[squid-users] Multiple SSL Domains on Reverse Proxy

2014-11-30 Thread Roman Gelfand
Is it possible to listen on port 443 for requests for multiple domains,
i.e. www.xyz.com, www.mno.com, etc.?

If yes, could you point me to a sample config?

Thanks in advance
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid WCCP with multiple workers

2014-11-30 Thread Stephen Baynes
Is WCCP supposed to work with Squid multiple workers?

It works with 1 worker. If we change the number of workers from 1 to 2
we see it fail. The router no longer is aware of Squid and does not
reroute the data to the Squid box.

This can be seen on the router with "show ip wccp". The "Number of
Service Group Clients" and "Number of Service Group Routers" stop
being 1 and become 0.

The wccp lines in the Squid config are:

wccp2_router 10.0.5.201
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0 password=P
wccp2_service dynamic 70 password=P
wccp2_weight 1
wccp2_service_info 70 protocol=tcp flags=src_ip_hash priority=240 ports=443

Squid version 3.4.7


With 2 workers we see the following in the cache log:
2014/11/28 10:20:25 kid3| Accepting WCCPv2 messages on port 2048, FD 14.
2014/11/28 10:20:25 kid3| Initialising all WCCPv2 lists

With 2 worker we see the following in the cache log:
2014/11/28 09:44:09 kid1| Accepting WCCPv2 messages on port 2048, FD 16.
2014/11/28 09:44:09 kid1| Initialising all WCCPv2 lists


Any thoughts?

Thanks
-- 
Stephen Baynes CEng MBCS CITP


Re: [squid-users] WARNING: there are more than 100 regular expressions

2014-11-30 Thread navari.lore...@gmail.com
 this is the error: WARNING: there are more than 100 regular expressions.
Consider using less REs or use rules without expressions like 'dstdomain'. 







Re: [squid-users] squid 3.5x: Active Directory accounts with space issue

2014-11-30 Thread Amos Jeffries
On 30/11/2014 12:52 a.m., David Touzeau wrote:
> 
> On 26/11/2014 11:27, Amos Jeffries wrote:
>> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>> Hi
>>> 
>>> We have connected 3.5.0.2-20141121-r13666 with Active
>>> Directory. It seems where there are spaces in login account
>>> squid use only the last argument.
>>> 
>>> For example for an account "Jhon smith" squid use "smith" only
>>> For example for an account "Dr Jhon smith" squid use "smith" only
>>> 
>>> In 3.3.13 there is no such issue, a "Jhon smith" account is
>>> logged as "Jhon smith" and sent as Jhon%20smith to helpers
>> Any information about the auth Scheme being performed? the helpers
>> being used? and what is being sent to/from the helpers in 3.5
>> different from the 3.3 version?
>> 
>> Amos
> 
> Hi
> 
> I'm using this method
> 
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 25 startup=5 idle=1
> auth_param ntlm keep_alive off
> #Dynamic ACLs groups Enabled: [1]
> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
> #Other settings
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ip_ttl 60 seconds
> # END NTLM Parameters
> #Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod =  )
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
> 
> 
> On 3.3.13, everything works as expected. On 3.5x LOGIN are
> truncated where there is space on account.

By "LOGIN" are you meaning the log entries for user name labels?
 the %LOGIN format code delivered to the external ACL helper?
 the user=X labels delivered by the NTLM helper to Squid?
 or the generic "login" concept?

The 'old' helper protocol was whitespace delimited set of fields with
fixed meaning for each column/field. If the helper is delivering an
un-encoded SP character inside an old-style response to Squid it will
be parsed as two values.
 The 3.4+ helpers are parsing that protocol and upgrading it to the
new kv-pair protocol automatically. Garbage fields are discarded from
the input.

It looks like the 2-column AF (NTLM) response is being confused for a
3-column AF (Kerberos) response, since the only difference between the
two helpers' outputs is the presence of a "token" column before the
username field.

You can work around it with a script to convert the protocol explicitly
before delivering to Squid.

Amos
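The conversion script suggested in the reply above, as an added example (not code from the thread or from the Squid project): a wrapper that runs the real NTLM helper and rewrites its old-style `AF <username>` reply as one `OK user=` key-value pair with the name URL-encoded, so a space can no longer split it into columns. That Squid 3.4+ accepts `OK user=<url-encoded value>` from an NTLM helper is an assumption to check against the helper documentation of the installed version; the script name in the comment is hypothetical.

```python
#!/usr/bin/env python3
"""Wrapper between Squid and an NTLM helper that speaks the old
whitespace-delimited reply protocol (added example).

Assumed squid.conf usage (ntlm_kv_wrapper.py is a hypothetical name):
  auth_param ntlm program /path/to/ntlm_kv_wrapper.py /usr/bin/ntlm_auth \
      --domain=... --helper-protocol=squid-2.5-ntlmssp
"""
import subprocess
import sys
from urllib.parse import quote


def convert_ntlm_reply(line):
    """Rewrite one helper reply line.

    Old NTLM form:  AF <username>        (2 columns)
    Old Kerberos:   AF <token> <username> (3 columns)
    A user name containing a space makes the first look like the second.
    For an NTLM helper everything after "AF " is the user name, so it is
    emitted as a single URL-encoded value. All other replies (TT, NA, BH,
    or anything already in key=value form) are passed through unchanged.
    """
    line = line.rstrip("\r\n")
    code, sep, rest = line.partition(" ")
    if code == "AF" and sep and rest:
        # Assumption: Squid URL-decodes unquoted kv-pair values.
        return "OK user=" + quote(rest, safe="")
    return line


def run(helper_argv, src=sys.stdin, dst=sys.stdout):
    """Relay requests to the helper one at a time and convert each reply.

    NTLM helpers are stateful and answer every request with exactly one
    line, so a strict request/reply loop is sufficient here.
    """
    helper = subprocess.Popen(
        helper_argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
        bufsize=1,
    )
    try:
        for request in src:
            helper.stdin.write(request)
            helper.stdin.flush()
            reply = helper.stdout.readline()
            if not reply:  # helper exited; let Squid restart the wrapper
                break
            dst.write(convert_ntlm_reply(reply) + "\n")
            dst.flush()
    finally:
        helper.stdin.close()
    return helper.wait()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: ntlm_kv_wrapper.py <helper> [helper args...]")
    sys.exit(run(sys.argv[1:]))
```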


Re: [squid-users] Existing root certificate not working with SSL Bump (squid 3.3.10)

2014-11-30 Thread Amos Jeffries
On 27/11/2014 6:45 a.m., HaxNobody wrote:
> Alright, I figured out a possible cause. I downloaded the
> certificate that the browsers were complaining about, and used
> openssl verify to verify against the root certificate that I have.
> I got error 20, indicating that squid must not be using the correct
> root certificate to generate the client certificate on the fly, or
> that it is being generated incorrectly. The generated certificate
> shows all the correct properties of the root certificate that I am
> using, so my conclusion is that squid is incorrectly generating the
> client certificate.
> 
> Question: Under what circumstances might squid incorrectly generate
> a bump certificate?

In all circumstances involving client-first bumping, or a bug in Squid.

Other circumstances depend on your definition of "correct". Squid
3.3+ will mimic certificates *including errors* delivered by servers.


Also, Squid does not generate client certificates. It generates server
certificates. I assume that is what you are talking about.


> Another question: Why might it be working when I use a different
> root certificate?

a) possibly the client trusts only one out of the two root certificates.

b) possibly the non-working certificate is not properly installed in
the client.

c) possibly the non-trusted root certificate is part of a chain which
the client is not able to locate all the pieces for (leading to 'a').

d) possibly the root certificate has key extensions or usage
restrictions prohibiting what Squid usage requires (leading to 'a').


You will need to get a content dump of the certificates emitted by
Squid and a working system to see what the difference(s) are.

Amos



Re: [squid-users] squid-3.5.0.2-20141031-r13657 crashes

2014-11-30 Thread James Harper
This has happened again a day or so after wiping the cache directory. Core dump 
this time:

#0  StoreEntry::checkCachable (this=this@entry=0x284c440) at store.cc:962
962 getReply()->content_length > store_maxobjsize) ||
(gdb) bt
#0  StoreEntry::checkCachable (this=this@entry=0x284c440) at store.cc:962
#1  0x00619edf in StoreEntry::memoryCachable 
(this=this@entry=0x284c440) at store.cc:1418
#2  0x006255d2 in StoreController::keepForLocalMemoryCache 
(this=, e=...) at store_dir.cc:798
#3  0x00625a75 in StoreController::handleIdleEntry (this=0x23a48d0, 
e=...) at store_dir.cc:891
#4  0x0061b091 in StoreEntry::unlock (this=0x284c440, 
context=context@entry=0x806224 "clientReplyContext::forgetHit") at store.cc:543
#5  0x00535356 in clientReplyContext::forgetHit 
(this=this@entry=0x28eb5e8) at client_side_reply.cc:1586
#6  0x005390be in clientReplyContext::identifyFoundObject 
(this=0x28eb5e8, newEntry=) at client_side_reply.cc:1675
#7  0x0053ed0d in ClientHttpRequest::httpStart 
(this=this@entry=0x28e9ed8) at client_side_request.cc:1517
#8  0x005402b7 in ClientHttpRequest::processRequest 
(this=this@entry=0x28e9ed8) at client_side_request.cc:1503
#9  0x005420d5 in ClientHttpRequest::doCallouts (this=0x28e9ed8) at 
client_side_request.cc:1818
#10 0x00545bd7 in ClientRequestContext::clientAccessCheckDone 
(this=this@entry=0x28603d8, answer=...) at client_side_request.cc:821
#11 0x00546801 in ClientRequestContext::clientAccessCheck2 
(this=0x28603d8) at client_side_request.cc:718
#12 0x005427bc in ClientHttpRequest::doCallouts (this=0x28e9ed8) at 
client_side_request.cc:1711
#13 0x00545bd7 in ClientRequestContext::clientAccessCheckDone 
(this=this@entry=0x28603d8, answer=...) at client_side_request.cc:821
#14 0x005466c5 in clientAccessCheckDoneWrapper (answer=..., 
data=0x28603d8) at client_side_request.cc:730
#15 0x006c369b in ACLChecklist::checkCallback (this=0x28eda18, 
answer=...) at Checklist.cc:167
#16 0x006c3ea4 in ACLChecklist::completeNonBlocking (this=) at Checklist.cc:52
#17 0x006c43a3 in ACLChecklist::nonBlockingCheck (this=,
callback_=callback_@entry=0x5466a0 , callback_data_=callback_data_@entry=0x28603d8) at Checklist.cc:255
#18 0x00546171 in ClientRequestContext::clientAccessCheck 
(this=0x28603d8) at client_side_request.cc:698
#19 0x005426ca in ClientHttpRequest::doCallouts (this=0x28e9ed8) at 
client_side_request.cc:1682
#20 0x00544b90 in ClientRequestContext::hostHeaderIpVerify 
(this=0x28603d8, ia=0x2860cc0, dns=...) at client_side_request.cc:526
#21 0x005ca5d4 in ipcacheCallback (i=i@entry=0x2860ca0, 
wait=wait@entry=330) at ipcache.cc:325
#22 0x005cae74 in ipcacheHandleReply (data=, 
answers=, na=, error_message=) at 
ipcache.cc:475
#23 0x0055b4a1 in idnsCallback (q=0x28561e8, q@entry=0x2862ff8, 
error=error@entry=0x0) at dns_internal.cc:1097
#24 0x0055f78f in idnsGrokReply (buf=buf@entry=0xb0d100  "\262<\201\200", sz=sz@entry=156, from_ns=)
at dns_internal.cc:1266
#25 0x005601b5 in idnsRead (fd=7, data=) at 
dns_internal.cc:1353
#26 0x00752223 in Comm::DoSelect (msec=) at 
ModEpoll.cc:277
#27 0x006d3f7f in CommSelectEngine::checkEvents (this=, 
timeout=) at comm.cc:1835
#28 0x0056893a in EventLoop::checkEngine 
(this=this@entry=0x7fffee8124b0, engine=engine@entry=0x7fffee812440, 
primary=primary@entry=true)
at EventLoop.cc:35
#29 0x00568b27 in EventLoop::runOnce (this=this@entry=0x7fffee8124b0) 
at EventLoop.cc:114
#30 0x00568ce8 in EventLoop::run (this=this@entry=0x7fffee8124b0) at 
EventLoop.cc:82
#31 0x005d0753 in SquidMain (argc=, argv=) at main.cc:1508
#32 0x004e378c in SquidMainSafe (argv=, argc=) at main.cc:1240
#33 main (argc=, argv=) at main.cc:1233

James


Re: [squid-users] Minor nit with cachemgr.cgi in 3.5.0.2

2014-11-30 Thread Amos Jeffries
Please report through bugzilla so we do not lose track of this.

Amos



Re: [squid-users] squid 3.5x: Active Directory accounts with space issue

2014-11-30 Thread David Touzeau


On 26/11/2014 11:27, Amos Jeffries wrote:
> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>> Hi
>> 
>> We have connected 3.5.0.2-20141121-r13666 with Active Directory. It
>> seems where there are spaces in login account squid use only the
>> last argument.
>> 
>> For example for an account "Jhon smith" squid use "smith" only
>> For example for an account "Dr Jhon smith" squid use "smith" only
>> 
>> In 3.3.13 there is no such issue, a "Jhon smith" account is logged
>> as "Jhon smith" and sent as Jhon%20smith to helpers
> 
> Any information about the auth Scheme being performed?
>   the helpers being used?
>   and what is being sent to/from the helpers in 3.5 different from the
> 3.3 version?
> 
> Amos

Hi

I'm using this method

auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25 startup=5 idle=1
auth_param ntlm keep_alive off
#Dynamic ACLs groups Enabled: [1]
external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php

#Other settings
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 seconds
authenticate_ip_ttl 60 seconds
# END NTLM Parameters 
#Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod =  )
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours


On 3.3.13, everything works as expected.
On 3.5x LOGIN are truncated where there is space on account.

I have tested by removing external_acl_type ads_group; no change, issue 
is still displayed.


[squid-users] 2.7.STABLE9 & Error with option deny_info from local requests

2014-11-30 Thread Mark Riede
Hello,

I have a strange behavior with Squid 2.7.STABLE9 and local requests which 
should be intercepted by the option deny_info.

I am using Squid as a reverse proxy.
I have configured a list of subdomains (i.e. subdomain.domain.tld) in a file 
via the option dstdomain, which will be forwarded to the defined cache peer.
There is an additional list of domains (i.e. *.domain.tld) which match via 
wildcard to all other domains, which are not absolutely defined yet and will be 
forwarded to a custom error page via the option deny_info.

The problem is that requests forwarded to the IP of the server, i.e. 
192.168.0.1, will be caught by the option deny_info.
But, when the request is forwarded to the IP of the localhost (127.0.0.1), the 
option deny_info will not match.
Now the strange behaviour is that requests to the IP of the localhost but with 
the destination domain subdomain.domain.tld will be answered successfully.
I need a fix because clients get the custom error page for requests via http 
(NAT to 192.168.0.1) but not the same response via https (nginx to 127.0.0.1). 
I don't know where or how I can fix this problem or do more debugging.


# Config
http_access allow localhost
acl foo dstdomain "/file"
acl foo_deny dstdom_regex "/file_deny"
http_access allow foo
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=srv1 login=PASS
cache_peer_access srv1 allow foo
cache_peer_access srv1 deny all
deny_info ERR_FOO foo_deny
http_access deny foo_deny
http_access deny all


# Error via curl
ERROR: The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://subdomain.domain.tld/

Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. Some possible problems are:
  An Internet connection needed to access this domains origin servers may be down.
  All configured parent caches may be currently unreachable.
  The administrator may not allow this cache to make direct connections to origin servers.

Your cache administrator is serv...@babiel.com.

Generated Fri, 28 Nov 2014 13:29:22 GMT by squid (squid)

# Error from log
1417181439.852 RELEASE -1  B41394C6D2C0281301E5137947DE34E0  504 
1417181439-1-1 text/html 1509/1509 GET 
http://subdomain.domain.tld/

Best regards,
Mark


Re: [squid-users] Cannot display page correctly with SSL-Bump

2014-11-30 Thread Amos Jeffries
On 27/11/2014 5:38 p.m., Rino M Nur wrote:
> Hi,
> 
> I'm trying to get ssl bump work correctly but when I get a site with
> https then browser display the page with no CSS or javascript. log:
> 1417149172.053 175 192.168.10.10 TAG_NONE/200 0 CONNECT i.ytimg.com:443 - HIER_DIRECT/74.125.130.102 -
> 1417149172.145 194 192.168.10.10 TAG_NONE/200 0 CONNECT i.ytimg.com:443 - HIER_DIRECT/74.125.130.102 -
> 1417149172.181 156 192.168.10.10 TAG_NONE/200 0 CONNECT i.ytimg.com:443 - HIER_DIRECT/74.125.130.102 -
> 1417149172.220 169 192.168.10.10 TAG_NONE/200 0 CONNECT i.ytimg.com:443 - HIER_DIRECT/74.125.130.102 -
> 1417149172.299 348 192.168.10.10 TAG_NONE/200 0 CONNECT i.ytimg.com:443 - HIER_DIRECT/74.125.130.102 -

Hmm, I think that is what gets logged when the CONNECT gets bumped.
There should be other log lines for the decrypted requests from inside
the tunnel.

Amos



Re: [squid-users] RFC2616 headers in bumped requests

2014-11-30 Thread Amos Jeffries
On 20/11/2014 11:51 p.m., Steve Hill wrote:
> On 17/11/14 22:05, Amos Jeffries wrote:
> 
>> Would you mind running an experiment for me?
>> 
>> To see what happens if Squid delivers either of these Via
>> headers instead of its current output:
>> 
>> Via: HTTPS/1.1 iceni2.opendium.net (squid/3.4.9)
> 
> The HTTPS/1.1 one appears to work correctly.
> 
>> Via: TLS/1.2 iceni2.opendium.net (squid/3.4.9)
> 
> The web server produces the same broken redirect as before when I
> send TLS/1.2.
> 
>> Setting it with request_header_access/replace should do.
> 
> I've tested this in Squid with request_header_access/replace and 
> confirmed with openssl's s_client directly.
> 


Just to follow up, there will not be a permanent change made to Squid
because:

1) "HTTPS" is a common name for an entire stack of protocols. Since it
is a whole stack of protocols (HTTP-on-TLS-on-TCP-on-IP...) it is not
being registered by IANA as a label for an individual protocol.

2) the Via header indicates the single top-level protocol, which is
actually HTTP for both port 80 and 443 traffic, even though port 443
is HTTP being transmitted over TLS connections. Thus Squid's Via header
is correct.


The ATS server has at least three bugs:

A) it is emitting some unknown "http/1.1" protocol. The "HTTP"
protocol label is case-sensitive as defined in RFC 7230.

B) it is attempting to determine security from the Via header. As the
server operators themselves should know (due to the "http/1.1" usage
by their own server) the presence of any top-level HTTP is no
indicator for or against security of the underlying network connection.

C) it is redirecting to the same https:// URI which is being delivered
to it. The server itself is uniquely in a position to be aware of
these types of loop and so is expected not to cause them. (Squid opening
a port 443 connection is a dead giveaway they are getting https:// even
if it is proxied).


PS. that said, the workaround should be enough to get things going
again until the ATS people fix their bugs.

Cheers
Amos


Re: [squid-users] long standing bug about aufs on freebsd 10

2014-11-30 Thread dan
FWIW I have this bug in CentOS 6.

On Mon, Dec 1, 2014 at 4:48 PM, k simon  wrote:

> Hi, Lists,
>AUFS can not run stable one day and report:
> 2014/11/30 07:10:15 kid1| WARNING: swapfile header inconsistent with available data
> 2014/11/30 07:10:15 kid1| Could not parse headers from on disk object
> 2014/11/30 07:10:15 kid1| BUG 3279: HTTP reply without Date:
> 2014/11/30 07:10:15 kid1| StoreEntry->key: 553ABDC02632452B7204639E5DDA66D8
> 2014/11/30 07:10:15 kid1| StoreEntry->next: 0
> 2014/11/30 07:10:15 kid1| StoreEntry->mem_obj: 0x82178ed00
> 2014/11/30 07:10:15 kid1| StoreEntry->timestamp: -1
> 2014/11/30 07:10:15 kid1| StoreEntry->lastref: 1417302615
> 2014/11/30 07:10:15 kid1| StoreEntry->expires: -1
> 2014/11/30 07:10:15 kid1| StoreEntry->lastmod: -1
> 2014/11/30 07:10:15 kid1| StoreEntry->swap_file_sz: 0
> 2014/11/30 07:10:15 kid1| StoreEntry->refcount: 1
> 2014/11/30 07:10:15 kid1| StoreEntry->flags: CACHABLE,PRIVATE,FWD_HDR_WAIT,VALIDATED
> 2014/11/30 07:10:15 kid1| StoreEntry->swap_dirn: -1
> 2014/11/30 07:10:15 kid1| StoreEntry->swap_filen: -1
> 2014/11/30 07:10:15 kid1| StoreEntry->lock_count: 2
> 2014/11/30 07:10:15 kid1| StoreEntry->mem_status: 0
> 2014/11/30 07:10:15 kid1| StoreEntry->ping_status: 2
> 2014/11/30 07:10:15 kid1| StoreEntry->store_status: 1
> 2014/11/30 07:10:15 kid1| StoreEntry->swap_status: 0
> 2014/11/30 07:10:15 kid1| assertion failed: store.cc:1876: "isEmpty()"
>How can I workaround it ?
> Simon


[squid-users] long standing bug about aufs on freebsd 10

2014-11-30 Thread k simon

Hi, Lists,
  AUFS can not run stable one day and report:

2014/11/30 07:10:15 kid1| WARNING: swapfile header inconsistent with available data
2014/11/30 07:10:15 kid1| Could not parse headers from on disk object
2014/11/30 07:10:15 kid1| BUG 3279: HTTP reply without Date:
2014/11/30 07:10:15 kid1| StoreEntry->key: 553ABDC02632452B7204639E5DDA66D8
2014/11/30 07:10:15 kid1| StoreEntry->next: 0
2014/11/30 07:10:15 kid1| StoreEntry->mem_obj: 0x82178ed00
2014/11/30 07:10:15 kid1| StoreEntry->timestamp: -1
2014/11/30 07:10:15 kid1| StoreEntry->lastref: 1417302615
2014/11/30 07:10:15 kid1| StoreEntry->expires: -1
2014/11/30 07:10:15 kid1| StoreEntry->lastmod: -1
2014/11/30 07:10:15 kid1| StoreEntry->swap_file_sz: 0
2014/11/30 07:10:15 kid1| StoreEntry->refcount: 1
2014/11/30 07:10:15 kid1| StoreEntry->flags: CACHABLE,PRIVATE,FWD_HDR_WAIT,VALIDATED
2014/11/30 07:10:15 kid1| StoreEntry->swap_dirn: -1
2014/11/30 07:10:15 kid1| StoreEntry->swap_filen: -1
2014/11/30 07:10:15 kid1| StoreEntry->lock_count: 2
2014/11/30 07:10:15 kid1| StoreEntry->mem_status: 0
2014/11/30 07:10:15 kid1| StoreEntry->ping_status: 2
2014/11/30 07:10:15 kid1| StoreEntry->store_status: 1
2014/11/30 07:10:15 kid1| StoreEntry->swap_status: 0
2014/11/30 07:10:15 kid1| assertion failed: store.cc:1876: "isEmpty()"

  How can I workaround it ?




Simon


Re: [squid-users] WARNING: there are more than 100 regular expressions

2014-11-30 Thread Henrik Nordstrom

Thu 2014-11-27 at 01:59 -0800, navari.lore...@gmail.com wrote:
> "Consider using less REs ..." is not possible.
> 
> If there is no other solution
> I will break the files in many files with less than 100 entries.
> 
> Probably will have the same problem with black list.

How many REs do you need in your blacklist? Most blacklists I have seen
are domain based, not pattern based.

If you don't know what I mean then read up on the difference between
dstdom_regex and dstdomain ACL types in Squid.

Regards
Henrik


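The dstdom_regex versus dstdomain distinction raised in the reply above, as an added example (not code from the thread or from Squid): a script that goes through a regex blacklist and pulls out the entries that are only a fully anchored, spelled-out domain, which can be moved to a dstdomain list and no longer count toward the regular-expression total. The sample list and all function names are constructed for illustration; unanchored patterns are deliberately left as regexes because they match more than the domain they mention.

```python
"""Split a dstdom_regex list into entries that can become dstdomain
entries and entries that really need a regular expression (added example)."""
import re

# One DNS label, and a dotted name as it is written inside a regex,
# i.e. with every dot escaped as "\.".
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_NAME = rf"{_LABEL}(?:\\\.{_LABEL})+"

# ^example\.com$  matches exactly one host name.
_EXACT = re.compile(rf"^\^({_NAME})\$$")
# (^|\.)example\.com$  or  ^(.*\.)?example\.com$  match the domain and
# every subdomain, which is what a leading dot means in dstdomain.
_SUBTREE = re.compile(rf"^(?:\(\^\|\\\.\)|\^\(\.\*\\\.\)\?)({_NAME})\$$")


def classify(pattern):
    """Return ("dstdomain", value) or ("dstdom_regex", pattern)."""
    m = _EXACT.match(pattern)
    if m:
        return ("dstdomain", m.group(1).replace("\\.", "."))
    m = _SUBTREE.match(pattern)
    if m:
        return ("dstdomain", "." + m.group(1).replace("\\.", "."))
    # Anything else (character classes, alternation, missing anchors)
    # is not equivalent to a domain entry and stays a regex.
    return ("dstdom_regex", pattern)


def _covered(name, subtrees):
    """True if a ".parent" entry in subtrees already matches name."""
    host = name.lstrip(".")
    parts = host.split(".")
    parents = {"." + ".".join(parts[i:]) for i in range(1, len(parts))}
    if not name.startswith("."):
        parents.add("." + host)
    return bool(parents & subtrees)


def split_blacklist(lines):
    """Return (dstdomain_entries, remaining_regexes) for a list of patterns."""
    domains, regexes = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind, value = classify(entry)
        (domains if kind == "dstdomain" else regexes).append(value)
    # Drop names already covered by a ".parent" entry so the dstdomain
    # list does not contain overlapping entries.
    subtrees = {d for d in domains if d.startswith(".")}
    kept = sorted({d for d in domains if not _covered(d, subtrees)})
    return kept, regexes


# Constructed sample blacklist, not taken from the thread.
SAMPLE = r"""
# one pattern per line
^ads\.example\.com$
(^|\.)example\.com$
^(.*\.)?tracker\.example\.net$
^cdn\.example\.org$
^ad[0-9]+\.
\.example\.biz
(banner|popup)s?\.
""".splitlines()

if __name__ == "__main__":
    dstdomain, still_regex = split_blacklist(SAMPLE)
    print("dstdomain entries:", *dstdomain, sep="\n  ")
    print("dstdom_regex entries:", *still_regex, sep="\n  ")
```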


Re: [squid-users] Memory Leak Squid 3.4.9 on FreeBSD 10.0 x64

2014-11-30 Thread Doug Sampson
> On 25/11/2014 9:06 a.m., Doug Sampson wrote:
> > Recently due to squid 2.7 being EOL'ed, we migrated our squid
> > server to version 3.4.9 on a FreeBSD 10.0-RELEASE running on 64-bit
> > hardware. We started seeing paging file being swapped out
> > eventually running out of available memory. From the time squid
> > gets started it usually takes about two days before we see these
> > entries in /var/log/messages as follows:
> >
> > +swap_pager_getswapspace(16): failed
> > +swap_pager_getswapspace(16): failed
> > +swap_pager_getswapspace(16): failed
> > +swap_pager_getswapspace(12): failed
> > +swap_pager_getswapspace(16): failed
> > +swap_pager_getswapspace(12): failed
> > +swap_pager_getswapspace(6): failed
> > +swap_pager_getswapspace(16): failed
> >
> > Looking at the 'top' results, I see that the swap file has been
> > totally exhausted. Memory used by squid hovers around 2.3GB out of
> > the total 3GB of system memory.
> >
> > I am not sure what is causing these memory leaks. After rebooting,
> > squid-internal-mgr/info shows the following statistics:
> >
> > Squid Object Cache: Version 3.4.9
> > Build Info:
> > Start Time:   Mon, 24 Nov 2014 18:39:08 GMT
> > Current Time: Mon, 24 Nov 2014 19:39:13 GMT
> > Connection information for squid:
> >   Number of clients accessing cache: 18
> >   Number of HTTP requests received: 10589
> >   Number of ICP messages received: 0
> >   Number of ICP messages sent: 0
> >   Number of queued ICP replies: 0
> >   Number of HTCP messages received: 0
> >   Number of HTCP messages sent: 0
> >   Request failure ratio: 0.00
> >   Average HTTP requests per minute since start: 176.2
> >   Average ICP messages per minute since start: 0.0
> >   Select loop called: 763993 times, 4.719 ms avg
> > Cache information for squid:
> >   Hits as % of all requests: 5min: 3.2%, 60min: 17.0%
> >   Hits as % of bytes sent: 5min: 2.0%, 60min: 6.7%
> >   Memory hits as % of hit requests: 5min: 0.0%, 60min: 37.2%
> >   Disk hits as % of hit requests: 5min: 22.2%, 60min: 33.2%
> >   Storage Swap size: 7361088 KB
> >   Storage Swap capacity: 58.5% used, 41.5% free
> >   Storage Mem size: 54348 KB
> >   Storage Mem capacity: 3.9% used, 96.1% free
> >   Mean Object Size: 23.63 KB
> >   Requests given to unlinkd: 1
> > Median Service Times (seconds)  5 min    60 min:
> >   HTTP Requests (All):   0.10857  0.19742
> >   Cache Misses:          0.10857  0.32154
> >   Cache Hits:            0.08265  0.01387
> >   Near Hits:             0.15048  0.12106
> >   Not-Modified Replies:  0.00091  0.00091
> >   DNS Lookups:           0.05078  0.05078
> >   ICP Queries:           0.0  0.0
> > Resource usage for squid:
> >   UP Time: 3605.384 seconds
> >   CPU Time: 42.671 seconds
> >   CPU Usage: 1.18%
> >   CPU Usage, 5 minute avg: 0.72%
> >   CPU Usage, 60 minute avg: 1.17%
> >   Maximum Resident Size: 845040 KB
> >   Page faults with physical i/o: 20
> > Memory accounted for:
> >   Total accounted: 105900 KB
> >   memPoolAlloc calls: 2673353
> >   memPoolFree calls: 2676487
> > File descriptor usage for squid:
> >   Maximum number of file descriptors: 87516
> >   Largest file desc currently in use: 310
> >   Number of file desc currently in use: 198
> >   Files queued for open: 0
> >   Available number of file descriptors: 87318
> >   Reserved number of file descriptors: 100
> >   Store Disk files open: 0
> > Internal Data Structures:
> >   311543 StoreEntries
> >   4421 StoreEntries with MemObjects
> >   4416 Hot Object Cache Items
> >   311453 on-disk objects
> >
> > I will post another one tomorrow that will indicate growing
> > memory/swapfile consumption.
> >
> > Here is my squid.conf:
> >
> > # OPTIONS FOR AUTHENTICATION #
> >
> > # 1st four lines for
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> > #  next three lines for kerberos authentication (needed to use usernames)
> > #  used in conjunction with "acl auth proxy_auth" line below
> > #auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i
> > #auth_param negotiate children 50 startup=10 idle=5
> > #auth_param negotiate keep_alive on
> >
> >
> > # ACCESS CONTROLS #
> >
> > # Example rule allowing access from your local networks.
> > # Adapt to list your (internal) IP networks from where browsing
> > # should be allowed
> > #acl manager proto cache_object
> > acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
> > acl adminhost src 192.168.1.149
> > acl localnet src 192.168.1.0/24   # RFC1918 possible internal network
> > acl localnet src fc00::/7   # RFC 4193 local private network range
> > acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
> > acl webserver src 198.168.1.35
> > acl some_big_clients src 192.168.1.149/32 #CI53
> >
> > # We want to limit downloads of th

[squid-users] Persistent Connections - only one side

2014-11-30 Thread Mathew Marulla
Need to know if this is even possible…

We have a PHP app that uses CURL to send requests/get responses from servers of 
various business partners.  The connections to these partner servers are not 
currently persistent.  Setting keep-alive headers would be ineffective because 
the connections are necessarily closed when the PHP code exits, at the end of 
each transaction.  Something like this:



Now, we have a potential partner that requires persistent, re-used connections. 
 Changing the system architecture so that the PHP code remains running is not 
an option.  I was wondering if a proxy server, running on the same server as 
the PHP code, could keep the outside half persistent, even after the inside 
half closes.  Like this:



Is this possible?  Is there a config option that might achieve this? 

Thanks!


[squid-users] cannot start Squid 3.4.9

2014-11-30 Thread Fernandez-Touzon, Carlos E (CTR)
RHEL 6.6 x86_64
Squid v3.4.9

I downloaded the 3.4.9 RPM from 
http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-3.4.9-2.el6.x86_64.rpm

The squid service fails to start.

$ sudo service squid start
Starting squid:    [FAILED]

Squid doesn't write anything to squid.out.  Once I add the -X option to 
SQUID_OPTS, squid outputs a ton of messages to squid.out ... but nothing seems 
out of order.

Any thoughts on how I should track down this issue?

For completeness I have added the full debug log output

Thanks

C

==DEBUG LOG==
2014/11/18 18:22:35.457| debug.cc(425) parseOptions: command-line -X overrides: 
ALL,7
2014/11/18 18:22:35.467| cache_manager.cc(102) registerProfile: registering 
legacy mem
2014/11/18 18:22:35.467| cache_manager.cc(136) findAction: 
CacheManager::findAction: looking for action mem
2014/11/18 18:22:35.468| cache_manager.cc(144) findAction: Action not found.
2014/11/18 18:22:35.468| cache_manager.cc(87) registerProfile: registered 
profile: mem
2014/11/18 18:22:35.468| cache_manager.cc(102) registerProfile: registering 
legacy squidaio_counts
2014/11/18 18:22:35.468| cache_manager.cc(136) findAction: 
CacheManager::findAction: looking for action squidaio_counts
2014/11/18 18:22:35.468| cache_manager.cc(144) findAction: Action not found.
2014/11/18 18:22:35.468| cache_manager.cc(87) registerProfile: registered 
profile: squidaio_counts
2014/11/18 18:22:35.468| cache_manager.cc(136) findAction: 
CacheManager::findAction: looking for action diskd
2014/11/18 18:22:35.468| cache_manager.cc(144) findAction: Action not found.
2014/11/18 18:22:35.468| cache_manager.cc(87) registerProfile: registered 
profile: diskd
2014/11/18 18:22:35.468| rock/RockStoreFileSystem.cc(44) setup: Will use Rock FS
2014/11/18 18:22:35.468| Startup: Initializing Authentication Schemes ...
2014/11/18 18:22:35.468| Startup: Initialized Authentication Scheme 'basic'
2014/11/18 18:22:35.468| Startup: Initialized Authentication Scheme 'digest'
2014/11/18 18:22:35.468| Startup: Initialized Authentication Scheme 'negotiate'
2014/11/18 18:22:35.468| Startup: Initialized Authentication Scheme 'ntlm'
2014/11/18 18:22:35.468| Startup: Initialized Authentication.
2014/11/18 18:22:35.468| tools.cc(59) ProbeTransport: IPv6 not supported on 
this machine. Auto-Disabled.
2014/11/18 18:22:35.468| Config.cc(39) registerTokens:  register format tokens 
for 'adapt'
2014/11/18 18:22:35.468| Config.cc(39) registerTokens:  register format tokens 
for 'icap'
2014/11/18 18:22:35.468| Config.cc(39) registerTokens:  register format tokens 
for 'ssl'
2014/11/18 18:22:35.468| cache_cf.cc(608) parseConfigFile:
2014/11/18 18:22:35.468| cf_parser.cci(4061) free_all:
2014/11/18 18:22:35.468| Acl.cc(425) Registered: ACL::Prototype::Registered: 
invoked for type ssl_error
2014/11/18 18:22:35.468| Acl.cc(429) Registered: ACL::Prototype::Registered:
yes
2014/11/18 18:22:35.468| Acl.cc(118) FindByName: ACL::FindByName 
'ssl::certHasExpired'
2014/11/18 18:22:35.468| Acl.cc(124) FindByName: ACL::FindByName found no match
2014/11/18 18:22:35.468| Acl.cc(259) ParseAclLine: aclParseAclLine: Creating 
ACL 'ssl::certHasExpired'
2014/11/18 18:22:35.468| Acl.cc(461) Factory: ACL::Prototype::Factory: cloning 
an object for type 'ssl_error'
2014/11/18 18:22:35.468| cbdata.cc(324) cbdataInternalAlloc: cbdataAlloc: 
0x117d688
2014/11/18 18:22:35.468| Acl.cc(425) Registered: ACL::Prototype::Registered: 
invoked for type ssl_error
2014/11/18 18:22:35.468| Acl.cc(429) Registered: ACL::Prototype::Registered:
yes
2014/11/18 18:22:35.468| Acl.cc(118) FindByName: ACL::FindByName 
'ssl::certNotYetValid'
2014/11/18 18:22:35.468| Acl.cc(124) FindByName: ACL::FindByName found no match
2014/11/18 18:22:35.468| Acl.cc(259) ParseAclLine: aclParseAclLine: Creating 
ACL 'ssl::certNotYetValid'
2014/11/18 18:22:35.468| Acl.cc(461) Factory: ACL::Prototype::Factory: cloning 
an object for type 'ssl_error'
2014/11/18 18:22:35.468| cbdata.cc(324) cbdataInternalAlloc: cbdataAlloc: 
0x117d6b8
2014/11/18 18:22:35.468| Acl.cc(425) Registered: ACL::Prototype::Registered: 
invoked for type ssl_error
2014/11/18 18:22:35.468| Acl.cc(429) Registered: ACL::Prototype::Registered:
yes
2014/11/18 18:22:35.468| Acl.cc(118) FindByName: ACL::FindByName 
'ssl::certDomainMismatch'
2014/11/18 18:22:35.468| Acl.cc(124) FindByName: ACL::FindByName found no match
2014/11/18 18:22:35.469| Acl.cc(259) ParseAclLine: aclParseAclLine: Creating 
ACL 'ssl::certDomainMismatch'
2014/11/18 18:22:35.469| Acl.cc(461) Factory: ACL::Prototype::Factory: cloning 
an object for type 'ssl_error'
2014/11/18 18:22:35.469| cbdata.cc(324) cbdataInternalAlloc: cbdataAlloc: 
0x117d868
2014/11/18 18:22:35.469| Acl.cc(425) Registered: ACL::Prototype::Registered: 
invoked for type ssl_error
2014/11/18 18:22:35.469| Acl.cc(429) Registered: ACL::Prototype::Registered:
yes
2014/11/18 18:22:35.469| Acl.cc(118) FindByName: ACL::FindByName 
'ssl::certUntrusted'
2014/11/18 18:22:35.46

Re: [squid-users] using squid 3.head for large rock , but i still have mean object size is 32 !!!!!

2014-11-30 Thread Ahmed Allzaeem
 

More info ...

 

 

sample_start_time = 1415972068.352725 (Fri, 14 Nov 2014 13:34:28 GMT)

sample_end_time = 1415972368.441291 (Fri, 14 Nov 2014 13:39:28 GMT)

client_http.requests = 624.049293/sec

client_http.hits = 52.839655/sec

client_http.errors = 8.046615/sec

client_http.kbytes_in = 481.063567/sec

client_http.kbytes_out = 42844.925855/sec

client_http.all_median_svc_time = 0.154761 seconds

client_http.miss_median_svc_time = 0.181403 seconds

client_http.nm_median_svc_time = 0.00 seconds

client_http.nh_median_svc_time = 0.094540 seconds

client_http.hit_median_svc_time = 0.000304 seconds

server.all.requests = 556.379734/sec

server.all.errors = 0.00/sec

server.all.kbytes_in = 43258.073243/sec

server.all.kbytes_out = 494.860147/sec

server.http.requests = 556.379734/sec

server.http.errors = 0.00/sec

server.http.kbytes_in = 43258.073243/sec

server.http.kbytes_out = 494.860147/sec

server.ftp.requests = 0.00/sec

server.ftp.errors = 0.00/sec

server.ftp.kbytes_in = 0.00/sec

server.ftp.kbytes_out = 0.00/sec

server.other.requests = 0.00/sec

server.other.errors = 0.00/sec

server.other.kbytes_in = 0.00/sec

server.other.kbytes_out = 0.00/sec

icp.pkts_sent = 0.00/sec

icp.pkts_recv = 0.00/sec

icp.queries_sent = 0.00/sec

icp.replies_sent = 0.00/sec

icp.queries_recv = 0.00/sec

icp.replies_recv = 0.00/sec

icp.replies_queued = 0.00/sec

icp.query_timeouts = 0.00/sec

icp.kbytes_sent = 0.00/sec

icp.kbytes_recv = 0.00/sec

icp.q_kbytes_sent = 0.00/sec

icp.r_kbytes_sent = 0.00/sec

icp.q_kbytes_recv = 0.00/sec

icp.r_kbytes_recv = 0.00/sec

icp.query_median_svc_time = 0.00 seconds

icp.reply_median_svc_time = 0.00 seconds

dns.median_svc_time = 0.00 seconds

unlink.requests = 0.00/sec

page_faults = 0.00/sec

select_loops = 20058.805484/sec

select_fds = 22262.722249/sec

average_select_fd_period = 0.00/fd

median_select_fds = 0.00

swap.outs = 48.353008/sec

swap.ins = 111.065932/sec

swap.files_cleaned = 0.00/sec

aborted_requests = 38.496416/sec

syscalls.disk.opens = 109.649271/sec

syscalls.disk.closes = 213.635244/sec

syscalls.disk.reads = 133.399114/sec

syscalls.disk.writes = 910.827293/sec

syscalls.disk.seeks = 0.00/sec

syscalls.disk.unlinks = 3.456643/sec

syscalls.sock.accepts = 684.672141/sec

syscalls.sock.sockets = 241.881767/sec

syscalls.sock.connects = 241.695102/sec

syscalls.sock.binds = 241.671769/sec

syscalls.sock.closes = 542.913161/sec

syscalls.sock.reads = 7940.295208/sec

syscalls.sock.writes = 13137.561543/sec

syscalls.sock.recvfroms = 318.947897/sec

syscalls.sock.sendtos = 180.778809/sec

cpu_time = 524.449272 seconds

wall_time = 1800.012392 seconds

cpu_usage = 29.135870%

 


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Ahmed Allzaeem
Sent: Friday, November 14, 2014 5:36 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] using squid 3.head for large rock , but i still have
mean object size is 32 !

 

 

Hi ,

 

I migrated from squid 3.4.3 so that I wish to have a chance to save bw.

 

I'm using : Squid Cache: Version 3.HEAD-20141105-r13687

 

 

With options below :

 

Service Name: squid

configure options:  '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--enable-cachemgr-hostname=drx' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam
,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-arp-acl'
'--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
'--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g
-Wall -O2' '--enable-ltdl-convenience'

 

 

I have 16 cores and I have set 6 workers and used aufs cache dir for bw saving
but still no luck ... the out traffic in general is less than in traffic.

 

This idea is getting me a headache 

 

Here is my cache manager :

Connection information for squid:

Number of clients accessing cache:8967

Number of HTTP requests received: 455542

Number of ICP messages received:  0

Number of ICP messa

[squid-users] using squid 3.head for large rock , but i still have mean object size is 32 !!!!!

2014-11-30 Thread Ahmed Allzaeem
Hi ,

 

I migrated from squid 3.4.3 so that I wish to have a chance to save bw.

 

I'm using : Squid Cache: Version 3.HEAD-20141105-r13687

 

 

With options below :

 

Service Name: squid

configure options:  '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--enable-cachemgr-hostname=drx' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam
,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-arp-acl'
'--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
'--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g
-Wall -O2' '--enable-ltdl-convenience'

 

 

I have 16 cores and I have set 6 workers and used aufs cache dir for bw saving
but still no luck ... the out traffic in general is less than in traffic.

 

This idea is getting me a headache 

 

Here is my cache manager :

Connection information for squid:

Number of clients accessing cache:8967

Number of HTTP requests received: 455542

Number of ICP messages received:  0

Number of ICP messages sent:   0

Number of queued ICP replies:  0

Number of HTCP messages received: 0

Number of HTCP messages sent:  0

Request failure ratio: 0.00

Average HTTP requests per minute since start: 35706.3

Average ICP messages per minute since start:  0.0

Select loop called: 14737492 times, 0.345 ms avg

Cache information for squid:

Hits as % of all requests: 5min: 10.4%, 60min: 10.6%

Hits as % of bytes sent:   5min: -0.6%, 60min: -0.8%

Memory hits as % of hit requests: 5min: 37.1%, 60min: 36.9%

Disk hits as % of hit requests:   5min: 28.0%, 60min: 28.4%

Storage Swap size: 29253956 KB

Storage Swap capacity: 10.6% used, 89.4% free

Storage Mem size:  2434400 KB

Storage Mem capacity:  39.6% used, 60.4% free

Mean Object Size:  32.60 KB

Requests given to unlinkd: 0

Median Service Times (seconds)  5 min60 min:

HTTP Requests (All):   0.15616  0.15748

Cache Misses:  0.18340  0.19003

Cache Hits:0.00030  0.00030

Near Hits: 0.08938  0.08686

Not-Modified Replies:  0.0  0.0

DNS Lookups:   0.0  0.0

ICP Queries:   0.0  0.0

Resource usage for squid:

UP Time:   765.486 seconds

CPU Time:  1333.285 seconds

CPU Usage: 174.18%

CPU Usage, 5 minute avg:   176.56%

CPU Usage, 60 minute avg:  176.15%

Maximum Resident Size: 22667056 KB

Page faults with physical i/o: 0

Memory accounted for:

Total accounted:   1568707 KB

memPoolAlloc calls:  1830

memPoolFree calls:  133080611

File descriptor usage for squid:

Maximum number of file descriptors:   393216

Largest file desc currently in use:   6574

Number of file desc currently in use: 23510

Files queued for open:   0

Available number of file descriptors: 369706

Reserved number of file descriptors:   600

Store Disk files open:  37

Internal Data Structures:

899673 StoreEntries

  2442 StoreEntries with MemObjects

39600 Hot Object Cache Items

897283 on-disk objects

 

 

 

 

 

 

 

 

 

sample_start_time = 1415972068.352725 (Fri, 14 Nov 2014 13:34:28 GMT)

sample_end_time = 1415972368.441291 (Fri, 14 Nov 2014 13:39:28 GMT)

client_http.requests = 624.049293/sec

client_http.hits = 52.839655/sec

client_http.errors = 8.046615/sec

client_http.kbytes_in = 481.063567/sec

client_http.kbytes_out = 42844.925855/sec

client_http.all_median_svc_time = 0.154761 seconds

client_http.miss_median_svc_time = 0.181403 seconds

client_http.nm_median_svc_time = 0.00 seconds

client_http.nh_median_svc_time = 0.094540 seconds

client_http.hit_median_svc_time = 0.000304 seconds

server.all.requests = 556.379734/sec

server.all.errors = 0.00/sec

server.all.kbytes_in = 43258.073243/sec

ser

[squid-users] bad kernel logs on high traffic server

2014-11-30 Thread Ahmed Allzaeem
Hi guys , I have server with about 1000 users and its okay with 2 workers

 

Now I added more 1000 and its now 2000 users with 4 workers

 

But sometime some process of squid get killed suddenly and here is log below
, 

 

Here  is sysctl.conf

[root@Largerock-squid ~]# cat  /etc/sysctl.conf 

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and

# sysctl.conf(5) for more details.

 

# Controls IP packet forwarding

net.ipv4.ip_forward = 0

net.ipv4.ip_forward = 1

# Controls source route verification

#net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.rp_filter = 0

###

net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.eth0.rp_filter = 0

###

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

 

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

 

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

 

# Controls the use of TCP syncookies

net.ipv4.tcp_syncookies = 1

 

# Disable netfilter on bridges.

net.bridge.bridge-nf-call-ip6tables = 0

net.bridge.bridge-nf-call-iptables = 0

net.bridge.bridge-nf-call-arptables = 0

 

# Controls the default maxmimum size of a mesage queue

kernel.msgmnb = 65536

 

# Controls the maximum size of a message, in bytes

kernel.msgmax = 65536

 

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 68719476736

 

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 4294967296



###

fs.file-max = 1131072

net.local.dgram.recvspace = 1262144

net.local.dgram.maxdgram = 116384

net.netfilter.nf_conntrack_max = 113



net.nf_conntrack_max = 1131072

#

kernel: possible SYN flooding on port 80. Sending cookies.#

net.ipv4.tcp_syncookies=0

 

 

I'm wondering what should I do, or modify my kernel linux

 

the error code is below :

 

 

 

Nov  7 14:52:16 Largerock-squid snmpd[1576]: Connection from UDP:
[xxx]:57067xxx]

Nov  7 14:52:17 Largerock-squid kernel: snmpd invoked oom-killer:
gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0

Nov  7 14:52:17 Largerock-squid kernel: snmpd cpuset=/ mems_allowed=0

Nov  7 14:52:17 Largerock-squid kernel: Pid: 1576, comm: snmpd Not tainted
2.6.32-431.el6.x86_64 #1

Nov  7 14:52:17 Largerock-squid kernel: Call Trace:

Nov  7 14:52:17 Largerock-squid kernel: [] ?
cpuset_print_task_mems_allowed+0x91/0xb0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
dump_header+0x90/0x1b0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
security_real_capable_noaudit+0x3c/0x70

Nov  7 14:52:17 Largerock-squid kernel: [] ?
oom_kill_process+0x82/0x2a0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
select_bad_process+0xe1/0x120

Nov  7 14:52:17 Largerock-squid kernel: [] ?
out_of_memory+0x220/0x3c0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
__alloc_pages_nodemask+0x8ac/0x8d0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
alloc_pages_current+0xaa/0x110

Nov  7 14:52:17 Largerock-squid kernel: [] ?
__page_cache_alloc+0x87/0x90

Nov  7 14:52:17 Largerock-squid kernel: [] ?
find_get_page+0x1e/0xa0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
filemap_fault+0x1a7/0x500

Nov  7 14:52:17 Largerock-squid kernel: [] ?
__do_fault+0x54/0x530

Nov  7 14:52:17 Largerock-squid kernel: [] ?
handle_pte_fault+0xf7/0xb00

Nov  7 14:52:17 Largerock-squid kernel: [] ?
move_addr_to_kernel+0x64/0x70

Nov  7 14:52:17 Largerock-squid kernel: [] ?
copy_user_generic+0xe/0x20

Nov  7 14:52:17 Largerock-squid kernel: [] ?
handle_mm_fault+0x22a/0x300

Nov  7 14:52:17 Largerock-squid kernel: [] ?
__do_page_fault+0x138/0x480

Nov  7 14:52:17 Largerock-squid kernel: [] ?
sys_sendto+0x139/0x190

Nov  7 14:52:17 Largerock-squid kernel: [] ?
read_tsc+0x9/0x20

Nov  7 14:52:17 Largerock-squid kernel: [] ?
ktime_get_ts+0xb1/0xf0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
poll_select_copy_remaining+0xf8/0x150

Nov  7 14:52:17 Largerock-squid kernel: [] ?
do_page_fault+0x3e/0xa0

Nov  7 14:52:17 Largerock-squid kernel: [] ?
page_fault+0x25/0x30

Nov  7 14:52:17 Largerock-squid kernel: Mem-Info:

Nov  7 14:52:17 Largerock-squid kernel: Node 0 DMA per-cpu:

Nov  7 14:52:17 Largerock-squid kernel: CPU0: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel: CPU1: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel: CPU2: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel: CPU3: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel: CPU4: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel: CPU5: hi:0, btch:   1 usd:
0

Nov  7 14:52:17 Largerock-squid kernel:

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-11-30 Thread Paul Freeman
Pedro,

This sounds similar to a problem I had a couple of years ago when using 
Kerberos authentication with Squid (3.1.x) on Ubuntu (10.04 at that stage). 
(see RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet 
Explorer 8 on Windows Server 2008 R2, squid-users group Nov 3 2010)



What I discovered after debugging the Kerberos authentication process with gdb 
was the MIT Kerberos version distributed with that version of Ubuntu did not 
support one of the encryption types requested by the newer versions of Windows 
(7, 2008).  This was a reported issue with the version of Kerberos used in 
Ubuntu.  I ended up patching the Ubuntu MIT Kerberos source (a trivial patch) 
and compiling the packages manually.  This corrected the problem.



I am unsure whether this is the root cause of your issue though but thought it 
might be worth mentioning.  I have not kept up with the MIT Kerberos packages 
included with Ubuntu 12.04 and 14.04 to know whether the patch is included in 
the later versions.



Regards



Paul



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Pedro Lobo
Sent: Tuesday, 28 October 2014 7:26 AM
To: Markus Moeller
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with 
BH gss_accept_sec_context() failed



Hi Markus Moeller,


Hi Markus,

Yeah, I'm currently using that option and permissions are correct too.


On 27 Oct 2014 19:47, Markus Moeller wrote:

   Hi Pedro,



   Did you try the -s GSS_C_NO_NAME option ?



   Markus



   "Pedro Lobo" mailto:pal...@gmail.com>> wrote in message 
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...

   Hey Everybody,

   Seems as though I celebrated too soon on Saturday. Today things are back to 
not working for Windows 7+ machines and XP/2003 machines are working just fine.

   I've also checked the permissions on the keytab file and they haven't 
changed since Saturday, so it's not that... ARGH

   Craving ideas and solutions right now... Pilot users are less than satisfied 
;)

   Cheers,
   Pedro

   On 25 Oct 2014, at 14:13, Markus Moeller wrote:

  Hi Pedro,

  I wonder if the upper case in the name is a problem. Can you try

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME

  instead of

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net

  Markus

  "Pedro Lobo" pal...@gmail.com wrote in message 
news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
  Hi Markus,

  I used msktutil to create the keytab.

  msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose

  Output of klist -ekt:

  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (arcfour-hmac)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (arcfour-hmac)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (aes256-cts-hmac-sha1-96)
  Yep, using MIT Kerberos

  Thanks in advance for any help.

  Cheers,
  Pedro

  On 25 Oct 2014, at 1:26, Markus Moeller wrote:

  Hi Pedro,

  How did you create your keytab ? What does klist -ekt  show 
( I assume you use MIT Kerberos) ?

  Markus

  "Pedro Lobo" pal...@gmail.com wrote in message 
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
  Hi Squid Gurus,

  I'm at my wit's end and in dire need of some squid expertise.

  We've got a production environment with a couple of squid 2.7 servers 
using NTLM and basic authentication. Recently though, we decided to upgrade and 
I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed 
just about every guide I could find and in my testing environment, things were 
working great. Now that I've hooked it up to the main domain, things are awry.

  If I use a machine that's not part of the domain, NTLM kicks in and I can 
surf the web fine. If I use a Windows XP or Windo

[squid-users] Delay Class 3 - Squid (Amos Jeffries)

2014-11-30 Thread Jorge Visentini
Hello Amos Jeffries!

I tried to use three parameters, but it did not work.

I did not understand why this is giving error...




2014-10-27 14:40 GMT-02:00 :

>
> Today's Topics:
>
>1. Re: Delay Class 3 - Squid (Amos Jeffries)
>2. Re: Delay Class 3 - Squid (Amos Jeffries)
>3. Re: Filtering keywords on google search (Cassiano Martin)
>4. how to obtain info about actual active downloads?
>   (Frantisek Hanzlik)
>5. Re: how to obtain info about actual active downloads?
>   (Antony Stone)
>6. Re: how to obtain info about actual active downloads?
>   (Leonardo Rodrigues)
>7. Re: Kerberos Authentication Failing for Windows 7+ with BH
>   gss_accept_sec_context() failed (Pedro Lobo)
>
>
> --
>
> Message: 1
> Date: Tue, 28 Oct 2014 01:01:34 +1300
> From: Amos Jeffries 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Delay Class 3 - Squid
> Message-ID: <544e341e.7080...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
> > Hello!
> >
> > Sorry my english.
> >
> > I'm racking my brain to figure out why the error.
> >
> > I've used a long time ago a rule delay pool but this time I am not
> > able to implement ...
> >
> > In my squid.conf looks like this:
> >
> > delay_pools 1
> > delay_class 1 3
> > delay_parameters 1 5/5 24000/24000
>
> http://www.squid-cache.org/Doc/config/delay_parameters/
>
> class 1 pools only have one speed parameter. Not two.
>
>
> Amos
>
>
>
> --
>
> Message: 2
> Date: Tue, 28 Oct 2014 01:06:13 +1300
> From: Amos Jeffries 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Delay Class 3 - Squid
> Message-ID: <544e3535.7050...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 28/10/2014 1:01 a.m., Amos Jeffries wrote:
> > On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
> >> Hello!
> >
> >> Sorry my english.
> >
> >> I'm racking my brain to figure out why the error.
> >
> >> I've used a long time ago a rule delay pool but this time I am
> >> not able to implement ...
> >
> >> In my squid.conf looks like this:
> >
> >> delay_pools 1
> >> delay_class 1 3
> >> delay_parameters 1 5/5 24000/24000
> >
> > http://www.squid-cache.org/Doc/config/delay_parameters/
> >
> > class 1 pools only have one speed parameter. Not two.
> >
>
> Meh, sorry. I mean class 3 has 3 parameters.
>
> Amos
>
>
> --
>
> Message: 3
> Date: Mon, 27 Oct 2014 11:05:33 -0200
> From: Cassiano Martin 
> To: Job 
> Cc: "squid-us...@squid-cache.org" 
> Subject: Re: [squid-users] Filtering keywords on google search
> Message-ID:
> <
> caooxthnmwsp7xck4bpnxoo-wnnsge3e4jkxgfvslffesbk9...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I have some proof of concept on my github. it can be done thought  DNS
> hijacking. I modified a version of tinyproxy to enforce safe search.
> you can check it out on https://github.com/polaco1782/tinyproxy
>
> 2014-10-25 9:49 GMT-02:00 Job :
> > Hello, since Google switch definitely on SSL connection it seems there
> is no way to filter semantic (with danguardian, squidguard or squid).
> >
> > SSL Bump can help in this case, both on explicit or transparent prox

Re: [squid-users] Transparent proxy with Peek and Splice feature.

2014-11-30 Thread Amos Jeffries
On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> Hello Amos.
> 
> Thank you for answer.
> 
> There was made an investigation related to squid's peek and splice 
> issues in transparent mode. One-line explanation is as follows - in
> intercept mode squid can't get a server host name from the request
> header and uses client IP address instead for both fake cert
> generation and as a SNI record in server bump SSL handshaking. This
> is the root of the problem. However this can be fixed if squid uses
> SNI field taken from client TLS Hello message for that purposes.
> Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However it does depend on whether you are bumping the connection at
step 1 (before ClientHello), step 2 (after ClientHello, before
ServerHello), or step 3 (after both ClientHello and ServerHello) of
the TLS handshake whether the SNI details are present.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] WARNING: there are more than 100 regular expressions

2014-11-30 Thread navari.lore...@gmail.com
I saw that the error does not preclude the use of the lines over the 100. I
have no problem with the CPU ( 7 % ) . Only I do not like to see " Warning"





[squid-users] squid-3.5.0.2-20141031-r13657 crashes

2014-11-30 Thread James Harper
I've been getting squid crashes with squid-3.5.0.2-20141031-r13657. Basically I 
think my cache got corrupt - started seeing TCP_SWAPFAIL_MISS and md5 
mismatches.
Config is cache_dir ufs /usr/local/squid/var/cache/squid 102400 16 256

It's possible that at one point I might have started 2 instances of squid 
running at once... could that cause corruption?

And if it happens again, what sort of things should I collect to better 
diagnose the problem? As I see it there are two problems:
1. that the cache got corrupt in the first place
2. that a corrupt cache can crash squid

Unfortunately I did the stupid thing and deleted the cache without taking a 
copy for post-mortem... the best I can do is:

[31072.428922] squid[6317]: segfault at 58 ip 0061a6f9 sp 7fff8b9e2d40 error 4 in squid[40+4e9000]
[31654.707792] squid[6329]: segfault at 58 ip 0061a6f9 sp 7fff54358fe0 error 4 in squid[40+4e9000]
[31783.399832] squid[6465]: segfault at 58 ip 0061a6f9 sp 7fff82af0aa0 error 4 in squid[40+4e9000]
[31984.470507] squid[6509]: segfault at 58 ip 0061a6f9 sp 7fff028a6640 error 4 in squid[40+4e9000]
[32178.270298] squid[6576]: segfault at 58 ip 0061a6f9 sp 7fffe64a07e0 error 4 in squid[40+4e9000]
[32789.635935] squid[6626]: segfault at 58 ip 0061a6f9 sp 76932960 error 4 in squid[40+4e9000]

addr2line -e /usr/local/squid/sbin/squid 0061a6f9
/usr/local/src/squid-3.5.0.2-20141031-r13657/src/store.cc:962

James

