Re: [squid-users] Reg - Squid can cache the chrome OS updates.
Thanks for your valuable information Amos.

Regards,
Nithi

On Friday 26 June 2015 10:48 AM, Amos Jeffries wrote:

On 26/06/2015 4:36 p.m., Squid List wrote:

Hi,

Can Squid cache Microsoft Updates and IOS Updates? If it can, please help me cache Chrome OS updates in the latest Squid version, which is installed on CentOS 6.6.

The short answer (FWIW): Squid can (and does) cache any HTTP content which is cacheable. With the exception of 206 responses and PUT request payloads.

The long answer:

Whether the cached content is used depends entirely on what the client requests. It has the power to request that cached content be ignored.

Whether content is cacheable depends entirely on what the server delivers. It has the power to place limits on cache times up to and including stating an object is already stale (ie not usefully cached).

There are also some mechanisms which when used MAY make content completely untrustworthy and/or uncacheable:

* connection based authentication (NTLM, Negotiate)
* traffic interception (NAT, TPROXY, SSL-Bump)
* broken Vary headers (though this causes caching when it shouldn't)

I hope that explains why you won't get a clear simple answer to your question.

To help any further we will need information about:

- what Squid version you are using (if it's not the latest 3.5 please try an upgrade),
- how it's configured (squid.conf without the comment lines please),
- how it's being used (explicit forward-, reverse-, or interception proxy),
- what exactly the request messages you are trying to make into HITs are (debug_options 11,2 produces a trace of those),
- what response messages the server is delivering on the MISS (the same 11,2 trace),
- what Squid is logging for them (access.log entries).

Amos
Re: [squid-users] https issues for google
Hi,

Check the below acl rule in your squid configuration file to block the particular domain URLs and also block keywords itself.

# ACL block sites
acl blocksites dstdomain .youtube.com

# ACL block keywords
acl blockkeywords url_regex -i .youtube.com

# Deny access to block keywords ACL and block sites ACL
http_access deny blockkeywords
http_access deny blocksites

And check the access.log file in the squid.

Regards,
ViSolve Squid

On 10/10/2014 4:32 AM, glenn.gro...@bradnams.com.au wrote:

I was able to capture the log at the time this happened to me, I got the following in the access.log:

1412895309.389 84 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895311.770 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895311.852 77 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895311.855 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895311.937 77 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895311.941 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895312.053 107 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.056 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895312.124 65 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.680 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895312.765 79 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.768 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895312.846 74 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.851 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895312.927 73 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.931 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html

Not sure why it would be saying TCP_MISS, I assume the TCP_DENIED is expected as it happens after the TCP_MISS and has no authentication information.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of glenn.gro...@bradnams.com.au
Sent: Thursday, 9 October 2014 9:04 AM
To: elie...@ngtech.co.il; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] https issues for google

Hi Eliezer,

The DNS we are using is the ISP default for external, our internal domain DNS for internal. Nslookup works for all tests.

I would like to update to the latest stable, but I am concerned about breaking the current setup. It took a little work to get it working correctly, particularly on the multiple authentication methods working with our domain and trust.

I support what has been said - to check the logs. This will likely take time as I cannot reproduce this issue on demand - and I think users are starting to not report the issue and just living with it (or it is not getting all the way to me at least). I will have to get lucky at some point on my computer and look into it then.

Could squid be getting mixed up when multiple https requests are to the same address (e.g. https://google.com.au)?

Thanks,
Glenn

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Eliezer Croitoru
Sent: Wednesday, 8 October 2014 7:39 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] https issues for google

Hey Glenn,

Since you are not using intercept or tproxy the basic place to look at is the access.log. You can see there if the proxy is trying for example to reach an IPV6 address (by mistake).

Also to make sure there is an issue you can use a specific exception like the cacheadmin acl you are using to allow the cacheadmin access without authentication for the basic test.

Also you are indeed using the latest CentOS 6.5 squid but since the current stable version is 3.4.8 you should try to upgrade (to something other than 3.1) due to other issues.

The issue can be a network or dns related issue which was not detected until now. Please first make sure that the access.log and cache.log files are clean of errors or issues.

What dns servers are you using?

Eliezer

On 10/07/2014 06:51 AM, glenn.gro...@bradnams.com.au wrote:

Hi All,

We have a weird issue where https sites apparently don't respond (get message this page can't be displayed). This mainly affects google websites and to a lesser extent youtube. It has been reported it may have affected some banking sites
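The pattern in the access.log quoted in this thread (a TCP_DENIED/407 challenge followed by an authenticated CONNECT logged with a reply size of 0) can be counted per client and destination. This is an added example, not code from the thread; the second client, `example.com:443`, `USER2` and the fused-field line in its sample are constructed.

```python
"""Pair proxy-auth challenges with authenticated CONNECTs in Squid's native
access.log format and flag tunnels that were opened but logged with 0 bytes."""
from collections import defaultdict
from typing import NamedTuple, Optional

# The first five lines are entries quoted in the thread. The rest are
# constructed: one line whose timestamp and elapsed fields are fused, and a
# second client that ignores one challenge before authenticating.
SAMPLE_LOG = """\
1412895309.389 84 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895311.770 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895311.852 77 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895311.855 0 10.10.10.69 TCP_DENIED/407 3983 CONNECT www.youtube.com:443 - NONE/- text/html
1412895311.937 77 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895312.053107 10.10.10.69 TCP_MISS/200 0 CONNECT www.youtube.com:443 MYADUSER DIRECT/74.125.237.160 -
1412895320.100 0 10.10.10.70 TCP_DENIED/407 3983 CONNECT example.com:443 - NONE/- text/html
1412895320.400 0 10.10.10.70 TCP_DENIED/407 3983 CONNECT example.com:443 - NONE/- text/html
1412895321.000 5230 10.10.10.70 TCP_MISS/200 48211 CONNECT example.com:443 USER2 DIRECT/192.0.2.10 -
"""


class Entry(NamedTuple):
    ts: float
    client: str
    status: int
    size: int
    method: str
    url: str
    user: str


def parse_line(line: str) -> Optional[Entry]:
    """Native format: time elapsed client code/status bytes method URL user peer type."""
    parts = line.split()
    if len(parts) != 10:          # damaged or non-native line
        return None
    ts, _elapsed, client, code, size, method, url, user, _peer, _mime = parts
    try:
        status = int(code.split("/")[1])
        return Entry(float(ts), client, status, int(size), method, url, user)
    except (ValueError, IndexError):
        return None


def summarize(lines):
    """Return ({(client, target): counters}, number_of_unparseable_lines)."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0,
                                 "empty_tunnels": 0, "unanswered": 0})
    pending = set()               # keys with a 407 not yet followed by a login
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        if entry.method != "CONNECT":
            continue
        key = (entry.client, entry.url)
        counters = stats[key]
        if entry.status == 407:
            if key in pending:    # previous challenge was never answered
                counters["unanswered"] += 1
            counters["challenges"] += 1
            pending.add(key)
        elif entry.status == 200 and entry.user != "-":
            # A tunnel is never served from cache, so a Squid of this era
            # logs a successful CONNECT as TCP_MISS/200.
            counters["authenticated"] += 1
            if entry.size == 0:
                counters["empty_tunnels"] += 1
            pending.discard(key)
    for key in pending:           # challenge at end of log with no follow-up
        stats[key]["unanswered"] += 1
    return dict(stats), skipped


def suspicious(stats):
    """Targets where every authenticated tunnel was logged with 0 bytes."""
    return sorted(key for key, c in stats.items()
                  if c["authenticated"] and c["empty_tunnels"] == c["authenticated"])


if __name__ == "__main__":
    result, bad = summarize(SAMPLE_LOG.splitlines())
    for key, counters in sorted(result.items()):
        print(key, counters)
    print("unparseable lines:", bad)
    print("all tunnels empty:", suspicious(result))
```

Authentication succeeds on every retry for 10.10.10.69, so the counters point at the tunnels themselves rather than at the 407 challenges.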
Re: [squid-users] redirect all ports to squid
Hi,

Yes, we can redirect the ports to squid through our firewall rules. Check below lines to redirect the ports. We have some different methods to do.

1. In first Method:

First, we need the machine that squid will be running on. You do not need iptables or any special kernel options on this machine, just squid. You *will*, however, need the 'http_accel' options as described above.

You'll want to use the following set of commands on iptables-box:

* iptables -t nat -A PREROUTING -i eth0 -s ! *squid-box* -p tcp --dport 80 -j DNAT --to *squid-box*:3128
* iptables -t nat -A POSTROUTING -o eth0 -s *local-network* -d *squid-box* -j SNAT --to *iptables-box*
* iptables -A FORWARD -s *local-network* -d *squid-box* -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

2. And have another method:

* iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s *squid-box*
* iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
* ip rule add fwmark 3 table 2
* ip route add default via *squid-box* dev eth1 table 2

(OR)

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Regards,
Visolve Squid

On 9/30/2014 10:11 PM, hadi wrote:

It's possible to redirect all ports to squid ? thru iptables ? For example port 25 smtp, 143 imap, etc... Can squid handle that. In transparent mode.
Re: [squid-users] Squid-cache.org won't redirect to www.squid-cache.org?
Hi,

The http://www.squid-cache.org/ domain web site is working fine. We have accessed the site a min ago.

Regards,
ViSolve Squid

On 9/30/2014 1:47 PM, Neddy, NH. Nam wrote:

Hi,

I accidentally access squid-cache.org and get 403 Forbidden error, and am wondering why NOT redirect to WWW.squid-cache.org automatically? I'm sorry if it's intention.

~Ned
Re: [squid-users] what AV products have ICAP support?
Hi Jason Haar,

Trend micro (Stop inbound threats Secure outbound data) is one of the best Inter Scan Web Security Virtual Appliance. And also have listed other AV vendor: Samba-vscan-ICAP isilonicap AV scan (EC2), etc.

Regards,
Visolve Squid

On 8/18/2014 3:00 PM, Jason Haar wrote:

Hi there

I've been testing out squidclamav as an ICAP service and it works well. I was wondering what other AV vendors have (linux) ICAP-capable offerings that could similarly be hooked into Squid?

Thanks
Re: [squid-users] Why squid doesn't log anything when applying transparent proxy?
Check whether your browser goes through squid or not. You can find this by using the url: http://cbe.visolve.com/

If your browser goes through squid then the above url shows that in the proxy detected column. Even though your access log is not showing anything then, let us know your squid.conf file so that we will check the issue and help you out.

If it is not going through squid then let us know your iptables rules.

Thanks
Visolve Squid Support Team

On 7/5/2014 2:59 PM, Mark jensen wrote:

I have deployed a transparent proxy using these tutorials:

on L3 switch: http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute

on centos 6.5 box ( squid ): http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

When I request the web page from one client, it returns to me, so I thought that transparent proxy works fine. But the problem is that I can't find any records in the access.log file, so it seems that the client gets the page from the server directly.

1- Is the problem that squid doesn't log when it is in a transparent mode?

2- Or does the client get the page directly from the server (if so, how can I add a rule to the iptables or an access list to forbid the client from getting the page directly from the server)?

Mark
[squid-users] Connection reset when accessing java servlet report page via squid
Hello,

We have a problem with squid when accessing a servlet page through the squid proxy. It is a report page where the inputs are taken from the user and the servlet manipulates the report and presents it in the page. Normally it takes around 45-60 seconds to generate the report. So we are getting the 'Connection reset' message in firefox and 'Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data' in chrome. But it works normally without a proxy.

Please suggest a solution for this issue if there is any config change that needs to be done.

Regards,
Manoj
Re: [squid-users] tproxy4, squid-2.7.stable6 doesnt work on centos 2.6.30
Johan,

You have missed the '--enable-linux-netfilter' option when installing squid. You should use http_port tproxy transparent and do not use tcp_outgoing_address in the squid.conf. Before compiling squid, please make sure libcap-dev is installed.

Thanks
ViSolve Squid Team

johan firdianto wrote:

dear guys,

does anybody here have experience implementing tproxy 4 (based on the patch that comes from visolve.com) on squid 2.7 stable 6? Here are my configure options:

'--prefix=/usr/local/squid-tproxy' '--enable-gnuregex' '--enable-carp' '--with-pthreads' '--with-aio' '--with-dl' '--enable-useragent-log' '--enable-referer-log' '--enable-htcp' '--enable-arp-acl' '--enable-cache-digests' '--enable-truncate' '--enable-stacktraces' '--enable-x-accelerator-vary' '--enable-basic-auth-helpers=MSNT,NCSA,YP,getpwnam' '--enable-external-acl-helpers=ip_user,unix_group,wbinfo_group' '--enable-removal-policies=lru,heap' '--enable-auth=basic,ntlm' '--disable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-large-cache-files' '--enable-async-io' '--with-maxfd=2048000' '--enable-linux-tproxy' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--disable-dependency-tracking' '--with-large-files' '--enable-default-hostsfile=/etc/hosts'

I already put http_port tproxy transparent in squid.conf, and also put the IP of squid at the tcp_outgoing_address option. No error in compiling squid, but when I dump the packets, squid / linux doesn't spoof the IP. It uses the squid box IP address rather than the client IP address. I still can browse normally, but the system doesn't spoof the IP. When I use tproxy4 on squid 3.1, it works.

any clue ?

Thanks.
Johan
[squid-users] Squid logs into MySQL database
Hi All,

We have released an earlier version of an external program (plug-in) to log squid access to a MySQL database using the logfile_daemon feature in squid 2.7.

The plug-in is available at: http://www.visolve.com/squid/squid-mysqllog.php

Do send your comments for the improvement.

Thanks,
ViSolve Squid Team.
[squid-users] Tproxy v4 patch for squid 2.7 version
Hello all,

Tproxy-4 patch for squid 2.7 STABLE6 has been released. Tproxy helps in IP spoofing, which means when a browser requests a URL, the client IP is sent to the webserver instead of the proxy server's IP.

The patch is available at http://www.visolve.com/squid/squid-tproxy.php

Thanks
ViSolve Squid Team.
http://www.visolve.com
Re: [squid-users] WARNING! Your cache is running out of filedescriptors -------Version 3.0.STABLE13
Probably, you can change the ulimit value and then try with the --with-filedescriptors option. It may work.

Change the ulimit value:

root# ulimit -HSn 32768

or try

client_persistent_connections off
server_persistent_connections off

in the squid.conf configuration.

Regards,
ViSolve Squid Team.

Shekhar Gupta wrote:

Any thoughts on this ..

On Mon, Feb 23, 2009 at 4:11 PM, Shekhar Gupta shekharsaha...@gmail.com wrote:

I think this is some bug as the same machine with 2.6 squid version was not having any of these messages. I still have 3 machines on the older squid version and I upgraded 2 machines to 3.0 13 version and I am finding this problem.

On Mon, Feb 23, 2009 at 3:53 PM, Amos Jeffries squ...@treenet.co.nz wrote:

Shekhar Gupta wrote:

Amos, I only configured it with delay pool, so you are saying that I have to recompile squid with that option. Do I have to do anything else apart from it, like something in OS.

I would hope nothing in OS is needed. But I don't know RHEL very well.

The option is equivalent to --with-maxfd from 2.6. With the same usage and related settings.

Amos

On Mon, Feb 23, 2009 at 3:12 PM, Amos Jeffries squ...@treenet.co.nz wrote:

Shekhar Gupta wrote:

Guys, I tried fixing this however most of the derivatives are not working with this version. Can anyone throw some light on how to make this fix in Version 3.0.STABLE13 running on RHEL 5.3..

Check you are using the configure option: --with-filedescriptors=N

3.0 uses a different option name than 2.6 did.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.5
Re: [squid-users] ip client list
Hi Mirza,

Yes, you can do it for client IP also, as you have done for the url_regex ACL, like

acl full src "/etc/squid/full.txt"
acl chatonly src "/etc/squid/chat.txt"

You can mention the ip addresses in the respective text file one below the other.

Regards
Visolve Squid Team

how to put IP group like

acl chatting url_regex -i "/etc/squid/domain.txt"

for domain list, how about client ip ? i mean like this :

acl full src 192.168.1.1
acl full src 192.168.1.5
acl chatonly src 192.168.1.3

put in one file like full.txt and chat.txt so the squid.conf is more simple
Re: [squid-users] cache_dir size
Jeff,

cache_mem keeps the frequently accessed objects in RAM, while cache_dir stores the objects on disk. When you increase cache_mem, reduce the size of cache_dir. Squid requires more than 1GB of RAM for every 100 GB of cache on hard disk.

Regards
Visolve Squid Team.

Jeff P. wrote:

I have forgotten it, what's the corresponding relation between the size of cache_dir and cache_mem? thanks.

--- On Fri, 11/7/08, Visolve Squid Team [EMAIL PROTECTED] wrote:

From: Visolve Squid Team [EMAIL PROTECTED]
Subject: Re: [squid-users] cache_dir size
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Date: Friday, November 7, 2008, 7:21 AM

Jeff,

If you have 2GB of RAM, you can use all 146GB for cache dir.
Re: [squid-users] cache_dir size
Jeff,

If you have 2GB of RAM, you can use all 146GB for cache dir.

Regards
Visolve Squid Team.

Jeff P. wrote:

I have a 146G SAS harddisk with 15000 rpm, it's used for cache storage. How large is best suitable when I set it up for cache_dir? I'm running squid-3.0.9 on Linux OS. thanks.
[squid-users] Re: reverse proxy headache
Hello,

Squid latest version is squid-2.6STABLE18. You can configure the reverse proxy easily with squid-2.6.

Reverse proxy configuration in squid-2.5:

http_port 80                       # Port of Squid proxy
httpd_accel_host 172.16.1.115      # IP address of web server
httpd_accel_port 80                # Port of web server
httpd_accel_single_host on         # Forward uncached requests to single host
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

For more details visit http://www.visolve.com/squid/whitepapers/reverseproxy.php#What_is_Reverse_Proxy_Cache

Reverse proxy configuration in squid-2.6:

http_port 80 vhost
cache_peer webserver ip parent webserver port 0 no-query originserver

Example:

http_port 80 vhost
cache_peer proxy.nour.net.sa parent 8080 0 no-query originserver

For more details: http://www.visolve.com/squid/squid26/contents.php

Thanks,
-Visolve Squid Team
www.visolve.com/squid/

dirtybugg wrote:

Hi please help me i am new to squid, i have squid 2.5, my squid.conf is below, please help, i am not able to browse our internet

#Default:
# http_port 3128
http_port 8080

#Default:
# none
#cache_peer proxy.saudi.net.sa parent 8080 3130 default no-query
#cache_peer 62.149.115.12 parent 8080 3130 default no-query
cache_peer proxy.nour.net.sa parent 8080 3130 default no-query

#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /cache1 8000 16 256
cache_dir ufs /cache2 8000 16 256

#Default:
# cache_access_log /var/log/squid/access.log
cache_access_log /var/log/squid/access.log

#Default:
# pid_filename /var/run/squid.pid
pid_filename /var/run/squid.pid

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl snmpsaudiedi snmp_community rtgg0v1

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl user_networks src 192.168.19.0/24
acl svr_networks src 192.168.17.0/24
acl dmz_networks src 62.149.115.128/25
http_access allow user_networks
http_access allow svr_networks
http_access allow dmz_networks
icp_access allow user_networks
icp_access allow svr_networks
icp_access allow dmz_networks
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

#Default:
# http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

#Default:
# none
visible_hostname proxy1

#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#
#Default:
# snmp_access deny all
snmp_access allow snmpsaudiedi user_networks
snmp_access deny all
Re: [squid-users] Squid doesn’t start
Hello Balram,

Check your system name by using this command in cygwin: hostname. Then based on the output, set the visible_hostname in the squid configuration.

Example:

$ hostname
admin

visible_hostname admin

Thanks,
Visolve Squid Team
www.visolve.com/squid/

Balram wrote:

Could anyone help me to run Squid on my Windows XP Prof.? I am trying to start Squid with the help of Cygwin on Windows XP Professional, but Squid doesn't start. The message is to set 'visible hostname'. When I put any name in 'visible_hostname' in the squid.conf file, there is a message that this is not a qualified domain name. What do I have to do to start squid? As I study the squid mailing list and other sites, I know only that many people are running squid on Windows XP Prof.

Thanks.
Re: [squid-users] cache_peer_access and multiple squid ports
Hello Smith,

Try with the following configuration:

http_port 3128
acl portA myport 3128
http_port 8090
acl portB myport 8090
cache_peer parentA.mydomain.local parent 3128 0 no-query no-digest login=PASS
cache_peer_access parentA.mydomain.local deny !portA
cache_peer parentB.mydomain.local parent 8090 0 no-query no-digest login=PASS
cache_peer_access parentB.mydomain.local deny !portB

Thanks,
Visolve Squid Team
www.visolve.com/squid/

Matthew Smith wrote:

Hello!

I have a squid box that I want to have listen on two ports for requests. I also have two parent proxies. I'd like to send requests from port A to parent A, while requests from port B should go to parent B.

My config is as follows:

http_port 3128
acl portA myport 3128
http_port 8090
acl portB myport 8090
cache_peer parentA.mydomain.local parent 3128 0 no-query no-digest login=PASS
cache_peer_access parentA.mydomain.local allow portA
cache_peer parentB.mydomain.local parent 8080 0 no-query no-digest login=PASS
cache_peer_access parentB.mydomain.local allow portB
access_log /var/log/squid/a_access.log squid portA
access_log /var/log/squid/b_access.log squid portB

Now, while the access logs print out the data as appropriate for each port, the requests on port B always seem to end up going DIRECT, while the first up requests are going to FIRST_UP_PARENT.

I have tried never_direct allow portB to force portB requests to never be direct, but that does not work either...

I figure I am missing something. Any help would be great.

Thanks,
Matt Smith
Re: [squid-users] cachemgr.cgi problem
Hello Shaun,

The problem might be because of the location of the cgi script that you have accessed. You have to follow these steps to access cachemgr.cgi on the web.

1. Copy the squid/location/libexec/cachemgr.cgi to a web accessible location (/var/www/cgi-bin/).
2. Start apache.
3. Access the link http://webserverip/cgi-bin/cachemgr.cgi

Thanks,
Visolve Squid Team
www.visolve.com/squid/

shaun p martin wrote:

Hello,

I'm not having any luck using the cachemgr.cgi script. When I run it against squid, it records a tcp miss, and forwards the request to the default parent, which returns jumbled html... instead of the usual cachemgr page. Is there an acl which will tell squid how to handle this?

output in access.log:

1202333684.384 179 10.1.17.54 TCP_MISS/200 25976 GET cache_object://sq01/ - DEFAULT_PARENT/xxx.xxx.xxx.xxx text/html

thanks
shaun
[squid-users] Squid-2.6 configuration Manual
Hello all, We have updated our Squid configuration manual for 2.6 version. It is available at http://www.visolve.com/squid/squid26/contents.php We have included examples, wherever possible, to make understanding easier. We hope our contribution would help potential squid users. Thanks, ViSolve http://www.visolve.com http://www.visolve.com/squid/squid26/contents.php
Re: [squid-users] cache log Warnings
2006/09/25 07:45:10| WARNING: Disk space over limit: 194960 KB 102400 KB
2006/09/25 07:45:21| WARNING: Disk space over limit: 187308 KB 102400 KB
2006/09/25 07:45:32| WARNING: Disk space over limit: 175636 KB 102400 KB
2006/09/25 07:45:43| WARNING: Disk space over limit: 161808 KB 102400 KB
2006/09/25 07:45:54| WARNING: Disk space over limit: 148768 KB 102400 KB
2006/09/25 07:46:05| WARNING: Disk space over limit: 141440 KB 102400 KB
2006/09/25 07:46:17| WARNING: Disk space over limit: 128740 KB 102400 KB
2006/09/25 07:46:28| WARNING: Disk space over limit: 119816 KB 102400 KB

Hello,

Disk space over limit might be because the swap.state file has been corrupted. Such corruption can occur on unexpected system shutdowns (power failure, kernel panic etc). This can be solved by the following:

1. Shutdown squid.
2. Remove the swap.state files from your cache directories.
3. Start Squid again. It will rebuild swap.state from the cache files.

Thanks,
ViSolve Squid Team.
www.visolve.com/squid/
Re: [squid-users] squid 2.6 and httpd_accel
peppeska wrote:

Are these directives present in squid 2.6??

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I need them!!

Hello,

The transparent proxy setup in squid 2.6 can be done by the following configuration in squid.conf.

http_port 3128 transparent

Thanks,
Visolve Squid Team
www.visolve.com/squid
Re: [squid-users] Custom log format and client source port
Michele de Varda wrote:

Hello,

I have installed squid 2.5 stable 14 with the patch Squid custom log format. I need to log the source client port for distinguishing client connections behind NAT/PAT networks. In the patch syntax the source client port is defined with %p but this function seems to not be implemented yet. Is it possible to know if anyone has implemented this feature?

Hello Varda,

You can customize the logformat easily in squid-2.6.

#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

Thanks,
Visolve Squid Team.
www.visolve.com/squid/
Re: [squid-users] Information about cache
Ammad Shah wrote:

I want to know how much data is coming from cache and from the Internet. I am using sarg for log analysis; is there any tool that shows me this in a graph/chart or as a percentage? I also want to know the objects in cache, and its health.

Hello Shah,

You can see the squid cache hits by using MRTG.

Thanks,
Visolve Squid Team.
www.visolve.com/squid/
Re: [squid-users] Whitelisting
[EMAIL PROTECTED] wrote:

I have a list of IP addresses from which I want to allow access to a specific number of internet addresses. Can someone help get me started with this?

Thanks,
Tim Rainier

Hello Rainier,

Allowing a specific number of internet addresses for a list of IP addresses can be configured by using the following ACL setting in squid.conf:

acl IP_List src "/usr/local/iplist.txt"
acl addresses dstdomain "/usr/local/addresslist.txt"
http_access allow addresses IP_List

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] Problem defining external_acl_type
Peter Bengtsson wrote:

# squid -N -d1
FATAL: Bungled squid.conf line 165: external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.

Hello Bengtsson,

TAG: external_acl_type

This option defines external acl classes using a helper program to look up the status

external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]

Thanks,
Visolve Squid Team,
www.visolve.com/squid/
Re: [squid-users] Smart way to Block Streaming Video/audio websites
Siju George wrote:

Hi,

Could someone please tell me what is the effective way for blocking streaming media from websites like

1) http://video.google.com/
2) http://www.youtube.com/

Or at least is there a place where I can get a list of such popular streaming websites so that I can block them?

Hello Siju,

The list of sites can be blocked by using the following configuration in squid.conf.

acl blocked_sites dstdom_regex "/usr/local/sites.txt"
http_access deny blocked_sites

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] acl dstdomain, bypass authorization
Dmitry Melekhov wrote:

Hello!

I need to allow users access to some sites without authorization. If I write acl:

acl 1sk dstdomain 1sk.ru
http_access allow our_nets 1sk

it doesn't work, but if

acl 1sk dst 194.186.36.214
http_access allow our_nets 1sk

it works. our_nets is

acl our_nets src 192.168.21.0/24 192.168.22.0/24

It is not very good to have acls based on dst ip address, because it can be changed ;-) Is it possible to use acl dstdomain in my situation?

Hello,

You can try with the following configuration in squid.conf

acl auth_users proxy_auth REQUIRED
acl page dstdomain 1sk.ru
acl our_nets src 192.168.21.0/24 192.168.22.0/24
http_access allow page
http_access allow auth_users our_nets

Thanks,
Visolve Squid Team
www.visolve.com/squid/
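How rule order and dstdomain matching decide whether a request gets through without credentials, shown with a simplified model of http_access evaluation. This is an added example, not Squid's code and not from the thread; the `page_dot` ACL, the `TIGHTENED` rule set, the client addresses and the user name are assumptions for illustration.

```python
"""Simplified model of Squid http_access: rules are tried top to bottom, the
ACLs on one line are ANDed left to right, and the first matching line wins."""
import ipaddress


class NeedAuth(Exception):
    """A proxy_auth ACL was reached and the request carries no credentials."""


def dstdomain_match(pattern: str, host: str) -> bool:
    # "example.com" matches that host only; ".example.com" also matches
    # every subdomain of it.
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl, request) -> bool:
    kind, values = acl
    if kind == "src":
        client = ipaddress.ip_address(request["src"])
        return any(client in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, request["host"]) for v in values)
    if kind == "proxy_auth":
        if request.get("user") is None:
            raise NeedAuth()
        return True
    raise ValueError(f"unsupported ACL type: {kind}")


def evaluate(acls, rules, request) -> str:
    """Return 'allow', 'deny' or 'challenge-407' for one request."""
    last_action = None
    for action, names in rules:
        last_action = action
        try:
            # all() stops at the first ACL that fails, like Squid does
            if all(acl_matches(acls[name], request) for name in names):
                return action
        except NeedAuth:
            return "challenge-407"
    # No line matched: the result is the opposite of the last line's action.
    return "deny" if last_action in (None, "allow") else "allow"


ACLS = {
    "auth_users": ("proxy_auth", ["REQUIRED"]),
    "page": ("dstdomain", ["1sk.ru"]),
    "page_dot": ("dstdomain", [".1sk.ru"]),          # assumption: leading dot
    "our_nets": ("src", ["192.168.21.0/24", "192.168.22.0/24"]),
}

# Rule order from the reply in the thread.
POSTED = [("allow", ["page"]),
          ("allow", ["auth_users", "our_nets"])]

# Assumed variant: the unauthenticated exception is limited to our_nets and
# also covers subdomains of the site.
TIGHTENED = [("allow", ["our_nets", "page_dot"]),
             ("allow", ["auth_users", "our_nets"])]

if __name__ == "__main__":
    cases = [
        {"src": "192.168.21.5", "host": "1sk.ru", "user": None},
        {"src": "192.168.21.5", "host": "www.1sk.ru", "user": None},
        {"src": "203.0.113.9", "host": "1sk.ru", "user": None},
        {"src": "192.168.21.5", "host": "example.org", "user": "dmitry"},
    ]
    for request in cases:
        print(request, evaluate(ACLS, POSTED, request),
              evaluate(ACLS, TIGHTENED, request))
```

With the posted order, the exception line has no `src` condition, so it applies to any client that can reach the proxy.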
Re: [squid-users] squid error running out of filedescriptors and others
    2006/09/19 14:36:24| WARNING! Your cache is running out of filedescriptors
    2006/09/19 14:36:40| WARNING! Your cache is running out of filedescriptors
    2006/09/19 14:36:56| WARNING! Your cache is running out of filedescriptors
    2006/09/19 14:37:12| WARNING! Your cache is running out of filedescriptors
    2006/09/19 14:37:28| WARNING! Your cache is running out of filedescriptors

Hello Dny,

Squid might be compiled with a low number of filedescriptors. So you need to increase the filedescriptor value by using ulimit -HSn and recompile Squid.

Thanks,
Visolve Squid Team.
www.visolve.com/squid/
RE: [squid-users] Compile-time options
-Original Message-
From: Errol Neal [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 10, 2006 7:00 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Compile-time options

So many.. :) I'm very new to squid and I'm trying to read up on it as much as possible before trying to actually build a solution. Is there a definitive guide that I can be pointed to that explains each of the compile-time options for the 2.6 and 3.0 releases of squid? Thanks in advance.

Hello Neal,

You can see the squid compile time options by using the following command.

    [EMAIL PROTECTED] squid-2.5.STABLE14]#./configure --help

Thanks,
Visolve Squid Team
www.visolve.com/squid/
RE: [squid-users] squid -k reconfigure error: (1) Operation not permitted
-Original Message-
From: Jaime Solorzano B [mailto:[EMAIL PROTECTED]
Sent: Friday, September 08, 2006 2:51 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid -k reconfigure error: (1) Operation not permitted

Hello, We are using 2.5.STABLE12 version. As nobody is accessing Internet I just simply executed squid -k reconfigure and I got:

    [EMAIL PROTECTED]:~# squid -k reconfigure
    squid: ERROR: Could not send signal 1 to process 1033: (1) Operation not permitted

Hello Jaime,

Check your cache_effective_user directive in squid.conf and check which user id your Squid process is running under.

If you start Squid as root, it will change its effective/real UID/GID to the user specified below. The default is to change UID to nobody. If you define cache_effective_user, but not cache_effective_group, Squid sets the GID to the effective user's default group ID (taken from the password file) and supplementary group list from the groups membership of cache_effective_user.

Thanks,
Visolve Squid Team
www.visolve.com/squid/
RE: [squid-users] Squid takes too long to stop.
-Original Message-
From: Jim John [mailto:[EMAIL PROTECTED]
Sent: Friday, August 25, 2006 9:55 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid takes too long to stop.

Hi all. We have squid set up for transparency using shorewall, but it takes too long to stop. Can we simply direct traffic away from squid using shorewall before we stop squid instead of afterwards? Is there another way to stop squid faster and safer because our users lose connection while squid is stopping, which takes 2 minutes or so. This also happens for reload when we have squidGuard child processes running under squid. Thanks.

Hello John,

Check the shutdown_lifetime directive in squid.conf.

    shutdown_lifetime time-units

When SIGTERM or SIGHUP is received, the cache is put into shutdown pending mode until all active sockets are closed. This value is the lifetime to set for all open descriptors during shutdown mode. Any active clients after this many seconds will receive a 'timeout' message.

Thanks,
Visolve Squid team
www.visolve.com/squid/
RE: [squid-users] Problem starting squid
-Original Message-
From: Robert Shatford [mailto:[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 12:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Problem starting squid

Hey guys, I don't know if I missed something in the setup of my server, but I cannot get the squid -z command to work. When I type it out, I get the message

    FATAL: Failed to make swap directory /usr/local/var/cache: (13) Permission denied

Hello Shatford,

Check the file permission for /usr/local/var/cache

Thanks,
Visolve Squid Team.
www.visolve.com/squid/
Re: [squid-users] squid can not automatically run when system boot
wangzicai wrote:

Hello everyone! I am using squid squid-2.5.stable14 in linux ws3, when the system reboots squid does not run automatically. How can I solve it?

Hello Wangzicai,

Starting squid at bootup can be done by configuring the rc scripts of your OS environment or configuring it in the /etc/rc.local file. For more info visit this page: http://www.squid-cache.org/Doc/FAQ/FAQ-3.html#ss3.6

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] Access Denied (Newbie)
beno wrote:

Hi; Here are what I believe are the pertinent lines from my squid.conf file:

    cache_peer 2012.vi parent 7080 2020 default no-query
    http_port 2020 vhost
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl Safe_ports port 80 8080 7080 transparent

where 2012.vi is the name of the site, 7080 is the port to which Zope is listening for requests and 2020 is where squid is listening. I want all requests for all pages on 2012 to be passed transparently to port 7080. When I surf to that page, however, I get a squid error stating that access is denied. However, before I passed this request through squid, I got no such error and the page was correctly served. Please help me understand what I've done wrong. TIA,

Hello,

Check your http_access rules in squid.conf.

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] How to hide squid version information?
Monty Ree wrote:

Hello, all. I would like to hide squid version or server information for security reason. So I set via off at squid.conf file. But via information is seen as ever. Is there any directive or method like ServerTokens at apache?

Hello,

Compile squid by altering the following line in squid source file src/errorpage.c.

    Line:69: Generated %T by %h (%s)\n

In the above line %s denotes the squid version, which can be modified as required.

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] Forwarding loop?
Ralf Hildebrandt wrote:

We're using a intranet - squid - Dansguardian - squid - Internet setup to filter the traffic for viruses. This must be the cause for this warning:

    Aug 27 23:18:46 proxy-cvk-2 squid[27921]: WARNING: Forwarding loop detected for: Client: 127.0.0.1 http_port: 127.0.0.1:
    GET http://127.0.0.1/squid-internal-periodic/store_digest HTTP/1.0^M
    Accept: application/cache-digest^M
    Accept: text/html^M
    Host: 127.0.0.1:3129^M
    Via: 0.0 wlan-proxy.charite.de:3128 (squid/2.6.STABLE3), 1.0 proxy-cvk-2-nocache.charite.de: (squid/2.6.STABLE3)^M
    X-Forwarded-For: unknown, unknown, 127.0.0.1^M
    Cache-Control: max-age=259200^M
    Connection: keep-alive^M
    X-Forwarded-For: unknown, unknown, 127.0.0.1^M
    ^M
    Aug 27 23:18:46 proxy-cvk-2 squid[27916]: temporary disabling (Not Found) digest from 127.0.0.1

How can I prevent the internal stuff from being forwarded to the parent_proxy?

Hello Hildebrand,

A forwarding loop is when a request passes through one proxy more than once. You can get a forwarding loop if

* a cache forwards requests to itself. This might happen with interception caching (or server acceleration) configurations.
* a pair or group of caches forward requests to each other. This can happen when Squid uses ICP, Cache Digests, or the ICMP RTT database to select a next-hop cache.

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] reverse proxy v2.6
dale wilhelm wrote:

it appears that reverse proxy has been removed from the 2.6 version... does anyone know of a reason why this rm'd and if there is a work around??? i have the following in my config for 2.5:

    httpd_accel_host ( ip addr )
    httpd_accel_port 8083
    httpd_accel_single_host on
    httpd_accel_with_proxy on

all httpd_accel* directives are now gone... any help would be

Hello Wilhelm,

Reverse proxy configuration for squid-2.6 can be done by using the following configuration in squid.conf.

    http_port 80 vhost
    cache_peer virtual parent [server listen port] 0 no-query originserver
    http_access allow all

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] http_port - squid 2.6
Dave wrote:

Hi. Old versions of squid used:

    http_port proxy.gdmckee.home:3128 82.36.186.17:80

When I try the same from squid 2.6 I get an error. How can I correct this? Only using squid as a proxy server and a reverse proxy.

Hello Dave,

The reverse proxy for squid-2.6 is a little bit different from older versions. It can be done by the following modification in squid.conf

    http_port 80 vhost
    cache_peer virtual parent [server listen port] 0 no-query originserver
    http_access allow all

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] ntlm authentication
Wilson A. Galafassi Jr. wrote: Hello. Can someone tell me some good documentation or howto to use ntlm authentication with samba? Hello Galafassi, NTLM authentication is a challenge-response authentication type. NTLM is a bit different and does not obey the standard rules of HTTP connection management. The authentication is a three step (5 way) handshake per TCP connection, not per request. For more details to configure ntlm visit : http://www.visolve.com/squid/ Thanks, Visolve Squid Team http://www.visolve.com/squid/
Re: [squid-users] squid-2.6.STABLE2-20060814 -- Delay Pools Working ?..
Rayudu Madhava wrote: Sir, Delay Pools in squid 2.6 stable 2 (20060814) seems not working.. Hello Madhava, Delay pools now work again in squid-2.6STABLE3. For more details visit: http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE3-RELEASENOTES.html Thanks, Visolve Squid Team http://www.visolve.com/squid/
Re: [squid-users] almost there , just a little help needed
S t i n g r a y wrote:

Well thanks to all the help you guys provided i have enabled for the first time OpenBSD + squid + squidguard on my network, internet seems to work very fast now. thank you. now i want to know how to block only specific ips specified in a file to download .exe mp3 files from internet. according to my limited knowledge i have made this config, but its not working, can you please tell me whats wrong? how should i put it? Expression file

    \.(ra?m|mpe?g?|mov|movie|qt|avi|dif|dvd?|exe|mp3)($|\?)

Hello Stingray,

You can block the downloads for specified IPs by using the following acl setting in the squid configuration file (squid.conf).

    acl restricted_IPs src "/usr/local/ip_list_file"
    acl restricted_dwnlds urlpath_regex -i \.mp3$ \.exe$
    http_access deny restricted_dwnlds restricted_IPs

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] Authentication for Selective Users
Manish Kathuria wrote:

Squid proxy server has been configured with Basic Authentication and is running perfectly. Is it possible to allow some users to bypass Authentication on the basis of their IP Addresses and/or Mac addresses under this or some other Authentication Scheme?

Hello Kathuria,

Yes. It can be done by using the following configuration in squid.conf.

    acl allow_users src "/usr/local/squid/iplist_for_allowusers"
    http_access allow allow_users
    http_access allow auth_users

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] Increasing filedescriptors
Stuart J. Newman wrote:

I am running squid 2.5.STABLE3 from Redhat in Redhat Enterprise Linux 3. I have followed the instructions to increase the number of filedescriptors to 2048 using the instructions in the FAQ. I have checked include/autoconf.h and verified that the 2048 number was in the header file. However, when I use Cachemgr to examine the number of filedescriptors, it says I have only 1024. Where have I gone wrong?

Stuart J. Newman
System Engineer IT
Globalsat Telecommunications
Voice (240) 553-9423 Fax (301) 483-4350
[EMAIL PROTECTED] www.globalsat.com

Hello Newman,

Squid might be compiled with 1024 filedescriptors. So you need to set ulimit -HSn 2048 and recompile Squid.

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] How to control the bandwidth of websites using squid?
Jamshid KP wrote:

HI, In my company we are using Fedora Core 2 as Operating System and Squid-2.5 and Proxy server. I wish to delay the bandwidth of some websites through Squid. Please help me to find out where will I put the URL of websites in Squid.conf delay the bandwidth. One more matter also. Is there any other way like creating a file and adding website URLs in that file instead of editing squid.conf file every time to delay the bandwidth?

Hello Jamshid,

Delay pools provide a way to limit the bandwidth of certain requests based on any list of criteria. The idea came from a Western Australian university who wanted to restrict student traffic costs (without affecting staff traffic, and still getting cache and local peering hits at full speed). For more details visit: http://wiki.squid-cache.org/SquidFaq/MiscFeatures?highlight=%#head-fd9b4b7ba1854a3c21796173af9d0b9aee33e376

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] Squid access control problem.
Adam O'Neill wrote:

I set http_access allow all (after specifying the local network with a proper subnet did not work) in addition to http_reply_access allow all and acl Safe_ports port 80. I still receive an "Access control configuration prevents your request from being allowed at this time." error when trying to browse. I assume I still have to change something in the acl, but I can't determine what. Working off a minimally modified default configuration. Current test browser is IE.

Hello Adam,

Consult your browser's help feature. Also, some firewalls, LAN scripts, or Internet Service Providers (ISP) prevent access to the on-line application because of the port or IP address. For more details about access list and ACL elements visit: http://wiki.squid-cache.org/SquidFaq/SquidAcl

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] what does it means
kashif Mazhar wrote:

plz tell me what does this line mean and why this is happening to my squid. As squid started being inefficient after 1 day and within 4 to 5 days it goes DIE. along with many error lines i found this in it. plz let me know about it.

    2006/08/08 18:06:00| idnsCheckQueue: ID 329f: giving up after 31 tries and 306.2 seconds

Hello Mazhar,

Check your DNS setup and cache.log messages

Thanks,
Visolve Squid Team
http://www.visolve.com/squid/
Re: [squid-users] Ignoring certain status codes/content inspection?
Oscar Rylin wrote:

Recently, one of our accelerated machines started throwing out errors, and it got me thinking. Would it be possible to have Squid not cache objects based on a status code (for instance 500/Internal server error, 403 forbidden etc)? This would be something along the lines of content-inspection, so a quick take of the flow that would happen would be:

1: Client connects to Squid and requests www.normally.cacheable/object
2: Squid notices that the object is stale and attempts to retrieve a fresh copy from the origin server
3: Origin server returns Status: 500 in the headers, and Squid defaults to serving up the stale object instead of the fresh (but broken) object

Any ideas, finger-pointing or such would be greatly appreciated

Hello Oscar Rylin,

We guess it might be Time-to-Live (TTL) for failed requests. Certain types of failures (such as connection refused and 404 Not Found) are negatively-cached for a configurable amount of time. The default is 5 minutes. Note that this is different from negative caching of DNS lookups. Check with negative_ttl directive in squid.conf file.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] (111) connection refused ERROR FOR SITES REQUIRING LOGIN
vinayan K P wrote:

Hello, Hope someone could help me. I am using a squid proxy (squid-2.5.STABLE13-1.FC4) behind another squid proxy and firewall.

Hello Vinayan,

If you are behind a firewall then you can't make direct connections to the outside world, so you *must* use a parent cache. Squid doesn't use ICP queries for a request if it's behind a firewall or if there is only one parent.

You can use the /never_direct/ access list in /squid.conf/ to specify which requests must be forwarded to your parent cache outside the firewall, and the /always_direct/ access list to specify which requests must not be forwarded. For example, if Squid must connect directly to all servers that end with /mydomain.com/, but must use the parent for all others, you would write:

    acl INSIDE dstdomain .mydomain.com
    always_direct allow INSIDE
    never_direct allow all

For more Details visit: http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-f7c4c667d4154ec5a9619044ef7d8ab94dfda39b

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] HTML Caching
Andrew Yoward wrote:

Hi Folks, how to turn off caching of HTML?

Hello Andrew,

It can be done by using following ACL

    acl html rep_mime_type -i text/html
    cache deny html

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] authentication
Paul wrote:

Hi, I have configured my squid with proxy_auth and all the computers which use internet use this proxy (of course I need to enter login and password), but I have a machine on which it is not possible to enter the password. Anyone know how can I make an exception with one user? Is it possible to avoid the squid authentication for one user or IP address?

Hello Paul,

Yes. You can avoid the squid authentication for one ip address by using following ACL configuration in squid.conf file.

    auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
    acl auth_users proxy_auth REQUIRED
    acl restricted src "/usr/local/squid/iplist"
    acl allow_user src 172.16.1.27
    http_access allow allow_user
    http_access allow auth_users restricted

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
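The replies in the "acl dstdomain, bypass authorization", "Authentication for Selective Users" and "authentication" threads above all rely on http_access lines being checked top to bottom, with the first matching line deciding. The following is an added example, not Squid code and not from any poster: a simplified Python model of that evaluation, run against the rule set posted in the first of those threads and against a tightened variant that is an assumption of this example (client addresses outside 192.168.21.0/24 and 192.168.22.0/24 are constructed).

```python
"""Simplified model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                    # client IP address
    host: str                   # destination host name
    user: Optional[str] = None  # validated proxy user, None if no credentials sent


class NeedAuth(Exception):
    """Raised when a proxy_auth ACL is reached and the request has no credentials."""


def acl_src(*nets):
    parsed = [ipaddress.ip_network(n) for n in nets]
    return lambda req: any(ipaddress.ip_address(req.src) in n for n in parsed)


def acl_dstdomain(*domains):
    def match(req):
        host = req.host.lower()
        for dom in (d.lower() for d in domains):
            if dom.startswith("."):      # ".example.com" also covers subdomains
                if host == dom[1:] or host.endswith(dom):
                    return True
            elif host == dom:            # "1sk.ru" matches that exact host only
                return True
        return False
    return match


def acl_proxy_auth_required(req):
    if req.user is None:
        raise NeedAuth()
    return True


ACLS = {
    "all": acl_src("0.0.0.0/0"),
    "auth_users": acl_proxy_auth_required,
    "page": acl_dstdomain("1sk.ru"),
    "our_nets": acl_src("192.168.21.0/24", "192.168.22.0/24"),
}

# Rule order exactly as posted in the "bypass authorization" reply.
AS_POSTED = [
    ("allow", ["page"]),
    ("allow", ["auth_users", "our_nets"]),
]

# Assumption of this example: keep the source restriction on every allow line,
# test the cheap src ACL before proxy_auth, and end with an explicit deny.
TIGHTENED = [
    ("allow", ["our_nets", "page"]),
    ("allow", ["our_nets", "auth_users"]),
    ("deny", ["all"]),
]


def evaluate(rules, req, acls=ACLS):
    """Return 'allow', 'deny' or 'challenge-407' for one request."""
    last = "allow"  # so that an empty rule list denies in this model
    for action, names in rules:
        last = action
        try:
            # ACLs on one line are ANDed left to right and stop at the first miss.
            if all(acls[name](req) for name in names):
                return action
        except NeedAuth:
            return "challenge-407"
    # No line matched: the default is the opposite of the last line.
    return "deny" if last == "allow" else "allow"


def compare(req):
    """Decision under the posted rules and under the tightened rules."""
    return evaluate(AS_POSTED, req), evaluate(TIGHTENED, req)


if __name__ == "__main__":
    cases = {
        "inside, exempt site, no login": Request("192.168.21.10", "1sk.ru"),
        "inside, other site, no login": Request("192.168.21.10", "www.example.com"),
        "outside, exempt site, no login": Request("203.0.113.5", "1sk.ru"),
        "outside, other site, no login": Request("203.0.113.5", "www.example.com"),
        "outside, other site, logged in": Request("203.0.113.5", "www.example.com", "alice"),
    }
    for label, req in cases.items():
        print(f"{label:32s} posted={compare(req)[0]:14s} tightened={compare(req)[1]}")
```

Under the posted order, a client outside our_nets is allowed to the exempt domain and is sent an authentication challenge for everything else; with the src ACL first on each line it is denied without being prompted.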
Re: [squid-users] Maybe I should not have apt-get dist-upgrade
Brent Clark wrote:

Hey all. This morning I came across something most strange. I upgraded from 2.5 to 2.6 via debian's apt-get dist-upgrade. I now see the following

    Restarting Squid HTTP proxy: squid
    2006/07/25 09:11:56| parseConfigFile: line 136 unrecognized: 'httpd_accel_host virtual'
    2006/07/25 09:11:56| parseConfigFile: line 137 unrecognized: 'httpd_accel_port 80'
    2006/07/25 09:11:56| parseConfigFile: line 138 unrecognized: 'httpd_accel_with_proxy on'
    2006/07/25 09:11:56| parseConfigFile: line 139 unrecognized: 'httpd_accel_uses_host_header on'
    2006/07/25 09:11:56| parseConfigFile: line 146 unrecognized: 'httpd_accel_single_host off'

Hello Brent Clark,

The above configuration directives are changed from squid-2.5. The transparent proxy setup can be done by using the following directive in squid-2.6.

    http_port 172.16.1.57: transparent

For more details about squid-2.6 see: http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE1-RELEASENOTES.html

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] TCP_MISS/503
Fabio wrote:

hi everyone. I have a BIG problem I can't solve with my squid. sometimes (randomly) I have an error in retrieving the URL. in logs it appears as:

    1153487449.160 2211 10.91.195.69 TCP_MISS/503 1660 GET http://www.sing365.com/music/lyric.nsf/Disposition-lyrics-Tool/C574A6A82533DECC48256A57002CEDB3 - NONE/- text/html
    1153487449.332 1 10.91.195.69 TCP_MISS/503 1538 GET http://www.sing365.com/favicon.ico - NONE/- text/html
    1153487455.352 45 10.91.195.69 TCP_MISS/503 1660 GET http://www.sing365.com/music/lyric.nsf/Disposition-lyrics-Tool/C574A6A82533DECC48256A57002CEDB3 - NONE/- text/html

from what it's depends? where can I find the explanation of the error codes? regards,

Hello Fabio,

*TCP_MISS* message will come when the requested object is not in the cache. For more details about squid status codes visit at: http://wiki.squid-cache.org/SquidFaq/SquidLogs#head-2914f3a846d41673d4ae34018142e672b8f258ce.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Howto NOT log URLs in access.log
Michael Ellis wrote:

Hi, I was wondering if anyone knows of a way to configure squid so that it does not write the URL to access.log. All I want to know is who was browsing the web from which computer and when (date, client ip, and authname). This is to comply with personal privacy and information policies and laws.

Hello Mike Ellis,

In squid-2.6, you can customize the access log format by using the logformat directive in squid.conf file.

    logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

%ru is Request URL. If you remove the format code (%ru) from the logformat directive, the requested URL will not be written to access.log.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] How to rotate logs in Squid
Mehmet, Levent (Accenture) wrote: Hi We have just installed Squid and I would like to know how rotate the logs files. Hello Mehmet, The command squid -k rotate will rotate the log files. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] status codes meanings..
Linda W wrote:

I was trying to track down a problem and got distracted on squid status codes. I was curious on how to interpret these. I extracted the status codes from each line, sorted, counted and got:

    1 TCP_CLIENT_REFRESH_MISS/000
    955 TCP_CLIENT_REFRESH_MISS/200

*TCP_CLIENT_REFRESH_MISS* - The client issued a no-cache pragma, or some analogous cache control command along with the request. Thus, the cache has to refetch the object.

    6 TCP_MISS/000

*TCP_MISS* - The requested object was not in the cache

    1 TCP_NEGATIVE_HIT/404

*TCP_NEGATIVE_HIT* - Request for a negatively cached object, e.g. 404 not found, for which the cache believes to know that it is inaccessible. Also refer to the explanations for /negative_ttl/ in your /squid.conf/ file.

    2 TCP_SWAPFAIL_MISS/200
    ---

*TCP_SWAPFAIL_MISS* - The object was believed to be in the cache, but could not be accessed.

For more details of squid status codes see: http://wiki.squid-cache.org/SquidFaq/SquidLogs#head-2914f3a846d41673d4ae34018142e672b8f258ce

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
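The counting described in this thread, and the TCP_MISS/503 lines in the "TCP_MISS/503" thread above, can be reproduced with a small parser for the native access.log layout. This is an added example, not code from the posters or from Squid; the sample log lines are constructed, and treating any result code that contains HIT as a cache hit is a simplification chosen for this example.

```python
"""Tally Squid native access.log result codes (added example)."""
import re
from collections import Counter

# Native layout: time elapsed client result/status bytes method URL user
# hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

# Constructed sample input (documentation addresses and example.org URLs).
SAMPLE_LOG = """\
1153487449.160   2211 10.0.0.69 TCP_MISS/503 1660 GET http://www.example.org/a - NONE/- text/html
1153487449.332      1 10.0.0.69 TCP_MISS/503 1538 GET http://www.example.org/favicon.ico - NONE/- text/html
1153487460.010    120 10.0.0.70 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1153487461.500      3 10.0.0.70 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
1153487462.100     80 10.0.0.71 TCP_CLIENT_REFRESH_MISS/200 900 GET http://www.example.org/logo.png - DIRECT/192.0.2.10 image/png
1153487463.000      2 10.0.0.71 TCP_NEGATIVE_HIT/404 350 GET http://www.example.org/missing - NONE/- text/html
1153487464.000 truncated line without the remaining fields
"""


def parse(text):
    """Return (entries, skipped): parsed lines as dicts and the count of bad lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # keep count instead of failing on a damaged line
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, skipped


def tally(entries):
    """Count entries per RESULT/STATUS pair, e.g. 'TCP_MISS/503'."""
    return Counter(f'{e["result"]}/{e["status"]:03d}' for e in entries)


def hit_ratio(entries):
    """Share of requests whose result code contains HIT (this example's definition)."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if "HIT" in e["result"]) / len(entries)


def unforwarded_errors(entries):
    """URLs of MISS entries with a 5xx status and hierarchy NONE.

    No upstream peer or origin server is recorded for these requests, so the
    place to look next is cache.log on the proxy (DNS, connect failures).
    """
    return [
        e["url"] for e in entries
        if "MISS" in e["result"] and e["status"] >= 500 and e["hier"] == "NONE"
    ]


if __name__ == "__main__":
    parsed, bad = parse(SAMPLE_LOG)
    for code, count in sorted(tally(parsed).items()):
        print(f"{count:6d} {code}")
    print(f"hit ratio {hit_ratio(parsed):.2f}, skipped {bad} unparsable line(s)")
    for url in unforwarded_errors(parsed):
        print("5xx with no upstream recorded:", url)
```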
Re: [squid-users] Download always get disconnected through proxy
Yong Bong Fong wrote:

Dear friends, Wondering if anyone else faces a similar issue to me with downloading problems through proxy. Many users complained to me that when they download through proxy, they often get a corrupted file or the download is disconnected half way. Only if using a download manager can the download be more reliable. I have come to the conclusion that it is my proxy problem because on the same download link, if I use other direct internet connections, the download is perfect, but when it goes through the proxy there is the problem with download disconnected... any idea what went wrong? thanks for taking time reading my mail... Regards Yong

Hello Yong,

Check and send the cache.log messages while you are downloading through proxy.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Squid Transparent Proxy with Auth User
RdBSD wrote:

Dear All, Are there any features in squid-3 that will auth user with transparent proxy mode?

Hello,

No. It is not possible. With interception proxying, the client thinks it is talking to an origin server and would never send the /Proxy-authorization/ request header. For more details visit: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Queing downloads
Janco van der Merwe wrote:

Hi guys, I have an interesting question which I hope somebody will be able to help me or give me a push in the right direction. Firstly we are running Squid 2.5 Stable 10 on Fedora Core 4, behind a Shorewall firewall with squid_ldap_group authentication. Now what I want to know is, is it possible for Squid or any other Linux package to queue a download job for after hours, lets say that a user wants to download a file @ 10:00 in the morning but I only want to allow that download after 5 in the afternoon. (I hope that I'm making sense) To get back to my question... is it possible, can Squid or any other program do that??? I tried searching on the net but wasn't very successful.

Hello Merwe,

Yes. It is possible. You can try with the following ACL

    acl aclname time [day-abbrevs] [h1:m1-h2:m2]

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Only MISSES in Access log
Thomas Tronier-Rasmussen wrote:

Hi Squid Users, I'm new to Squid, and I just installed it via Yum. After setting up ACL's I can access the Internet, but in my access log, I only get TCP_MISS/200 and TCP_REFRESH_MISS/200 when refreshing websites. I can't figure out what's wrong, any ideas? - I thought squid was configured to do caching by default.

Hello Thomas,

Squid does not support caching of dynamic pages. It only caches the static html pages. We guess your server might be in the cache-filling stage.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] ACL wildcards?
Shoebottom, Bryan wrote:

Hello, Is it possible to use wildcards in an ACL? For example, currently I do this?

    acl restricted dstdomain .domain1.tld
    acl restricted dstdomain .domain2.tld
    acl restricted dstdomain .domain3.tld
    acl restricted dstdomain .domain4.tld

Can I do this?

    acl restricted dstdomain .domain?.tld

Thanks,

Hello Bryan,

Try with ACL

    acl aclname dstdom_regex [-i] xxx..

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Re: httpd_accel in Squid 2.6.STABLE1 problem
peter S wrote:

I am having trouble with squid config in 2.6 stable1. They have taken out httpd_accel_port and httpd_accel_host and replaced them with defaultsite http_port and cache_peer originserver options. When I put in the name of my server defaultsite http_port and the port that I am using under the cache_peer option squid returns an error saying that it doesn't understand the host name or port. I had to go back to another version of squid. Does anyone have a squid config http accelerator example for 2.6?

Hello Peter,

http accelerator for 2.6 can be done by the following modification in squid.conf

    http_port 80 vhost
    cache_peer virtual parent 80 0 no-query originserver

(or)

    cache_peer [backend server IP] parent 80 0 no-query originserver
    http_access allow all

Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] How to restrict the users validate the login credientials
Pavan Kumar Mahoorker wrote:

Hi all, I have configured SQUID as HTTP proxy and allowed some range of IPs. And when I use internet from my PC for which I have configured this SQUID PC as proxy server I can see all the traffic going through the proxy. Now I want to allow the PCs to access the Proxy server only if the login credentials authentication is success. And if the PCs fail to authenticate then the proxy should block the traffic. I have modified the /etc/squid/squid.conf file but looks like it needs an external auth server like LDAP, APACHE etc... Let me know what needs to be done to achieve this

Hello Kumar,

The Squid source code comes with a few authentication processes for Basic authentication. These include

    LDAP: Uses the Lightweight Directory Access Protocol
    NCSA: Uses an NCSA-style username and password file.
    MSNT: Uses a Windows NT authentication domain.
    PAM: Uses the Linux Pluggable Authentication Modules scheme.
    SMB: Uses a SMB server like Windows NT or Samba.
    getpwnam: Uses the old-fashioned Unix password file.
    sasl: Uses SASL libraries.
    winbind: Uses Samba authenticate in a Windows NT domain

If you have LDAP then you can configure it with squid. Configuration of LDAP can be done with the following.

Compiling squid with ldap support:

    ./configure --enable-basic-auth-helpers=LDAP

In squid.conf file edit the following:

    auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b dc=yourdomain,dc=com -f uid=%s -h yourdomain.com
    acl password proxy_auth REQUIRED
    http_access allow password
    http_access deny all

This Squid-LDAP Setup allows the users in the LDAP to access the pages and denies all the others. Similarly you can configure with the other authentication methods.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] httpd_accel in Squid 2.6.STABLE1 problem
Jon wrote:

First I added

    cache_peer virtual parent 80 3130 originserver

and

    http_port 80 vhost

to the conf file. But I get this error:

    The following error was encountered:
    * Unable to forward this request at this time.

Hello Jon,

You can try with following directive in squid.conf file.

    cache_peer virtual parent 80 0 no-query originserver

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] httpd_accel in Squid 2.6.STABLE1 problem
Jon wrote:

Thu 2006-07-06 at 12:26 -0400, Jon wrote: Thanks for the reply and I tried

    cache_peer virtual parent 80 0 no-query originserver

but it gave me an error

    The following error was encountered:
    Unable to determine IP address from host name for virtual

Hello Jon,

You can try with the Server IP address instead of virtual.

    cache_peer [Ip address] parent 80 0 no-query originserver

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] different round-robin parents
[EMAIL PROTECTED] wrote:

Hello, is it possible to use different group of round-robin parents? I've got some local squid servers that forward internet requests to 2 squid parent servers (configured with round-robin). In parallel, for some specific intranets website, i would need to forward these requests to some another couple of squid servers, and so implementing another couple of round-robin parents.

Hello,

The round-robin option must be used on more than one cache_peer line to be useful. Connections to caches configured with this options are spread evenly (round-robined) among the caches. This can be used by client caches to communicate with a group of loaded parents, so that load is spread evenly. If you have multiple Internet connections, with a parent cache on each side, you can use this option to do some basic load-balancing of the connections.

In other words, the round-robin option is similar to default, except that Squid forwards the request to the parent with the lowest use count. The cache_peer_domain restrictions still apply, of course. A typical configuration might look like:

    cache_peer proxy.visolve.com1 parent 3128 3130 round-robin no-query
    cache_peer proxy.visolve.com2 parent 3128 3130 round-robin no-query

For more details visit: http://squid.visolve.com/squid/squid24s1/glossary.htm.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] disk space over limit
lawrence wang wrote:

squid-users, i hope you can save me once again :) i've been getting a lot of the errors below. does this look like something i can fix with reconfiguration or recompilation?

    2006/07/04 20:59:42| WARNING: Disk space over limit: 440086904 KB 432410624 KB
    2006/07/04 20:59:53| WARNING: Disk space over limit: 439706788 KB 432410624 KB
    2006/07/04 21:00:04| WARNING: Disk space over limit: 439553980 KB 432410624 KB
    2006/07/04 21:00:15| WARNING: Disk space over limit: 439485096 KB 432410624 KB

Hello Lawrence,

This might be because swap.state has been corrupted. Such corruption can occur on unexpected system shutdowns (power failure, kernel panic etc). You can try with the following

1. Shut down squid.
2. Remove the swap.state files from your cache directories.
3. Start Squid again. It will rebuild swap.state from the cache files.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Squid won't debug
John Oliver wrote:

    [EMAIL PROTECTED] squid-2.5.STABLE14]# /usr/local/squid/sbin/squid -k debug
    squid: ERROR: No running copy

Squid is not running. Start Squid first, then debug it.

    #/usr/local/squid/sbin/squid
    #/usr/local/squid/sbin/squid -k debug

See the outputs in cache.log

I was trying to find out why I always get:

    ERROR
    The requested URL could not be retrieved
    While trying to retrieve the URL: http://localhost:81/
    The following error was encountered:
    * Access Denied.
    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

I tried http_access allow all since I'm using Squid as an accelerator, but that didn't work.

Check your iptables setting.

    #iptables -L

If there is any rule set for denying port 81, remove it and then try it again. Also you can check to know whether the port 81 is opened.

    #telnet localhost 81

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] How to set up a reverse proxy server over SSL?
fulan Peng wrote:
> Hi, I have compiled Squid 3.0 pre-release4 with its default. Then I changed one line from http-access deny all to http-access allow all and tried out the non-ssl forward proxy server worked. Now I want to set up with SSL and a reverse proxy server. Could you please help to tell where is a tutorial or a sample configuration file?

Hello Peng,

The following steps are used to configure squid-3.0 with SSL.

Compile squid with the SSL support option:

    ./configure --prefix=/usr/local/squid --enable-ssl

Edit the squid configuration for SSL support (reverse proxy):

    https_port 443 protocol=http cert=/path/to/server/certificate/server_cert.pem key=/path/to/server/key/server_priv_key.pem vport=<port on which the back end server listens>
    acl SSL method CONNECT
    never_direct allow SSL

Create a swap directory:

    /usr/local/squid/sbin/squid -z

Start Squid:

    /usr/local/squid/sbin/squid

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Strange behaviour with squid
Luca Manganelli wrote: Hi, I've configured my squid proxy to use NTLM authentication. When I access to internet from a PC with Firefox, an authentication window appears: Please write username and password for proxy on testproxy:3128 I write user and pwd, but the same window appears. If I press ESC (close window), another window appears: Please write username and password for proxy Squid Test Proxy on testproxy:3128 The only difference is the proxy name, but after I wrote user and password the proxy works! Why the proxy is acting in this mode? Hello Manganelli, Check your auth_param configuration in squid.conf file. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] HOWTO accelerate WindowsUpdate
John Mok wrote:
> Hi, I am using squid-2.5.STABLE12 on FC3 Linux and would like to reduce the Internet traffic and accelerate for windowsupdate. I found that there were many TCP_MISS for windowsupdate (as shown below) although I set a large value for maximum object size (e.g. 600MB) and I was sure that a previous user had got the update before.

Hello John Mok,

Squid won't support caching of dynamic pages.

    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] What does squid call items in its' cache?
John Oliver wrote:
> I want to purge some (or even all) of the stuff in squid's cache. But every possible name I've passed with squidclient gets rejected with a 404. I've tried *, www.mydomain.com, http://www.mydomain.com, http://www.mydomain.com/*... nothing is working. Is there a way to list the cache?

Hello Oliver,

You can try the purge tool to solve your problem. The purge tool is a kind of magnifying glass into your squid-2 cache. You can use purge to have a look at what URLs are stored in which file within your cache. The purge tool can also be used to release objects whose URLs match user-specified regular expressions. A more troublesome feature is the ability to remove files squid does not seem to know about any longer. For more details of the purge tool, see: http://www.wa.apana.org.au/~dean/squidpurge/

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] delay access to cached objects
Santosh Rani wrote: Sirs/ Madams I wonder how should I tell squid not to cache any thing! I am trying to chain two squid proxies. Both squids are installed on different machines. (I may sound foolish here! pardon me). I am telling one machine (machine 'A') to fetch data from other squid machine (machine 'B'). In machine 'A' , I have this line under TAG 'cache_peer' cache_peer 192.168.x.x sibling 8080 3130 proxy-only I am not able to get data from cache of machine 'A' by this directive (It is fetching data from internet) . Do I have to pass some directive in squid's configuration file on machine 'A' too? Hello Santhosh Rani, For more detailed configuration of squid forward all requests to another proxy: http://info.ccone.at/INFO/Squid/FAQ-4.html#ss4.9 -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] OWA reverse proxy with 2.6RC2
Another question maybe off topic but is Squid able to do reverse proxying for multiple urls using different backend (peer cache)? How is the link between the https_port and the cache_peer done in this case? Using cache_peer_domain? Hello Grilli, cache_peer_access is more flexibility directive to solve your problem. For more details see: http://www.visolve.com/squid/squid30/accesscontrols.html#cache_peer_access -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Group ACLs
Luís Fernando C. Talora wrote:
> Hum, I see now... And how would the acl line to group those ACLs into one be like?

Hello Fernando,

You can try the following acl:

    acl usr_sites dstdomain site1 site2 site3 ...

(or)

    acl usr_sites dstdomain "/path/to/sitesfile"

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Does squid admits ubiquity?
[EMAIL PROTECTED] wrote:
> Hello, i use squid with ncsa_auth to identify my users, but i have a problem with the accounts; how to prevent users to connect themselves on different machines with the same account at the same time? I don't know if i was clear. I've tried to use at the same time the same accounts on different machine and it was possible. I need to prevent it, because postal police couldn't believe in ubiquity..

Hello Davide,

You can try the following directive in squid.conf:

    acl aclname max_user_ip [-s] number

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Novell lookup
Keith Owen wrote:
> Can anyone lead me in the right direction. Is there a way for the access.log instead of IP addresses to have user names? We are a Novell shop. Thanks in advance.

Hello Owen,

The 8th field of access.log is Ident. If ident_lookup is on, this field may contain the username associated with the client connection as derived from the ident service. If you are already authenticated with a username, the username will be displayed automatically in the 8th field of access.log. For more details about the access.log format: http://squid.visolve.com/squid/squid24s1/glossary.htm#access.log.

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Date and Expires headers not updating?
lawrence wang wrote: Squid seems to have a bug with Expires and Date headers: It fetches an object and caches the headers. The object expires, and Squid fetches it again. The object is unmodified, so Squid continues to use the cached object. However, it appears that it also continues to return the old Expires and Date headers, even though it seems to be using new values under the hood. This will confuse downstream caches, won't it? Hello Lawrence, We guess this is something to do in webserver. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Help. SQUID very very slow.
Sergey Bondar wrote:
> Hi all. I am using squid for 7 year. No complains, but two week ago I installed new squid on brand new Dell Server to replace old machine. So Squid on new computer working much slower then on old one. If I go through NAT on new server it is fast. Over 50 people going through squid. Here is the specs:
>
> OLD Computer:
> FreeBSD 4.5-RELEASE #0: Tue Apr 30 18:25:23 EDT 2002 i386
> CPU: Pentium III (501.14-MHz 686-class CPU)
> 512 Mb RAM
> squid-2.4.STABLE4
> cache_dir 700 24 256
> cache_mem 256 M
> Internet line: DSL 700 kb
>
> NEW Computer:
> FreeBSD 6.1-RELEASE #0: Fri Jun 16 13:10:14 EDT 2006 i386
> DELL Server PE1420
> ACPI APIC Table: DELL PE1420
> Timecounter i8254 frequency 1193182 Hz quality 0
> CPU: Intel(R) Xeon(TM) CPU 3.00GHz (2992.52-MHz 686-class CPU)
> 1 Gb RAM
> squid-2.5.STABLE12
> cache_dir 3000 128 512
> cache_mem 500 M
> Internet line: T1
>
> I tried GENERIC kernel and My own with out all not needed drivers same results

Hello Bonder,

Your new server might still be in the cache filling stage. It will be fast when the cache is full.

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Replicate web object in peer cache server
Eswari Pd. Sharma wrote: Hi squid users, We are running peer transparent cache servers . In peer cache server, the web objects are store identical in each peer server and when request comes it look on its own and if doesnt get it look from the siblings , eventually it takes time and degrades the performance of cache server. I want to replicate web objects in peer cache server also and see the performance of cache server. Do anyone have idea how to replicate web objects in peer server ? Hello Eswari, For the details of peer cache: http://squid.visolve.com/squid/squid24s1/neighbour.htm. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Re: Squid for beginner
ankush grover wrote: On 6/16/06, Oshio Adams [EMAIL PROTECTED] wrote: Is there any where I can get Squid information for beinngers. I need a basic set up that works before I start making changes I parse ok I start ok But cant browse via the squid server from a system. Oshio Hello Oshio, Check your cache.log whether squid is running . If squid is running check the access.log while you are browsing. For more details about squid quick start guide: http://squid.visolve.com/squid/sqguide.htm -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Multiple domains and multiple backend servers : use of httpd_accel ?
Crimso wrote: Hi, I currently use squid on a virtual private server the following way : www.domains.com - squid - my server The VPS is localized in Italy so my websites seems to be in Italy for the search engines, although my server is localized in France. I use : http_accel_host www.myserverhost.com directive and it works perfectly. For some reasons I'd like to add some domains to my configuration, but these domains are hosted on another server (I can't change that, it doesn't depend on me...) The result should be : www.domain1.com - Squid - server1 www.domain2.com - Squid - server2 I really don't see how to do that since the http_accel_host directive can only be used once... Hello Crimso, If you are using the reverse proxy for more than one web server, then we must use the word virtual as the httpd_accel_host. For more details: http://squid.visolve.com/squid/reverseproxy.htm -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] configuring external acls in squid 2.5stable6 on fc3
ankush grover wrote:
> hey friends, I am using Squid 2.5 Stable 6 on FC3. I am trying to configure an external acl to make request_body_max_size work inside an acl. An example is given on this url http://www.mail-archive.com/squid-users@squid-cache.org/msg16568.html
>
> the external acl defined in my squid.conf file
>
>     external_acl_type request_body %{Content-Length} /etc/squid/request.sh
>     acl external request_max_250 request_body 256000
>     http_access allow mynetwork request_max_250
>
> Messages which we are getting while restarting the squid
>
> Stopping squid:
> 2006/06/16 14:01:12| squid.conf line 1816: acl external request_max_250 request_body 256000
> 2006/06/16 14:01:12| aclParseAclLine: Invalid ACL type 'request_max_250'
> 2006/06/16 14:01:12| squid.conf line 1900: http_access allow mynetwork request_max_250
> 2006/06/16 14:01:12| aclParseAccessLine: ACL name 'request_max_250 not found.
>
> What is the best way of configure external acl's in squid ? An example will be very helpful
>
> Thanks Regards
> Ankush Grover

Hello Grover,

Your acl format is incorrect:

    acl external request_max_250 request_body 256000

You can try with:

    acl request_max_250 external request_body 256

-- Thanks, Visolve Squid Team, http://squid.visolve.com
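A helper of the kind the external_acl_type line in this thread points at, as an added example (it is not from the thread or from the Squid distribution). It assumes Squid writes one line per lookup holding the %{Content-Length} value followed by the acl argument (the limit), writes "-" when the header is absent, and expects OK or ERR back; the function names and the sample lines are this example's own.

```python
#!/usr/bin/env python3
"""Model of an external ACL helper that limits request body size.

Assumed squid.conf wiring (helper path is hypothetical):
    external_acl_type request_body %{Content-Length} /etc/squid/request_body.py
    acl request_max_250 external request_body 256000
"""
import sys


def decide(line):
    """Return 'OK' or 'ERR' for one lookup line: '<content-length> <limit>'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"              # malformed lookup: fail closed
    length, limit = fields
    if not (limit.isascii() and limit.isdigit()):
        return "ERR"              # limit comes from squid.conf; refuse if broken
    if length == "-":
        return "OK"               # no Content-Length header (e.g. a plain GET)
    if not (length.isascii() and length.isdigit()):
        return "ERR"              # negative, signed, or non-numeric header value
    return "OK" if int(length) <= int(limit) else "ERR"


def run(lines):
    """Answer a batch of lookup lines; used here with constructed input."""
    return [decide(line) for line in lines]


# Constructed sample lookups, in the order Squid would send them.
SAMPLE = ["1024 256000", "- 256000", "300000 256000", "-5 256000"]

if __name__ == "__main__":
    # Squid keeps the helper running and reads one answer per line,
    # so every reply must be flushed immediately.
    for request in sys.stdin:
        print(decide(request), flush=True)
```

A request body sent without a Content-Length header is not measured by this check.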
Re: [squid-users] Error - Cache Manager Access Denied
Gabe Matteson wrote:
> I receive this error after logging into Squid's cachemgr.cgi site... Any idea's how to resolve this? Thank you. - Gabe
>
> The following error was encountered:
> * Cache Manager Access Denied.
> Sorry, you are not currently allowed to request: cache_object://srvsquid1.rrg.local/ from this cache manager until you have authenticated yourself.
>
> === SQUID.CONF ===
>
>     acl all src 0.0.0.0/0.0.0.0
>     acl cachemgr proto cache_object
>     acl localhost src 127.0.0.1/255.255.255.255
>     acl to_localhost dst 127.0.0.0/8
>     acl SSL_ports port 443 563
>     acl Safe_ports port 80 # http
>     acl Safe_ports port 21 # ftp
>     acl Safe_ports port 443 563 # https, snews
>     acl Safe_ports port 70 # gopher
>     acl Safe_ports port 210 # wais
>     acl Safe_ports port 1025-65535 # unregistered ports
>     acl Safe_ports port 280 # http-mgmt
>     acl Safe_ports port 488 # gss-http
>     acl Safe_ports port 591 # filemaker
>     acl Safe_ports port 777 # multiling http
>     acl CONNECT method CONNECT
>     acl server_vlan src 172.18.2.0/255.255.255.0
>     acl client_vlan src 172.18.5.0/255.255.255.0
>     #http_access allow cachemgr localhost
>     http_access allow cachemgr all
>     http_access deny cachemgr all
>     # Deny requests to unknown ports
>     http_access deny !Safe_ports
>     # Deny CONNECT to other than SSL ports
>     http_access deny CONNECT !SSL_ports
>     # We strongly recommend the following be uncommented to protect innocent
>     # web applications running on the proxy server who think the only
>     # one who can access services on localhost is a local user
>     #http_access deny to_localhost
>     http_access allow client_vlan
>     http_access deny all

Hello Matteson,

Your password might not match cachemgr_passwd. Check the cachemgr_passwd directive in squid.conf.

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] SQUID DNS problems
Falko Zurell wrote:
> Hello list, I got a strange problem with our squid server (squid 2.5.12 on linux). We have a network with multiple subdomains. Lets say ads.domain.com and localtions.domain.com. My squid host is a linux box with the correct /etc/resolv.conf settings. The machine itself can resolve all host names in our network. If i do a nslookup or host request I can resolve hosts on all our subdomains. But the squid can't resolve hosts in one of the subdomain (ads.domain.com). The domain it can't resolve in is a windows domain, served by MS DNS-Server. I wonder why the operating system can correctly resolve all the hostnames but the squid doesn't. I even entered all our DNS-Servers in the squid.conf but this doesn't helped. I even changed the default domain of the squid host to the ads.domain.com but this also doesn't resolved to problem. Does anyone has an idea on that? Thanks
> ---
> Falko Zurell
> Head of Application Management

Hello Falko,

What is the dns_nameservers value configured in squid.conf? Are you able to query the DNS server from the command line using dig?

    dig @dns_nameservers ads.domain.com

If it does not return the correct record, try changing the DNS server.

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] file descriptor problem
genco yilmaz wrote:
> Hi, Squid generates the following warning on cache.log file:
>
> WARNING! your cache is running out of filedescriptors.
>
> I know that there is no available FD for squid but I couldn't solve it yet. I have tried the methods mentioned in squid archive to increase FD number but nothing changed. I have added;
>
>     * soft nofile 8192
>     * hard nofile 65535
>
> lines into the /etc/security/limits.conf file then I have issued ulimit -HSn 8192 to increase the per process file descriptor limit but squid still says that there is 1024 file descriptor available at startup.

Hello Yilmaz,

Squid might be compiled with 1024 file descriptors. So you need to set ulimit -HSn 8192 and recompile squid.

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Blacklisting problem, simple fix?
Dave Mullen wrote:
> Fellow Users, I have squid running with a blacklist, but I seem to have found an issue with my config. The blacklist lists a domain, but it's not blocking any subdomains of that domain. Should it? Is there an option that turns on this recursion or something? For example: playboy.com is blocked in domains. www.playboy.com or members.playboy.com are still reachable. Shouldn't they be stopped as well as the playboy.com? Any thoughts? Thanks in advance, Dave Mullen

Hello Dave,

You can block the domain together with its subdomains using a regular expression in the acl.

    acl domain_block dstdom_regex [-i] playboy.com

(or)

    acl domain_block url_regex [-i] playboy.com

    http_access deny domain_block

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Selective .dll block
John Halfpenny wrote:
> hi. i've been running squid with dansguardian for a while, works really well. however, some people here need to use ebay and as i have dll files blocked at dans it won't work properly. as dans doesn't have an exception list for filetype, i thought about controlling them with the squid instance dans 'sits on'. my question is- how do i create an acl to ban .dll files, but allow the one necessary .dll file through? (ebayisapi.dll) is it possible to do with a single acl, or will i need to create an 'ok' acl followed by a 'not ok' acl? :-)

Hello John,

You can try the following:

    # FILE: the one .dll that must get through
    acl FILE urlpath_regex -i ebayisapi\.dll
    # FILE1: every other .dll
    acl FILE1 urlpath_regex -i \.dll
    http_access allow FILE
    http_access deny FILE1

Thanks, Visolve Squid Team, http://squid.visolve.com
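A small model of how the ACLs in the blacklist thread and the .dll thread above behave, as an added example (it is not Squid code and not from either post). It assumes Squid's documented semantics: a dstdomain entry matches subdomains only when it starts with a dot, dstdom_regex and urlpath_regex are unanchored searches, ACLs on one http_access line are ANDed, and the first matching line decides. The function names and every URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def _host(url):
    return (urlsplit(url).hostname or "").rstrip(".")


def _path(url):
    parts = urlsplit(url)
    # urlpath_regex sees the path plus the query string.
    return parts.path + ("?" + parts.query if parts.query else "")


def dstdomain(pattern):
    """'example.com' matches that host only; '.example.com' adds subdomains."""
    pattern = pattern.lower()

    def match(url):
        host = _host(url)
        if pattern.startswith("."):
            return host == pattern[1:] or host.endswith(pattern)
        return host == pattern
    return match


def dstdom_regex(expr, icase=False):
    rx = re.compile(expr, re.IGNORECASE if icase else 0)
    return lambda url: rx.search(_host(url)) is not None


def urlpath_regex(expr, icase=False):
    rx = re.compile(expr, re.IGNORECASE if icase else 0)
    return lambda url: rx.search(_path(url)) is not None


def negate(acl):
    """The '!' prefix on an ACL name in an http_access line."""
    return lambda url: not acl(url)


def http_access(rules, url):
    """First line whose ACLs all match wins; otherwise invert the last line."""
    for action, acls in rules:
        if all(acl(url) for acl in acls):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


blocked_sites = dstdomain(".playboy.com")             # domain and subdomains
ebay_dll = urlpath_regex(r"/ebayisapi\.dll(\?|$)", icase=True)
any_dll = urlpath_regex(r"\.dll(\?|$)", icase=True)

# Equivalent squid.conf lines:
#   http_access deny blocked_sites
#   http_access deny any_dll !ebay_dll   (exception without a blanket allow)
#   http_access allow <site's normal client ACL>   (modelled as always true)
RULES = [
    ("deny", [blocked_sites]),
    ("deny", [any_dll, negate(ebay_dll)]),
    ("allow", []),
]


def decide(url):
    return http_access(RULES, url)


if __name__ == "__main__":
    for sample in ("http://members.playboy.com/",
                   "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=1",
                   "http://downloads.example.net/setup.DLL",
                   "http://playboy.com.example.net/"):
        print(decide(sample), sample)
```

Writing the exception as a negated ACL on the deny line keeps it from granting access on its own, and the unanchored regex form also matches unrelated hosts such as the constructed playboy.com.example.net.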
Re: [squid-users] I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1.
Keith Owen wrote: I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1. This setup seems to be having troubles with e-mail websites (ex mail.yahoo.com hotmail.com) If anyone can offer suggestions that would be appreciated. Hello , Could you send me the error message in browser while you are browsing these sites. Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Limited site access
[EMAIL PROTECTED] wrote:
> We've a situation at our facility where specific clients sit in static IP address block. This clients are considered restricted and I need a way to get these clients to access a set of websites that I've defined. There's probably 20 or 30 sites. Can I get some recommendations on how to do this most-efficiently? Much appreciated, Tim Rainier

Hello Rainer,

You can solve your problem with the following:

    acl restricted src x.x.x.x/.
    acl restricted_sites dst "/usr/local/restrict.txt"
    http_access allow restricted restricted_sites
    http_access deny restricted

You can create a file (restrict.txt) to list the restricted sites. For more details: http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] SQUID 2.5 STABLE4 and AD 2003 R2
Meyerovich Aleksandr EB_NY wrote:
> 1. Which options Squid needs to be complied with to be able to authenticate against Windows 2003 R2 Active Directory with 2003 Functional Domain Level enabled?
> 2. Which authentication helper would work in this situation?
> Thanks a lot for help. Regards, Alex Meyerovich

Hello Alex,

You can compile squid by enabling the following configuration options, with the authentication methods as your requirement:

    --enable-ntlm-auth-helpers=SMB,winbind \
    --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group \
    --enable-auth=basic,ntlm \
    --with-winbind-auth-challenge \
    --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind

The NTLM auth helper should work for your situation.

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Broken Upload
On Wed, 2006-06-07 at 11:12 +0330, Mehdi Sarmadi wrote: Dears I've problem with upload use, uploads more than 1MB get broken often. What should affect on such usage? Any configuration directive or system hardware? Hi, If the error(time out) is due to the read_timeout then that will be logged in the cache.log as ERR_READ_TIMEOUT So check your cache.log -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Squid + Websense
On Wed, 2006-06-07 at 08:17 -0700, Daniel EPEE LEA wrote:
> Hello, Does anyone have links about squid + websense integration ? Is there an altenative to Websense in the opensource world ? Thanks for links and advice. Regards, Daniel
> - TO GOD BE THE GLORY :)

Hello Daniel,

For Web Content Filtering there are Dansguardian and Poesia:

    http://dansguardian.org/ (open source but restricted for commercial use)
    http://sourceforge.net/projects/poesia/

For URL Based Filtering there is squidguard:

    http://www.squidguard.org/
Re: [squid-users] Squid - Upgrading Weird Problem - Timeout
On Wed, 2006-06-07 at 13:32 -0300, Palula wrote:
> Ok... I can't figure this one out... I've just upgraded my Squid to 2.5/STABLE11 with yum (previously was using 2.5/STABLE6). And this problem started. I receive this message on the clients browsers:
>
> The requested URL could not be retrieved
> -
> While trying to retrieve the URL: http://www.google.com.br/
> The following error was encountered:
> Unable to determine IP address from host name for www.google.com.br
> The dnsserver returned: Timeout
> This means that: The cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
> Your cache administrator is [EMAIL PROTECTED]
> -
> Generated Wed, 07 Jun 2006 05:01:08 GMT by netradio.com.br (squid/2.5.STABLE11)
>
> The weirdest thing is that I can browse with the server. And worst... Everything returns to normal when I restart squid service (ex: /etc/rc.d/init.d/squid restart) So this means it has to be a small glitch. I can't be related to network problems. If it were network problems, by restarting squid, things would continue to go wrong right? Has anyone gone through this?

Hi,

What is the dns_nameservers value configured in squid.conf? Are you able to query the DNS server from the command line using dig?

    dig @dnsnameserver google.com.br

If it does not return the correct record, try changing the DNS server.

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] want to install squid on ubuntu
On Thu, 2006-06-08 at 03:03 +0500, Naveed Razaq wrote: hi any body who can help me to configure squid on ubuntu thank naveed razaq Hello Razag, Install squid with #apt-get install squid and edit the squid conf file as your needs refer http://squid.visolve.com/squid/sqguide.htm for configuring squid. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Broken Upload
On Wed, 2006-06-07 at 11:12 +0330, Mehdi Sarmadi wrote: Dears I've problem with upload use, uploads more than 1MB get broken often. What should affect on such usage? Any configuration directive or system hardware? Looking forward to your reply TIA Hello Tia, Check the delay_pools configuration directive in squid. -- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] permanantly caching a site/content
On Tue, 2006-06-06 at 10:51 +1000, [EMAIL PROTECTED] wrote:
> is it possible to set an acl to permanently cache a site? regardless of the disk/cache size? i've looked over all of the doco and i cant find anything
> tia

Hello Tia,

You can try the following:

    refresh_pattern -i www.site.com/. 4320 100% 43200 override-expire override-lastmod

-- Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] FW: using Squid as a proxy server
On Sat, 2006-06-03 at 08:43 +0200, Bluemountain wrote: PLez help, I have a 2003 server domain and 40 users in a call center, can ANYONE help me with the below query??? Hi, I am new to squid and have a new client that apparently has a squid proxy that is not working, can anyone tell me how to even begin to fix this problem, and get there proxy up and running again? I am absolute clueless Hello Roux, Could you send me the details of your version,log files and configuration. Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Transparent Reverse Proxy
On Fri, 2006-06-02 at 16:49 +0200, Cole wrote:
> Hi. I wanted to know if its possible to setup squid to be a transparent reverse proxy/httpd accelerator for multiple servers behind squid. I read through all the ViSolve stuff regarding this, and that all makes sense, I was just wondering if its possible to multiple servers in transparent mode? Regards /Cole

Hello Cole,

Yes, it is possible to set up a reverse proxy for multiple servers. You have to make squid resolve to the appropriate servers through DNS or the hosts file. And the squid configuration has to be modified as given in http://squid.visolve.com/squid/reverseproxy.htm

Let us know if you have some specific questions.

Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] external file processing with squid
On Fri, 2006-06-02 at 12:03 -0700, power159 wrote: Hi i want to know its this possible that check file extension or Type and if it was for example image , open a a program and do something in image and send send it to user ? with current configuration or editing source .. Thanks Hello , You could write a redirector and when the url matches for an image, it can be replaced with a different one (url having different image). But editing the image is not trivial. Thanks, Visolve Squid Team, http://squid.visolve.com
Re: [squid-users] Random authentication popups
On Thu, 2006-06-01 at 13:37 +0900, Scott Jarkoff wrote:
> I have setup Squid to perform authentication via NTLM and everything is working fine with the exception of 1 odd error. At random times throughout the day, and for no apparent reason, an authentication popup will be presented to the user. Merely clicking cancel will allow the user to view the site. The proxy server has not yet been deployed throughout the organization and therefore only has a very minimal load on it at the moment, yet it does this random authentication thing. Does anyone have any ideas as to what might be causing this to happen?

Hello Scott,

You can use this directive in the squid.conf file to prevent the problem:

    auth_param ntlm use_ntlm_negotiate off

You may also need to increase children based on your number of users. You can visit for more details: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

Thanks, Visolve Squid Team, http://squid.visolve.com