Re: [squid-users] SSL bumping (again)
On 14/07/2014 5:29 p.m., Eugene M. Zheganin wrote:
> Hi.
>
> On 12.07.2014 14:16, Amos Jeffries wrote:
>> Sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3966
>>
>> PS. 3.3 series will never get this fix. It is on the TODO list for a 3.4.7 porting attempt, but the volatile SSL-bump related infrastructure in Squid in recent years makes it unlikely to succeed.
>
> Thanks, I applied the patch, but for some reason neither the original patch nor the modified one works for me (and I'm sure I did apply the patch, because the additional code is present in the gadgets.cc). Still getting same error.
>
> Can someone confirm that the patch still fixes this ?
>
> Eugene.

I believe it works for the author and one other. They may speak up here.

Can you try building the 3.4.6 daily update package labelled r13157 (or later) which should be available in a few hrs.

Amos

Re: [squid-users] Host header forgery policy
On 15/07/2014 6:23 a.m., Edwin Marqe wrote:
> Hi Eliezer,
>
> I understand that, but this is pretty much the point of my e-mail. In my company we don't work with servers installed physically here, instead, we rent servers to a company. We use 2 nameservers for our clients, and the IT company uses others and additionally they don't allow to change them and they're restricted to their net... So I don't know what else can I do.

If there is a fully controlled routing path between your and the supplier's networks you can arrange for policy routing to route the port 80 packets to their proxy where the NAT can happen.

Otherwise you require some form of tunnel over which the packets can be transferred without altering the IP level address:port details on the packets. GRE, VPN, stunnel, ssh are the four common methods of doing that.

(NP: I have just updated the Host forgery wiki page to mention tunnels as alternative to policy routing, sorry that was an oversight).

I also have an experimental patch underway to support the Haproxy designed PROXY protocol. If you can convince the supplier to patch their Squid proxy with it you could set up a haproxy on your network to do the capture and relay through them.

> We don't have a specific configuration for the google.com DNS entry, so I don't really know why Squid says it's pointing to a local address.

Because you are using NAT on the packets. DNAT re-writes the destination-IP:port to the ones you select.

Squid on a remote box has no access to the kernel's internal NAT table of the machine doing the NAT. That is required to identify that this was actually a NAT'd packet, and what the original details are. Therefore to avoid the security vulnerability we must assume that the destination IP is correct (it's not) when validating.

Squid acts transparent and connects to that IP whenever Host fails to validate (which it always will in this case) so that at worst the client can still get through to where it would connect without Squid having done anything. In your case that means connecting to itself ... and things barf.

Amos

[squid-users] Confusing external acl, reply_body_max_size and EXT_LOG combo issue
Hi,

I'm having some confusing trouble with an external acl based reply_body_max_size setup, but only when the ext_log is brought into things.

I have an external acl setup as such:

    external_acl_type response_size_type ttl=300 children-startup=2 children-idle=1 children-max=10 %URI %EXT_LOG %TAG python max_file_size_ext_acl.py

which is used to check against some external data to cache the response for the reply_body_max_size directive to use, an example of which is this:

    acl response_size_31 external response_size_type 31 10.0.1.26
    http_access allow response_size_31
    reply_body_max_size 31 MB response_size_31

Now this works perfectly fine, no issues whatsoever, until the external acl alters the EXT_LOG (and passes it back); pretty much any alteration to the ext_log data causes squid to basically ignore the answer it gets back from the external acl and continue on. The external acl can take in the ext_log and pass it untouched out the other side with no issues too, so it doesn't appear to be simply the fact it's passing the ext_log back.

I'm really stumped as to what's going on here, any help would be appreciated.

Cameron Charles

Re: [squid-users] Confusing external acl, reply_body_max_size and EXT_LOG combo issue
On 15/07/2014 7:04 p.m., Cameron Charles wrote:
> Hi,
>
> I'm having some confusing trouble with an external acl based reply_body_max_size setup, but only when the ext_log is brought into things.
>
> I have an external acl setup as such:
>
>     external_acl_type response_size_type ttl=300 children-startup=2 children-idle=1 children-max=10 %URI %EXT_LOG %TAG python max_file_size_ext_acl.py
>
> which is used to check against some external data to cache the response for the reply_body_max_size directive to use, an example of which is this:
>
>     acl response_size_31 external response_size_type 31 10.0.1.26
>     http_access allow response_size_31
>     reply_body_max_size 31 MB response_size_31
>
> Now this works perfectly fine, no issues whatsoever, until the external acl alters the EXT_LOG (and passes it back); pretty much any alteration to the ext_log data causes squid to basically ignore the answer it gets back from the external acl and continue on. The external acl can take in the ext_log and pass it untouched out the other side with no issues too, so it doesn't appear to be simply the fact it's passing the ext_log back.
>
> I'm really stumped as to what's going on here, any help would be appreciated.
>
> Cameron Charles

What's going on here is that reply_body_max_size is a fast ACL. So ACLs like external require a pre-cached helper response if they are going to match at all.

When the helper is executed in http_access there is no EXT_LOG value (or TAG by the way). So the helper is being called with %URI - -.

On the reply_body_max_size the http_access has already been called. So the helper cache is checked for the lookup, but this time using the EXT_LOG value given by the previous lookup. Which probably does not exist in the cache.

This workaround may work for you, it calls the helper twice in http_access where the lookup using log entry value can be waited on:

    http_access allow response_size_31 response_size_31

Amos

Re: [squid-users] Problem to set up multi-cpu multi-ports squid 3.3.12
On 15/07/2014 5:42 a.m., Patrick Chemla wrote:
> Hey Eliezer,
>
> Happy to read you.
>
> What do you call rock as cache_dir?

cache_dir of type rock. But that is not relevant here.

> Here is squid -kparse

Besides lots of warnings about config file directives that need to be updated...

> 2014/07/14 17:11:33 kid1| commBind: Cannot bind socket FD 14 to [::]: (2) No such file or directory

... means Squid has access permission issues opening the SHM / shared memory UDS sockets.

Amos

Re: [squid-users] Problem to set up multi-cpu multi-ports squid 3.3.12
Hi Eliezer,

I have disabled SELINUX, doesn't help.

shm partition is mounted OK from beginning

I can't find basic_data.sh, nor on my disk after install of squid package or sources, nor using google.

I am trying to compile squid-3.4.6 to add rock cache type (not included by default) but I get errors with crypto and ssl libraries:

    Making all in anyp
    make[3] : on entre dans le répertoire « /usr/local/src/squid-3.4.6/src/anyp »
    /bin/sh ../../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I../../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie -march=native -std=c++11 -c -o PortCfg.lo PortCfg.cc
    libtool: compile: g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I../../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -march=native -std=c++11 -c PortCfg.cc -fPIC -DPIC -o .libs/PortCfg.o
    In file included from ../../src/anyp/PortCfg.h:9:0,
                     from PortCfg.cc:2:
    ../../src/ssl/gadgets.h:32:9: error: 'SSL_METHOD' does not name a type
     typedef SSL_METHOD * ContextMethod;
     ^
    In file included from ../../src/anyp/PortCfg.h:9:0,
                     from PortCfg.cc:2:
    ../../src/ssl/gadgets.h:76:40: error: variable or field 'X509_free_cpp' declared void
     CtoCpp1(X509_free, X509 *)
     ^
    ../../src/ssl/gadgets.h:76:40: error: 'X509' was not declared in this scope
    ../../src/ssl/gadgets.h:76:47: error: 'a' was not declared in this scope
     CtoCpp1(X509_free, X509 *)
     ^
    ../../src/ssl/gadgets.h:77:24: error: 'X509' was not declared in this scope
     typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
     ^
    ../../src/ssl/gadgets.h:77:30: error: 'X509_free_cpp' was not declared in this scope
     typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;

Do you have an idea?

Thanks
Patrick

On 14/07/2014 22:03, Eliezer Croitoru wrote:
> On 07/14/2014 08:42 PM, Patrick Chemla wrote:
>> Hey Eliezer,
>>
>> Happy to read you.
>>
>> What do you call rock as cache_dir?
>
> Squid uses cache_dir to store objects on disk. If you don't know what it is I will refer you to the configuration pages: http://www.squid-cache.org/Doc/config/cache_dir/
>
> Your basic issue is related to SHM and/or selinux. You can use the basic_data.sh script to get most of the needed information about your system and the issue.
>
> You need to first disable selinux or use permissive mode. Then make sure you have a SHM partition mounted. Only then squid will work with SMP support.
>
> Good Luck,
> Eliezer

Re: [squid-users] Re: Problem to set up multi-cpu multi-ports squid 3.3.12
Thanks for help.

The problem is that I can have some external IPs and hundreds ports for each IP on the same box.

Up to now, I am using virtual machines for IPs and I route the ip:ports with iptables to the right VM (hundreds ports each). There one squid instance is listening to 128 ports (squid limit). It works very well.

Some customers want more power, so I need to give some VMs more cpus (I have), and run more than one squid process on the same hundreds ports.

Designing loadbalanced configuration with iptables, or frontend/backend with squid for incoming hundreds ports, will get to thousands ports inside. It is possible I think, but building the configurator is something tiny.

Also, configurations can change while in production with squid -k reconfigure for thousands ports.

Of course I can split the ports to separate squid instances, and limit each port traffic.

I need to think well about the solution.

Patrick

On 15/07/2014 00:24, babajaga wrote:
> Besides SMP, there is still the old fashioned option of multiple instances of squid, in a sandwich config. http://wiki.squid-cache.org/MultipleInstances
>
> Besides described port rotation, you can set up 3 squids, for example: one frontend, just doing ACLs and request dispatching (carp), and 2 backends, with real caching. This variant has the advantage avoiding double caching, which might happen in the port rotation alternative.
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-to-set-up-multi-cpu-multi-ports-squid-3-3-12-tp4666906p4666915.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] 502 Bad Gateway
Hi Eliezer,

I have found the solution. I have changed the option forwarded_for from "off" to "delete" and now it's working (option via off was ok).

I have resolved also the problem with streaming video (06/17/2014 11:55 AM).

Thank you
Maurizio

Re: [squid-users] problem streaming video
Resolved.

Setting option:

    via off
    forwarded_for delete

Best regards,
Maurizio

Re: [squid-users] 502 Bad Gateway
On 15/07/2014 1:14 a.m., ama...@tin.it wrote:
> Hello
>
> I have a problem with
> - squid-3.3.9
> - squid-3.4.5
>
> but NO problem with:
> - squid-2.7.stable9
> - without proxy
>
> I have tested with firefox 24.6 and ie explorer 8.0.
>
> On browser the error displayed is:
>
> The following error was encountered while trying to retrieve the URL: http://www.regione.lombardia.it/
>
> Read Error
>
> The system returned: (104) Connection reset by peer

This domain seems to be amongst the set which crash if they happen to encounter any one of many valid X-Forwarded-For header contents.

    X-Forwarded-For: 127.0.0.1,127.0.0.1
    X-Forwarded-For: ::1
    X-Forwarded-For: unknown

Amos

[squid-users] Squid 3.4 very high cpu usage
I've seen a February thread about this problem, but it seems that it never reached a consensus.

I've just tried to migrate from 3.3.12 to 3.4.6, but almost instantly got timeout problems and 100% cpu usage by squid process. I'm using kerberos auth and external_ldap_group helpers, ssl bump, config will be attached below. Any caching (memory or on-disk) is disabled during compile-time:

    ./configure \
      --prefix=/opt/squid \
      --sysconfdir=/etc/squid \
      --disable-loadable-modules \
      --disable-wccp \
      --disable-wccpv2 \
      --disable-eui \
      --disable-htcp \
      --disable-select \
      --disable-poll \
      --with-pthreads \
      --disable-storeio \
      --disable-disk-io \
      --disable-removal-policies \
      --enable-delay-pools \
      --disable-useragent-log \
      --disable-referer-log \
      --enable-ssl \
      --enable-ssl-crtd \
      --disable-cache-digests \
      --enable-icap-client \
      --disable-snmp \
      --disable-ident-lookups \
      --enable-auth \
      --enable-auth-basic=LDAP,PAM \
      --enable-auth-ntlm=smb_lm \
      --enable-auth-negotiate=kerberos \
      --enable-auth-digest=LDAP,file \
      --enable-external-acl-helpers=LDAP_group \
      --enable-zph-qos \
      --with-openssl \
      --disable-ipv6

Any ideas? Thanks in advance

    debug_options ALL,1 rotate=1
    logfile_rotate 0
    cache_mgr ad...@domain.ru
    visible_hostname squid.domain.ru
    http_port 10.1.16.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/etc/squid/ssl/ca-squid.domain.ru.pem options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/ssl/dh2048.pem cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    cache_effective_user squid
    cache_effective_group squid

    # ICAP ACL
    acl icap_whitelisted dstdomain /etc/squid/lists/icap_domains_whitelisted.txt

    # ICAP scanning
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_connect_timeout 1 second
    icap_preview_enable on
    icap_preview_size 1024
    icap_206_enable on
    icap_persistent_connections on
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req deny icap_whitelisted
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp deny icap_whitelisted
    adaptation_access service_resp allow all

    forwarded_for delete
    httpd_suppress_version_string on

    ### Error messages ###
    error_directory /etc/squid/errors/ru

    ### Cache options ###
    cache_mem 1024 MB
    cache deny all

    auth_param basic program /opt/squid/libexec/basic_pam_auth -n squid -t 300 -o
    auth_param basic children 30 startup=5 idle=5
    auth_param basic credentialsttl 10800 seconds
    auth_param basic realm squid.domain.ru
    #auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s HTTP/squid.domain...@domain.ru
    auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
    auth_param negotiate children 100 startup=10 idle=10
    auth_param negotiate keep_alive on
    authenticate_cache_garbage_interval 1 hour
    authenticate_ttl 1 hour

    external_acl_type squid_ldap ttl=30 negative_ttl=30 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b OU=Users,DC=domain,DC=ru -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://192.168.192.18 -v 3 -S -K -f ((sAMAccountName=%u)(memberOf=%g))
    acl proxy_full_access external squid_ldap CN=proxy_full_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
    acl proxy_email_access external squid_ldap CN=proxy_email_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
    acl proxy_hr_access external squid_ldap CN=proxy_hr_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
    acl proxy_no_access external squid_ldap CN=proxy_no_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
    acl proxy_no_access_expired external squid_ldap CN=Expired_Passwords,OU=Groups,DC=domain,DC=ru

    ### Delay Pools ###
    delay_pools 1
    delay_class 1 4
    delay_access 1 deny all
    delay_parameters 1 -1/-1 -1/-1 -1/-1 8000/16000

    ### File lists ###
    include /etc/squid/lists.conf

    ### File ACLs ###
    ## Lists ##
    acl lists_block_dom dstdomain /etc/squid/lists/domains_blocked.txt
    acl lists_fun_dom dstdomain /etc/squid/lists/domains_fun.txt
    acl lists_job_dom dstdomain /etc/squid/lists/domains_job.txt

    ## Custom Lists ##
    acl domains_whitelisted dstdomain /etc/squid/lists/domains_whitelisted.txt
    acl domains_ssl_direct dstdomain /etc/squid/lists/domains_ssl_direct.txt
    acl domains_mail dstdomain /etc/squid/lists/domains_mail.txt
    acl domains_no_auth dstdomain /etc/squid/lists/domains_no_auth.txt
    acl ip_ssl_direct dst /etc/squid/lists/ip_ssl_direct.txt

    # SSL exceptions
    acl domains_ssl_error dstdomain

Re: [squid-users] Squid 3.4 very high cpu usage
Try without delay_pool or at least without CONNECT method and delay_pool Fred
Re: [squid-users] Squid 3.4 very high cpu usage
delay_pools are not used at all (delay_access 1 deny all), I'll try to remove them completely, but as 3.3 works fine I doubt that'll help.

On 15.07.2014 19:01, FredB wrote:
> Try without delay_pool or at least without CONNECT method and delay_pool
>
> Fred

[squid-users] Three questions about Squid configuration
Hi there!

It's been years I haven't played around with squid so I wanted to make a simple configuration just to see whether I remember the basic things, and I found two problems:

I'm running:

    # squid3 -v
    Squid Cache: Version 3.3.8

1) My configuration is the default that the package provides, I just added another http_port, so now I got:

    http_port 3128
    http_port 3127 intercept

Afterwards, I setup a REDIRECT iptables rule to make anything coming to port 8080 be redirected to one of these 2 ports. If I redirect it to port 3128, everything works fine, squid actually behaves as a transparent proxy applying the http_access and acl rules correctly. But if I redirect it to port 3127, any request results in a 111 Connection refused error. This is the only one rule in my iptables, so it cannot be related to some rules misconfiguration.

    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 312X

I enabled debugging via the -d flag, there's absolutely nothing regarding to these requests. The access log shows the request like this:

    1405450438.913 0 origin.ip TCP_MISS/503 3487 GET http://www.devels.es/ - HIER_DIRECT/machine.public.ip text/html

So at this point, my questions are 2:

1.1) What could be causing this behavior?

1.2) If the default redirect port (3128) works as a transparent proxy (intercept), then what's the concept difference between both configurations?

2) There are some websites using SSL that I cannot reach using squid, resulting in a 110 Connection timed out error. One of them is Facebook:

    pi@rpi ~ $ telnet machine.public.ip 8080
    Trying machine.public.ip...
    Connected to machine.public.ip.
    Escape character is '^]'.
    CONNECT www.facebook.com:443
    HTTP/1.1 503 Service Unavailable
    Server: squid/3.3.8
    Mime-Version: 1.0
    Date: Tue, 15 Jul 2014 19:00:23 GMT
    Content-Type: text/html
    Content-Length: 3085
    X-Squid-Error: ERR_CONNECT_FAIL 110
    Vary: Accept-Language
    Content-Language: en
    [...]
    <p id="sysmsg">The system returned: <i>(110) Connection timed out</i></p>
    <p>The remote host or network may be down. Please try the request again.</p>
    [...]
    Connection closed by foreign host.

However, from the server which hosts squid, I can make a wget or curl request to facebook. I even installed the same version of squid on a local virtual machine over my computer just to test and it works, replicating exactly the same both squid and iptables config.

What could be the cause of this?

Thanks for the help!

Regards,
Nicolás

[squid-users] Monitoring bandwidth usage: good and bad news
Hi there,

As stated in another thread, using the access log format st seems ineffective to measure upload bandwidth to things like Google Drive. Amos stated that this could be related to a CONNECT issue.

Is anyone aware of this issue? Is there a bug report?

Now the good news: I'm collecting data from squidclient mgr:usage, and all attributes client.*kbytes_in/out and the server ones seem to be correct, and accounting for HTTPS downloads and uploads.

Is anyone aware of a ready-to-use monitoring tool that uses squidclient for those metrics?

[]s,
Fernando Lozano

[squid-users] Re: Three questions about Squid configuration
Regarding first issue:

Have a look here for a correct solution: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource

    #Example for squid and NAT on same machine:
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3128
    #Replace SQUIDIP with the public IP which squid may use for its listening port and outbound connections.

You are redirecting port 8080 ... That means, you have a proxy explicitly set up in the browser. Do not do this for transparent squid. That's the purpose of the setup :-)

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Three-questions-about-Squid-configuration-tp4666931p4666933.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] Re: Three questions about Squid configuration
Thanks! That would indeed cover the first issue :-)

I initially used redirect because somewhere I read that it's not a good idea forwarding the traffic directly to the port where squid listens and it should be pointed to another port instead and then redirected. However, working as this, it would be enough to set a firewall policy to permit just the client range of IPs.

Let's see whether I can solve the second issue too...

Regards!

On 15/07/2014 21:21, babajaga wrote:
> Regarding first issue:
>
> Have a look here for a correct solution: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
>
>     #Example for squid and NAT on same machine:
>     iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3128
>     #Replace SQUIDIP with the public IP which squid may use for its listening port and outbound connections.
>
> You are redirecting port 8080 ... That means, you have a proxy explicitly set up in the browser. Do not do this for transparent squid. That's the purpose of the setup :-)

Re: [squid-users] Confusing external acl, reply_body_max_size and EXT_LOG combo issue
Thanks a lot, this workaround does indeed work, once the ACL itself was modified to not alter the EXT_LOG the second time around. If I'm understanding correctly, when an acl result is cached the ext_log it was passed is also cached essentially as part of the key used to look up the result in the cache. Why is this done that way and is there a way to disable this feature, if it's not key to squid functionality in a way I'm missing?

Cameron Charles
Level 1, 61 Davey St, Hobart, TAS, 7000.
Phone: (03) 6165 1554
Fax: (03) 6165 1550
www.getbusi.com

On 15 July 2014 17:40, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 15/07/2014 7:04 p.m., Cameron Charles wrote:
>> Hi,
>>
>> I'm having some confusing trouble with an external acl based reply_body_max_size setup, but only when the ext_log is brought into things.
>>
>> I have an external acl setup as such:
>>
>>     external_acl_type response_size_type ttl=300 children-startup=2 children-idle=1 children-max=10 %URI %EXT_LOG %TAG python max_file_size_ext_acl.py
>>
>> which is used to check against some external data to cache the response for the reply_body_max_size directive to use, an example of which is this:
>>
>>     acl response_size_31 external response_size_type 31 10.0.1.26
>>     http_access allow response_size_31
>>     reply_body_max_size 31 MB response_size_31
>>
>> Now this works perfectly fine, no issues whatsoever, until the external acl alters the EXT_LOG (and passes it back); pretty much any alteration to the ext_log data causes squid to basically ignore the answer it gets back from the external acl and continue on. The external acl can take in the ext_log and pass it untouched out the other side with no issues too, so it doesn't appear to be simply the fact it's passing the ext_log back.
>>
>> I'm really stumped as to what's going on here, any help would be appreciated.
>>
>> Cameron Charles
>
> What's going on here is that reply_body_max_size is a fast ACL. So ACLs like external require a pre-cached helper response if they are going to match at all.
>
> When the helper is executed in http_access there is no EXT_LOG value (or TAG by the way). So the helper is being called with %URI - -.
>
> On the reply_body_max_size the http_access has already been called. So the helper cache is checked for the lookup, but this time using the EXT_LOG value given by the previous lookup. Which probably does not exist in the cache.
>
> This workaround may work for you, it calls the helper twice in http_access where the lookup using log entry value can be waited on:
>
>     http_access allow response_size_31 response_size_31
>
> Amos

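The cache behaviour described in this thread, together with the follow-up finding that the helper must not change EXT_LOG on its second call, as an added example (a simplified Python model written for this page, not Squid's code and not from any poster). It assumes the result cache is keyed on the expanded `%URI %EXT_LOG %TAG` line plus the acl arguments; the helper functions, the `max=31;` log value and the URL are constructed.

```python
"""Simplified model of the external ACL result cache (illustration only).

Assumptions, taken from the explanation in the thread:
  * the cache key is the expanded format line (%URI %EXT_LOG %TAG) plus the
    arguments given on the acl line;
  * http_access is a "slow" check and may wait for the helper;
  * reply_body_max_size is a "fast" check and can only use a cached result;
  * a log value returned by the helper becomes the request's EXT_LOG.
Cache expiry (ttl=300) is left out.
"""


class Request:
    def __init__(self, uri):
        self.uri = uri
        self.ext_log = "-"  # unset fields reach the helper as "-"
        self.tag = "-"


class ExternalAcl:
    def __init__(self, helper, acl_args):
        self.helper = helper  # callable(uri, ext_log, tag, args) -> (ok, log)
        self.acl_args = acl_args
        self.cache = {}
        self.helper_calls = 0

    def check(self, req, slow):
        key = (req.uri, req.ext_log, req.tag, self.acl_args)
        if key not in self.cache:
            if not slow:
                return False  # fast check: nothing cached, so no match
            self.helper_calls += 1
            self.cache[key] = self.helper(req.uri, req.ext_log, req.tag,
                                          self.acl_args)
        ok, log = self.cache[key]
        if log is not None:
            req.ext_log = log  # changes the key used by the next lookup
        return ok


def helper_passthrough(uri, ext_log, tag, args):
    """Constructed helper: matches and leaves EXT_LOG alone."""
    return True, None


def helper_always_rewrites(uri, ext_log, tag, args):
    """Constructed helper: appends to EXT_LOG on every call."""
    base = "" if ext_log == "-" else ext_log
    return True, base + "max=31;"


def helper_rewrites_once(uri, ext_log, tag, args):
    """Constructed helper: sets EXT_LOG once, then returns it unchanged."""
    if "max=" in ext_log:
        return True, ext_log
    return True, "max=31;"


def run(helper, http_access_checks):
    """Return (does reply_body_max_size match?, number of helper calls)."""
    acl = ExternalAcl(helper, ("31", "10.0.1.26"))
    req = Request("http://example.test/big.iso")  # constructed URL
    for _ in range(http_access_checks):
        acl.check(req, slow=True)           # ACL named in http_access
    return acl.check(req, slow=False), acl.helper_calls


if __name__ == "__main__":
    for name, helper, n in [
        ("untouched EXT_LOG, ACL listed once", helper_passthrough, 1),
        ("rewritten EXT_LOG, ACL listed once", helper_always_rewrites, 1),
        ("rewritten every call, ACL listed twice", helper_always_rewrites, 2),
        ("rewritten once only, ACL listed twice", helper_rewrites_once, 2),
    ]:
        print(name, "->", run(helper, n))
```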
RE: [squid-users] problem streaming video
I have found that although RFCs state that you should have VIA and forwarded for headers, firewalls and intrusion detection devices are now blocking (based on their configuration of the organization) proxies that are detected using these headers as the method for detection.

Best regards,
The Geek Guy

Lawrence Pingree
http://www.lawrencepingree.com/resume/

Author of The Manager's Guide to Becoming Great
http://www.Management-Book.com

-----Original Message-----
From: ama...@tin.it [mailto:ama...@tin.it]
Sent: Tuesday, July 15, 2014 1:46 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] problem streaming video

Resolved.

Setting option:

    via off
    forwarded_for delete

Best regards,
Maurizio