveu: Hi, I am using squid2.6.STABLE6-3.el5 on RHEL5.0, want to update with squid-3.0.STABLE9. could you guide me how to do that. 1. Shoudl i remove squid2.6 first and then install squid3.0. ? 2. Or should install squid3.0 w/o remove squid2.6. ? 3. Can i have both? 4. Is there any other best alternate. squid2.6 is working fince but facing problem to connecting FTP sites on IE7 and authentication with Active Directory. Thanks, Vikas 1. Not really. You can install squid3.0 in another directory (not in /usr/bin) and keep squid2.6... 2. You decide... 3. Yes, you can.
Re: [squid-users] squid 3.0
From: vikas rawat rawat.vi...@gmail.com But if i have both 2.6 and 3.0, will they not conflict. How did you install squid 3.x? from source or rpm? To keep both versions, you have to use different directories (install/conf/logs) and init.d scripts. Use ./configure --prefix=$DIR ... to compile squid 3.x and install it in directory $DIR (also see --sysconfdir) Then, copy /etc/init.d/squid and change the directories as needed. JD
Re: [squid-users] squid 3.0
John Doe wrote: From: vikas rawat rawat.vi...@gmail.com But if i have both 2.6 and 3.0, will they not conflict. How did you install squid 3.x? from source or rpm? To keep both versions, you have to use different directories (install/conf/logs) and init.d scripts. Use ./configure --prefix=$DIR ... to compile squid 3.x and install it in directory $DIR (also see --sysconfdir) Then, copy /etc/init.d/squid and change the directories as needed. JD They will also need their own squid.conf 2.x and 3.x have enough different settings and requirements to make them not able to share one. The logs and cache formats do not differ enough to be incompatible. Thats all if you wish to run them at separate times. If you wish to _run_ both versions simultaneously there are additional configuration details to be careful of keeping separate as well. The different squid.conf will help with this. see http://wiki.squid-cache.org/MultipleInstances for the list of settings that need to be unique. Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: [squid-users] squid 3.0
Hi,

I will install Squid3.x from source only, and squid2.x was by default installed in RHEL5.0. I am not planning to run both 2.x and 3.x simultaneously. But if install 3.x and how to migrate from 2.x, OR if 3.x not give desired output how to rollback with 2.x.

Thanks,
Vikas

On Tue, Sep 22, 2009 at 1:58 PM, John Doe jd...@yahoo.com wrote:

From: vikas rawat rawat.vi...@gmail.com

But if i have both 2.6 and 3.0, will they not conflict.

How did you install squid 3.x? from source or rpm? To keep both versions, you have to use different directories (install/conf/logs) and init.d scripts. Use ./configure --prefix=$DIR ... to compile squid 3.x and install it in directory $DIR (also see --sysconfdir) Then, copy /etc/init.d/squid and change the directories as needed.

JD
[squid-users] squid 3.0
Hi,

I am using squid2.6.STABLE6-3.el5 on RHEL5.0, want to update with squid-3.0.STABLE9. could you guide me how to do that.

1. Should i remove squid2.6 first and then install squid3.0. ?
2. Or should install squid3.0 w/o remove squid2.6. ?
3. Can i have both?
4. Is there any other best alternate.

squid2.6 is working fine but facing problem to connecting FTP sites on IE7 and authentication with Active Directory.

Thanks,
Vikas
Re: [squid-users] squid 3.0
On 21-09-2009 14:04, vikas rawat wrote:

Hi,

I am using squid2.6.STABLE6-3.el5 on RHEL5.0, want to update with squid-3.0.STABLE9. could you guide me how to do that.

1. Should i remove squid2.6 first and then install squid3.0. ?
2. Or should install squid3.0 w/o remove squid2.6. ?
3. Can i have both?
4. Is there any other best alternate.

squid2.6 is working fine but facing problem to connecting FTP sites on IE7 and authentication with Active Directory.

Thanks,
Vikas

1. Not really. You can install squid3.0 in another directory (not in /usr/bin) and keep squid2.6...
2. You decide...
3. Yes, you can.
Re: [squid-users] squid 3.0
Hi, thanks, if i have both squid2.6 and squid3.0 than which would run. I mean when i will give (service squid start) which version of squid run. if i want to run squid3.0 what specific command to be fire. vikas On Mon, Sep 21, 2009 at 11:01 PM, Jefferson Diego jeffersondie...@hotmail.com wrote: Em 21-09-2009 14:04, vikas rawat escreveu: Hi, I am using squid2.6.STABLE6-3.el5 on RHEL5.0, want to update with squid-3.0.STABLE9. could you guide me how to do that. 1. Shoudl i remove squid2.6 first and then install squid3.0. ? 2. Or should install squid3.0 w/o remove squid2.6. ? 3. Can i have both? 4. Is there any other best alternate. squid2.6 is working fince but facing problem to connecting FTP sites on IE7 and authentication with Active Directory. Thanks, Vikas 1. Not really. You can install squid3.0 in another directory (not in /usr/bin) and keep squid2.6... 2. You decide... 3. Yes, you can.
Re: [squid-users] squid 3.0
On Tue, 22 Sep 2009 09:31:52 +0530, vikas rawat rawat.vi...@gmail.com wrote: Hi, thanks, if i have both squid2.6 and squid3.0 than which would run. I mean when i will give (service squid start) which version of squid run. if i want to run squid3.0 what specific command to be fire. Whatever directory path and binary name you installed Squid-3.0 as. Also please if you are upgrading, go to the highest version (currently stable 19) available of the release being upgraded to. 3.0 has major security bugs all the way up to STABLE 18. And some big NTLM helper issues you may hit in anything older than 3.0.STABLE19. Amos vikas On Mon, Sep 21, 2009 at 11:01 PM, Jefferson Diego jeffersondie...@hotmail.com wrote: Em 21-09-2009 14:04, vikas rawat escreveu: Hi, I am using squid2.6.STABLE6-3.el5 on RHEL5.0, want to update with squid-3.0.STABLE9. could you guide me how to do that. 1. Shoudl i remove squid2.6 first and then install squid3.0. ? 2. Or should install squid3.0 w/o remove squid2.6. ? 3. Can i have both? 4. Is there any other best alternate. squid2.6 is working fince but facing problem to connecting FTP sites on IE7 and authentication with Active Directory. Thanks, Vikas 1. Not really. You can install squid3.0 in another directory (not in /usr/bin) and keep squid2.6... 2. You decide... 3. Yes, you can.
[squid-users] Squid 3.0.STABLE19 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE19 release!

This release contains a large number of bug fixes on earlier releases.

The most notable change is a collection of bugs within NTLM and Negotiate authentication. This release builds on many small fixes across earlier releases with a great simplification of NTLM handling. Which covers and resolves a wide array of possible issues not formally reported and a small few which were.

Another fix (Bug 2745) cleans up one final annoyance left after security advisory 2009:2. This is not a critical problem, but can lead to clients receiving unnecessary errors (fail-closed) when the network is slowed by load or long-distance requests.

There are also a number of other bugs fixed in this release.

- Bug 2739: DNS resolver option ndots can't be parsed from resolv.conf
- Bug 2734: some compile errors on Solaris
- Bug 2541: Hang in 100% CPU loop while extracting header details using a delimiter other than comma
- Add 0.0.0.0 as a to_localhost address
- ESI: Fix libxml2 magics was failing to be detected sometimes

Squid 3.0 users needing NTLM or Negotiate authentication are highly recommended to upgrade to this release at the earliest opportunity. Other 3.0 users are encouraged to upgrade as time permits.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
[squid-users] squid 3.0
Hi! how do i conf squid to allow x_forwarded ? when i enable it i get proxy:/usr/sbin# squid -k check 2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized: 'follow_x_forwarded_for' ./configure with -enable-follow-x-forwarded-for added to squid.conf acl localhost src 127.0.0.1/32 follow_x_forwarded_for allow localhost -- Med Vänliga Hälsningar Best Regards * Anders Larsson * Systemadmin Unix/Linux * Tietoenator PN * 831 48 ÖSTERSUND * Växel:+46 (0)63 664 63 00 * Fax: +46 (0)63 664 63 20 * Tel: +46 (0)10 481 98 01 * Mobil:+46 (0)70 656 42 64 * Mail: anders.lars...@tietoenator.com ** Debian is they way to salvation --- How Hard Can It Be ---
Re: [squid-users] squid 3.0
Anders Larsson wrote: Hi! how do i conf squid to allow x_forwarded ? when i enable it i get proxy:/usr/sbin# squid -k check 2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized: 'follow_x_forwarded_for' ./configure with -enable-follow-x-forwarded-for added to squid.conf acl localhost src 127.0.0.1/32 follow_x_forwarded_for allow localhost That feature is not present in 3.0. It was only ported to 3.1 and later. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18 Current Beta Squid 3.1.0.13
Re: [squid-users] squid 3.0
hmm ok.. thats bad. need that option or is there another way to get the ip adresses from the clients? On Tue, 2009-09-08 at 13:31 +0300, Amos Jeffries wrote: Anders Larsson wrote: Hi! how do i conf squid to allow x_forwarded ? when i enable it i get proxy:/usr/sbin# squid -k check 2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized: 'follow_x_forwarded_for' ./configure with -enable-follow-x-forwarded-for added to squid.conf acl localhost src 127.0.0.1/32 follow_x_forwarded_for allow localhost That feature is not present in 3.0. It was only ported to 3.1 and later. Amos -- Med Vänliga Hälsningar Best Regards * Anders Larsson * Systemadmin Unix/Linux * Tietoenator PN * 831 48 ÖSTERSUND * Växel:+46 (0)63 664 63 00 * Fax: +46 (0)63 664 63 20 * Tel: +46 (0)10 481 98 01 * Mobil:+46 (0)70 656 42 64 * Mail: anders.lars...@tietoenator.com ** Debian is they way to salvation --- How Hard Can It Be ---
Re: [squid-users] squid 3.0
Anders Larsson wrote:
> hmm ok.. that's bad. need that option or is there another way to get the ip addresses from the clients?

The follow_x_forwarded_for allows a parent cache to read the X-Forwarded-For header for logging (and possibly for ACLs). As long as you don't disable X-Forwarded-For (http://www.squid-cache.org/Doc/config/forwarded_for/ or http://www.squid-cache.org/Doc/config/header_access/), the header will be populated by Squid.

Chris
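What "following" X-Forwarded-For means for a parent cache that logs or filters on the client address, as an added example that is not part of this thread and not Squid's code: the header is read right to left, and only for as long as the host that handed it over is a proxy you trust. The trusted networks, addresses and function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption for this example: the child proxies whose X-Forwarded-For we follow
# (the equivalent of the hosts matched by "follow_x_forwarded_for allow ...").
TRUSTED_PROXIES = tuple(
    ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/24")
)


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr (an ip_address object) belongs to a proxy we follow."""
    return any(addr in net for net in trusted)


def indirect_client(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log and to match ACLs against.

    peer       -- source address of the TCP connection, as a string
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    current = ipaddress.ip_address(peer)
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    # Walk right to left: the rightmost entry was appended by the host that
    # connected to us, so it is only as reliable as that host. Anything to the
    # left of the first untrusted address is client-supplied and is ignored.
    while entries and is_trusted(current, trusted):
        candidate = entries.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            # "unknown" or junk in the list: stop at the last address that
            # could be verified instead of guessing.
            break
    return str(current)


# Constructed cases: (connecting peer, X-Forwarded-For value)
CASES = [
    ("203.0.113.9", "10.0.0.5"),                # direct client forging the header
    ("10.0.0.2", "198.51.100.7"),               # trusted child reports its client
    ("10.0.0.2", "192.0.2.66, 198.51.100.7"),   # client prepended a fake entry
    ("127.0.0.1", "198.51.100.7, 10.0.0.5"),    # two trusted hops in the chain
    ("10.0.0.2", "unknown"),                    # child hides its client
]

if __name__ == "__main__":
    for peer, header in CASES:
        print(f"{peer:<12} {header!r:<32} -> {indirect_client(peer, header)}")
```

The third case is the reason the walk stops at the first untrusted address: the left-hand entry arrived from outside the trusted proxies and never reaches the log or the ACL.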
[squid-users] Squid-3.0.STABLExx and ntlm_auth
Hi,

am I right that ntlm_auth (delivered with squid) supports only LM and neither NTLM nor NTLMv2 ?

I'm asking because all my Win-Clients can transparently access Inet via proxy, if local security settings are send LM and NTLM. When security setting is send only NTLM (as the default for e.g. Win Server 2003 Std) cache access is denied.

Thanks
Chris
Re: [squid-users] Squid-3.0.STABLExx and ntlm_auth
Sat 2009-08-15 at 13:32 +, Christian wrote:
> Hi,
> am I right that ntlm_auth (delivered with squid) supports only LM and neither NTLM nor NTLMv2 ?

Correct. And is why the Squid bundled helper has been renamed to ntlm_smb_lm_auth in later Squid versions to better reflect what it actually does.

Because of this and several other important reasons it's highly recommended to use ntlm_auth from Samba instead.

Regards
Henrik
Re: [squid-users] Squid-3.0.STABLExx and ntlm_auth
Hi Henrik,

thank you for your quick response :)

Regards
Chris

Henrik Nordstrom wrote:
> Sat 2009-08-15 at 13:32 +, Christian wrote:
>> Hi,
>> am I right that ntlm_auth (delivered with squid) supports only LM and neither NTLM nor NTLMv2 ?
>
> Correct. And is why the Squid bundled helper has been renamed to ntlm_smb_lm_auth in later Squid versions to better reflect what it actually does.
>
> Because of this and several other important reasons it's highly recommended to use ntlm_auth from Samba instead.
>
> Regards
> Henrik
Re: [squid-users] Squid 3.0.STABLE17 is available
Hi, Amos

Thank you for STABLE18! I'll try it!
By the way, squid-3.1.0.12 also has same problem, right ?

Sincerely,
--
Mikio Kishi

On Tue, Aug 4, 2009 at 8:15 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Tue, 4 Aug 2009 04:05:55 +0900, Mikio Kishi mki...@104.net wrote:
>> Hi,
>> I hope next release! When would you release STABLE18 ?
>
> Now that the fix is confirmed. Less than 24 hours. :)
>
> Amos
Re: [squid-users] Squid 3.0.STABLE17 is available
Mikio Kishi wrote:
> Hi, Amos
> Thank you for STABLE18! I'll try it!
> By the way, squid-3.1.0.12 also has same problem, right ?

Yes. And 3.1.0.13 to fix it there too.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
[squid-users] Squid 3.0.STABLE18 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE18 release!

This release has been brought forward to resolve two issues found in the prior release. One regression and one additional vulnerability case related to advisory SQUID-2009:2.

http://www.squid-cache.org/Advisories/SQUID-2009_2.txt

All users of Squid-3.0 are urgently advised to move up to this release.

There are also a number of other bugs fixed in this release.

- Bug 2732: reply_body_max_size smaller than error page loops infinitely until out of memory
- Bug 2725: pconn failure if domain or client_address are unset
- Bug 2648: reserved helpers not shut down after reconfigure/rotate
- Bug 2462: make check should tell when cppunit is missing

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.

http://bugs.squid-cache.org/

Amos Jeffries
Re: [squid-users] Squid 3.0.STABLE17 is available
Hi,

I hope next release! When would you release STABLE18 ?

Sincerely,
--
Mikio Kishi

On Sat, Aug 1, 2009 at 6:55 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> -p0 for Squid-3 patches.
>
> Anyway, in the interim the case appears to have been found. I've kicked the snapshots to get one that _should_ work properly and have all the polish patches included as well. Will be built in a few hours.
>
> Give that a try first off, if any problems are found in it we go after those.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>   Current Beta Squid 3.1.0.12
Re: [squid-users] Squid 3.0.STABLE17 is available
On Tue, 4 Aug 2009 04:05:55 +0900, Mikio Kishi mki...@104.net wrote:
> Hi,
> I hope next release! When would you release STABLE18 ?

Now that the fix is confirmed. Less than 24 hours. :)

Amos
Re: [squid-users] Squid 3.0.STABLE17 is available
Herbert Faleiros wrote:
> On Friday 31 July 2009 06:01:07 you wrote:
> [cut]
>> Okay. This gets rid of the assert and adds some debug instead. The reason for sending eof=1 when not at true EOF is not yet clear, so use carefully, but additional debugs are added when the flag is set.
>>
>> debug_options ... 11,9 for these.
>>
>> Amos
>
> Hi Amos,
>
> http.cc: In member function 'void HttpStateData::processReplyHeader()':
> http.cc:742: error: request for member 'size' in '((HttpStateData*)this)->HttpStateData::readBuf', which is of non-class type 'MemBuf*'
> http.cc: In member function 'void HttpStateData::readReply(size_t, comm_err_t, int)':
> http.cc:1013: error: expected primary-expression before '' token
> make[3]: *** [http.o] Error 1
> make[3]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
> make[2]: *** [install-recursive] Error 1
> make[2]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
> make[1]: *** [install] Error 2
> make[1]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
> make: *** [install-recursive] Error 1
>
> Do I have to apply this patch against what release? (daily snapshot?)
>
> I've had applied the other patch (to fix the previous BUG) plus this here (eof_debugs.patch) now.
>
> --
> Herbert

Yes, was written on the daily snapshot.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
  Current Beta Squid 3.1.0.12
Re: [squid-users] Squid 3.0.STABLE17 is available
Thomas Meier wrote:
> im also have this error:
>
> 2009/07/30 09:48:16| HttpMsg.cc(157) first line of HTTP message is invalid
> 2009/07/30 09:48:16| assertion failed: http.cc:738: !eof
> 2009/07/30 09:48:19| Starting Squid Cache version 3.0.STABLE17 for sparc-sun-solaris2.9...
> 2009/07/30 09:48:19| Process ID 17345
> 2009/07/30 09:48:19| With 32768 file descriptors available
> 2009/07/30 09:48:19| Performing DNS Tests...
> 2009/07/30 09:48:19| Successful DNS name lookup tests...
>
> 2009/07/30 09:47:38| assertion failed: http.cc:738: !eof
> 2009/07/30 09:48:16| assertion failed: http.cc:738: !eof
> 2009/07/30 09:48:46| assertion failed: http.cc:738: !eof
> 2009/07/30 09:48:58| assertion failed: http.cc:738: !eof
> 2009/07/30 09:49:44| assertion failed: http.cc:738: !eof
> 2009/07/30 09:49:53| assertion failed: http.cc:738: !eof
> 2009/07/30 09:50:02| assertion failed: http.cc:738: !eof
> 2009/07/30 09:51:33| assertion failed: http.cc:738: !eof
> 2009/07/30 09:51:39| assertion failed: http.cc:738: !eof
> 2009/07/30 09:51:45| assertion failed: http.cc:738: !eof
> 2009/07/30 09:52:26| assertion failed: http.cc:738: !eof
> 2009/07/30 09:53:02| assertion failed: http.cc:738: !eof
> 2009/07/30 09:53:12| assertion failed: http.cc:738: !eof
> 2009/07/30 09:53:22| assertion failed: http.cc:738: !eof
> 2009/07/30 09:53:30| assertion failed: http.cc:738: !eof
> 2009/07/30 09:54:32| assertion failed: http.cc:738: !eof
> 2009/07/30 09:55:35| assertion failed: http.cc:738: !eof
> 2009/07/30 09:57:04| assertion failed: http.cc:738: !eof
> 2009/07/30 09:57:41| assertion failed: http.cc:738: !eof
> 2009/07/30 09:57:57| assertion failed: http.cc:738: !eof
> 2009/07/30 09:58:22| assertion failed: http.cc:738: !eof
> 2009/07/30 09:59:31| assertion failed: http.cc:738: !eof
> 2009/07/30 09:59:44| assertion failed: http.cc:738: !eof
> 2009/07/30 09:59:59| assertion failed: http.cc:738: !eof
> 2009/07/30 10:01:13| assertion failed: http.cc:738: !eof
> 2009/07/30 10:01:48| assertion failed: http.cc:738: !eof
> 2009/07/30 10:02:29| assertion failed: http.cc:738: !eof
> 2009/07/30 10:02:34| assertion failed: http.cc:738: !eof
> 2009/07/30 10:02:41| assertion failed: http.cc:738: !eof
> 2009/07/30 10:03:51| assertion failed: http.cc:738: !eof
>
> back to stable 13 the good old unfixed Problem is back:
>
> 2009/07/30 11:05:05| tunnelReadServer: FD 377: read failure: (0) Error 0
> 2009/07/30 11:05:16| tunnelReadServer: FD 211: read failure: (0) Error 0
> 2009/07/30 11:05:20| tunnelReadServer: FD 462: read failure: (0) Error 0
> 2009/07/30 11:05:32| tunnelReadServer: FD 437: read failure: (0) Error 0
> 2009/07/30 11:05:36| tunnelReadServer: FD 340: read failure: (0) Error 0
> 2009/07/30 11:05:41| tunnelReadServer: FD 432: read failure: (0) Error 0
> 2009/07/30 11:06:13| assertion failed: store_client.cc:430: STORE_DISK_CLIENT == getType()
> 2009/07/30 11:06:18| Starting Squid Cache version 3.0.STABLE13 for sparc-sun-solaris2.9...
>
> On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:
> The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.
>
> 3.0.STABLE17-20090729 still crashing here (x86_64)...
>
> 2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
> 2009/07/29 16:07:45| assertion failed: http.cc:738: !eof
>
> I also applied (the patch from previous e-mail) against this version:
>
> patching file src/HttpMsg.cc
> patching file src/HttpReply.cc
> patching file src/HttpRequest.cc
> patching file src/pconn.cc
>
> The only solution here was downgrade to previous release... Any clue?
>
> It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there.
>
> I plan on spending more time over the weekend adding good tracing info to find it.

Okay. This gets rid of the assert and adds some debug instead.
The reason for sending eof=1 when not at true EOF is not yet clear, so use carefully, but additional debugs are added when the flag is set. debug_options ... 11,9 for these. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17 Current Beta Squid 3.1.0.12 === modified file 'src/http.cc' --- src/http.cc 2009-07-26 10:54:29 + +++ src/http.cc 2009-07-31 06:44:31 + @@ -710,42 +710,50 @@ HttpReply *newrep = new HttpReply; const bool parsed = newrep-parse(readBuf, eof, error); -if(!parsed readBuf-contentSize() 5 strncmp(readBuf-content(), HTTP/, 5) != 0){ - MemBuf *mb; - HttpReply *tmprep = new HttpReply; - tmprep-sline.version = HttpVersion(1, 0); - tmprep-sline.status = HTTP_OK; - tmprep-header.putTime(HDR_DATE, squid_curtime); - tmprep-header.putExt(X-Transformed-From, HTTP/0.9); - mb = tmprep-pack(); - newrep-parse(mb,
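Review bot: the patch header names only src/http.cc with two revision timestamps (2009-07-26 and 2009-07-31), and neither it nor the message says which tree the diff was cut from or which -p level it needs; state that it is against the daily snapshot and give the strip level, because a change that trades an assertion in the reply parser for debug output will be tried first on release trees in production. In the first hunk (@@ -710,42 +710,50 @@) the removed block that builds a replacement HttpReply for a server answer not starting with HTTP/ is cut off on this page before any added lines appear, so it cannot be checked whether that HTTP/0.9 handling is kept, moved or dropped; if it is dropped, the description should say so, since that changes how malformed server replies are treated and not only the assert.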
AW: [squid-users] Squid 3.0.STABLE17 is available
> Okay. This gets rid of the assert and adds some debug instead. The reason for sending eof=1 when not at true EOF is not yet clear, so use carefully, but additional debugs are added when the flag is set.
>
> debug_options ... 11,9 for these.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>   Current Beta Squid 3.1.0.12

Hi Amos,

thanks for your patch ! I tried to apply it like this :

squid-3.0.STABLE17/src$ patch --verbose -p1 /home/ jan/eof_debugs.patch
Hmm... Looks like a unified diff to me...
(Stripping trailing CRs from patch.)
The text leading up to this was:
--
|=== modified file 'src/http.cc'
|--- src/http.cc2009-07-26 10:54:29 +
|+++ src/http.cc2009-07-31 06:44:31 +
--
Patching file http.cc using Plan A...
Hunk #1 succeeded at 710.
Hunk #2 succeeded at 1010.
Hunk #3 succeeded at 1053.
Hmm... Ignoring the trailing garbage.
done

but $ make finally fails :(

http.cc: In member function 'void HttpStateData::processReplyHeader()':
http.cc:742: error: request for member 'size' in '((HttpStateData*)this)->HttpStateData::readBuf', which is of non-class type 'MemBuf*'
http.cc: In member function 'void HttpStateData::readReply(size_t, comm_err_t, int)':
http.cc:1013: error: expected primary-expression before '' token
make[3]: *** [http.o] Error 1
make[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE17/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE17/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE17/src'
make: *** [all-recursive] Error 1

kind regards,
Jan
Re: [squid-users] Squid 3.0.STABLE17 is available
On Friday 31 July 2009 06:01:07 you wrote:
[cut]
> Okay. This gets rid of the assert and adds some debug instead. The reason for sending eof=1 when not at true EOF is not yet clear, so use carefully, but additional debugs are added when the flag is set.
>
> debug_options ... 11,9 for these.
>
> Amos

Hi Amos,

http.cc: In member function 'void HttpStateData::processReplyHeader()':
http.cc:742: error: request for member 'size' in '((HttpStateData*)this)->HttpStateData::readBuf', which is of non-class type 'MemBuf*'
http.cc: In member function 'void HttpStateData::readReply(size_t, comm_err_t, int)':
http.cc:1013: error: expected primary-expression before '' token
make[3]: *** [http.o] Error 1
make[3]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
make[1]: *** [install] Error 2
make[1]: Leaving directory `/usr/src/squid/squid-3.0.STABLE17/src'
make: *** [install-recursive] Error 1

Do I have to apply this patch against what release? (daily snapshot?)

I've had applied the other patch (to fix the previous BUG) plus this here (eof_debugs.patch) now.

--
Herbert
AW: [squid-users] Squid 3.0.STABLE17 is available
hi Amos, dear list,

the problem

Jul 30 08:56:28 squid[2888]: ctx: enter level 0: 'http://www.riehen.ch/de/images/folgelebenskultur.jpg'
Jul 30 08:55:30 squid[2882]: assertion failed: http.cc:705: !eof
Jul 30 08:55:30 squid[2847]: Squid Parent: child process 2882 exited due to signal 6 with status 0
Jul 30 08:55:33 squid[2847]: Squid Parent: child process 2888 started

also appears also on i686 with Squid Cache version 3.1.0.12 but less frequently. I know this info is not precise helpful. I need to enable debug_options ALL,9 on my production system with real traffic. Downside is that the logs are growing up very quickly and finally the users get

ErrPage: ERR_CONNECT_FAIL
Err: (27) File too large

on their screen.

kind regards,
Jan

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 30 July 2009 03:37
To: Herbert Faleiros
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.0.STABLE17 is available

On Wed, 29 Jul 2009 16:18:16 -0300, Herbert Faleiros herb...@scwtelecom.com.br wrote:
> On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:
>> The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.
>
> 3.0.STABLE17-20090729 still crashing here (x86_64)...
>
> 2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
> 2009/07/29 16:07:45| assertion failed: http.cc:738: !eof
>
> I also applied (the patch from previous e-mail) against this version:
>
> patching file src/HttpMsg.cc
> patching file src/HttpReply.cc
> patching file src/HttpRequest.cc
> patching file src/pconn.cc
>
> The only solution here was downgrade to previous release... Any clue?

It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there.

I plan on spending more time over the weekend adding good tracing info to find it.

Amos
AW: [squid-users] Squid 3.0.STABLE17 is available
ok I now have enabled debug_options ALL,9 on version 3.1.0.12

2009/07/30 09:23:57.897| ctx: enter level 0: 'http://www.hao-li.com/favicon.ico'
2009/07/30 09:23:57.897| processReplyHeader: key '6C931D0F6E779E11100F17D2F019B090'
2009/07/30 09:23:57.897| init-ing hdr: 0x9aa39c0 owner: 3
2009/07/30 09:23:57.897| 0x9aa39c0 lookup for 39
2009/07/30 09:23:57.897| 0x9aa39c0 lookup for 9
2009/07/30 09:23:57.897| 0x9aa39c0 lookup for 22
2009/07/30 09:23:57.897| HttpMsg.cc(157) parse: first line of HTTP message is invalid
2009/07/30 09:23:57.897| assertion failed: http.cc:705: !eof
2009/07/30 09:24:00.947| enter_suid: PID 3016 taking root priveleges
2009/07/30 09:24:00.947| CacheManager::registerAction: registering legacy config
2009/07/30 09:24:00.947| CacheManager::findAction: looking for action config
2009/07/30 09:24:00.947| Action not found.
2009/07/30 09:24:00.947| CacheManager::registerAction: registered config
2009/07/30 09:24:00.947| Memory pools are 'on'; limit: 5.000 MB
2009/07/30 09:24:00.947| CacheManager::registerAction: registering legacy comm_epoll_incoming
2009/07/30 09:24:00.947| CacheManager::findAction: looking for action comm_epoll_incoming
2009/07/30 09:24:00.947| Action not found.
2009/07/30 09:24:00.947| CacheManager::registerAction: registered comm_epoll_incoming
2009/07/30 09:24:00.947| leave_suid: PID 3016 called
2009/07/30 09:24:00.947| leave_suid: PID 3016 giving up root, becoming 'proxy'
2009/07/30 09:24:00.947| fd_open() FD 5 /squid3-log/cache.log
2009/07/30 09:24:00.947| Starting Squid Cache version 3.1.0.12 for i686-pc-linux-gnu...
2009/07/30 09:24:00.947| Process ID 3016

Is that info sufficient?

kind regards,
Jan

-Original Message-
From: Zeller, Jan [mailto:jan.zel...@id.unibe.ch]
Sent: Thursday, 30 July 2009 09:05
To: Amos Jeffries; Herbert Faleiros
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] Squid 3.0.STABLE17 is available

hi Amos, dear list,

the problem

Jul 30 08:56:28 squid[2888]: ctx: enter level 0: 'http://www.riehen.ch/de/images/folgelebenskultur.jpg'
Jul 30 08:55:30 squid[2882]: assertion failed: http.cc:705: !eof
Jul 30 08:55:30 squid[2847]: Squid Parent: child process 2882 exited due to signal 6 with status 0
Jul 30 08:55:33 squid[2847]: Squid Parent: child process 2888 started

also appears on i686 with Squid Cache version 3.1.0.12 but less frequently. I know this info is not precisely helpful. I need to enable debug_options ALL,9 on my production system with real traffic. The downside is that the logs grow very quickly and finally the users get

ErrPage: ERR_CONNECT_FAIL
Err: (27) File too large

on their screen.

kind regards,
Jan

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 30 July 2009 03:37
To: Herbert Faleiros
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.0.STABLE17 is available

On Wed, 29 Jul 2009 16:18:16 -0300, Herbert Faleiros herb...@scwtelecom.com.br wrote:

On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:

The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.

3.0.STABLE17-20090729 still crashing here (x86_64)...

2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
2009/07/29 16:07:45| assertion failed: http.cc:738: !eof

I also applied (the patch from previous e-mail) against this version:

patching file src/HttpMsg.cc
patching file src/HttpReply.cc
patching file src/HttpRequest.cc
patching file src/pconn.cc

The only solution here was downgrade to previous release... Any clue?

It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there. I plan on spending more time over the weekend adding good tracing info to find it.

Amos
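The logs posted in this thread pair a `ctx: enter level 0: '<URL>'` line with the assertion that follows it. As an added example (not code from the thread or from the Squid project), the script below groups assertion failures by source location across both the native cache.log and the syslog line formats and attaches the URL from the preceding ctx line; the sample lines are constructed, and the `year` parameter and the 2-second pairing window are assumptions.

```python
import re
from datetime import datetime

# Native cache.log line: "2009/07/30 09:23:57.897| message" (milliseconds optional)
NATIVE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\|\s?(.*)$")
# Syslog line: "Jul 30 08:55:30 [host] squid[2882]: message"
SYSLOG = re.compile(
    r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?squid\[(\d+)\]: (.*)$")
ASSERT = re.compile(r"^assertion failed: (\S+?):(\d+): (.*)$")
CTX = re.compile(r"^ctx: enter level \d+: '(.*)'$")

CTX_WINDOW = 2  # assumption: a ctx line older than this many seconds is unrelated


def parse_line(line, year):
    """Return (timestamp, pid, message), or None for an unrecognised line."""
    m = NATIVE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), None, m.group(2)
    m = SYSLOG.match(line)
    if m:
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts, int(m.group(2)), m.group(3)
    return None


def triage(lines, year=2009):
    """Group assertion failures by source location and attach the ctx URL seen just before."""
    last_ctx = {}  # pid (None for native cache.log) -> (timestamp, url)
    report = {}
    for raw in lines:
        parsed = parse_line(raw.strip(), year)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        m = CTX.match(msg)
        if m:
            last_ctx[pid] = (ts, m.group(1))
            continue
        if msg.startswith("Starting Squid Cache"):
            last_ctx.pop(pid, None)  # restarted worker: earlier context is stale
            continue
        m = ASSERT.match(msg)
        if not m:
            continue
        site = "{}:{}: {}".format(*m.groups())
        entry = report.setdefault(
            site, {"count": 0, "first": ts, "last": ts, "urls": []})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        ctx = last_ctx.pop(pid, None)
        if (ctx and abs((ts - ctx[0]).total_seconds()) <= CTX_WINDOW
                and ctx[1] not in entry["urls"]):
            entry["urls"].append(ctx[1])
    return report


# Constructed sample lines in the two formats seen in the thread (URLs are placeholders).
SAMPLE = """
2009/07/30 09:23:57.897| ctx: enter level 0: 'http://example.test/favicon.ico'
2009/07/30 09:23:57.897| HttpMsg.cc(157) parse: first line of HTTP message is invalid
2009/07/30 09:23:57.897| assertion failed: http.cc:705: !eof
2009/07/30 09:24:00.947| Starting Squid Cache version 3.1.0.12 for i686-pc-linux-gnu...
2009/07/30 09:26:21| assertion failed: http.cc:738: !eof
2009/07/30 10:01:37| assertion failed: http.cc:738: !eof
Jul 30 08:55:29 squid[2882]: ctx: enter level 0: 'http://example.test/images/a.jpg'
Jul 30 08:55:30 squid[2882]: assertion failed: http.cc:705: !eof
Jul 30 08:55:30 squid[2847]: Squid Parent: child process 2882 exited due to signal 6 with status 0
"""

if __name__ == "__main__":
    for site, info in sorted(triage(SAMPLE.splitlines()).items()):
        print(f"{info['count']:3d}  {site}  {info['first']} .. {info['last']}")
        for url in info["urls"]:
            print(f"       last ctx URL: {url}")
```

Sites with a count but no URL are crashes logged without a ctx line, as in the long `http.cc:738` runs posted later in the thread.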
Re: AW: [squid-users] Squid 3.0.STABLE17 is available
Zeller, Jan wrote:

hi Amos, dear list,

the problem

It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there. I plan on spending more time over the weekend adding good tracing info to find it.

Amos

I'm getting that too on

FreeBSD a.ujena.net 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:14:35 UTC 2009 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

bounced back to 15 - doesn't seem to crash like 17

17:

2009/07/30 06:26:21| assertion failed: http.cc:738: !eof
2009/07/30 07:01:37| assertion failed: http.cc:738: !eof
2009/07/30 07:31:11| assertion failed: http.cc:738: !eof
2009/07/30 07:34:21| assertion failed: http.cc:738: !eof
2009/07/30 07:34:54| assertion failed: http.cc:738: !eof
2009/07/30 07:38:32| assertion failed: http.cc:738: !eof
2009/07/30 08:03:21| assertion failed: http.cc:738: !eof
2009/07/30 08:34:27| assertion failed: http.cc:738: !eof
2009/07/30 08:36:58| assertion failed: http.cc:738: !eof
2009/07/30 08:37:32| assertion failed: http.cc:738: !eof
2009/07/30 08:44:49| assertion failed: http.cc:738: !eof
2009/07/30 08:47:02| assertion failed: http.cc:738: !eof
2009/07/30 08:57:41| assertion failed: http.cc:738: !eof
2009/07/30 09:06:08| assertion failed: http.cc:738: !eof
2009/07/30 09:10:26| assertion failed: http.cc:738: !eof
2009/07/30 09:16:20| assertion failed: http.cc:738: !eof
2009/07/30 09:18:14| assertion failed: http.cc:738: !eof
2009/07/30 09:24:53| assertion failed: http.cc:738: !eof
2009/07/30 09:26:39| assertion failed: http.cc:738: !eof
2009/07/30 09:28:00| assertion failed: http.cc:738: !eof
2009/07/30 10:12:42| assertion failed: http.cc:738: !eof
2009/07/30 10:20:23| assertion failed: http.cc:738: !eof
2009/07/30 10:41:26| assertion failed: http.cc:738: !eof
2009/07/30 10:49:26| assertion failed: http.cc:738: !eof
2009/07/30 10:54:05| assertion failed: http.cc:738: !eof
2009/07/30 11:17:02| assertion failed: http.cc:738: !eof
2009/07/30 11:32:34| assertion failed: http.cc:738: !eof
2009/07/30 11:48:03| assertion failed: http.cc:738: !eof
2009/07/30 11:48:38| assertion failed: http.cc:738: !eof
2009/07/30 11:51:24| assertion failed: http.cc:738: !eof
2009/07/30 12:16:29| assertion failed: http.cc:738: !eof
2009/07/30 12:20:50| assertion failed: http.cc:738: !eof
2009/07/30 12:36:55| assertion failed: http.cc:738: !eof
2009/07/30 12:50:45| assertion failed: http.cc:738: !eof
2009/07/30 12:57:19| assertion failed: http.cc:738: !eof
2009/07/30 13:04:00| assertion failed: http.cc:738: !eof
2009/07/30 13:09:29| assertion failed: http.cc:738: !eof
2009/07/30 13:10:32| assertion failed: http.cc:738: !eof
2009/07/30 13:18:39| assertion failed: http.cc:738: !eof
2009/07/30 13:18:53| assertion failed: http.cc:738: !eof
2009/07/30 13:40:04| assertion failed: http.cc:738: !eof
2009/07/30 13:47:31| assertion failed: http.cc:738: !eof
2009/07/30 13:51:05| assertion failed: http.cc:738: !eof
2009/07/30 13:51:23| assertion failed: http.cc:738: !eof
2009/07/30 13:53:10| assertion failed: http.cc:738: !eof
2009/07/30 13:59:32| assertion failed: http.cc:738: !eof
2009/07/30 14:01:15| assertion failed: http.cc:738: !eof
2009/07/30 14:02:27| assertion failed: http.cc:738: !eof
2009/07/30 14:03:38| assertion failed: http.cc:738: !eof
2009/07/30 14:04:01| assertion failed: http.cc:738: !eof
2009/07/30 14:25:06| assertion failed: http.cc:738: !eof
2009/07/30 14:57:59| assertion failed: http.cc:738: !eof
2009/07/30 15:07:41| assertion failed: http.cc:738: !eof
2009/07/30 15:15:01| assertion failed: http.cc:738: !eof
2009/07/30 15:17:09| assertion failed: http.cc:738: !eof
2009/07/30 15:17:49| assertion failed: http.cc:738: !eof

it always restarts promptly but user gets 1/2 images and sometimes error page depending on when it crashes. no good for production... ;-)

my experimentation - looks like it crashes when fetching pages full of images, but the bug reports show a user making a single request and getting the error. also, i didn't notice any problems when the cache was mostly empty, crashing seemed to start happening after awhile.

tried #17-7/30 and didn't help, went to #16 and wouldn't build happily so i'm using #15 at the moment, seems to work so far. well hasn't dumped core yet.

(sorry, lame i know - i used to do things with and hack squid years ago, several years ago - back in the old days - but it's been a long time and today was the day to get back into it i guess.)

if you need a 'fix tester' over the weekend, etc. lemme know. i'm running reverse for a moderate-traffic site. i browsed through the code tonight but it's late and i'm tired.

take care,
waitman
Re: [squid-users] Squid 3.0.STABLE17 is available
I also have this error:

2009/07/30 09:48:16| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/30 09:48:16| assertion failed: http.cc:738: !eof
2009/07/30 09:48:19| Starting Squid Cache version 3.0.STABLE17 for sparc-sun-solaris2.9...
2009/07/30 09:48:19| Process ID 17345
2009/07/30 09:48:19| With 32768 file descriptors available
2009/07/30 09:48:19| Performing DNS Tests...
2009/07/30 09:48:19| Successful DNS name lookup tests...

2009/07/30 09:47:38| assertion failed: http.cc:738: !eof
2009/07/30 09:48:16| assertion failed: http.cc:738: !eof
2009/07/30 09:48:46| assertion failed: http.cc:738: !eof
2009/07/30 09:48:58| assertion failed: http.cc:738: !eof
2009/07/30 09:49:44| assertion failed: http.cc:738: !eof
2009/07/30 09:49:53| assertion failed: http.cc:738: !eof
2009/07/30 09:50:02| assertion failed: http.cc:738: !eof
2009/07/30 09:51:33| assertion failed: http.cc:738: !eof
2009/07/30 09:51:39| assertion failed: http.cc:738: !eof
2009/07/30 09:51:45| assertion failed: http.cc:738: !eof
2009/07/30 09:52:26| assertion failed: http.cc:738: !eof
2009/07/30 09:53:02| assertion failed: http.cc:738: !eof
2009/07/30 09:53:12| assertion failed: http.cc:738: !eof
2009/07/30 09:53:22| assertion failed: http.cc:738: !eof
2009/07/30 09:53:30| assertion failed: http.cc:738: !eof
2009/07/30 09:54:32| assertion failed: http.cc:738: !eof
2009/07/30 09:55:35| assertion failed: http.cc:738: !eof
2009/07/30 09:57:04| assertion failed: http.cc:738: !eof
2009/07/30 09:57:41| assertion failed: http.cc:738: !eof
2009/07/30 09:57:57| assertion failed: http.cc:738: !eof
2009/07/30 09:58:22| assertion failed: http.cc:738: !eof
2009/07/30 09:59:31| assertion failed: http.cc:738: !eof
2009/07/30 09:59:44| assertion failed: http.cc:738: !eof
2009/07/30 09:59:59| assertion failed: http.cc:738: !eof
2009/07/30 10:01:13| assertion failed: http.cc:738: !eof
2009/07/30 10:01:48| assertion failed: http.cc:738: !eof
2009/07/30 10:02:29| assertion failed: http.cc:738: !eof
2009/07/30 10:02:34| assertion failed: http.cc:738: !eof
2009/07/30 10:02:41| assertion failed: http.cc:738: !eof
2009/07/30 10:03:51| assertion failed: http.cc:738: !eof

back to stable 13 the good old unfixed Problem is back:

2009/07/30 11:05:05| tunnelReadServer: FD 377: read failure: (0) Error 0
2009/07/30 11:05:16| tunnelReadServer: FD 211: read failure: (0) Error 0
2009/07/30 11:05:20| tunnelReadServer: FD 462: read failure: (0) Error 0
2009/07/30 11:05:32| tunnelReadServer: FD 437: read failure: (0) Error 0
2009/07/30 11:05:36| tunnelReadServer: FD 340: read failure: (0) Error 0
2009/07/30 11:05:41| tunnelReadServer: FD 432: read failure: (0) Error 0
2009/07/30 11:06:13| assertion failed: store_client.cc:430: STORE_DISK_CLIENT == getType()
2009/07/30 11:06:18| Starting Squid Cache version 3.0.STABLE13 for sparc-sun-solaris2.9...

On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:

The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.

3.0.STABLE17-20090729 still crashing here (x86_64)...

2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
2009/07/29 16:07:45| assertion failed: http.cc:738: !eof

I also applied (the patch from previous e-mail) against this version:

patching file src/HttpMsg.cc
patching file src/HttpReply.cc
patching file src/HttpRequest.cc
patching file src/pconn.cc

The only solution here was downgrade to previous release... Any clue?

It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there. I plan on spending more time over the weekend adding good tracing info to find it.

Amos

--
Thomas Meier
Landeshauptstadt Muenchen
Direktorium, Hauptabteilung III
IT-Dienstleistungen
Servicebereich Dienste Produktion
Serviceteam 05 - Externe Netze und Internet
Postal address: Herzogspitalstr. 24, 80331 Muenchen
Office address: Herzog-Wilhelm-Str. 22, Room 204, 80331 Muenchen
Tel.: +49 89 233 25874
E-Mail thomas.me...@muenchen.de
Electronic communication with the LhSt Muenchen - see: http://www.muenchen.de/ekomm
RE: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, July 27, 2009 10:01 AM
To: martin.pichlma...@continental-corporation.com
Cc: Squid
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12

Amos,

Was this fixed on the 3.0.STABLE17 that's on the download site? Or do I still need to run this patch if I downloaded it today before installing it?
Re: [squid-users] Squid 3.0.STABLE17 is available
On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:

The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.

3.0.STABLE17-20090729 still crashing here (x86_64)...

2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
2009/07/29 16:07:45| assertion failed: http.cc:738: !eof

I also applied (the patch from previous e-mail) against this version:

patching file src/HttpMsg.cc
patching file src/HttpReply.cc
patching file src/HttpRequest.cc
patching file src/pconn.cc

The only solution here was downgrade to previous release... Any clue?

--
Herbert
RE: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
On Wed, 29 Jul 2009 08:37:47 -0500, Dean Weimer dwei...@orscheln.com wrote:

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, July 27, 2009 10:01 AM
To: martin.pichlma...@continental-corporation.com
Cc: Squid
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12

Amos,

Was this fixed on the 3.0.STABLE17 that's on the download site? Or do I still need to run this patch if I downloaded it today before installing it?

Today's snapshot you still have to patch. I don't have time for maintenance until tomorrow.

Amos
Re: [squid-users] Squid 3.0.STABLE17 is available
On Wed, 29 Jul 2009 16:18:16 -0300, Herbert Faleiros herb...@scwtelecom.com.br wrote:

On Tuesday 28 July 2009 23:22:56 Amos Jeffries wrote:

The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.

3.0.STABLE17-20090729 still crashing here (x86_64)...

2009/07/29 16:07:45| ctx: enter level 0: 'http://images.windowsmedia.com/svcswitch/MG_pt- br.xml?locale=416geoid=20version=1 1.0.6001.7004userlocale=416'
2009/07/29 16:07:45| assertion failed: http.cc:738: !eof

I also applied (the patch from previous e-mail) against this version:

patching file src/HttpMsg.cc
patching file src/HttpReply.cc
patching file src/HttpRequest.cc
patching file src/pconn.cc

The only solution here was downgrade to previous release... Any clue?

It seems to be a fread() issue between Squid and x86_64. Disappears on i386/i686. Maybe *BSD specific as well, but there are a few reports without OS info fuzzing my info there. I plan on spending more time over the weekend adding good tracing info to find it.

Amos
[squid-users] Antwort: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
Thank you Amos, your patch did the trick, it now works smoothly. I didn't have time to test yesterday, therefore sorry for my late response.

Martin

Amos Jeffries squ...@treenet.co.nz
27.07.2009 17:00
To: martin.pichlma...@continental-corporation.com
Cc: Squid squid-users@squid-cache.org
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12

=== modified file 'src/HttpMsg.cc' --- src/HttpMsg.cc 2009-07-26 11:33:16 + +++ src/HttpMsg.cc 2009-07-27 13:55:53 +
@@ -154,8 +154,7 @@ // sanity check the start line to see if this is in fact an HTTP message if (!sanityCheckStartLine(buf, hdr_len, error)) { -debugs(58,1, HERE first line of HTTP message is invalid); -// NP: sanityCheck sets *error +// NP: sanityCheck sets *error and sends debug warnings. return false; } === modified file 'src/HttpReply.cc' --- src/HttpReply.cc 2009-07-26 12:04:45 + +++ src/HttpReply.cc 2009-07-27 14:59:48 + @@ -446,8 +446,10 @@ // content is long enough to possibly hold a reply // 4 being magic size of a 3-digit number plus space delimiter if ( buf-contentSize() (protoPrefix.size() + 4) ) { -if (hdr_len 0) +if (hdr_len 0) { +debugs(58, 3, HttpReply::sanityCheckStartLine: Too small reply header ( hdr_len bytes)); *error = HTTP_INVALID_HEADER; +} return false; } === modified file 'src/HttpRequest.cc' --- src/HttpRequest.cc 2009-07-26 11:33:16 + +++ src/HttpRequest.cc 2009-07-27 14:59:29 + @@ -156,6 +156,7 @@ if ( buf-contentSize() 2 ) { // this is ony a real error if the headers apparently complete. if (hdr_len 0) { +debugs(58, 3, HttpRequest::sanityCheckStartLine: Too small request header ( hdr_len bytes)); *error = HTTP_INVALID_HEADER; } return false; === modified file 'src/pconn.cc' --- src/pconn.cc 2009-02-19 02:17:28 + +++ src/pconn.cc 2009-07-27 08:04:11 + @@ -188,7 +188,7 @@ else snprintf(buf, SQUIDHOSTNAMELEN * 3 + 10, %s:%d, host, (int) port); -debugs(48,6,PconnPool::key( host , port , domain , inet_ntoa(*client_address) is { buf } ); +debugs(48,6,PconnPool::key( (host?host:) , port , (domain?domain:) , (client_address?inet_ntoa(*client_address):) is { buf } ); return buf; }
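Review bot: the rewritten comment in the src/HttpMsg.cc hunk says sanityCheck "sends debug warnings", but the only messages this patch adds are the section 58, level 3 lines in HttpReply.cc and HttpRequest.cc, and both sit inside the too-small-header branch. After the level-1 debugs() is removed here, a start line rejected on any other path is not reported by anything visible in this patch, and even the new messages stay hidden at debug_options ALL,1. Suggest keeping one low-level message for the case where *error has actually been set, or rewording the comment to say which failures are logged and at what level.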
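Review bot: in the src/HttpReply.cc hunk the new message prints hdr_len, while the enclosing test is made on buf's contentSize() against protoPrefix.size() + 4, so the number in the log is not the one the check was made on. Include the content size and the required minimum in the message so that a level-3 trace shows why the reply was rejected.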
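Review bot: the context comment in the src/HttpRequest.cc hunk still reads "this is ony a real error", and the bare 2 in the contentSize() test has no explanation, unlike the reply side where the 4 is described as a 3-digit number plus space delimiter. Fix the typo while the block is being touched and document what the 2 bytes stand for.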
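Review bot: the src/pconn.cc hunk guards host, domain and client_address in the debugs() call, but the snprintf(buf, SQUIDHOSTNAMELEN * 3 + 10, %s:%d, host, (int) port) on the context line just above still hands host to %s unguarded, so a null host reaches the key before the debug line does. Apply the same fallback there, or reject a null host at the top of the function. The hunk is also unrelated to the start-line warning and would be easier to track as its own change.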
[squid-users] Re: Antwort: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
martin.pichlma...@continental-corporation.com wrote:

Thank you Amos, your patch did the trick, it now works smoothly. I didn't have time to test yesterday, therefore sorry for my late response.

Martin

Amos Jeffries squ...@treenet.co.nz
27.07.2009 17:00
To: martin.pichlma...@continental-corporation.com
Cc: Squid squid-users@squid-cache.org
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos

Thank you very much for the feedback. If you noticed, the pconn complaint others made earlier slipped into that patch too. :)

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12
Re: [squid-users] Re: Antwort: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
Cool. Is there going to be a STABLE17A or something, or do we have to hand-patch for now?

Thanks!

On Tue, Jul 28, 2009 at 12:41 AM, Amos Jeffries squ...@treenet.co.nz wrote:

martin.pichlma...@continental-corporation.com wrote:

Thank you Amos, your patch did the trick, it now works smoothly. I didn't have time to test yesterday, therefore sorry for my late response.

Martin

Amos Jeffries squ...@treenet.co.nz
27.07.2009 17:00
To: martin.pichlma...@continental-corporation.com
Cc: Squid squid-users@squid-cache.org
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos

Thank you very much for the feedback. If you noticed, the pconn complaint others made earlier slipped into that patch too. :)

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12

--
-george william herbert
george.herb...@gmail.com
Re: [squid-users] Re: Antwort: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
On Tue, 28 Jul 2009 11:54:29 -0700, George Herbert george.herb...@gmail.com wrote:

Cool. Is there going to be a STABLE17A or something, or do we have to hand-patch for now?

The next formally bundled will be STABLE18. However the daily snapshots serve as intermediate updates on STABLE (http://www.squid-cache.org/Versions/v3/3.0/). I just have not yet had time to apply these fixes to the branch yet.

Amos

Thanks!

On Tue, Jul 28, 2009 at 12:41 AM, Amos Jeffries squ...@treenet.co.nz wrote:

martin.pichlma...@continental-corporation.com wrote:

Thank you Amos, your patch did the trick, it now works smoothly. I didn't have time to test yesterday, therefore sorry for my late response.

Martin

Amos Jeffries squ...@treenet.co.nz
27.07.2009 17:00
To: martin.pichlma...@continental-corporation.com
Cc: Squid squid-users@squid-cache.org
Subject: Re: [squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available

Amos Jeffries wrote:

martin.pichlma...@continental-corporation.com wrote:

Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors.

Amos

Oh foey. forget that patch. It pasted badly. Here is the real one.

Amos

Thank you very much for the feedback. If you noticed, the pconn complaint others made earlier slipped into that patch too. :)

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12
[squid-users] Squid 3.0.STABLE17 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE17 release!

This release is primarily a Security Update release. All users of Squid-3.0 are urgently advised to move up to this release.

The major changes are for advisory SQUID-2009:2. This is for multiple vulnerabilities in both request and response processing. The cause is the same, but there are many variations of possible attack.

http://www.squid-cache.org/Advisories/SQUID-2009_2.txt

There are also a number of smaller fixes in this release with potential towards security problems. These are much harder to trigger within Squid. The helper issues are primarily of concern when used by other systems than Squid.

- Bug 2710: squid_kerb_auth non-terminated string
- Bug 2674: Remove limit on HTTP headers read.
- Bug 2659: String length overflows on append, leading to segfaults
- Bug 2620: Invalid HTTP response codes causes segfault
- Bug 2080: wbinfo_group.pl - false positive under certain conditions

And a few more regular bugs:

- Bug 2680 regression: Crash after rotate with no helpers running
- Bug 2679: strsep and strtoll detection failure
- Bug 1087: ESI processor not quoting attributes correctly.
- Fix: issue with AUFS/UFS/DiskD writing objects to disk cache

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.

http://bugs.squid-cache.org/

Amos Jeffries
[squid-users] Antwort: [squid-users] Squid 3.0.STABLE17 is available
Hello all,

I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment):

2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:38| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid
2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid

It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17...

HttpMsg.cc -- lines 156 to 160:

    if (!sanityCheckStartLine(buf, hdr_len, error)) {
        debugs(58,1, HERE << "first line of HTTP message is invalid");
        // NP: sanityCheck sets *error
        return false;
    }

Maybe it has something to do with my configuration options. I compiled squid with:

# squid -v
Squid Cache: Version 3.0.STABLE17
configure options: '--prefix=/appl' '--localstate=/var' '--with-filedescriptors=16384' '--enable-storeio=ufs,null' '--enable-auth=ntlm,basic' '--enable-external-acl-helpers=wbinfo_group' '--enable-icap-client'
# uname -a
Linux proxy 2.6.18-92.1.10.0.1.el5 #1 SMP Mon Aug 4 17:11:38 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
#

I could shut it out with debug_options ALL,1 58,0 but don't know which other important messages I may miss.

Best regards,
Martin

Amos Jeffries squ...@treenet.co.nz
27.07.2009 13:00
To: squid-annou...@squid-cache.org, Squid squid-users@squid-cache.org
Cc:
Subject: [squid-users] Squid 3.0.STABLE17 is available

The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE17 release!

This release is primarily a Security Update release. All users of Squid-3.0 are urgently advised to move up to this release.

The major changes are for advisory SQUID-2009:2. This is for multiple vulnerabilities in both request and response processing. The cause is the same, but there are many variations of possible attack.

http://www.squid-cache.org/Advisories/SQUID-2009_2.txt

There are also a number of smaller fixes in this release with potential towards security problems. These are much harder to trigger within Squid. The helper issues are primarily of concern when used by other systems than Squid.

- Bug 2710: squid_kerb_auth non-terminated string
- Bug 2674: Remove limit on HTTP headers read.
- Bug 2659: String length overflows on append, leading to segfaults
- Bug 2620: Invalid HTTP response codes causes segfault
- Bug 2080: wbinfo_group.pl - false positive under certain conditions

And a few more regular bugs:

- Bug 2680 regression: Crash after rotate with no helpers running
- Bug 2679: strsep and strtoll detection failure
- Bug 1087: ESI processor not quoting attributes correctly.
- Fix: issue with AUFS/UFS/DiskD writing objects to disk cache

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.

http://bugs.squid-cache.org/

Amos Jeffries
Re: [squid-users] Reply: [squid-users] Squid 3.0.STABLE17 is available
Amos Jeffries wrote: martin.pichlma...@continental-corporation.com wrote: Hello all, I just compiled squid-3.0.STABLE17 and it compiled fine. Unfortunately I now get many warning messages in cache.log (still testing, not yet in productive environment): 2009/07/27 15:11:26| HttpMsg.cc(157) first line of HTTP message is invalid 2009/07/27 15:11:28| HttpMsg.cc(157) first line of HTTP message is invalid 2009/07/27 15:11:37| HttpMsg.cc(157) first line of HTTP message is invalid 2009/07/27 15:11:40| HttpMsg.cc(157) first line of HTTP message is invalid 2009/07/27 15:11:41| HttpMsg.cc(157) first line of HTTP message is invalid It seems that nearly every URL I try to access gives that warning message, for example www.arin.net, www.ripe.net, www.hp.com, www.arin.net, even www.squid-cache.org and so on. Are nearly all pages in the internet invalid or is the if-query or rather the function incorrect? The lines that produce the above warning are new in STABLE17... HttpMsg.cc -- lines 156 to 160: if (!sanityCheckStartLine(buf, hdr_len, error)) { debugs(58,1, HERE first line of HTTP message is invalid); // NP: sanityCheck sets *error return false; } Oh dear. I missed a bit in the upgrade. Thanks. This attached patch should quieten it down to only the real errors. Amos Oh foey. forget that patch. It pasted badly. Here is the real one. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17 Current Beta Squid 3.1.0.12 === modified file 'src/HttpMsg.cc' --- src/HttpMsg.cc 2009-07-26 11:33:16 + +++ src/HttpMsg.cc 2009-07-27 13:55:53 + @@ -154,8 +154,7 @@ // sanity check the start line to see if this is in fact an HTTP message if (!sanityCheckStartLine(buf, hdr_len, error)) { -debugs(58,1, HERE first line of HTTP message is invalid); -// NP: sanityCheck sets *error +// NP: sanityCheck sets *error and sends debug warnings. return false; } === modified file 'src/HttpReply.cc' --- src/HttpReply.cc 2009-07-26 12:04:45 + +++ src/HttpReply.cc 2009-07-27 14:59:48 + 
@@ -446,8 +446,10 @@ // content is long enough to possibly hold a reply // 4 being magic size of a 3-digit number plus space delimiter if ( buf-contentSize() (protoPrefix.size() + 4) ) { -if (hdr_len 0) +if (hdr_len 0) { +debugs(58, 3, HttpReply::sanityCheckStartLine: Too small reply header ( hdr_len bytes)); *error = HTTP_INVALID_HEADER; +} return false; } === modified file 'src/HttpRequest.cc' --- src/HttpRequest.cc 2009-07-26 11:33:16 + +++ src/HttpRequest.cc 2009-07-27 14:59:29 + @@ -156,6 +156,7 @@ if ( buf-contentSize() 2 ) { // this is ony a real error if the headers apparently complete. if (hdr_len 0) { +debugs(58, 3, HttpRequest::sanityCheckStartLine: Too small request header ( hdr_len bytes)); *error = HTTP_INVALID_HEADER; } return false; === modified file 'src/pconn.cc' --- src/pconn.cc 2009-02-19 02:17:28 + +++ src/pconn.cc 2009-07-27 08:04:11 + @@ -188,7 +188,7 @@ else snprintf(buf, SQUIDHOSTNAMELEN * 3 + 10, %s:%d, host, (int) port); -debugs(48,6,PconnPool::key( host , port , domain , inet_ntoa(*client_address) is { buf } ); +debugs(48,6,PconnPool::key( (host?host:) , port , (domain?domain:) , (client_address?inet_ntoa(*client_address):) is { buf } ); return buf; }
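Review bot: in the src/HttpMsg.cc hunk (@@ -154,8 +154,7 @@), the rewritten comment says sanityCheck "sends debug warnings", but the only messages this patch adds are the two level-3 "Too small ... header" lines in HttpReply.cc and HttpRequest.cc. With the 58,1 line removed, a rejected start line is silent at the ALL,1 setting mentioned earlier in the thread unless the other failure paths already log. Please confirm that every return-false path in both sanityCheckStartLine implementations emits a debugs() call, or reword the comment to say which cases are logged and at what level.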
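Review bot: in the src/HttpReply.cc hunk (@@ -446,8 +446,10 @@), the added debugs() line reports only hdr_len, while the branch is taken on buf->contentSize() compared against protoPrefix.size() + 4. Logging those two values as well would let someone reading cache.log see why the reply was rejected, since hdr_len is not the quantity being tested.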
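Review bot: in the src/HttpRequest.cc hunk (@@ -156,6 +156,7 @@), the literal 2 in the buf->contentSize() check is undocumented, unlike the reply-side check, which explains its 4. A one-line comment stating what the 2-byte minimum represents would keep the two checks comparable, and the context comment directly above the added line has a typo ("ony") that could be fixed in the same change.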
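Review bot: in the src/pconn.cc hunk (@@ -188,7 +188,7 @@), the NULL guards are added only to the debugs() arguments, while the snprintf() on the context line just above still passes host to %s unguarded. If host can be NULL here, as the new (host?host:...) guard implies, that snprintf needs the same guard or the function should reject a NULL host up front; if host cannot be NULL, the guard on it in the debug line is unnecessary.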
[squid-users] squid 3.0 transparent problem
greetings

i'm setting up a new squid box running 3.0 stable 16 in transparent mode. the problem is, no call ever gets to squid, unless I configure the client to look at squidip port 3128. Browser fails to connect. If I tell the system to use proxy at squidip 3128, it works fine.

I have made the new transparent changes to my config. and I have redirected destined for port 80 to squid.

here is my simplified config.

#l
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.100 255.255.255.255
#
http_access allow manager localhost
http_access deny manager
http_access allow localnet
# And finally deny all other access to this proxy
http_access allow all
# NETWORK OPTIONS
# -
#http_port 3128
http_port 10.0.2.3:3128 transparent
#Default:
# cache_mem 8 MB
cache_mem 128 MB
#Default:
# maximum_object_size_in_memory 8 KB
maximum_object_size_in_memory 80 KB
ipcache_size 1024
cache_dir ufs /usr/local/squid/var/cache 2048 16 256
maximum_object_size 40 MB
access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group wheel
visible_hostname hook2
-
#ipfw redirect
here you can see the redirect going to the port from the client

hook2:~ root# ipfw show
1 0 0 allow udp from any 626 to any dst-port 626
00500 0 0 fwd 127.0.0.1,3128 tcp from 10.135.1.100 to any dst-port 80 in recv en1
65535 559 359882 allow ip from any to any

hook2:~ root# ipfw show
10 0 allow udp from any 626 to any dst-port 626
005001 64 fwd 127.0.0.1,3128 tcp from 192.168.1.100 to any dst-port 80 in recv en1
65535 3530 2143506 allow ip from any to any

the client is OSX 10.5.6 leopard. browser cannot connect. any ideas ?

my previous setup used these transparent options,

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

tia
-jeff
Re: [squid-users] squid 3.0 transparent problem
On Mon, 27 Jul 2009 22:14:46 -0400, donovan jeffrey j dono...@beth.k12.pa.us wrote:

greetings

i'm setting up a new squid box running 3.0 stable 16 in transparent mode. the problem is, no call ever gets to squid, unless I configure the client to look at squidip port 3128. Browser fails to connect. If I tell the system to use proxy at squidip 3128, it works fine.

I have made the new transparent changes to my config. and I have redirected destined for port 80 to squid.

here is my simplified config.

#l
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.100 255.255.255.255
#
http_access allow manager localhost
http_access deny manager
http_access allow localnet
# And finally deny all other access to this proxy
http_access allow all
# NETWORK OPTIONS
# -
#http_port 3128
http_port 10.0.2.3:3128 transparent
#Default:
# cache_mem 8 MB
cache_mem 128 MB
#Default:
# maximum_object_size_in_memory 8 KB
maximum_object_size_in_memory 80 KB
ipcache_size 1024
cache_dir ufs /usr/local/squid/var/cache 2048 16 256
maximum_object_size 40 MB
access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group wheel
visible_hostname hook2
-
#ipfw redirect
here you can see the redirect going to the port from the client

hook2:~ root# ipfw show
1 0 0 allow udp from any 626 to any dst-port 626
00500 0 0 fwd 127.0.0.1,3128 tcp from 10.135.1.100 to any dst-port 80 in recv en1
65535 559 359882 allow ip from any to any

hook2:~ root# ipfw show
10 0 allow udp from any 626 to any dst-port 626
005001 64 fwd 127.0.0.1,3128 tcp from 192.168.1.100 to any dst-port 80 in recv en1
65535 3530 2143506 allow ip from any to any

the client is OSX 10.5.6 leopard. browser cannot connect. any ideas ?

Your firewall says it's sending packets to 127.0.0.1,3128
Your new squid.conf says interception is happening on 10.0.2.3:3128

If you removed the IP or changed it to 127.0.0.1:3128 in squid.conf it would work.

Amos
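The mismatch diagnosed in the reply above can be checked mechanically. This is an added example, not part of the original thread or of Squid: it compares the targets of ipfw fwd rules with the interception http_port lines in squid.conf. The function names are hypothetical and the sample inputs are constructed from the configuration quoted in the thread.

```python
import re

# Constructed sample input, reduced from the squid.conf and ipfw output
# quoted in the thread (counter columns cleaned up for readability).
SQUID_CONF = """\
#http_port 3128
http_port 10.0.2.3:3128 transparent
"""
IPFW_SHOW = """\
00500 1 64 fwd 127.0.0.1,3128 tcp from 192.168.1.100 to any dst-port 80 in recv en1
65535 3530 2143506 allow ip from any to any
"""

# http_port options that mark a listener as accepting intercepted traffic:
# "transparent" in Squid 3.0, "intercept" in later releases, and "tproxy".
INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}

# Matches "fwd <ipv4>,<port>". Rules without an explicit port are ignored.
FWD_RE = re.compile(r"\bfwd\s+(\d+(?:\.\d+){3}),(\d+)\b")


def intercept_listeners(squid_conf):
    """Return (ip_or_None, port) for each active interception http_port line."""
    listeners = []
    for raw in squid_conf.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        if not INTERCEPT_FLAGS & set(fields[2:]):
            continue  # a plain forward-proxy port does not accept intercepted traffic
        addr, _, port = fields[1].rpartition(":")
        listeners.append((addr or None, int(port)))  # None means all addresses
    return listeners


def fwd_targets(ipfw_show):
    """Return (ip, port) for every fwd rule that names an explicit port."""
    return [(m.group(1), int(m.group(2))) for m in FWD_RE.finditer(ipfw_show)]


def unmatched_fwd_targets(squid_conf, ipfw_show):
    """Return fwd targets that no interception listener will accept."""
    listeners = intercept_listeners(squid_conf)
    return [
        (ip, port)
        for ip, port in fwd_targets(ipfw_show)
        if not any(lport == port and lip in (None, ip) for lip, lport in listeners)
    ]


if __name__ == "__main__":
    for ip, port in unmatched_fwd_targets(SQUID_CONF, IPFW_SHOW):
        print(f"ipfw forwards to {ip}:{port} but no interception http_port accepts it")
```

Both fixes named in the reply (dropping the IP from http_port, or binding it to 127.0.0.1:3128) make the returned list empty, as does changing the ipfw rule to point at 10.0.2.3.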
Re: [squid-users] squid 3.0 transparent problem
On Jul 27, 2009, at 10:37 PM, Amos Jeffries wrote:

Your firewall says it's sending packets to 127.0.0.1,3128
Your new squid.conf says interception is happening on 10.0.2.3:3128

If you removed the IP or changed it to 127.0.0.1:3128 in squid.conf it would work.

Amos

Thanks for the reply,... I just noticed that.

Accepting transparently proxied HTTP connections at 10.0.2.3, port 3128, FD 10.

I changed the ipfw and it works. Thanks for getting back to me.

-j
[squid-users] squid-3.0.STABLE16
su-3.2# gmake
Making all in lib
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib'
Making all in libTrie
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake all-recursive
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
Making all in src
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/src'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/src'
Making all in test
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/test'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/test'
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[4]: Nothing to be done for `all-am'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib'
gmake[2]: Nothing to be done for `all-am'.
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib'
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib'
Making all in snmplib
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/snmplib'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/snmplib'
Making all in scripts
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/scripts'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/scripts'
Making all in src
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake all-recursive
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
Making all in fs
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/fs'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/fs'
Making all in repl
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/repl'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/repl'
Making all in auth
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/auth'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/auth'
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
depbase=`echo client_side.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;\
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\ -I. -I../include -I. -I. -I../include -I../include -I../lib/libTrie/include-Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT client_side.o -MD -MP -MF $depbase.Tpo -c -o client_side.o client_side.cc \
mv -f $depbase.Tpo $depbase.Po
cc1plus: warnings being treated as errors
client_side.cc: In function 'int connKeepReadingIncompleteRequest(RefCountConnStateData)':
client_side.cc:2144: warning: comparison between signed and unsigned integer expressions
gmake[3]: *** [client_side.o] Error 1
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake: *** [all-recursive] Error 1
su-3.2#

--
http://alexus.org/
Re: [squid-users] squid-3.0.STABLE16
On Wed, 22 Jul 2009 10:31:39 -0400, alexus ale...@gmail.com wrote:

su-3.2# gmake
Making all in lib
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib'
Making all in libTrie
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake all-recursive
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
Making all in src
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/src'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/src'
Making all in test
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/test'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie/test'
gmake[4]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[4]: Nothing to be done for `all-am'.
gmake[4]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib/libTrie'
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/lib'
gmake[2]: Nothing to be done for `all-am'.
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib'
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/lib'
Making all in snmplib
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/snmplib'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/snmplib'
Making all in scripts
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/scripts'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/scripts'
Making all in src
gmake[1]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake all-recursive
gmake[2]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
Making all in fs
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/fs'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/fs'
Making all in repl
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/repl'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/repl'
Making all in auth
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src/auth'
gmake[3]: Nothing to be done for `all'.
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src/auth'
gmake[3]: Entering directory `/usr/local/src/squid-3.0.STABLE16/src'
depbase=`echo client_side.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;\
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\ -I. -I../include -I. -I. -I../include -I../include -I../lib/libTrie/include-Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT client_side.o -MD -MP -MF $depbase.Tpo -c -o client_side.o client_side.cc \
mv -f $depbase.Tpo $depbase.Po
cc1plus: warnings being treated as errors
client_side.cc: In function 'int connKeepReadingIncompleteRequest(RefCountConnStateData)':
client_side.cc:2144: warning: comparison between signed and unsigned integer expressions
gmake[3]: *** [client_side.o] Error 1
gmake[3]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/usr/local/src/squid-3.0.STABLE16/src'
gmake: *** [all-recursive] Error 1
su-3.2#

http://www.squid-cache.org/Versions/v3/3.0/changesets/b9052.patch

Or the daily snapshot bundle.

Amos
[squid-users] Squid 3.0 STABLE16
Hi,

I'm looking for the ldap_auth option for squid 3.0. all i see on the ./configure options are the following

--enable-basic-auth-helpers= (OPTIONS: digest_auth, negotiate_auth, basic_auth, external_acl, ntlm_auth)
--enable-auth= (OPTIONS: digest, ntlm, basic, negotiate)

If someone can point me to the right direction, I would very much appreciate it.

-b
--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
[squid-users] squid 3.0 stable 14 terminates abnormally
subject squid version running on freebsd 7 dies and the following message is displayed.

assertion failed: HttpHeader.cc:1196: Headers[id].type == ftInt64

after searching the mailing list i found Amos's answer to wong asking to upgrade to 15 or changes in src/HttpHeader.cc.

Trying Method-1
Apply latest patch.

now i have downloaded the squid-3.0.STABLE15.patch and changed the pwd to the source files from where i had previously installed the stable 14 version, but when i apply this patch using command

patch < /path/squid-3.0.STABLE15.patch

it successfully hunks some files and then stops and says

Hmm... The next patch looks like a unified diff to me

So can anybody tell me what should i do to continue

On Trying Method-2
changes in src/HttpHeader.cc.

after changing the said line i.e.

{"Max-Forwards", HDR_MAX_FORWARDS, ftInt},

to become

{"Max-Forwards", HDR_MAX_FORWARDS, ftInt64},

i don't know what to do further to tell squid adapt changes. should i run make clean make make install and it would be done!!!.

Thanks in advance.
.Goody.
Re: [squid-users] squid 3.0 stable 14 terminates abnormally
goody goody wrote:

subject squid version running on freebsd 7 dies and the following message is displayed.

assertion failed: HttpHeader.cc:1196: Headers[id].type == ftInt64

after searching the mailing list i found Amos's answer to wong asking to upgrade to 15 or changes in src/HttpHeader.cc.

Trying Method-1
Apply latest patch.

now i have downloaded the squid-3.0.STABLE15.patch and changed the pwd to the source files from where i had previously installed the stable 14 version, but when i apply this patch using command

patch < /path/squid-3.0.STABLE15.patch

it successfully hunks some files and then stops and says

Hmm... The next patch looks like a unified diff to me

So can anybody tell me what should i do to continue

Hmm, not sure why that is failing. The minimal patch on STABLE14 to get the headers going again is:
http://www.squid-cache.org/Versions/v3/3.0/changesets/b9001.patch

It's applied with patch -p0 < b9001.patch.

On Trying Method-2
changes in src/HttpHeader.cc.

after changing the said line i.e.

{"Max-Forwards", HDR_MAX_FORWARDS, ftInt},

to become

{"Max-Forwards", HDR_MAX_FORWARDS, ftInt64},

i don't know what to do further to tell squid adapt changes. should i run make clean make make install and it would be done!!!.

Thanks in advance.
.Goody.

Yes that should be sufficient.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
[squid-users] Squid 3.0.STABLE16-RC1 is available
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-3.0.STABLE16-RC1 release!

This release contains only two bug fixes.

The small Bug 2648 NTLM helpers not shutting down when deferred has now been tested and found useful.

The larger ongoing issue of broken servers sending chunked transfer encoding to Squid 3.0 is now also fixed by this release.

Due to the chunked transfer encoding changes being fairly large and the request handling not yet having wide testing usage behind it this release is marked a release candidate.

Thanks are due to the Gentoo project for porting the chunked reply handling from Squid 3.1.

Thanks are due to the Measurement Factory and a currently anonymous sponsor for the addition of chunked request handling.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html if and when you are ready to make the switch to Squid-3.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.0/
ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries