On Mon, 2018-01-15 at 13:48 -0700, Alex Rousskov wrote:
>
> That statement does not compute in the current context: A transparent
> proxy has many disadvantages over a forward/explicit proxy,
Sure. But it has advantages also.
> but both
> transparent and forward/explicit proxies have
On Mon, 2018-01-15 at 12:26 -0700, Alex Rousskov wrote:
>
> What about the transparent proxy part?
I already have that, but that is becoming more or less useless in the
everything-https world we are heading towards since you can't
transparently proxy https. AFAIU.
> if Squid closed a CONNECT
On Mon, 2018-01-15 at 10:56 -0700, Alex Rousskov wrote:
> On 01/15/2018 08:40 AM, Brian J. Murrell wrote:
> > On Fri, 2018-01-12 at 21:34 -0700, Alex Rousskov wrote:
> > > In that case, there are two HTTP connections in play:
> > >
> > > 1. An HTTP conn
On Mon, 2018-01-15 at 16:06 +, Rafael Akchurin wrote:
> Hello Brian,
Hi,
> *but* the same 200 of tabs loads just fine from FF and the same Squid
> on the same machine at the same time - so might be a Chrome
> issue/architecture?
Interesting. I'm not sure how I would do it, but it would be
On Fri, 2018-01-12 at 21:34 -0700, Alex Rousskov wrote:
> In that case, there are two HTTP
> connections
> in play:
>
> 1. An HTTP connection from the client to the origin server.
By this do you mean to say there is a connection from the client,
through the proxy server to the origin server?
On Sat, 2018-01-13 at 13:15 +1300, Amos Jeffries wrote:
>
> What do you mean "not available for?
I mean, will not actually result in a persistent connection -- a socket
that is reused for multiple HTTP transactions. I suppose for CONNECT
it would mean either multiple CONNECTs within a single
I am noticing that my Squid 3.5.20 installation is not utilizing
persistent connections with a Chrome browser user. My Squid
configuration is not disabling the default status of persistent
connections being enabled.
I can see Chrome including "Proxy-Connection: keep-alive" in its
request and
On Mon, 2015-06-15 at 06:47 +1200, Amos Jeffries wrote:
1)
I have confirmed my suspicion that your IPv6 routing is a bit broken.
I'm not sure I agree with you entirely on that (more below)...
The IPv6 address is in a private IP range fc00::/7.
Oh damn. It's a ULA address. I did not even
On Sat, 2015-06-13 at 21:49 +1200, Amos Jeffries wrote:
On 12/06/2015 11:48 p.m., Brian J. Murrell wrote:
On Fri, 2015-06-12 at 10:13 +1200, Amos Jeffries wrote:
see http://readlist.com/lists/squid-cache.org/squid-users/11/58405.html
Of course, I did see the rest of the messages
On Fri, 2015-06-12 at 10:13 +1200, Amos Jeffries wrote:
see http://readlist.com/lists/squid-cache.org/squid-users/11/58405.html
Of course, I did see the rest of the messages in the thread. I'm not
sure what I'm supposed to be seeing in that particular message though
other than 3.4.3 worked
At least from here, irc.bcwireless.net:6667 is non-functional
(connection times out) on IPv6 but works on IPv4:
# telnet irc.bcwireless.net 6667
Trying fcaa:8ef7:51b9:8f04:58f1:7364:e16e:fe2f...
telnet: connect to address fcaa:8ef7:51b9:8f04:58f1:7364:e16e:fe2f: Connection
timed out
Trying
On Tue, 2013-12-31 at 23:28 +1300, Amos Jeffries wrote:
Order IS important.
Ahhh. This is interesting then.
Each rule depends on what the rules above it do and whether their side
effects change the state depended on by the weird-acting ACL.
This seems a strange situation to me. But so
Hello,
I've come across a recurring issue where Squid (3.2.1) will deny replies
(TCP_DENIED_REPLY/403) purely based on where in the rule list (which is
all allows with one deny at the end) the rule is.
For example, with the following rule list:
http_reply_access allow redirect
http_reply_access
On Tue, 2013-12-24 at 13:42 +, Markus Moeller wrote:
Hi Brian,
Hi Markus,
Based on my knowledge it is not possible to use negotiate ( Kerberos or
NTLM ) without AD/Samba.
Yeah, I guess I mis-represented my limitations. I don't mind setting up
a Samba PDC if that's necessary. Where
[ Changed the subject to get down to the more basic issue ]
On Tue, 2013-12-24 at 16:20 +1300, Amos Jeffries wrote:
This is not an assumption from the documentation. NTLM protocol
*requires* a DC to operate.
TL;DR: Do windows machines *have* to join a domain in order to use NTLM
with Squid?
On Sun, 2013-12-22 at 09:52 +0200, Nikolai Gorchilov wrote:
Hi Brian,
Hi Nikolai,
Do you add CFLAGS/CXXFLAGS/etc while ./configure?
Well, *I* don't but Ubuntu's (Debian's in reality, I guess) build system
does. :-)
CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
.
On 22/12/13 16:55, Brian J. Murrell wrote:
Interesting. I wonder if we can be more surgical and figure out which
one(s) are causing the problems? I suppose I can start though by
removing them all and seeing if that is my problem also.
Sadly, removing all CFLAGS/CXXFLAGS options done
Per my previous message, it seems that if I want to have Negotiate
authentication for my Linux machines (which use Kerberos in my network),
I have to support Negotiate for the Windows machines, even though they
don't actually use Kerberos. It seems they want to use NTLMSSP when
they are offered
I have a network of Linux machines that all use Kerberos to authenticate
and then use those Kerberos tickets for other network services including
squid 3[.2]. This all works swimmingly.
Now enter the first Windows machine onto the network. It's Windows 8
FWIW.
I don't really care for this
On Mon, 2013-12-16 at 15:08 +1300, Amos Jeffries wrote:
It is not quite complete yet, you also need to use --disable-eui.
Oh, that's a pity. Using MAC addresses is the only sane way to handle
IPv6 devices on your LAN given that they want to use randomized source
addresses which change after a
On Mon, 2013-12-16 at 15:08 +1300, Amos Jeffries wrote:
I have a patch that fixes some of these at
http://master.squid-cache.org/~amosjeffries/patches/squid-3_relocation_PIC_PIE_error.patch
It is not quite complete yet, you also need to use --disable-eui.
I'm sure you know this but
I'm trying to build squid 3.4.1 on Ubuntu LTS 12.04 and getting:
libtool: link: g++ -I/usr/include/libxml2 -Wall -Wpointer-arith -Wwrite-strings
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -m64 -g -O2 -fPIE
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
Is there any way with Squid3 to send back a 407 response when a request
is unauthenticated and the response fails to match any http_reply_access
rules?
The situation is that the content might be allowed for authenticated
users but not unauthenticated but a 403 doesn't prompt their browser to
ask
I've upgraded from 3.0.19 to 3.2.1 due to bug 2305. But it seems I
have simply traded one problem for another.
The problem that I am having is that requesting some URLs from squid
leaves the client waiting, forever. For example:
XXX
If I force a cache reload with squidclient's -r the URL will
I have the following configured for authentication in my squid 3.1.1 server:
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 3
auth_param
On Sun, 2009-11-01 at 21:52 +0100, Henrik Nordstrom wrote:
A temporary workaround if the automatic failover doesn't work
I was able to get the failover to work by installing an ip6tables rule
on the squid box:
Chain OUTPUT (policy ACCEPT 29M packets, 24G bytes)
pkts bytes target prot
I have a Squid 3.1 server here in my IPv6 enabled network.
Unfortunately my IPv6 ISP has gone down but I still have IPv4 Internet
connectivity.
Is there any way I can disable Squid from wanting to connect to IPv6
websites, while still allowing IPv6 requests from clients?
Thanx!
b.
On Sat, 2009-10-31 at 12:00 +1300, Amos Jeffries wrote:
An option to simply turn IPv6 off is not possible at run time. A rebuild
of Squid is needed to fully disable IPv6.
:-( But I don't even really want to disable IPv6. My clients use IPv6
to access squid.
As long as there is no global
On Thu, 2009-10-29 at 23:58 +0100, Henrik Nordstrom wrote:
Either using url_rewrite_program and an url rewriter/redirector helper,
or by using http_access deny + deny_info.
Ahhh. deny_info is interesting. I guess there is no manipulating the
url that caused the deny, i.e. to customize the
It would be nice to have SNMP counters that tracked cache hits and
misses in terms of the number of bytes. This would allow me to see
how effective my proxy was at avoiding network traffic.
That said, I'm unsure how I would account for requests to a web servers
to test for object freshness, given
On Thu, 2009-04-02 at 11:35 +1200, Amos Jeffries wrote:
IIRC, non-cachable objects larger than max_object_size_in_memory get a
disk object saved for the transition buffer then released when completed
whether they need it or not. One of the inefficiencies we are working
towards killing.
OK.
I am using Squid 3.0.STABLE10 and seeing something strange.
I recently increased the filesystem that my cache is on by about 5x.
It's now showing:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootvol-http_cache
9.9G 1.6G 7.8G 17% /var/spool/squid3
On Wed, 01 Apr 2009 05:37:04 -0400, Brian J. Murrell wrote:
On Wed, 2009-04-01 at 05:37 -0400, Brian J. Murrell wrote:
Why would such a static object be removed from the cache when there is
so much space available.
Here's an even more interesting example:
1238597521.686 RELEASE 00 000142CA
open (in seconds).
^
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
signature.asc
Description: This is a digitally signed message part
On Tue, 2007-10-09 at 09:45 -0400, Brian J. Murrell wrote:
Probably because I have not actually rolled my own but am using the
squid3 package in Ubuntu Feisty. :-) Hrm, even the soon-to-be-released
Gutsy only has 3.0.PRE6-1. I guess the maintainer is not keeping close
with releases. I
.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
On Tue, 2007-10-09 at 10:18 -0300, Thiago Cruz wrote:
Hi Brian,
Hi Thiago,
Why don't you try squid-3.0.RC1?
Probably because I have not actually rolled my own but am using the
squid3 package in Ubuntu Feisty. :-) Hrm, even the soon-to-be-released
Gutsy only has 3.0.PRE6-1. I guess the
if I am missing something.
Thanx,
b.
[1] i.e. for computer maintenance -- where computers don't have accounts
for proxy access -- or worse, applications that don't support proxy
authentication)
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
computer is your Microsoft Windows server.
Brian J. Murrell
On Sat, 2006-12-16 at 21:21 -0500, Brian J. Murrell wrote:
Probably, a helper supporting this native KRB5 blob is ideal,
It has further occurred to me, that ntlm_auth *has* to be the helper
that supports this native KRB5 Negotiate goop, unless one can ensure
that no AD authenticating windows
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
On Mon, Dec 18, 2006, Brian J. Murrell wrote:
This is probably starting to grow a little OT for this list though.
Nope, its definitely not off-topic for the list.
I think I just meant the discussion on how to make firefox on linux do
server.
Brian J. Murrell
that this is the only piece missing.
Much appreciate your input on answering this though.
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Goop(tm) doesn't it?
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell