[squid-users] open socket: (13) Permission denied
Hi,

I'm trying to set up Squid on an ARM platform. After compiling, I run Squid with the command "/opt/squid/sbin/squid -N -d1", and then configure the iptables. Unfortunately, when I browse a URL, Squid reports an error:

    Attempt to open socket for EUI retrieval failed: (13) Permission denied.

Do you have an idea, please? I find that this error is reported by Eui48.cc. The code is as follows:

    // return binary representation of the EUI
    bool
    Eui::Eui48::lookup(const Ip::Address &c)
    {
        Ip::Address ipAddr = c;
        ipAddr.port(0);

    #if _SQUID_LINUX_
        unsigned char ifbuffer[sizeof(struct ifreq) * 64];
        struct ifconf ifc;
        struct ifreq *ifr;
        int offset;

        /* IPv6 builds do not provide the first http_port as an IPv4 socket for ARP */
        int tmpSocket = socket(AF_INET, SOCK_STREAM, 0);
        if (tmpSocket < 0) {
            debugs(28, DBG_IMPORTANT, "Attempt to open socket for EUI retrieval failed: " << xstrerror());
            clear();
            return false;
        }

Best regards,
Lizhi

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] open socket: (13) Permission denied
On 11/10/2014 9:14 p.m., 李志-iie wrote:
> Hi,
> I'm trying to set up Squid on an ARM platform. After compiling, I run Squid with the command "/opt/squid/sbin/squid -N -d1", and then configure the iptables. Unfortunately, when I browse a URL, Squid reports an error:
>     Attempt to open socket for EUI retrieval failed: (13) Permission denied.
> Do you have an idea, please?

This error should only show up there if your machine runs out of TCP ports or hits the FD limits.

How did you configure iptables?

How many FD is Squid finding available? (see startup log message about FD available).

Amos
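An added diagnostic for the symptom in this thread (this is example code, not from the thread and not Squid's own source): it reports the process's file-descriptor limit, which Amos asks about, then makes the same socket(AF_INET, SOCK_STREAM, 0) call that Eui48::lookup() makes and classifies the resulting errno, so an operator can tell FD or port exhaustion apart from a real permission problem such as a restrictive sandbox or MAC policy on the ARM board. The function names are this example's own.

```c
/* Added example: diagnose why socket(AF_INET, SOCK_STREAM, 0) fails for a
 * Squid process.  Not part of Squid; function names are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/socket.h>

/* Soft RLIMIT_NOFILE for this process (what Squid reports at startup as
 * available FDs is derived from this), or -1 if it cannot be read. */
long fd_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* Map the errno left by socket() to a short diagnosis.  EACCES is the
 * "(13) Permission denied" from the thread; EMFILE/ENFILE are the FD-limit
 * cases Amos mentions. */
const char *diagnose_socket_errno(int err)
{
    switch (err) {
    case 0:            return "ok";
    case EACCES:       return "permission denied";
    case EMFILE:       return "per-process FD limit reached";
    case ENFILE:       return "system-wide FD table full";
    case ENOBUFS:
    case ENOMEM:       return "out of kernel memory";
    case EAFNOSUPPORT: return "address family unsupported";
    default:           return "other error";
    }
}

/* Perform the same call Eui48::lookup() performs; return 0 on success or
 * the errno on failure.  The descriptor is closed immediately. */
int probe_inet_stream_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    long lim = fd_soft_limit();
    int err = probe_inet_stream_socket();

    printf("RLIMIT_NOFILE (soft): %ld\n", lim);
    printf("socket(AF_INET, SOCK_STREAM, 0): %s (errno %d: %s)\n",
           diagnose_socket_errno(err), err, err ? strerror(err) : "-");
    return err ? 1 : 0;
}
```

Run it as the same user and in the same environment (container, SELinux/AppArmor profile, seccomp sandbox) that Squid runs in; a clean "ok" here while Squid still fails points at something specific to the Squid process, such as its FD budget being exhausted by client and server connections, rather than at a system-wide restriction.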
Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Markus Moeller wrote:
> Hi Viktor,
>
> These sections of code do the selection in squid:
>
>     char *service_name = (char *) "HTTP", *host_name = NULL;

Thanks for posting this. BTW, does it mean that the service name HTTP is hardcoded, and if I wanted to use a principal with a different service name or without "/" at all, I have no way of doing it other than patching the source?

I have come across a strange issue with the w2k AD. When requested for a ticket to HTTP/proxy.sibptus.transneft.ru, it instead gives the ticket to PROXY01-SIBPTUS$ (this is the name of the AD account to which the SPN HTTP/proxy.sibptus.transneft.ru is bound). I seem to have no way of using this HTTP-less name in a keytab.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [squid-users] unexplained MISSes
Hi Amos,

I know that the first request is always a miss. I'm reproducing the same video from the same PC and the same browser, erasing the cache between tests.

Is there any doc that explains the meaning of all responses like ORIGINAL_DST? And is there any way to know the reason for a MISS or a HIT? I tried with the debug options, but the reason for a MISS isn't there.

Thanks
Josep

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Amos Jeffries
Sent: Friday, 10 October 2014 19:05
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] unexplained MISSes

On 11/10/2014 5:00 a.m., Josep Borrell wrote:
> Hi,
>
> I'm trying to build a squid server that can cache youtube requests for a school. I'm using squid 3.4.7 compiled from source on Ubuntu server 14.04.
>
> I have a lot of requests that are cached, but not served from cache and generate a TCP_MISS/200. I'm trying to figure out why these requests are not served from cache.
>
> Please find attached squid.conf and cache.log sample with debug enabled.
>
> I hope someone can help me.
>
> Thanks
> Josep
>
> *** access.log ***
> 1412953551.775 167 192.168.1.112 TCP_MISS/200 4344 GET http://i1.ytimg.com/vi/9_iANxI-Mrc/default.jpg - ORIGINAL_DST/74.125.230.3 image/jpeg

I see ORIGINAL_DST, meaning you are intercepting users' traffic. This interception action naturally imposes some big problems which Squid has to deal with.

IF the domain name does not specifically resolve for Squid to the same IP the user/client was contacting, the object is NOT safely cacheable. Squid will therefore not cache it, so as to prevent one smart-alec student causing http://i1.ytimg.com/vi/9_iANxI-Mrc/default.jpg to be fetched from a malware host - thus infecting anyone else loading the image they get back.

That required decision by Squid may be part of your problem, or not. Check the log file for mentions of Host header forgery by this client's connection or the previous one(s) fetching that same URL.

NP: if there is *none* previously fetching the URL, there is your answer. For it to have become cached someone has to fetch it - the first fetch is *always* a MISS.

> ** cache.log **
> --
> 2014/10/10 17:05:51.772| ctx: enter level 0: 'http://ytimg.com.squid.internal/vi/9_iANxI-Mrc/default.jpg'
> 2014/10/10 17:05:51.773| http.cc(705) processReplyHeader: processReplyHeader: key '9F1BB8D27BED16A8B74F8995105B2941'
> 2014/10/10 17:05:51.773| http.cc(749) processReplyHeader: HTTP Server local=192.168.111.10:59210 remote=74.125.230.3:80 FD 65 flags=1
> 2014/10/10 17:05:51.773| http.cc(750) processReplyHeader: HTTP Server REPLY:
> HTTP/1.1 200 OK
> Content-Type: image/jpeg
> Last-Modified: Thu, 01 Jan 1970 00:23:21 GMT
> Date: Fri, 10 Oct 2014 10:45:51 GMT
> Expires: Fri, 10 Oct 2014 16:45:51 GMT
> X-Content-Type-Options: nosniff
> Server: sffe
> Content-Length: 3861
> X-XSS-Protection: 1; mode=block
> Age: 15619
> Cache-Control: public, max-age=21600
> Alternate-Protocol: 80:quic,p=0.01
> --
> 2014/10/10 17:05:51.773| ctx: exit level 0
> 2014/10/10 17:05:51.773| ctx: enter level 0: 'http://ytimg.com.squid.internal/vi/9_iANxI-Mrc/default.jpg'
> 2014/10/10 17:05:51.773| http.cc(919) haveParsedReplyHeaders: HTTP CODE: 200
> 2014/10/10 17:05:51.773| refresh.cc(247) refreshCheck: refreshCheck: 'http://ytimg.com.squid.internal/vi/9_iANxI-Mrc/default.jpg'
> 2014/10/10 17:05:51.773| refresh.cc(262) refreshCheck: refreshCheck: Matched '^http:\/\/ytimg\.com\.squid\.internal.* 604800 80%% 4794000'
> 2014/10/10 17:05:51.773| refresh.cc(264) refreshCheck: age:15679
> 2014/10/10 17:05:51.773| refresh.cc(266) refreshCheck: check_time: Fri, 10 Oct 2014 15:06:51 GMT
> 2014/10/10 17:05:51.773| refresh.cc(268) refreshCheck: entry-timestamp: Fri, 10 Oct 2014 10:45:32 GMT
> 2014/10/10 17:05:51.773| refresh.cc(171) refreshStaleness: FRESH: expires 1412959532 >= check_time 1412953611
> 2014/10/10 17:05:51.773| refresh.cc(288) refreshCheck: Staleness = -1
> 2014/10/10 17:05:51.773| refresh.cc(373) refreshCheck: refreshCheck: object isn't stale..
> 2014/10/10 17:05:51.773| refresh.cc(375) refreshCheck: refreshCheck: returning FRESH_EXPIRES
> 2014/10/10 17:05:51.773| http.cc(482) cacheableReply: YES because HTTP status 200

That image is cacheable according to its headers. Provided the next client fetches it again within the next 99mins, and the interception limits do not prevent storage.

Check for mentions of Host header forgery by this same user/client or the previous one fetching this URL.

> ** squid.conf
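The two checks Amos walks through above, the refresh_pattern freshness test and the interception (Host header forgery) rule, as an added worked example that is not part of the thread and not Squid's own code. The header values and timestamps are copied from the quoted cache.log; the resolver result table and all function names are this example's own assumptions.

```python
"""Added example: reproduce Squid's two cache decisions from the cache.log
quoted in the thread.  Not Squid code; constructed input, illustrative names.

1. Freshness: refresh.cc compares the entry's expiry (entry timestamp plus
   max-age, falling back to Expires) with check_time; FRESH while expiry >=
   check_time (the log's "Staleness = -1").
2. Interception safety: for an ORIGINAL_DST request, the Host header is only
   trusted when the name resolves, for Squid, to the IP the client actually
   connected to.  Otherwise the reply must not enter the shared cache, since
   one client could poison it for everyone else (Host header forgery).
"""
from datetime import timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed from the reply headers and refresh.cc lines in the quoted log.
REPLY_HEADERS = {
    "Date": "Fri, 10 Oct 2014 10:45:51 GMT",
    "Expires": "Fri, 10 Oct 2014 16:45:51 GMT",
    "Age": "15619",
    "Cache-Control": "public, max-age=21600",
}
ENTRY_TIMESTAMP = "Fri, 10 Oct 2014 10:45:32 GMT"  # refresh.cc entry-timestamp
CHECK_TIME = "Fri, 10 Oct 2014 15:06:51 GMT"       # refresh.cc check_time

# Assumed resolver answers (constructed); in Squid this is a real DNS lookup.
RESOLVED: Dict[str, List[str]] = {
    "i1.ytimg.com": ["74.125.230.3", "74.125.230.4"],
}


def _epoch(http_date: str) -> int:
    """HTTP-date -> Unix seconds; treat a naive result as UTC."""
    dt = parsedate_to_datetime(http_date)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def max_age(cache_control: str) -> Optional[int]:
    """max-age value from a Cache-Control header, or None if absent."""
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


def freshness(headers: Dict[str, str], entry_timestamp: str, check_time: str) -> dict:
    """Expiry = entry timestamp + max-age (max-age overrides Expires, as in
    HTTP caching rules); the object is FRESH while expiry >= check_time."""
    ma = max_age(headers.get("Cache-Control", ""))
    if ma is not None:
        expires = _epoch(entry_timestamp) + ma
    elif "Expires" in headers:
        expires = _epoch(headers["Expires"])
    else:
        expires = None
    now = _epoch(check_time)
    fresh = expires is not None and expires >= now
    return {
        "expires": expires,
        "check_time": now,
        "fresh": fresh,
        "seconds_left": (expires - now) if fresh else 0,
    }


def intercepted_response_cacheable(host: str, original_dst: str,
                                   resolved: Dict[str, List[str]]) -> bool:
    """Host header forgery rule: cache only if the Host name resolves to the
    address the client was really talking to (ORIGINAL_DST)."""
    return original_dst in resolved.get(host.lower(), [])


if __name__ == "__main__":
    f = freshness(REPLY_HEADERS, ENTRY_TIMESTAMP, CHECK_TIME)
    print("expires=%d check_time=%d fresh=%s seconds_left=%d"
          % (f["expires"], f["check_time"], f["fresh"], f["seconds_left"]))
    for dst in ("74.125.230.3", "203.0.113.9"):
        print("Host i1.ytimg.com via ORIGINAL_DST %s -> cacheable: %s"
              % (dst, intercepted_response_cacheable("i1.ytimg.com", dst, RESOLVED)))
```

Run against the log's values this yields expires 1412959532 and check_time 1412953611, the same numbers refresh.cc printed, with 5921 seconds (just under the 99 minutes Amos quotes) of freshness remaining; so the headers alone cannot explain the MISS, and the interception check is the next thing to look at. The second function is the reason a forged Host header on an intercepted connection does not get to poison the cache: the client chose the destination IP, so only a name that resolves to that IP is trusted.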
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
On 10/12/2014 05:18 AM, Timothy Spear wrote:
> Hello,
>
> Here is the issue: I can proxy through Squid just fine to HTTP and HTTPS. I can also run SSH via Corkscrew to a SSH server running on port 443 and it works fine. What I cannot do, is access HTTPS or SSH on any other port except 443.

Look at SSL_ports and Safe_ports in your squid.conf (unless you rewrote it completely)

Amm.
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Check out your access log to see what it says. Sounds like you are looking for an AFW from squid. The ports themselves are defined. You need to make sure the other ports are opened. Your rule tells squid to block the non-allowed sites to the non-allowed ports. Still sounds like FW function, but with the domain feature only.

-B

On 10/12/2014 7:48 AM, Timothy Spear wrote:
> Hello,
>
> Here is the issue: I can proxy through Squid just fine to HTTP and HTTPS. I can also run SSH via Corkscrew to a SSH server running on port 443 and it works fine. What I cannot do, is access HTTPS or SSH on any other port except 443. I have lost track of the number of things I have tried so any help will be appreciated and I feel like I am missing something simple.
>
> OS: Ubuntu 14.04.1 LTS
> Squid: 3.3.8-1ubuntu6.1
>
> Here is my current Squid 3 configuration:
>
>     debug_options all,3
>
>     # local network we proxy for
>     acl localnet src 10.110.98.0/24
>
>     # what ports can be the destination
>     acl allowedPorts port 21
>     acl allowedPorts port 22
>     acl allowedPorts port
>     acl allowedPorts port 80
>     acl allowedPorts port 443
>     acl allowedPorts port 8443
>     acl CONNECT method CONNECT
>
>     # determine the available sites
>     acl allowedSites dstdomain /etc/squid3/allowed-sites.squid
>
>     # now block anything not on the localnet or ports
>     http_access deny !localnet
>     # allow connect only for approved ports
>     http_access deny CONNECT !allowedPorts
>     # now only allow to the specific sites
>     http_access allow localnet allowedSites allowedPorts
>
>     http_port 3128
>     access_log /var/log/squid3/access.log squid
>     hosts_file /etc/hosts
>
> Background (just FYI): I am trying to set up Squid to control network access from a local subnet to a select number of domains. I do not need to bump the encrypted traffic and play man in the middle, I just need to prevent the servers on the local network from accessing unauthorized networks. Yes, I know I can do this in the Firewall, but that is IP based and I am dealing with enough other companies that maintaining the IP list has become a major pain. Instead I want to use domains, which I can do in Squid.
>
> Thanks,
> Tim
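For readers following Amm's hint, here is the port-ACL layout that Squid's stock squid.conf ships with, extended with the alternate ports from Tim's description. This is an added illustration, not Tim's configuration and not a fix posted in the thread; the port numbers 8443 and 22 and the localnet range are taken from his message only as sample values.

```conf
# Added example (not from the thread): Squid's default port ACLs, plus the
# alternate ports discussed above.  Squid denies CONNECT to anything outside
# SSL_ports because a CONNECT tunnel is opaque to the proxy, so each extra
# port is an explicit, auditable exception rather than a blanket allow.
acl localnet src 10.110.98.0/24

acl SSL_ports port 443
acl SSL_ports port 8443          # HTTPS on an alternate port (sample value)
acl SSL_ports port 22            # SSH tunnelled via CONNECT (sample value)

acl Safe_ports port 80           # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443          # https
acl Safe_ports port 8443         # same alternate ports as above
acl Safe_ports port 22
acl CONNECT method CONNECT

# Quoted so Squid reads the domain list from the file instead of treating
# the path itself as a domain name.
acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"

# Evaluation is first match wins: reject unknown ports and non-SSL CONNECTs
# before any allow rule is reached, then restrict by source and domain.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet allowedSites
http_access deny all

http_port 3128
access_log /var/log/squid3/access.log squid
```

With debug_options raised as in Tim's config, the access.log and cache.log will show which http_access line denied a CONNECT, which is the quickest way to confirm whether the port list or the domain list is the one blocking a given destination.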