[squid-users] Blocking game sites with squid
Hi, I have to block game sites with squid and only have ACL filtering for now. So how can I do this? I don't have a URL list for game sites now.

Regards
[squid-users] sslBump Certificate Error
Dear List,

1) cd /home/user/Desktop
2) /usr/lib/ssl/misc/CA.pl -newca
3) openssl req -new -nodes -x509 -keyout ca.key -out ca.crt -days 3650
4) openssl req -new -nodes -keyout key.key -out key.req
5) openssl ca -policy policy_anything -days 3650 -out key.crt -infiles key.req

I created the certificates needed for sslBump using the process cited here: http://www.techienuggets.com/commentList.jsp?tx=48105tx=48105d-49653-p=2

In my earlier attempt I just ran steps 3, 4 and 5, which resulted in step 5 generating an error, so I had to bring in the 2nd step. It generated 5 files (ca.key, ca.crt, key.key, key.req, key.crt) and a folder named demoCA. I have already used the combinations

a) ca.crt with key.key
b) ca.crt with key.crt
c) key.crt with key.key

but was unable to succeed with the directive

https_port 3129 transparent sslBump cert= key=

resulting in a "Failed to acquire SSL certificate" error. Any ideas?

Thanks in advance,
Anand
[squid-users] Tproxy vs Squid Transparent For Gtalk
Dear List,

I don't know what the status of the gtalk binary problem is, but as I last read in the post from Amos I think the problem is not yet solved. Amos, if you have read this, I request you to comment on the present status. I was using squid3.1 for sslBump and was wondering whether Tproxy is able to solve the gtalk problem, and moreover whether it will be able to allow acl on HTTPS.

I don't have a Cisco router in my environment and I was just going through the configuration, which raised the question of what I would be using at wccp2_router y.y.y.y and, as I don't have the router, how I would be doing this:

ip wccp 80
ip wccp 90
int fasteth0 --ip wccp 80 redirect out (gateway to internet)
int fasteth1 --ip wccp 90 redirect out (my client gateway)
int fasteth3 --ip wccp redirect exclude in (squid-box attached here)

I am in an ADSL environment with the Beetel basic router cum modem, and I am trying to use my Linux machine as a router. Any ideas?

Thanks,
Anand
Re: [squid-users] stats per cache_peer
Chris Robertson wrote:
> Struzik Wojciech wrote:
>> Is it possible to get any kind of statistic per cache_peer (squid 2.7 stable7), for example: bandwidth usage, transferred data ???
>> Thanks in advance for any help :)
>
> The log analyzer scalar.awk provides statistics on hierarchy requests and traffic.
>
> Chris

Or the SNMP interface Peer table: http://wiki.squid-cache.org/Features/Snmp

Or the CacheMgr interface textual reports:

squidclient mgr:server_list

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
Re: [squid-users] Tproxy vs Squid Transparent For Gtalk
anand phulwani wrote:
> Dear List,
> I don't know what the status of the gtalk binary problem is, but as I last read in the post from Amos I think the problem is not yet solved. Amos, if you have read this, I request you to comment on the present status. I was using squid3.1 for sslBump and was wondering whether Tproxy is able to solve the gtalk problem, and moreover whether it will be able to allow acl on HTTPS.

Maybe. I'm not going to advise you to do it though. Least of all in public and writing. There are plenty of other applications to use than gtalk. Most of whom don't encrypt.

> I don't have a Cisco router in my environment and I was just going through the configuration, which raised the question of what I would be using at wccp2_router y.y.y.y and, as I don't have the router, how I would be doing this:
>
> ip wccp 80
> ip wccp 90
> int fasteth0 --ip wccp 80 redirect out (gateway to internet)
> int fasteth1 --ip wccp 90 redirect out (my client gateway)
> int fasteth3 --ip wccp redirect exclude in (squid-box attached here)

WCCP _will_not_ redirect HTTPS. By design.

> I am in an ADSL environment with the Beetel basic router cum modem, and I am trying to use my Linux machine as a router.

A Linux machine as a router can pass arbitrary packets to Squid. No WCCP or Cisco involved. Just make sure the content is the HTTP protocol format that Squid can process.

Amos
Re: [squid-users] Blocking game sites with squid
a bv wrote:
> Hi, I have to block game sites with squid and only have ACL filtering for now. So how can I do this? I don't have a URL list for game sites now.

You will need one to begin. Step one is entering the list of sites or IPs into an ACL.

Amos
Re: [squid-users] Do not cache 302 !!
Chris Robertson wrote:
> Amos Jeffries wrote:
>> Youenn Boussard wrote:
>>> Hello the list,
>>> I put this directive in my squid.conf:
>>>
>>> acl redirect rep_header Location .
>>> no_cache deny redirect
>>>
>>> So I expect that all responses with a Location header will not be cached. Or when the first url is
>>>
>>> HTTP/1.1 302 Moved Temporarily
>>> Date: Thu, 28 Jan 2010 10:42:26 GMT
>>> ...
>>> Expires: Fri, 29 Jan 2010 10:42:22 GMT
>>> Location: ...
>>> Cache-Control: max-age=86400, s-maxage=86400, public, proxy-revalidate
>>> Content-Type: text/html;charset=utf-8
>>> ...
>>> X-Cache: MISS from ...
>>> X-Cache-Lookup: MISS from ...:3128
>>> Via: 1.0 ...:3128 (squid/2.6.STABLE23)
>>>
>>> And the second:
>>>
>>> HTTP/1.1 302 Moved Temporarily
>>> Date: Thu, 28 Jan 2010 10:42:26 GMT
>>> ...
>>> Expires: Fri, 29 Jan 2010 10:42:22 GMT
>>> Location: ...
>>> Cache-Control: max-age=86400, s-maxage=86400, public, proxy-revalidate
>>> Content-Type: text/html;charset=utf-8
>>> Age: 30
>>> X-Cache: HIT from frdplirzof1
>>> X-Cache-Lookup: HIT from frdplirzof1:3128
>>> Via: 1.0 ... (squid/2.6.STABLE23)
>>>
>>> So the rule doesn't work. I don't know why?
>>
>> Does .* instead of . in the rule work better?
>
> Probably not. There appears to be a space between Location and the period.

Yeah. The squid.conf doc syntax says 'Header-Name regex-pattern' as two separate items. Which in Squid is space separated. I was just wondering if regex did something nasty and took a single . and omitted the otherwise implicit .* pre/suff-ix when a plain . was given. A single dot does work for refresh_pattern though, so no, I was thinking badly when I wrote that.

>> (Not sure myself, your version is supposed to match)
>
> Wouldn't
>
> acl redirect http_status 302
>
> work as an alternative (without the need to run the regex engine)?

Not in 2.6. That old obsolete release we don't support anymore.

Amos
Re: [squid-users] config of squid to use external proxy
Clemente Aguiar wrote:
> - Original Message -
> From: Clemente Aguiar clemente.agu...@madeiratecnopolo.pt
> To: Amos Jeffries squ...@treenet.co.nz
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] config of squid to use external proxy
> Date: Thu, 28 Jan 2010 15:15:43 +
>
> Fri, 2010-01-29 at 03:32 +1300, Amos Jeffries wrote:
>> Clemente Aguiar wrote:
>>> I want to config my transparent squid to use an external proxy (with user/password authentication) when accessing a specific set of sites.
>>>
>>> At present the situation is as follows: When I want to access a specific site, say www.example.com, I am required to set my browser proxy settings to use an external proxy, for instance proxy.external.com port 8080, and then I am required to enter a user and password. Basically the site www.example.com is only accessible through this proxy, which is external to our site.
>>>
>>> On our site we have our own squid box configured as a transparent cache (using WCCPv2), so what I would like is to be able to access www.example.com (transparently), i.e. without having to change my browser proxy settings.
>>>
>>> Can anybody help me with the squid config?
>>
>> Two possible solutions:
>>
>> 1) requires a single login using Basic auth to the parent, shared by all users of the child proxy.
>>
>> cache_peer login=Username:Password
>>
>> 2) permits a variation of usernames, but Password is not retrievable. Requires a helper that returns OK user=Foo when handed an IP address, and the parent proxy to accept the same password for all users (anonymous login with username tracking).
>>
>> external_acl_type ...
>> cache_peer ... login=PASS
>>
>> or
>>
>> external_acl_type ...
>> cache_peer ... login=*:FixedPassword
>>
>> Amos
>
> Thanks. I tried this and it seems to work. Is this correct?
>
> cache_peer proxy.external.com parent 8080 0 no-query login=user:pass
> acl example_acl dstdomain .example.com
> cache_peer_access proxy.external.com allow example_acl
> never_direct allow example_acl

Yes

Amos
Re: [squid-users] Squid, Exchange 2007 RPC, certificates and the rabbit hole
Brett Lymn wrote:
> On Fri, Jan 29, 2010 at 03:21:04AM +1300, Amos Jeffries wrote:
>> NOTE: The Squid wiki was written for Exchange 2003. I _know_ things have changed somewhat for Exchange 2007. If there is anyone out there who got this working or wants to try, _please_ let us know what to update in the wiki.
>
> Exchange 2007 seems to just work for me. I just took my working reverse proxy config that was talking to 2003 and used that to set up a reverse proxy for 2007.

Thank you. Was this with HTTPS-front-end or with full pass-thru?

Amos
Re: [squid-users] cache_peer selection
Dieter Bloms wrote:
> Hi,
>
> On Wed, Jan 27, Soporte Técnico AlemNet wrote:
>> How can I make cache_peer selection for blocks of IPs of my network?
>>
>> Example.
>> 192.168.0.xxx i want to use cache_peer 172.16.1.1
>> 192.168.1.xxx i want to use cache_peer 172.16.1.2
>> 192.168.1.xxx i want to use DIRECT
>
> This has to be done in the browser (not proxy). A proxy.pac file may help you. Have a look at http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

No Dieter. Read again.. :)

cache_peer selection by source is done with src type ACLs and cache_peer_access. As described in the FAQ and configuration file documentation:

http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://www.squid-cache.org/Doc/config/cache_peer_access/

Amos
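
[Added example, not part of any post in this thread.] A squid.conf sketch of the src ACL plus cache_peer_access approach described in the reply above. The peer addresses and the first two subnets come from the question; the peer port 3128, the ACL names and the third subnet 192.168.2.0/24 (the question lists 192.168.1.xxx twice) are assumptions.

```conf
# Source networks (net_c is an assumed third subnet; the question repeats 192.168.1.xxx)
acl net_a src 192.168.0.0/24
acl net_b src 192.168.1.0/24
acl net_c src 192.168.2.0/24

# Parent proxies; port 3128 is an assumption, ICP disabled with 0 / no-query
cache_peer 172.16.1.1 parent 3128 0 no-query
cache_peer 172.16.1.2 parent 3128 0 no-query

# Each peer accepts requests only from its own source network
cache_peer_access 172.16.1.1 allow net_a
cache_peer_access 172.16.1.1 deny all
cache_peer_access 172.16.1.2 allow net_b
cache_peer_access 172.16.1.2 deny all

# Without never_direct, Squid may still fetch directly when it judges the
# request non-hierarchical or the peer unavailable
never_direct allow net_a
never_direct allow net_b

# The third network bypasses both peers
always_direct allow net_c
```

With never_direct in place, clients in net_a or net_b get an error rather than a silent direct fetch when their peer is down, which keeps the routing policy enforceable.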
[squid-users] Squid + ldap_auth + transparent
Hi,

I configured a squid to auth against my Active Directory. It was working fine when I set the proxy manually. When I try to put it in production I get only TCP_DENIED. How can I configure it in transparent mode + ldap_auth?

This is my squid.conf: http://187.8.216.250/squid.conf

Thanks
RE: [squid-users] Squid 3.0 stable20 crash
Coredump with debugging, more to come

GNU gdb (Gentoo 7.0 p2) 7.0
This GDB was configured as x86_64-pc-linux-gnu.
Reading symbols from /usr/sbin/squid...done.
Core was generated by `/usr/sbin/squid -N -f /etc/squid/squid-fe-8082.conf'.
Program terminated with signal 11, Segmentation fault.
#0 0x004df490 in SplayNodemem_node*::start (this=Cannot access memory at address 0x7fffac383ff8 ) at ../include/splay.h:123
123 ../include/splay.h: No such file or directory.
in ../include/splay.h
(gdb) backtrace
#0 0x004df490 in SplayNodemem_node*::start (this=Cannot access memory at address 0x7fffac383ff8 ) at ../include/splay.h:123
#1 0x004df4b5 in SplayNodemem_node*::start (this=0x3fc6a9f0) at ../include/splay.h:126
#2 0x004df4b5 in SplayNodemem_node*::start (this=0x3fc6aa10) at ../include/splay.h:126
#3 0x004df4b5 in SplayNodemem_node*::start (this=0x3fc6aa30) at ../include/splay.h:126
#4 0x004df4b5 in SplayNodemem_node*::start (this=0x3fc6aa50) at
Re: [squid-users] Tproxy vs Squid Transparent For Gtalk
Dear List,

So Does That Mean Transparent Squid And Gtalk Is Not Possible As Of Now?

Thanks,
Anand
[squid-users] squid-3.1.0.15 and WCCPv1
Hello,

I am trying to upgrade my squid from 2.5 to 3.1. I have got all my old configuration working on 3.1, except... I am coming across a problem with WCCPv1.

172.16.13.56 is the address of the squid box.
172.16.13.2 is the address of the cisco router.

I have wccp_router=172.16.13.2 in my squid.conf.

squid-2.5 connects to UDP port 2048, I get replies, and everything else then works. Here is a tcpdump of the initial connection:

16:12:13.404466 IP 172.16.13.56.2048 172.16.13.2.2048: UDP, length 52
16:12:13.406764 IP 172.16.13.2.2048 172.16.13.56.2048: UDP, length 64

But, squid-3.1 looks like it is trying to connect to UDP port 0 on the cisco. Here is the equivalent tcpdump with squid-3.1:

15:59:10.093415 IP 172.16.13.56.2048 172.16.13.2.0: UDP, length 52
15:59:10.094423 IP 172.16.13.2 172.16.13.56: ICMP 172.16.13.2 udp port 0 unreachable, length

I have looked at the src/wccp.c for squid-2.5, and it is clear that the port is being set to 2048 for the connection to the router. I have also looked at the source for 2.6, 2.7 and 3.0 (src/wccp.cc for this version). In all those, it appears to be setting the port on the outgoing connection. However, in the 3.1 source, it doesn't.

Is this a bug? Has anybody got WCCPv1 working with squid-3.1?
[squid-users] Configuring Squid on a MAC
I have installed squid 3.0 on a MAC mini running Leopard 10.5.8. I would like to configure squid to act

1. as a proxy
2. as a web cache

How do I go about this? Am using webmin as a GUI tool for configuring squid.
[squid-users] Re: squid_ldap_auth with two or more domain-controllers?
Hi all,

Any hints about this question?

2010/1/11 Tom Tux tomtu...@gmail.com:
> I configured our squid to authenticate with squid_ldap_auth / squid_ldap_group against an active-directory. With the parameter -h [ip-address of domain-controller], I'm able to define one or more of our ldapservers (domain-controllers) for querying. But the setting with the specified failover-dc seems not really to work.
>
> How can I define a 2nd or a third domain-controller, if the request to the first domain-controller fails? How can I define a query-timeout?
>
> Thanks a lot.
> Tom
[squid-users] Fwd: squid_ldap_auth with two or more domain-controllers?
Hi all,

Any hints about this question? Thanks a lot.

-- Forwarded message --
From: Tom Tux tomtu...@gmail.com
Date: 2010/1/11
Subject: squid_ldap_auth with two or more domain-controllers?
To: squid-users squid-users@squid-cache.org

I configured our squid to authenticate with squid_ldap_auth / squid_ldap_group against an active-directory. With the parameter -h [ip-address of domain-controller], I'm able to define one or more of our ldapservers (domain-controllers) for querying. But the setting with the specified failover-dc seems not really to work.

How can I define a 2nd or a third domain-controller, if the request to the first domain-controller fails? How can I define a query-timeout?

Thanks a lot.
Tom
Re: [squid-users] squid-3.1.0.15 and WCCPv1
On Fri, Jan 29, 2010 at 11:35:00AM +, Graham Keeling wrote:
> Hello,
>
> I am trying to upgrade my squid from 2.5 to 3.1. I have got all my old configuration working on 3.1, except... I am coming across a problem with WCCPv1.
>
> 172.16.13.56 is the address of the squid box.
> 172.16.13.2 is the address of the cisco router.
>
> I have wccp_router=172.16.13.2 in my squid.conf.
>
> squid-2.5 connects to UDP port 2048, I get replies, and everything else then works. Here is a tcpdump of the initial connection:
>
> 16:12:13.404466 IP 172.16.13.56.2048 172.16.13.2.2048: UDP, length 52
> 16:12:13.406764 IP 172.16.13.2.2048 172.16.13.56.2048: UDP, length 64
>
> But, squid-3.1 looks like it is trying to connect to UDP port 0 on the cisco. Here is the equivalent tcpdump with squid-3.1:
>
> 15:59:10.093415 IP 172.16.13.56.2048 172.16.13.2.0: UDP, length 52
> 15:59:10.094423 IP 172.16.13.2 172.16.13.56: ICMP 172.16.13.2 udp port 0 unreachable, length
>
> I have looked at the src/wccp.c for squid-2.5, and it is clear that the port is being set to 2048 for the connection to the router. I have also looked at the source for 2.6, 2.7 and 3.0 (src/wccp.cc for this version). In all those, it appears to be setting the port on the outgoing connection. However, in the 3.1 source, it doesn't.
>
> Is this a bug? Has anybody got WCCPv1 working with squid-3.1?

Further information: I've now tried squid-3.0.STABLE21, and WCCPv1 worked fine.

Conclusion: WCCPv1 is broken in squid-3.1.

Is this the correct list to be reporting this to?
Re: [squid-users] squid-3.1.0.15 and WCCPv1
On Fri, Jan 29, 2010 at 03:59:29PM +, Graham Keeling wrote:
> On Fri, Jan 29, 2010 at 11:35:00AM +, Graham Keeling wrote:
>> Hello,
>>
>> I am trying to upgrade my squid from 2.5 to 3.1. I have got all my old configuration working on 3.1, except... I am coming across a problem with WCCPv1.
>>
>> 172.16.13.56 is the address of the squid box.
>> 172.16.13.2 is the address of the cisco router.
>>
>> I have wccp_router=172.16.13.2 in my squid.conf.
>>
>> squid-2.5 connects to UDP port 2048, I get replies, and everything else then works. Here is a tcpdump of the initial connection:
>>
>> 16:12:13.404466 IP 172.16.13.56.2048 172.16.13.2.2048: UDP, length 52
>> 16:12:13.406764 IP 172.16.13.2.2048 172.16.13.56.2048: UDP, length 64
>>
>> But, squid-3.1 looks like it is trying to connect to UDP port 0 on the cisco. Here is the equivalent tcpdump with squid-3.1:
>>
>> 15:59:10.093415 IP 172.16.13.56.2048 172.16.13.2.0: UDP, length 52
>> 15:59:10.094423 IP 172.16.13.2 172.16.13.56: ICMP 172.16.13.2 udp port 0 unreachable, length
>>
>> I have looked at the src/wccp.c for squid-2.5, and it is clear that the port is being set to 2048 for the connection to the router. I have also looked at the source for 2.6, 2.7 and 3.0 (src/wccp.cc for this version). In all those, it appears to be setting the port on the outgoing connection. However, in the 3.1 source, it doesn't.
>>
>> Is this a bug? Has anybody got WCCPv1 working with squid-3.1?
>
> Further information: I've now tried squid-3.0.STABLE21, and WCCPv1 worked fine.
>
> Conclusion: WCCPv1 is broken in squid-3.1.
>
> Is this the correct list to be reporting this to?

My squid-3.1 WCCPv1 appears to work with the attached patch that I just made.

diff -u -r1.1 wccp.cc --- src/wccp.cc 22 Dec 2009 13:54:53 - 1.1 +++ src/wccp.cc 29 Jan 2010 16:19:46 - @@ -146,6 +146,7 @@ } Config.Wccp.address.SetPort(WCCP_PORT); +Config.Wccp.router.SetPort(WCCP_PORT); theWccpConnection = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP,
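
Review bot: The added Config.Wccp.router.SetPort(WCCP_PORT); in the @@ -146,6 +146,7 @@ hunk of src/wccp.cc overwrites the router's port unconditionally, just before the comm_open_listener call, and carries no comment saying why the router address needs it. Consider setting the port only when none has been configured, and add a one-line comment noting that wccp_router is given as a bare address, so that without this line the WCCPv1 packets go to UDP port 0, as the tcpdump earlier in the thread shows (172.16.13.2.0). It would also help to state in the submission that the same configuration was tested against 3.0.STABLE21 and worked, since that narrows the regression to 3.1.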
Re: [squid-users] Restrict access to proxies by IP
Thanks Chris. I read the FAQ and saw how to limit URLs by IP but not how to authorize proxy access by ACL. Any further suggestions?

On Thu, Jan 28, 2010 at 2:06 PM, Chris Robertson crobert...@gci.net wrote:
> ad...@mynovanet.com wrote:
>> We have several clients using select proxies. Currently we authorize all users in Squid:
>>
>> acl localnet src 123.45.67.89 (user1) 123.45.67.90 (user2) 123.45.68.10 (user3)
>>
>> Then we give them each a list of proxies they may use. However, because all proxies are consecutive it is easy for them to use more proxies than they are authorized to use.
>>
>> I'm wondering if there is a way to restrict in Squid which proxies they are authorized to use.
>
> Yes. Have a look at the FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
>
>> TIA!
>
> Chris
[squid-users] squid help: https, ftp problem
Good evening squid support team,

I have problems with connections to https and ftp sites with squid :( My squid.conf file is in the attachment.

thanks to regard
david c. heitmann

# Network connections
http_port 192.168.10.10:8080
http_port 192.168.10.10:3128

# ICP protocol
icp_port 0

# Memory size
cache_mem 64 MB
ipcache_size 5000

# Log file and cache directories
cache_dir ufs /var/cache/squid 100 16 256

# Log file path
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# Process ID file
pid_filename /var/run/squid.pid

# Logging of the IP address or host name
log_fqdn on

# Admin's e-mail address
cache_mgr da...@lafourmi.de

# Default user and group
cache_effective_user squid
cache_effective_group squid

# Full host name
visible_hostname proxyfuck

# Anonymize the IP address
forwarded_for off

# AntiVirus
redirect_program /usr/bin/squidvir.pl

# Authentication via password file
auth_param basic program /usr/lib/squid/ncsa_auth /squid/users/.pass
auth_param basic realm Authentifizierung am ProxyServer Lafourmi
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 3600 seconds
authenticate_ttl 1 hour
authenticate_ip_ttl 3600 seconds
acl passwd proxy_auth REQUIRED
acl login_users proxy_auth /etc/squid/users
acl login_admin proxy_auth /etc/squid/admin

# Do not cache certain objects
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Access Control Lists (ACL)
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl laf src 192.168.10.0/255.255.255.0
acl manager proto cache_object
acl Safe_ports port 407 #login
acl SSL_ports port 443 #ssl
acl SSL_ports port 563 #snews
acl SSL_ports port 995 #rsync
acl Safe_ports port 80 #http
acl Safe_ports port 20 #ftp_up
acl Safe_ports port 21 #ftp_down
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 #https
acl Safe_ports port 563 #snews
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 66 #socks
acl Safe_ports port 110 #pop3
acl Safe_ports port 25 #smtp
acl Safe_ports port 465 #smtp
acl Safe_ports port 587 #smtp
acl Safe_ports port 143 #imap
acl Safe_ports port 993 #imap
acl Safe_ports port 631 #cups
acl Safe_ports port 1863 #msn
acl Safe_ports port 7001 #msn
acl Safe_ports port 9#msn
acl Safe_ports port 3-65535 #msn
acl Safe_ports port 5000-65535 #msn
acl Safe_ports port 1025-65535 #msn
acl Safe_ports port 1503 #msn
acl Safe_ports port 3389 #msn
acl Safe_ports port 49152-65535 #msn
acl Safe_ports port 5061 #msn
acl Safe_ports port 1025-65535 #msn
#acl PURGE method PURGE
acl CONNECT method CONNECT

# Blocked expressions
acl gesperrt url_regex -i /etc/squid/gesperrt

http_access allow login_users
http_access allow login_admin
#http_access allow PURGE localhost
http_access allow manager localhost
http_access allow laf !gesperrt
#http_access deny PURGE
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#cache_peer Firewall-Proxy parent 8080 3128
#never_direct allow all

# Exclude certain URLs
#acl banner url_regex ^http://banner[0-9]*\.z
#http_access deny banner

# Stop fetching files when the request was aborted
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
[squid-users] ICAP and ISTag header
I am wondering how the ISTag header is used by the squid 3. Will the change of the ISTag cause all cache to be invalid or just the cache of the requested url become invalid? In the code, it seems the IStag is only parsed on Options.

Thanks
Ming
--
Ming Fu | Senior Developer
WatchGuard Technologies, Inc. | www.watchguard.com
(905)-804-1855 ext 229
fm...@watchguard.com
[squid-users] Check bandwidth
Is there any way to monitor the current bandwidth in use by a user (NCSA auth) on squid?

Occasionally we get a user downloading too many videos at once, which blocks bandwidth to other users on the network. As I have no idea which user it is until the end of the day (SARG reports), we just restart the squid server to disconnect their downloads - not ideal.
[squid-users] monitor bandwidth
Is there any way to monitor the current bandwidth in use by a user (NCSA auth) on squid?

Occasionally we get a user downloading too many videos at once, which blocks bandwidth to other users on the network. As I have no idea which user it is until the end of the day (SARG reports), we just restart the squid server to disconnect their downloads - not ideal.
[squid-users] Transparent SSL proxy w/ client-side certificates
Hello all.

I have a question regarding the use of client-side certificates through a transparent SSL proxy (Squid or otherwise). Is this possible?

I've configured Squid 3.1.0.15 as a transparent SSL proxy and that works. Browsers complain about name mismatches but that's expected without dynamic cert generation. However, when I attempt to visit a URL which requires authentication via a client certificate, the resulting page from Squid shows a Read Error with the following text:

The system returned: [No Error]
An error condition occurred while reading data from the network. Please retry your request.

I don't see anything in Squid's logfiles nor do I see anything on the console. I'm running Squid in the foreground and I'm passing 'd9' for debugging information.

This is certainly not an ideal configuration but at the moment I can't change the parameters of the problem. My task is to determine whether it is possible to make such a configuration work. (I do have the luxury of disregarding the untrusted authority and name mismatch errors on the client.)

It seems plausible that since Squid is effectively a man in the middle, it could acquire the client certificate and relay that to the target to complete the request. Whether this is currently feasible in Squid is a separate matter but at a high level I can't think of an obvious problem with the basic approach.

Again, I would rather not be in the business of intercepting SSL in the first place but at the moment I can't change that.

Thanks in advance for any thoughts.

Regards,
Damon
[squid-users] Squid complaining of not able to find libssl.so.
Hi Forum,

I am facing this weird issue in starting squid. I have squid compiled with ssl enabled:

$ ./configure --enable-ssl --with-openssl=/usr/local/ssl
$ make
$ make install

The compilation all works fine, but when I execute squid it complains of not being able to find libssl.so.0.9.8. This is despite the fact that the mentioned library is there on the system, with the dir properly appended to LD_LIBRARY_PATH:

$ locate libssl.so.0.9.8
/home/rnair/squid_files/openssl-0.9.8b/libssl.so.0.9.8
/lib/libssl.so.0.9.8
/lib/libssl.so.0.9.8e
/lib64/libssl.so.0.9.8e
/usr/local/ssl/lib/libssl.so.0.9.8
$ echo $LD_LIBRARY_PATH
/lib:/lib64:/usr/lib:/usr/lib64:/usr/local/lib:/usr/local/ssl/lib
$ /usr/local/squid/sbin/squid -C -d1 -f /home/rnair/squid_files/squid.conf
(squid): error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
$ (squid): error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
(squid): error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
(squid): error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
(squid): error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory

I know this is more of an environment issue, but can somebody enlighten me why squid is not able to find the lib despite the library being present there?

Regards,
Rajesh Nair