[squid-users] Re: parent problem - TCP_MISS/403 from parent
I suspect, you might have some statement like never_direct / always_direct in the squid.conf of first squid with some ACL, which does not match any more. To get a clear picture, pls publish both of actual squid.conf, anonymized. -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/parent-problem-TCP-MISS-403-from-parent-tp4667444p4667445.html Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] squid yum install
On 08/29/2014 07:33 AM, Lawrence Pingree wrote:
> Does anyone know who builds the latest versions of squid RPMs for Opensuse? I would love to upgrade but can't.

I have a build node for opensuse and I will add it to the build list for next week.

Eliezer
[squid-users] Open StoreID http interface from ngtech.
Inspired by unveiltech.com I have tried to write a StoreID http interface and to try to help cache\de-duplicate a couple of websites.

The helpers I have written can be found at:
http://www1.ngtech.co.il/squid/storeid/ng-storeid.pl
http://www1.ngtech.co.il/squid/storeid/ng-storeid.py
http://www1.ngtech.co.il/squid/storeid/ng-storeid.rb

The interface supports keep-alive http connections if you want to use it in your helper. The helpers use concurrency and only with concurrency.

Example settings for storeid in squid:

#START
store_id_program /opt/storeid/ng-storeid.rb
store_id_children 25 startup=10 idle=5 concurrency=50
acl storeiddoms dstdomain .youtube.com .googlevideo.com .vimeo.com .media-imdb.com
store_id_access allow storeiddoms !CONNECT
store_id_access deny all
refresh_pattern -i ^http:\/\/[a-zA-Z0-9\-\_\.]+\.squid\.internal\/.* 3600 95% 86400 reload-into-ims ignore-reload ignore-no-store ignore-private
#END

About the service:
- The service is not guaranteed to provide what you want or need.
- The service is in testing\debugging state for now and until future notice.
- The service is gathering information for analysis and statistics.
- The service is open for anyone to use with some certain basic constraints of the hardware and spare bandwidth of the service provider.
- Keep in mind that for now there is DOS monitoring on the service and you can get white-listed via email request.
- The service is not 100% bullet proof and might go down for maintenance at the first stages of operation. (An updated helper with failure detection and crash prevention will be provided later.)
- The service does not and will not ever help to de-duplicate\cache or analyze inappropriate content in any form or format.

In the case you want me to analyze a specific website for StoreID compatibility feel free to contact me via my email and I will provide you with the changes needed for the purpose of analyzing it (not promising it is possible for any website).

Any comments are more than just welcomed,
Eliezer Croitoru
[squid-users] Fwd: access.log destinatin server ip
-- Forwarded message --
From: Manuel Ramirez Montero manuel.rami...@grupoica.com
Date: 2014-08-29 13:40 GMT+02:00
Subject: access.log destinatin server ip
To: squid-users@squid-cache.org

Hi,

first of all I would like to excuse my limited English. I'm a newbie with Squid and I need to see in the access.log the destination server ip. My squid version is 2.7. I have this logformat directive:

logformat ipdestino %a %ui %un [%tl] %A %rm %ru HTTP/%rv %Hs %st %Ss:%Sh
cache_access_log /logs_squid/access.log ipdestino

With this logformat I see the destination ip but sometimes, in some log lines, this value is not shown:

10.23.11.243 - user[29/Aug/2014:13:23:33 +0200] - GET http://www.cassa.cat/taps/templates/business_pro/images/s5_scroll_arrow.png HTTP/1.1 304 324 TCP_IMS_HIT:NONE
10.23.11.243 - user [29/Aug/2014:13:23:33 +0200] 37.152.88.16 GET http://www.cassa.cat/taps/templates/business_pro/js/s5_columns_equalizer.js HTTP/1.1 304 261 TCP_MISS:DIRECT

What is the reason in the first line the destination ip is not displayed and in the next line yes?

Thanks in advance
Regards
Re: [squid-users] Fwd: access.log destinatin server ip
On Friday 29 August 2014 at 13:43:27 (EU time), Manuel Ramirez Montero wrote:
> Hi,
>
> 10.23.11.243 - user[29/Aug/2014:13:23:33 +0200] - GET http://www.cassa.cat/taps/templates/business_pro/images/s5_scroll_arrow.png HTTP/1.1 304 324 TCP_IMS_HIT:NONE
> 10.23.11.243 - user [29/Aug/2014:13:23:33 +0200] 37.152.88.16 GET http://www.cassa.cat/taps/templates/business_pro/js/s5_columns_equalizer.js HTTP/1.1 304 261 TCP_MISS:DIRECT
>
> What is the reason in the first line the destination ip is not displayed and in the next line yes?

The first line shows TCP_IMS_HIT:NONE meaning that the required object was found in the local cache and returned to the client from there, and no connection was made to the remote server, therefore there is no IP address to show having been contacted.

The second line shows TCP_MISS:DIRECT meaning that there was no matching object found in the local cache, and the content was requested directly from the remote server, therefore the IP address of the server which was contacted is shown.

Regards,
Antony.

--
Ramdisk is not an installation procedure.
Please reply to the list; please *don't* CC me.
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
29.08.2014 15:34, Dmitry Melekhov wrote:
> 29.08.2014 10:45, babajaga wrote:
>> I suspect, you might have some statement like never_direct / always_direct in the squid.conf of first squid with some ACL, which does not match any more. To get a clear picture, pls publish both of actual squid.conf, anonymized.
>
> Well, in this case there will be just no requests to parent, right? Anyway, configs are attached.

Sorry, configs are too large... :-( I can't attach them here :-(

So main question is: if I see request on external squid, then never_direct or always_direct are not responsible, right?
Re: [squid-users] Fwd: access.log destinatin server ip
Ok thank you so much. Will I see only this field empty when the object is in the local cache or may it happen in other situations, like if the destination ip is in the ip address cache?

thanks

2014-08-29 13:53 GMT+02:00 Antony Stone antony.st...@squid.open.source.it:
> On Friday 29 August 2014 at 13:43:27 (EU time), Manuel Ramirez Montero wrote:
>> Hi,
>>
>> 10.23.11.243 - user[29/Aug/2014:13:23:33 +0200] - GET http://www.cassa.cat/taps/templates/business_pro/images/s5_scroll_arrow.png HTTP/1.1 304 324 TCP_IMS_HIT:NONE
>> 10.23.11.243 - user [29/Aug/2014:13:23:33 +0200] 37.152.88.16 GET http://www.cassa.cat/taps/templates/business_pro/js/s5_columns_equalizer.js HTTP/1.1 304 261 TCP_MISS:DIRECT
>>
>> What is the reason in the first line the destination ip is not displayed and in the next line yes?
>
> The first line shows TCP_IMS_HIT:NONE meaning that the required object was found in the local cache and returned to the client from there, and no connection was made to the remote server, therefore there is no IP address to show having been contacted.
>
> The second line shows TCP_MISS:DIRECT meaning that there was no matching object found in the local cache, and the content was requested directly from the remote server, therefore the IP address of the server which was contacted is shown.
>
> Regards,
> Antony.
>
> --
> Ramdisk is not an installation procedure.
> Please reply to the list; please *don't* CC me.
[squid-users] Re: parent problem - TCP_MISS/403 from parent
Yes. You might also try on inner squid.conf:

cache_peer 127.0.0.1 parent 8092 0 no-digest no-query no-netdb-exchange

assuming, you only have one upstream proxy. Outer squid.conf should have NO intercept/transparent in http_port.
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
29.08.2014 16:21, babajaga wrote:
> Yes. You might also try on inner squid.conf:
>
> cache_peer 127.0.0.1 parent 8092 0 no-digest no-query no-netdb-exchange

I get the same TCP_MISS/403 on parent with this :-(

> assuming, you only have one upstream proxy. Outer squid.conf should have NO intercept/transparent in http_port.

Yes, sure, as I wrote it works if I connect to outer squid from browser, it just doesn't want to process request from another squid.

I tried to reverse havp config, and it processes requests from havp, really from internal squid+havp.

Looks very strange: it somehow knows that these requests are from squid and doesn't want to forward them...
Re: [squid-users] Fwd: access.log destinatin server ip
Thanks again Antony

2014-08-29 14:26 GMT+02:00 Antony Stone antony.st...@squid.open.source.it:
> On Friday 29 August 2014 at 14:15:32 (EU time), Manuel Ramírez wrote:
>> Ok thank you so much. Will I see only this field empty when the object is in the local cache or may it happen in other situations, like if the destination ip is in the ip address cache?
>
> There is no IP address cache.
>
> Basically, you will see a destination server IP address if a destination server was contacted. You will not see an IP address if a destination server was not contacted.
>
> Reasons for not contacting a destination server might include the object being in the local cache (as in this example) or the request being passed to another proxy (which then decides whether to contact the destination server itself, but this proxy definitely doesn't).
>
>> 2014-08-29 13:53 GMT+02:00 Antony Stone antony.st...@squid.open.source.it:
>>> On Friday 29 August 2014 at 13:43:27 (EU time), Manuel Ramirez Montero wrote:
>>>> Hi,
>>>>
>>>> 10.23.11.243 - user[29/Aug/2014:13:23:33 +0200] - GET http://www.cassa.cat/taps/templates/business_pro/images/s5_scroll_arrow.png HTTP/1.1 304 324 TCP_IMS_HIT:NONE
>>>> 10.23.11.243 - user [29/Aug/2014:13:23:33 +0200] 37.152.88.16 GET http://www.cassa.cat/taps/templates/business_pro/js/s5_columns_equalizer.js HTTP/1.1 304 261 TCP_MISS:DIRECT
>>>>
>>>> What is the reason in the first line the destination ip is not displayed and in the next line yes?
>>>
>>> The first line shows TCP_IMS_HIT:NONE meaning that the required object was found in the local cache and returned to the client from there, and no connection was made to the remote server, therefore there is no IP address to show having been contacted.
>>>
>>> The second line shows TCP_MISS:DIRECT meaning that there was no matching object found in the local cache, and the content was requested directly from the remote server, therefore the IP address of the server which was contacted is shown.
>
> --
> What is this talk of software release? Our software evolves and matures until it is capable of escape, leaving a bloody trail of designers and quality assurance people in its wake.
> Please reply to the list; please *don't* CC me.
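
An added example, not part of any post in this thread: a small audit script that parses access.log lines in the layout quoted above and reports, per line, whether a server address was logged and why it may be absent, following the explanation given in the replies. The field order is taken from the two quoted lines; the DEFAULT_PARENT line and the truncated line are constructed samples, and the "review" label for lines that fit none of the explained cases is an assumption of this example.

```python
import re
from collections import Counter

# Field order as seen in the two log lines quoted in the thread:
# client ident user [time] server method url HTTP/ver status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>[^\s\[]+)\s*"  # "user[" may lack a space
    r"\[(?P<time>[^\]]+)\]\s+(?P<server>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"HTTP/(?P<version>\S+)\s+(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["server"] = None if rec["server"] == "-" else rec["server"]
    return rec

def classify(rec):
    """Say why a server address is or is not present, following the thread."""
    if rec["server"] is not None:
        return "server contacted"
    if rec["hier"] == "NONE":
        return "answered without upstream"
    if "PARENT" in rec["hier"] or "SIBLING" in rec["hier"]:
        return "passed to another proxy"
    return "review: no address logged"  # e.g. DIRECT with an empty server field

def summarize(lines):
    """Count classifications; unparseable lines are counted, not dropped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts[classify(rec) if rec else "unparsed"] += 1
    return counts

SAMPLE = [
    # The two lines quoted in the thread.
    "10.23.11.243 - user[29/Aug/2014:13:23:33 +0200] - GET http://www.cassa.cat/taps/templates/business_pro/images/s5_scroll_arrow.png HTTP/1.1 304 324 TCP_IMS_HIT:NONE",
    "10.23.11.243 - user [29/Aug/2014:13:23:33 +0200] 37.152.88.16 GET http://www.cassa.cat/taps/templates/business_pro/js/s5_columns_equalizer.js HTTP/1.1 304 261 TCP_MISS:DIRECT",
    # Constructed lines (not from the thread): a parent-proxy fetch and a truncated record.
    "10.23.11.50 - alice [29/Aug/2014:13:24:01 +0200] - GET http://example.com/index.html HTTP/1.1 200 5120 TCP_MISS:DEFAULT_PARENT",
    "10.23.11.50 - alice [29/Aug/2014:13:24:02 +0200] - GET",
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{n:3d}  {label}")
```

Counting unparseable lines separately keeps truncated or malformed records visible during a log review instead of silently dropping them.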
Re: [squid-users] Squid 3.3.13 is available
Hello,

will this be available as rpm for CentOS 6.x?

Thanks,
Walter

On 27.08.2014 18:40, Amos Jeffries wrote:
> The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.3.13 release!
>
> This release is a security fix release resolving a major vulnerability found in the prior Squid releases.
>
> REMINDER: This and older releases are already deprecated by Squid-3.4 availability.
>
> The major changes to be aware of:
>
> * CVE-2014-3609 : SQUID-2014:2 Denial of service in request processing
>   http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
>
> This vulnerability allows any client who is allowed to use the proxy to perform a denial of service attack on Squid. This issue is particularly impacting reverse-proxy installations. A simple squid.conf workaround is available for quick use and those unable to upgrade. See the Advisory notice for details.
>
> See the ChangeLog for the full list of changes in this and earlier releases.
>
> All users are urged to upgrade as soon as possible.
>
> Please remember to run squid -k parse when testing upgrade to a new version of Squid. It will audit your configuration files and report any identifiable issues the new release will have in your installation before you press go. We are still removing the infamous Bungled Config halting points and adding checks, so if something is not identified please report it.
>
> Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.3/RELEASENOTES.html when you are ready to make the switch to Squid-3.3
>
> Upgrade tip: squid -k parse is starting to display even more useful hints about squid.conf changes.
>
> This new release can be downloaded from our HTTP or FTP servers
>   http://www.squid-cache.org/Versions/v3/3.3/
>   ftp://ftp.squid-cache.org/pub/squid/
>   ftp://ftp.squid-cache.org/pub/archive/3.3/
> or the mirrors. For a list of mirror sites see
>   http://www.squid-cache.org/Download/http-mirrors.html
>   http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
>   http://bugs.squid-cache.org/
>
> Amos Jeffries

--
Mit freundlichen Grüßen, Best regards, Mes salutations distinguées,
Ing. Walter Höhlhubmer
Lederergasse 47a/7
A-4020 Linz a. d. Donau
Austria / EUROPE
[+43 664 951 83 72]
Re: [squid-users] Squid 3.3.13 is available
Hey Walter,

This is the plan for now. It will probably happen next week.

Eliezer

On 08/29/2014 03:46 PM, Walter H. wrote:
> Hello,
>
> will this be available as rpm for CentOS 6.x?
>
> Thanks,
> Walter
[squid-users] Re: parent problem - TCP_MISS/403 from parent
I remember a bug, I detected in my favourite squid2.7, also in a sandwiched config, with another proxy in between: It was not possible to have both squids listen on 127.0.0.1:a/b; had to use 127.0.0.1:a; 127.0.0.2:b

To be pragmatic: What's the purpose of having two squids directly coupled? Why not to use just one?
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
On 29.08.2014 18:17, babajaga wrote:
> I remember a bug, I detected in my favourite squid2.7, also in a sandwiched config, with another proxy in between: It was not possible to have both squids listen on 127.0.0.1:a/b; had to use 127.0.0.1:a; 127.0.0.2:b

That's what I have: one listens on 8090, another one on 8092. So this is not the problem.

What I can't understand now is what the difference is between the firefox request, which works, and the squid request, on which squid says that it is missed. I have to look into traffic :-)

> To be pragmatic: What's the purpose of having two squids directly coupled?

At least three :-)

first, afaik, icap doesn't check cached content, so first squid can cache, second checks for viruses.
second, authentication: first squid is for users, so it requires auth, second doesn't, it's practical for logging reasons.
third, first squid has redirector, so users can be banned from pron ;-) , second not.

> Why not to use just one?
Re: [squid-users] Fwd: access.log destinatin server ip
Have you considered using the Squid native log format instead of the Apache common web server log format?

Squid native format is designed for logging information about both client and server.

Amos
[squid-users] Re: source address ip spoofing
Hi Amos,

You're right. That was the reason of my question here. I thought maybe there is a way to do it and I don't see it. The drive behind this question is related to the illegal activities that some users can perform behind the proxy coverage. We wanted to avoid storage of access logs but keep the network design we use now.

Thank you for all the details and the help,
Julian
RE: [squid-users] squid yum install
Awesome! Thank you. Will that roll into their prod repositories?

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Friday, August 29, 2014 1:46 AM
To: squid-users@squid-cache.org
Cc: Lawrence Pingree
Subject: Re: [squid-users] squid yum install

On 08/29/2014 07:33 AM, Lawrence Pingree wrote:
> Does anyone know who builds the latest versions of squid RPMs for Opensuse? I would love to upgrade but can't.

I have a build node for opensuse and I will add it to the build list for next week.

Eliezer
[squid-users] Forward Proxy Mode HTTPS Connect with invalid server certificate
Dear Team!

My problem is about using squid in the forward proxy mode: Squid Version 3.3.8 under openSUSE 13.1 in conjunction with squidguard.

In general everything works well. But if any client in our LAN tries to connect to an https site that has an invalid server certificate (the URL of the cert is other than the URL of the site) the proxy refuses the connection. If the cert is valid everything is OK.

What is the reason and how should I configure squid to use invalid certs, because we must use it for our webmail-server, which is on a server-farm, which has other certs than our website.

Thanks
E. Deffner