Hi, we are running a squid 3.4 in accel mode for one https site. We
frequently see something like
PUT https://domain.com/file.txt HTTP/1.1" 0 0
TCP_MISS_ABORTED:FIRSTUP_PARENT
I tried to find out what this should mean; does it tell me that the
parent did not respond in time or does this ref
We are running Squid 2.7 on a Windows Server 2003 machine. With a few
different HTTPS URLs we are getting an instantaneous "This page can't be
displayed" in Internet Explorer, doesn't matter what version of IE. In
Mozilla Firefox we get "the connection has timed out". Doesn't even think
about
Put another way: is CPU usage enough to make anyone prefer to run a
version with a few hundred known bugs and lack of several major HTTP
features?
We have enough of a cross-section of users that you will get a very
mixed response there.
nothing to add jc
, in better
words, destination network address translation. But this means you are
exposing the backend HTTPS server with its operating system's network
stack directly to the outside.
HTH, Jakob Curdes
> The socket on FD 15 disappeared. Look elsewhere in the log for "FD
15" and it will tell you what connection was setup on that FD and what
it was requesting/responding.
Hmm, there is not really anything useful besides the lines I posted.
The FD 15 appears in all requests but the error only s
the reply to the forwarded request? If so, what should
this message tell me?
Any ideas?
Best regards,
Jakob Curdes
On 26.06.2012 10:29, Vishal Agarwal wrote:
There are port 21 and 22.
You probably mean port 20? 22 is SSH.
JC
On 06.10.2011 12:12, Nicola Bucci wrote:
Thanks for the quick reply, OWA works fine for me... is RPC the problem.
Anyway, here is my squid.conf:
(...)
Is there something wrong I'm doing? Or does squid simply not handle RPC over HTTP
with exchange? My goal will be to use squid instead other comme
On 06.10.2011 11:58, Nicola Bucci wrote:
Hi all,
I'm trying to publish exchange web services on the web through squid 3.1 on
Debian. From my mac it works fine (mail and outlook for mac, OWA is working
fine too) but from windows machines outlook asks me every time for the
authentication creden
wait in these cases as most DNS errors get
corrected in 24 - 48 hours by the DNS owners.
HTH,
Jakob Curdes
tures/Authentication
on this page you will also find links to example. More cannot be said
without knowing what type of authentication you want.
HTH,
Jakob Curdes
ou go into production. HA is too complicated for
playing around and you can be left without internet access if you make
errors.
Best regards,
Jakob Curdes
distributed filesystem for this. This is a version 1 heartbeat
setup; we are currently experimenting with pacemaker and corosync but
are still struggling to put everything together on a CentOS 5.5 box.
HTH,
Jakob Curdes
s that they determine expiry itself.
See e.g.
http://developer.yahoo.com/performance/rules.html
HTH,
Jakob Curdes
On 19.11.2010 19:19, Michial Thompson wrote:
How would that actually help the situation? Wouldn't doing that still
have all the interaction with the server and its files still coming
across the weak/slowest link?
If you have identified the slow links of your customers as the problem,
it wou
imilar way that proxies do it). If you tell
browsers and proxies to throw every item away and re-fetch it after
viewing, adding a proxy would be pointless.
Hope this helps,
Jakob Curdes
current snapshot one?
(The proxy system in question is a customer production system - don't
want to install snapshots there)
If this is the case, I'll try some sort of workaround (such as avoiding
the proxy altogether...)
Or are you saying with 3.2 it works again?
Thanks and best regards,
Jakob Curdes
an HTTP header in return.
I would have expected that squid passes on the error status or displays
its own error page as it does for http errors!?
We have a pretty standard config so I won't post it here for now. Any
ideas? Or am I on the wrong track?
Regards, Jakob Curdes
I suppose that the origin server reacts strangely to the information
passed by squid. Remember that the fact that a proxy is in the path is
normally detectable for the origin server via the request headers.
Perhaps you can try to play with header_access, but be careful, you may
easily "repair" a
Am 17.08.2010 21:29, Derek Doucette wrote:
I was wondering if anyone has ever attempted to use squid to proxy ldaps
requests to a remote site.
I haven't, but I see no reason it should not work.
Remarks:
- you will need to add the standard ldaps port to safe_ports or use port 443
for your
- browse the internet
- check that you are using the proxy by looking at the "access_log" of squid.
Hope this helps,
Jakob Curdes
, so we cannot
really help you much.
Best regards,
Jakob Curdes
an ISP network with 500 users
I have a pentium 4 Dual Core + 4 GB ram + Sata 2 160 GB
Squid 3.1.xx + bridge + tproxy + Centos 5.4 64 Bits
How many hits/min are you expecting?
if under 200 hits/min then you are okay (as my experience has shown me)
From my experience you can d
Hi
I've implemented a NTLM-authentication against a w2k3-domain.
Everything seems to work, but I've a lot of "TCP_DENIED/407"-errors in
my squid-access-log. Is this normal or what could be wrong here? Why
do I have so many TCP_DENIED/407 although every page is accessible?
This is normal a
preventing "download
on right-click". Then persuade all the users of your website to use this
piece of software and "voila".
Squid does not enter into this picture
"HTH",
Jakob Curdes
interface on its own...
Anyway, this is not a squid issue.
Hope this helps,
Jakob Curdes
Even though I have forwarded requests to each machine's SSH port
What exactly does that mean?
Yes normally when you ssh a machine internally you don't need
rerouting or forwarding
I am not saying I have forwarded the internal requests, I forwarded
requests coming from the internet
for instan
But if I turn off Squid's machine and unplug it from the network, I
have absolutely no problem accessing these servers.
What happens if you just shutdown the squid service? Does the strange
behavior remain or vanish?
JC
SMAIL-GMAIL wrote:
Hi there,
Thanks for your reply
I don't know how much you read of my post but maybe I need to explain
a little bit more
Yes, I did read this post.
The problem is that squid is simply incapable of doing what you are
telling us - unless you configure it badly in a lot of w
TA configuration and documentation.
Another note: to me this mail sounds like you are mixing up your test
environment and your production system.
With complex pieces of software like webservers, PHP, proxies, MTAs and
so on, this is never a good idea.
HTH,
Jakob Curdes
I went through this thread:
http://www.mail-archive.com/squid-users@squid-cache.org/msg59892.html.
I also needed that IMAP to work via Squid. There was no conclusion on
that thread.
Sure there was a conclusion. A dozen people said "squid is an HTTP proxy,
not an IMAP proxy".
There are IMAP pro
Andrea Gallazzi wrote:
Thanks Jakob for your reply.
As usual I do not agree with digital certificate. :-)
Not sure what you mean here?
Squid as reverse proxy for exchange 2010 owa and activesync.
Exchange 2010 has a certificate released from my internal CA.
That is exactly the setup I was
connection unless a self-signed cert has
been accepted into the certificate store of the operating system e.g. by
going through an IE certificate dialogue.
HTH,
Jakob Curdes
Andrea Gallazzi wrote:
> Hi,
> I have many problems compiling squid 3.1.1 with the --enable-ssl switch.
> OpenSSL is installed already on Ubuntu Server, but ./configure
> returns many errors and make does not work
Remember that you need the devel stuff for compiling squid against
openssl. Chec
this helps,
Jakob Curdes
ps. I would suggest that you restrict posts to one list at a time and
that you do not CC your mails to "well known people".
We all will try to help but not every case needs to be answered or read
by Amos, Henrik et cetera.
etc. Only if you cannot find
a solution or explanation after following such a strategy you should
describe your problem to a relevant (probably not this one) mailing list.
Regards,
Jakob Curdes
a...@gmail wrote:
Hi Again,
I do appreciate that, but some people are very restricted time-wise.
The way it looks I could easily spend a whole year tweaking it before
I could get everything working or maybe more :-)
Most people on the mailing list here are very restricted time-wise. This
is why
ware! This setup has other disadvantages. Before deploying such a
setup - in fact, before deploying any proxy setup in a production
environment - you should thoroughly test this with an environment where
failures are not critical.
Regards,
Jakob Curdes
requests from a particular machine depending on
the "browser" used.
Conclusion: 99% not a squid issue. You might ask on the ubuntu mailing
lists for help if Google does not give you enough explanation how to use
apt-get with a proxy.
HTH,
Jakob Curdes
access and then you have a hard time
from users.
HTH,
Jakob Curdes
Other way around I would have thought. The client usually makes
connection to server.
One of the reasons CONNECT is so dangerous is that the receiving
server does not need to know HTTP to communicate once the client has
setup the tunnel.
Oh, right, I did not read the OP's message correctly
If I understand you correctly, the IMAP server should wrap IMAP
responses with HTTP responses, and accept IMAP requests wrapped with
HTTP requests?
Right, but I am not aware of an IMAP server capable of doing this.
JC
in this way
as your target mailserver will not understand the protocol being delivered.
HTH,
Jakob Curdes
- sharepoint seems to rely on http 1.1
- sharepoint uses absolute URLs which would have to be rewritten (but newer
versions seem to have options to remedy that)
http://technet.microsoft.com/en-us/library/cc287848.aspx
seems to have some recipes, not specific to Squid but I expect them to
Best regards,
Jakob Curdes
J. Webster wrote:
It would seem strange for the IP address of the source server to change
every day as DNS addresses take a while to update and the source server company
wouldn't want their site down for more than a few seconds.
This depends on the validity of the DNS entries. Not sure if n
directly in squid.conf. You might want to
configure your provider's nameservers if you only need external name
resolution.
Hope this helps,
Jakob Curdes
Avinash Rao wrote:
Thanks for the quick response.
Could you elaborate on Firewall/NAT configurations? Is this something
to do with IPTABLES, routing it directly to the Internet Modem?
Thanks
Avinash
If you are using linux, then the answer is yes to both questions.
You need to setup rules in y
tlook (Exchange
can be configured to do so, additional config on squid required, though).
HTH,
Jakob Curdes
such proxies exist!).
Most current FTP clients can operate via an HTTP proxy in the download
direction; uploads are a different issue. This should be ok for the
occasional driver download; if you use FTP seriously you should look for
a dedicated FTP proxy program.
HTH,
Jakob Curdes
Close. Squid contains an internal DNS client that knows all about how to
query and _read_ DNS protocol and does cache it according to DNS standards.
But does not relay any of its info to external programs.
Sure. But I think the question was specifically whether squid can proxy
DNS requests w
Hi,
I am in the market for a reverse proxy that does intelligent load
balancing for DNS. I've used Squid for proxy before but have not been
able to find any info on using it for DNS reverse proxy (or UDP, more
generally) -- I've searched the website and list archives but wasn't
able to find anyt
tip: always make an initial copy of the original config file, in this
way you can always verify (with diff or whatever) the changes you made.
jc
I hate to say it, but I am more confused!! All I did was add a new acl then tried to restart squid. It was then I got this error, I removed it and then re-saved so am unsure as to what else has changed. Are there any more pointers you can give me as to what I need to add to the .conf file?
j
gn0m3 wrote:
Hi guys,
I added a new acl into the squid.conf file and now the service will not
start. I have taken out what I put in and re-saved then rebooted the server.
Still no joy. The error tells me it is in line 54 which is as follows
http_access allow manager localhost
When I launch s
Bear wrote:
"are you joking? This is a public mailing list. Whatever you send
here, is
public by definition."
It's just my sig, I didn't even think about it.
I often wonder who on earth has the idea that putting such a signature
on every single email leaving a company has any legal meaning.
Henrik Nordstrom wrote:
Tue 2009-08-11 at 14:17 +0200, Jakob Curdes wrote:
- use a (commercial) product that intercepts https
Or Squid-3.1 which does the same (with some limitations).
Ouch, I again missed important developments. Is there a configuration
example somewhere
n and needed addresses
(which makes a lot of sense as via a https connection anything could be
transported in both directions and you can't see it)
- use a (commercial) product that intercepts https
Regards,
Jakob Curdes
am looking to access it from my work PC, how can I set it to allow only my
work PC?
If your work PC is "outside", then this is a firewalling question, not a
squid question, unless your work PC has a fixed public IP - and even
then it should also be a firewalling question. I was referring to acce
http_access allow all
Depending on your network layout this may be a security hole. You should
probably restrict access to what you really need if it is a production
environment.
Regards,
JC
Ahmed Akkad wrote:
OK, now I have something running, but still I have a problem, please take a look
at the following configuration:
http_port 8000 accel defaultsite=localhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=srvTomcat
cache_peer_domain srvTomcat subA.domain.com
cache_p
verse proxy with a public announced port
whereas for an internal proxy can listen on an arbitrary port since the
network is under your control!
Hope this helps,
Jakob Curdes
so not to add more to my email, I'm seeking advice about the proper
way to learn about squid from A to Z if possible...
Use it. squid is not that hard to setup if you do not have requirements
like authentication or reverse-proxying. Your case sounds quite simple;
so what does not work? BTW:
u can do a
/path_to_squid/squid -v
Chances are that the path is /usr/sbin, but I am not sure as I always
use self-compiled squids.
HTH,
Jakob Curdes
s what the proxy
setup is. squid translates requests that reach it; it has no means of
preventing internet access by other ways, e.g. directly. Since you say
you can ping the destination I assume that your firewall is not
preventing access to the sites in question.
Hope this helps,
Jakob Curdes
"Exiting due to repeated failures..."
There should be more in the logs. Can you post the last 20-30 lines or so?
Often this happens when the IP and port combination that you want to use
is already occupied, but we need the logs to see more.
jc
Leonardo Rodrigues Magalhães wrote:
squid has all the caching mechanisms too.
check your TTL parameters on your squid authentication mechanism.
For example:
auth_param basic credentialsttl 300 seconds
or
external_acl_type ldap_group ttl=300 %LOGIN
Those parameters can make squid
- When we change a password on the Active Directory,
squid doesn't see the change for many hours ...
That is an AD "feature". If you use AD groups, you can take somebody out
of the group and AD will happily respond that the user is a group member
for several hours. You can easily ch
IMAP with the server which squid does not understand.
There are IMAP proxies out there but not on this list.
This is not a configuration problem but rather like you want to get a
translator speaking only Spanish to translate from English to German -
that won't work either.
Regards,
Jakob Curdes
.. forget it, I had a NAT rule in place so the request ended up somewhere else..
tcpdump was my friend.
JC
.. I am trying to setup a RPCviaHTTP reverse proxy scenario as described in
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
Squid starts with my configuration (like example plus some standard
ACLs) but connections with a browser to the SSL port on the outside take
eternally and
Matt Harrison wrote:
Hi all,
As far as the guide I have mentioned goes, my kerberos and ldap are
working perfectly and samba is joined to the domain. winbind is running
and using the ntlm helper tests from the guide it appears that
authentication for users against the AD is working.
The proble
Hi,
when trying to setup NTLM authentication against an AD controller I ran
into an issue with testing against Windows Group membership.
Here's what works:
- authorizing against AD controller via winbindd and ntlm_auth helper
from samba package
i.e. without group restrictions the authorizat
Marcos Dutra wrote:
Hi Jakob,
I need to leave two squids running because my setup with squid + AD auth
cannot run more than 1200 connections, so I want to put two servers in
failover and balance connections, is it possible?
Remember it isn't a reverse proxy, it is a proxy with AD auth and ACL by group of A
Amos Jeffries wrote:
Hi, we are using squid for quite some time as internal forward proxy.
Now we want to implement an external Exchange access "RPC via HTTP(S)".
I know there is a configuration example in the documentation, but other
than that I did not find a lot of info.
So if anybody can give
Jeff Peng wrote:
> Hi Henrik,
>
> We also use LVS + Squid setup.
> But what I want to know is, if we have only two squid for reverse proxy,
> can we setup only heartbeat for HA? (I mean don't use LVS).
> Thanks again.
>
>
If you just want to have a failover and the cache content is not that
impo
. I have one important remark: Linux HA is not
exactly "install-and-run". I strongly recommend to test the approach in
a non-production setup and emulate the failures you want to circumvent.
Otherwise, many strange things may happen. I can give more details if
interested.
Yours,
Jakob Curdes
t what the pitfalls could be that would
be great.
I found one remark saying that exchange 2007 has features that do not
work via RPC via HTTPS.
Any hints on this one? Which features could that be ?
Yours,
Jakob Curdes
that protocol. However not all FTP clients
are able to talk to such a proxy - unless it is implemented as
transparent proxy.
Yours,
Jakob Curdes
traffic as the protocols are different, regardless of which
ports you are running the proxy. You might be able to setup a SSH tunnel
depending on site policies. Mind you, I am not suggesting that this
would be a legal or sensible thing to do.
Yours,
Jakob Curdes
the website will
not be accessible from inside many corporate networks, on the other hand
because NTLM has a lot of security implications and limitations when run
on a publicly accessible server.
Yours,
Jakob Curdes
k
box" and so you cannot really adapt your system to it. Another point to
make is that it is hard to keep up TCP sessions for hours on end; you need
a controlled environment for that which you do not have between two
skype sites over the internet.
Hope this helps,
Jakob Curdes
Thank you everyone for your help. The dedicated server company where my squid
is located has just
reported to me that "we are blocking outgoing connections on tcp/3128 port for
security reasons".
Does this mean that they are a "squid unfriendly" company? Is there any reason
to block that por
th squid itself.
Yours,
Jakob Curdes
Could you advise of how I can determine if there is some firewall running?
Here is a list of running processes:
You cannot see the firewall as it is part of the kernel.
Do a
telnet localhost 3128
If you get ANY response, the port is open for the localhost, if the
command fails immediately or
Vadim Pushkin wrote:
Has anyone on this list ever deployed a third-party tool to do what JC
suggests? I.e. block or limit file transfers, inspect https traffic
so as to block/allow it based on what it is doing?
Restrict access to listed sites yes, third party no. Somebody in another
repl
My question is if I've opened myself up to an admin nightmare or am I
being smart by preventing some really bad stuff into my network?
Depends on your users' necessities; in most firms I suppose there is no
absolute need to use webmail accounts from inside the company. If you
have a usage poli
granted access. These are basic security measures you will find
implemented in almost any unix program.
Hope this helps,
Jakob Curdes
Noel Manansala wrote:
the log file has an entry that says "cache is running out of file
descriptors"
That will be your problem. Looks like you have a very large cache ?
Please _post_ the logfile entries that come in after a start attempt !
JC
Noel Manansala wrote:
Help guys!
Well, perhaps at first you should look into your config file and find
out where your logs are.
Then make sure you have access and main logging activated and look into
these after you restart the service.
Chances are your cache is full or your log partition s
possible in
squid.
Sure, have a look at policy banks. If you want to limit everybody, just
include everybody in a policy bank.
You can set global limits as well as individual limits.
Hope this helps,
Jakob Curdes
-cache.org/SquidFaq/ProxyAuthentication
Hope this helps,
Jakob Curdes
I think the trick here is to *tell* the browser to go direct - as long as
it is allowed to perform DNS lookups, it will then get the DNS error it
normally gets, and will try again for www.xyz.com instead - which goes
through the proxy as intended. The client never actually fetches
directly -
Oh
I am told that one way to restore the automated logics done by the
browser in finding the correct host name even when using a proxy is to
use a proxy.pac file which depends on the IP of the destination site.
You could try this, haven't verified myself.
Not 100% sure how to do it but I suppose i
here is Firefox.
Glad for any hint,
Jakob Curdes
do it with
squid. You will probably be better off on the lists of mailing software
(or you hire someone to do this for you)
Yours,
Jakob Curdes
Is there a newer version anywhere? Or is there a better wildcard-purge
method in the meantime?
I don't think so. Normally most people do not maintain the cache
manually and I personally would not know a reason to do so.
Jakob Curdes
嵩陈 wrote:
hi
I need some testing data about squid performance
We too. If you have done some testing, you might be willing to share
your data.
[And it would help if your name were something other than "??"].
Jakob Curdes
Noc Phibee wrote:
Hi
Can anyone tell me what is the best choice of equipment to put a Squid
with Active Directory authentication + squidguard for:
for 700 simultaneous users
Use 1 mainstream PC, whatever. Put in one gig of RAM and you're done.
and
for 5000 simultaneous users
use 1 h
I need some information to connect a squid proxy using a postgres database with
all my users and the possibility to use NTLM authentication.
That won't work. You can do ntlm auth only against a Windows Domain
controller or an AD server. This is a limitation in the NTLM "protocol".
You can do