RE: [squid-users] Quick question
Interesting, so on ext4 (which is what I am using) there's no performance differences between using different numbers?

"Convert your dreams to achievable and realistic goals, this way the journey is satisfying and progressive." - LP

Best regards,
The Geek Guy
Lawrence Pingree
http://www.lawrencepingree.com/resume/
Author of "The Manager's Guide to Becoming Great"
http://www.Management-Book.com

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, August 5, 2014 6:28 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Quick question

> -Original Message-
> From: Lawrence Pingree
>
> I have a 175 gigabyte cache file system. What would be the optimal L1 and L2
> cache dirs allocated for this cache size to perform well?
> On 6/08/2014 11:52 a.m., Lawrence Pingree wrote:
> Anyone?

That depends on the OS filesystem underlying the cache, and the size of objects in it.

The L1/L2 settings matter on FS which have a per-directory limit on inode entries, or need to scan the full list on each file open/stat event (I think that was FAT32, NTFS, maybe ext2, maybe old unix FS). On FS which do not do those two things they are just an admin convenience.

Amos
Re: [squid-users] Quick question
> -Original Message-
> From: Lawrence Pingree
>
> I have a 175 gigabyte cache file system. What would be the optimal L1 and L2
> cache dirs allocated for this cache size to perform well?
> On 6/08/2014 11:52 a.m., Lawrence Pingree wrote:
> Anyone?

That depends on the OS filesystem underlying the cache, and the size of objects in it.

The L1/L2 settings matter on FS which have a per-directory limit on inode entries, or need to scan the full list on each file open/stat event (I think that was FAT32, NTFS, maybe ext2, maybe old unix FS). On FS which do not do those two things they are just an admin convenience.

Amos
RE: [squid-users] Quick question
Anyone?

"Convert your dreams to achievable and realistic goals, this way the journey is satisfying and progressive." - LP

Best regards,
The Geek Guy
Lawrence Pingree
http://www.lawrencepingree.com/resume/
Author of "The Manager's Guide to Becoming Great"
http://www.Management-Book.com

-Original Message-
From: Lawrence Pingree [mailto:geek...@geek-guy.com]
Sent: Monday, August 4, 2014 10:38 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Quick question

I have a 175 gigabyte cache file system. What would be the optimal L1 and L2 cache dirs allocated for this cache size to perform well?

Best regards,
Lawrence Pingree
Author of "The Manager's Guide to Becoming Great"
http://www.Management-Book.com
- sent from my mobile BYOD please excuse any typos
Re: [squid-users] quick question about squid proxy
On Tue, 9 Aug 2011 17:45:10 -0400, Nathan Rice wrote:
> Hello all,
>
> I apologize if I missed this when I was perusing the squid documentation.
> I am looking for caching proxy with the ability to transparently
> authenticate at a remote site on behalf of users. For example, a user
> requests page X, which requires a password; the squid server fetches this
> page on behalf of the user, providing canned credentials when required;
> squid then serves this page to the user without requiring any password.
> Is this possible with squid? If so, could someone kindly point me to the
> relevant section of the documentation?
>
> Thank you,
>
> Nathan Rice

Site credentials are normally restricted very strictly to browser->website communication and the proxy does not take part.

That said, for specific site(s) you can configure an explicit originserver cache_peer link to the web server. Using the login= option to send credentials for all requests down that link.

http://www.squid-cache.org/Doc/config/cache_peer

These are restricted to insecure Basic auth credentials in all squid. Latest releases extend this to include Negotiate/Kerberos auth as mentioned in that doc.

NOTE that in any event the user is never actually authenticated. What goes down the link may in fact be multiple interleaved "users" on the receiving side of Squid. The only thing that type of auth validates is that the request came through your Squid. Be careful.

Amos
Re: [squid-users] Quick question: AuthNTLMUserRequest::authenticate: need to ask helper
On 02/10/10 02:38, Timothy Webb wrote:
> How do I remove myself from the squid list?

Instructions are listed here:
http://www.squid-cache.org/Support/mailing-lists.html#squid-users

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
Re: [squid-users] Quick question: AuthNTLMUserRequest::authenticate: need to ask helper
For a proxy serving 300 users - doesn't seem extreme.

2010/10/01 11:08:48| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:11:09| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:12:27| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:14:14| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:16:15| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:35:52| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:37:26| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:12| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:21| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:33| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:39:10| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 14:22:08| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 14:24:16| AuthNTLMUserRequest::authenticate: need to ask helper

Out of interest is it possible to see the total amount of connecting IPs (or users..) for one day; IPs being unique. So if, at the end of today, I wanted to say 'today there were 60 unique IPs' that used the proxy.. Or is that more a job for Calamaris or other reporter..?

Nick

Squid3.20STABLE, RHEL5.3x86

On 01/10/2010 13:10, "Amos Jeffries" wrote:

>On 01/10/10 23:46, Nick Cairncross wrote:
>> Is the cache.log entry AuthNTLMUserRequest::authenticate: need to ask
>>helper just informational to say a user request has come in and needs to
>>be handed to the ntlm helper?
>>
>> Seems obvious but I just wanted to check…
>
>Yes.
>
>Is it occurring a lot? I'm not sure it should be at that information
>level. It seems to be one of the regular auth actions instead of an
>important problem.
>
>Amos
>--
>Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.8
> Beta testers wanted for 3.2.0.2
Re: [squid-users] Quick question: AuthNTLMUserRequest::authenticate: need to ask helper
On 01/10/10 23:46, Nick Cairncross wrote:
> Is the cache.log entry AuthNTLMUserRequest::authenticate: need to ask
> helper just informational to say a user request has come in and needs to
> be handed to the ntlm helper?
>
> Seems obvious but I just wanted to check…

Yes.

Is it occurring a lot? I'm not sure it should be at that information level. It seems to be one of the regular auth actions instead of an important problem.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
Re: [squid-users] Quick question about squid serving images
Angelo Höngens wrote:
> Run this on your squid machine (example, assuming your squid listens on
> port 80):
>
> squidclient -p 80 -h apacheserver http://domain/image.jpg | head -n 15
>
> Increase or decrease the 'head -n X' value to show all the headers, but
> not to return the binary content.

For future reference, making a HEAD request is probably a better bet...

squidclient -p 80 -h apacheserver -m HEAD http://domain/image.jpg

...as that JUST requests the headers, not the whole object. No need to filter out unwanted binary data.

Chris
Re: [squid-users] Quick question about squid serving images
On 19-11-2009 12:14, NublaII Lists wrote:
> Hi Angelo, and thanks for your answer
>
> I believe I have it set up correctly on the apache side: this is what I get
>
> apache response
>
> HTTP/1.1 200 OK
> Date: Thu, 19 Nov 2009 09:50:25 GMT
> Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
> Last-Modified: Wed, 16 Sep 2009 07:34:31 GMT
> ETag: "83e24a-347a-473acedfa0fc0"
> Accept-Ranges: bytes
> Content-Length: 13434
> Cache-Control: max-age=604800, public
> Expires: Thu, 26 Nov 2009 09:50:25 GMT
> Connection: close
> Content-Type: image/png
>
> And I think squid gets a hit, so I obviously have it configured
> incorrectly, because I still get a hit on the apache logs... Would you
> take a look at it if I post it?
>
> This is the squid response on first hit
>
> HTTP/1.0 200 OK
> Date: Thu, 19 Nov 2009 10:10:25 GMT
> Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
> Last-Modified: Thu, 19 Nov 2009 09:55:07 GMT
> ETag: "9a25a1-497c-478b65aa534c0"
> Accept-Ranges: bytes
> Content-Length: 18812
> Cache-Control: max-age=604800, public
> Expires: Thu, 26 Nov 2009 10:10:25 GMT
> Content-Type: image/jpeg
> X-Cache-Lookup: MISS from squid.example.com:80
> Via: 1.1 squid.example.com:80 (squid/2.7.STABLE6)
> Connection: close
>
> This is the squid response on first hit
>
> HTTP/1.0 200 OK
> Date: Thu, 19 Nov 2009 10:10:25 GMT
> Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
> Last-Modified: Thu, 19 Nov 2009 09:55:07 GMT
> ETag: "9a25a1-497c-478b65aa534c0"
> Accept-Ranges: bytes
> Content-Length: 18812
> Cache-Control: max-age=604800, public
> Expires: Thu, 26 Nov 2009 10:10:25 GMT
> Content-Type: image/jpeg
> X-Cache-Lookup: HIT from squid.example.com:80
> Via: 1.1 squid.example.com:80 (squid/2.7.STABLE6)
> Connection: close
>
> Thanks again

Looks good, the second response via squid looks like a hit. What does the iis log look like?

It could be that squid thinks the object is not fresh, and tries to find out if the object has changed since.

--
With kind regards,

Angelo Höngens
systems administrator
MCSE on Windows 2003
MCSE on Windows 2000
MS Small Business Specialist
--
NetMatch
tourism internet software solutions
Ringbaan Oost 2b
5013 CA Tilburg
+31 (0)13 5811088
+31 (0)13 5821239
a.hong...@netmatch.nl
www.netmatch.nl
--
Re: [squid-users] Quick question about squid serving images
Hi Angelo, and thanks for your answer

I believe I have it set up correctly on the apache side: this is what I get

apache response

HTTP/1.1 200 OK
Date: Thu, 19 Nov 2009 09:50:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
Last-Modified: Wed, 16 Sep 2009 07:34:31 GMT
ETag: "83e24a-347a-473acedfa0fc0"
Accept-Ranges: bytes
Content-Length: 13434
Cache-Control: max-age=604800, public
Expires: Thu, 26 Nov 2009 09:50:25 GMT
Connection: close
Content-Type: image/png

And I think squid gets a hit, so I obviously have it configured incorrectly, because I still get a hit on the apache logs... Would you take a look at it if I post it?

This is the squid response on first hit

HTTP/1.0 200 OK
Date: Thu, 19 Nov 2009 10:10:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
Last-Modified: Thu, 19 Nov 2009 09:55:07 GMT
ETag: "9a25a1-497c-478b65aa534c0"
Accept-Ranges: bytes
Content-Length: 18812
Cache-Control: max-age=604800, public
Expires: Thu, 26 Nov 2009 10:10:25 GMT
Content-Type: image/jpeg
X-Cache-Lookup: MISS from squid.example.com:80
Via: 1.1 squid.example.com:80 (squid/2.7.STABLE6)
Connection: close

This is the squid response on first hit

HTTP/1.0 200 OK
Date: Thu, 19 Nov 2009 10:10:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch
Last-Modified: Thu, 19 Nov 2009 09:55:07 GMT
ETag: "9a25a1-497c-478b65aa534c0"
Accept-Ranges: bytes
Content-Length: 18812
Cache-Control: max-age=604800, public
Expires: Thu, 26 Nov 2009 10:10:25 GMT
Content-Type: image/jpeg
X-Cache-Lookup: HIT from squid.example.com:80
Via: 1.1 squid.example.com:80 (squid/2.7.STABLE6)
Connection: close

Thanks again
Re: [squid-users] Quick question about squid serving images
Angelo Höngens wrote:
> On 19-11-2009 9:46, NublaII Lists wrote:
> > I have squid configured (working on it ;)) as a reverse proxy.
> >
> > My understanding (and I can be wrong) is that once I request an image,
> > next requests for that image will not reach the web server in any way
> > until it expires, either manually or reaches end of life... is that
> > correct?
>
> If you would have configured everything correctly, yes..
>
> > I am asking because I can see on my apache logs a ton of hits on
> > images that squid should be caching, and still arrive to the www
> > server, so either I don't have it configured properly or I don't
> > really understand how squid works on reverse proxy mode ;)
>
> It should work like you say, but either squid is not configured
> correctly, or the application tells squid not to cache.
>
> Squid decides what it can cache, based on the response headers from the
> apache application. Post those headers. The squidclient tool is really
> useful.
>
> Run this on your squid machine (example, assuming your squid listens on
> port 80):
>
> squidclient -p 80 -h apacheserver http://domain/image.jpg | head -n 15
>
> Increase or decrease the 'head -n X' value to show all the headers, but
> not to return the binary content.
>
> It should return something like this:
>
> HTTP/1.1 200 OK
> Cache-Control: public
> Content-Type: image/jpeg
> Expires: Thu, 19 Nov 2009 09:08:51 GMT
> Last-Modified: Thu, 19 Nov 2009 04:51:23 GMT
> Server: Microsoft-IIS/7.0
> X-AspNet-Version: 2.0.50727
> X-Powered-By: ASP.NET
> Date: Thu, 19 Nov 2009 08:54:51 GMT
> Connection: close
> Content-Length: 2845
>
> Based on these response headers, Squid decides to cache or not.
> Particularly interesting is the 'Cache-Control' header. From there on,
> google further ;)

The tool provided by Yahoo! at http://www.redbot.org or the IRCache cacheability engine provide useful reports for identifying what a proxy can and cannot do with any given public URL.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
Re: [squid-users] Quick question about squid serving images
On 19-11-2009 9:46, NublaII Lists wrote:
> I have squid configured (working on it ;)) as a reverse proxy.
>
> My understanding (and I can be wrong) is that once I request an image,
> next requests for that image will not reach the web server in any way
> until it expires, either manually or reaches end of life... is that
> correct?

If you would have configured everything correctly, yes..

> I am asking because I can see on my apache logs a ton of hits on
> images that squid should be caching, and still arrive to the www
> server, so either I don't have it configured properly or I don't
> really understand how squid works on reverse proxy mode ;)

It should work like you say, but either squid is not configured correctly, or the application tells squid not to cache.

Squid decides what it can cache, based on the response headers from the apache application. Post those headers. The squidclient tool is really useful.

Run this on your squid machine (example, assuming your squid listens on port 80):

squidclient -p 80 -h apacheserver http://domain/image.jpg | head -n 15

Increase or decrease the 'head -n X' value to show all the headers, but not to return the binary content.

It should return something like this:

HTTP/1.1 200 OK
Cache-Control: public
Content-Type: image/jpeg
Expires: Thu, 19 Nov 2009 09:08:51 GMT
Last-Modified: Thu, 19 Nov 2009 04:51:23 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 19 Nov 2009 08:54:51 GMT
Connection: close
Content-Length: 2845

Based on these response headers, Squid decides to cache or not. Particularly interesting is the 'Cache-Control' header. From there on, google further ;)

--
With kind regards,

Angelo Höngens
systems administrator
MCSE on Windows 2003
MCSE on Windows 2000
MS Small Business Specialist
--
NetMatch
tourism internet software solutions
Ringbaan Oost 2b
5013 CA Tilburg
+31 (0)13 5811088
+31 (0)13 5821239
a.hong...@netmatch.nl
www.netmatch.nl
--
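As an added example (not code from the thread or from Squid), the following Python reads a header block of the kind squidclient prints and reports what a shared cache may do with it: whether it is storable, the explicit freshness lifetime, and which validators allow a revalidation request. It applies the general HTTP caching rules only; Squid additionally applies its own configuration such as refresh_pattern. The first two samples copy headers quoted in this thread, the third is constructed.

```python
from email.utils import parsedate_to_datetime

# Headers copied from responses quoted in this thread (trimmed to relevant fields).
IIS_SAMPLE = """HTTP/1.1 200 OK
Cache-Control: public
Content-Type: image/jpeg
Expires: Thu, 19 Nov 2009 09:08:51 GMT
Last-Modified: Thu, 19 Nov 2009 04:51:23 GMT
Date: Thu, 19 Nov 2009 08:54:51 GMT
Content-Length: 2845
"""

APACHE_SAMPLE = """HTTP/1.1 200 OK
Date: Thu, 19 Nov 2009 09:50:25 GMT
Last-Modified: Wed, 16 Sep 2009 07:34:31 GMT
ETag: "83e24a-347a-473acedfa0fc0"
Cache-Control: max-age=604800, public
Expires: Thu, 26 Nov 2009 09:50:25 GMT
Content-Type: image/png
"""

# Constructed sample: a response the origin marks as per-user.
PRIVATE_SAMPLE = """HTTP/1.1 200 OK
Date: Thu, 19 Nov 2009 09:50:25 GMT
Cache-Control: private, max-age=60
Content-Type: text/html
"""


def parse_response(raw):
    """Split a raw header block into (status line, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def cache_control(headers):
    """Return Cache-Control directives as {name: value or ''}."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key.lower()] = value.strip().strip('"')
    return directives


def shared_cache_verdict(raw):
    """Summarise what a shared cache (such as a reverse proxy) may do."""
    _, headers = parse_response(raw)
    cc = cache_control(headers)
    validators = [h for h in ("etag", "last-modified") if h in headers]
    result = {"storable": True, "lifetime": None, "source": None,
              "validators": validators}

    # no-store and private both forbid storage in a shared cache.
    for blocker in ("no-store", "private"):
        if blocker in cc:
            result.update(storable=False, source="Cache-Control: " + blocker)
            return result

    # Explicit lifetime: s-maxage beats max-age, which beats Expires - Date.
    for name in ("s-maxage", "max-age"):
        if cc.get(name, "").isdigit():
            result.update(lifetime=int(cc[name]), source="Cache-Control: " + name)
            return result
    if "expires" in headers and "date" in headers:
        try:
            delta = (parsedate_to_datetime(headers["expires"])
                     - parsedate_to_datetime(headers["date"]))
            result.update(lifetime=max(int(delta.total_seconds()), 0),
                          source="Expires - Date")
        except (TypeError, ValueError):
            # An unparseable Expires value is treated as already expired.
            result.update(lifetime=0, source="unparseable Expires")
        return result

    result["source"] = "no explicit lifetime (cache falls back to heuristics)"
    return result


if __name__ == "__main__":
    for label, raw in (("IIS", IIS_SAMPLE), ("Apache", APACHE_SAMPLE),
                       ("private", PRIVATE_SAMPLE)):
        print(label, shared_cache_verdict(raw))
```

A short lifetime combined with a validator, as in the IIS sample, means the origin will still see conditional requests once the object goes stale.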
Re: [squid-users] Quick question on using squid as a reverse proxy
On Fri, Apr 25, 2008 at 04:05:19PM -0400, Steven Pfister wrote:
>
> Does Apache + mod_security allow reverse proxying to https servers? The
> server is using both http and https currently, and I don't know enough
> about the actual server to know if doing everything over http is feasible.

Apache supports SSL just fine in any direction. You should google or ask more in Apache lists.

> Does squid do reverse proxying for https servers? Does it have anything
> like mod_security? I've read a little about squidguard... is that
> something I want to look at?

If you want to do anything more "serious" than checking for URLs, you need mod_security, it has lots of ready rules if you are not able to come up with your own. SquidGuard is nothing more than a URL blocker. Squid cannot do anything more than simple checks on URL or headers.
Re: [squid-users] Quick question on using squid as a reverse proxy
On Fri 2008-04-25 at 09:51 -0400, Steven Pfister wrote:

> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

Squid checks that the request is a properly formed HTTP request, which stops a large number of bad things, but not all.

Additionally you can apply several types of ACLs to further restrict the forwarded traffic based on

- method
- requested URL (pattern)
- HTTP request headers (pattern)

Regards
Henrik
Re: [squid-users] Quick question on using squid as a reverse proxy
Does Apache + mod_security allow reverse proxying to https servers? The server is using both http and https currently, and I don't know enough about the actual server to know if doing everything over http is feasible.

Does squid do reverse proxying for https servers? Does it have anything like mod_security? I've read a little about squidguard... is that something I want to look at?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]

>>> Henrik K <[EMAIL PROTECTED]> 4/25/2008 10:15 AM >>>
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy. Exactly made for that purpose.
Re: [squid-users] Quick question on using squid as a reverse proxy
Steven Pfister wrote:
> Besides taking away direct access to the webserver (and any vulnerabilities
> it may have) and providing some caching for static content, what are some
> other advantages of using squid this way? I'm trying to help put together a
> security recommendation.
>

Squid can terminate an SSL connection and then speak HTTP to the real server, allowing you to secure the outside access without having to SSL-enable all inside access. If you do this with multiple servers, you can use a single wildcard SSL certificate on the squid box to cover all your inside servers, which saves money. We do this.

--
begin:vcard
fn:Ben Hollingsworth
n:Hollingsworth;Ben
org:BryanLGH Medical Center;Information Technology
adr:;;1600 S. 48th St.;Lincoln;NE;68506-1275;USA
email;internet:[EMAIL PROTECTED]
title:Systems Programmer
tel;work:402-481-8582
tel;fax:402-481-8354
url:http://www.bryanlgh.org
version:2.1
end:vcard
Re: [squid-users] Quick question on using squid as a reverse proxy
Thank you... I'll definitely check into that. Is there any where that lists a minimum hardware spec for using Apache that way?

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]

>>> Henrik K <[EMAIL PROTECTED]> 4/25/2008 10:15 AM >>>
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy. Exactly made for that purpose.
Re: [squid-users] Quick question on using squid as a reverse proxy
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy. Exactly made for that purpose.
RE: [squid-users] Quick question about an cache.log issue
> Thanks Amos, the tool (http://squid.treenet.co.nz/cf.check/) was very
> ... enlightening. I think this squid newbie will work through some
> of the errors and warnings before I post back. :)
>

It's new code and still undergoing some extensions. Some items listed as 'not present version X' actually are present, but have not had checks added to the tool yet. Also, some ACL logics are beyond its ability to discern for now.

So I still like to check the output manually and both fix it and give you slightly better feedback than it would.

Amos
RE: [squid-users] Quick question about an cache.log issue
Thanks Amos, the tool (http://squid.treenet.co.nz/cf.check/) was very ... enlightening. I think this squid newbie will work through some of the errors and warnings before I post back. :)

Thanks
Eric Young

-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: Monday, November 05, 2007 3:33 PM
To: Eric Young
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Quick question about an cache.log issue

> In my cache.log I am getting
>

Looks to me like:

> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is DENIED,
> because it matched 'password'

someone forgot their password. or browsers first request for the item.

> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'password'

remembered password, or browser passed it on this time.

> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'all'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> In my conf I only see two lines that have password in them
>
> # Use domain authentication (-G for domain global group)
>
> external_acl_type win_domain_group ttl=120 %LOGIN
> e:/squid/libexec/mswin_check_lm_group.exe -G
>
> # Users must be in the ProxyUsers group in AD (individual users no
> groups)
>
> acl ProxyUsers external win_domain_group ProxyAccess
>
> acl NoProxyUsers external win_domain_group NoProxyAccess
>
> # Require password for user account
>
> acl password proxy_auth REQUIRED
>
> http_access allow password ProxyUsers
>
> Do I have conflicting lines in my conf that would cause this behavior or
> are these normal entries for cache.log?

Everything in cache.log is normal for cache.log. Whether they are normal entries under your configuration is a more knotty question.

Without knowing the rest of the squid.conf we can't answer whether any of the unknown lines are conflicting. The one access line you have listed could only cause:

- allowed because of 'ProxyUsers'
- denied because of 'ProxyUsers'

give http://squid.treenet.co.nz/cf.check/ a post me the Ref:.

Amos
Re: [squid-users] Quick question about an cache.log issue
> In my cache.log I am getting
>

Looks to me like:

> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is DENIED,
> because it matched 'password'

someone forgot their password. or browsers first request for the item.

> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'password'

remembered password, or browser passed it on this time.

> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED,
> because it matched 'all'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'password'
>
> 2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED,
> because it matched 'ProxyUsers'
>
> In my conf I only see two lines that have password in them
>
> # Use domain authentication (-G for domain global group)
>
> external_acl_type win_domain_group ttl=120 %LOGIN
> e:/squid/libexec/mswin_check_lm_group.exe -G
>
> # Users must be in the ProxyUsers group in AD (individual users no
> groups)
>
> acl ProxyUsers external win_domain_group ProxyAccess
>
> acl NoProxyUsers external win_domain_group NoProxyAccess
>
> # Require password for user account
>
> acl password proxy_auth REQUIRED
>
> http_access allow password ProxyUsers
>
> Do I have conflicting lines in my conf that would cause this behavior or
> are these normal entries for cache.log?

Everything in cache.log is normal for cache.log. Whether they are normal entries under your configuration is a more knotty question.

Without knowing the rest of the squid.conf we can't answer whether any of the unknown lines are conflicting. The one access line you have listed could only cause:

- allowed because of 'ProxyUsers'
- denied because of 'ProxyUsers'

give http://squid.treenet.co.nz/cf.check/ a post me the Ref:.

Amos
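As an added example (not part of the thread or of Squid), this Python tallies ACL-debug lines of the kind quoted above by verdict and matched ACL, and lists targets whose requests were denied with no later allow, which separates a completed authentication round trip from a client that never got through. The sample log is constructed: the cp.slalom.com lines follow the format in the post, unwrapped to one line each, and the intranet.example lines are invented.

```python
import re
from collections import Counter, defaultdict

# One ACL-debug entry per line, in the format shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s+"
    r"The (?P<kind>request|reply for)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+"
    r"is (?P<verdict>ALLOWED|DENIED),\s+because it matched '(?P<acl>[^']+)'"
)

# Constructed sample log (see the note above the block).
SAMPLE = """\
2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is DENIED, because it matched 'password'
2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED, because it matched 'password'
2007/11/05 09:23:42| The request GET http://cp.slalom.com/ is ALLOWED, because it matched 'ProxyUsers'
2007/11/05 09:23:42| The reply for GET http://cp.slalom.com/ is ALLOWED, because it matched 'all'
2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED, because it matched 'password'
2007/11/05 09:23:42| The reply for CONNECT cp.slalom.com:443 is ALLOWED, because it matched 'password'
2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is DENIED, because it matched 'password'
2007/11/05 09:23:42| The request CONNECT cp.slalom.com:443 is ALLOWED, because it matched 'ProxyUsers'
2007/11/05 09:24:10| The request GET http://intranet.example/ is DENIED, because it matched 'password'
2007/11/05 09:24:11| The request GET http://intranet.example/ is DENIED, because it matched 'password'
"""


def parse(text):
    """Return one dict per recognised ACL-debug line, in file order."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # other cache.log lines are ignored
        event = match.groupdict()
        event["kind"] = "request" if event["kind"] == "request" else "reply"
        events.append(event)
    return events


def tally(events):
    """Count entries per (kind, verdict, matched ACL)."""
    return Counter((e["kind"], e["verdict"], e["acl"]) for e in events)


def per_target(events):
    """Per (method, target): request denials, allows, and denials since the last allow.

    Assumption: entries are processed in file order and are not split per
    client, because the log lines carry no client address.
    """
    stats = defaultdict(lambda: {"denied": 0, "allowed": 0, "trailing_denials": 0})
    for e in events:
        if e["kind"] != "request":
            continue
        s = stats[(e["method"], e["target"])]
        if e["verdict"] == "DENIED":
            s["denied"] += 1
            s["trailing_denials"] += 1
        else:
            s["allowed"] += 1
            s["trailing_denials"] = 0
    return dict(stats)


def unresolved(events):
    """Targets whose most recent requests were denied and never allowed afterwards."""
    return {key: s["trailing_denials"]
            for key, s in per_target(events).items() if s["trailing_denials"]}


if __name__ == "__main__":
    evts = parse(SAMPLE)
    for key, count in sorted(tally(evts).items()):
        print(count, *key)
    print("unresolved:", unresolved(evts))
```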
Re: [squid-users] Quick question about dynamic delay pools - current status
On Wed 2006-02-15 at 16:37 +0200, laurentiu r wrote:
> Hi everyone,
> Just a quick question about the dynamic delay pools. Apologies if it
> has been asked before - it must have been - but I've looked into the
> mail archives and didn't seem to find indication as to what's the
> current status in this matter.
>
> I saw that at some point there was a fuss on this list about a patch
> for making the delay pools 'dynamic', in the sense that a pool with
> high a traffic rate could borrow unused bandwidth from other delay
> pools. And some suggestions were made to developers (Henrik Nordstrom)
> to include the patch in the official releases.
>
> Well, has it been included? Is it in the 2.5Stable12 version? If not,
> what's the way to go for those who need to enable dynamic delay pools
> in Squid?

It has not been included as no patch has been submitted by its authors to the Squid developers.

Note: Squid-2.5 is feature frozen, so to get included the patch needs to be for Squid-3 (what will become Squid-3.0).

The delay pools in Squid-3 has been reworked quite a bit, but I am at this stage not sure if a functionality similar to the dynamic delay pools is available as I have not been involved in this part of Squid-3. But you (or others) are very welcome to start playing with Squid-3 in your labs to try out all the new cool features. Just don't do it on your production servers as there still is a bit to go for a production release of Squid-3.0.

Regards
Henrik
Re: [squid-users] Quick question
Simon Bryan wrote:
>
> Hi all,
> If I have two delay pools setup and a request does not match any of the acls
> for either pool what happens to that request?

It is not delayed.

Regards
Henrik