Re: [squid-users] Squid giving (21) Is a directory error
Hey Ricardo,

Squid 2.7 has not been under maintenance for a very long time and it's recommended to use newer versions such as 3.3 at least. The 3.4.5 version of squid is production ready, but since there are new features inside this branch some may not feel comfortable using this new code untested in their environment.

I recommend that on any transition from an old version to a new version you first make a test to verify that all your needs are compatible with the newer version. You can always ask here for guidance about testing and verification to make sure you are not alone in the process.

What OS are you using? What kernel? Note that many already use 3.4.5 and can compare your version to theirs. For me Google works, and many other sites. It seems like an unusual issue which needs further testing. Let's try to first fill in the missing details about the environment.

Eliezer

On 05/15/2014 07:56 AM, Ricardo Lucca wrote:
> Hi there,
>
> I recently installed the squid and I tried the minimal configuration in a virtual machine. The squid gives access to other machine, but it keeps failing with an error (21) Is a directory when I tried to access the www.google.com.br. I replaced the version 3.4.5 with the version 3.2 and 3.1 and all get the same error. The version 2.7 worked well. Can it be my configuration mistake or is it a bug? I used the squid.conf.default that came in the source.
>
> I managed to get the log of this error:
>
>     2014/05/13 19:14:00.603| comm.cc(1114) connect: to 173.194.42.183:80
>     2014/05/13 19:14:00.603| comm_connect_addr: connecting socket 12 to 173.194.42.183:80 (want family: 2)
>     2014/05/13 19:14:00.603| comm_connect_addr: sock=12, addrinfo( flags=4, family=2, socktype=1, protocol=6, addr=0x112ff70, addrlen=16 )
>     2014/05/13 19:14:00.603| connect FD 12: (-1) (21) Is a directory
>     2014/05/13 19:14:00.603| connecting to: 173.194.42.183:80
>     2014/05/13 19:14:00.603| comm.cc(1147) connect: FD 12: * - try again
>
> I compiled this version of the squid myself running:
>
>     $ ./configure --enable-ssl --disable-ipv6
>     make
>
> Another question, is the version 3.4.5 suitable for production use? Or is the use of version 2.7 still recommended?
>
> Thanks
Re: [squid-users] Unhandled exception: c
On 15/05/2014 7:37 a.m., Alex Crow wrote:
> Hi,
>
> Is this any good at all or do I need to provide more? It seems a trivial issue to restart a browser but the bigwigs are climbing all over me now!
>
> Cheers
>
> Alex
>
> On 12/05/14 16:22, Alex Crow wrote:
>> Hi Amos,
>>
>> New backtrace - I hope this helps!
>>
>>     #3 0x005279d1 in CbcPointer<ConnStateData>::operator-> (this=<value optimized out>) at base/CbcPointer.h:147
>>         c = <value optimized out>
>>     #4 0x0057238e in FwdState::initiateSSL (this=0x80f14ba8) at forward.cc:827
>>         hostname = 0x80e6d7e8 secure.flashtalking.com
>>         isConnectRequest = <value optimized out>
>>         peer = <value optimized out>
>>         fd = 812
>>         __FUNCTION__ = initiateSSL
>>         peeked_cert = <value optimized out>
>>         ssl = 0x940e87e0
>>         sslContext = <value optimized out>
>>     #5 0x005725e3 in FwdState::connectDone (this=0x80f14ba8, conn=..., status=<value optimized out>, xerrno=0) at forward.cc:895
>>         __FUNCTION__ = connectDone

Bit of a strange trace there. It is in forward.cc which does not exist in any 3.3 or later release of Squid. Correlating to your info about it being 3.2.11. But is using variables isConnectRequest and peeked_cert which only exist in the 3.HEAD releases of Squid.

So your Squid is patched in the area of code crashing. Time to direct this bug at the vendor who backported that patch for you.

Amos
[squid-users] Fwd: Squid never (s)quits
Hi guys,

(I understand squid has two processes, the second one for a control process.)

I cannot get squid to stop with ..squid3 stop. Cache.log simply says Squid is already running! Process ID . Killing the processes manually works fine. Parsing my conf file shows no errors. Is there something else I can check? It's not a massive problem as -k -reconfigure works fine.

Thanks!

Nico
Re: [squid-users] Fwd: Squid never (s)quits
What is the command you have used to try to shut down squid and what OS are you using?

Eliezer

On 05/15/2014 01:24 PM, Nico Snyman wrote:
> Hi guys,
>
> (I understand squid has two processes, the second one for a control process.)
>
> I cannot get squid to stop with ..squid3 stop. Cache.log simply says Squid is already running! Process ID . Killing the processes manually works fine. Parsing my conf file shows no errors. Is there something else I can check? It's not a massive problem as -k -reconfigure works fine.
>
> Thanks!
>
> Nico
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
> Hi Eliezer,
>
> I have an updated version of my policy file. It prevents an AVC when stopping or reloading squid. Hope you noticed the wrong name for the original file: it was supposed to be squid-*smp*.te, not squid-*snmp*.te. :-)
>
> Here's the new file:
>
> --- squid-smp.te ---
> module squid-smp 1.1;
>
> # for ipc channels between kids/workers
> require {
>     type var_run_t;
>     type squid_t;
>     class sock_file { create write unlink };
> }
>
> allow squid_t var_run_t:sock_file { create write unlink };
> allow squid_t var_run_t:sock_file create;
>
> # for shm used by cache_mem and rock store(?)
> require {
>     type squid_t;
>     type tmpfs_t;
>     class dir { remove_name add_name write };
>     class file { unlink create };
> }
>
> allow squid_t tmpfs_t:dir { remove_name write add_name };
> allow squid_t tmpfs_t:file { unlink create };
> --- end of squid-snmp.te ---
>
> I have not tested it with squid development releases (3.5) only with your 3.4.x rpms. But please write me if you need any help with SELinux in the future. I'm not an expert, but as I do have to use it in enforcing mode, I'll probably get the same issues.
>
> []s, Fernando Lozano

Hey Fernando,

First, thanks! It indeed helps a lot since there were issues I didn't know how to look at. I am hoping to release the RPM next week but I will include the selinux rules only in the next release due to the overhead of packing it. I might be able to package it in another external package not related directly to the squid package, which seems reasonable to me.

About the ulimit related issue: it's an option to use sysconfig for this option and I will consider it in the next releases.

Eliezer
Re: [squid-users] Fwd: Squid never (s)quits
Squid version: squid3-3.3.8
Ubuntu 13.10 inside Virtualbox 4.3.6

On Thu, May 15, 2014 at 1:07 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
> What is the command you have used to try to shut down squid and what OS are you using?
>
> Eliezer
>
> On 05/15/2014 01:24 PM, Nico Snyman wrote:
>> Hi guys,
>>
>> (I understand squid has two processes, the second one for a control process.)
>>
>> I cannot get squid to stop with ..squid3 stop. Cache.log simply says Squid is already running! Process ID . Killing the processes manually works fine. Parsing my conf file shows no errors. Is there something else I can check? It's not a massive problem as -k -reconfigure works fine.
>>
>> Thanks!
>>
>> Nico
Re: [squid-users] Squid giving (21) Is a directory error
Hi there,

    $ uname -a
    Linux localhost 3.2.54 #1 SMP Mon Apr 7 12:40:28 GMT 2014 x86_64 GNU/Linux

The gcc version is 4.7.1.

Ricardo Lucca

On Thu, May 15, 2014 at 3:54 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
> Hey Ricardo,
>
> Squid 2.7 has not been under maintenance for a very long time and it's recommended to use newer versions such as 3.3 at least. The 3.4.5 version of squid is production ready, but since there are new features inside this branch some may not feel comfortable using this new code untested in their environment.
>
> I recommend that on any transition from an old version to a new version you first make a test to verify that all your needs are compatible with the newer version. You can always ask here for guidance about testing and verification to make sure you are not alone in the process.
>
> What OS are you using? What kernel? Note that many already use 3.4.5 and can compare your version to theirs. For me Google works, and many other sites. It seems like an unusual issue which needs further testing. Let's try to first fill in the missing details about the environment.
>
> Eliezer
>
> On 05/15/2014 07:56 AM, Ricardo Lucca wrote:
>> Hi there,
>>
>> I recently installed the squid and I tried the minimal configuration in a virtual machine. The squid gives access to other machine, but it keeps failing with an error (21) Is a directory when I tried to access the www.google.com.br. I replaced the version 3.4.5 with the version 3.2 and 3.1 and all get the same error. The version 2.7 worked well. Can it be my configuration mistake or is it a bug? I used the squid.conf.default that came in the source.
>>
>> I managed to get the log of this error:
>>
>>     2014/05/13 19:14:00.603| comm.cc(1114) connect: to 173.194.42.183:80
>>     2014/05/13 19:14:00.603| comm_connect_addr: connecting socket 12 to 173.194.42.183:80 (want family: 2)
>>     2014/05/13 19:14:00.603| comm_connect_addr: sock=12, addrinfo( flags=4, family=2, socktype=1, protocol=6, addr=0x112ff70, addrlen=16 )
>>     2014/05/13 19:14:00.603| connect FD 12: (-1) (21) Is a directory
>>     2014/05/13 19:14:00.603| connecting to: 173.194.42.183:80
>>     2014/05/13 19:14:00.603| comm.cc(1147) connect: FD 12: * - try again
>>
>> I compiled this version of the squid myself running:
>>
>>     $ ./configure --enable-ssl --disable-ipv6
>>     make
>>
>> Another question, is the version 3.4.5 suitable for production use? Or is the use of version 2.7 still recommended?
>>
>> Thanks
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
On Thu, May 15, 2014 at 8:08 PM, ferna...@lozano.eti.br wrote:
> I have not tested it with squid development releases (3.5) only with your 3.4.x rpms. But please write me if you need any help with SELinux in the future. I'm not an expert, but as I do have to use it in enforcing mode, I'll probably get the same issues.

Not answering this thread, but would like to ask some related points for anyone who may be listening in:

1. RPMs.

For practically everything else, I use RPMs for installation. For Squid, I've moved away from this approach. Standard RPMs still provide only 3.1.10. Non-standard RPMs, you have no idea where the next one is coming from, or whether it suits your needs. If you compile-your-own, you get the version you want, anytime you want. Plus it is very useful to add the odd debugs here and there to narrow down any issues, if nothing more. And have the flexibility of having different versions in different /usr/local directories to upgrade/downgrade anytime you want (or more specifically if you need to).

2. SELinux

With Squid, normally you don't let end-users on the same server. If you don't have end-users on the same server, from a technical point of view, SELinux doesn't add value. If you have end-users on the same box, you probably have other issues to deal with first.
[squid-users] logformat and timestamp in 3.4.5
Hi all,

In 3.4.4 I was using this in my logformat

    %{%Y-%m-%d %H:%M}tl

to show my timestamps info like:

    2014-05-15 11:59

That doesn't work anymore in 3.4.5 and it shows me the default timestamp:

    15/May/2014:11:56:32 -0300

Can someone help me to solve this issue?
Re: [squid-users] Unhandled exception: c
Hi

Thanks for that. This is odd because I compiled .debs myself from the source using the debian folder from an older version of squid as a template. I'm pretty sure I cleaned out the debian/patches folder and removed the lines in the rules file before building, but I will check this.

Alex

On 15/05/14 08:06, Amos Jeffries wrote:
> On 15/05/2014 7:37 a.m., Alex Crow wrote:
>> Hi,
>>
>> Is this any good at all or do I need to provide more? It seems a trivial issue to restart a browser but the bigwigs are climbing all over me now!
>>
>> Cheers
>>
>> Alex
>>
>> On 12/05/14 16:22, Alex Crow wrote:
>>> Hi Amos,
>>>
>>> New backtrace - I hope this helps!
>>>
>>>     #3 0x005279d1 in CbcPointer<ConnStateData>::operator-> (this=<value optimized out>) at base/CbcPointer.h:147
>>>         c = <value optimized out>
>>>     #4 0x0057238e in FwdState::initiateSSL (this=0x80f14ba8) at forward.cc:827
>>>         hostname = 0x80e6d7e8 secure.flashtalking.com
>>>         isConnectRequest = <value optimized out>
>>>         peer = <value optimized out>
>>>         fd = 812
>>>         __FUNCTION__ = initiateSSL
>>>         peeked_cert = <value optimized out>
>>>         ssl = 0x940e87e0
>>>         sslContext = <value optimized out>
>>>     #5 0x005725e3 in FwdState::connectDone (this=0x80f14ba8, conn=..., status=<value optimized out>, xerrno=0) at forward.cc:895
>>>         __FUNCTION__ = connectDone
>
> Bit of a strange trace there. It is in forward.cc which does not exist in any 3.3 or later release of Squid. Correlating to your info about it being 3.2.11. But is using variables isConnectRequest and peeked_cert which only exist in the 3.HEAD releases of Squid.
>
> So your Squid is patched in the area of code crashing. Time to direct this bug at the vendor who backported that patch for you.
>
> Amos
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
On 05/15/2014 04:29 PM, csn233 wrote:
> 2. SELinux
>
> With Squid, normally you don't let end-users on the same server. If you don't have end-users on the same server, from a technical point of view, SELinux doesn't add value. If you have end-users on the same box, you probably have other issues to deal with first.

You are right about it but note that squid is a tiny service which allows and provides cache. There are many places which a proxy on a mainframe is there to help enforce couple policies and allowing access to resources that otherwise cannot be accessed. So for a 40+- CPUs\cores(real) system that can let more than 100 people have a nice desktop with good performance for work purposes (no videos). So indeed in many cases the proxy admin is the only one that works on it but this is not the whole world.

Eliezer
[squid-users] Intercept HTTPS without using certificates - Just apply a QoS on the connexion
Hi there,

I need to install squid to apply a QoS in a private network with the delay pool. In fact, this network offers a public WIFI, so it's not possible to configure a proxy on clients. Is it possible to intercept HTTPS connexion, apply a Delay Pool and forward the request without deciphering the SSL packet?

Thanks!

-- Antoine KLEIN
Re: [squid-users] Intercept HTTPS without using certificates - Just apply a QoS on the connexion
On 15/05/14 14:59, Antoine Klein wrote:
> Hi there,
>
> I need to install squid to apply a QoS in a private network with the delay pool. In fact, this network offers a public WIFI, so it's not possible to configure a proxy on clients. Is it possible to intercept HTTPS connexion, apply a Delay Pool and forward the request without deciphering the SSL packet?

I really don't think that's possible. Anyway, you can always use your Linux (or whatever OS you're using) QoS tools to achieve something similar to delay pools but on NATted connections. You can have squid intercepting TCP/80 connections and apply delay pools, the TCP/443 (and all other indeed) connections can be throttled by QoS SO tools.

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br
My SPAMTRAP, do not email it
Re: [squid-users] Intercept HTTPS without using certificates - Just apply a QoS on the connexion
Ok thanks, it could be a good idea!

Do you know if we can apply a QoS with the bucket concept of delay pool using the Linux QoS Tools?

2014-05-15 14:41 GMT-04:00 Leonardo Rodrigues leolis...@solutti.com.br:
> On 15/05/14 14:59, Antoine Klein wrote:
>> Hi there,
>>
>> I need to install squid to apply a QoS in a private network with the delay pool. In fact, this network offers a public WIFI, so it's not possible to configure a proxy on clients. Is it possible to intercept HTTPS connexion, apply a Delay Pool and forward the request without deciphering the SSL packet?
>
> I really don't think that's possible. Anyway, you can always use your Linux (or whatever OS you're using) QoS tools to achieve something similar to delay pools but on NATted connections. You can have squid intercepting TCP/80 connections and apply delay pools, the TCP/443 (and all other indeed) connections can be throttled by QoS SO tools.
>
> --
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
> Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br
> My SPAMTRAP, do not email it

-- Antoine KLEIN
Re: [squid-users] Intercept HTTPS without using certificates - Just apply a QoS on the connexion
Hi,

Welcome to the practically incomprehensible world of QoS on Linux - look up LARTC and then feel the fear!

It's really powerful but even after 14 years of managing Linux gateways I still prefer you just use shorewall to take away the complexity - and you are welcome to call me lazy ;-)

Alex

On 15/05/14 20:04, Antoine Klein wrote:
> Ok thanks, it could be a good idea!
>
> Do you know if we can apply a QoS with the bucket concept of delay pool using the Linux QoS Tools?
>
> 2014-05-15 14:41 GMT-04:00 Leonardo Rodrigues leolis...@solutti.com.br:
>> On 15/05/14 14:59, Antoine Klein wrote:
>>> Hi there,
>>>
>>> I need to install squid to apply a QoS in a private network with the delay pool. In fact, this network offers a public WIFI, so it's not possible to configure a proxy on clients. Is it possible to intercept HTTPS connexion, apply a Delay Pool and forward the request without deciphering the SSL packet?
>>
>> I really don't think that's possible. Anyway, you can always use your Linux (or whatever OS you're using) QoS tools to achieve something similar to delay pools but on NATted connections. You can have squid intercepting TCP/80 connections and apply delay pools, the TCP/443 (and all other indeed) connections can be throttled by QoS SO tools.
>>
>> --
>> Atenciosamente / Sincerely,
>> Leonardo Rodrigues
>> Solutti Tecnologia
>> http://www.solutti.com.br
>> Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br
>> My SPAMTRAP, do not email it
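
The shaping suggested in this thread for TCP/443, sketched as an added example that is not part of any poster's message: a shell function that turns delay-pool style numbers (restore in bytes per second, max bucket size in bytes) into tc HTB commands, where HTB's rate and burst play the roles of restore and max. The interface name eth1 and the figures 64000/128000 are assumptions, and the result is one shared bucket for all HTTPS replies over IPv4, not a per-client bucket.

```shell
#!/bin/sh
# Added example, not from the thread. It only prints tc commands so they can be
# reviewed first; it changes nothing on the system by itself.
# Assumptions: DEV is the LAN/WiFi-facing interface (replies from HTTPS servers
# leave through it towards clients) and DEV has no root qdisc configured yet.

# tc_rules_for_https DEV RESTORE MAX
#   RESTORE  refill rate in bytes per second (like restore in delay_parameters)
#   MAX      bucket size in bytes            (like max in delay_parameters)
tc_rules_for_https() {
    if [ "$#" -ne 3 ]; then
        echo "usage: tc_rules_for_https DEV RESTORE_BYTES_PER_SEC MAX_BYTES" >&2
        return 2
    fi
    dev=$1 restore=$2 max=$3

    # The interface name ends up on a command line: accept plain names only.
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $dev" >&2; return 2 ;;
    esac
    # Positive decimal integers only (no leading zero, so no octal surprises).
    for n in "$restore" "$max"; do
        case $n in
            ''|0*|*[!0-9]*) echo "not a positive integer: $n" >&2; return 2 ;;
        esac
    done

    rate_bits=$((restore * 8))   # tc's "bit" suffix means bits per second

    # 1) HTB root qdisc with no default class: unmatched traffic is not shaped.
    echo "tc qdisc add dev $dev root handle 1: htb"
    # 2) One class acting as the bucket: refill = rate, depth = burst (bytes).
    echo "tc class add dev $dev parent 1: classid 1:20 htb rate ${rate_bits}bit ceil ${rate_bits}bit burst ${max}b cburst ${max}b"
    # 3) Send TCP (IP protocol 6) packets with source port 443 to that class.
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport 443 0xffff flowid 1:20"
}

# Constructed sample values: 64000 bytes/s refill, 128000 byte bucket, on eth1.
tc_rules_for_https eth1 64000 128000
```

The printed commands need root to take effect; `tc qdisc del dev eth1 root` removes the shaping again.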
Re: [squid-users] Unhandled exception: c
Grr, I apologise profusely. The server does run 3.3.11, *not* 3.2.11. Had a couple of nights being woken up by our devs asking about DNS...

However - I just downloaded squid-3.3.12-20140309-r12678, unpacked it, and see this:

    root@user-ThinkPad-T61p:/home/user/Downloads/squid-3.3.12-20140309-r12678# find -name forward.cc
    ./src/forward.cc

So the source file still exists in 3.3.11, and is referenced in Makefile.in/.am:

    root@user-ThinkPad-T61p:/home/user/Downloads/squid-3.3.12-20140309-r12678# grep -r forward.cc *
    ChangeLog: - Bug 3111: Mid-term fix for the forward.cc err assertion
    src/Makefile.in:forward.cc forward.h fqdncache.h fqdncache.cc ftp.h ftp.cc \
    src/Makefile.in:forward.cc fqdncache.h fqdncache.cc ftp.h ftp.cc gopher.h \
    src/Makefile.in:FileMap.h filemap.cc forward.cc fqdncache.h fqdncache.cc ftp.h \
    src/Makefile.in:FileMap.h filemap.cc forward.cc fqdncache.h fqdncache.cc ftp.h \
    src/Makefile.in:tests/stub_fatal.cc fd.h fd.cc fde.cc forward.cc fqdncache.h \
    src/Makefile.in:forward.cc fqdncache.h fqdncache.cc ftp.h ftp.cc gopher.h \
    src/Makefile.in:forward.cc fqdncache.h fqdncache.cc ftp.h ftp.cc gopher.h \
    src/Makefile.in:FileMap.h filemap.cc forward.cc forward.h fqdncache.h \
    src/Makefile.in:forward.cc \
    src/Makefile.in:forward.cc \
    src/Makefile.in:forward.cc \
    src/Makefile.in:forward.cc \
    src/Makefile.in:forward.cc \
    src/Makefile.in:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \
    src/Makefile.am:forward.cc \

Again I'm sorry about giving you the wrong version, but I'm really scratching my head now as you did say that forward.cc should not be used in 3.3. However I've also done this:

    root@user-ThinkPad-T61p:/home/user/Downloads/squid-3.3.12-20140309-r12678# grep -ri isconnectreq *
    src/forward.cc:const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip
    src/forward.cc:if (request->flags.sslPeek && !isConnectRequest) {
    src/forward.cc:const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip
    src/forward.cc:if (!request->flags.sslPeek || isConnectRequest)
    src/client_side.cc:const bool isConnectRequest = !port->spoof_client_ip && !port->intercepted;
    src/client_side.cc:if (intendedDest.IsAnyAddr() || isConnectRequest)

and the isConnectRequest is still there!

Am I really missing something here? Do I need to adjust my debian rules file or similar?

Cheers

Alex

On 15/05/14 17:51, Alex Crow wrote:
> Hi
>
> Thanks for that. This is odd because I compiled .debs myself from the source using the debian folder from an older version of squid as a template. I'm pretty sure I cleaned out the debian/patches folder and removed the lines in the rules file before building, but I will check this.
>
> Alex
>
> On 15/05/14 08:06, Amos Jeffries wrote:
>> On 15/05/2014 7:37 a.m., Alex Crow wrote:
>>> Hi,
>>>
>>> Is this any good at all or do I need to provide more? It seems a trivial issue to restart a browser but the bigwigs are climbing all over me now!
>>>
>>> Cheers
>>>
>>> Alex
>>>
>>> On 12/05/14 16:22, Alex Crow wrote:
>>>> Hi Amos,
>>>>
>>>> New backtrace - I hope this helps!
>>>>
>>>>     #3 0x005279d1 in CbcPointer<ConnStateData>::operator-> (this=<value optimized out>) at base/CbcPointer.h:147
>>>>         c = <value optimized out>
>>>>     #4 0x0057238e in FwdState::initiateSSL (this=0x80f14ba8) at forward.cc:827
>>>>         hostname = 0x80e6d7e8 secure.flashtalking.com
>>>>         isConnectRequest = <value optimized out>
>>>>         peer = <value optimized out>
>>>>         fd = 812
>>>>         __FUNCTION__ = initiateSSL
>>>>         peeked_cert = <value optimized out>
>>>>         ssl = 0x940e87e0
>>>>         sslContext = <value optimized out>
>>>>     #5 0x005725e3 in FwdState::connectDone (this=0x80f14ba8, conn=..., status=<value optimized out>, xerrno=0) at forward.cc:895
>>>>         __FUNCTION__ = connectDone
>>
>> Bit of a strange trace there. It is in forward.cc which does not exist in any 3.3 or later release of Squid. Correlating to your info about it being 3.2.11. But is using variables isConnectRequest and peeked_cert which only exist in the 3.HEAD releases of Squid.
>>
>> So your Squid is patched in the area of code crashing. Time to direct this bug at the vendor who backported that patch for you.
>>
>> Amos
[squid-users] Re: Squid in a WiFi Captive portal scenario
Not yet, but as I heard about this stuff, at least for apple, looks like I am forced to have a look at it soon.