[squid-users] Mod-security blocking my proxy server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dear All,

A domain hosting site running mod-security is blocking one of my proxy servers. They have provided me the following security logs for the reason.

Note: I have modified the site and IP of my proxy server.

Do the logs below mean that some of my clients are abusing my proxy server?

[Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id='ScRiPt%20%0a%0dalert(121446072)%3B/ScRiPt]
[Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=/titleScRiPt%20%0a%0dalert(1853475877)%3B/ScRiPt]
[Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=\\ScRiPt%20%0a%0dalert(1640807322)%3B/ScRiPt]
[Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match [[:space:]]*(script|about|applet|activex|chrome)*.*(script|about|applet|activex|chrome)[[:space:]]* at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=%00scriptalert(2038864227)%3B/script]
[Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=--ScRiPt%20%0a%0dalert(114595006)%3B/ScRiPt]
[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%26cat+/etc/passwd%26]
[Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%0acat+/etc/passwd%0a]

Any kind of help and feedback are highly appreciated.

Thanking you..

- --
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6
Pr6zzwkH8HD8qdoq8kIvrVY=
=u2e+
-END PGP SIGNATURE-
[squid-users] Forwarding https request to parent proxy
Dear All,

I know this is not a new issue in this mailing list, and I'm sorry to raise this issue again.

I have a private network which only has private IPv4 addresses and has no gateway to the internet. I have created one proxy server using squid ver 2.6. The topology is as shown in the figure below:

(USERS)[ProxyLocal][ParentProxy]Internet PC

I have configured my local proxy to forward every request to the Parent Proxy since in my private network, it has no direct connection or NAT to reach the Internet.

My HTTP request is working fine with the current configuration, below is my configuration in squid.conf:

--Configuration start---(part)--
cache_peer 172.16.51.7 parent 8080 3130
acl all src 0.0.0.0/0 ::/0
never_direct allow all
acl manager proto cache_object
acl localsite src 172.16.51.0/24 2001:d30:1214::/48
acl localhost src 127.0.0.1/32 ::1/128
acl to_localhost dst 127.0.0.0/8 ::/126
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
---end

When I try to access some https website, it returns the errors below:

The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.
* Check the proxy settings to make sure that they are correct.
* Contact your network administrator to make sure the proxy server is working.

And I also ran tail -f /var/log/squid/access.log, but I didn't see any error message; it seems like squid did not receive any request.

Before sending this email, I tried to search for the solution from http://www.squid-cache.org/mailing-lists.html and I was able to find many archives related to my problem, but none of their solutions could solve my problem.

Hope I can get some help here. Thanks in advance!!!

Best regards,
Simon Teh
Re: [squid-users] Mod-security blocking my proxy server
On Tue, Mar 13, 2007, Tek Bahadur Limbu wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Dear All,
>
> A domain hosting site running mod-security is blocking one of my proxy servers. They have provided me the following security logs for the reason.
>
> Note: I have modified the site and IP of my proxy server.
>
> Do the logs below mean that some of my clients are abusing my proxy server?

Yup. Well, either that, or one of your clients has a hacked machine which is then issuing these silly scripting vulnerabilities in the URI. Either way, figure out what your client is doing.

Adrian

> [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id='ScRiPt%20%0a%0dalert(121446072)%3B/ScRiPt]
> [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=/titleScRiPt%20%0a%0dalert(1853475877)%3B/ScRiPt]
> [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=\\ScRiPt%20%0a%0dalert(1640807322)%3B/ScRiPt]
> [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match [[:space:]]*(script|about|applet|activex|chrome)*.*(script|about|applet|activex|chrome)[[:space:]]* at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=%00scriptalert(2038864227)%3B/script]
> [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=--ScRiPt%20%0a%0dalert(114595006)%3B/ScRiPt]
> [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%26cat+/etc/passwd%26]
> [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%0acat+/etc/passwd%0a]
>
> Any kind of help and feedback are highly appreciated.
>
> Thanking you..
>
> - --
> With best regards and good wishes,
> Yours sincerely,
> Tek Bahadur Limbu
> (TAG/TDG Group)
> Jwl Systems Department
> Worldlink Communications Pvt. Ltd.
> Jawalakhel, Nepal
> http://www.wlink.com.np
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2.2 (FreeBSD)
>
> iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6
> Pr6zzwkH8HD8qdoq8kIvrVY=
> =u2e+
> -END PGP SIGNATURE-

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
Re: [squid-users] Mod-security blocking my proxy server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 13 Mar 2007 15:54:03 +0800 Adrian Chadd [EMAIL PROTECTED] wrote:
> On Tue, Mar 13, 2007, Tek Bahadur Limbu wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Dear All,
> >
> > A domain hosting site running mod-security is blocking one of my proxy servers. They have provided me the following security logs for the reason.
> >
> > Note: I have modified the site and IP of my proxy server.
> >
> > Do the logs below mean that some of my clients are abusing my proxy server?
>
> Yup. Well, either that, or one of your clients has a hacked machine which is then issuing these silly scripting vulnerabilities in the URI. Either way, figure out what your client is doing.

Thanks Adrian for your quick reply. I will further investigate the offending client.

> Adrian
>
> > [Fri Mar 9 01:24:26 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id='ScRiPt%20%0a%0dalert(121446072)%3B/ScRiPt]
> > [Fri Mar 9 01:24:27 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=/titleScRiPt%20%0a%0dalert(1853475877)%3B/ScRiPt]
> > [Fri Mar 9 01:24:29 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=\\ScRiPt%20%0a%0dalert(1640807322)%3B/ScRiPt]
> > [Fri Mar 9 01:24:30 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match [[:space:]]*(script|about|applet|activex|chrome)*.*(script|about|applet|activex|chrome)[[:space:]]* at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=%00scriptalert(2038864227)%3B/script]
> > [Fri Mar 9 01:24:32 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match script at THE_REQUEST [hostname somesite.com] [uri /pressrelease_details.php?id=--ScRiPt%20%0a%0dalert(114595006)%3B/ScRiPt]
> > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%26cat+/etc/passwd%26]
> > [Fri Mar 9 01:24:37 2007] [error] [client 192.168.0.18] mod_security: Access denied with code 406. Pattern match /etc/passwd at REQUEST_URI [hostname somesite.com] [uri /pressrelease_details.php?id=+%0acat+/etc/passwd%0a]
> >
> > Any kind of help and feedback are highly appreciated.
> >
> > Thanking you..
> >
> > - --
> > With best regards and good wishes,
> > Yours sincerely,
> > Tek Bahadur Limbu
> > (TAG/TDG Group)
> > Jwl Systems Department
> > Worldlink Communications Pvt. Ltd.
> > Jawalakhel, Nepal
> > http://www.wlink.com.np
> >
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1.4.2.2 (FreeBSD)
> >
> > iD8DBQFF9lTsVrOl+eVhOvYRAqGcAJ9OT+UbDWAA3UMsSRbHC8zmfBWxOACcC3U6
> > Pr6zzwkH8HD8qdoq8kIvrVY=
> > =u2e+
> > -END PGP SIGNATURE-
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level bandwidth-capped VPSes available in WA -

- --
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFF9lv+VrOl+eVhOvYRAtRVAJ9OAiX1/O3pY+Dw2UfPXnSU99LVtQCfY3qn
t93hJQ/BUqRBPQZJ0VfRCy8=
=Vnmj
-END PGP SIGNATURE-
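
The thread leaves the proxy operator with the task of finding which client sent the requests the remote site blocked. One way to do that is to search Squid's own access.log for the request shapes shown in the mod_security log; the script below is an added example, not part of the original messages. It assumes Squid's default native access.log layout, and the sample log lines, client addresses, peer address and rule labels are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit, unquote_plus

# Constructed sample in Squid's native access.log layout:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
# Client addresses, the peer address and the timestamps are made up.
SAMPLE_LOG = """
1173403466.101    212 10.0.0.23 TCP_MISS/406 498 GET http://somesite.com/pressrelease_details.php?id='ScRiPt%20%0a%0dalert(121446072)%3B/ScRiPt - DIRECT/192.0.2.10 text/html
1173403468.340    150 10.0.0.41 TCP_MISS/200 8123 GET http://somesite.com/pressrelease_details.php?id=17 - DIRECT/192.0.2.10 text/html
1173403470.882    198 10.0.0.23 TCP_MISS/406 498 GET http://somesite.com/pressrelease_details.php?id=%00scriptalert(2038864227)%3B/script - DIRECT/192.0.2.10 text/html
1173403471.015     90 10.0.0.57 TCP_HIT/200 2210 GET http://example.org/javascript/menu.js - NONE/- application/x-javascript
1173403477.450    205 10.0.0.23 TCP_MISS/406 498 GET http://somesite.com/pressrelease_details.php?id=+%26cat+/etc/passwd%26 - DIRECT/192.0.2.10 text/html
1173403477.920    201 10.0.0.23 TCP_MISS/406 498 GET http://somesite.com/pressrelease_details.php?id=+%0acat+/etc/passwd%0a - DIRECT/192.0.2.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s"
)

# Rule labels are this example's own. The patterns mirror what the remote
# mod_security log reported: script/alert probes and /etc/passwd in the URI.
# They are applied to the percent-decoded query string only, so a path such
# as /javascript/menu.js is not flagged.
RULES = {
    "script-injection probe": re.compile(r"script.*alert\(", re.I | re.S),
    "/etc/passwd read attempt": re.compile(r"/etc/passwd"),
}


def suspicious_requests(log_text, host=None):
    """Return {client_ip: [(utc_time, http_status, rule_label), ...]}.

    host, if given, restricts the search to one destination hostname,
    e.g. the site that reported the blocks.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-native-format line
        try:
            parts = urlsplit(m["url"])
        except ValueError:
            continue  # URL too malformed to split
        if host and parts.hostname != host:
            continue
        query = unquote_plus(parts.query)  # %0a, %26, %00 and '+' decoded
        for label, pattern in RULES.items():
            if pattern.search(query):
                when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
                hits[m["client"]].append(
                    (when.strftime("%Y-%m-%d %H:%M:%S"), m["status"], label)
                )
                break  # one label per request is enough for triage
    return dict(hits)


if __name__ == "__main__":
    for client, events in suspicious_requests(SAMPLE_LOG, "somesite.com").items():
        print(client, len(events), "flagged request(s)")
        for when, status, label in events:
            print("   ", when, status, label)
```

On a real proxy, feed the function the contents of the access.log covering the times in the remote site's report; the client column then names the internal address to investigate.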
Re: [squid-users] About a squid manager system
2007/3/20, Martin A. Brooks [EMAIL PROTECTED]:
> It sounds to me like you could benefit from using revision control software to manage the configuration files. The tool that springs to mind is Subversion (see http://subversion.tigris.org ). Subversion has a mechanism called hooks that allow you to perform arbitrary actions when a file is changed.
>
> Regards
>
> --
> Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam anti-virus
> Consultant       | e: [EMAIL PROTECTED]       | filtering. Inoculate
> antibodymx.net   | m: +447896578023           | your mail system.

Thank you for your reply.

Maybe I did not describe my requirement. We need a front web interface (or other method (client?)) to modify all the configurations of all servers (or split the file and store it in a database, or XML) easily, because logging in, running vi, and logging out of squid boxes (a lot) one by one is very tiring.

I want to split the squid.conf and store it in a database, so it can be modified easily with a web interface, but I don't know how to parse, split, and reassemble squid.conf with an appropriate method, considering squid.conf directive syntax, easy modification via the web and so on.

--
Best regards
Felix New
[squid-users] Multiple Proxy addresses on the same Server
I've just installed and configured the latest stable release of squid 2.6, Squid is working Fine on Fedora now .. BUT I have small problem.

I have 3 IP addresses on the same server, x.x.x.x is the Main Server IP, y.y.y.y z.z.z.z are the additional IP addresses. Using any of these IP addresses is working fine.

The problem is that when I use x.x.x.x , y.y.y.y z.z.z.z as the proxy address I get a reply that I'm using the main server IP which is: x.x.x.x

What I need is when I use y.y.y.y I get a reply that I'm using y.y.y.y and same for z.z.z.z

Any one have the solution ?

Best Regards,
Aldalil
Re: [squid-users] Multiple Proxy addresses on the same Server
Thanks Alexandre,

Actually I don't want to make groups, I want to be free in using any of the Proxy IP addresses BUT getting the reply for the IP address that I'm using in the browser.

Any idea please.

Best Regards,
Aldalil

> tcp_outgoing_address
>
> ex:
>
> acl home_clients src 10.0.0.0/8
> acl corporate_clients src 192.168.0.0/23
>
> tcp_outgoing_address yyy.yyy.yyy.yyy home_clients
> tcp_outgoing_address zzz.zzz.zzz.zzz corporate_clients
>
> regards.
>
> On 3/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > I've just installed and configured the latest stable release of squid 2.6, Squid is working Fine on Fedora now .. BUT I have small problem.
> >
> > I have 3 IP addresses on the same server, x.x.x.x is the Main Server IP, y.y.y.y z.z.z.z are the additional IP addresses. Using any of these IP addresses is working fine.
> >
> > The problem is that when I use x.x.x.x , y.y.y.y z.z.z.z as the proxy address I get a reply that I'm using the main server IP which is: x.x.x.x
> >
> > What I need is when I use y.y.y.y I get a reply that I'm using y.y.y.y and same for z.z.z.z
> >
> > Any one have the solution ?
> >
> > Best Regards,
> > Aldalil
>
> --
> Sds.
> Alexandre J. Correa
> Onda Internet / OPinguim.net
> http://www.ondainternet.com.br
> http://www.opinguim.net
Re: [squid-users] Forwarding https request to parent proxy
Check proxy configuration in Firefox. Where do you have the cache_peer_access directive?

On Tuesday 13 March 2007 08:38, chteh wrote:
> Dear All,
>
> I know this is not a new issue in this mailing list, and I'm sorry to raise this issue again.
>
> I have a private network which only has private IPv4 addresses and has no gateway to the internet. I have created one proxy server using squid ver 2.6. The topology is as shown in the figure below:
>
> (USERS)[ProxyLocal][ParentProxy]Internet PC
>
> I have configured my local proxy to forward every request to the Parent Proxy since in my private network, it has no direct connection or NAT to reach the Internet.
>
> My HTTP request is working fine with the current configuration, below is my configuration in squid.conf:
>
> --Configuration start---(part)--
> cache_peer 172.16.51.7 parent 8080 3130
> acl all src 0.0.0.0/0 ::/0
> never_direct allow all
> acl manager proto cache_object
> acl localsite src 172.16.51.0/24 2001:d30:1214::/48
> acl localhost src 127.0.0.1/32 ::1/128
> acl to_localhost dst 127.0.0.0/8 ::/126
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ---end
>
> When I try to access some https website, it returns the errors below:
>
> The proxy server is refusing connections
> Firefox is configured to use a proxy server that is refusing connections.
> * Check the proxy settings to make sure that they are correct.
> * Contact your network administrator to make sure the proxy server is working.
>
> And I also ran tail -f /var/log/squid/access.log, but I didn't see any error message; it seems like squid did not receive any request.
>
> Before sending this email, I tried to search for the solution from http://www.squid-cache.org/mailing-lists.html and I was able to find many archives related to my problem, but none of their solutions could solve my problem.
>
> Hope I can get some help here. Thanks in advance!!!
>
> Best regards,
> Simon Teh
[squid-users] ncsa_auth problem
Hi,

I'm running squid 2.5.9 with debian sarge.

I'm having a problem with ncsa authentication: the popup window appears in the browser but the user doesn't get authenticated, though the test of the ncsa_auth lib works ok.

Relevant config options are:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.128.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl authenticated_users proxy_auth REQUIRED
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet authenticated_users
http_access deny all

My cache.log file:

2007/03/13 17:13:18| Starting Squid Cache version 2.5.STABLE9 for i386-debian-linux-gnu...
2007/03/13 17:13:18| Process ID 7978
2007/03/13 17:13:18| With 1024 file descriptors available
2007/03/13 17:13:18| DNS Socket created at 0.0.0.0, port 32880, FD 9
2007/03/13 17:13:18| Adding nameserver 193.125.180.2 from /etc/resolv.conf
2007/03/13 17:13:18| Adding nameserver 193.124.169.49 from /etc/resolv.conf
2007/03/13 17:13:18| Adding nameserver 212.192.168.18 from /etc/resolv.conf
2007/03/13 17:13:18| helperOpenServers: Starting 5 'ncsa_auth' processes
2007/03/13 17:13:22| User-Agent logging is disabled.
2007/03/13 17:13:22| Referer logging is disabled.
2007/03/13 17:13:22| Unlinkd pipe opened on FD 19
2007/03/13 17:13:22| Swap maxSize 102400 KB, estimated 7876 objects
2007/03/13 17:13:22| Target number of buckets: 393
2007/03/13 17:13:22| Using 8192 Store buckets
2007/03/13 17:13:22| Max Mem size: 8192 KB
2007/03/13 17:13:22| Max Swap size: 102400 KB
2007/03/13 17:13:22| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2007/03/13 17:13:22| Rebuilding storage in /var/spool/squid (CLEAN)
2007/03/13 17:13:22| Using Least Load store dir selection
2007/03/13 17:13:22| Set Current Directory to /var/spool/squid
2007/03/13 17:13:22| Loaded Icons.
2007/03/13 17:13:24| Accepting HTTP connections at 192.168.128.1, port 3128, FD 21.
2007/03/13 17:13:24| Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
2007/03/13 17:13:24| HTCP Disabled.
2007/03/13 17:13:24| WCCP Disabled.
2007/03/13 17:13:24| Ready to serve requests.
2007/03/13 17:13:24| Done reading /var/spool/squid swaplog (9 entries)
2007/03/13 17:13:24| Finished rebuilding storage from disk.
2007/03/13 17:13:24| 9 Entries scanned
2007/03/13 17:13:24| 0 Invalid entries.
2007/03/13 17:13:24| 0 With invalid flags.
2007/03/13 17:13:24| 9 Objects loaded.
2007/03/13 17:13:24| 0 Objects expired.
2007/03/13 17:13:24| 0 Objects cancelled.
2007/03/13 17:13:24| 0 Duplicate URLs purged.
2007/03/13 17:13:24| 0 Swapfile clashes avoided.
2007/03/13 17:13:24| Took 2.1 seconds ( 4.3 objects/sec).
2007/03/13 17:13:24| Beginning Validation Procedure
2007/03/13 17:13:24| Completed Validation Procedure
2007/03/13 17:13:24| Validated 9 Entries
2007/03/13 17:13:24| store_swap_size = 292k
2007/03/13 17:13:25| storeLateRelease: released 0 objects
2007/03/13 17:14:38| aclCheckFast: list: 0x824a4c8
2007/03/13 17:14:38| aclMatchAclList: checking all
2007/03/13 17:14:38| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2007/03/13 17:14:38| aclMatchIp: '192.168.128.88' found
2007/03/13 17:14:38| aclMatchAclList: returning 1
2007/03/13 17:14:38| aclCheck: checking 'http_access allow purge localhost'
2007/03/13 17:14:38| aclMatchAclList: checking purge
2007/03/13 17:14:38| aclMatchAcl: checking 'acl purge method PURGE'
2007/03/13 17:14:38| aclMatchAclList: no match, returning 0
2007/03/13 17:14:38| aclCheck: checking 'http_access deny purge'
2007/03/13 17:14:38| aclMatchAclList: checking purge
2007/03/13 17:14:38| aclMatchAcl: checking 'acl purge method PURGE'
2007/03/13 17:14:38| aclMatchAclList: no match, returning 0
2007/03/13 17:14:38| aclCheck: checking 'http_access deny !Safe_ports'
2007/03/13 17:14:38| aclMatchAclList: checking !Safe_ports
2007/03/13 17:14:38| aclMatchAcl: checking 'acl Safe_ports port 80
Re: [squid-users] Squid Java problem
On 3/13/07, Tornado [EMAIL PROTECTED] wrote:
> Yes we are. Are there any known issues with NTLM and java?

Java does not seem to support transparent authentication very well. I use ntlm_auth and had the same issue. My workaround is to add this to my squid.conf:

acl Java browser Java/1.4 Java/1.5
http_access allow localhost Java

# the localhost acl is because I run DG content filtering on the same box.

You may need to vary this depending on the versions of Java your clients run and your setup. This allows Java scripts to be accessed unauthenticated.

This fix is discussed elsewhere on this list as well.

Chris
Re: [squid-users] 127.0.0.1 is their IP...
Shane A. Froebel wrote:
> Just recompiled squid, like so...
>
> ./configure --enable-follow-x-forwarded-for --enable-useragent-log --enable-referer-log --quiet
>
> added to squid.conf:
>
> forwarded_for on
>
> Had someone post something on the site IP came back to being 127.0.0.1
>
> I am running on accelerator mode, if that makes any difference.
Re: [squid-users] Squid Java problem
Yes. I already implemented this and now the java based website is working fine.

Thanks all.

Quoting Chris Nighswonger [EMAIL PROTECTED]:
> On 3/13/07, Tornado [EMAIL PROTECTED] wrote:
> > Yes we are. Are there any known issues with NTLM and java?
>
> Java does not seem to support transparent authentication very well. I use ntlm_auth and had the same issue. My workaround is to add this to my squid.conf:
>
> acl Java browser Java/1.4 Java/1.5
> http_access allow localhost Java
>
> # the localhost acl is because I run DG content filtering on the same box.
>
> You may need to vary this depending on the versions of Java your clients run and your setup. This allows Java scripts to be accessed unauthenticated.
>
> This fix is discussed elsewhere on this list as well.
>
> Chris
[squid-users] WCCP Module for WCCP Version 2
All,

Our WCCP version 1 was running for 2 years, then got a problem with hotmail.com authentication. Someone suggested that I use WCCPv2 to solve the issue.

I tried to run WCCPv2 on linux 2.4.32 with wccp modules version 1.7. After configuring Squid and the Cisco router (more or less the same as WCCPv1), I saw that Squid can talk to the Cisco. But no packets were redirected.

AFAIK, the wccp module (v 1.7) supports WCCPv2, but I am curious why the packet redirection did not happen. Currently, I don't have a plan to use linux 2.6.x. I hope you can suggest how to solve such a problem using linux 2.4.x.

Your help is very appreciated and waited for.

Thank you so much and best regards,

Awie

===SNIP===
Global WCCP information:
    Router information:
        Router Identifier:                   W.X.Y.Z
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                squid-wccp
        Total Packets Denied Redirect:       7346
        Total Packets Unassigned:            0
        Group access-list:                   squid-cache
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
Re: [squid-users] maximum netowrk interfaces
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Henrik Nordstrom wrote:
> On Mon 2007-03-12 at 18:49 -0400, Nicolás Ruiz wrote:
> > I just tested on debian with stock kernel 2.6.18:
> >
> > T=0; while [ $T -lt 255 ]; do echo $T; ifconfig eth0:${T} \
> >   192.168.${T}.1 netmask 255.255.255.0 up; T=`expr $T + 1` ; done
> >
> > and set up 255 virtual interfaces with no problem.
>
> Sidenote: The above does not create virtual interfaces, just labelled IP addresses on the eth0 interface.

Then we're using the same term for different things (I call those virtual interfaces). How do you get around to use virtual interfaces?

> > Somewhat related, I haven't been able to create more than 7 GRE tunnels (in case you're using WCCP).
>
> No apparent problem here.. Just created a couple of thousand wccpX gre interfaces (all unused as I have no WCCP capable router). Linux-2.6.19 Fedora Core 6.
>
> ip tunnel add wccpX mode gre device eth0 remote X.X.X.X

bizarre. I just tried again with kernel 2.6.18 and it worked. I must have done something wrong.

> Regards
> Henrik

- --
A: Because it destroys the flow of conversation.
Q: Why is top posting dumb?
- --
Juan Nicolás Ruiz    | Corporación Parque Tecnológico de Mérida
                     | Centro de Cálculo Cientifico ULA
[EMAIL PROTECTED]    | Avenida 4, Edif. Gral Masini, Ofic. B-32
+58-(0)274-252-4192  | Mérida - Edo. Mérida. Venezuela

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF9rMYmjsZS9ZBxv8RArBxAJwLGAQrIqIwRlDmPTgje+IE2BOL0ACfd6SX
oWX9MjKcq5v78XMNoTn1FXQ=
=62Cb
-END PGP SIGNATURE-
Re: [squid-users] Multiple Proxy addresses on the same Server
I was wondering if there is another way to allow me to use the other IP addresses of the server and get the reply as per the IP address used in the browser ..

Regards,
Aldalil

- Original Message -
From: Alexandre Correa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 11:55 AM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

tcp_outgoing_address

ex:

acl home_clients src 10.0.0.0/8
acl corporate_clients src 192.168.0.0/23

tcp_outgoing_address yyy.yyy.yyy.yyy home_clients
tcp_outgoing_address zzz.zzz.zzz.zzz corporate_clients

regards.

On 3/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I've just installed and configured the latest stable release of squid 2.6, Squid is working Fine on Fedora now .. BUT I have small problem.
>
> I have 3 IP addresses on the same server, x.x.x.x is the Main Server IP, y.y.y.y z.z.z.z are the additional IP addresses. Using any of these IP addresses is working fine.
>
> The problem is that when I use x.x.x.x , y.y.y.y z.z.z.z as the proxy address I get a reply that I'm using the main server IP which is: x.x.x.x
>
> What I need is when I use y.y.y.y I get a reply that I'm using y.y.y.y and same for z.z.z.z
>
> Any one have the solution ?
>
> Best Regards,
> Aldalil

--
Sds.
Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br
http://www.opinguim.net
Re: [squid-users] WCCP Module for WCCP Version 2
Hi,

what squid version are you using and what does the wccp configuration in squid.conf look like?

I am using wccp2 with a 2.4.33 kernel, squid 2.6 and a cisco router.

Regards,
Martin

On Tuesday 13 March 2007 10:11, Awie wrote:
> All,
>
> Our WCCP version 1 was running for 2 years, then got a problem with hotmail.com authentication. Someone suggested that I use WCCPv2 to solve the issue.
>
> I tried to run WCCPv2 on linux 2.4.32 with wccp modules version 1.7. After configuring Squid and the Cisco router (more or less the same as WCCPv1), I saw that Squid can talk to the Cisco. But no packets were redirected.
>
> AFAIK, the wccp module (v 1.7) supports WCCPv2, but I am curious why the packet redirection did not happen. Currently, I don't have a plan to use linux 2.6.x. I hope you can suggest how to solve such a problem using linux 2.4.x.
>
> Your help is very appreciated and waited for.
>
> Thank you so much and best regards,
>
> Awie
>
> ===SNIP===
> Global WCCP information:
>     Router information:
>         Router Identifier:                   W.X.Y.Z
>         Protocol Version:                    2.0
>
>     Service Identifier: web-cache
>         Number of Cache Engines:             1
>         Number of routers:                   1
>         Total Packets Redirected:            0
>         Redirect access-list:                squid-wccp
>         Total Packets Denied Redirect:       7346
>         Total Packets Unassigned:            0
>         Group access-list:                   squid-cache
>         Total Messages Denied to Group:      0
>         Total Authentication failures:       0

--
Martin Kobele
Software Developer
t. 519-826-5222 ext #224
f. 519-826-5228
[EMAIL PROTECTED]
Netsweeper Corporate Head Office
104 Dawson Road
Guelph, Ontario N1H 1A7
RE: [squid-users] Forwarding https request to parent proxy
Dear Juraj Sakala,

Thanks for your reply. Would you please elaborate more on your reply, I do not really understand your context :-)

If based on my understanding, I already have configured my firefox with the local proxy's IP address (Tools - Options - Advanced - Network Tab - Setting - Manual Proxy configuration - Http proxy : LocalProxy's IP port 3128 and also have checked on the Use this proxy for all protocols)

Or is there any extra proxy configuration in firefox that I should check?

Thanks for your reply and hope to hear from you soon. Thanks again.

Best regards,
Simon Teh

-Original Message-
From: Juraj Sakala [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 7:40 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Forwarding https request to parent proxy

Check proxy configuration in Firefox. Where do you have the cache_peer_access directive?

On Tuesday 13 March 2007 08:38, chteh wrote:
> Dear All,
>
> I know this is not a new issue in this mailing list, and I'm sorry to raise this issue again.
>
> I have a private network which only has private IPv4 addresses and has no gateway to the internet. I have created one proxy server using squid ver 2.6. The topology is as shown in the figure below:
>
> (USERS)[ProxyLocal][ParentProxy]Internet PC
>
> I have configured my local proxy to forward every request to the Parent Proxy since in my private network, it has no direct connection or NAT to reach the Internet.
>
> My HTTP request is working fine with the current configuration, below is my configuration in squid.conf:
>
> --Configuration start---(part)--
> cache_peer 172.16.51.7 parent 8080 3130
> acl all src 0.0.0.0/0 ::/0
> never_direct allow all
> acl manager proto cache_object
> acl localsite src 172.16.51.0/24 2001:d30:1214::/48
> acl localhost src 127.0.0.1/32 ::1/128
> acl to_localhost dst 127.0.0.0/8 ::/126
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ---end
>
> When I try to access some https website, it returns the errors below:
>
> The proxy server is refusing connections
> Firefox is configured to use a proxy server that is refusing connections.
> * Check the proxy settings to make sure that they are correct.
> * Contact your network administrator to make sure the proxy server is working.
>
> And I also ran tail -f /var/log/squid/access.log, but I didn't see any error message; it seems like squid did not receive any request.
>
> Before sending this email, I tried to search for the solution from http://www.squid-cache.org/mailing-lists.html and I was able to find many archives related to my problem, but none of their solutions could solve my problem.
>
> Hope I can get some help here. Thanks in advance!!!
>
> Best regards,
> Simon Teh
[squid-users] squid 2.5.9, authentication problem
debian sarge, squid 2.5.9

squid works fine without authentication, but when I try to configure basic Authentication (the same problem with digest), pop-up login window appears and then page is not loaded. I suspect that ncsa_auth process is not being started (btw, should it be in the process list when squid is running?)

Access rights and paths are all correct (proxy:proxy for file containing password); ncsa_auth works ok in console (tried for proxy user too)

Relevant configurations:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.128.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl authenticated_users proxy_auth REQUIRED
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_network
http_access allow localhost
http_access allow localnet authenticated_users
# And finally deny all other access to this proxy
http_access deny all

2007/03/13 21:38:34| authBasicConfigured: returning configured
2007/03/13 21:38:34| helperOpenServers: Starting 5 'ncsa_auth' processes
2007/03/13 21:38:35| User-Agent logging is disabled.
2007/03/13 21:38:35| Referer logging is disabled.
2007/03/13 21:38:35| Unlinkd pipe opened on FD 19
2007/03/13 21:38:35| Swap maxSize 102400 KB, estimated 7876 objects
2007/03/13 21:38:35| Target number of buckets: 393
2007/03/13 21:38:35| Using 8192 Store buckets
2007/03/13 21:38:35| Max Mem size: 8192 KB
2007/03/13 21:38:35| Max Swap size: 102400 KB
2007/03/13 21:38:35| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2007/03/13 21:38:35| Rebuilding storage in /var/spool/squid (CLEAN)
2007/03/13 21:38:35| Using Least Load store dir selection
2007/03/13 21:38:35| Set Current Directory to /var/spool/squid
2007/03/13 21:38:35| Loaded Icons.
2007/03/13 21:38:35| Accepting HTTP connections at 192.168.128.1, port 3128, FD 21.
2007/03/13 21:38:35| Accepting ICP messages at 0.0.0.0, port 3130, FD 22.
2007/03/13 21:38:35| HTCP Disabled.
2007/03/13 21:38:35| WCCP Disabled.
2007/03/13 21:38:35| Ready to serve requests.
2007/03/13 21:38:35| Done reading /var/spool/squid swaplog (0 entries)
2007/03/13 21:38:35| Finished rebuilding storage from disk.
2007/03/13 21:38:35| 0 Entries scanned
2007/03/13 21:38:35| 0 Invalid entries.
2007/03/13 21:38:35| 0 With invalid flags.
2007/03/13 21:38:35| 0 Objects loaded.
2007/03/13 21:38:35| 0 Objects expired.
2007/03/13 21:38:35| 0 Objects cancelled.
2007/03/13 21:38:35| 0 Duplicate URLs purged.
2007/03/13 21:38:35| 0 Swapfile clashes avoided.
2007/03/13 21:38:35| Took 0.4 seconds ( 0.0 objects/sec).
2007/03/13 21:38:35| Beginning Validation Procedure
2007/03/13 21:38:35| Completed Validation Procedure
2007/03/13 21:38:35| Validated 0 Entries
2007/03/13 21:38:35| store_swap_size = 0k
...
2007/03/13 21:38:44| aclMatchAclList: checking authenticated_users
2007/03/13 21:38:44| aclMatchAcl: checking 'acl authenticated_users proxy_auth REQUIRED'
2007/03/13 21:38:44| authenticateValidateUser: Validating Auth_user request '(nil)'.
2007/03/13 21:38:44| authenticateValidateUser: Auth_user_request was NULL!
2007/03/13 21:38:44| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2007/03/13 21:38:44| aclMatchAcl: returning 0 sending authentication challenge.
2007/03/13 21:38:44| aclMatchAclList: no match, returning 0
2007/03/13
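
Added example, not part of the original message and not Squid's own code: a simplified Python model of the http_access list posted above, showing which rule decides a request and why a localnet request without a Proxy-Authorization header ends in the authentication challenge seen in the cache.log trace. It assumes first-match rule order, left-to-right AND within a line, and that a proxy_auth ACL reached without credentials yields a 407; the request dictionaries and the function names are constructed for illustration.

```python
import ipaddress

# ACLs copied from the posted squid.conf (only those used by http_access).
SRC = {
    "all": ["0.0.0.0/0"],
    "localhost": ["127.0.0.1/32"],
    "localnet": ["192.168.128.0/24"],
}
PORTS = {
    "SSL_ports": [(443, 443), (563, 563), (873, 873)],
    "Safe_ports": [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                   (210, 210), (1025, 65535), (280, 280), (488, 488),
                   (591, 591), (777, 777), (631, 631), (873, 873), (901, 901)],
}
METHODS = {"purge": "PURGE", "CONNECT": "CONNECT"}

# http_access lines from the post, in the order they appear.
HTTP_ACCESS = [
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet", "authenticated_users"]),
    ("deny", ["all"]),
]


class NeedCredentials(Exception):
    """Raised when a proxy_auth ACL is evaluated with no credentials."""


def acl_matches(name, req):
    """Return True if the named ACL matches the (constructed) request dict."""
    if name in SRC:
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in SRC[name])
    if name in PORTS:
        return any(lo <= req["port"] <= hi for lo, hi in PORTS[name])
    if name in METHODS:
        return req["method"] == METHODS[name]
    if name == "authenticated_users":  # acl ... proxy_auth REQUIRED
        if req.get("user") is None:
            raise NeedCredentials()
        return True  # assumption: "user" is set only after the helper said OK
    raise KeyError(name)


def evaluate(req):
    """Return 'allow', 'deny' or 'challenge-407' for a request."""
    for action, acls in HTTP_ACCESS:
        try:
            # all() stops at the first ACL that fails, so the auth ACL is only
            # reached when every ACL to its left on the line already matched.
            hit = all(acl_matches(a.lstrip("!"), req) != a.startswith("!")
                      for a in acls)
        except NeedCredentials:
            return "challenge-407"
        if hit:
            return action
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    samples = [  # constructed requests
        {"src": "127.0.0.1", "method": "GET", "port": 80},
        {"src": "192.168.128.10", "method": "GET", "port": 80},
        {"src": "192.168.128.10", "method": "GET", "port": 80, "user": "alice"},
        {"src": "192.168.128.10", "method": "CONNECT", "port": 8080, "user": "alice"},
        {"src": "10.0.0.5", "method": "GET", "port": 80},
    ]
    for r in samples:
        print(r, "->", evaluate(r))
```

In this model the 407 is the expected first response to a browser that has not yet sent credentials, so the trace shown in the post does not by itself indicate that the helper failed to start.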
[squid-users] 2.5.STABLE3 performance issues
Hello, I am a network manager at a school. I am not very versed with squid, and I inherited this installation, with the job. We have two separate instances of squid running on the same box, each looking at a different IP address. Each authenticates users against its own separate AD domain, and logs usage. I am having some performance issues with both of the instances. I have a 10Mbps pipe to the Net, but I can only get ~600kbps at any workstation, when there is no traffic. If I circumvent the proxy, I can get 9+Mbps, without a problem. Any ideas where I should begin my search for performance improvements? I can send copies of my .conf files to anybody interested in helping. They are large, as all of the descriptive text is still there. Thank you. -Steven E.
Re: [squid-users] WCCP Module for WCCP Version 2
Hi Martin,

what squid version are you using and how does the wccp configuration in squid.conf look like?

I'm using Squid 2.6S10. Here is the squid.conf (for WCCP section)

wccp2_router W.X.Y.Z
# TAG: wccp_version
#Default:
wccp_version 4
# TAG: wccp2_rebuild_wait
#Default:
# wccp2_rebuild_wait on
# TAG: wccp2_forwarding_method
#Default:
wccp2_forwarding_method 1
# TAG: wccp2_return_method
#Default:
wccp2_return_method 1
# TAG: wccp2_assignment_method
#Default:
# wccp2_assignment_method 1
# TAG: wccp2_service
#Default:
wccp2_service standard 0
# TAG: wccp2_service_info
#Default:
# none
# TAG: wccp2_weight
#Default:
# wccp2_weight 1
# TAG: wccp_address
# TAG: wccp2_address
#Default:
# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0

I am using wccp2 with a 2.4.33 kernel, squid 2.6 and cisco router.

What version of ip_wccp module do you use? Do you compile it manually?

Please advise.

Thanks,
Awie
Re: [squid-users] WCCP Module for WCCP Version 2
Hi,

yes, we use wccp 1.7 as well. Do you have your GRE tunnel set up? If you enable the debug log on cisco and/or squid, do you see the handshakes (I_SEE_YOU, and HERE_I_AM) at all?

Your squid.conf is fine. You use the standard wccp2_service which works with the web-cache service on the cisco router. I tested it with that, now I am running it with the service id 97. But that shouldn't matter.

Regards,
Martin

On Tuesday 13 March 2007 14:09, Awie wrote:
> Hi Martin,
>
> what squid version are you using and how does the wccp configuration in squid.conf look like?
>
> I'm using Squid 2.6S10. Here is the squid.conf (for WCCP section)
>
> wccp2_router W.X.Y.Z
> # TAG: wccp_version
> #Default:
> wccp_version 4
> # TAG: wccp2_rebuild_wait
> #Default:
> # wccp2_rebuild_wait on
> # TAG: wccp2_forwarding_method
> #Default:
> wccp2_forwarding_method 1
> # TAG: wccp2_return_method
> #Default:
> wccp2_return_method 1
> # TAG: wccp2_assignment_method
> #Default:
> # wccp2_assignment_method 1
> # TAG: wccp2_service
> #Default:
> wccp2_service standard 0
> # TAG: wccp2_service_info
> #Default:
> # none
> # TAG: wccp2_weight
> #Default:
> # wccp2_weight 1
> # TAG: wccp_address
> # TAG: wccp2_address
> #Default:
> # wccp_address 0.0.0.0
> # wccp2_address 0.0.0.0
>
> I am using wccp2 with a 2.4.33 kernel, squid 2.6 and cisco router.
>
> What version of ip_wccp module do you use? Do you compile it manually?
>
> Please advise.
>
> Thanks,
> Awie

--
Martin Kobele
Software Developer
t. 519-826-5222 ext #224
f. 519-826-5228
[EMAIL PROTECTED]
Netsweeper Corporate Head Office
104 Dawson Road
Guelph, Ontario N1H 1A7
Re: [squid-users] Multiple Proxy addresses on the same Server
Do you mean I have to add the lines below in the squid.conf or resolv.conf :

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source zzz.zzz.zzz.zzz yyy.yyy.yyy.yyy

I tried that but it gives error for those lines !

----- Original Message -----
From: Alexandre Correa [EMAIL PROTECTED]
To: Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 6:25 PM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

with iptables you can !!

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source zzz.zzz.zzz.zzz

On 3/13/07, Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED] wrote:

I was wondering if there is another way allow me to use the other IP addresses of the server and getting the reply as per used IP address in the browser ..

Regards,
Aldalil

----- Original Message -----
From: Alexandre Correa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 11:55 AM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

tcp_outgoing_address

ex:

acl home_clients src 10.0.0.0/8
acl corporate_clients src 192.168.0.0/23
tcp_outgoing_address yyy.yyy.yyy.yyy home_clients
tcp_outgoing_address zzz.zzz.zzz.zzz corporate_clients

regards.

On 3/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I've just installed and configured the latest stable release of squid 2.6, Squid is working Fine on Fedora now .. BUT I have small problem.

I have 3 IP addresses on the same server, x.x.x.x is the Main Server IP, y.y.y.y z.z.z.z are the additional IP addresses. Using any of these IP addresses is working fine.

The problem is that when I use x.x.x.x , y.y.y.y z.z.z.z as the proxy address I get a reply that I'm using the main server IP which is: x.x.x.x

What I need is when I use y.y.y.y I get a reply that I'm using y.y.y.y and same for z.z.z.z

Any one have the solution ?

Best Regards,
Aldalil
Re: [squid-users] Multiple Proxy addresses on the same Server
Hi Alex,

I did the command:

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source zzz.zzz.zzz.zzz

directly on SSH terminal. What is happening now is that I'm getting the reply for IP: zzz.zzz.zzz.zzz even if I used the IP Addresses: xxx.xxx.xxx.xxx or yyy.yyy.yyy.yyy

----- Original Message -----
From: Alexandre Correa [EMAIL PROTECTED]
To: Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 9:52 PM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

not in the squid.conf

it's a firewall rule for iptables !!! just execute on the console... if works fine for you... you can add this line to /etc/rc.d/rc.local to start when server restart !

regards !

On 3/13/07, Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED] wrote:

Do you mean I have to add the lines below in the squid.conf or resolv.conf :

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source zzz.zzz.zzz.zzz yyy.yyy.yyy.yyy

I tried that but it gives error for those lines !

----- Original Message -----
From: Alexandre Correa [EMAIL PROTECTED]
To: Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 6:25 PM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

with iptables you can !!

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source zzz.zzz.zzz.zzz

On 3/13/07, Alaa Ayad - InternetVSAT.com [EMAIL PROTECTED] wrote:

I was wondering if there is another way allow me to use the other IP addresses of the server and getting the reply as per used IP address in the browser ..

Regards,
Aldalil

----- Original Message -----
From: Alexandre Correa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 11:55 AM
Subject: Re: [squid-users] Multiple Proxy addresses on the same Server

tcp_outgoing_address

ex:

acl home_clients src 10.0.0.0/8
acl corporate_clients src 192.168.0.0/23
tcp_outgoing_address yyy.yyy.yyy.yyy home_clients
tcp_outgoing_address zzz.zzz.zzz.zzz corporate_clients

regards.

On 3/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I've just installed and configured the latest stable release of squid 2.6, Squid is working Fine on Fedora now .. BUT I have small problem.

I have 3 IP addresses on the same server, x.x.x.x is the Main Server IP, y.y.y.y z.z.z.z are the additional IP addresses. Using any of these IP addresses is working fine.

The problem is that when I use x.x.x.x , y.y.y.y z.z.z.z as the proxy address I get a reply that I'm using the main server IP which is: x.x.x.x

What I need is when I use y.y.y.y I get a reply that I'm using y.y.y.y and same for z.z.z.z

Any one have the solution ?

Best Regards,
Aldalil

--
Sds.
Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br
http://www.opinguim.net
Re: [squid-users] maximum netowrk interfaces
Tue 2007-03-13 at 10:20 -0400, Nicolás Ruiz wrote:
> > Sidenote: The above does not create virtual interfaces, just labelled IP addresses on the eth0 interface.
>
> Then we're using the same term for different things (I call those virtual interfaces). How do you get around to use virtual interfaces?

Depends on what you need them for..

A single interface may carry as many IP networks or IP addresses as you like. Addresses may be labeled with a name (i.e. eth0:label) for management reasons, but is purely optional (well, the old ifconfig command needs labels).

There exists a wide variety of virtual interfaces depending on your networking needs. GRE interfaces. IPIP interfaces. 802.1q VLAN interfaces, bonding interfaces, bridge interfaces, TUN/TAP interfaces, MAC based VLAN interfaces, etc etc.. all serving different purposes in networking.

Regards
Henrik
RE: [squid-users] Forwarding https request to parent proxy
Tue 2007-03-13 at 23:41 +0900, chteh wrote:
> If based on my understanding, I already have configured my firefox with the local proxy's IP address (Tools - Options - Advanced - Network Tab - Setting - Manual Proxy configuration - Http proxy : LocalProxy's IP port 3128 and also have checked on the Use this proxy for all protocols)

Looks fine..

> Or is there any extra proxy configuration in firefox that I should check?

No..

Is there any errors in cache.log? Any CONNECT requests logged in access.log?

Regards
Henrik
Re: [squid-users] Multiple Proxy addresses on the same Server
Tue 2007-03-13 at 12:30 +0200, [EMAIL PROTECTED] wrote:
> > acl home_clients src 10.0.0.0/8
> > acl corporate_clients src 192.168.0.0/23
> > tcp_outgoing_address yyy.yyy.yyy.yyy home_clients
> > tcp_outgoing_address zzz.zzz.zzz.zzz corporate_clients
>
> Actually I don't want to make groups, I want to be free in using any of the Proxy IP addresses BUT getting the reply for the IP address that I'm using in the browser.

Don't top post.

Same principle, but use the myaddr acl instead of src, and appropriate acl names for the context..

acl interface1 myaddr xx.xx.xx.xx
tcp_outgoing_address xx.xx.xx.xx interface1
acl interface2 myaddr yy.yy.yy.yy
tcp_outgoing_address yy.yy.yy.yy interface2

Regards
Henrik
Re: [squid-users] WCCP Module for WCCP Version 2
Tue 2007-03-13 at 14:18 -0400, Martin Kobele wrote:
> Hi, yes, we use wccp 1.7 as well. Do you have your GRE tunnel set up?

You can't mix ip_wccp and ip_gre. The kernel can only support one GRE implementation at a time. If you load both only one will be used (probably the last loaded, but I am not sure).

Regards
Henrik
RE: [squid-users] Forwarding https request to parent proxy
Dear Mr. Henrik Nordstrom,

Thanks for your reply. In the access log, there is no error message and also no log messages regarding to the https request (no connect and direct). If I remove the never_direct allow all in my squid.conf, and I make my proxy connected to Internet, then everything looks fine, both HTTP and HTTPS request is working well.

We have limited Global IPv4 address, and we already have one proxy (proxy A) existed which is connected to internet, so my intention make another private LAN and create a local proxy (proxy B) that forward everything to this parent proxy (Proxy A).

Until today, I'm still trying to solve this problem, but running out of idea :-D

Thanks!

Best regards,
Simon Teh

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 14, 2007 9:44 AM
To: chteh
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Forwarding https request to parent proxy

Tue 2007-03-13 at 23:41 +0900, chteh wrote:
> If based on my understanding, I already have configured my firefox with the local proxy's IP address (Tools - Options - Advanced - Network Tab - Setting - Manual Proxy configuration - Http proxy : LocalProxy's IP port 3128 and also have checked on the Use this proxy for all protocols)

Looks fine..

> Or is there any extra proxy configuration in firefox that I should check?

No..

Is there any errors in cache.log? Any CONNECT requests logged in access.log?

Regards
Henrik
Re: [squid-users] 2.5.STABLE3 performance issues
Tue 2007-03-13 at 11:49 -0600, Steven Engebretson wrote:
> Any ideas where I should begin my search for performance improvements? I can send copies of my .conf files to anybody interested in helping. They are large, as all of the descriptive text is still there.

Step by step, continue to the next when satisfied with the results.

1. Download speed when downloading content to the Squid server, without using the proxy.

   wget http://some.url/file

   if not satisfactory then check cabling and link negotiation capabilities. Something wrong there..

2. Download speed when downloading content to the Squid server, while using the proxy.

   http_proxy=http://localhost:3128 wget http://some.url/file

   if not satisfactory then something wrong with your Squid. Exactly what is not easy to say from this small amount of data, but verify that the proxy server isn't short on memory and swapping (quite common error).

3. Repeat 1 above, but this time while having an active transfer from the proxy server to a lan station.

   wget http://some.url/file

   while you at the same time upload large content to a local FTP server or similar, or request large content from an http or ftp server running on the Squid server.

   if not satisfactory then check cabling and link negotiation capabilities. Quite likely the network connection has been negotiated wrongly and the proxy and switch does not agree on the type of network.

   this assumes the proxy is connected with a single NIC. If multiple NICs then you need to adjust the test such that the same NIC is being used for both requests.

   For reliable results it's important that the destination where data is sent is local on the LAN. The test is of the LAN connection, not the Internet, and needs to max out the NIC transmit capability to reliably detect network errors.

Regards
Henrik
RE: [squid-users] Forwarding https request to parent proxy
Wed 2007-03-14 at 09:55 +0900, chteh wrote:
> Thanks for your reply. In the access log, there is no error message and also no log messages regarding to the https request (no connect and direct). If I remove the never_direct allow all in my squid.conf, and I make my proxy connected to Internet, then everything looks fine, both HTTP and HTTPS request is working well.

Very odd.. no other changes in the two configurations?

If nothing is logged in access.log then the browser isn't even attempting to send the request via the proxy.

> We have limited Global IPv4 address, and we already have one proxy (proxy A) existed which is connected to internet, so my intention make another private LAN and create a local proxy (proxy B) that forward everything to this parent proxy (Proxy A).

And from what you have described it should work. Done this myself many times.

Which Squid version btw?

Regards
Henrik
Re: [squid-users] NTLM Process failure in 2.5
Hello!

Guido Serassio wrote:
> At 23.51 28/02/2007, Matthew Smith wrote:
> > I am seeing very similar behaviour in squid 2.5 as what is mentioned in this bug report:
> > http://www.squid-cache.org/bugs/show_bug.cgi?id=1681
> >
> > From what I can tell, the patch was only applied to 2.6. Is this because patches are no longer issued to 2.5? Or does that specific problem only affect 2.6?
>
> Sorry, but Squid 2.5 is no more maintained.
>
> Regards
> Guido

I yanked 2.6STABLE9 from Fedora and ran it up on my box. I am seeing the same behaviour as with 2.5. All the ntlm_auth processes are all going into a reserved state (R Flag in the squidclient cache_object://127.0.0.1/ntlmauthenticator listing). Squid then dies with a

FATAL: Too many queued ntlmauthenticator requests (251 on 50)
Squid Cache (Version 2.6.STABLE9): Terminated abnormally.

From what I can tell the patch below was applied in 2.6STABLE2 - is this the case or do I need to install the patch myself?

I have a number of squid boxes using this setup at a number of sites - I have only found two sites that are behaving in this way. Is there a known ntlm client that triggers this? MSN messenger? Older versions of IE?

If I am seeing a subtly different bug, what kinds of info would you need from me to help track it down?

Thanks!
Matt Smith
RE: [squid-users] Forwarding https request to parent proxy
Dear Mr. Henrik Nordstrom,

I have upgraded my squid to be squid-2.6.STABLE9-1.fc6 and it solved my problem. I would like to say thank you to everyone in this mailing list for their help. Thanks again.

Best regards,
Simon Teh

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 14, 2007 10:14 AM
To: chteh
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Forwarding https request to parent proxy

Wed 2007-03-14 at 09:55 +0900, chteh wrote:
> Thanks for your reply. In the access log, there is no error message and also no log messages regarding to the https request (no connect and direct). If I remove the never_direct allow all in my squid.conf, and I make my proxy connected to Internet, then everything looks fine, both HTTP and HTTPS request is working well.

Very odd.. no other changes in the two configurations?

If nothing is logged in access.log then the browser isn't even attempting to send the request via the proxy.

> We have limited Global IPv4 address, and we already have one proxy (proxy A) existed which is connected to internet, so my intention make another private LAN and create a local proxy (proxy B) that forward everything to this parent proxy (Proxy A).

And from what you have described it should work. Done this myself many times.

Which Squid version btw?

Regards
Henrik