Re: [squid-users] Squid with squidguard

2018-04-26 Thread Alex K
Thank you Amos for the feedback.

I did see an example online using ACL and that tricked me.
Removing the allow line, now squid is logging that squidguard is started
(though no squidguard processes are listed, it could be due to that I have
not tested yet with actual traffic)

I will check also ufdbguard as it seems promising.

Thanx,
Alex

On Thu, Apr 26, 2018 at 4:02 AM, Amos Jeffries  wrote:

> On 25/04/18 23:44, Alex K wrote:
> > Hi all,
> >
> > I was using a squid (3.1.20) + squidguard setup (to filter out several
> > site categories) on Debian 7 and the setup worked. The squidguard was
> > invoked from squid.conf as below:
> >
> > redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > redirect_children 7
> >
> > I am now testing the setup on Debian 9 (with squid 3.5.23) with the
> > following lines in squid.conf:
> >
> > url_rewrite_access allow
>
> There are no ACLs on the above line. So it cannot match anything. The
> implicit default applies instead. Implicit default after any "allow"
> line is "deny all".
>
> Also, you did not configure any allow/deny previously. So why add it now?
>
> > url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > url_rewrite_children 5
> >
> > But I get at squid logs:
> >
> > 2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard'
> > processes
> > 2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes
> > needed.
>
> No traffic is allowed to go to the helper. So no SG processes necessary.
> Squid is correct.
>
>
> >
> > Seems that squid is ignoring and not starting squidguard.
> > I have read also some have mentioned that squidguard is not maintained
> > anymore.
> >
> > Any idea on the above?
> > Any better alternative to squidguard that you recommend?
>
> ufdbguard is much better than the outdated and no longer maintained
> SquidGuard (but is not packaged on Debian).
>
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


Re: [squid-users] Squid with squidguard

2018-04-25 Thread Amos Jeffries
On 25/04/18 23:44, Alex K wrote:
> Hi all,
> 
> I was using a squid (3.1.20) + squidguard setup (to filter out several
> site categories) on Debian 7 and the setup worked. The squidguard was
> invoked from squid.conf as below:
> 
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> redirect_children 7
> 
> I am now testing the setup on Debian 9 (with squid 3.5.23) with the
> following lines in squid.conf:
> 
> url_rewrite_access allow

There are no ACLs on the above line. So it cannot match anything. The
implicit default applies instead. Implicit default after any "allow"
line is "deny all".

Also, you did not configure any allow/deny previously. So why add it now?

> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 5
> 
> But I get at squid logs:
> 
> 2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard'
> processes
> 2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes
> needed.

No traffic is allowed to go to the helper. So no SG processes necessary.
Squid is correct.


> 
> Seems that squid is ignoring and not starting squidguard.
> I have read also some have mentioned that squidguard is not maintained
> anymore.
> 
> Any idea on the above?
> Any better alternative to squidguard that you
> recommend?

ufdbguard is much better than the outdated and no longer maintained
SquidGuard (but is not packaged on Debian).

Amos
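
The rule discussed in this thread (an access line with no ACL names matches nothing, and the implicit default is the opposite of the last line) can be checked mechanically. The following is an added example, not code from the posters or from the Squid project; the function names are hypothetical and the sample configurations are constructed from the lines quoted above.

```python
import re

# Matches any "<name>_access allow|deny [acl ...]" directive.
ACCESS_RE = re.compile(r"^(\w+_access)\s+(allow|deny)\b\s*(.*)$")


def parse_access_rules(conf_text):
    """Map each *_access directive to its ordered (line_no, action, acls) rules."""
    rules = {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = ACCESS_RE.match(line)
        if m:
            name, action, rest = m.groups()
            rules.setdefault(name, []).append((no, action, rest.split()))
    return rules


def rewrite_default(rule_list):
    """Implicit verdict for url_rewrite_access when no line matches.

    With no lines at all, every request is sent to the helper. Otherwise
    the implicit default is the opposite of the last line's action.
    """
    if not rule_list:
        return "allow"
    return "deny" if rule_list[-1][1] == "allow" else "allow"


def helper_reachable(conf_text):
    """True if at least some traffic can be passed to the rewrite helper."""
    rule_list = parse_access_rules(conf_text).get("url_rewrite_access", [])
    explicit = any(action == "allow" and acls for _, action, acls in rule_list)
    return explicit or rewrite_default(rule_list) == "allow"


def audit(conf_text):
    """Return (line_no, message) findings; line 0 means a whole-file finding."""
    findings = []
    for name, rule_list in parse_access_rules(conf_text).items():
        for no, action, acls in rule_list:
            if not acls:
                findings.append(
                    (no, f"{name} {action} has no ACL names and can never match"))
    has_helper = re.search(r"^\s*url_rewrite_program\s+\S", conf_text, re.M)
    if has_helper and not helper_reachable(conf_text):
        findings.append(
            (0, "url_rewrite_program is set but no request can reach it"))
    return findings


# Constructed from the squid.conf lines quoted in this thread.
BROKEN = """\
url_rewrite_access allow
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
"""

# Same configuration with the "allow" line removed.
FIXED = """\
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "helper reachable:", helper_reachable(conf))
        for line_no, message in audit(conf):
            print(f"  line {line_no}: {message}")
```

A finding on the broken sample corresponds to the "Starting 0/5 'squidGuard' processes" log line: a filter that is configured but unreachable filters nothing.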


Re: [squid-users] squid and squidGuard redirect

2017-11-08 Thread Marcus Kool

Hi Vieri,

I suggest to replace squidGuard with ufdbGuard.
Then you can set
   ufdb-debug-filter 1
or
   ufdb-debug-filter 2  # very verbose
in ufdbGuard.conf and see exactly what happens.

Note that squidguard has no maintenance for over 5 years and ufdbGuard has 
regular maintenance.

Marcus


On 08/11/17 12:23, Vieri wrote:

Hi,

I have this in my SG config:

acl {
default {
pass allowed !disallowed all
redirect http://squidserver/proxy-error/
}
}

From a LAN client browser I can access and display the page at 
http://squidserver/proxy-error/ (direct access).

However, when SG is triggered and should send that redirect to the client 
browser, the client times out after a while, and displays Squid's 
ERR_CONNECT_FAIL with squidserver's IP address in the details.

I don't see anything useful in both Squid and SquidGuard's logs.

What could I try?

Thanks,

Vieri


RE: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Rafael Akchurin
Hello Kaya,

May I recommend to try using qlproxy together with your Squid? 
Qlproxy is an ICAP web filtering which may in your particular case do better as 
Squid Guard. At least you may give it a try to compare if the disk io goes down.

Best regards,
Raf

-Original Message-
From: Kaya Saman [mailto:kayasa...@gmail.com] 
Sent: Saturday, November 09, 2013 4:58 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid and Squidguard using high disk IO

Hi,

I'm wondering if anyone has any ideas on this one.

Basically I have created a standard Squid proxy using Squid 3.3.8 built from 
OpenBSD ports - OS version is OpenBSD 5.4 Current.

Additionally from ports as well I have installed squidGuard 1.4p6.


The configuration seems ok as everything is working; the acls setup in 
squidGuard are redirecting to the proper blocked page when unwanted 
information is embedded in a site: eg. ads, p%rn.

Here is the rule list:

dest ads {
    domainlist blacklists/ads/domains
    urllist    blacklists/ads/urls
}

dest adv {
    domainlist blacklists/adv/domains
    urllist    blacklists/adv/urls
}

dest spyware {
    domainlist blacklists/spyware/domains
    urllist    blacklists/spyware/urls
}

dest porn {
    domainlist     blacklists/porn/domains
    urllist        blacklists/porn/urls
    expressionlist blacklists/porn/expressions
    # Logged info is anonymized to protect users' privacy
    log anonymous  dest/porn.log
}

acl {
    lan {
        # The built-in 'in-addr' destination group matches any IP address.
        pass !ads !adv !porn all
    }
    default {
        # Default deny to reject unknown clients
        pass none
        redirect http://127.0.0.1/blocked.html
    }
}

I removed the spyware option from the 'lan' acl as I'm trying to debug 
currently

squidGuard is called by Squid using these lines in the squid.conf:

# Path to the redirector program
url_rewrite_program   /usr/local/bin/squidGuard

# Number of redirector processes to spawn
url_rewrite_children  500

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_access deny  localhost


The issue I'm currently seeing is that the disk IO process is hammered???

The 'lan' clients are therefore unable to access the web through the proxy.

Running 'top' and 'ps' I can see that squidGuard has spawned many processes 
which seems to be causing the high IO usage.

The systems' hardware is quite powerful with 8GB RAM and a Xeon E5 CPU @3.6GHz, 
currently being tested with 3x lan machines.


What can I do to improve performance with this?


Is this line too high: url_rewrite_children  500

or simply have a misconfigured something?


I additionally have 'c-icap' running with squidclamav coupled to clamd 
in case that is of importance - not using the squidGuard line in the 
squidclamav.conf file!!!

Basically how can I get the IO usage down and get the system to work again?

- the logs don't indicate anything outside of 'starting squidGuard 
process' many times.


Regards,


Kaya



Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Eliezer Croitoru

Hey,

Notes inside.

On 11/09/2013 05:58 PM, Kaya Saman wrote:

> What can I do to improve performance with this?
>
> Is this line too high: url_rewrite_children  500

YES!!

> or simply have a misconfigured something?
>
> I additionally have 'c-icap' running with squidclamav coupled to clamd
> in case that is of importance - not using the squidGuard line in the
> squidclamav.conf file!!!
>
> Basically how can I get the IO usage down and get the system to work again?

For how many users exactly?
Just a note that I am not in a favor of any OS by default but I would 
feel better Using Linux.

> - the logs don't indicate anything outside of 'starting squidGuard
> process' many times.

The basic assumption of using 500 child process is that you have at least 
100 CPUs.

SquidGuard was designed for performance which is lots of urls per sec.
It can be tested just to clear the point out.
For example in a rate of 1500k requests per second you should not have a 
need in more than 40-50 children.
In practice it works a bit different speed since there is a speed limit 
on STDIN and STDOUT which slows down the speed of squid and squidguard 
communication blocking the whole squid instance(in a way).


If you need basic url filtering you can use ICAP which has an option to 
run as a standalone service outside of squid settings and machine.


I have written in the past a small ICAP service for the favor of 
requests manipulation and filtering.
I have never finished it in a level I was happy with but the basic code 
can be seen here:

https://github.com/elico/echelon

I know for a fact that ICAP interface adds concurrency by the nature 
of it using TCP.


This is not the place to ask about concurrency in squidguard which can 
allow the usage of square less processes(children) for more requests.


In order to find the right number of children start with 40 and see if 
it fits you and then see what is the bottleneck in the whole setup.


Eliezer


Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Kaya Saman

On 11/09/2013 05:04 PM, Rafael Akchurin wrote:

> Hello Kaya,
>
> May I recommend to try using qlproxy together with your Squid?
> Qlproxy is an ICAP web filtering which may in your particular case do better as
> Squid Guard. At least you may give it a try to compare if the disk io goes down.
>
> Best regards,
> Raf

I'll take a look at it - thanks!

I was also thinking about using Adzapper but I'll do more reading and 
figure out which is the best one for my setup.

> > Is this line too high: url_rewrite_children 500
> YES!!

Oops the guide I was working from suggested that.

> > Basically how can I get the IO usage down and get the system to work
> > again?
>
> For how many users exactly?
> Just a note that I am not in a favor of any OS by default but I would
> feel better Using Linux.

At the moment I'm just testing with one user! Using sqtop I can see that 
there are 30+ connections being passed to Squid.

But overall this runs on my main router; hence I can't use Linux due to 
the fact that the router is running OpenBSD and needs some special stuff 
from the OS.

> In order to find the right number of children start with 40 and see if
> it fits you and then see what is the bottle neck in the whole setup.
>
> Eliezer


I tried 5 and it was a bit better but not too much I just cranked it 
up to 40 now.


I also disabled DNS lookups from squidclamav.conf which seems to have 
helped a bit though still am experiencing issues. :-(



As mentioned above I am thinking of running Adzapper and then chaining 
squidGuard on that; though it might just be squidclamav that's causing 
this???


The issue seems to get resolved after stopping Squid, then killing the 
remaining squidguard processes so it's really confusing as to where to 
look for the bottleneck.


Regards,


Kaya










Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Kaya Saman

Just found this in Squid cache log:

2013/11/09 19:28:25 kid1| /var/squid/cache/04/7A: (24) Too many open files
2013/11/09 19:31:31 kid1| WARNING: All 20/20 redirector processes are busy.
2013/11/09 19:31:31 kid1| WARNING: 20 pending requests queued
2013/11/09 19:31:31 kid1| WARNING: Consider increasing the number of redirector processes in your config file.



The cache size is 2GB though that shouldn't affect performance as 
far as I understand.






Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Loïc BLOT
Hello Kaya,
first, don't forget to look at sysctl kern.maxfiles values.
Also improve daemon FD values in login.conf for squid. Don't forget each
connection is a FD (1 connection for the client, 1 for the transaction
to remote site, some for the caching).

Also to improve performances of squidguard, I stored all blacklists DB
to a memory fs (mfs); this massively improves squidguard performance.
I have written an article to improve squid perfs on OpenBSD:
http://www.unix-experience.fr/2013/monter-un-proxy-cache-performant-avec-squid-et-openbsd/



-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr
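
The cache.log lines quoted in these threads can be triaged automatically so that the earliest failure is looked at first. The following is an added example, not code from any of the posters or from Squid; the function names and finding labels are hypothetical, and the samples are the log lines quoted on this page, kept with the line wrapping the mail archive introduced.

```python
import re

# Squid cache.log prefix: "YYYY/MM/DD HH:MM:SS kidN| message"
STAMP = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (kid\d+)\| (.*)$")

# (pattern, finding kind, what the replies in the thread suggest checking)
RULES = [
    (re.compile(r"helperOpenServers: Starting 0/(\d+) '([^']+)' processes"),
     "helper_not_started",
     "no traffic is allowed to reach the helper; review url_rewrite_access"),
    (re.compile(r"\(24\) Too many open files"),
     "fd_exhaustion",
     "check sysctl kern.maxfiles and the daemon FD values in login.conf"),
    (re.compile(r"WARNING: All (\d+)/(\d+) (\w+) processes are busy"),
     "helpers_saturated",
     "find the bottleneck before changing url_rewrite_children"),
    (re.compile(r"WARNING: (\d+) pending requests queued"),
     "requests_queued",
     "requests are waiting on the rewrite helpers"),
]


def records(log_text):
    """Yield (timestamp, kid, message), re-joining lines split by mail wrapping."""
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAMP.match(line)
        if m:
            if current:
                yield tuple(current)
            current = list(m.groups())
        elif current:
            # No timestamp: continuation of the previous log record.
            current[2] += " " + line
    if current:
        yield tuple(current)


def triage(log_text):
    """Return one finding dict per log record that matches a rule."""
    findings = []
    for stamp, kid, msg in records(log_text):
        for pattern, kind, hint in RULES:
            m = pattern.search(msg)
            if m:
                findings.append({"time": stamp, "kid": kid, "kind": kind,
                                 "values": m.groups(), "hint": hint})
                break
    return findings


def first_cause(findings):
    """Kind of the earliest finding (timestamps sort lexicographically)."""
    return min(findings, key=lambda f: f["time"])["kind"] if findings else None


# Log lines as quoted in the 2013 thread (wrapped as in the e-mail).
SAMPLE_2013 = """\
2013/11/09 19:28:25 kid1| /var/squid/cache/04/7A: (24) Too many open files
2013/11/09 19:31:31 kid1| WARNING: All 20/20 redirector processes are busy.
2013/11/09 19:31:31 kid1| WARNING: 20 pending requests queued
2013/11/09 19:31:31 kid1| WARNING: Consider increasing the number of
redirector processes in your config file.
"""

# Log lines as quoted in the 2018 thread (wrapped as in the e-mail).
SAMPLE_2018 = """\
2018/04/24 12:06:57 kid1| helperOpenServers: Starting 0/5 'squidGuard'
processes
2018/04/24 12:06:57 kid1| helperOpenServers: No 'squidGuard' processes
needed.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_2013, SAMPLE_2018):
        found = triage(sample)
        print("first cause:", first_cause(found))
        for f in found:
            print(f"  {f['time']} {f['kind']}: {f['hint']}")
```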





Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Marcus Kool
On Sat, Nov 09, 2013 at 11:16:12PM +0100, Loïc BLOT wrote:
> Hello Kaya,
> first, don't forget to look at sysctl kern.maxfiles values.
> Also improve daemon FD values in login.conf for squid. Don't forget each
> connection is a FD (1 connection for the client, 1 for the transaction
> to remote site, some for the caching).
>
> Also to improve performances of squidguard, I stored all blacklists DB
> to a memory fs (mfs); this massively improves squidguard performance.

If the disk I/O is really the bottleneck, consider ufdbGuard.
ufdbGuard loads the URL database in memory and easily does
25,000 URL lookups/sec, much more than you will ever need.

Marcus





Re: [squid-users] Squid and Squidguard using high disk IO

2013-11-09 Thread Kaya Saman

Thanks so much for all the advice and responses :-)

I decided to try Dansguardian.

Currently I have a working model setup though it needs a bit of tuning 
and tweaking but good news is that I am using the SquidGuard blacklists 
so all is pretty much good!!



Have been testing; performance is phenomenal though sometimes when Squid 
can't connect to a site properly in order to populate the cache etc... 
the pages might need a bit of refreshing however, I consider those as 
just teething problems.



So yeah NET - NAT - Squid + c-icap + Clamd - Dansguardian - PF 
is how things look like now :-)



Regards,


Kaya








Re: [squid-users] Squid and Squidguard.

2013-06-13 Thread Beto Moreno
Guys thanks for sharing your knowledge, u clear my mind :-)

On Wed, Jun 12, 2013 at 8:40 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 13/06/2013 3:23 a.m., Beto Moreno wrote:

 Hi.

 Guys I have small experience with squid, now need to learn how to use
 squidguard.

 My doubts are:

 1) U have squidrunning with your ACL, groups, users and rules, once u
 setup squidguard what is order?
 squid - rules them squidguard - rules or
 squidguard rules them squid - rules?


 Squidguard is a separate programs.

 * Squid ACLs determine whether a transaction is processed, and how that
 processing is performed.
 * Squidguard ACLs determine whether or not Squidguard tells Squid to alter
 the URL mid-transaction. Nothing more.

 All ACLs in both are run. Squid main http_access, adaptation systems and
 url_rewrite_access ACLs are run before squidguard. The url_rewrite_access
 ACLs determine whether squidguard is used *at all*. squidguard is contacted
 and does its thing. Then the remainder of the Squid ones are run depending
 on whether they need to on the new URL.


 2) Squidguard is a URL redirector, them squid ACL stuff will continue
 working?


 Yes.


 3) Squid ACL tool can be replace with squidguard or they are totally
 different?


 Totally different. Although some people use URL-rewriting and redirection to
 act like a proxy denial service - what actually happens there is a
 *successful* response with content message saying failure. It is worth
 avoiding the confusion and complexity whenever possible.

 Amos


Re: [squid-users] Squid and Squidguard.

2013-06-12 Thread Bruno Santos
Hi !

I've squid and squidguard working with no problem.

The squid ACLs keep working (I have machine and users ACLS - denying access to 
the machines and users to internet)
and ACLs related to web browsing (denied pages) in squidguard.

You can also do this with squid or vice-versa.


Cheers,

Bruno Santos

- Original Message -
From: Beto Moreno pam...@gmail.com
To: squid-users@squid-cache.org
Sent: Wednesday, June 12, 2013 4:23:30 PM
Subject: [squid-users] Squid and Squidguard.

Hi.

Guys I have small experience with squid, now need to learn how to use
squidguard.

My doubts are:

1) U have squidrunning with your ACL, groups, users and rules, once u
setup squidguard what is order?
squid - rules them squidguard - rules or
squidguard rules them squid - rules?

2) Squidguard is a URL redirector, them squid ACL stuff will continue working?

3) Squid ACL tool can be replace with squidguard or they are totally different?

Sorry to ask this, I'm a little confuse here, thanks for your time!!!








Re: [squid-users] Squid and Squidguard.

2013-06-12 Thread Amos Jeffries

On 13/06/2013 3:23 a.m., Beto Moreno wrote:
> Hi.
>
> Guys I have small experience with squid, now need to learn how to use
> squidguard.
>
> My doubts are:
>
> 1) U have squid running with your ACL, groups, users and rules, once u
> setup squidguard what is order?
> squid - rules then squidguard - rules or
> squidguard rules then squid - rules?

Squidguard is a separate program.

* Squid ACLs determine whether a transaction is processed, and how that
  processing is performed.
* Squidguard ACLs determine whether or not Squidguard tells Squid to
  alter the URL mid-transaction. Nothing more.

All ACLs in both are run. Squid main http_access, adaptation systems and
url_rewrite_access ACLs are run before squidguard. The
url_rewrite_access ACLs determine whether squidguard is used *at all*.
squidguard is contacted and does its thing. Then the remainder of the
Squid ones are run depending on whether they need to on the new URL.

> 2) Squidguard is a URL redirector, then squid ACL stuff will continue working?

Yes.

> 3) Squid ACL tool can be replaced with squidguard or they are totally different?

Totally different. Although some people use URL-rewriting and
redirection to act like a proxy denial service - what actually happens
there is a *successful* response with content message saying failure.
It is worth avoiding the confusion and complexity whenever possible.


Amos


Re: [squid-users] squid with squidguard issue

2012-03-05 Thread jeffrey j donovan

On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote:

 can some one plz help. i followed
 http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny
 squid 2.7 and squidguard 1.2.0
 
 i write the below line at the end of squid.conf
 redirect_program /usr/bin/squidGuard

okay

 
 i denied ads in squidGuard.conf and addme.com is a domain which i
 am sure is in the list of blocklist database.
 now when i go to addme.com it just open the website (which i dont want 
 though)
 
 here is squidGuard.conf rule.
 
 dest adult {
         domainlist      ads/domains
 #       urllist         /var/lib/squidguard/db/blacklists/porn/urls
 #       expressionlist  adult/expressions
         redirect        http://google.com
 
 }

you need to supply a source and destination. basically who is allowed to access 
squidguard. and then tell squidguard what to do with the clients 
request,..allow or deny.

eg; 
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log


#
# SOURCE ADDRESSES:

src admin {
        ip      10.1.1.1
}

src fooclients {
        ip      10.132.0.0/16 10.155.0.0/16
}

src freedomzone {
        ip      10.154.1.0/24 10.154.2.0/24
}
# DESTINATION CLASSES:
#
dest whitelist {
        domainlist      whitelist/domains
}
dest education {
        domainlist      education/schools/domains
        urllist         education/schools/urls
}
dest denied {
        domainlist      denied/domains
        urllist         denied/urls
        redirect        http://10.0.2.3/surfb1.html
        log             deniedaccess.log
}

acl {
        admin {
                pass any
        }

        fooclients {
                pass whitelist education !denied any
        } else {
                pass any
        }
        freedomzone {
                pass whitelist education !pornexp !porn any
                redirect http://staff2.beth.k12.pa.us/index.html
        } else {
                pass any
        }

        default {
                pass none
                redirect http://10.0.2.3/index.html
        }
}




 
 here is squidguard log. /var/log/squid/squidGuard.log
 
 2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
 2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
 2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
 2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
 2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
 2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
 2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
 2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
 2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
 2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)
 
 here is access.log.the thing which is making me confuse that redirect
 tag is not present which suppose to be there. however i can not find
 any redirect tag in default 2.7 squid.conf file. can u please tell me
 what is going on and how can i redirect or can solve the issue
 
 1330953994.304    640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon
 
 
 Thanks,



Re: [squid-users] squid with squidguard issue

2012-03-05 Thread Benjamin E. Nichols

Well you could use squid's built in blacklist capabilities instead of
adding complexity by trying to use squidGuard or DansGuardian,
particularly if you're a noob at squid. I've taken a look at them and
decided that it's too much effort to try and implement. Rather, this is
how I've done it.


Try this instead, it's what I do.

created a blacklist file, and place it somewhere, mine is in my squid dir

/etc/squid3/squid-block.acl  (u can name it whatever u want of course)

add a few test entries to this file in the following format

.pornsite.com
.unwantedsite.com
.whatevershit.com
.someshitwebsite.com

the . will ensure that www.pornsite.com or any subdomain is also blocked.


So next add these lines to your squid.conf

#blacklist by haxradio.com==

acl blacklist dstdomain "/etc/squid3/squid-block.acl"
http_access deny blacklist

#==

then do

squid3 -k reconfigure   (assuming that you're running squid3.x series)

Voila, you are blocking sites using a black list my friend.

btw, just ignore the stupid warning messages. they do not affect the
functionality of this feature and I've learned
to just ignore them.

Thanks to Amos for  helping me to properly do this.









RE: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav

2011-04-14 Thread childrenofchaos
Hey,

The server traffic is less than 300KB/s. 20 people work in this company and 
some guys listen to internet radio.

Is there a command for getting Squid status stats like usage of redirectors and 
DNS requests or something like that?
If Squid tells cans lookup hostname -  dns error and i can get a dns response 
with dig google.de
what can it be, that Squid can't lookup?

I think: if i restart Squid, all cache and other things get cleaned, so there 
must be something that is full, e.g. any queue
because after restart it worked.

Thanks for spending time on this

 -Original Message-
 From: Eliezer Croitoru 
 Sent: Thu. 14.04.11 (01:02)
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav
 
 On 13/04/2011 22:06, childrenofch...@freenet.de wrote:
 
  Hey,
 
  The configuration listed above runs longer 1 year without any probs.
  Now we get the Squid Message: Timeout - DNS Error.
 
  first step i tried: dig google.de from the squid machine. No probs.
  i saw in the cache.log that all url_rewrite_children are busy, so i
  screwed em up from 8 to 16.
 
 how much traffic this server has?
 if the url rewrite children are busy it means too much usage or
 inefficient rewriter.
 if you need some help with the rewriter i can manage to build you a
 great one that based on java.
 my java url rewriters works on one server with a lot of traffic with
 only 2 child and works much more efficient than many others.
 
 Eliezer
  Okay one Day later: DNS Error, and at this Time, no prob with the
  url_rewrite_children.
  now i added some dns Server and the google dns Server (8.8.8.8)
  which should be up, and what i received today :/
  dns Error.
  After squid restart all works fine, no problems comes up in the logs
  (in all logs) but after a day, the messaged blow up again.
 
  now i added dns_nameserver in the squid.conf but no idea any more?
 
  thanks for spending time on this.
 
 
 
 
 
 
 
 -End of Original Message-






Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav

2011-04-13 Thread Chad Naugle
Personally, I would setup a caching-only instance of BIND on the proxy,
and using that for DNS, or using your internal DNS system on your
network, rather than depending on an outside source for all of your
DNS.

 childrenofch...@freenet.de 4/13/2011 3:06 PM 
Hey,

The configuration listed above runs longer 1 year without any probs.
Now we get the Squid Message: Timeout - DNS Error.

first step i tried: dig google.de from the squid machine. No probs.
i saw in the cache.log that all url_rewrite_children are busy, so i
screwed em up from 8 to 16.

Okay one Day later: DNS Error, and at this Time, no prob with the
url_rewrite_children.
now i added some dns Server and the google dns Server (8.8.8.8) which
should be up, and what i received today :/
dns Error.
After squid restart all works fine, no problems comes up in the logs (in
all logs) but after a day, the messaged blow up again.

now i added dns_nameserver in the squid.conf but no idea any more?

thanks for spending time on this.






RE: Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav

2011-04-13 Thread Chad Naugle
Does your internal DNS configuration use the root method, or does it
forward to your ISP's DNS?  I've noticed strange behavior (Notably DNS
timeouts) recently with using the root method at one of my branch
offices, and had to ditch it for the ISP forwarders ...  In my case,
it seemed to have something to do with IPv6 results from the root
servers, and it was causing BIND to timeout, but the second query of the
same website came back instantly.

 childrenofch...@freenet.de 4/13/2011 4:21 PM 
hey,

i did that already :(
and now i get the same error on my own squid machine 
can't see anything in the logfiles



Re: [squid-users] Squid 2.7 + SquidGuard + Squidclamav

2011-04-13 Thread Eliezer Croitoru

On 13/04/2011 22:06, childrenofch...@freenet.de wrote:


> Hey,
>
> The configuration listed above runs longer 1 year without any probs.
> Now we get the Squid Message: Timeout - DNS Error.
>
> first step i tried: dig google.de from the squid machine. No probs.
> i saw in the cache.log that all url_rewrite_children are busy, so i screwed em
> up from 8 to 16.

how much traffic this server has?
if the url rewrite children are busy it means too much usage or 
inefficient rewriter.
if you need some help with the rewriter i can manage to build you a great 
one that based on java.
my java url rewriters works on one server with a lot of traffic with 
only 2 child and works much more efficient than many others.


Eliezer

> Okay one Day later: DNS Error, and at this Time, no prob with the
> url_rewrite_children.
> now i added some dns Server and the google dns Server (8.8.8.8) which should be
> up, and what i received today :/
> dns Error.
> After squid restart all works fine, no problems comes up in the logs (in all
> logs) but after a day, the messaged blow up again.
>
> now i added dns_nameserver in the squid.conf but no idea any more?
>
> thanks for spending time on this.








Re: [squid-users] squid 3 squidguard

2010-11-15 Thread Amos Jeffries
On Mon, 15 Nov 2010 20:54:23 +0100, Marco Schuth ma...@it-schuth.net
wrote:
 Hey,
 
 With squid3, how i have to enable squidGuard ?
 Redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 Or
 url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf 
 
 the Squid Page refer from redirect_program to url_rewrite_programe, but
 with
 both it does not work for me
 
 thanks a lot!

url_rewrite_* are preferred. The other is old and deprecated. Up to 3.1
there is no difference in the two.

Please define "does not work". We can only help if you provide details
about what is going wrong.

Amos


Re: [squid-users] squid 3 squidguard

2010-11-15 Thread Helmut Hullen
Hello, Marco,

You wrote on 15.11.10:

 With squid3, how i have to enable squidGuard ?

Which distribution? squid3 sounds like a very special distribution.

 Redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 Or
 url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

 the Squid Page refer from redirect_program to url_rewrite_programe,
 but with both it does not work for me

Here (self compiled on slackware base): no problem.

squid-3.1.8
squidguard-1.4

Best regards!
Helmut


Re: [squid-users] Squid and squidguard

2010-08-13 Thread donovan jeffrey j

On Aug 12, 2010, at 12:10 PM, Mamadou Touré wrote:

 Hi,
 all when configuring squid for squidguard.
 we have :
 
 redirect_program /usr/bin/squidGuard
 redirect_children 10
 
 what mean redirect_children.
 
 and value should have for squid wich manage about 100 clients.
 
 regards.
 

it means how many squidguard instances should squid spawn.

/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard


watch your processes ie Top or netstat, and watch how many are being used. then 
you can adjust accordingly. 10 is usually just fine.
I have a case where i have thousands of connections so i run 100 redirects. 
Your squid logs will also tell you if you're running out.

-j

RE: [squid-users] Squid and squidguard

2010-08-12 Thread Joseph L. Casale
> what mean redirect_children.

First hit on goggle explains it well:)
Its in the config manual:

Tag Name        redirect_children
Usage           redirect_children number

Description
This tag is used to set the number of redirect processes to spawn
Default redirect_children 5

Example
redirect_children 10

Caution
If you start too few Squid will have to wait for them to process a back log of 
URLs, slowing it down. If you start too many they will use RAM and other system 
resources.


Re: [squid-users] squid rewrite squidguard

2010-06-01 Thread FRLinux
On Mon, May 31, 2010 at 11:25 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
 Check the first two directives in your conf, see who can write
 there.

Hello, Thanks for your reply, I have some rights issues but even when
i assign the right permissions (ie. squid), it still cannot read them:

2010-06-01 10:31:19 [17307] New setting: dbhome: /var/lib/squidguard
2010-06-01 10:31:19 [17307] New setting: logdir: /var/log/squid
2010-06-01 10:31:19 [17307] init domainlist /var/lib/squidguard/blacklists/ads/domains
2010-06-01 10:31:19 [17307] loading dbfile /var/lib/squidguard/blacklists/ads/domains.db
2010-06-01 10:31:19 [17307] Error db_open: Permission denied
2010-06-01 10:31:19 [17307] Going into emergency mode

I'll mail the squidguard list, thanks for your help.
Steph


RE: [squid-users] squid rewrite squidguard

2010-05-31 Thread Joseph L. Casale
> 2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
> 2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
> 2010-05-31 16:17:31 [2785] source not found
> 2010-05-31 16:17:31 [2785] no ACL matching source, using default
> http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
> 2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)
>
> But when running within Squid, it does not seem to be taking it? Did I
> miss anything in the squid.conf file ? I looked online and couldn't
> spot any error.

FWIW, there is a squidguard mailing list that is pretty helpful.

Your problem is permissions almost certainly, you ran this and the
db creation as root (or someone), so now the user that squid runs
the rewriter as does not have any access privs to the log files
and/or bl/db's...

Check the first two directives in your conf, see who can write
there.

HTH,
jlc


Re: [squid-users] squid and squidGuard

2010-03-03 Thread Henrik Nordstrom
On Wed 2010-03-03 at 13:09 +0100, Jaap Cammeraat wrote:
 Hi,
 
 
 I'm using squid-3.0.STABLE20
 And running squidGuard 1.4
 
 
 When I do a test in my shell I get the answer I want:
 
 
 sh-3.2# echo http://playboy.com 127.0.0.1/ - - GET | 
 /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf 
 -d

Don't run SquidGuard as root.. you need to test as your
cache_effective_user (the user Squid and any configured helpers run as
after starting up).

It's very likely you have a permission issue where the running user can
not access the SquidGuard data..

Regards
Henrik



Re: [squid-users] squid and squidguard

2008-08-27 Thread Marcus Kool

Ismail,

ufdbGuard is free.
It can be used with a free URL database and
with a commercial database.

-Marcus


İsmail ÖZATAY wrote:

Marcus Kool wrote:

Hi Ismail,

I would add a redirect statement to the int_net acl rule.

observation: blocking porn without blocking proxies is the same as 
blocking nothing.

You might want to try ufdbGuard: it is faster than squidguard, and has
additional features for enforcing Google SafeSearch and verifying
HTTPS traffic (certificates and optionally blocking HTTPS to IP 
addresses instead of FQDNs).


-Marcus


İsmail ÖZATAY wrote:

Hi ,
I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3  p1,p2,p3 + 
berkeley db 2.7. Everything seems ok without any problem but when i 
use redirect_program in squid.conf my internal network connect 
bypassing the squidguard. I searched something but can not fix it ? 
Can anybody help me ? Here is my config;


squidGuard.conf
-
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db

src int_net {
   ip 192.168.0.0/24
}
dest porn {
   domainlist BL/porn/domains
   urllist    BL/porn/urls
}
acl {
   int_net {
      pass !porn all
   }
   default {
      pass none
      redirect http://www.google.com.tr
   }
}



squid.conf
---
http_port 0.0.0.0:3128
acl all src 0.0.0.0/0.0.0.0
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports








Also i saw that this is a commercial product. Do you know any free 
software like this ?







Re: [squid-users] squid and squidguard

2008-08-26 Thread Joop Beris
On Tuesday 26 August 2008 02:34:22 pm İsmail ÖZATAY wrote:
 Hi ,
 I am using 2.6.STABLE6 on CentOS 5.2 + squidguard 1.3  p1,p2,p3 +
 berkeley db 2.7. Everything seems ok without any problem but when i use
 redirect_program in squid.conf my internal network connect bypassing the
 squidguard. I searched something but can not fix it ? Can anybody help
 me ? Here is my config;

snip

Hi Ismail,

Have a look at your squidGuard.log. Usually squidguard is very verbose when 
something is not working.
Usually the problem lies in wrong permissions on the squidguard db files. Make 
sure the user squid is running under, can read the db files.

HTH,

Joop
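
The permission advice in this reply, and in the earlier replies from Joseph L. Casale and Henrik Nordstrom, comes down to one check: can the account Squid runs its helpers as search and read everything under dbhome, and write to logdir? The script below is an added example, not code from any poster or from squidGuard; the function names, the stand-in uid/gid 64001 and the temporary tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit squidGuard paths for one account
# using owner/group/mode bits only. POSIX ACLs, SELinux/AppArmor, root's
# override and the directories above dbhome are not considered.

# sg_setting CONF KEY: print the value of the first "KEY value" line.
sg_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# mode_allows PATH UID "GID ..." BIT: succeed if the permission class that
# applies to UID (owner, else group, else other) grants BIT (r, w or x).
mode_allows() {
    ls -lnd -- "$1" 2>/dev/null | awk -v uid="$2" -v gids="$3" -v bit="$4" '
        NR == 1 {
            n = split(gids, g, " "); member = 0
            for (i = 1; i <= n; i++) if (g[i] == $4) member = 1
            start = (uid == $3) ? 2 : (member ? 5 : 8)
            off = (bit == "r") ? 0 : ((bit == "w") ? 1 : 2)
            c = substr($1, start + off, 1)
            ok = (c != "-" && c != "S" && c != "T")
        }
        END { exit ok ? 0 : 1 }'
}

# sg_problems CONF UID "GID ...": print one line per path the account cannot
# use. Directories under dbhome must be searchable, list and .db files
# readable, and logdir writable because squidGuard writes its log there.
sg_problems() {
    sg_db=$(sg_setting "$1" dbhome)
    sg_log=$(sg_setting "$1" logdir)
    find "$sg_db" -type d | while IFS= read -r p; do
        mode_allows "$p" "$2" "$3" x || echo "no-search $p"
    done
    find "$sg_db" -type f | while IFS= read -r p; do
        mode_allows "$p" "$2" "$3" r || echo "no-read $p"
    done
    mode_allows "$sg_log" "$2" "$3" w || echo "no-write $sg_log"
    return 0
}

# make_demo_tree DIR: constructed layout with a .db file left at mode 600,
# as happens when the database build was run by a different account.
make_demo_tree() {
    mkdir -p "$1/db/ads" "$1/log"
    : > "$1/db/ads/domains"
    : > "$1/db/ads/domains.db"
    chmod 755 "$1/db" "$1/db/ads" "$1/log"
    chmod 644 "$1/db/ads/domains"
    chmod 600 "$1/db/ads/domains.db"
    printf 'dbhome %s/db\nlogdir %s/log\n' "$1" "$1" > "$1/squidGuard.conf"
}

# Demo: 64001 stands in for the uid and gid of cache_effective_user and is
# assumed not to own the tree. On a real host pass "$(id -u USER)" and
# "$(id -G USER)" for that account instead.
demo=$(mktemp -d)
make_demo_tree "$demo"
sg_problems "$demo/squidGuard.conf" 64001 64001
rm -rf "$demo"
```

An empty result means the mode bits are not the obstacle; running squidGuard by hand as that account, as Henrik suggests, remains the definitive test.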

 



Re: [squid-users] squid and squidguard

2008-08-26 Thread Marcus Kool

Hi Ismail,

I would add a redirect statement to the int_net acl rule.

observation: blocking porn without blocking proxies is the same as blocking 
nothing.
You might want to try ufdbGuard: it is faster than squidguard, and has
additional features for enforcing Google SafeSearch and verifying
HTTPS traffic (certificates and optionally blocking HTTPS to IP addresses 
instead of FQDNs).

-Marcus









Re: [squid-users] squid and squidguard

2008-08-26 Thread İsmail ÖZATAY










Hi Marcus i will try ufdbGuard.

Regards

ismail


Re: [squid-users] squid and squidguard

2008-08-26 Thread İsmail ÖZATAY









Also i saw that this is a commercial product. Do you know any free 
software like this ?





Re: [squid-users] squid and squidguard

2008-08-26 Thread Indunil Jayasooriya
 Also i saw that this is a commercial product. Do you know any free
 software like this ?

 What about this?
Pls try

 http://www.shallalist.de/



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid or squidguard blocking google redirections

2008-05-07 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:


> Hi,
>
> Cannot say if its squid rules or the squidGuard itself blocking
> following url for google.
>
> http://www.google.com/url?sa=
>
> I have removed www.google.com/url from my blacklist but now browser
> after trying it just stops and does nothing.
>
> Any clue/help will be appreciated :-)


Yes clues would be appreciated. Such as:
  which version of squid are you running?

and many other bits of info about the failed requests, from the 
cache.log squid writes.


Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5


Re: [squid-users] squid, blacklists ,squidguard doesnt work

2007-03-20 Thread Martin A. Brooks

[EMAIL PROTECTED] wrote:

When i removed porn file or porn file  1 MB then squid work fine
  


As each child will need to read that file, you're looking at a 
significant memory overhead.  Either install more memory in the server, 
or keep the file down to a reasonable size.


--

Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam  anti-virus
   Consultant| e: [EMAIL PROTECTED]   | filtering. Inoculate
 antibodymx.net  | m: +447896578023   | your mail system.



Re: [squid-users] squid, blacklists ,squidguard doesnt work

2007-03-20 Thread Henrik Nordstrom
Tue 2007-03-20 at 16:31 +0200, [EMAIL PROTECTED] wrote:
 Hi
 I installed squid  2.5.STABLE6 on Centos 4.4
 
 I have a blacklist file, size more than 4 Megabytes
 
 acl in squid.conf look like
 
 acl porn url_regex -i /etc/squid/porn

Uhm... 4 Megabytes of regex expressions? Are you really really sure
that's what you have?

I suspect you are abusing the wrong acl type here... quite likely a lot
of that blacklist should go into a dstdomain acl..

What does the content of this blacklist look like?

Regards
Henrik
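
One way to act on this suggestion, as an added example that is not part of the original thread: it sorts blacklist entries into plain host names (candidates for a dstdomain ACL), host/path URLs, and the entries that really need url_regex. The sample entries, file names and ACL names are constructed for illustration.

```python
import re

# A plain host name: dot-separated labels, no scheme, path or regex syntax.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Characters that have no business in a host name or a plain URL path.
REGEX_ONLY = set("^$*+()[]{}|\\")


def classify(entry):
    """Return (kind, value) for one blacklist line, or None for blanks and comments."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    host = entry.lower().lstrip(".")
    if HOSTNAME.match(host):
        return ("domain", host)
    if not REGEX_ONLY.intersection(entry):
        bare = SCHEME.sub("", entry)
        head, slash, _path = bare.partition("/")
        if slash and HOSTNAME.match(head.lower()):
            return ("url", bare)
    # Bare keywords and anything with regex syntax stay in the regex bucket.
    return ("regex", entry)


def prune_subdomains(domains):
    """Drop names already covered by a listed parent domain."""
    kept = set()
    # Fewest labels first, so a parent is always seen before its children.
    for name in sorted(set(domains), key=lambda d: d.count(".")):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)


def split_blacklist(lines):
    """Sort blacklist lines into dstdomain entries, host/path URLs and real regexes."""
    buckets = {"domain": [], "url": [], "regex": []}
    for line in lines:
        item = classify(line)
        if item:
            buckets[item[0]].append(item[1])
    # A leading dot makes a dstdomain entry match the domain and its subdomains.
    buckets["domain"] = ["." + d for d in prune_subdomains(buckets["domain"])]
    return buckets


# Constructed sample, not taken from any real blacklist.
SAMPLE = r"""
# comment line
example.com
www.example.com
ads.example.net
Example.ORG
example.org/banners/
http://tracker.example.net/pixel.gif
(^|\.)adserver[0-9]+\.
casino
""".splitlines()

if __name__ == "__main__":
    result = split_blacklist(SAMPLE)
    for kind in ("domain", "url", "regex"):
        print(f"{kind:6} {len(result[kind]):3}  {result[kind]}")
    # Hypothetical squid.conf lines for the two files one would write out:
    #   acl porn_domains dstdomain "/etc/squid/porn.domains"
    #   acl porn_regex   url_regex -i "/etc/squid/porn.regex"
```

If nearly everything lands in the domain bucket, the list was never a regex list to begin with, which is the situation the reply suspects.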




Re: [squid-users] Squid and SquidGuard retsarting. Why?

2006-07-18 Thread Henrik Nordstrom
Wed 2006-07-12 at 15:22 +0100, Brian Gregory wrote:

 Squid is set up to run 5 squidGuard processes. When we boot Suse it 
 takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to 
 read in the blacklists and build their tables.

This will be much faster if you let squidGuard build its lookup db.

 Much of the time it works fine but every now and then for no obvious 
 reason, squid decides it needs to start more squidGuard processes which 
 effectively cuts off all web access.

helper processes are restarted

  when squid -k rotate is run
  when squid -k reconfigure is run
  when more than 50% of the helpers have crashed
  if Squid crashes or is restarted

  I'm not sure exactly what happens, 

See cache.log for information on why the helpers were restarted.

Regards
Henrik




Re: [squid-users] Squid and SquidGuard retsarting. Why?

2006-07-13 Thread Brian Gregory

Dwayne Hottinger wrote:

Quoting Brian Gregory [EMAIL PROTECTED]:


We have a Linux box running Suse 10.0 set up as a router and web proxy
with filtering sharing our DSL connection between 7 Windows XP
computers. It's running squid and squidGuard with a very large blacklist
of forbidden URLs and phrases.

Because we basically have no money the Suse box is an old 400MHz Pentium
II PC with only 256MB of RAM and this isn't likely to change in the near
future, except that I might be able to get some more RAM if necessary.

Squid is set up to run 5 squidGuard processes. When we boot Suse it
takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to
read in the blacklists and build their tables. During this time the web
proxy is non functional so we usually leave the Suse box running 24/7 to
avoid having to wait for it.

Much of the time it works fine but every now and then for no obvious
reason, squid decides it needs to start more squidGuard processes which
effectively cuts off all web access. I'm not sure exactly what happens,
maybe sometimes it just kills the existing squidGuards and starts new
ones but it sometimes seems to end running 10 squidGuards and thrashing
the disk hard for ages leaving the users with no web access.

When it's all running properly free -m seems to indicate that there is
enough memory:

             total       used       free     shared    buffers     cached
Mem:           250        246          3          0         51        126
-/+ buffers/cache:         68        181
Swap:          400          2        397



Does anyone know what's going on and how to stop it happening?

--

Brian Gregory.
[EMAIL PROTECTED]

Computer Room Volunteer.
Therapy Centre.
Prospect Park Hospital.



How big are your access.log files?  There is a 2gb limit on Squid.  I would
definitely think about adding more memory to the box though.  You should be
able to pick up PC 100 memory fairly cheap.
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools



Part of the problem may be log file rotation which appears to be set to 
restart squid at the moment.


However this does not explain why I sometimes find that it is running 10 
squidGuard processes when my squid.conf specifies 5.


--

Brian Gregory.
[EMAIL PROTECTED]

Computer Room Volunteer.
Therapy Centre.
Prospect Park Hospital.


Re: [squid-users] Squid and SquidGuard retsarting. Why?

2006-07-12 Thread Dwayne Hottinger
Quoting Brian Gregory [EMAIL PROTECTED]:

 We have a Linux box running Suse 10.0 set up as a router and web proxy
 with filtering sharing our DSL connection between 7 Windows XP
 computers. It's running squid and squidGuard with a very large blacklist
 of forbidden URLs and phrases.

 Because we basically have no money the Suse box is an old 400MHz Pentium
 II PC with only 256MB of RAM and this isn't likely to change in the near
 future, except that I might be able to get some more RAM if necessary.

 Squid is set up to run 5 squidGuard processes. When we boot Suse it
 takes 15-20 minutes with lots of disk thrashing for the 5 squidGuards to
 read in the blacklists and build their tables. During this time the web
 proxy is non functional so we usually leave the Suse box running 24/7 to
 avoid having to wait for it.

 Much of the time it works fine but every now and then for no obvious
 reason, squid decides it needs to start more squidGuard processes which
 effectively cuts off all web access. I'm not sure exactly what happens,
 maybe sometimes it just kills the existing squidGuards and starts new
 ones but it sometimes seems to end running 10 squidGuards and thrashing
 the disk hard for ages leaving the users with no web access.

 When it's all running properly free -m seems to indicate that there is
 enough memory:

              total       used       free     shared    buffers     cached
 Mem:           250        246          3          0         51        126
 -/+ buffers/cache:         68        181
 Swap:          400          2        397



 Does anyone know what's going on and how to stop it happening?

 --

 Brian Gregory.
 [EMAIL PROTECTED]

 Computer Room Volunteer.
 Therapy Centre.
 Prospect Park Hospital.


How big are your access.log files?  There is a 2gb limit on Squid.  I would
definitely think about adding more memory to the box though.  You should be
able to pick up PC 100 memory fairly cheap.
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools


Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-09 Thread Rönnblom Janåke /Teknous
Hi!

I'm running squidguard-1.2.0 on RHEL4 and Ubuntu Dapper Flight 4 and squid
doesn't crash, however it does fill up /var/tmp but I do a squid reload every
night to reconfigure the squidguard and at that time I rm -f /var/tmp/BDB*
before reloading squid.

So far it has been running stable for me. If you want to be safe you
should probably stop squid before cleaning /var/tmp/BDB* and then start it.

-

From: Sushil Deore [EMAIL PROTECTED]
Date: Wed, 8 Mar 2006 00:56:55 +0530 (IST)

Hello,

 
  I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley
  db-4.0 on Fedora Core-4.
 
  It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently
  crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but
  Berkeley DB-4.0 comes with FC-4.

 Squidguard does not prefer DB-2.X; it requires it. Squidguard
 does not support DB-4.0

You are true, can you please suggest me any alternative that can be used
inplace of squidGuard on FC-4 with squid-3.0/squid-2.5?

  How can I stop squid from crashing? Is there anything I am missing out in
  the setup. Any recommendation on the actual packages(squid/squidGuard or
  any else/Berkeley DB) I should use with FC-4?

Thanks in advance. 

=
Janåke Rönnblom
IT avdelningen, Teknous, Skellefteå Kommun
Assistentgatan 23
931 77 Skelleftea (Sweden)
-
Phone  : +46-910-58 54 24
Mobile : 070-397 07 43
Fax: +46-910-58 54 99
URL: http://skeria.skelleftea.se
-
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer





Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-09 Thread Henrik Nordstrom
Thu 2006-03-09 at 10:14 +0100, Rönnblom Janåke /Teknous wrote:
 Hi!
 
 I'm running squidguard-1.2.0 on RHEL4 and Ubuntu Dapper Flight 4 and squid
 doesn't crash, however it does fill up /var/tmp but I do a squid reload every
 night to reconfigure the squidguard and at that time I rm -f /var/tmp/BDB*
 before reloading squid.

You should rebuild the DB files statically. See the SquidGuard
documentation.

This will both keep the DB files under control and significantly speed
up startup.

Regards
Henrik




Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-09 Thread Rönnblom Janåke /Teknous
Henrik Nordstrom [EMAIL PROTECTED] wrote on 9 March 2006 at 10:40 +:
You should rebuild the DB files statically. See the SquidGuard
documentation.

Ah, you mean running squidguard once with -C all to create db files?

I forgot to switch to this mode when entering into production so thanks
for the tip!

=
Janåke Rönnblom
IT avdelningen, Teknous, Skellefteå Kommun
Assistentgatan 23
931 77 Skelleftea (Sweden)
-
Phone  : +46-910-58 54 24
Mobile : 070-397 07 43
Fax: +46-910-58 54 99
URL: http://skeria.skelleftea.se
-
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer





Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-08 Thread Sushil Deore

Hello,

 
  I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley
  db-4.0 on Fedora Core-4.
 
  It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently
  crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but
  Berkeley DB-4.0 comes with FC-4.

 Squidguard does not prefer DB-2.X; it requires it. Squidguard
 does not support DB-4.0

You are true, can you please suggest me any alternative that can be used
inplace of squidGuard on FC-4 with squid-3.0/squid-2.5?


  How can I stop squid from crashing? Is there anything I am missing out in
  the setup. Any recommendation on the actual packages(squid/squidGuard or
  any else/Berkeley DB) I should use with FC-4?


Thanks in advance.

-- Sushil.




Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-08 Thread Henrik Nordstrom
Wed 2006-03-08 at 00:56 +0530, Sushil Deore wrote:

 You are true, can you please suggest me any alternative that can be used
 inplace of squidGuard on FC-4 with squid-3.0/squid-2.5?

What do you want the redirector to do?

But seriously, SquidGuard does work fine with DB4. You just need to
patch it a little. See their homepage.

You can also find prebuilt RPMs for FC-4 from rpmforge / Dag Wieers,
already including the DB4 patch, automatic log rotation and more..

The reason why DB4 support isn't included in the SquidGuard distribution
is that SquidGuard is no longer actively maintained by its authors. But
this does not make it less functional once you get it running..

Regards
Henrik




Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-05 Thread Nikos Zaharioudakis
On 3/5/06, Sushil Deore [EMAIL PROTECTED] wrote:

 Hello,

 I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley
 db-4.0 on Fedora Core-4.

 It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently
 crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but
 Berkeley DB-4.0 comes with FC-4.

 How can I stop squid from crashing? Is there anything I am missing out in
 the setup. Any recommendation on the actual packages(squid/squidGuard or
 any else/Berkeley DB) I should use with FC-4?

 Thanks in advance.

 -- Sushil.


How about using these RPMs http://dag.wieers.com/home-made/squidguard/
Don't forget to take the squidguard-blacklists too

Have fun

--
3
Zaharioudakis Nikos
mob: +30 6947204063
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?


Re: [squid-users] squid-3.0/squidGuard-1.2/db-4.0 on FC-4

2006-03-05 Thread Mark Elsen

 Hello,

 I have installed squid-3.0-PRE3-20060114 with squidGuard-1.2 with berkeley
 db-4.0 on Fedora Core-4.

 It generates some BDB*(for ex.BDB00854) files in /var/tmp/ which subsequently
 crashes squid. As squidGuard-1.2 is preferred with Berkeley DB-2.X but
 Berkeley DB-4.0 comes with FC-4.

Squidguard does not prefer DB-2.X; it requires it. Squidguard
does not support DB-4.0


 How can I stop squid from crashing? Is there anything I am missing out in
 the setup. Any recommendation on the actual packages(squid/squidGuard or
 any else/Berkeley DB) I should use with FC-4?

 Thanks in advance.

 -- Sushil.




Re: [squid-users] Squid with SquidGuard

2006-01-27 Thread Mark Elsen
 Actually No. (groan...)

 2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.

 (From cache.log after reboot with /usr/sbin/squid in rc.local)

 Sigh...


  - Try the online test again :

 root # /usr/sbin/squid

 OK ?

 M.


Re: [squid-users] Squid with SquidGuard

2006-01-27 Thread Mark Sansome
Mark Elsen wrote:

  - Try the online test again :

 root # /usr/sbin/squid

 OK ?

 M.


Yeah That still works fine.

Mark





Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Elsen
 I'm running Red Hat Fedora Core 4 on an Intel Celeron (Coppermine) PC.

 [EMAIL PROTECTED] ~]$ uname -a
 Linux localhost.localdomain 2.6.14-1.1656_FC4 #1 Thu Jan 5 22:13:22 EST 2006 
 i686 i686 i386 GNU/Linux

 Is there anything else you need to know?


 Please find below a full (Level 1, ALL) log for a reboot with the 
 /usr/sbin/squid line in /etc/rc.d/rc.local.


 So , are you really sure, that the one  user who is defined as :

cache_effective_user

 in squid.conf, can execute :

   /usr/local/squidguard/bin/squidGuard

 -- Double  verify and again, if needed.

 M.


Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Sansome
Mark Elsen wrote:

 So , are you really sure, that the one  user who is defined as :

cache_effective_user

 in squid.conf, can execute :

   /usr/local/squidguard/bin/squidGuard

 -- Double  verify and again, if needed.

 M.

  

Hmmm. Well I *thought* I could. But see below:

[EMAIL PROTECTED] ~]$ su
Password:
[EMAIL PROTECTED] mark]# cat /etc/squid/squid.conf | grep cache_effective
#  TAG: cache_effective_user
#   to UID to squid.  If you define cache_effective_user, but not
#   cache_effective_group, Squid sets the GID to the effective
#   cache_effective_user.
#cache_effective_user squid
cache_effective_user squid
#  TAG: cache_effective_group
#cache_effective_group squid
cache_effective_group squid

Then:

[EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
2006/01/26 18:47:49| strtokFile: /usr/share/squid/ads not found
2006/01/26 18:47:49| aclParseAclLine: WARNING: empty ACL: acl ad_sites
dstdomain /usr/share/squid/ads
2006/01/26 18:47:49| Starting Squid Cache version 2.5.STABLE11 for
i386-redhat-linux-gnu...
2006/01/26 18:47:49| Process ID 5028
2006/01/26 18:47:49| With 1024 file descriptors available
2006/01/26 18:47:49| Performing DNS Tests...
2006/01/26 18:47:49| Successful DNS name lookup tests...
2006/01/26 18:47:49| DNS Socket created at 0.0.0.0, port 32789, FD 4
2006/01/26 18:47:49| Adding nameserver 192.168.123.254 from /etc/resolv.conf
2006/01/26 18:47:49| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/26 18:47:50| User-Agent logging is disabled.
2006/01/26 18:47:50| Referer logging is disabled.
2006/01/26 18:47:50| Unlinkd pipe opened on FD 14
2006/01/26 18:47:50| Swap maxSize 102400 KB, estimated 7876 objects
2006/01/26 18:47:50| Target number of buckets: 393
2006/01/26 18:47:50| Using 8192 Store buckets
2006/01/26 18:47:50| Max Mem  size: 8192 KB
2006/01/26 18:47:50| Max Swap size: 102400 KB
2006/01/26 18:47:50| Rebuilding storage in /var/spool/squid (CLEAN)
2006/01/26 18:47:50| Using Least Load store dir selection
2006/01/26 18:47:50| Set Current Directory to /var/spool/squid
2006/01/26 18:47:50| Loaded Icons.
2006/01/26 18:47:50| Accepting HTTP connections at 0.0.0.0, port 8080,
FD 16.
2006/01/26 18:47:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2006/01/26 18:47:50| WCCP Disabled.
2006/01/26 18:47:50| /var/run/squid.pid: (1) Operation not permitted
FATAL: Could not write pid file

Wooahhh???

So:
[EMAIL PROTECTED] mark]# ls -la /var/run/squi*
ls: /var/run/squi*: No such file or directory

Hmmm - Strange?
[EMAIL PROTECTED] mark]# locate squid.pid
/var/run/squid.pid

So whatever squid.pid is or does it was there the last time updatedb was
run but it's not there now.

However, Squid did get past the point at which it launched squidGuard
(which seemed OK) before gracefully closing it. See squidGuard.log
(+note times):
 2006-01-26 18:47:50 [5031] squidGuard 1.2.0 started (1138301270.257)
2006-01-26 18:47:50 [5031] squidGuard ready for requests (1138301270.310)
2006-01-26 18:47:50 [5033] squidGuard 1.2.0 started (1138301270.275)
2006-01-26 18:47:50 [5033] squidGuard ready for requests (1138301270.311)
2006-01-26 18:47:50 [5029] squidGuard 1.2.0 started (1138301270.246)
2006-01-26 18:47:50 [5029] squidGuard ready for requests (1138301270.312)
2006-01-26 18:47:50 [5032] squidGuard 1.2.0 started (1138301270.290)
2006-01-26 18:47:50 [5032] squidGuard ready for requests (1138301270.313)
2006-01-26 18:47:50 [5030] squidGuard 1.2.0 started (1138301270.285)
2006-01-26 18:47:50 [5030] squidGuard ready for requests (1138301270.314)
2006-01-26 18:47:51 [5029] squidGuard stopped (1138301271.198)
2006-01-26 18:47:51 [5030] squidGuard stopped (1138301271.200)
2006-01-26 18:47:51 [5031] squidGuard stopped (1138301271.201)
2006-01-26 18:47:51 [5032] squidGuard stopped (1138301271.203)
2006-01-26 18:47:51 [5033] squidGuard stopped (1138301271.204)

Now running /usr/sbin/squid -NCd 1 as root (*NOT* sudo -u squid) works
just fine (I am not posting the output, but I ran it at 19:07) and guess
what?:
[EMAIL PROTECTED] mark]# ls -la /var/run/squid.pid
-rw-r--r--  1 root squid 5 Jan 26 19:07 /var/run/squid.pid
[EMAIL PROTECTED] mark]#

I'm *sure* this worked before however but (shrug) nevertheless - what
does it tell us?

Thanks again for all your help

Best regards

Mark





Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Elsen

 [EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
...

 That's not the way to go, and not what I asked.
 You need to make sure that the one who is defined
 as

 cache_effective_user

 can execute /squidGuard.
 Since the user is apparently called 'squid'  you need to,

 Either fully login as squid'' and test this, I advise to test it
 that way *really*.
 If you want to test it from root-originating-shells then,

 1) # su - squid
 2) squid % _path_to_squidguard/squidGuard

the latter should not give a permission error.

squid.pid contains the process id of the squid process.

Starting as 'squid' using the sudo stuff is bogus, because, indeed,
then you run into other problems such as the pid file which can not be written,
e.g. because this file is owned by root.

M.


Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Sansome
Mark Elsen wrote:


[EMAIL PROTECTED] mark]# sudo -u squid /usr/sbin/squid -NCd 1
...



 That's not the way to go, and not what I asked.
 You need to make sure that the one who is defined
 as

 cache_effective_user

 can execute /squidGuard.
 Since the user is apparently called 'squid'  you need to,

 Either fully login as squid'' and test this, I advise to test it
 that way *really*.
 If you want to test it from root-originating-shells then,

 1) # su - squid
 2) squid % _path_to_squidguard/squidGuard

the latter should not give a permission error.

squid.pid contains the process id of the squid process.

Starting as 'squid' using the sudo stuff is bogus, because, indeed,
then you run into other problems such as the pid file which can not be written,
e.g. because this file is owned by root.

M.

  

Sorry, My mistake - again.

[EMAIL PROTECTED] mark]# su - squid
This account is currently not available.

hmmm..

[EMAIL PROTECTED] mark]# vim /etc/passwd
   {change squid:x:23:23::/var/spool/squid:/sbin/nologin to
squid:x:23:23::/var/spool/squid:/bin/bash}

[EMAIL PROTECTED] mark]# su - squid
-bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)

OK?

Thanks (yet) again...

Mark







Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Elsen
 Sorry, My mistake - again.

 [EMAIL PROTECTED] mark]# su - squid
 This account is currently not available.

 hmmm..

 [EMAIL PROTECTED] mark]# vim /etc/passwd
{change squid:x:23:23::/var/spool/squid:/sbin/nologin to
 squid:x:23:23::/var/spool/squid:/bin/bash}

 [EMAIL PROTECTED] mark]# su - squid
 -bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
 2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
 2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)

 OK?

 Thanks (yet) again...


  Ok, and now, since the status of the squid account in the pw file
was changed you should, simply (only) ,try :

   root #  _path_to_squid/squid

Check whether this works.

M.


Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Sansome
Mark Elsen wrote:

Sorry, My mistake - again.

[EMAIL PROTECTED] mark]# su - squid
This account is currently not available.

hmmm..

[EMAIL PROTECTED] mark]# vim /etc/passwd
   {change squid:x:23:23::/var/spool/squid:/sbin/nologin to
squid:x:23:23::/var/spool/squid:/bin/bash}

[EMAIL PROTECTED] mark]# su - squid
-bash-3.00$ /usr/local/squidguard/bin/squidGuard -d
2006-01-26 20:47:29 [6046] squidGuard 1.2.0 started (1138308449.370)
2006-01-26 20:47:29 [6046] squidGuard ready for requests (1138308449.372)

OK?

Thanks (yet) again...




  Ok, and now, since the status of the squid account in the pw file
was changed you should, simply (only) ,try :

   root #  _path_to_squid/squid

Check whether this works.

M.

  

[EMAIL PROTECTED] mark]# whereis squid
squid: /usr/sbin/squid /etc/squid /usr/lib/squid /usr/share/squid /usr/share/man/man8/squid.8.gz
[EMAIL PROTECTED] mark]# /usr/sbin/squid
[EMAIL PROTECTED] mark]# ps -ef | grep squid
[EMAIL PROTECTED] mark]# ps -ef | grep squid
root      6017  5105  0 20:46 pts/3    00:00:00 su - squid
squid     6018  6017  0 20:46 pts/3    00:00:00 -bash
root      6195     1  0 21:11 ?        00:00:00 /usr/sbin/squid
squid     6197  6195  0 21:11 ?        00:00:00 (squid)
squid     6198  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
squid     6199  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
squid     6200  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
squid     6201  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
squid     6202  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
squid     6203  6197  0 21:11 ?        00:00:00 (unlinkd)
root      6209  5055  0 21:12 pts/2    00:00:00 grep squid
[EMAIL PROTECTED] mark]#

Looking good...

Logs (both /var/log/squid/cache.log 
/var/log/squidguard/squidGuard.log) also show squid + squidGuard started OK

What now?

Mark





Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Elsen
 [EMAIL PROTECTED] mark]# whereis squid
 squid: /usr/sbin/squid /etc/squid /usr/lib/squid /usr/share/squid /usr/share/man/man8/squid.8.gz
 [EMAIL PROTECTED] mark]# /usr/sbin/squid
 [EMAIL PROTECTED] mark]# ps -ef | grep squid
 [EMAIL PROTECTED] mark]# ps -ef | grep squid
 root      6017  5105  0 20:46 pts/3    00:00:00 su - squid
 squid     6018  6017  0 20:46 pts/3    00:00:00 -bash
 root      6195     1  0 21:11 ?        00:00:00 /usr/sbin/squid
 squid     6197  6195  0 21:11 ?        00:00:00 (squid)
 squid     6198  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
 squid     6199  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
 squid     6200  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
 squid     6201  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
 squid     6202  6197  0 21:11 ?        00:00:00 (squidGuard) -c /etc/squidguard.conf
 squid     6203  6197  0 21:11 ?        00:00:00 (unlinkd)
 root      6209  5055  0 21:12 pts/2    00:00:00 grep squid
 [EMAIL PROTECTED] mark]#

 Looking good...

 Logs (both /var/log/squid/cache.log 
 /var/log/squidguard/squidGuard.log) also show squid + squidGuard started OK

 What now?


Same test , but now, from /etc/rc.d/rc.local.
(involves system restart)

Should work too now.

M.


Re: [squid-users] Squid with SquidGuard

2006-01-26 Thread Mark Sansome
Mark Elsen wrote:

What now?




Same test , but now, from /etc/rc.d/rc.local.
(involves system restart)

Should work too now.


  

Actually No. (groan...)

2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/26 22:00:56| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.

(From cache.log after reboot with /usr/sbin/squid in rc.local)

Sigh...

Mark





RE: [squid-users] Squid with SquidGuard

2006-01-26 Thread Brian Phillips
 Actually No. (groan...)
 
 2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard'
 processes 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process. 2006/01/26 22:00:56|
 WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process. 2006/01/26 22:00:56|
 WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
 2006/01/26 22:00:56| WARNING: Cannot run
 '/usr/local/squidguard/bin/squidGuard' process.   
 
 (From cache.log after reboot with /usr/sbin/squid in rc.local)
 
 Sigh...
 
 Mark

Can you also try it with your service squid start or whatever init script
you have available?

Brian



Re: [squid-users] Squid with SquidGuard

2006-01-24 Thread Mark Elsen
 If I put the command
 /usr/sbin/squid -NC
 in my /etc/rc.d/rc.local file it hangs the system on reboot!

   You can not use it like that in rc.local, that way of SQUID starting  is meant
to be used from the command line, and intended for problem solving tasks.
Use squid -h to understand the meaning of these flags
For rc.local just use :

   _path_to_squid/squid

afterwards, check cache.log , watch out for FATAL errors, if

I think it's something to do with the cache (/var/spool/squid).
Whatever caused it, the only remedy was to power off and reboot with a
rescue disk  comment out the line in /etc/rc.d/rc.local.

 Interestingly, if I try the command /usr/sbin/squid on its own with no 
 switches, the system starts OK but I get the same old error (WARNING: Cannot 
 run '/usr/bin/squidGuard' process.) and squidGuard is not running.

 So what on earth is going on?

 We need to re-iterate ;

 On the command line :

   # squid -NCd 1

check whether this works, again.

Then just put startup command in rc.local the way I explained.
Check cache.log

M.


Re: [squid-users] Squid with SquidGuard

2006-01-24 Thread Mark Sansome
Mark Elsen wrote:

If I put the command
/usr/sbin/squid -NC
in my /etc/rc.d/rc.local file it hangs the system on reboot!



   You can not use it like that in rc.local, that way of SQUID starting  is meant
to be used from the command line, and intended for problem solving tasks.
Use squid -h to understand the meaning of these flags
For rc.local just use :

   _path_to_squid/squid

afterwards, check cache.log , watch out for FATAL errors, if

  

I think it's something to do with the cache (/var/spool/squid).


Whatever caused it, the only remedy was to power off and reboot with a
rescue disk  comment out the line in /etc/rc.d/rc.local.
  

Interestingly, if I try the command /usr/sbin/squid on its own with no 
switches, the system starts OK but I get the same old error (WARNING: Cannot 
run '/usr/bin/squidGuard' process.) and squidGuard is not running.

So what on earth is going on?



 We need to re-iterate ;

 On the command line :

   # squid -NCd 1

check whether this works, again.

Then just put startup command in rc.local the way I explained.
Check cache.log

M.

  

Hi Mark, Hi List,

Sorry, I explained myself badly. I did put /usr/sbin/squid -NC in
rc.local at first which caused the crash. The next thing I did (after
restoring the system) was to read the -h comments (slap myself) and put
just the command /usr/sbin/squid in rc.local. As I point out above
(badly worded):

Interestingly, if I try the command /usr/sbin/squid on its own with no 
switches, the system starts OK but I get the same old error (WARNING: 
Cannot run '/usr/bin/squidGuard' process.) and squidGuard is not running.

without the -NC switches the command /usr/sbin/squid in rc.local
starts OK but does not start squidGuard - and gives exactly the same
errors in cache.log as I've been getting all along when starting squid
with /sbin/service squid start.

The only thing that gives me hope is the fact that /usr/sbin/squid -NCd
1 from the command line does in fact work (and I've just tried it again
to be sure!).

So. To be clear:
/usr/sbin/squid -NCd 1 from the command line works just fine;
/usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same
error as
/sbin/service squid start from the command line.

Apologies for the confusion.

What next?

Thanks again (I *really* appreciate your help)

Mark







Re: [squid-users] Squid with SquidGuard

2006-01-24 Thread Mark Elsen



 So. To be clear:
 /usr/sbin/squid -NCd 1 from the command line works just fine;
 /usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same
 error as
 /sbin/service squid start from the command line.

 Apologies for the confusion.

 What next?


In both cases, the working and the not working case,
can you check :

   squidGuard.log

anything weird in there ?

M.


Re: [squid-users] Squid with SquidGuard

2006-01-24 Thread Mark Sansome
Mark Elsen wrote:




So. To be clear:
/usr/sbin/squid -NCd 1 from the command line works just fine;
/usr/sbin/squid in /etc/rc.d/rc.local does not; and produces the same
error as
/sbin/service squid start from the command line.

Apologies for the confusion.

What next?




In both cases, the working and the not working case,
can you check :

   squidGuard.log

anything weird in there ?

M.

  

Nope.
In the working case everything seems just fine:
2006-01-24 21:32:37 [11225] squidGuard 1.2.0 started (1138138357.409)
2006-01-24 21:32:37 [11225] squidGuard ready for requests (1138138357.481)
2006-01-24 21:32:37 [11223] squidGuard 1.2.0 started (1138138357.433)
2006-01-24 21:32:37 [11223] squidGuard ready for requests (1138138357.482)
2006-01-24 21:32:37 [11224] squidGuard 1.2.0 started (1138138357.435)
2006-01-24 21:32:37 [11224] squidGuard ready for requests (1138138357.483)
2006-01-24 21:32:37 [11221] squidGuard 1.2.0 started (1138138357.506)
2006-01-24 21:32:37 [11221] squidGuard ready for requests (1138138357.508)
2006-01-24 21:32:37 [11222] squidGuard 1.2.0 started (1138138357.519)
2006-01-24 21:32:37 [11222] squidGuard ready for requests (1138138357.521)
2006-01-24 22:11:05 [11221] squidGuard stopped (1138140665.526)
2006-01-24 22:11:05 [11222] squidGuard stopped (1138140665.528)
2006-01-24 22:11:05 [11223] squidGuard stopped (1138140665.530)
2006-01-24 22:11:05 [11224] squidGuard stopped (1138140665.531)
2006-01-24 22:11:05 [11225] squidGuard stopped (1138140665.533)
(I started with /usr/sbin/squid -NCd 1 did some tests and closed with
CTRL-C)

In the non-working case - cold boot with /usr/sbin/squid in rc.local -
you can see the results too (i.e. *nothing at all* written to
squidGuard.log).



Hurumph...

Thanks again

Mark





Re: [squid-users] Squid with SquidGuard

2006-01-24 Thread Mark Elsen

 Nope.
 In the working case everything seems just fine:
 2006-01-24 21:32:37 [11225] squidGuard 1.2.0 started (1138138357.409)
 2006-01-24 21:32:37 [11225] squidGuard ready for requests (1138138357.481)
 2006-01-24 21:32:37 [11223] squidGuard 1.2.0 started (1138138357.433)
 2006-01-24 21:32:37 [11223] squidGuard ready for requests (1138138357.482)
 2006-01-24 21:32:37 [11224] squidGuard 1.2.0 started (1138138357.435)
 2006-01-24 21:32:37 [11224] squidGuard ready for requests (1138138357.483)
 2006-01-24 21:32:37 [11221] squidGuard 1.2.0 started (1138138357.506)
 2006-01-24 21:32:37 [11221] squidGuard ready for requests (1138138357.508)
 2006-01-24 21:32:37 [11222] squidGuard 1.2.0 started (1138138357.519)
 2006-01-24 21:32:37 [11222] squidGuard ready for requests (1138138357.521)
 2006-01-24 22:11:05 [11221] squidGuard stopped (1138140665.526)
 2006-01-24 22:11:05 [11222] squidGuard stopped (1138140665.528)
 2006-01-24 22:11:05 [11223] squidGuard stopped (1138140665.530)
 2006-01-24 22:11:05 [11224] squidGuard stopped (1138140665.531)
 2006-01-24 22:11:05 [11225] squidGuard stopped (1138140665.533)
 (I started with /usr/sbin/squid -NCd 1 did some tests and closed with
 CTRL-C)

 In the non-working case - cold boot with /usr/sbin/squid in rc.local -
 you can see the results too (i.e. *nothing at all* written to
 squidGuard.log).


 -   In the command-line case, was  SQUID started from the root account ?

 - What's in cache.log (full log), for the failing case ?

 M.


Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Sansome
Hello Chaps,

I'm still struggling (and still failing) to get squidGuard to work with
squid. For those of you who have not been following each gripping
instalment of this thread here is a quick recap...

I can run squid very happily on my FC4 machine. I have tried installing
squidGuard by RPM, by Yum and finally from source. I have (I think)
changed all the file ownerships and permissions that I should have done
and yet I have always got (and still get) the same error when I include
squidGuard as a redirector in squid:

2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard'
processes
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12881 called
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.


The Permission denied message has led me down the file ownership /
permissions route; but I am able to run squidGuard from the command line
with the sudo command:
[EMAIL PROTECTED] bin]# sudo -u squid /usr/local/squidguard/bin/squidGuard -d
2006-01-22 18:30:36 [14702] squidGuard 1.2.0 started (1137954636.066)
2006-01-22 18:30:36 [14702] squidGuard ready for requests (1137954636.096)


Now, after some Googling, I see that this problem (or at least similar
problems) can be caused by a firewall on the loopback interface. Do you
think this is the cause of my problem? (I posted my Iptables output in
an earlier post).

However, as a test, I temporarily disabled the firewall and
unfortunately still got the same problem. That is the firewall on this
FC4 machine... I am connected to the Internet via a wireless connection
which has its own firewall - but surely that should not affect this (or
should it?)

What should my next step be?

Dying of frustration here.

Many thanks for your patience...

Mark





Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Elsen


 Now, after some Googling, I see that this problem (or at least similar
 problems) can be caused by a firewall on the loopback interface. Do you
 think this is the cause of my problem? (I posted my Iptables output in
 an earlier post).

 However, as a test, I temporarily disabled the firewall and
 unfortunately still got the same problem.

That may not be enough in a context where the Firewalling software was
started and then stopped. Residual rules and or states may still affect the
loopback interface.

Can you, for instance, 'ping localhost' with success ?

 That is the firewall on this
 FC4 machine... I am connected to the Internet via a wireless connection
 which has its own firewall - but surely that should not affect this (or
 should it?)

 What should my next step be?


  Set the firewalling functions off , wherever this needs to be done,
  and *restart* the system.
  Check whether you can ping the localhost (itself).

  M.

 Dying of frustration here.

 Many thanks for your patience...

 Mark






Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Sansome
Mark Elsen wrote:

That may not be enough in a context where the Firewalling software was
started and then stopped. Residual rules and or states may still affect the
loopback interface.

Can you, for instance, 'ping localhost' with success ?
  

Yup...
Even with the firewall up and running:
[EMAIL PROTECTED] bin]# ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=0 ttl=64
time=0.339 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64
time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64
time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64
time=0.261 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64
time=0.251 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=5 ttl=64
time=0.260 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=6 ttl=64
time=0.252 ms

--- localhost.localdomain ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 0.251/0.269/0.339/0.028 ms, pipe 2

  Set the firewalling functions off , wherever this needs to be done,
  and *restart* the system.
  Check whether you can ping the localhost (itself).

  

I haven't tried restarting yet - but given that ping localhost works
with the firewall(s) in place do you still think that this is my problem?

I still think that the Permission denied message is caused by file
ownership problems - but where?

Thanks
Mark





Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Elsen
 I haven't tried restarting yet - but given that ping localhost works
 with the firewall(s) in place do you still think that this is my problem?

  It could still be, so the restarting with all Firewalling off should
still be tried.


 I still think that the Permission denied message is caused by file
 ownership problems - but where?



 There shouldn't be if SquidGuard runs under the same user as squid
(defined in squid.conf).
 Btw, do you start SQUID as root ?
 Even if no privileged port is used for http-receiving,  I would still
start as root. I am
 not sure whether this inter process communication , which goes via
 the loopback interface , may need root privilege to create the socket.

 I am not sure about that.

 M.


Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Sansome
Mark Elsen wrote:

I haven't tried restarting yet - but given that ping localhost works
with the firewall(s) in place do you still think that this is my problem?



  It could still be, so the restarting with all Firewalling off should
still be tried.
  

Well I've just tried it with Iptables/Firestarter turned off + cold
restart - and still the same thing. I can't work out what to do with my
wireless router firewall (to be honest firewalls are a bit of a black
art as far as I am concerned) but all references to LAN are
192.168.123.xxx as far as I can see.

  

I still think that the Permission denied message is caused by file
ownership problems - but where?





 There shouldn't be if SquidGuard runs under the same user as squid
(defined in squid.conf).
 Btw, do you start SQUID as root ?
 Even if no privileged port is used for http-receiving,  I would still
start as root. I am
 not sure whether this inter process communication , which goes via
 the loopback interface , may need root privilege to create the socket.

 I am not sure about that.

 M.
  

Both cache_effective_user and cache_effective_group in squid.conf are
set to squid. Every file I can think of that is even remotely
connected with squidGuard is set to chown squid.squid.

Squid is started automatically in runlevel 5. If I start it myself I use
the command:
/sbin/service squid start (or stop, or restart)
as root.

Any ideas?





Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Elsen
...

 Squid is started automatically in runlevel 5. If I start it myself I use
 the command:
 /sbin/service squid start (or stop, or restart)
 as root.


  Try to start  it more natively, what does :

   root #   path_to_squid/squid -NCd 1

  gives ?

  (You are lucky , the snooker is on a break :-)

  M.


Re: [squid-users] Squid with SquidGuard

2006-01-22 Thread Mark Sansome
Mark Elsen wrote:

...

Squid is started automatically in runlevel 5. If I start it myself I use
the command:
/sbin/service squid start (or stop, or restart)
as root.




  Try to start  it more natively, what does :

   root #   path_to_squid/squid -NCd 1

  gives ?
  


Well Now! - *That's Interesting!*

It Works!

[EMAIL PROTECTED] mark]# /sbin/service squid stop
Stopping squid: .  [  OK  ]

[EMAIL PROTECTED] mark]# /usr/sbin/squid -NCd 1
2006/01/22 23:18:30| Starting Squid Cache version 2.5.STABLE11 for
i386-redhat-linux-gnu...
2006/01/22 23:18:30| Process ID 3644
2006/01/22 23:18:30| With 1024 file descriptors available
2006/01/22 23:18:30| Performing DNS Tests...
2006/01/22 23:18:30| Successful DNS name lookup tests...
2006/01/22 23:18:30| DNS Socket created at 0.0.0.0, port 32772, FD 4
2006/01/22 23:18:30| Adding nameserver 192.168.123.254 from /etc/resolv.conf
2006/01/22 23:18:30| helperOpenServers: Starting 5 'squidGuard' processes
...etc

So what exactly does that tell us?
How can I get it so that it works when started automatically?

  (You are lucky , the snooker is on a break :-)

  M.

  

Sorry to take a while to get back to you - I was watching Foyle's War :-)

Thanks so much! Now I think I'm making progress...

Thanks again

Mark





RE: [squid-users] Squid with SquidGuard

2006-01-17 Thread Ben Tanner
 If I run squidGuard on its own as root it seems to work. Is there any
 way I can try to run it as user squid from the command line 
 to see if
 I get any more information? Trying su squid obviously 
 didn't work (but
 I had to try it anyway).

Are you familiar with the sudo command?

Whilst root you should be able to do something like:

% sudo -u squid squidguard

And that will execute the command as squid.

Hope that helps,

Ben


Re: [squid-users] Squid with SquidGuard

2006-01-16 Thread Mark Sansome
Quoting from my own message...
Mark Sansome wrote:

2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12881 called
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.

I guess the important line here is connect FD 7: (13) Permission denied

My question is how do I find out *exactly* what is being denied? I have
followed every guide I can find, read every HowTo, scanned every FAQ and
followed all the instructions on file ownership and permissions. Almost
everything to do with squidGuard has file ownerships of squid.squid and
still I get this error

If I run squidGuard on its own as root it seems to work. Is there any
way I can try to run it as user squid from the command line to see if
I get any more information? Trying su squid obviously didn't work (but
I had to try it anyway).

Is there anything else I can try?

Hoping you can help

Thanks

Mark
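
An added example, not part of the thread: one way to see which operation cache.log reports as denied is to pull the failing call and its errno out of the helper start-up lines. The function names are assumptions, the sample is built from the log lines quoted above, and the parser also accepts the newer `Starting 0/5` form that appears earlier on this page.

```python
import errno
import os
import re

# Constructed sample: cache.log lines quoted in this thread (Squid 2.5 with
# debug output), with the archive's line wrapping undone.
SAMPLE_CACHE_LOG = """\
2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges forever
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
"""

LINE_RE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?: kid\d+)?\|\s?(.*)$")
START_RE = re.compile(r"helperOpenServers: Starting (\d+)(?:/(\d+))? '([^']+)' processes")
SOCK_RE = re.compile(r"ipcCreate: FD (\d+) sockaddr (\S+)")
FAILED_CALL_RE = re.compile(r"^(\w+) FD (\d+): \((\d+)\) (.+)$")
CANNOT_RUN_RE = re.compile(r"WARNING: Cannot run '([^']+)' process")


def _new_entry(starting=None, configured=None):
    return {"starting": starting, "configured": configured,
            "cannot_run": 0, "failed_calls": []}


def triage(lines):
    """Group helper start-up failures found in cache.log by helper name."""
    helpers = {}
    current = None   # helper named by the latest helperOpenServers line
    sockaddr = {}    # FD number -> address logged by ipcCreate
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # wrapped continuation or foreign line
        msg = m.group(1)

        start = START_RE.search(msg)
        if start:
            current = start.group(3)
            n = int(start.group(1))
            helpers[current] = _new_entry(n, int(start.group(2) or n))
            sockaddr = {}
            continue

        sock = SOCK_RE.search(msg)
        if sock:
            sockaddr[int(sock.group(1))] = sock.group(2)
            continue

        failed = FAILED_CALL_RE.match(msg)
        if failed and current:
            fd, num = int(failed.group(2)), int(failed.group(3))
            helpers[current]["failed_calls"].append({
                "call": failed.group(1), "fd": fd, "errno": num,
                "errno_name": errno.errorcode.get(num, "?"),
                "text": failed.group(4), "sockaddr": sockaddr.get(fd)})
            continue

        cannot = CANNOT_RUN_RE.search(msg)
        if cannot:
            name = os.path.basename(cannot.group(1))
            helpers.setdefault(name, _new_entry())["cannot_run"] += 1
    return helpers


def verdict(entry):
    """One-line reading of a triage() entry; states only what the log shows."""
    if entry["starting"] == 0:
        return "no helper processes were requested, so none were started"
    for fc in entry["failed_calls"]:
        if fc["errno_name"] == "EACCES":
            where = fc["sockaddr"] or "FD %d" % fc["fd"]
            return ("%s() on the helper IPC socket (%s) was refused with EACCES; "
                    "the log names a socket call, not a file operation"
                    % (fc["call"], where))
    if entry["cannot_run"]:
        return "helper failed to start but no failing call was logged; raise the debug level"
    return "helper started without logged errors"


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_CACHE_LOG.splitlines()).items():
        print(name, "->", verdict(entry))
```
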





Re: [squid-users] Squid with SquidGuard

2006-01-16 Thread Mark Sansome
Brian Phillips wrote:

'su - squid'

It COMPLETELY sets you as the squid user.

Are you starting squid as root?  Or are you using the init scripts?  Or are
you just running it on the command line as squid/proxy?


  

If I try as a non-privileged user:
[EMAIL PROTECTED] ~]$ su - squid
Password:
su: incorrect password
(Don't know what the squid password is - should I? Can I find out?)

If I try as root:
[EMAIL PROTECTED] mark]# su - squid /usr/local/squidguard/bin/squidGuard
-c /etc/squidguard.conf
This account is currently not available.
[EMAIL PROTECTED] mark]#
[EMAIL PROTECTED] mark]# su - squid
This account is currently not available.
[EMAIL PROTECTED] mark]#

Hmmm... *Should* that work?

I start squid either by rebooting or with the command /sbin/service
squid restart [or start or stop] (as root).
Whichever way, it will start quite happily but will still list the same
error in cache.log and the proxy will not work. Taking the
redirect_program /usr/local/squidguard/bin/squidGuard -c
/etc/squidguard.conf line out of squid.conf and restarting will allow
squid to work properly.

I can start squidGuard from the command line (as root) with the command:
[EMAIL PROTECTED] mark]#  /usr/local/squidguard/bin/squidGuard -d

which gives the response:
2006-01-16 21:31:01 [16626] squidGuard 1.2.0 started (1137447061.766)
2006-01-16 21:31:01 [16626] squidGuard ready for requests (1137447061.806)

(although I have to CTRL-c to get back to the command line - is that
normal?)

So - if my reasoning is correct, I can start squidGuard as root, but
when squid tries to launch it, it fails because it does not have the
right permissions somewhere or other. As you can see above I don't seem
to be able to pretend to be squid myself so that I can start it from the
command line and see what information I get...

Any ideas?

Thanks again

Mark





RE: [squid-users] Squid with SquidGuard

2006-01-16 Thread Brian Phillips
 [EMAIL PROTECTED] mark]# su - squid
 This account is currently not available.
 [EMAIL PROTECTED] mark]#
 Hmmm... *Should* that work?

Kind of.  It shouldn't work because the system has not given a shell to the
user 'squid' (protecting the system against possible security risks.)  It
should work because squid will be used later to run squidGuard.

I start squid in a similar fashion and this is what 'ps -ef' shows us:

root      1996     1  0 14:14 ?        00:00:00 /usr/sbin/squid -D -sYC
proxy     1998  1996  0 14:14 ?        00:00:00 (squid) -D -sYC
proxy     2008  1998  0 14:14 ?        00:00:00 (squidGuard) -c /etc/squid/squid
proxy     2009  1998  0 14:14 ?        00:00:00 (squidGuard) -c /etc/squid/squid
proxy     2010  1998  0 14:14 ?        00:00:00 (squidGuard) -c /etc/squid/squid

You can see that squid runs as root, but then the parent process is run as
proxy (the same user as squid on your machine).  This same proxy user
runs squidGuard.  (side note: I can 'su - proxy' and get a prompt on my
machine. )  

That could be why your machine is not allowing squidGuard to start.  A way
for you to find out would be to give a shell to squid and then try and log
in again as squid.  If you get a prompt such as [EMAIL PROTECTED] ~]$ then
you know squid has a shell, and you should go back to root user and run
your 'service squid start' and see if that removes the error from cache.log.
If not, restore your /etc/passwd file to what it was before this test and
we'll keep looking for why squidGuard starts with errors.

brian  



RE: [squid-users] Squid with SquidGuard

2006-01-12 Thread Brian Phillips
Do:

# ls -l /usr/bin/squidGuard

And tell us what the permissions are (paste em here.)





2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run '/usr/bin/squidGuard' process.

No matter what I do I cannot seem to get SquidGuard to start from within
Squid.

What am I doing wrong?

Can I get any more detailed output as to *exactly* why Squid can't run
squidGuard?

Any ideas?

Thanks in advance

Mark




RE: [squid-users] Squid with SquidGuard

2006-01-12 Thread Brian E. Conklin
 -Original Message-
 From: Mark Sansome [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 12, 2006 2:21 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Squid with SquidGuard
 
 
 Hello chaps,
 
 I know that this is a Squid mailing list and not the 
 SquidGuard list - but I have exhausted the help of the good 
 folks on the SquidGuard list...
 
 I actually have Squid up and running and am very happy with it :)
 however, I *do* want to use squidGuard with it too.
 
 Squid runs on a FC4 machine dealing with the proxy requests 
 of my small home network. 
 
 I have tried installing squidGuard from RPM, Yum, and by 
 installing from source. All fail to work with squid.
 
 I have tried squidGuard with the simplest of SquidGuard.conf files :
 
 logdir /var/log/squidguard
 acl {
 default {
 pass all
 }
 }
 
 and the command:
 # /usr/bin/squidGuard -d
 2006-01-07 23:54:38 [28284] squidGuard 1.2.0 started (1136678078.397)
 2006-01-07 23:54:38 [28284] squidGuard ready for requests 
 (1136678078.400)
 
 seems to show that squidGuard is happy...
 
 However, as soon as I put the line:
 redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 into squid.conf everything goes wrong.
 
 In /var/log/squid/cache.log I find the following:
 2006/01/07 23:51:03| helperOpenServers: Starting 5 
 'squidGuard' processes
 2006/01/07 23:51:03| WARNING: Cannot run 
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run 
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run 
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run 
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run 
 '/usr/bin/squidGuard' process.
 
 No matter what I do I cannot seem to get SquidGuard to start 
 from within
 Squid.
 
 What am I doing wrong?
 
 Can I get any more detailed output as to *exactly* why Squid 
 can't run squidGuard?
 
 Any ideas?

I found much more help (including a better howto and trouble shooting
section) at http://www.maynidea.com/squidguard/

Brian E. Conklin, MCP+I, MCSE
Director of Information Services
voice: 360-427-3423
fax: 360-427-9599

 
 Thanks in advance
 
 Mark
 
 
=
Mason General Hospital
901 Mt. View Drive
PO Box 1668
Shelton, WA 98584
http://www.masongeneral.com
(360) 426-1611
=



Re: [squid-users] Squid with SquidGuard

2006-01-12 Thread Mark Sansome
Brian E. Conklin wrote:

-Original Message-
From: Mark Sansome [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 12, 2006 2:21 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid with SquidGuard


Hello chaps,

I know that this is a Squid mailing list and not the 
SquidGuard list - but I have exhausted the help of the good 
folks on the SquidGuard list...

I actually have Squid up and running and am very happy with it :)
however, I *do* want to use squidGuard with it too.

Squid runs on a FC4 machine dealing with the proxy requests 
of my small home network. 

I have tried installing squidGuard from RPM, Yum, and by 
installing from source. All fail to work with squid.

I have tried squidGuard with the simplest of SquidGuard.conf files :

logdir /var/log/squidguard
acl {
default {
pass all
}
}

and the command:
# /usr/bin/squidGuard -d
2006-01-07 23:54:38 [28284] squidGuard 1.2.0 started (1136678078.397)
2006-01-07 23:54:38 [28284] squidGuard ready for requests 
(1136678078.400)

seems to show that squidGuard is happy...

However, as soon as I put the line:
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
into squid.conf everything goes wrong.

In /var/log/squid/cache.log I find the following:
2006/01/07 23:51:03| helperOpenServers: Starting 5 
'squidGuard' processes
2006/01/07 23:51:03| WARNING: Cannot run 
'/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run 
'/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run 
'/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run 
'/usr/bin/squidGuard' process.
2006/01/07 23:51:03| WARNING: Cannot run 
'/usr/bin/squidGuard' process.

No matter what I do I cannot seem to get SquidGuard to start 
from within
Squid.

What am I doing wrong?

Can I get any more detailed output as to *exactly* why Squid 
can't run squidGuard?

Any ideas?



I found much more help (including a better howto and trouble shooting
section) at http://www.maynidea.com/squidguard/

Brian E. Conklin, MCP+I, MCSE
Director of Information Services
voice: 360-427-3423
fax: 360-427-9599

  

Thanks in advance

Mark




=

Brian C.

Thanks Brian,

That was one of the many resources I used. I too found it useful and
when I tried installing from source (last resort) I followed his
step-by-step guide *exactly* - Still didn't work...

Brian P.

Thanks Brian,

Brian Phillips wrote:

Do:

# ls -l /usr/bin/squidGuard

And tell us what the permissions are (paste em here.)


Since I wrote my message (it's an edited form of the one I sent to the
squidGuard mailing list) I have uninstalled that (RPM) version of
squidGuard and installed from source. The current version is therefore
in /usr/local/squidguard/bin/

It gives me:
[EMAIL PROTECTED] mark]# ls -la /usr/local/squidguard/bin/squidGuard
-rwxr-xr-x  1 squid squid 731596 Jan 11 14:18
/usr/local/squidguard/bin/squidGuard

I have tried changing ownerships and permissions of every file I can
think of and followed every guide I can find...

Any help gratefully received...

Thanks again.

Mark






RE: [squid-users] Squid with SquidGuard

2006-01-12 Thread Laurikainen, Tuukka
Hi Brian,

Suppose you have tried this already, but does squidguard generate its
own log files (the logdir directive in squidGuard.conf)? If not, try to 

#touch /path/to/logdir/squidGuard.log

, make sure the logfile has correct permissions (could be 644
squid:squid in your case) and see if it helps.

Regards,

Tuukka

 -Original Message-
 From: Mark Sansome [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 12, 2006 11:51 PM
 To: Brian E. Conklin
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid with SquidGuard
 
 Brian E. Conklin wrote:
 
 -Original Message-
 From: Mark Sansome [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 12, 2006 2:21 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Squid with SquidGuard
 
 
 Hello chaps,
 
 I know that this is a Squid mailing list and not the
 SquidGuard list - but I have exhausted the help of the good
 folks on the SquidGuard list...
 
 I actually have Squid up and running and am very happy with it :)
 however, I *do* want to use squidGuard with it too.
 
 Squid runs on a FC4 machine dealing with the proxy requests
 of my small home network.
 
 I have tried installing squidGuard from RPM, Yum, and by
 installing from source. All fail to work with squid.
 
 I have tried squidGuard with the simplest of SquidGuard.conf files :
 
 logdir /var/log/squidguard
 acl {
 default {
 pass all
 }
 }
 
 and the command:
 # /usr/bin/squidGuard -d
 2006-01-07 23:54:38 [28284] squidGuard 1.2.0 started
(1136678078.397)
 2006-01-07 23:54:38 [28284] squidGuard ready for requests
 (1136678078.400)
 
 seems to show that squidGuard is happy...
 
 However, as soon as I put the line:
 redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 into squid.conf everything goes wrong.
 
 In /var/log/squid/cache.log I find the following:
 2006/01/07 23:51:03| helperOpenServers: Starting 5
 'squidGuard' processes
 2006/01/07 23:51:03| WARNING: Cannot run
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run
 '/usr/bin/squidGuard' process.
 2006/01/07 23:51:03| WARNING: Cannot run
 '/usr/bin/squidGuard' process.
 
 No matter what I do I cannot seem to get SquidGuard to start
 from within
 Squid.
 
 What am I doing wrong?
 
 Can I get any more detailed output as to *exactly* why Squid
 can't run squidGuard?
 
 Any ideas?
 
 
 
 I found much more help (including a better howto and trouble shooting
 section) at http://www.maynidea.com/squidguard/
 
 Brian E. Conklin, MCP+I, MCSE
 Director of Information Services
 voice: 360-427-3423
 fax: 360-427-9599
 
 
 
 Thanks in advance
 
 Mark
 
 
 
 
 =
 
 Brian C.
 
 Thanks Brian,
 
 That was one of the many resources I used. I too found it useful and
 when I tried installing from source (last resort) I followed his
 step-by-step guide *exactly* - Still didn't work...
 
 Brian P.
 
 Thanks Brian,
 
 Brian Phillips wrote:
 
 Do:
 
 # ls -l /usr/bin/squidGuard
 
 And tell us what the permissions are (paste em here.)
 
 
 Since I wrote my message (it's an edited form of the one I sent to the
 squidGuard mailing list) I have uninstalled that (RPM) version of
 squidGuard and installed from source. The current version is therefore
 in /usr/local/squidguard/bin/
 
 It gives me:
 [EMAIL PROTECTED] mark]# ls -la /usr/local/squidguard/bin/squidGuard
 -rwxr-xr-x  1 squid squid 731596 Jan 11 14:18
 /usr/local/squidguard/bin/squidGuard
 
 I have tried changing ownerships and permissions of every file I can
 think of and followed every guide I can find...
 
 Any help gratefully received...
 
 Thanks again.
 
 Mark
 



RE: [squid-users] Squid and Squidguard

2005-04-04 Thread Elsen Marc

 
 Hi,
 
 I'm using squidguard with squid to filtrate the websites our users are
 accessing. But I'm wondering one thing, does squid cache the error
 pages returned by squidguard?
 I explain : when a user tries to access a porn site, squidguard 
 returns a
 forbidden page but as this page is seen as if returned from the porn
 site, does squid cache this page?

  - Squid doesn't cache page(s), only (web) objects.
  - The squidguard redirector returns an url being returned for squid to
fetch as a substitute for the blocked site, if so configured.
This url is then fetched by squid, and its own freshness info, will
apply as to whether squid will cache it and related objects or not.

 If so, this would mean that the error page is cached many times as
 different sites...
 

  Can't understand that argument. But remember also, squid does not
know about 'pages'
  
  M.


RE: [squid-users] Squid and Squidguard

2005-04-04 Thread SXB6300 Mailing
Thx for the info.
What I was trying to explain, was :
For example if we take xxxsite1.com and xxxsite2.com, when a user tries to access 
these 2 sites, squidguard will return an error.php with a specific msg and for 
example a gif file. What I was wondering, was : will this gif be stored two 
times in the cache? (as an object of xxxsite1 and as one of xxxsite2)

Btw, I received the new hardware and configured it using the hints you gave me 
(reiserfs, aufs, ...) and with is a part of the tweaking. But the improvements
in the perf are significant (this morning we reached 92req/s with only 50% cpu 
utilisation on one cpu).
Thx!!!

Pierre-E

-Original Message-
From: Elsen Marc [mailto:[EMAIL PROTECTED] 
Sent: Monday, 4 April 2005 15:16
To: SXB6300 Mailing; squid-users@squid-cache.org
Subject: RE: [squid-users] Squid and Squidguard


 
 Hi,
 
 I'm using squidguard with squid to filtrate the websites our users are
 accessing. But I'm wondering one thing, does squid cache the error
 pages returned by squidguard?
 I explain : when a user tries to access a porn site, squidguard 
 returns a
 forbidden page but as this page is seen as if returned from the porn
 site, does squid cache this page?

  - Squid doesn't cache page(s), only (web) objects.
  - The squidguard redirector returns an url being returned for squid to
fetch as a substitute for the blocked site, if so configured.
This url is then fetched by squid, and its own freshness info, will
apply as to whether squid will cache it and related objects or not.

 If so, this would mean that the error page is cached many times as
 different sites...
 

  Can't understand that argument. But remember also, squid does not
know about 'pages'
  
  M.




RE: [squid-users] Squid and Squidguard

2005-04-04 Thread Elsen Marc

 
 
> Thx for the info.
> What I was trying to explain, was :
> For example if we take xxxsite1.com and xxxsite2.com, when a
> user tries to access these 2 sites, squidguard will return an
> error.php with a specific msg and for example a gif file.
> What I was wondering, was : will this gif be stored two times
> in the cache? (as an object of xxxsite1 and as one of xxxsite2)

 The squidguard redirector, 'only' returns a different
 url for a blocked site. Which is then fetched by squid, due
 to the nature of its redirector interface and how it works.

 All of this 'next step' is completely independent of
 'xxxsite1.com' and 'xxxsite2.com'.
 So the question is kind of irrelevant.

 M.
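
The redirector step described in the reply above, as an added example (not squidGuard's code and not from the thread): a helper that answers each request line with a replacement URL. The blocked domains and the block URL are constructed values, and the input is assumed to be the classic one-line `URL client_ip/fqdn ident method` helper format.

```python
"""Minimal Squid redirector helper (added example, not squidGuard)."""
import sys
from urllib.parse import urlsplit

# Constructed values for illustration only.
BLOCKED_DOMAINS = {"xxxsite1.com", "xxxsite2.com"}
BLOCK_URL = "http://filter.example.internal/error.php"


def is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def rewrite(line):
    """Answer one request line: 'URL client_ip/fqdn ident method'.

    Returns the replacement URL, or an empty string for 'no change'.
    A first field that is not an absolute URL (for example a CONNECT
    host:port) yields no hostname here and is left unchanged.
    """
    fields = line.split()
    if not fields:
        return ""
    host = urlsplit(fields[0]).hostname or ""
    return BLOCK_URL if is_blocked(host) else ""


def main():
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()  # reply immediately; buffered output stalls Squid


if __name__ == "__main__":
    main()
```

Requests for either blocked site come back as the same replacement URL, so what Squid fetches next is identified by that URL and not by the site the user asked for.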


Re: [squid-users] squid or squidguard for acls

2004-07-19 Thread Henrik Nordstrom
On Thu, 15 Jul 2004, Luis Miguel wrote:

> Hi all, I see squid supporting all acls types that squidguard has

Nearly, but not all. Squid does not have a good equivalence of the urllist 
acl type in SquidGuard.

> is there any good reason to use squidguard for filtering purposes
> instead of squid acls?

If you can use the Squid ACLs these are generally more efficient. For
large installations the overhead of just calling SquidGuard is
significant, no matter how fast SquidGuard itself is.

In both, using large lists of regex expressions is a performance killer. 
All other kinds of ACLs perform well.

Regards
Henrik




RE: [squid-users] squid or squidguard for acls

2004-07-19 Thread Henrik Nordstrom
On Thu, 15 Jul 2004, Chris Perreault wrote:

> In normal proxy mode a redirector can redirect users to an error page
> whenever they attempt to reach a blacklisted site.

So can deny_info in squid.conf.

Regards
Henrik



RE: [squid-users] squid or squidguard for acls

2004-07-15 Thread Chris Perreault
Squidguard is a redirector, allowing things like the following, in
accelerator mode:

src theusers {
    ip 0.0.0.0 - 255.255.255.255
}
rew get_local {
[EMAIL PROTECTED]/[EMAIL PROTECTED]://10.87.0.2/[EMAIL PROTECTED]
[EMAIL PROTECTED]/[EMAIL PROTECTED]://10.87.0.3/[EMAIL PROTECTED] 
}
acl {
    theusers {
        rewrite get_local
        pass all
    }
}

www.website.com/lna traffic goes to one server, www.website.com/tws_inet
points to another webserver. The end user thinks it's one big webserver when
it's actually multiple back end servers.

In normal proxy mode a redirector can redirect users to an error page
whenever they attempt to reach a blacklisted site.

Chris Perreault



-Original Message-
From: Luis Miguel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 15, 2004 12:18 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] squid or squidguard for acls


Hi all, I see squid supporting all acls types that squidguard has, is
there any good reason to use squidguard for filtering purposes instead 
of squid acls?


Regards.


Re: [squid-users] Squid 3.0 + squidguard + sarg

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Harry Crowder wrote:

> When squidguard blocks a site it redirects squid to an error page.  The
> access.log for squid reports the page as a TCP_MISS/403.  Is there a setting
> in squid.conf, squidguard.conf, or sarg.conf that I can change the
> TCP_MISS/403 to TCP_DENIED for reporting purposes?

By using squid access controls instead.

Or you could filter TCP_MISS/403 with no hierarchy code and replace them 
with TCP_DENIED.

Regards
Henrik
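
The log filter suggested in the reply above, as an added example that is not part of the original message. It assumes Squid's native access.log layout (result code in the fourth field, hierarchy code in the ninth) and reads "no hierarchy code" as a hierarchy field of `NONE/...`; the sample lines are constructed.

```python
"""Relabel redirector blocks in a Squid native access.log (added example)."""
import sys

RESULT_FIELD = 3     # e.g. TCP_MISS/403
HIERARCHY_FIELD = 8  # e.g. DIRECT/203.0.113.7 or NONE/-


def relabel(line):
    """Change TCP_MISS/403 to TCP_DENIED/403 when the request was not
    forwarded anywhere (hierarchy code NONE); return other lines as-is."""
    fields = line.split()
    if len(fields) <= HIERARCHY_FIELD:
        return line  # truncated or non-native line: leave untouched
    if (fields[RESULT_FIELD] == "TCP_MISS/403"
            and fields[HIERARCHY_FIELD].startswith("NONE/")):
        # Time, elapsed and client fields cannot contain the result code,
        # so the first occurrence on the line is the result field itself.
        return line.replace("TCP_MISS/403", "TCP_DENIED/403", 1)
    return line


def relabel_stream(src, dst):
    """Copy src to dst, relabelling as it goes; return how many changed."""
    changed = 0
    for line in src:
        new = relabel(line)
        changed += new != line
        dst.write(new)
    return changed


# Constructed sample lines in native access.log format.
SAMPLE = [
    "1076104980.123     45 192.168.1.10 TCP_MISS/403 1523 GET "
    "http://blocked.example/ - NONE/- text/html\n",
    "1076104981.456    120 192.168.1.11 TCP_MISS/403 2011 GET "
    "http://origin.example/private - DIRECT/203.0.113.7 text/html\n",
    "1076104982.789    300 192.168.1.12 TCP_MISS/200 8042 GET "
    "http://origin.example/ - DIRECT/203.0.113.7 text/html\n",
]

if __name__ == "__main__":
    count = relabel_stream(sys.stdin, sys.stdout)
    print(f"relabelled {count} entries", file=sys.stderr)
```

Run it over a copy of access.log and give the rewritten file to the report generator. A 403 that came back from an origin server keeps its hierarchy code and is left alone.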



RE: [squid-users] Squid 3.0 + squidguard + sarg

2004-02-06 Thread Harry Crowder
thank you

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 5:03 PM
To: Harry Crowder
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Squid 3.0 + squidguard + sarg


On Fri, 6 Feb 2004, Harry Crowder wrote:

> When squidguard blocks a site it redirects squid to an error page.  The
> access.log for squid reports the page as a TCP_MISS/403.  Is there a setting
> in squid.conf, squidguard.conf, or sarg.conf that I can change the
> TCP_MISS/403 to TCP_DENIED for reporting purposes?

By using squid access controls instead.

Or you could filter TCP_MISS/403 with no hierarchy code and replace them
with TCP_DENIED.

Regards
Henrik