Re: [squid-users] Squid with squidguard
Thank you Amos for the feedback.
I did see an example online using ACL and that tricked me.
Removing the allow line, now squid is logging that squidguard is started (though no squidguard processes are listed, it could be due to that I have not tested yet with actual traffic).

I will check also ufdbguard as it seems promising.

Thanx,
Alex

On Thu, Apr 26, 2018 at 4:02 AM, Amos Jeffries wrote:

> On 25/04/18 23:44, Alex K wrote:
> > Hi all,
> >
> > I was using a squid (3.1.20) + squidguard setup (to filter out several
> > site categories) on Debian 7 and the setup worked. The squidguard was
> > invoked from squid.conf as below:
> >
> > redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > redirect_children 7
> >
> > I am now testing the setup on Debian 9 (with squid 3.5.23) with the
> > following lines in squid.conf:
> >
> > url_rewrite_access allow
>
> There are no ACLs on the above line. So it cannot match anything. The
> implicit default applies instead. Implicit default after any "allow"
> line is "deny all".
>
> Also, you did not configure any allow/deny previously. So why add it now?
>
> > url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > url_rewrite_children 5
> >
> > But I get at squid logs:
> >
> > 2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> > 2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes needed.
>
> No traffic is allowed to go to the helper. So no SG processes necessary.
> Squid is correct.
>
> > Seems that squid is ignoring and not starting squidguard.
> > I have read also some have mentioned that squidguard is not maintained
> > anymore.
> >
> > Any idea on the above?
> > Any better alternative to squidguard that you recommend?
>
> ufdbguard is much better than the outdated and no longer maintained
> SquidGuard (but is not packaged on Debian).
>
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid with squidguard
On 25/04/18 23:44, Alex K wrote:
> Hi all,
>
> I was using a squid (3.1.20) + squidguard setup (to filter out several
> site categories) on Debian 7 and the setup worked. The squidguard was
> invoked from squid.conf as below:
>
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> redirect_children 7
>
> I am now testing the setup on Debian 9 (with squid 3.5.23) with the
> following lines in squid.conf:
>
> url_rewrite_access allow

There are no ACLs on the above line. So it cannot match anything. The implicit default applies instead. Implicit default after any "allow" line is "deny all".

Also, you did not configure any allow/deny previously. So why add it now?

> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 5
>
> But I get at squid logs:
>
> 2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> 2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes needed.

No traffic is allowed to go to the helper. So no SG processes necessary. Squid is correct.

> Seems that squid is ignoring and not starting squidguard.
> I have read also some have mentioned that squidguard is not maintained
> anymore.
>
> Any idea on the above?
> Any better alternative to squidguard that you recommend?

ufdbguard is much better than the outdated and no longer maintained SquidGuard (but is not packaged on Debian).

Amos
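Added example (not from the thread or the Squid project): a small Python check that models the url_rewrite_access behaviour Amos describes above, where a rule with no ACL names never matches and an "allow" list falls through to "deny all", and flags a rewrite helper that no request can reach. It assumes Squid's documented defaults (no url_rewrite_access lines means every request goes to the helper; the fall-through is the opposite of the last rule); the function names are hypothetical and ACL matching is reduced to the set of ACL names that match a request.

```python
from dataclasses import dataclass

# Directive names as they appear in the thread (old 3.1 names and current ones).
PROGRAM = {"url_rewrite_program", "redirect_program"}
CHILDREN = {"url_rewrite_children", "redirect_children"}


@dataclass
class Rule:
    lineno: int
    action: str   # "allow" or "deny"
    acls: list    # ACL names on the line; a leading "!" negates


def parse_rewrite_config(text):
    """Return (url_rewrite_access rules, helper path, children) from squid.conf text."""
    rules, program, children = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name == "url_rewrite_access" and args and args[0] in ("allow", "deny"):
            rules.append(Rule(lineno, args[0], args[1:]))
        elif name in PROGRAM and args:
            program = args[0]
        elif name in CHILDREN and args and args[0].isdigit():
            children = int(args[0])
    return rules, program, children


def rule_matches(rule, matched):
    """A rule matches only if it names ACLs and every one of them holds (AND)."""
    if not rule.acls:
        return False   # "There are no ACLs on the above line. So it cannot match anything."
    for acl in rule.acls:
        negated = acl.startswith("!")
        if (acl.lstrip("!") in matched) == negated:
            return False
    return True


def sends_to_helper(rules, matched):
    """True if a request matching the ACL names in `matched` is passed to the helper."""
    if not rules:
        return True                        # no url_rewrite_access lines: everything is sent
    matched = set(matched) | {"all"}       # the built-in "all" ACL always matches
    for rule in rules:
        if rule_matches(rule, matched):
            return rule.action == "allow"
    return rules[-1].action == "deny"      # implicit default: opposite of the last rule


def helper_reachable(rules):
    """Conservative check: could any request at all be sent to the helper?"""
    for rule in rules:
        if not rule.acls:
            continue                       # can never match
        if rule.acls == ["all"]:
            return rule.action == "allow"  # matches every request, so it decides
        if rule.action == "allow":
            return True                    # some request may match this rule
    return not rules or rules[-1].action == "deny"


def lint(text):
    rules, program, _ = parse_rewrite_config(text)
    findings = [
        f"line {r.lineno}: url_rewrite_access {r.action} has no ACL names and can never match"
        for r in rules if not r.acls
    ]
    if program and not helper_reachable(rules):
        findings.append(f"{program} is configured but no request can reach it")
    return findings


# The Debian 9 lines from Alex's post, and the same config with the allow line removed.
ALEX_CONF = """\
url_rewrite_access allow
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
"""
FIXED_CONF = "\n".join(ALEX_CONF.splitlines()[1:]) + "\n"

if __name__ == "__main__":
    for label, conf in (("as posted", ALEX_CONF), ("allow line removed", FIXED_CONF)):
        print(label, "->", lint(conf) or "helper reachable")
```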
[squid-users] Squid with squidguard
Hi all,

I was using a squid (3.1.20) + squidguard setup (to filter out several site categories) on Debian 7 and the setup worked. The squidguard was invoked from squid.conf as below:

redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 7

I am now testing the setup on Debian 9 (with squid 3.5.23) with the following lines in squid.conf:

url_rewrite_access allow
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

But I get at squid logs:

2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes needed.

Seems that squid is ignoring and not starting squidguard.
I have read also some have mentioned that squidguard is not maintained anymore.

Any idea on the above?
Any better alternative to squidguard that you recommend?

thanx,
Alex
Re: [squid-users] squid and squidGuard redirect
Hi Vieri,

I suggest to replace squidGuard with ufdbGuard.
Then you can set

    ufdb-debug-filter 1

or

    ufdb-debug-filter 2   # very verbose

in ufdbGuard.conf and see exactly what happens.

Note that squidguard has no maintenance for over 5 years and ufdbGuard has regular maintenance.

Marcus

On 08/11/17 12:23, Vieri wrote:
> Hi,
>
> I have this in my SG config:
>
> acl {
>     default {
>         pass allowed !disallowed all
>         redirect http://squidserver/proxy-error/
>     }
> }
>
> From a LAN client browser I can access and display the page at
> http://squidserver/proxy-error/ (direct access).
>
> However, when SG is triggered and should send that redirect to the
> client browser, the client times out after a while, and displays
> Squid's ERR_CONNECT_FAIL with squidserver's IP address in the details.
>
> I don't see anything useful in both Squid and SquidGuard's logs.
>
> What could I try?
>
> Thanks,
>
> Vieri
[squid-users] squid and squidGuard redirect
Hi,

I have this in my SG config:

acl {
    default {
        pass allowed !disallowed all
        redirect http://squidserver/proxy-error/
    }
}

From a LAN client browser I can access and display the page at http://squidserver/proxy-error/ (direct access).

However, when SG is triggered and should send that redirect to the client browser, the client times out after a while, and displays Squid's ERR_CONNECT_FAIL with squidserver's IP address in the details.

I don't see anything useful in both Squid and SquidGuard's logs.

What could I try?

Thanks,

Vieri
[squid-users] Squid and Squidguard using high disk IO
Hi,

I'm wondering if anyone has any ideas on this one.

Basically I have created a standard Squid proxy using Squid 3.3.8 built from OpenBSD ports - OS version is OpenBSD 5.4 Current. Additionally from ports as well I have installed squidGuard 1.4p6.

The configuration seems ok as everything is working; the acls setup in squidGuard are redirecting to the proper blocked page when unwanted information is embedded in a site: eg. ads, p%rn.

Here is the rule list:

dest ads {
    domainlist blacklists/ads/domains
    urllist blacklists/ads/urls
}

dest adv {
    domainlist blacklists/adv/domains
    urllist blacklists/adv/urls
}

dest spyware {
    domainlist blacklists/spyware/domains
    urllist blacklists/spyware/urls
}

dest porn {
    domainlist blacklists/porn/domains
    urllist blacklists/porn/urls
    expressionlist blacklists/porn/expressions
    # Logged info is anonymized to protect users' privacy
    log anonymous dest/porn.log
}

acl {
    lan {
        # The built-in 'in-addr' destination group matches any IP address.
        pass !ads !adv !porn all
    }
    default {
        # Default deny to reject unknown clients
        pass none
        redirect http://127.0.0.1/blocked.html
    }
}

I removed the spyware option from the 'lan' acl as I'm trying to debug currently.

squidGuard is called by Squid using these lines in the squid.conf:

# Path to the redirector program
url_rewrite_program /usr/local/bin/squidGuard

# Number of redirector processes to spawn
url_rewrite_children 500

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_access deny localhost

The issue I'm currently seeing is that the disk IO process is hammered??? The 'lan' clients are therefore unable to access the web through the proxy.

Running 'top' and 'ps' I can see that squidGuard has spawned many processes which seems to be causing the high IO usage.

The system's hardware is quite powerful with 8GB RAM and a Xeon E5 CPU @3.6GHz, currently being tested with 3x lan machines.

What can I do to improve performance with this? Is this line too high:

url_rewrite_children 500

or simply have a misconfigured something?

I additionally have 'c-icap' running with squidclamav coupled to clamd in case that is of importance - not using the squidGuard line in the squidclamav.conf file!!!

Basically how can I get the IO usage down and get the system to work again? - the logs don't indicate anything outside of 'starting squidGuard process' many times.

Regards,

Kaya
RE: [squid-users] Squid and Squidguard using high disk IO
Hello Kaya,

May I recommend to try using qlproxy together with your Squid? Qlproxy is an ICAP web filtering which may in your particular case do better as Squid Guard. At least you may give it a try to compare if the disk io goes down.

Best regards,
Raf
Re: [squid-users] Squid and Squidguard using high disk IO
Hey,

Notes inside.

On 11/09/2013 05:58 PM, Kaya Saman wrote:
> What can I do to improve performance with this? Is this line too high:
>
> url_rewrite_children 500

YES!!

> or simply have a misconfigured something?
>
> I additionally have 'c-icap' running with squidclamav coupled to clamd
> in case that is of importance - not using the squidGuard line in the
> squidclamav.conf file!!!
>
> Basically how can I get the IO usage down and get the system to work
> again?

For how many users exactly?
Just a note that I am not in a favor of any OS by default but I would feel better Using Linux.

> - the logs don't indicate anything outside of 'starting squidGuard
> process' many times.

The basic assumption of using 500 child processes is that you have at least 100 CPUs.
SquidGuard was designed for performance which is lots of urls per sec.
It can be tested just to clear the point out.
For example in a rate of 1500k requests per second you should not have a need in more than 40-50 children.
In practice it works a bit different speed since there is a speed limit on STDIN and STDOUT which slows down the speed of squid and squidguard communication blocking the whole squid instance (in a way).

If you need basic url filtering you can use ICAP which has an option to run as a standalone service outside of squid settings and machine.
I have written in the past a small ICAP service for the favor of requests manipulation and filtering.
I have never finished it in a level I was happy with but the basic code can be seen here:
https://github.com/elico/echelon

I know for a fact that ICAP interface adds concurrency by the nature of it using TCP.
This is not the place to ask about concurrency in squidguard which can allow the usage of square less processes(children) for more requests.

In order to find the right number of children start with 40 and see if it fits you and then see what is the bottleneck in the whole setup.

Eliezer
Re: [squid-users] Squid and Squidguard using high disk IO
On 11/09/2013 05:04 PM, Rafael Akchurin wrote:
> Hello Kaya,
>
> May I recommend to try using qlproxy together with your Squid? Qlproxy
> is an ICAP web filtering which may in your particular case do better as
> Squid Guard. At least you may give it a try to compare if the disk io
> goes down.
>
> Best regards,
> Raf

I'll take a look at it - thanks! I was also thinking about using Adzapper but I'll do more reading and figure out which is the best one for my setup.

>> Is this line too high: url_rewrite_children 500
> YES!!

Oops the guide I was working from suggested that.

>> Basically how can I get the IO usage down and get the system to work
>> again?
> For how many users exactly?
> Just a note that I am not in a favor of any OS by default but I would
> feel better Using Linux.

At the moment I'm just testing with one user! Using sqtop I can see that there are 30+ connections being passed to Squid.

But overall this runs on my main router; hence I can't use Linux due to the fact that the router is running OpenBSD and needs some special stuff from the OS.

> In order to find the right number of children start with 40 and see if
> it fits you and then see what is the bottle neck in the whole setup.
>
> Eliezer

I tried 5 and it was a bit better but not too much I just cranked it up to 40 now. I also disabled DNS lookups from squidclamav.conf which seems to have helped a bit though still am experiencing issues. :-(

As mentioned above I am thinking of running Adzapper and then chaining squidGuard on that; though it might just be squidclamav that's causing this???

The issue seems to get resolved after stopping Squid, then killing the remaining squidguard processes so it's really confusing as to where to look for the bottleneck.

Regards,

Kaya
Re: [squid-users] Squid and Squidguard using high disk IO
Just found this in Squid cache log:

2013/11/09 19:28:25 kid1| /var/squid/cache/04/7A: (24) Too many open files
2013/11/09 19:31:31 kid1| WARNING: All 20/20 redirector processes are busy.
2013/11/09 19:31:31 kid1| WARNING: 20 pending requests queued
2013/11/09 19:31:31 kid1| WARNING: Consider increasing the number of redirector processes in your config file.

The cache size is 2GB though that shouldn't affect performance as far as I understand.

On 11/09/2013 05:23 PM, Eliezer Croitoru wrote:
> Hey,
>
> Notes inside.
>
> On 11/09/2013 05:58 PM, Kaya Saman wrote:
>> What can I do to improve performance with this? Is this line too high:
>>
>> url_rewrite_children 500
>
> YES!!
>
>> or simply have a misconfigured something?
>>
>> I additionally have 'c-icap' running with squidclamav coupled to clamd
>> in case that is of importance - not using the squidGuard line in the
>> squidclamav.conf file!!!
>>
>> Basically how can I get the IO usage down and get the system to work
>> again?
>
> For how many users exactly?
> Just a note that I am not in a favor of any OS by default but I would
> feel better Using Linux.
>
>> - the logs don't indicate anything outside of 'starting squidGuard
>> process' many times.
>
> The basic assumption of using 500 child process is that you have
> atleast 100 CPUs.
> SquidGuard was design for performance which is lots of urls per sec.
> It can be tested just to clear the point out.
> for example in a rate of 1500k requests per second you should not have
> a need in more then 40-50 children.
> In practice it works a bit different speed since there is a speed limit
> on STDIN and STDOUT which slows down the speed of squid and squidguard
> communication blocking the whole squid instance(in a way).
>
> If you need basic url filtering you can use ICAP which has an option to
> run as a standalone service outside of squid settings and machine.
> I have written in the past a small ICAP service for the favor of
> requests manipulation and filtering.
> I have never finished it in a level I was happy with but the basic code
> can be seen here:
> https://github.com/elico/echelon
>
> I know for a fact that ICAP interface adds concurrency by the nature of
> it using TCP.
> This is not the place to ask about concurrency in squidguard which can
> allow the usage of square less processes(children) for more requests.
>
> In order to find the right number of children start with 40 and see if
> it fits you and then see what is the bottle neck in the whole setup.
>
> Eliezer
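Added example (not code from the thread): Python triage of the cache.log messages quoted in these threads, tagging each with the advice the list members gave for it. The finding codes and function names are hypothetical; the sample lines are the ones posted above, unwrapped.

```python
import re

# "<date> <time> kidN| <message>", the layout of the cache.log excerpts on this page.
PREFIX = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| (.*)$")

# One pattern per message the threads discuss; first match wins.
PATTERNS = [
    ("helper_not_needed", re.compile(r"helperOpenServers: No '([^']+)' processes needed")),
    ("helper_saturated", re.compile(r"WARNING: All (\d+)/(\d+) (\w+) processes are busy")),
    ("requests_queued", re.compile(r"WARNING: (\d+) pending requests queued")),
    ("fd_exhausted", re.compile(r"\(24\) Too many open files")),
]

# What the list members suggested for each symptom (paraphrased from the replies).
ADVICE = {
    "helper_not_needed": "Amos: no traffic is allowed to reach the helper; "
                         "review the url_rewrite_access lines",
    "helper_saturated": "Eliezer: start with 40 children and look for the bottleneck; "
                        "Loic/Marcus: keep the blacklist DB in memory (mfs, ufdbGuard)",
    "requests_queued": "same cause as helper_saturated: requests wait for a free helper",
    "fd_exhausted": "Loic: check sysctl kern.maxfiles and the daemon FD limits "
                    "in login.conf (OpenBSD)",
}

# Lines posted in the 2018 thread (Alex) and the 2013 thread (Kaya).
LOG_2018 = [
    "2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes",
    "2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes needed.",
]
LOG_2013 = [
    "2013/11/09 19:28:25 kid1| /var/squid/cache/04/7A: (24) Too many open files",
    "2013/11/09 19:31:31 kid1| WARNING: All 20/20 redirector processes are busy.",
    "2013/11/09 19:31:31 kid1| WARNING: 20 pending requests queued",
    "2013/11/09 19:31:31 kid1| WARNING: Consider increasing the number of redirector "
    "processes in your config file.",
]


def triage(lines):
    """Return one finding per recognised cache.log line, in input order."""
    findings = []
    for line in lines:
        prefix = PREFIX.match(line.strip())
        if not prefix:
            continue                      # not a cache.log line in the expected layout
        timestamp, message = prefix.groups()
        for code, pattern in PATTERNS:
            hit = pattern.search(message)
            if hit:
                findings.append({"time": timestamp, "code": code, "values": hit.groups()})
                break
    return findings


def summarize(findings):
    """Collapse findings to one entry per code: count, first occurrence, advice."""
    summary = {}
    for finding in findings:
        entry = summary.setdefault(
            finding["code"],
            {"count": 0, "first": finding["time"], "advice": ADVICE[finding["code"]]},
        )
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for code, entry in summarize(triage(LOG_2018 + LOG_2013)).items():
        print(f"{entry['first']}  {code} x{entry['count']}: {entry['advice']}")
```

Squid's own hint to increase the number of redirector processes is deliberately left unmatched, since the replies in this thread treat the helper count as something to size from a measured bottleneck rather than to raise on request.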
Re: [squid-users] Squid and Squidguard using high disk IO
Hello Kaya,
first, don't forget to look at sysctl kern.maxfiles values. Also improve daemon FD values in login.conf for squid. Don't forget each connection is a FD (1 connection for the client, 1 for the transaction to remote site, some for the caching).

Also to improve performances of squidguard, I stored all blacklists DB to a memory fs (mfs), this improves massively squidguard performance.

I have written an article to improve squid perfs on OpenBSD:
http://www.unix-experience.fr/2013/monter-un-proxy-cache-performant-avec-squid-et-openbsd/

--
Best regards,
Loïc BLOT, UNIX systems, security and network engineer
http://www.unix-experience.fr

On Saturday 09 November 2013 at 19:39 +, Kaya Saman wrote:
> Just found this is Squid cache log:
>
> 2013/11/09 19:28:25 kid1| /var/squid/cache/04/7A: (24) Too many open files
> 2013/11/09 19:31:31 kid1| WARNING: All 20/20 redirector processes are busy.
> 2013/11/09 19:31:31 kid1| WARNING: 20 pending requests queued
> 2013/11/09 19:31:31 kid1| WARNING: Consider increasing the number of redirector processes in your config file.
>
> The cache size is 2GB though that shouldn't affect performance as far
> as I understand.
Re: [squid-users] Squid and Squidguard using high disk IO
On Sat, Nov 09, 2013 at 11:16:12PM +0100, Loïc BLOT wrote:
> Hello Kaya,
> first, don't forget to look at sysctl kern.maxfiles values. Also
> improve daemon FD values in login.conf for squid. Don't forget each
> connection is a FD (1 connection for the client, 1 for the transaction
> to remote site, somes for the caching).
>
> Also to improve performances of squidguard, i stored all blacklists DB
> to a memory fs (mfs) this improve massively squidguard performance

If the disk I/O is really the bottleneck, consider ufdbGuard.
ufdbGuard loads the URL database in memory and easily does 25,000 URL lookups/sec, much more than you will ever need.

Marcus

> I have wrote an article to improve squid perfs on OpenBSD:
> http://www.unix-experience.fr/2013/monter-un-proxy-cache-performant-avec-squid-et-openbsd/
>
> --
> Best regards,
> Loïc BLOT, UNIX systems, security and network engineer
> http://www.unix-experience.fr
Re: [squid-users] Squid and Squidguard using high disk IO
Thanks so much for all the advice and responses :-)

I decided to try Dansguardian. Currently I have a working model setup though it needs a bit of tuning and tweaking but good news is that I am using the SquidGuard blacklists so all is pretty much good!!

Have been testing; performance is phenomenal though sometimes when Squid can't connect to a site properly in order to populate the cache etc... the pages might need a bit of refreshing however, I consider those as just teething problems.

So yeah NET - NAT - Squid + c-icap + Clamd - Dansguardian - PF is how things look like now :-)

Regards,

Kaya

On 11/09/2013 10:37 PM, Marcus Kool wrote:
> On Sat, Nov 09, 2013 at 11:16:12PM +0100, Loïc BLOT wrote:
>> Hello Kaya,
>> first, don't forget to look at sysctl kern.maxfiles values. Also
>> improve daemon FD values in login.conf for squid. Don't forget each
>> connection is a FD (1 connection for the client, 1 for the transaction
>> to remote site, somes for the caching).
>>
>> Also to improve performances of squidguard, i stored all blacklists DB
>> to a memory fs (mfs) this improve massively squidguard performance
>
> If the disk I/O is really the bottleneck, consider ufdbGuard.
> ufdbGuard loads the URL database in memory and easily does 25,000 URL
> lookups/sec, much more than you will ever need.
>
> Marcus
>
>> I have wrote an article to improve squid perfs on OpenBSD:
>> http://www.unix-experience.fr/2013/monter-un-proxy-cache-performant-avec-squid-et-openbsd/
>>
>> --
>> Best regards,
>> Loïc BLOT, UNIX systems, security and network engineer
>> http://www.unix-experience.fr
Re: [squid-users] Squid and Squidguard.
Guys thanks for sharing your knowledge, u clear my mind :-)

On Wed, Jun 12, 2013 at 8:40 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 13/06/2013 3:23 a.m., Beto Moreno wrote:
> > Hi.
> >
> > Guys I have small experience with squid, now need to learn how to use
> > squidguard.
> >
> > My doubts are:
> >
> > 1) U have squidrunning with your ACL, groups, users and rules, once u
> > setup squidguard what is order? squid - rules them squidguard - rules
> > or squidguard rules them squid - rules?
>
> Squidguard is a separate programs.
>
> * Squid ACLs determine whether a transaction is processed, and how that
> processing is performed.
>
> * Squidguard ACLs determine whether or not Squidguard tells Squid to
> alter the URL mid-transaction. Nothing more.
>
> All ACLs in both are run.
>
> Squid main http_access, adaptation systems and url_rewrite_access ACLs
> are run before squidguard. The url_rewrite_access ACLs determine
> whether squidguard is used *at all*.
> squidguard is contacted and does its thing.
> Then the remainder of the Squid ones are run depending on whether they
> need to on the new URL.
>
> > 2) Squidguard is a URL redirector, them squid ACL stuff will continue
> > working?
>
> Yes.
>
> > 3) Squid ACL tool can be replace with squidguard or they are totally
> > different?
>
> Totally different.
>
> Although some people use URL-rewriting and redirection to act like a
> proxy denial service - what actually happens there is a *successful*
> response with content message saying failure. It is worth avoiding the
> confusion and complexity whenever possible.
>
> Amos
[squid-users] Squid and Squidguard.
Hi. Guys I have small experience with squid, now need to learn how to use squidguard. My doubts are: 1) U have squidrunning with your ACL, groups, users and rules, once u setup squidguard what is order? squid - rules them squidguard - rules or squidguard rules them squid - rules? 2) Squidguard is a URL redirector, them squid ACL stuff will continue working? 3) Squid ACL tool can be replace with squidguard or they are totally different? Sorry to ask this, I'm a little confuse here, thanks for your time!!!
Re: [squid-users] Squid and Squidguard.
Hi ! I've squid and squidguard working with no problem. The squid ACLs keep working (I have machine and users ACLS - denying access to the machines and users to internet) and ACLs related to web browsing (denied pages) in squidguard. You can also do this with squid or vice-versa. Cheers, Bruno Santos - Original Message - From: Beto Moreno pam...@gmail.com To: squid-users@squid-cache.org Sent: Wednesday, June 12, 2013 4:23:30 PM Subject: [squid-users] Squid and Squidguard. Hi. Guys I have small experience with squid, now need to learn how to use squidguard. My doubts are: 1) U have squidrunning with your ACL, groups, users and rules, once u setup squidguard what is order? squid - rules them squidguard - rules or squidguard rules them squid - rules? 2) Squidguard is a URL redirector, them squid ACL stuff will continue working? 3) Squid ACL tool can be replace with squidguard or they are totally different? Sorry to ask this, I'm a little confuse here, thanks for your time!!!
Re: [squid-users] Squid and Squidguard.
On 13/06/2013 3:23 a.m., Beto Moreno wrote: Hi. Guys I have small experience with squid, now need to learn how to use squidguard. My doubts are: 1) U have squidrunning with your ACL, groups, users and rules, once u setup squidguard what is order? squid - rules them squidguard - rules or squidguard rules them squid - rules? Squidguard is a separate programs. * Squid ACLs determine whether a transaction is processed, and how that processing is performed. * Squidguard ACLs determine whether or not Squidguard tells Squid to alter the URL mid-transaction. Nothing more. All ACLs in both are run. Squid main http_access, adaptation systems and url_rewrite_access ACLs are run before squidguard. The url_rewrite_access ACLs determine whether squidguard is used *at all*. squidguard is contacted and does its thing. Then the remainder of the Squid ones are run depending on whether they need to on the new URL. 2) Squidguard is a URL redirector, them squid ACL stuff will continue working? Yes. 3) Squid ACL tool can be replace with squidguard or they are totally different? Totally different. Although some people use URL-rewriting and redirection to act like a proxy denial service - what actually happens there is a *successful* response with content message saying failure. It is worth avoiding the confusion and complexity whenever possible. Amos
[squid-users] squid with squidguard issue
can some one plz help. i followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny squid 2.7 and squidguard 1.2.0 i write the below line at the end of squid.conf redirect_program /usr/bin/squidGuard i denied ads in squidGuard.conf and addme.com is a domain which i am sure is in the list of blocklist database. now when i go to addme.com it just open the website (which i dont want though) here is squidGuard.conf rule. dest adult { domainlist ads/domains # urllist /var/lib/squidguard/db/blacklists/porn/urls # expressionlist adult/expressions redirecthttp://google.com } here is squidguard log. /var/log/squid/squidGuard.log 2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099) 2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101) 2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive 2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive 2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains 2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db 2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107) 2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108) here is access.log.the thing which is making me confuse that redirect tag is not present which suppose to be there. however i can not find any redirect tag in default 2.7 squid.conf file. can u please tell me what is going on and how can i redirect or can solve the issue 1330953994.304640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon Thanks,
Re: [squid-users] squid with squidguard issue
On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote: can some one plz help. i followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny squid 2.7 and squidguard 1.2.0 i write the below line at the end of squid.conf redirect_program /usr/bin/squidGuard okay i denied ads in squidGuard.conf and addme.com is a domain which i am sure is in the list of blocklist database. now when i go to addme.com it just open the website (which i dont want though) here is squidGuard.conf rule. dest adult { domainlist ads/domains # urllist /var/lib/squidguard/db/blacklists/porn/urls # expressionlist adult/expressions redirecthttp://google.com } you need to supply a source and destination. basically who is allowed to access squidguard. and then tell squidguard what to do with the clients request,..allow or deny. eg; dbhome /usr/local/squidGuard/db logdir /usr/local/squidGuard/log # # SOURCE ADDRESSES: src admin { ip 10.1.1.1 } src fooclients { ip 10.132.0.0/16 10.155.0.0/16 } src freedomzone { ip 10.154.1.0/24 10.154.2.0/24 } # DESTINATION CLASSES: # dest whitelist { domainlist whitelist/domains } dest education { domainlist education/schools/domains urllist education/schools/urls } dest denied { domainlist denied/domains urllist denied/urls redirecthttp://10.0.2.3/surfb1.html log deniedaccess.log } acl { admin { pass any } fooclients { passwhitelist education !denied any } else { pass any } freedomzone { passwhitelist education !pornexp !porn any redirect http://staff2.beth.k12.pa.us/index.html } else { pass any } default { pass none redirect http://10.0.2.3/index.html } } here is squidguard log. 
/var/log/squid/squidGuard.log 2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099) 2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101) 2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive 2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive 2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains 2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db 2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107) 2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108) here is access.log.the thing which is making me confuse that redirect tag is not present which suppose to be there. however i can not find any redirect tag in default 2.7 squid.conf file. can u please tell me what is going on and how can i redirect or can solve the issue 1330953994.304640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon Thanks,
Re: [squid-users] squid with squidguard issue
Well you could use squid's built in blacklist capabilities instead of adding complexity by trying to use squidGuard or DansGuardian, particularly if you're a noob at squid. I've taken a look at them and decided that it's too much effort to try and implement, Rather, this is how I've done it. Try this instead, it's what I do. created a blacklist file, and place it somewhere, mine is in my squid dir /etc/squid3/squid-block.acl (u can name it whatever u want of course) add a few test entries to this file in the following format .pornsite.com .unwantedsite.com .whatevershit.com .someshitwebsite.com the . will ensure that www.pornsite.com or any subdomain is also blocked. So next add these lines to your squid.conf #blacklist by haxradio.com== acl blacklist dstdomain "/etc/squid3/squid-block.acl" http_access deny blacklist #== then do squid3 -k reconfigure (assuming that you're running squid3.x series) Voila, you are blocking sites using a black list my friend. btw, just ignore the stupid warning messages. they do not affect the functionality of this feature and I've learned to just ignore them. Thanks to Amos for helping me to properly do this. On 03/05/2012 05:19 PM, jeffrey j donovan wrote: On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote: can some one plz help. i followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny squid 2.7 and squidguard 1.2.0 i write the below line at the end of squid.conf redirect_program /usr/bin/squidGuard okay i denied ads in squidGuard.conf and addme.com is a domain which i am sure is in the list of blocklist database. now when i go to addme.com it just open the website (which i dont want though) here is squidGuard.conf rule. dest adult { domainlist ads/domains # urllist /var/lib/squidguard/db/blacklists/porn/urls # expressionlist adult/expressions redirect http://google.com } you need to supply a source and destination. basically who is allowed to access squidguard. 
and then tell squidguard what to do with the clients request,..allow or deny. eg; dbhome /usr/local/squidGuard/db logdir /usr/local/squidGuard/log # # SOURCE ADDRESSES: src admin { ip 10.1.1.1 } src fooclients { ip 10.132.0.0/16 10.155.0.0/16 } src freedomzone { ip 10.154.1.0/24 10.154.2.0/24 } # DESTINATION CLASSES: # dest whitelist { domainlist whitelist/domains } dest education { domainlist education/schools/domains urllist education/schools/urls } dest denied { domainlist denied/domains urllist denied/urls redirecthttp://10.0.2.3/surfb1.html log deniedaccess.log } acl { admin { pass any } fooclients { passwhitelist education !denied any } else { pass any } freedomzone { passwhitelist education !pornexp !porn any redirect http://staff2.beth.k12.pa.us/index.html } else { pass any } default { pass none redirect http://10.0.2.3/index.html } } here is squidguard log. /var/log/squid/squidGuard.log 2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099) 2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101) 2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive 2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive 2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains 2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db 2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107) 2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds 2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108) here is access.log.the thing which is making me confuse that redirect tag is not present which suppose to be there. however i can not find any redirect tag in default 2.7 squid.conf file. 
can u please tell me what is going on and how can i redirect or can solve the issue 1330953994.304640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon Thanks,
RE: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav
Hey, The Servertraffic is less then 300KB/s. In this Company working 20 Peoples and some guys listening to internet Radio. Is there a Command for getting Squid status Stats like Usage of Redirectors and Dns request or something like that? If Squid tells cans lookup hostname - dns error and i can get a dns respond with dig google.de what can it be, that Squid cant lookup? I think: if i restart Squid, all Cache and other things get cleaned, so there must be something that is full, e.g. any Queue because after restart it worked. Thanks for spending time on this -Original Message- From: Eliezer Croitoru Sent: Thu. 14.04.11 (01:02) To: squid-users@squid-cache.org Subject: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav On 13/04/2011 22:06, childrenofch...@freenet.de wrote: Hey, The configuration listet above, runs longer 1 year without an probs. Now we get the Squid Message: Timeout - DNS Error. first step i tried: dig google.de from the squid maschine. No probs. i saw in the cache.log that all url_rewrite_children are busy, so i screwd em up from 8 to 16. how much traffic this server has? if the url rewrite children are busy it's means too much usage or inefficient rewriter. if you need some help with the rewriter i can mange to build you a great one that based on java. my java url rewriters works on one server with a log of traffic with only 2 child and works much more efficient then many others. Eliezer Okey one Day later: DNS Error, and at this Time, no prob with the url_rewrite_children. now i added some dns Server and the google dns Server (8.8.8.8) which should be up, and what i recieved today :/ dns Error. After squid restart all works fine, no probles comes up in the logs (in all logs) but after a day, the messaged blow up again. now i added dns_nameserver in the squid.conf but no idea any more? thanks for spending time on this. 
[squid-users] Squid 2.7 + SquidGuard + Squidclamav
Hey, The configuration listet above, runs longer 1 year without an probs. Now we get the Squid Message: Timeout - DNS Error. first step i tried: dig google.de from the squid maschine. No probs. i saw in the cache.log that all url_rewrite_children are busy, so i screwd em up from 8 to 16. Okey one Day later: DNS Error, and at this Time, no prob with the url_rewrite_children. now i added some dns Server and the google dns Server (8.8.8.8) which should be up, and what i recieved today :/ dns Error. After squid restart all works fine, no probles comes up in the logs (in all logs) but after a day, the messaged blow up again. now i added dns_nameserver in the squid.conf but no idea any more? thanks for spending time on this.
Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav
Personally, I would setup a caching-only instance of BIND on the proxy, and using that for DNS, or using your internal DNS system on your network, rather than depending on an outside source for all of your DNS. childrenofch...@freenet.de 4/13/2011 3:06 PM Hey, The configuration listet above, runs longer 1 year without an probs. Now we get the Squid Message: Timeout - DNS Error. first step i tried: dig google.de from the squid maschine. No probs. i saw in the cache.log that all url_rewrite_children are busy, so i screwd em up from 8 to 16. Okey one Day later: DNS Error, and at this Time, no prob with the url_rewrite_children. now i added some dns Server and the google dns Server (8.8.8.8) which should be up, and what i recieved today :/ dns Error. After squid restart all works fine, no probles comes up in the logs (in all logs) but after a day, the messaged blow up again. now i added dns_nameserver in the squid.conf but no idea any more? thanks for spending time on this.
RE: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav
Does your internal DNS configuration use the root method, or does it forward to your ISP's DNS? I've noticed strange behavior (Notably DNS timeouts) recently with using the root method at one of my branch offices, and had to ditch it for the ISP forwarders ... In my case, it seemed to have something to do with IPv6 results from the root servers, and it was causing BIND to timeout, but the second query of the same website came back instantly. childrenofch...@freenet.de 4/13/2011 4:21 PM hey, i did that already :( and now i get the same error on my on squid maschine can't see anything in the logfiles -Original Message- From: Chad Naugle Sent: Wed. 13.04.11 (22:03) To: childrenofch...@freenet.de, squid-users@squid-cache.org Subject: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav Personally, I would setup a caching-only instance of BIND on the proxy, and using that for DNS, or using your internal DNS system on your network, rather than depending on an outside source for all of your DNS. 4/13/2011 3:06 PM Hey, The configuration listet above, runs longer 1 year without an probs. Now we get the Squid Message: Timeout - DNS Error. first step i tried: dig google.de from the squid maschine. No probs. i saw in the cache.log that all url_rewrite_children are busy, so i screwd em up from 8 to 16. Okey one Day later: DNS Error, and at this Time, no prob with the url_rewrite_children. now i added some dns Server and the google dns Server (8.8.8.8) which should be up, and what i recieved today :/ dns Error. After squid restart all works fine, no probles comes up in the logs (in all logs) but after a day, the messaged blow up again. now i added dns_nameserver in the squid.conf but no idea any more? thanks for spending time on this.
Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav
On 13/04/2011 22:06, childrenofch...@freenet.de wrote: Hey, The configuration listet above, runs longer 1 year without an probs. Now we get the Squid Message: Timeout - DNS Error. first step i tried: dig google.de from the squid maschine. No probs. i saw in the cache.log that all url_rewrite_children are busy, so i screwd em up from 8 to 16. how much traffic this server has? if the url rewrite children are busy it's means too much usage or inefficient rewriter. if you need some help with the rewriter i can mange to build you a great one that based on java. my java url rewriters works on one server with a log of traffic with only 2 child and works much more efficient then many others. Eliezer Okey one Day later: DNS Error, and at this Time, no prob with the url_rewrite_children. now i added some dns Server and the google dns Server (8.8.8.8) which should be up, and what i recieved today :/ dns Error. After squid restart all works fine, no probles comes up in the logs (in all logs) but after a day, the messaged blow up again. now i added dns_nameserver in the squid.conf but no idea any more? thanks for spending time on this.
[squid-users] squid 3 squidguard
Hey, With squid3, how i have to enable squidGuard ? Redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf Or url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf the Squid Page refer from redirect_program to url_rewrite_programe, but with both it does not work for me thanks a lot!
Re: [squid-users] squid 3 squidguard
On Mon, 15 Nov 2010 20:54:23 +0100, Marco Schuth ma...@it-schuth.net wrote: Hey, With squid3, how i have to enable squidGuard ? Redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf Or url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf the Squid Page refer from redirect_program to url_rewrite_programe, but with both it does not work for me thanks a lot! url_rewrite_* are preferred. The other is old and deprecated. Up to 3.1 there is no difference in the two. Please define does not work. We can only help if you provide details about what is going wrong. Amos
Re: [squid-users] squid 3 squidguard
Hello, Marco, you wrote on 15.11.10: With squid3, how i have to enable squidGuard ? Which distribution? squid3 sounds like a very special distribution. Redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf Or url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf the Squid Page refer from redirect_program to url_rewrite_programe, but with both it does not work for me Here (self compiled on slackware base): no problem. squid-3.1.8 squidguard-1.4 Best regards! Helmut
Re: [squid-users] Squid and squidguard
On Aug 12, 2010, at 12:10 PM, Mamadou Touré wrote: Hi, all when configuring squid for squidguard. we have : redirect_program /usr/bin/squidGuard redirect_children 10 what mean redirect_children. and value should have for squid wich manage about 100 clients. regards. it means how many squidguard instances should squid spawn. /usr/local/bin/squidguard /usr/local/bin/squidguard /usr/local/bin/squidguard /usr/local/bin/squidguard /usr/local/bin/squidguard watch your processes ie Top or netstat, and watch how many are being used. then you can adjust accordingly. 10 is usually just fine. I have a case where i have thousands of connections so i run 100 redirects. Your squid logs will also tell you if your running out. -j
[squid-users] Squid and squidguard
Hi, all when configuring squid for squidguard. we have : redirect_program /usr/bin/squidGuard redirect_children 10 what mean redirect_children. and value should have for squid wich manage about 100 clients. regards.
RE: [squid-users] Squid and squidguard
what mean redirect_children. First hit on goggle explains it well:) Its in the config manual: Tag Nameredirect_children Usage redirect_children number Description This tag is used to set the number of redirect processes to spawn Default redirect_children 5 Example redirect_children 10 Caution If you start too few Squid will have to wait for them to process a back log of URLs, slowing it down. If you start too many they will use RAM and other system resources.
Re: [squid-users] squid rewrite squidguard
On Mon, May 31, 2010 at 11:25 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: Check the first two directives in your conf, see who can write there. Hello, Thanks for your reply, I have some rights issues but even when i assign the right permissions (ie. squid), it still cannot read them: 2010-06-01 10:31:19 [17307] New setting: dbhome: /var/lib/squidguard 2010-06-01 10:31:19 [17307] New setting: logdir: /var/log/squid 2010-06-01 10:31:19 [17307] init domainlist /var/lib/squidguard/blacklists/ads/domains 2010-06-01 10:31:19 [17307] loading dbfile /var/lib/squidguard/blacklists/ads/domains.db 2010-06-01 10:31:19 [17307] Error db_open: Permission denied 2010-06-01 10:31:19 [17307] Going into emergency mode I'll mail the squidguard list, thanks for your help. Steph
[squid-users] squid rewrite squidguard
Hello, I have Squid 3.1.3 running on a server very happily. I am trying to get squidguard to run with it. So at the top of the squid.conf file i put: url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf Then squidguard has: # # CONFIG FILE FOR SQUIDGUARD # dbhome /var/lib/squidguard logdir /var/log/squid dest ads { domainlist blacklists/ads/domains urllist blacklists/ads/urls } acl { default { pass!ads all redirect http://proxy.mydomain.com/block.html } } When running a local test, like: echo http://www.cafzone.net 192.168.6.66/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d It works accordingly: 2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335) 2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340) 2010-05-31 16:17:31 [2785] source not found 2010-05-31 16:17:31 [2785] no ACL matching source, using default http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - - 2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341) But when running within Squid, it does not seem to be taking it? Did I miss anything in the squid.conf file ? I looked online and couldn't spot any error. Thanks in advance, Steph
RE: [squid-users] squid rewrite squidguard
2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335) 2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340) 2010-05-31 16:17:31 [2785] source not found 2010-05-31 16:17:31 [2785] no ACL matching source, using default http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - - 2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341) But when running within Squid, it does not seem to be taking it? Did I miss anything in the squid.conf file ? I looked online and couldn't spot any error. FWIW, there is a squidguard mailing list that is pretty helpful. Your problem is permissions almost certainly, you ran this and the db creation as root (or someone), so now the user that squid runs the rewriter as does not have any access privs to the log files and/or bl/db's... Check the first two directives in your conf, see who can write there. HTH, jlc
[squid-users] squid and squidGuard
Hi, I'm using squid-3.0.STABLE20 And running squidGuard 1.4 When I do a test in my shell I get the answer I want: sh-3.2# echo http://playboy.com 127.0.0.1/ - - GET | /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf -d 2010-03-03 12:26:10 [77887] New setting: dbhome: /usr/local/squidGuard/db 2010-03-03 12:26:10 [77887] New setting: logdir: /usr/local/squidGuard/log 2010-03-03 12:26:10 [77887] init domainlist /usr/local/squidGuard/db/porn/domains 2010-03-03 12:26:10 [77887] loading dbfile /usr/local/squidGuard/db/porn/domains.db 2010-03-03 12:26:10 [77887] init urllist /usr/local/squidGuard/db/porn/urls 2010-03-03 12:26:10 [77887] loading dbfile /usr/local/squidGuard/db/porn/urls.db 2010-03-03 12:26:10 [77887] squidGuard 1.4 started (1267615570.064) 2010-03-03 12:26:10 [77887] squidGuard ready for requests (1267615570.065) 2010-03-03 12:26:10 [77887] source not found 2010-03-03 12:26:10 [77887] no ACL matching source, using default http://www.google.nl 127.0.0.1/- - - 2010-03-03 12:26:10 [77887] squidGuard stopped (1267615570.065) sh-3.2# When I use the following lines in my squid.conf it doensn't work: url_rewrite_program /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf url_rewrite_children 8 Any thoughts? Regards, Jaap Cammeraat
Re: [squid-users] squid and squidGuard
On Wed 2010-03-03 at 13:09 +0100, Jaap Cammeraat wrote: Hi, I'm using squid-3.0.STABLE20 And running squidGuard 1.4 When I do a test in my shell I get the answer I want: sh-3.2# echo http://playboy.com 127.0.0.1/ - - GET | /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf -d Don't run SquidGuard as root.. you need to test as your cache_effective_user (the user Squid and any configured helpers runs at after starting up). It's very likely you have a permission issue where the running user can not access the SquidGuard data.. Regards Henrik
[squid-users] Squid and SquidGuard Blacklist just Warning
Hi everyone, I'm searching for a solution that only warns users if they enter a website which is on the Blacklist. Does anyone have an idea how I can realize this ?? It would look like : User enter www.denied.com - squid redirect to squidguard - squidguard redirect to an local website with an button I would enter this site - if user click this button he could enter the website Thanks a lot Ralph Jarosch
Re: [squid-users] squid and squidguard
Ismail, ufdbGuard is free. It can be used with a free URL database and with a commercial database. -Marcus İsmail ÖZATAY wrote: Marcus Kool yazmış: Hi Ismail, I would add a redirect statement to the int_net acl rule. observation: blocking porn without blocking proxies is the same as blocking nothing. You might want to try ufdbGuard: it is faster than squidguard, and has additional features for enforcing Google SafeSearch and verifying HTTPS traffic (certificates and optionally blocking HTTPS to IP addresses instead of FQDNs). -Marcus İsmail ÖZATAY wrote: Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config; squidGuard.conf - logdir /usr/local/squidGuard/log dbhome /usr/local/squidGuard/db src int_net { ip 192.168.0.0/24 } dest porn { domainlist BL/porn/domains urllistBL/porn/urls } acl { int_net { pass !porn all } default { pass none redirect http://www.google.com.tr } } squid.conf --- http_port 0.0.0.0:3128 acl all src 0.0.0.0/0.0.0.0 redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports Also i saw that this is a commercial product. 
Do you know any free software like this ?
[squid-users] squid and squidguard
Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config; squidGuard.conf - logdir /usr/local/squidGuard/log dbhome /usr/local/squidGuard/db src int_net { ip 192.168.0.0/24 } dest porn { domainlist BL/porn/domains urllistBL/porn/urls } acl { int_net { pass !porn all } default { pass none redirect http://www.google.com.tr } } squid.conf --- http_port 0.0.0.0:3128 acl all src 0.0.0.0/0.0.0.0 redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports
Re: [squid-users] squid and squidguard
On Tuesday 26 August 2008 02:34:22 pm İsmail ÖZATAY wrote:
> Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config;
> snip

Hi Ismail,

Have a look at your squidGuard.log. Usually squidguard is very verbose when something is not working. Usually the problem lies in wrong permissions on the squidguard db files. Make sure the user squid is running under, can read the db files.

HTH,
Joop
Re: [squid-users] squid and squidguard
Hi Ismail, I would add a redirect statement to the int_net acl rule. observation: blocking porn without blocking proxies is the same as blocking nothing. You might want to try ufdbGuard: it is faster than squidguard, and has additional features for enforcing Google SafeSearch and verifying HTTPS traffic (certificates and optionally blocking HTTPS to IP addresses instead of FQDNs). -Marcus İsmail ÖZATAY wrote: Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config; squidGuard.conf - logdir /usr/local/squidGuard/log dbhome /usr/local/squidGuard/db src int_net { ip 192.168.0.0/24 } dest porn { domainlist BL/porn/domains urllistBL/porn/urls } acl { int_net { pass !porn all } default { pass none redirect http://www.google.com.tr } } squid.conf --- http_port 0.0.0.0:3128 acl all src 0.0.0.0/0.0.0.0 redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports
Re: [squid-users] squid and squidguard
Marcus Kool yazmış: Hi Ismail, I would add a redirect statement to the int_net acl rule. observation: blocking porn without blocking proxies is the same as blocking nothing. You might want to try ufdbGuard: it is faster than squidguard, and has additional features for enforcing Google SafeSearch and verifying HTTPS traffic (certificates and optionally blocking HTTPS to IP addresses instead of FQDNs). -Marcus İsmail ÖZATAY wrote: Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config; squidGuard.conf - logdir /usr/local/squidGuard/log dbhome /usr/local/squidGuard/db src int_net { ip 192.168.0.0/24 } dest porn { domainlist BL/porn/domains urllistBL/porn/urls } acl { int_net { pass !porn all } default { pass none redirect http://www.google.com.tr } } squid.conf --- http_port 0.0.0.0:3128 acl all src 0.0.0.0/0.0.0.0 redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports Hi Marcus i will try ufdbGuard. Regards ismail
Re: [squid-users] squid and squidguard
Marcus Kool yazmış: Hi Ismail, I would add a redirect statement to the int_net acl rule. observation: blocking porn without blocking proxies is the same as blocking nothing. You might want to try ufdbGuard: it is faster than squidguard, and has additional features for enforcing Google SafeSearch and verifying HTTPS traffic (certificates and optionally blocking HTTPS to IP addresses instead of FQDNs). -Marcus İsmail ÖZATAY wrote: Hi , I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3 p1,p2,p3 + berkeley db 2.7. Everything seems ok without any problem but when i use redirect_program in squid.conf my internal network connect bypassing the squidguard. I searched something but can not fix it ? Can anybody help me ? Here is my config; squidGuard.conf - logdir /usr/local/squidGuard/log dbhome /usr/local/squidGuard/db src int_net { ip 192.168.0.0/24 } dest porn { domainlist BL/porn/domains urllistBL/porn/urls } acl { int_net { pass !porn all } default { pass none redirect http://www.google.com.tr } } squid.conf --- http_port 0.0.0.0:3128 acl all src 0.0.0.0/0.0.0.0 redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports Also i saw that this is a commercial product. Do you know any free software like this ?
Re: [squid-users] squid and squidguard
> Also i saw that this is a commercial product. Do you know any free software like this ?

What about this? Pls try http://www.shallalist.de/

--
Thank you
Indunil Jayasooriya
[squid-users] squid or squidguard blocking google redirections
Hi, Cannot say if its squid rules or the squidGuard itself blocking following url for google. http://www.google.com/url?sa= I have removed www.google.com/url from my blacklist but now browser after trying it just stops and does nothing. Any clue/help will be appreciated :-) regards
Re: [squid-users] squid or squidguard blocking google redirections
[EMAIL PROTECTED] wrote:
> Hi, Cannot say if its squid rules or the squidGuard itself blocking following url for google. http://www.google.com/url?sa= I have removed www.google.com/url from my blacklist but now browser after trying it just stops and does nothing. Any clue/help will be appreciated :-)

Yes clues would be appreciated. Such as: which version of squid are you running? and many other bits of info about the failed requests, from the cache.log squid writes.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
[squid-users] squid, blacklists ,squidguard doesnt work
Hi

I installed squid 2.5.STABLE6 on Centos 4.4. I have a blacklist file, size more than 4 Megabytes. The acl in squid.conf looks like

    acl porn url_regex -i /etc/squid/porn
    http_access deny porn

When I started squid,

    /etc/init.d/squid start
    Stopping squid: ..
    Starting squid:[FAILED]

I get this error in /var/log/messages

    Mar 20 15:25:33 lnx squid[21380]: Squid Parent: child process 21382 exited with status 0
    Mar 20 15:26:40 lnx squid[21709]: fork failed: (12) Cannot allocate memory
    Mar 20 15:26:40 lnx squid[21709]: Squid Parent: child process -1 started
    Mar 20 15:26:40 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
    Mar 20 15:26:43 lnx squid[21709]: Squid Parent: child process -1 started
    Mar 20 15:26:43 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
    Mar 20 15:26:46 lnx squid[21709]: Squid Parent: child process -1 started
    Mar 20 15:26:46 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
    Mar 20 15:26:49 lnx squid[21709]: Squid Parent: child process -1 started
    Mar 20 15:26:49 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68
    Mar 20 15:26:52 lnx squid[21709]: Squid Parent: child process -1 started
    Mar 20 15:26:52 lnx squid[21709]: Squid Parent: child process -1 exited due to signal 68

When I removed the porn file, or with a porn file of 1 MB, squid works fine.
Re: [squid-users] squid, blacklists ,squidguard doesnt work
[EMAIL PROTECTED] wrote: When i removed porn file or porn file 1 MB then squid work fine As each child will need to read that file, you're looking at a significant memory overhead. Either install more memory in the server, or keep the file down to a reasonable size. -- Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam anti-virus Consultant| e: [EMAIL PROTECTED] | filtering. Inoculate antibodymx.net | m: +447896578023 | your mail system.
Re: [squid-users] squid, blacklists ,squidguard doesnt work
On Tue 2007-03-20 at 16:31 +0200, [EMAIL PROTECTED] wrote:
> Hi I installed squid 2.5.STABLE6 on Centos 4.4 I have a blacklist file, size more than 4 Megabytes acl in squid.conf look like
> acl porn url_regex -i /etc/squid/porn

Uhm... 4 Megabytes of regex expressions? Are you really really sure that's what you have?

I suspect you are abusing the wrong acl type here... quite likely a lot of that blacklist should go into a dstdomain acl..

What does the content of this blacklist look like?

Regards
Henrik
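Added example, not part of the original thread: the suggestion above, that most of a large blacklist belongs in a dstdomain acl rather than url_regex, sketched as a Python script that splits a list into plain host names and entries that still need review or a url_regex acl. The acl name, the output file names and the sample entries are assumptions constructed for illustration.

```python
import re

# Characters that appear in regular expressions but never in a host name.
REGEX_META = set("\\^$*+?()[]{}|")
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample input, not a real blacklist.
SAMPLE = """\
# constructed sample
example.com
www.example.com
.ads.example.net
Tracker.Example.ORG
192.0.2.10
example.org/banners/
(^|\\.)adserver[0-9]*\\.
sex|porn
"""


def is_plain_domain(entry):
    """True if entry is a bare host name, optionally with a leading dot."""
    host = entry.lstrip(".")
    if not host or len(host) > 253 or REGEX_META & set(host):
        return False
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False  # single word or IPv4 literal: leave for manual review
    return all(LABEL.fullmatch(label) for label in labels)


def prune_subdomains(domains):
    """Drop hosts already covered by a listed parent domain.

    Entries are returned with a leading dot, which in a dstdomain acl
    matches the domain itself and all of its subdomains (assumed here to
    be the intent of a blacklist entry).
    """
    kept = set()
    for host in sorted(domains, key=lambda h: h.count(".")):
        labels = host.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if kept.isdisjoint(parents):
            kept.add(host)
    return sorted("." + host for host in kept)


def split_blacklist(lines):
    """Return (dstdomain entries, other entries) for a blacklist."""
    domains, other = set(), []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if is_plain_domain(entry.lower()):
            domains.add(entry.lower().lstrip("."))
        else:
            other.append(entry)  # real regexes, URL paths, IP literals
    return prune_subdomains(domains), other


def squid_acl_lines(name, domain_file, regex_file, other):
    """squid.conf lines for the split lists (file names are placeholders)."""
    lines = ['acl %s_dom dstdomain "%s"' % (name, domain_file),
             "http_access deny %s_dom" % name]
    if other:
        lines += ['acl %s_re url_regex -i "%s"' % (name, regex_file),
                  "http_access deny %s_re" % name]
    return lines


if __name__ == "__main__":
    doms, rest = split_blacklist(SAMPLE.splitlines())
    print("dstdomain entries:", doms)
    print("left for url_regex or review:", rest)
    print("\n".join(squid_acl_lines("porn", "/etc/squid/porn.domains",
                                    "/etc/squid/porn.regex", rest)))
```

The entries left in the second list are the only ones compiled as regular expressions, so that list is the one to keep short.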
[squid-users] Squid + ClamAV + squidGuard
Hi,

does anybody use this configuration?

    squid-2.5.STABLE10-5.2
    clamav-0.88.4-0.1
    squidGuard-1.2.0-390

part of squid.conf:

    redirect_program /usr/sbin/SquidClamAV_Redirector.py -c /etc/squid/SquidClamAV_Redirector.conf
    redirect_children 10

part of SquidClamAV_Redirector.conf:

    ThirdPartyRedirectors = /usr/sbin/squidGuard

Is it a good configuration? I need a proxy for cca 500 users. What is the recommended HW for cca 500 users?

Marek
Re: [squid-users] Squid and SquidGuard retsarting. Why?
On Wed 2006-07-12 at 15:22 +0100, Brian Gregory wrote:
> Squid is set up to run 5 squidGuard processes. When we boot Suse it takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to read in the blacklists and build their tables.

This will be much faster if you let squidGuard build its lookup db.

> Much of the time it works fine but every now and then for no obvious reason, squid decides it needs to start more squidGuard processes which effectively cuts off all web access.

helper processes are restarted

    when squid -k rotate is run
    when squid -k reconfigure is run
    when more than 50% of the helpers have crashed
    if Squid crashes or is restarted

> I'm not sure exactly what happens,

See cache.log for information on why the helpers were restarted.

Regards
Henrik
Re: [squid-users] Squid and SquidGuard retsarting. Why?
Dwayne Hottinger wrote: Quoting Brian Gregory [EMAIL PROTECTED]: We have a Linux box running Suse 10.0 set up as a router and web proxy with filtering sharing our DSL connection between 7 Windows XP computers. It's running squid and squidGuard with a very large blacklist of forbidden URLs and phrases. Because we basically have no money the Suse box is an old 400MHz Pentium II PC with only 256MB of RAM and this isn't likely to change in the near future, except that I might be able to get some more RAM if necessary. Squid is set up to run 5 squidGuard processes. When we boot Suse it takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to read in the blacklists and build their tables. During this time the web proxy is non functional so we usually leave the Suse box running 24/7 to avoid having to wait for it. Much of the time it works fine but every now and then for no obvious reason, squid decides it needs to start more squidGuard processes which effectively cuts off all web access. I'm not sure exactly what happens, maybe sometimes it just kills the existing squidGuards and starts new ones but it sometimes seems to end running 10 squidGuards and thrashing the disk hard for ages leaving the users with no web access. When it's all running properly free -m seems to indicated that there is enough memory: total used free sharedbufferscached Mem: 250246 3 0 51 126 -/+ buffers/cache: 68181 Swap: 400 2397 Does anyone know what's going on and how to stop it happening? -- Brian Gregory. [EMAIL PROTECTED] Computer Room Volunteer. Therapy Centre. Prospect Park Hospital. How big are your access.log files? There is a 2gb limit on Squid. I would definately think about adding more memory to the box though. You should be able to pick up PC 100 memory fairly cheap. -- Dwayne Hottinger Network Administrator Harrisonburg City Public Schools Part of the problem may be log file rotation which appears to be set to restart squid at the moment. 
However this does not explain why I sometimes find that it is running 10 squidGuard processes when my squid.conf specifies 5. -- Brian Gregory. [EMAIL PROTECTED] Computer Room Volunteer. Therapy Centre. Prospect Park Hospital.
Re: AW: [squid-users] Squid and SquidGuard retsarting. Why?
[EMAIL PROTECTED] wrote: Please read the documentation for squidguard. In short: You should build a squidguard-database containing your blacklists one time. After that squidguard should start within a few seconds. Mit freundlichem Gruß/Yours sincerely Werner Rost GMT-FIR - Netzwerk ZF Boge Elastmetall GmbH Friesdorfer Str. 175 53175 Bonn Deutschland/Germany Telefon/Phone +49 228 3825 - 420 Telefax/Fax +49 228 3825 - 398 [EMAIL PROTECTED] Ok I found some documentation that says the -C listfile parameter builds a pre-built database but there doesn't seem to be any info on how to use a pre-build database. Maybe all will become clear if I experiment a bit.
AW: AW: [squid-users] Squid and SquidGuard retsarting. Why?
Define the location of the pre-built database in the configuration file of squidguard.

Example:

    destination porn {
        domainlist      porn/domains
        urllist         porn/urls
        expressionlist  porn/expressions
        log             porn.log
    }

Yours sincerely
Werner Rost
GMT-FIR - Netzwerk
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175
53175 Bonn
Germany
Phone +49 228 3825 - 420
Fax +49 228 3825 - 398
[EMAIL PROTECTED]

-----Original Message-----
From: Brian Gregory [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 July 2006 13:11
To: squid-users@squid-cache.org
Subject: Re: AW: [squid-users] Squid and SquidGuard retsarting. Why?

[EMAIL PROTECTED] wrote:
> Please read the documentation for squidguard.
> In short: You should build a squidguard-database containing your blacklists one time. After that squidguard should start within a few seconds.
> Yours sincerely
> Werner Rost

Ok I found some documentation that says the -C listfile parameter builds a pre-built database but there doesn't seem to be any info on how to use a pre-build database. Maybe all will become clear if I experiment a bit.
Re: AW: AW: [squid-users] Squid and SquidGuard retsarting. Why?
[EMAIL PROTECTED] wrote:
> Define the location of the pre-built database in the configuration file of squidguard.
> Example:
>
>     destination porn {
>         domainlist      porn/domains
>         urllist         porn/urls
>         expressionlist  porn/expressions
>         log             porn.log
>     }
>
> Yours sincerely
> Werner Rost

I think I've got it working now, it certainly starts up much quicker even when I configure 10 squidGuard processes.

I have set up the following running on a weekly cron job as root to download new blacklists and create the database just once a week (watch out for the line wraps):

    # This is Brian's blacklist update script
    cd ~
    # First blacklist archive: download and unpack into the squidGuard db directory
    rm -f bl.tar.gz
    wget -O bl.tar.gz http://ftp.tdcnorge.no/pub/www/proxy/squidGuard/contrib/blacklists.tar.gz
    tar --ungzip --extract --exclude='*.diff' --directory=/var/lib/squidGuard/db --verbose -f bl.tar.gz
    # Second blacklist archive, unpacked over the first
    rm -f bl.tar.gz
    wget -O bl.tar.gz ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
    tar --ungzip --extract --exclude='*.diff' --directory=/var/lib/squidGuard/db --verbose -f bl.tar.gz
    rm -f bl.tar.gz
    # Build the .db files once, keeping everything owned by the squid user
    chown -R squid:nogroup /var/lib/squidGuard/db
    /usr/sbin/squidGuard -C all
    chown -R squid:nogroup /var/lib/squidGuard/db
    # Make squid restart its squidGuard helpers so they load the new databases
    /usr/sbin/squid -k reconfigure
    #Script Ends

The squid.conf file seems to be okay exactly as it was. The squidGuard processes seem to know to use the databases rather than the text files.

Does this look reasonable?

--
Brian Gregory. [EMAIL PROTECTED]
Computer Room Volunteer. Therapy Centre. Prospect Park Hospital.
[squid-users] Squid and SquidGuard retsarting. Why?
We have a Linux box running Suse 10.0 set up as a router and web proxy with filtering sharing our DSL connection between 7 Windows XP computers. It's running squid and squidGuard with a very large blacklist of forbidden URLs and phrases.

Because we basically have no money the Suse box is an old 400MHz Pentium II PC with only 256MB of RAM and this isn't likely to change in the near future, except that I might be able to get some more RAM if necessary.

Squid is set up to run 5 squidGuard processes. When we boot Suse it takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to read in the blacklists and build their tables. During this time the web proxy is non functional so we usually leave the Suse box running 24/7 to avoid having to wait for it.

Much of the time it works fine but every now and then for no obvious reason, squid decides it needs to start more squidGuard processes which effectively cuts off all web access. I'm not sure exactly what happens, maybe sometimes it just kills the existing squidGuards and starts new ones but it sometimes seems to end running 10 squidGuards and thrashing the disk hard for ages leaving the users with no web access.

When it's all running properly free -m seems to indicate that there is enough memory:

                 total       used       free     shared    buffers     cached
    Mem:           250        246          3          0         51        126
    -/+ buffers/cache:         68        181
    Swap:          400          2        397

Does anyone know what's going on and how to stop it happening?

--
Brian Gregory. [EMAIL PROTECTED]
Computer Room Volunteer. Therapy Centre. Prospect Park Hospital.
Re: [squid-users] Squid and SquidGuard retsarting. Why?
Quoting Brian Gregory [EMAIL PROTECTED]: We have a Linux box running Suse 10.0 set up as a router and web proxy with filtering sharing our DSL connection between 7 Windows XP computers. It's running squid and squidGuard with a very large blacklist of forbidden URLs and phrases. Because we basically have no money the Suse box is an old 400MHz Pentium II PC with only 256MB of RAM and this isn't likely to change in the near future, except that I might be able to get some more RAM if necessary. Squid is set up to run 5 squidGuard processes. When we boot Suse it takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to read in the blacklists and build their tables. During this time the web proxy is non functional so we usually leave the Suse box running 24/7 to avoid having to wait for it. Much of the time it works fine but every now and then for no obvious reason, squid decides it needs to start more squidGuard processes which effectively cuts off all web access. I'm not sure exactly what happens, maybe sometimes it just kills the existing squidGuards and starts new ones but it sometimes seems to end running 10 squidGuards and thrashing the disk hard for ages leaving the users with no web access. When it's all running properly free -m seems to indicated that there is enough memory: total used free sharedbufferscached Mem: 250246 3 0 51 126 -/+ buffers/cache: 68181 Swap: 400 2397 Does anyone know what's going on and how to stop it happening? -- Brian Gregory. [EMAIL PROTECTED] Computer Room Volunteer. Therapy Centre. Prospect Park Hospital. How big are your access.log files? There is a 2gb limit on Squid. I would definately think about adding more memory to the box though. You should be able to pick up PC 100 memory fairly cheap. -- Dwayne Hottinger Network Administrator Harrisonburg City Public Schools
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
Hi! Im running squidguard-1.2.0 on RHEL4 and Ubuntu Dapper Flight 4 and squid doesn't crash, however it does fill up /var/tmp but I do an squid reload every night to reconfigure the squidgard and at that time I rm -f /var/tmp/BDB* before reloading squid. So far it has been running stable for me. If you want to be safe you should probably stop squid before cleaning /var/tmp/BDB* and then start it. - From: Sushil Deore [EMAIL PROTECTED] Date: Wed, 8 Mar 2006 00:56:55 +0530 (IST) Hello, I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley db-4.0 on Fedora Core-4. It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but Berkeley DB-4.0 comes with FC-4. Squidguard does not prefer DB-2.X; it requires it. Squidguard does not support DB-4.0 You are true, can you please suggest me any alternative that can be used inplace of squidGuard on FC-4 with squid-3.0/squid-2.5? How can I stop squid from crashing? Is there anything I am missing out in the setup. Any recommendation on the actual packages(squid/squidGuard or any else/Berkeley DB) I should use with FC-4? Thanks in advance. = Janåke Rönnblom IT avdelningen, Teknous, Skellefteå Kommun Assistentgatan 23 931 77 Skelleftea (Sweden) - Phone : +46-910-58 54 24 Mobile : 070-397 07 43 Fax: +46-910-58 54 99 URL: http://skeria.skelleftea.se - Those who do not understand Unix are condemned to reinvent it, poorly. -- Henry Spencer
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
On Thu 2006-03-09 at 10:14 +0100, Rönnblom Janåke /Teknous wrote:
> Hi! Im running squidguard-1.2.0 on RHEL4 and Ubuntu Dapper Flight 4 and squid doesn't crash, however it does fill up /var/tmp but I do an squid reload every night to reconfigure the squidgard and at that time I rm -f /var/tmp/BDB* before reloading squid.

You should rebuild the DB files statically. See the SquidGuard documentation.

This will both keep the DB files under control and significantly speed up startup.

Regards
Henrik
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
Henrik Nordstrom [EMAIL PROTECTED] wrote on 9 March 2006 at 10:40 +:
> You should rebuild the DB files statically. See the SquidGuard documentation.

Ah, you mean running squidguard once with -C all to create db files? I forgot to switch to this mode when entering into production so thanks for the tip!

=
Janåke Rönnblom
IT avdelningen, Teknous, Skellefteå Kommun
Assistentgatan 23
931 77 Skelleftea (Sweden)
-
Phone : +46-910-58 54 24
Mobile : 070-397 07 43
Fax: +46-910-58 54 99
URL: http://skeria.skelleftea.se
-
Those who do not understand Unix are condemned to reinvent it, poorly. -- Henry Spencer
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
Hello, I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley db-4.0 on Fedora Core-4. It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but Berkeley DB-4.0 comes with FC-4. Squidguard does not prefer DB-2.X; it requires it. Squidguard does not support DB-4.0 You are true, can you please suggest me any alternative that can be used inplace of squidGuard on FC-4 with squid-3.0/squid-2.5? How can I stop squid from crashing? Is there anything I am missing out in the setup. Any recommendation on the actual packages(squid/squidGuard or any else/Berkeley DB) I should use with FC-4? Thanks in advance. -- Sushil.
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
On Wed 2006-03-08 at 00:56 +0530, Sushil Deore wrote:
> You are true, can you please suggest me any alternative that can be used inplace of squidGuard on FC-4 with squid-3.0/squid-2.5?

What do you want the redirector to do?

But seriously, SquidGuard does work fine with DB4. You just need to patch it a little. See their homepage. You can also find prebuilt RPMs for FC-4 from rpmforge / Dag Wieers, already including the DB4 patch, automatic log rotation and more..

The reason why DB4 support isn't included in the SquidGuard distribution is that SquidGuard is no longer actively maintained by its authors. But this does not make it less functional once you get it running..

Regards
Henrik
[squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
Hello, I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley db-4.0 on Fedora Core-4. It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but Berkeley DB-4.0 comes with FC-4. How can I stop squid from crashing? Is there anything I am missing out in the setup. Any recommendation on the actual packages(squid/squidGuard or any else/Berkeley DB) I should use with FC-4? Thanks in advance. -- Sushil.
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
On 3/5/06, Sushil Deore [EMAIL PROTECTED] wrote: Hello, I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley db-4.0 on Fedora Core-4. It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but Berkeley DB-4.0 comes with FC-4. How can I stop squid from crashing? Is there anything I am missing out in the setup. Any recommendation on the actual packages(squid/squidGuard or any else/Berkeley DB) I should use with FC-4? Thanks in advance. -- Sushil. How about using thise RPMs http://dag.wieers.com/home-made/squidguard/ Don't forget to take the squidguard-blacklists too Have fun -- 3 Zaharioudakis Nikos mob: +30 6947204063 A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing on usenet and in e-mail?
Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4
Hello, I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley db-4.0 on Fedora Core-4. It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but Berkeley DB-4.0 comes with FC-4. Squidguard does not prefer DB-2.X; it requires it. Squidguard does not support DB-4.0 How can I stop squid from crashing? Is there anything I am missing out in the setup. Any recommendation on the actual packages(squid/squidGuard or any else/Berkeley DB) I should use with FC-4? Thanks in advance. -- Sushil.
AW: AW: [squid-users] Squid with SquidGuard
You didn't forget to create the entry S99squid in /sbin/rc3.d using the command ln -s ...? Werner Rost -Ursprüngliche Nachricht- Von: Mark Sansome [mailto:[EMAIL PROTECTED] Gesendet: Freitag, 27. Januar 2006 19:13 An: Rost Werner ZFBE GMT-ISN Cc: [EMAIL PROTECTED]; squid-users@squid-cache.org; Mark Elsen Betreff: Re: AW: [squid-users] Squid with SquidGuard [EMAIL PROTECTED] wrote: Suqid and squidguard work fine for me. There are 2 scripts: /sbin/init.d/squid (yep, OS is Tru64): case $1 in 'start') echo Starting SQUID ... nohup /sbin/init.d/squid_start ;; snip and /sbin/init.d/squid_start: #!/bin/sh su - squid -c '/usr/local/squid/sbin/squid -D' and an entry in /sbin/rc3.d: lrwxrwxrwx 1 root bin 15 Aug 20 2002 S99squid - ../init.d/squid Voila, this works. After a reboot squid and squidguard are running. Hope this helps a little bit. Werner Rost GMT-FIR - Netzwerk Well I had high hopes for this. I worked through it step-by-step changing the relevant file locations to match my system - even putting in some echo comments to trace where I was and, Hey Presto! It worked from the command line... Note: I had to change the /etc/rc.d/init.d/squid_start script to read su - squid --command=`/usr/sbin/squid -D` (with backticks) for it to work (Although I think the -D switch is unnecessary because, if I read my init.d/squid script correctly, it calls /etc/sysconfig/squid which sets it as default). So. Now I can run /sbin/service squid start and squid will start together with squidGuard. Full of hope, I rebooted (having first removed the entry from /etc/rc.d/rc.local). No joy... still the same error. To use the vernacular - This is doing my head in! Thanks and best regards Mark
Re: [squid-users] Squid with SquidGuard
> Actually No. (groan...)
>
>     2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
>     2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>     2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>     2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>     2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>     2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>
> (From cache.log after reboot with /usr/sbin/squid in rc.local)
>
> Sigh...

- Try the online test again :

    root # /usr/sbin/squid

OK ?

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
> - Try the online test again :
>     root # /usr/sbin/squid
> OK ?
> M.

Yeah That still works fine.

Mark
Re: AW: [squid-users] Squid with SquidGuard
[EMAIL PROTECTED] wrote:
> Squid and squidguard work fine for me.
> There are 2 scripts: /sbin/init.d/squid (yep, OS is Tru64):
>
>     case $1 in
>     'start')
>         echo Starting SQUID ...
>         nohup /sbin/init.d/squid_start
>         ;;
>     snip
>
> and /sbin/init.d/squid_start:
>
>     #!/bin/sh
>     su - squid -c '/usr/local/squid/sbin/squid -D'
>
> and an entry in /sbin/rc3.d:
>
>     lrwxrwxrwx 1 root bin 15 Aug 20 2002 S99squid -> ../init.d/squid
>
> Voila, this works. After a reboot squid and squidguard are running.
> Hope this helps a little bit.
>
> Werner Rost
> GMT-FIR - Netzwerk

Well I had high hopes for this. I worked through it step-by-step changing the relevant file locations to match my system - even putting in some echo comments to trace where I was and, Hey Presto! It worked from the command line...

Note: I had to change the /etc/rc.d/init.d/squid_start script to read

    su - squid --command=`/usr/sbin/squid -D`

(with backticks) for it to work (Although I think the -D switch is unnecessary because, if I read my init.d/squid script correctly, it calls /etc/sysconfig/squid which sets it as default).

So. Now I can run /sbin/service squid start and squid will start together with squidGuard.

Full of hope, I rebooted (having first removed the entry from /etc/rc.d/rc.local). No joy... still the same error.

To use the vernacular - This is doing my head in!

Thanks and best regards
Mark
Re: [squid-users] Squid with SquidGuard
> I'm running Red Hat Fedora Core 4 on an Intel Celeron (Coppermine) PC.
>
> [EMAIL PROTECTED] ~]$ uname -a
> Linux localhost.localdomain 2.6.14-1.1656_FC4 #1 Thu Jan 5 22:13:22 EST 2006 i686 i686 i386 GNU/Linux
>
> Is there anything else you need to know?
>
> Please find below a full (Level 1, ALL) log for a reboot with the /usr/sbin/squid line in /etc/rc.d/rc.local.

So, are you really sure that the one user who is defined as:

  cache_effective_user

in squid.conf can execute:

  /usr/local/squidguard/bin/squidGuard

-- Double verify and again, if needed.

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
> So, are you really sure that the one user who is defined as:
>
>   cache_effective_user
>
> in squid.conf can execute:
>
>   /usr/local/squidguard/bin/squidGuard
>
> -- Double verify and again, if needed.
>
> M.

Hmmm. Well I *thought* I could. But see below:

[EMAIL PROTECTED] ~]$ su
Password:
[EMAIL PROTECTED] mark]# cat /etc/squid/squid.conf | grep cache_effective
# TAG: cache_effective_user
# to UID to squid. If you define cache_effective_user, but not
# cache_effective_group, Squid sets the GID to the effective
# cache_effective_user.
#cache_effective_user squid
cache_effective_user squid
# TAG: cache_effective_group
#cache_effective_group squid
cache_effective_group squid

Then:

[EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
2006/01/26 18:47:49| strtokFile: /usr/share/squid/ads not found
2006/01/26 18:47:49| aclParseAclLine: WARNING: empty ACL: acl ad_sites dstdomain /usr/share/squid/ads
2006/01/26 18:47:49| Starting Squid Cache version 2.5.STABLE11 for i386-redhat-linux-gnu...
2006/01/26 18:47:49| Process ID 5028
2006/01/26 18:47:49| With 1024 file descriptors available
2006/01/26 18:47:49| Performing DNS Tests...
2006/01/26 18:47:49| Successful DNS name lookup tests...
2006/01/26 18:47:49| DNS Socket created at 0.0.0.0, port 32789, FD 4
2006/01/26 18:47:49| Adding nameserver 192.168.123.254 from /etc/resolv.conf
2006/01/26 18:47:49| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/26 18:47:50| User-Agent logging is disabled.
2006/01/26 18:47:50| Referer logging is disabled.
2006/01/26 18:47:50| Unlinkd pipe opened on FD 14
2006/01/26 18:47:50| Swap maxSize 102400 KB, estimated 7876 objects
2006/01/26 18:47:50| Target number of buckets: 393
2006/01/26 18:47:50| Using 8192 Store buckets
2006/01/26 18:47:50| Max Mem size: 8192 KB
2006/01/26 18:47:50| Max Swap size: 102400 KB
2006/01/26 18:47:50| Rebuilding storage in /var/spool/squid (CLEAN)
2006/01/26 18:47:50| Using Least Load store dir selection
2006/01/26 18:47:50| Set Current Directory to /var/spool/squid
2006/01/26 18:47:50| Loaded Icons.
2006/01/26 18:47:50| Accepting HTTP connections at 0.0.0.0, port 8080, FD 16.
2006/01/26 18:47:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2006/01/26 18:47:50| WCCP Disabled.
2006/01/26 18:47:50| /var/run/squid.pid: (1) Operation not permitted
FATAL: Could not write pid file

Wooahhh??? So:

[EMAIL PROTECTED] mark]# ls -la /var/run/squi*
ls: /var/run/squi*: No such file or directory

Hmmm - Strange?

[EMAIL PROTECTED] mark]# locate squid.pid
/var/run/squid.pid

So whatever squid.pid is or does it was there the last time updatedb was run but it's not there now.

However, Squid did get past the point at which it launched squidGuard (which seemed OK) before gracefully closing it. See squidGuard.log (+note times):

2006-01-26 18:47:50 [5031] squidGuard 1.2.0 started (1138301270.257)
2006-01-26 18:47:50 [5031] squidGuard ready for requests (1138301270.310)
2006-01-26 18:47:50 [5033] squidGuard 1.2.0 started (1138301270.275)
2006-01-26 18:47:50 [5033] squidGuard ready for requests (1138301270.311)
2006-01-26 18:47:50 [5029] squidGuard 1.2.0 started (1138301270.246)
2006-01-26 18:47:50 [5029] squidGuard ready for requests (1138301270.312)
2006-01-26 18:47:50 [5032] squidGuard 1.2.0 started (1138301270.290)
2006-01-26 18:47:50 [5032] squidGuard ready for requests (1138301270.313)
2006-01-26 18:47:50 [5030] squidGuard 1.2.0 started (1138301270.285)
2006-01-26 18:47:50 [5030] squidGuard ready for requests (1138301270.314)
2006-01-26 18:47:51 [5029] squidGuard stopped (1138301271.198)
2006-01-26 18:47:51 [5030] squidGuard stopped (1138301271.200)
2006-01-26 18:47:51 [5031] squidGuard stopped (1138301271.201)
2006-01-26 18:47:51 [5032] squidGuard stopped (1138301271.203)
2006-01-26 18:47:51 [5033] squidGuard stopped (1138301271.204)

Now running /usr/sbin/squid -NCd 1 as root (*NOT* sudo -u squid) works just fine (I am not posting the output, but I ran it at 19:07) and guess what?:

[EMAIL PROTECTED] mark]# ls -la /var/run/squid.pid
-rw-r--r-- 1 root squid 5 Jan 26 19:07 /var/run/squid.pid
[EMAIL PROTECTED] mark]#

I'm *sure* this worked before however but (shrug) nevertheless - what does it tell us?

Thanks again for all your help

Best regards

Mark
Re: [squid-users] Squid with SquidGuard
> [EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
> ...

That's not the way to go, and not what I asked. You need to make sure that the one who is defined as cache_effective_user can execute /squidGuard.

Since the user is apparently called 'squid' you need to either fully log in as 'squid' and test this; I advise to test it that way *really*.

If you want to test it from root-originating shells then:

1) # su - squid
2) squid % _path_to_squidguard/squidGuard

The latter should not give a permission error.

squid.pid contains the process id of the squid process. Starting as 'squid' using the sudo stuff is bogus, because, indeed, then you run into other problems such as the pid file which can not be written, e.g. because this file is owned by root.

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> [EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
>> ...
>
> That's not the way to go, and not what I asked. You need to make sure that the one who is defined as cache_effective_user can execute /squidGuard.
>
> Since the user is apparently called 'squid' you need to either fully log in as 'squid' and test this; I advise to test it that way *really*.
>
> If you want to test it from root-originating shells then:
>
> 1) # su - squid
> 2) squid % _path_to_squidguard/squidGuard
>
> The latter should not give a permission error.
>
> squid.pid contains the process id of the squid process. Starting as 'squid' using the sudo stuff is bogus, because, indeed, then you run into other problems such as the pid file which can not be written, e.g. because this file is owned by root.
>
> M.

Sorry, My mistake - again.

[EMAIL PROTECTED] mark]# su - squid
This account is currently not available.

hmmm..

[EMAIL PROTECTED] mark]# vim /etc/passwd

{change squid:x:23:23::/var/spool/squid:/sbin/nologin to squid:x:23:23::/var/spool/squid:/bin/bash}

[EMAIL PROTECTED] mark]# su - squid
-bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)

OK?

Thanks (yet) again...

Mark
Re: [squid-users] Squid with SquidGuard
> Sorry, My mistake - again.
>
> [EMAIL PROTECTED] mark]# su - squid
> This account is currently not available.
>
> hmmm..
>
> [EMAIL PROTECTED] mark]# vim /etc/passwd
>
> {change squid:x:23:23::/var/spool/squid:/sbin/nologin to squid:x:23:23::/var/spool/squid:/bin/bash}
>
> [EMAIL PROTECTED] mark]# su - squid
> -bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
> 2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
> 2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)
>
> OK?
>
> Thanks (yet) again...

Ok, and now, since the status of the squid account in the pw file was changed, you should simply (only) try:

  root # _path_to_squid/squid

Check whether this works.

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> Sorry, My mistake - again.
>>
>> [EMAIL PROTECTED] mark]# su - squid
>> This account is currently not available.
>>
>> hmmm..
>>
>> [EMAIL PROTECTED] mark]# vim /etc/passwd
>>
>> {change squid:x:23:23::/var/spool/squid:/sbin/nologin to squid:x:23:23::/var/spool/squid:/bin/bash}
>>
>> [EMAIL PROTECTED] mark]# su - squid
>> -bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
>> 2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
>> 2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)
>>
>> OK?
>>
>> Thanks (yet) again...
>
> Ok, and now, since the status of the squid account in the pw file was changed, you should simply (only) try:
>
>   root # _path_to_squid/squid
>
> Check whether this works.
>
> M.

[EMAIL PROTECTED] mark]# whereis squid
squid: /usr/sbin/squid /etc/squid /usr/lib/squid /usr/share/squid /usr/share/man/man8/squid.8.gz
[EMAIL PROTECTED] mark]# /usr/sbin/squid
[EMAIL PROTECTED] mark]# ps -ef | grep squid
[EMAIL PROTECTED] mark]# ps -ef | grep squid
root  6017 5105 0 20:46 pts/3 00:00:00 su - squid
squid 6018 6017 0 20:46 pts/3 00:00:00 -bash
root  6195    1 0 21:11 ?     00:00:00 /usr/sbin/squid
squid 6197 6195 0 21:11 ?     00:00:00 (squid)
squid 6198 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
squid 6199 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
squid 6200 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
squid 6201 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
squid 6202 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
squid 6203 6197 0 21:11 ?     00:00:00 (unlinkd)
root  6209 5055 0 21:12 pts/2 00:00:00 grep squid
[EMAIL PROTECTED] mark]#

Looking good...

Logs (both /var/log/squid/cache.log and /var/log/squidguard/squidGuard.log) also show squid + squidGuard started OK.

What now?

Mark
Re: [squid-users] Squid with SquidGuard
> [EMAIL PROTECTED] mark]# whereis squid
> squid: /usr/sbin/squid /etc/squid /usr/lib/squid /usr/share/squid /usr/share/man/man8/squid.8.gz
> [EMAIL PROTECTED] mark]# /usr/sbin/squid
> [EMAIL PROTECTED] mark]# ps -ef | grep squid
> [EMAIL PROTECTED] mark]# ps -ef | grep squid
> root  6017 5105 0 20:46 pts/3 00:00:00 su - squid
> squid 6018 6017 0 20:46 pts/3 00:00:00 -bash
> root  6195    1 0 21:11 ?     00:00:00 /usr/sbin/squid
> squid 6197 6195 0 21:11 ?     00:00:00 (squid)
> squid 6198 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
> squid 6199 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
> squid 6200 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
> squid 6201 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
> squid 6202 6197 0 21:11 ?     00:00:00 (squidGuard) -c /etc/squidguard.conf
> squid 6203 6197 0 21:11 ?     00:00:00 (unlinkd)
> root  6209 5055 0 21:12 pts/2 00:00:00 grep squid
> [EMAIL PROTECTED] mark]#
>
> Looking good...
>
> Logs (both /var/log/squid/cache.log and /var/log/squidguard/squidGuard.log) also show squid + squidGuard started OK.
>
> What now?

Same test, but now from /etc/rc.d/rc.local (involves system restart).

Should work too now.

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> What now?
>
> Same test, but now from /etc/rc.d/rc.local (involves system restart).
>
> Should work too now.

Actually No. (groan...)

2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.

(From cache.log after reboot with /usr/sbin/squid in rc.local)

Sigh...

Mark
RE: [squid-users] Squid with SquidGuard
> Actually No. (groan...)
>
> 2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>
> (From cache.log after reboot with /usr/sbin/squid in rc.local)
>
> Sigh...
>
> Mark

Can you also try it with your service squid start or whatever init script you have available?

Brian
AW: [squid-users] Squid with SquidGuard
Squid and squidguard work fine for me. There are 2 scripts:

/sbin/init.d/squid (yep, OS is Tru64):

case $1 in
'start')
    echo Starting SQUID ...
    nohup /sbin/init.d/squid_start
    ;;
[snip]

and /sbin/init.d/squid_start:

#!/bin/sh
su - squid -c '/usr/local/squid/sbin/squid -D'

and an entry in /sbin/rc3.d:

lrwxrwxrwx 1 root bin 15 Aug 20 2002 S99squid -> ../init.d/squid

Voila, this works. After a reboot squid and squidguard are running.

Hope this helps a little bit.

Werner Rost
GMT-FIR - Netzwerk
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Telefon/Phone +49 228 3825 - 420
Telefax/Fax +49 228 3825 - 398
[EMAIL PROTECTED]

-----Original Message-----
From: Brian Phillips [mailto:[EMAIL PROTECTED]
Sent: Friday, 27 January 2006 00:16
To: 'Mark Sansome'
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid with SquidGuard

> Actually No. (groan...)
>
> 2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
> 2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
>
> (From cache.log after reboot with /usr/sbin/squid in rc.local)
>
> Sigh...
>
> Mark

Can you also try it with your service squid start or whatever init script you have available?

Brian
Re: [squid-users] Squid with SquidGuard
> If I put the command /usr/sbin/squid -NC in my /etc/rc.d/rc.local file it hangs the system on reboot!

You can not use it like that in rc.local; that way of starting SQUID is meant to be used from the command line, and intended for problem solving tasks.

Use squid -h to understand the meaning of these flags.

For rc.local just use:

  _path_to_squid/squid

afterwards, check cache.log, watch out for FATAL errors, if

> I think it's something to do with the cache (/var/spool/squid). Whatever caused it, the only remedy was to power off and reboot with a rescue disk and comment out the line in /etc/rc.d/rc.local.
>
> Interestingly, if I try the command /usr/sbin/squid on its own with no switches, the system starts OK but I get the same old error (WARNING: Cannot run '/usr/bin/squidGuard' process.) and squidGuard is not running.
>
> So what on earth is going on?

We need to re-iterate;

On the command line:

  # squid -NCd 1

check whether this works, again.

Then just put startup command in rc.local the way I explained. Check cache.log

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> If I put the command /usr/sbin/squid -NC in my /etc/rc.d/rc.local file it hangs the system on reboot!
>
> You can not use it like that in rc.local; that way of starting SQUID is meant to be used from the command line, and intended for problem solving tasks.
>
> Use squid -h to understand the meaning of these flags.
>
> For rc.local just use:
>
>   _path_to_squid/squid
>
> afterwards, check cache.log, watch out for FATAL errors, if
>
>> I think it's something to do with the cache (/var/spool/squid). Whatever caused it, the only remedy was to power off and reboot with a rescue disk and comment out the line in /etc/rc.d/rc.local.
>>
>> Interestingly, if I try the command /usr/sbin/squid on its own with no switches, the system starts OK but I get the same old error (WARNING: Cannot run '/usr/bin/squidGuard' process.) and squidGuard is not running.
>>
>> So what on earth is going on?
>
> We need to re-iterate;
>
> On the command line:
>
>   # squid -NCd 1
>
> check whether this works, again.
>
> Then just put startup command in rc.local the way I explained. Check cache.log
>
> M.

Hi Mark, Hi List,

Sorry, I explained myself badly. I did put /usr/sbin/squid -NC in rc.local at first which caused the crash. The next thing I did (after restoring the system) was to read the -h comments (slap myself) and put just the command /usr/sbin/squid in rc.local. As I point out above (badly worded):

  "Interestingly, if I try the command /usr/sbin/squid on its own with no switches, the system starts OK but I get the same old error (WARNING: Cannot run '/usr/bin/squidGuard' process.) and squidGuard is not running."

Without the -NC switches the command /usr/sbin/squid in rc.local starts OK but does not start squidGuard - and gives exactly the same errors in cache.log as I've been getting all along when starting squid with /sbin/service squid start.

The only thing that gives me hope is the fact that /usr/sbin/squid -NCd 1 from the command line does in fact work (and I've just tried it again to be sure!).

So. To be clear:

- /usr/sbin/squid -NCd 1 from the command line works just fine;
- /usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same error as
- /sbin/service squid start from the command line.

Apologies for the confusion.

What next?

Thanks again (I *really* appreciate your help)

Mark
Re: [squid-users] Squid with SquidGuard
> So. To be clear:
>
> - /usr/sbin/squid -NCd 1 from the command line works just fine;
> - /usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same error as
> - /sbin/service squid start from the command line.
>
> Apologies for the confusion.
>
> What next?

In both cases, the working and the not working case, can you check:

  squidGuard.log

anything weird in there ?

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> So. To be clear:
>>
>> - /usr/sbin/squid -NCd 1 from the command line works just fine;
>> - /usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same error as
>> - /sbin/service squid start from the command line.
>>
>> Apologies for the confusion.
>>
>> What next?
>
> In both cases, the working and the not working case, can you check:
>
>   squidGuard.log
>
> anything weird in there ?
>
> M.

Nope. In the working case everything seems just fine:

2006-01-24 21:32:37 [11225] squidGuard 1.2.0 started (1138138357.409)
2006-01-24 21:32:37 [11225] squidGuard ready for requests (1138138357.481)
2006-01-24 21:32:37 [11223] squidGuard 1.2.0 started (1138138357.433)
2006-01-24 21:32:37 [11223] squidGuard ready for requests (1138138357.482)
2006-01-24 21:32:37 [11224] squidGuard 1.2.0 started (1138138357.435)
2006-01-24 21:32:37 [11224] squidGuard ready for requests (1138138357.483)
2006-01-24 21:32:37 [11221] squidGuard 1.2.0 started (1138138357.506)
2006-01-24 21:32:37 [11221] squidGuard ready for requests (1138138357.508)
2006-01-24 21:32:37 [11222] squidGuard 1.2.0 started (1138138357.519)
2006-01-24 21:32:37 [11222] squidGuard ready for requests (1138138357.521)
2006-01-24 22:11:05 [11221] squidGuard stopped (1138140665.526)
2006-01-24 22:11:05 [11222] squidGuard stopped (1138140665.528)
2006-01-24 22:11:05 [11223] squidGuard stopped (1138140665.530)
2006-01-24 22:11:05 [11224] squidGuard stopped (1138140665.531)
2006-01-24 22:11:05 [11225] squidGuard stopped (1138140665.533)

(I started with /usr/sbin/squid -NCd 1, did some tests and closed with CTRL-C)

In the non-working case - cold boot with /usr/sbin/squid in rc.local - you can see the results too (i.e. *nothing at all* written to squidGuard.log).

Hurumph...

Thanks again

Mark
Re: [squid-users] Squid with SquidGuard
> Nope. In the working case everything seems just fine:
>
> 2006-01-24 21:32:37 [11225] squidGuard 1.2.0 started (1138138357.409)
> 2006-01-24 21:32:37 [11225] squidGuard ready for requests (1138138357.481)
> 2006-01-24 21:32:37 [11223] squidGuard 1.2.0 started (1138138357.433)
> 2006-01-24 21:32:37 [11223] squidGuard ready for requests (1138138357.482)
> 2006-01-24 21:32:37 [11224] squidGuard 1.2.0 started (1138138357.435)
> 2006-01-24 21:32:37 [11224] squidGuard ready for requests (1138138357.483)
> 2006-01-24 21:32:37 [11221] squidGuard 1.2.0 started (1138138357.506)
> 2006-01-24 21:32:37 [11221] squidGuard ready for requests (1138138357.508)
> 2006-01-24 21:32:37 [11222] squidGuard 1.2.0 started (1138138357.519)
> 2006-01-24 21:32:37 [11222] squidGuard ready for requests (1138138357.521)
> 2006-01-24 22:11:05 [11221] squidGuard stopped (1138140665.526)
> 2006-01-24 22:11:05 [11222] squidGuard stopped (1138140665.528)
> 2006-01-24 22:11:05 [11223] squidGuard stopped (1138140665.530)
> 2006-01-24 22:11:05 [11224] squidGuard stopped (1138140665.531)
> 2006-01-24 22:11:05 [11225] squidGuard stopped (1138140665.533)
>
> (I started with /usr/sbin/squid -NCd 1, did some tests and closed with CTRL-C)
>
> In the non-working case - cold boot with /usr/sbin/squid in rc.local - you can see the results too (i.e. *nothing at all* written to squidGuard.log).

- In the command-line case, was SQUID started from the root account ?
- What's in cache.log (full log), for the failing case ?

M.
Re: [squid-users] Squid with SquidGuard
Hello Chaps,

I'm still struggling (and still failing) to get squidGuard to work with squid. For those of you who have not been following each gripping instalment of this thread here is a quick recap...

I can run squid very happily on my FC4 machine. I have tried installing squidGuard by RPM, by Yum and finally from source. I have (I think) changed all the file ownerships and permissions that I should have done and yet I have always got (and still get) the same error when I include squidGuard as a redirector in squid:

2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12881 called
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.

The "Permission denied" message has led me down the file ownership / permissions route; but I am able to run squidGuard from the command line with the sudo command:

[EMAIL PROTECTED] bin]# sudo -u squid /usr/local/squidguard/bin/squidGuard -d
2006-01-22 18:30:36 [14702] squidGuard 1.2.0 started (1137954636.066)
2006-01-22 18:30:36 [14702] squidGuard ready for requests (1137954636.096)

Now, after some Googling, I see that this problem (or at least similar problems) can be caused by a firewall on the loopback interface. Do you think this is the cause of my problem? (I posted my Iptables output in an earlier post). However, as a test, I temporarily disabled the firewall and unfortunately still got the same problem.

That is the firewall on this FC4 machine... I am connected to the Internet via a wireless connection which has its own firewall - but surely that should not affect this (or should it?)

What should my next step be?

Dying of frustration here.

Many thanks for your patience...

Mark
Re: [squid-users] Squid with SquidGuard
> Now, after some Googling, I see that this problem (or at least similar problems) can be caused by a firewall on the loopback interface. Do you think this is the cause of my problem? (I posted my Iptables output in an earlier post). However, as a test, I temporarily disabled the firewall and unfortunately still got the same problem.

That may not be enough in a context where the Firewalling software was started and then stopped. Residual rules and/or states may still affect the loopback interface. Can you, for instance, 'ping localhost' with success ?

> That is the firewall on this FC4 machine... I am connected to the Internet via a wireless connection which has its own firewall - but surely that should not affect this (or should it?)
>
> What should my next step be?

Set the firewalling functions off, wherever this needs to be done, and *restart* the system. Check whether you can ping the localhost (itself).

M.

> Dying of frustration here.
>
> Many thanks for your patience...
>
> Mark
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
> That may not be enough in a context where the Firewalling software was started and then stopped. Residual rules and/or states may still affect the loopback interface. Can you, for instance, 'ping localhost' with success ?

Yup... Even with the firewall up and running:

[EMAIL PROTECTED] bin]# ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=0 ttl=64 time=0.339 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.261 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.251 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=5 ttl=64 time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=6 ttl=64 time=0.252 ms

--- localhost.localdomain ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 0.251/0.269/0.339/0.028 ms, pipe 2

> Set the firewalling functions off, wherever this needs to be done, and *restart* the system. Check whether you can ping the localhost (itself).

I haven't tried restarting yet - but given that ping localhost works with the firewall(s) in place do you still think that this is my problem?

I still think that the "Permission denied" message is caused by file ownership problems - but where?

Thanks

Mark
Re: [squid-users] Squid with SquidGuard
> I haven't tried restarting yet - but given that ping localhost works with the firewall(s) in place do you still think that this is my problem?

It could still be, so the restarting with all Firewalling off should still be tried.

> I still think that the "Permission denied" message is caused by file ownership problems - but where?

There shouldn't be if SquidGuard runs under the same user as squid (defined in squid.conf).

Btw, do you start SQUID as root ? Even if no privileged port is used for http-receiving, I would still start as root. I am not sure whether this inter process communication, which goes via the loopback interface, may need root privilege to create the socket. I am not sure about that.

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> I haven't tried restarting yet - but given that ping localhost works with the firewall(s) in place do you still think that this is my problem?
>
> It could still be, so the restarting with all Firewalling off should still be tried.

Well I've just tried it with Iptables/Firestarter turned off + cold restart - and still the same thing. I can't work out what to do with my wireless router firewall (to be honest firewalls are a bit of a black art as far as I am concerned) but all references to LAN are 192.168.123.xxx as far as I can see.

>> I still think that the "Permission denied" message is caused by file ownership problems - but where?
>
> There shouldn't be if SquidGuard runs under the same user as squid (defined in squid.conf).
>
> Btw, do you start SQUID as root ? Even if no privileged port is used for http-receiving, I would still start as root. I am not sure whether this inter process communication, which goes via the loopback interface, may need root privilege to create the socket. I am not sure about that.
>
> M.

Both cache_effective_user and cache_effective_group in squid.conf are set to squid. Every file I can think of that is even remotely connected with squidGuard is set to chown squid.squid.

Squid is started automatically in runlevel 5. If I start it myself I use the command: /sbin/service squid start (or stop, or restart) as root.

Any ideas?
Re: [squid-users] Squid with SquidGuard
> ...
> Squid is started automatically in runlevel 5. If I start it myself I use the command: /sbin/service squid start (or stop, or restart) as root.

Try to start it more natively, what does:

  root # path_to_squid/squid -NCd 1

give ?

(You are lucky, the snooker is on a break :-)

M.
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
>> ...
>> Squid is started automatically in runlevel 5. If I start it myself I use the command: /sbin/service squid start (or stop, or restart) as root.
>
> Try to start it more natively, what does:
>
>   root # path_to_squid/squid -NCd 1
>
> give ?

Well Now! - *That's Interesting!* It Works!

[EMAIL PROTECTED] mark]# /sbin/service squid stop
Stopping squid: . [ OK ]
[EMAIL PROTECTED] mark]# /usr/sbin/squid -NCd 1
2006/01/22 23:18:30| Starting Squid Cache version 2.5.STABLE11 for i386-redhat-linux-gnu...
2006/01/22 23:18:30| Process ID 3644
2006/01/22 23:18:30| With 1024 file descriptors available
2006/01/22 23:18:30| Performing DNS Tests...
2006/01/22 23:18:30| Successful DNS name lookup tests...
2006/01/22 23:18:30| DNS Socket created at 0.0.0.0, port 32772, FD 4
2006/01/22 23:18:30| Adding nameserver 192.168.123.254 from /etc/resolv.conf
2006/01/22 23:18:30| helperOpenServers: Starting 5 'squidGuard' processes
...etc

So what exactly does that tell us? How can I get it so that it works when started automatically?

> (You are lucky, the snooker is on a break :-)
>
> M.

Sorry to take a while to get back to you - I was watching Foyle's War :-)

Thanks so much! Now I think I'm making progress...

Thanks again

Mark
RE: [squid-users] Squid with SquidGuard
> If I run squidGuard on its own as root it seems to work. Is there any way I can try to run it as user squid from the command line to see if I get any more information? Trying su squid obviously didn't work (but I had to try it anyway).

Are you familiar with the sudo command? Whilst root you should be able to do something like:

% sudo -u squid squidguard

And that will execute the command as squid.

Hope that helps,

Ben
Re: [squid-users] Squid with SquidGuard
Quoting from my own message...

Mark Sansome wrote:
> 2006/01/14 21:36:07| comm_open: FD 7 is a new socket
> 2006/01/14 21:36:07| fd_open FD 7 squidGuard
> 2006/01/14 21:36:07| ipcCreate: prfd FD 7
> 2006/01/14 21:36:07| ipcCreate: pwfd FD 7
> 2006/01/14 21:36:07| ipcCreate: crfd FD 6
> 2006/01/14 21:36:07| ipcCreate: cwfd FD 6
> 2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
> 2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
> 2006/01/14 21:36:07| ipcCreate: FD 6 listening...
> 2006/01/14 21:36:07| leave_suid: PID 12881 called
> 2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges forever
> 2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
> 2006/01/14 21:36:07| comm_close: FD 6
> 2006/01/14 21:36:07| commCallCloseHandlers: FD 6
> 2006/01/14 21:36:07| fd_close FD 6 squidGuard
> 2006/01/14 21:36:07| connect FD 7: (13) Permission denied
> 2006/01/14 21:36:07| comm_close: FD 7
> 2006/01/14 21:36:07| commCallCloseHandlers: FD 7
> 2006/01/14 21:36:07| fd_close FD 7 squidGuard
> 2006/01/14 21:36:07| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.

I guess the important line here is

connect FD 7: (13) Permission denied

My question is how do I find out *exactly* what is being denied? I have followed every guide I can find, read every HowTo, scanned every FAQ and followed all the instructions on file ownership and permissions. Almost everything to do with squidGuard has file ownerships of squid.squid and still I get this error.

If I run squidGuard on its own as root it seems to work. Is there any way I can try to run it as user squid from the command line to see if I get any more information? Trying su squid obviously didn't work (but I had to try it anyway).

Is there anything else I can try?

Hoping you can help

Thanks

Mark
Re: [squid-users] Squid with SquidGuard
Brian Phillips wrote:

> 'su - squid' It COMPLETELY sets you as the squid user. Are you starting squid as root? Or are you using the init scripts? Or are you just running it on the command line as squid/proxy?

If I try as a non-privileged user:

[EMAIL PROTECTED] ~]$ su - squid
Password:
su: incorrect password

(Don't know what the squid password is - should I? Can I find out?)

If I try as root:

[EMAIL PROTECTED] mark]# su - squid /usr/local/squidguard/bin/squidGuard -c /etc/squidguard.conf
This account is currently not available.
[EMAIL PROTECTED] mark]#
[EMAIL PROTECTED] mark]# su - squid
This account is currently not available.
[EMAIL PROTECTED] mark]#

Hmmm... *Should* that work?

I start squid either by rebooting or with the command

/sbin/service squid restart [or start or stop]

(as root). Whichever way, it will start quite happily but will still list the same error in cache.log and the proxy will not work.

Taking the

redirect_program /usr/local/squidguard/bin/squidGuard -c /etc/squidguard.conf

line out of squid.conf and restarting will allow squid to work properly.

I can start squidGuard from the command line (as root) with the command:

[EMAIL PROTECTED] mark]# /usr/local/squidguard/bin/squidGuard -d

which gives the response:

2006-01-16 21:31:01 [16626] squidGuard 1.2.0 started (1137447061.766)
2006-01-16 21:31:01 [16626] squidGuard ready for requests (1137447061.806)

(although I have to CTRL-c to get back to the command line - is that normal?)

So - if my reasoning is correct, I can start squidGuard as root, but when squid tries to launch it, it fails because it does not have the right permissions somewhere or other. As you can see above I don't seem to be able to pretend to be squid myself so that I can start it from the command line and see what information I get...

Any ideas?

Thanks again
Mark
RE: [squid-users] Squid with SquidGuard
> [EMAIL PROTECTED] mark]# su - squid
> This account is currently not available.
> [EMAIL PROTECTED] mark]#
>
> Hmmm... *Should* that work?

Kind of. It shouldn't work because the system has not given a shell to the user 'squid' (protecting the system against possible security risks.) It should work because squid will be used later to run squidGuard.

I start squid in a similar fashion and this is what 'ps -ef' shows us:

root   1996    1  0 14:14 ?  00:00:00 /usr/sbin/squid -D -sYC
proxy  1998 1996  0 14:14 ?  00:00:00 (squid) -D -sYC
proxy  2008 1998  0 14:14 ?  00:00:00 (squidGuard) -c /etc/squid/squid
proxy  2009 1998  0 14:14 ?  00:00:00 (squidGuard) -c /etc/squid/squid
proxy  2010 1998  0 14:14 ?  00:00:00 (squidGuard) -c /etc/squid/squid

You can see that squid runs as root, but then the parent process is run as proxy (the same user as squid on your machine). This same proxy user runs squidGuard. (side note: I can 'su - proxy' and get a prompt on my machine.)

That could be why your machine is not allowing squidGuard to start. A way for you to find out would be to give a shell to squid and then try and log in again as squid. If you get a prompt such as

[EMAIL PROTECTED] ~]$

then you know squid has a shell, and you should go back to root user and run your 'service squid start' and see if that removes the error from cache.log. If not, restore your /etc/passwd file to what it was before this test and we'll keep looking for why squidGuard starts with errors.

brian
[squid-users] Squid with SquidGuard
Hello chaps,

I know that this is a Squid mailing list and not the SquidGuard list - but I have exhausted the help of the good folks on the SquidGuard list...

I actually have Squid up and running and am very happy with it :) however, I *do* want to use squidGuard with it too.

Squid runs on a FC4 machine dealing with the proxy requests of my small home network.

I have tried installing squidGuard from RPM, Yum, and by installing from source. All fail to work with squid.

I have tried squidGuard with the simplest of SquidGuard.conf files :

logdir /var/log/squidguard
acl {
  default {
    pass all
  }
}

and the command:

# /usr/bin/squidGuard -d
2006-01-07 23:54:38 [28284] squidGuard 1.2.0 started (1136678078.397)
2006-01-07 23:54:38 [28284] squidGuard ready for requests (1136678078.400)

seems to show that squidGuard is happy...

However, as soon as I put the line:

redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

into squid.conf everything goes wrong.

In /var/log/squid/cache.log I find the following:

2006/01/07 23:51:03| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.

No matter what I do I cannot seem to get SquidGuard to start from within Squid. What am I doing wrong? Can I get any more detailed output as to *exactly* why Squid can't run squidGuard? Any ideas?

Thanks in advance
Mark
RE: [squid-users] Squid with SquidGuard
Do:

# ls -l /usr/bin/squidGuard

And tell us what the permissions are (paste em here.)

> 2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
> 2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
> 2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
> 2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
>
> No matter what I do I cannot seem to get SquidGuard to start from within Squid. What am I doing wrong? Can I get any more detailed output as to *exactly* why Squid can't run squidGuard? Any ideas?
>
> Thanks in advance
> Mark
RE: [squid-users] Squid with SquidGuard
-----Original Message-----
From: Mark Sansome [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 2:21 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid with SquidGuard

> No matter what I do I cannot seem to get SquidGuard to start from within Squid. What am I doing wrong? Can I get any more detailed output as to *exactly* why Squid can't run squidGuard? Any ideas?

I found much more help (including a better howto and trouble shooting section) at http://www.maynidea.com/squidguard/

Brian E. Conklin, MCP+I, MCSE
Director of Information Services
voice: 360-427-3423 fax: 360-427-9599
Re: [squid-users] Squid with SquidGuard
Brian E. Conklin wrote:

> I found much more help (including a better howto and trouble shooting section) at http://www.maynidea.com/squidguard/

Brian C.

Thanks Brian, That was one of the many resources I used. I too found it useful and when I tried installing from source (last resort) I followed his step-by-step guide *exactly* - Still didn't work...

Brian P.

Thanks Brian,

Brian Phillips wrote:

> Do: # ls -l /usr/bin/squidGuard And tell us what the permissions are (paste em here.)

Since I wrote my message (it's an edited form of the one I sent to the squidGuard mailing list) I have uninstalled that (RPM) version of squidGuard and installed from source. The current version is therefore in /usr/local/squidguard/bin/

It gives me:

[EMAIL PROTECTED] mark]# ls -la /usr/local/squidguard/bin/squidGuard
-rwxr-xr-x 1 squid squid 731596 Jan 11 14:18 /usr/local/squidguard/bin/squidGuard

I have tried changing ownerships and permissions of every file I can think of and followed every guide I can find...

Any help gratefully received...

Thanks again.
Mark
RE: [squid-users] Squid with SquidGuard
Hi Brian,

Suppose you have tried this already, but does squidguard generate its own log files (the logdir directive in squidGuard.conf)? If not, try to

# touch /path/to/logdir/squidGuard.log

make sure the logfile has correct permissions (could be 644 squid:squid in your case) and see if it helps.

Regards,
Tuukka

-----Original Message-----
From: Mark Sansome [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:51 PM
To: Brian E. Conklin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid with SquidGuard

> [EMAIL PROTECTED] mark]# ls -la /usr/local/squidguard/bin/squidGuard
> -rwxr-xr-x 1 squid squid 731596 Jan 11 14:18 /usr/local/squidguard/bin/squidGuard
>
> I have tried changing ownerships and permissions of every file I can think of and followed every guide I can find...
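An added example, not written by anyone in this thread: the `ls -l` and logfile checks suggested above look at one file each, while a service account such as squid also needs search permission on every parent directory. The hypothetical functions `perm_digit` and `first_blocker` below report the first path component whose owner/group/other mode bits deny a given uid/gid; they assume GNU `stat` and an absolute path, and do not evaluate supplementary groups, ACLs or MAC policy.

```shell
#!/bin/sh
# Added example (not from the thread). Evaluates classic owner/group/other
# mode bits only: supplementary groups, ACLs and MAC policy are not considered.
# Assumes an absolute, normalised path (no "..", no trailing slash).

# perm_digit UID GID PATH -> prints the rwx octal digit that applies to UID/GID
perm_digit() {
    info=$(stat -L -c '%a %u %g' -- "$3") || return 2
    set -- "$1" "$2" $info               # $3=mode $4=owner uid $5=owner gid
    m=$(printf '%04d' "$3")              # pad 755 -> 0755 (special,u,g,o)
    rest=${m#?}                          # drop the setuid/setgid/sticky digit
    if [ "$1" -eq "$4" ]; then pd=${rest%??}
    elif [ "$2" -eq "$5" ]; then pd=${rest#?}; pd=${pd%?}
    else pd=${rest#??}
    fi
    echo "$pd"
}

# first_blocker UID GID PATH NEED
#   NEED is the bit wanted on PATH itself: 1=execute, 2=write, 4=read.
#   Every parent directory needs search (x). Prints the first component
#   that fails and returns 1; prints nothing and returns 0 if all pass.
first_blocker() {
    uid=$1 gid=$2 target=$3 need=$4 cur=""
    old_ifs=$IFS; IFS=/; set -f
    set -- $target                       # split the path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ "$cur" = "$target" ]; then want=$need; else want=1; fi
        digit=$(perm_digit "$uid" "$gid" "$cur") || { echo "$cur (cannot stat)"; return 1; }
        if [ $(( digit & want )) -eq 0 ]; then echo "$cur"; return 1; fi
    done
    return 0
}

# Usage: sh helpercheck.sh squid /usr/local/squidguard/bin/squidGuard
if [ "$#" -eq 2 ]; then
    first_blocker "$(id -u "$1")" "$(id -g "$1")" "$2" 1
fi
```

Run it with NEED=2 against the squidGuard log file to check the write permission mentioned in the reply above.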