[squid-users] Pass ip to server

2019-02-12 Thread erdosain9
Hi.
I want to know if it is possible that, for some site (sales.mydomain.com), the
proxy server sends the "real IP".

Because I want to see in the logs of sales.mydomain.com the real IP of the
machine that is going there (and not the proxy IP).

I know that I can see this in the Squid log... but I want to know if it
is possible to see this on the other server.

Thanks to all.



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid Reverse HTTPS Let's Encrypt

2018-08-23 Thread erdosain9
Hi.
I have Squid configured as a reverse proxy.
DNS is configured too. The clients can access it from outside without
problems.
It is working well.

But I want to serve web pages with https and I would like to use Let's
Encrypt (or something similar) so clients do not have to accept an invalid
certificate.

I wanted to know if this is possible.

Can somebody give me a hand??

This is my config so far:

---

http_port 192.168.1.21:80 accel defaultsite=soporte.mydomain.ar vhost

cache_peer 192.168.1.246 parent 80 0 no-query no-digest originserver name=soporte
acl soporte_acl dstdomain soporte.mydomain.ar
http_access allow soporte_acl
cache_peer_access soporte allow soporte_acl

cache_peer 192.168.1.223 parent 80 0 no-query no-digest originserver name=phplists
acl phplists_acl dstdomain phplists.mydomain.ar
http_access allow phplists_acl
cache_peer_access phplists allow phplists_acl

cache_peer 192.168.1.107 parent 80 0 no-query no-digest originserver name=owncloud
acl owncloud_acl dstdomain owncloud.mydomain.ar
http_access allow owncloud_acl
cache_peer_access owncloud allow owncloud_acl

cache_peer 192.168.1.167 parent 443 0 no-query no-digest originserver name=micro
acl micro_acl dstdomain microimporta.com.ar
http_access allow micro_acl
cache_peer_access micro allow micro_acl



I read that I have to make Squid listen on 443 like this, with the certificate:

https_port 443 cert=/path/to/cert.pem key=/path/to/private.key (is this
where I put the Let's Encrypt certificate?? Will this work?)

Do the servers have to have Let's Encrypt configured?
Does Squid have to have Let's Encrypt configured?
Do both have to have it configured?

(Is the term "have to have" used well in English? :-)

Greetings and many thanks to all.





Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
Thanks to all!!
Now it is working fine.

Just one question... I made this accessible from the internet...
so I created an ACL 0.0.0.0/0 and it's working.
But... is this a security issue??? Or is it OK to declare that ACL?
Thanks to all.





Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
Antony Stone wrote
>> I create two entries pointing to squid in DNS now.
>> site1.mydomain.lan
>> site2.mydomain.lan
>
> So, both of those resolve to 192.168.1.21, right?

Yes, they resolve to the IP of Squid.

>>> The config example you want to follow is
>>> https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>>
>> I read that... but i dont get what im doing wrong.
>
> You want to follow the section:
>
> Switching on Domains
>
> Using cache_peer_access:
>
> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
> acl sites_server_1 dstdomain www.example.com example.com
> cache_peer_access server_1 allow sites_server_1
>
>> this is the config now.
>>
>> http_port 192.168.1.21:80 accel vhost
>>
>> cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
>> cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2
>
> You are missing "originserver" at the very least.  Otherwise Squid expects to
> find another proxy at the IP address.

Oh, sorry. I tried that config too. Anyway, I don't know about that.
Thanks.

> ...when you requested what as a URL?

site1.mydomain.lan

>> 153392.071  1 192.168.6.20 TCP_MISS/500 4605 GET
>> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
>
> Looks like you entered "site1.mydomain.lan" into your browser.

Yep.

> Try "ticket.mydomain.lan" (after correcting the above config problems)
> instead.

Well, if I put ticket.mydomain.lan I go directly to the server I want to
go to.

That is:

ticket.mydomain.lan > Server  1
php.mydomain.lan --> Server 2

site1.mydomain.lan > squid
site2.mydomain.lan > squid

With my config I expect that when Squid receives site1 it goes to
ticket.mydomain.lan,
and for site2 it goes to php.mydomain.lan.

Thanks to all.







Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9

> php.mydomain.lan 192.168.1.223
> ticket.mydomain.lan 192.168.1.246

>.. and clients never connect to the above directly. So these domains are
>never to be accessed by users/clients.

The client can connect directly from the domain. (I mean they can connect
directly at work, but I want to do this (reverse proxy) for when they are at
home...) I haven't published any of this yet; I'm trying to do it first inside
my network.

>If (as I suspect) the above statements are not true, then your naming is
>the first thing that is wrong.

Why?

>The domain name(s) which your clients access should point to the proxy.
>There can be multiple.

I don't get this.

>Right now your ticket_acl and php_acl are exactly the same. So they are
>telling Squid that both peers are providing identical content (ie both
>are authoritative for anything inside *.mydomain.lan). The first of the
>available peers will be used, unless it starts to overload then the
>second will start receiving the traffic.


>To send traffic to one of the peers and not the other you need some way
>to distinguish between them.

>Normally you would have the ticket.* and php.* domain names both
>pointing at Squid (192.168.1.21) so your ACLs can check for and use the
>domain name to identify which peer is supposed to receive it.

I created two entries pointing to Squid in DNS now.
site1.mydomain.lan
site2.mydomain.lan

>The config example you want to follow is
>https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers.

I read that... but I don't get what I'm doing wrong.


This is the config now.

http_port 192.168.1.21:80 accel vhost


cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2


acl soporte_acl dstdomain ticket.MYDOMAIN.lan
http_access allow soporte_acl
cache_peer_access site1 allow soporte_acl


acl phplists_acl dstdomain php.MYDOMAIN.lan
http_access allow phplists_acl
cache_peer_access site2 allow phplists_acl



But I get this error:

" Unable to forward this request at this time."

153392.071  1 192.168.6.20 TCP_MISS/500 4605 GET
http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
153392.193  0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET
http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png
1533911124.117  0 192.168.6.20 TCP_MISS/500 4605 GET
http://site2.MYDOMAIN.lan/ - HIER_NONE/- text/html
1533911124.217  0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET
http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png

Thanks to all.



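An added example (not part of the original message, and not Squid's own code): a simplified Python model of dstdomain matching and cache_peer_access evaluation, run over the ACL lines and access.log entries posted above, showing why the requests for site1 and site2 find no eligible peer. The function names and the ADJUSTED variant are assumptions made for illustration; http_access and the missing originserver option are not modelled.

```python
from urllib.parse import urlsplit

# ACL and peer-access lines as posted in the message above.
POSTED = """\
acl soporte_acl dstdomain ticket.MYDOMAIN.lan
cache_peer_access site1 allow soporte_acl
acl phplists_acl dstdomain php.MYDOMAIN.lan
cache_peer_access site2 allow phplists_acl
"""

# Assumed variant for comparison: the ACLs name the hosts that resolve to Squid.
ADJUSTED = """\
acl soporte_acl dstdomain site1.MYDOMAIN.lan
cache_peer_access site1 allow soporte_acl
acl phplists_acl dstdomain site2.MYDOMAIN.lan
cache_peer_access site2 allow phplists_acl
"""

# access.log entries (native format) from the message, mail wrapping undone.
ACCESS_LOG = """\
153392.071 1 192.168.6.20 TCP_MISS/500 4605 GET http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
153392.193 0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1533911124.117 0 192.168.6.20 TCP_MISS/500 4605 GET http://site2.MYDOMAIN.lan/ - HIER_NONE/- text/html
"""


def parse_config(text):
    """Return (acls, rules): ACL name -> domains, peer -> [(allow?, [ACL names])]."""
    acls, rules = {}, {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "dstdomain":
            acls.setdefault(words[1], []).extend(w.lower() for w in words[3:])
        elif len(words) >= 4 and words[0] == "cache_peer_access":
            rules.setdefault(words[1], []).append((words[2] == "allow", words[3:]))
    return acls, rules


def dstdomain_match(host, pattern):
    """Case-insensitive; a leading dot also matches subdomains, otherwise exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, host, acls):
    """Evaluate one ACL reference, honouring the !name negation syntax."""
    negate = name.startswith("!")
    hit = any(dstdomain_match(host, p) for p in acls.get(name.lstrip("!"), []))
    return hit != negate


def eligible_peers(host, config):
    """Peers whose cache_peer_access list allows a request for this host."""
    acls, rules = parse_config(config)
    chosen = []
    for peer, peer_rules in rules.items():
        # If no line matches, the default is the opposite of the last line.
        verdict = not peer_rules[-1][0]
        for allow, names in peer_rules:
            if all(acl_matches(n, host, acls) for n in names):
                verdict = allow
                break
        if verdict:
            chosen.append(peer)
    return chosen


def parse_access_log(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    code, status = f[3].split("/")
    hierarchy, peer = f[8].split("/", 1)
    # CONNECT entries log host:port instead of a URL, so fall back to that.
    host = urlsplit(f[6]).hostname or f[6].rsplit(":", 1)[0].lower()
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "host": host, "hierarchy": hierarchy, "peer": peer}


def unroutable_requests(log, config):
    """Hosts answered with a 5xx and HIER_NONE that match no peer's ACL."""
    hosts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        entry = parse_access_log(line)
        if (entry["status"] >= 500 and entry["hierarchy"] == "HIER_NONE"
                and not eligible_peers(entry["host"], config)
                and entry["host"] not in hosts):
            hosts.append(entry["host"])
    return hosts


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("adjusted", ADJUSTED)):
        print(label, "config, hosts with no eligible peer:",
              unroutable_requests(ACCESS_LOG, cfg))
    print("ticket.mydomain.lan ->", eligible_peers("ticket.mydomain.lan", POSTED))
```
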


Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
Ok, thanks. I changed that.

Now, if I go to reverse.mydomain.lan I get this error:

"Unable to forward this request at this time."

1533909140.268  0 192.168.6.20 TCP_IMS_HIT/304 355 GET
http://reverse.mydomain.lan/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png

But what would be the URL that I have to write to go to each site??
(sorry for my ignorance)

Thanks again








Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread erdosain9
Hi, thanks
I tried Explorer 8.0 and Chrome 68.0...






[squid-users] Wpad problem (DNS)

2018-07-26 Thread erdosain9
Hi to all.
I'm trying to configure the proxy through DNS. I'm working on Windows Server 2012 R2.
I followed a lot of tutorials... and can't do it.
The best I have is this (and it is strange).
When the PC starts I see the IP of that PC in the Squid log.

 tail -f /var/log/squid/access.log | grep 192.168.6.22
1532616150.629 77 192.168.6.22 TCP_REFRESH_UNMODIFIED/200 316 GET
http://www.msftncsi.com/ncsi.txt - HIER_DIRECT/200.81.17.41 text/plain

But if I go through a web browser, nothing appears in access.log... it is like
the things that the system looks up (it is Windows 7) go through the proxy, but
not the things that I look up in the web browser (it's configured to "detect
automatically").

I did this on the Windows server.
Created a web site with IIS, and put the wpad.dat file there (created the MIME type).
In the DNS, created a new zone wpad, and added a new TXT record with this
"service: wpad:!http://wpad..xxx:80/wpad.dat;
and a CNAME in my domain with an A record name wpad, and fqdn: the hostname
of the server.

I also unblocked wpad in the DNS.

And as I say, the system of the machine uses the proxy, but not the web
browser... so... some help???

Thanks to all!





Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-27 Thread erdosain9
Thank you Amos (sorry again Yuri).

And yes, the users are complaining.

The problem is this (and sorry for being repetitive about this).

That avg ms value sometimes goes up to 3000... and at that moment everything
stops.

In cache.log I sometimes get this:

support_sasl.cc(276): pid=3729 :2018/02/27 14:44:35| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=3729 :2018/02/27 14:44:35| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server
2018/02/27 14:44:49 kid1| Error negotiating SSL on FD 45:
error::lib(0):func(0):reason(0) (5/-1/104)
support_sasl.cc(276): pid=3719 :2018/02/27 14:46:56| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=3719 :2018/02/27 14:46:56| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server
support_sasl.cc(276): pid=3719 :2018/02/27 14:47:18| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=3719 :2018/02/27 14:47:18| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server
support_sasl.cc(276): pid=3729 :2018/02/27 14:47:28| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=3729 :2018/02/27 14:47:28| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server
support_sasl.cc(276): pid=3719 :2018/02/27 14:47:36| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=3719 :2018/02/27 14:47:36| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server


Is it impossible that this problem comes from the Squid side? I'm thinking
that it is a problem in the AD (Windows Server 2012).

With more logging (-d) I got a lot of this... (just a little). This is working
negotiate_kerberos_pac.cc(376): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Got PAC data of lengh 584
negotiate_kerberos_pac.cc(180): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Found 4 rids
negotiate_kerberos_pac.cc(188): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: Info: Got rid: 1168
negotiate_kerberos_pac.cc(188): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: Info: Got rid: 512
negotiate_kerberos_pac.cc(188): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(188): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: Info: Got rid: 1132
negotiate_kerberos_pac.cc(256): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Got DomainLogonId
S-1-5-21-3939648023-1419124151
-3306617744
negotiate_kerberos_pac.cc(278): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(327): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
negotiate_kerberos_pac.cc(456): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: INFO: Read 540 of 584 bytes 
negotiate_kerberos_auth.cc(778): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: DEBUG: Groups
group=AQUAAAUVF0LS6rcdllSQ+xbFk
AQAAA== group=AQUAAAUVF0LS6rcdllSQ+xbFAAIAAA==
group=AQUAAAUVF0LS6rcdllSQ+xbFAQIAAA==
group=AQUAAAUVF0LS6rcdllSQ+xbFbA
QAAA== group=AQEAABIB
negotiate_kerberos_auth.cc(783): pid=3973 :2018/02/27 12:08:33|
negotiate_kerberos_auth: DEBUG: AF
u...@mydomain.lan
negotiate_kerberos_auth.cc(610): pid=3973 :2018/02/27 12:08:37|
negotiate_kerberos_auth: DEBUG: Got 'YR

[squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread erdosain9
Hi to all.
I don't know why I have these bad values. My network is working fine. What can I
do to fix this? I think it is a high value.

HTTP/1.1 200 OK
Server: squid/3.5.27
Mime-Version: 1.0
Date: Fri, 23 Feb 2018 17:16:25 GMT
Content-Type: text/plain;charset=utf-8
Expires: Fri, 23 Feb 2018 17:16:25 GMT
Last-Modified: Fri, 23 Feb 2018 17:16:25 GMT
X-Cache: MISS from proxy.mydomain.lan
X-Cache-Lookup: MISS from proxy.mydomain.lan:3128
Via: 1.1 proxy.mydomain.lan (squid/3.5.27)
Connection: close

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 50 of 50 (0 shutting down)
requests sent: 4106
replies received: 4105
queue length: 0
avg service time: 82 msec

   ID #    FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
     21    18  57259        1183       1182  B R    0.293       0  (none)
     22    22  57260         652        652         0.164       0  (none)
     23    42  57261         440        440         0.163       0  (none)
     24    46  57262         307        307         0.962       0  (none)
     25    48  57263         223        223         0.642       0  (none)
     26    50  57264         180        180         0.642       0  (none)
     27    55  57265         138        138         1.048       0  (none)
     28    59  57266         115        115         1.158       0  (none)
     29    65  57267          90         90         1.193       0  (none)
     30    56  57268          77         77         1.193       0  (none)
     31    74  57269          69         69         1.193       0  (none)
     32    76  57270          64         64         1.039       0  (none)
     33    78  57271          56         56         1.015       0  (none)
     34    80  57272          54         54         0.993       0  (none)
     35    82  57273          46         46         0.956       0  (none)
     36    84  57274          39         39         0.763       0  (none)
     37    79  57275          37         37         0.763       0  (none)
     38    83  57276          31         31         0.690       0  (none)
     39    94  57277          28         28         0.635       0  (none)
     40    96  57278          26         26         0.624       0  (none)
     41    98  57279          25         25         0.577       0  (none)
     42   100  57280          23         23         0.504       0  (none)
     43   102  57281          20         20         1.262       0  (none)
     44    99  57282          20         20         1.259       0  (none)
     45   122  57283          17         17         1.252       0  (none)
     46   124  57284          16         16         0.836       0  (none)
     47   126  57285          14         14         0.796       0  (none)
     48   128  57286          14         14         0.543       0  (none)
     49   119  57287          13         13         0.520       0  (none)
     50   125  57288          11         11         0.942       0  (none)
     52   222  57292           8          8         0.900       0  (none)
     53   224  57293           7          7         0.921       0  (none)
     54   227  57294           6          6         0.740       0  (none)
     55   230  57295           5          5         1.912       0  (none)
     56   231  57296           4          4         1.979       0  (none)
     57   233  57297           5          5         1.857       0  (none)
     58   236  57298           5          5         1.665       0  (none)
     59   237  57299           5          5         1.652       0  (none)
     60   239  57300           4          4         1.659       0  (none)
     61   241  57301           5          5         1.614       0  (none)
     62   243  57304           5          5         1.499       0  (none)
     63   245  57305           5          5         1.308       0  (none)
     71   450  57317           3          3         0.855       0  (none)
     72   452  57318           2          2         0.515       0  (none)
     73   453  57319           1          1         3.052       0  (none)
     74   455  57320           2          2         0.703       0  (none)
     75   457  57321           2          2         0.572       0  (none)
     76   458  57322           1          1

[squid-users] Block some web to a group of ip and allow the rest.

2018-02-23 Thread erdosain9
Hi to all.
I'm trying to block some websites for a group of IPs.

[root@squid ips]# cat i-restringidos.lst 
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128

This same IP group has access to the whole internet.
[root@squid ips]# cat prensa_isla.lst 
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128

This is what i want to block
[root@squid listas]# cat restringidos.lst 
.whatsapp.com
.facebook.com
.instagram.com
.twitter.com


(So I have these 2 ACLs with the same IPs, one to deny, the other to allow.)

So this is my config... and it's not working. Some help?? Thanks!

acl i-restringidos src "/etc/squid/ips/i-restringidos.lst"
acl logistica src "/etc/squid/ips/logistica.lst"
acl adminis  src "/etc/squid/ips/adminis.lst"
acl institucionales src "/etc/squid/ips/institucionales.lst"
acl patriysumi  src "/etc/squid/ips/patriysumi.lst"
acl rrhh src "/etc/squid/ips/rrhh.lst"
acl proyecto src "/etc/squid/ips/proyecto.lst"
acl programas_y_activ src "/etc/squid/ips/programas_y_activ.lst"
acl auditoria   src "/etc/squid/ips/auditoria.lst"
acl legales src "/etc/squid/ips/legales.lst"
acl proteccion  src "/etc/squid/ips/proteccion.lst"
acl oe  src "/etc/squid/ips/oe.lst"
acl prensa-isla src "/etc/squid/ips/prensa_isla.lst"

#acl red6 src "/etc/squid/ips/red6.lst"
acl red6 src 192.168.6.0/24  # for network 6
acl red2 src 192.168.2.0/24 # network 2

# Blocks advertising ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads
#deny_info TCP_RESET ads

# Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

## Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

## Test page block
acl blockprueba dstdomain "/etc/squid/listas/blockprueba.lst"

## Blocked extensions
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"

## Dangerous extensions
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"

## Social networks
acl restringidos dstdomain “/etc/squid/listas/restringidos.lst”


# Ports
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
#acl SSL_ports port 30666
#acl SSL_ports port 31666
acl SSL_ports port 1
acl SSL_ports port 10040 # webmin web site
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others

acl CONNECT method CONNECT



http_access allow localhost manager


http_access deny manager
http_access deny to_localhost

http_access deny i-restringidos restringidos
http_access allow prensa-isla
http_access allow red6
http_access allow red2
http_access allow logistica !dominios_denegados !multimedia !peligrosos
http_access allow adminis !dominios_denegados
http_access allow institucionales !dominios_denegados !peligrosos !multimedia
http_access allow patriysumi !multimedia !peligrosos !dominios_denegados
http_access allow proyecto !dominios_denegados !peligrosos !multimedia
http_access allow rrhh !dominios_denegados !peligrosos !multimedia
http_access allow programas_y_activ !dominios_denegados !peligrosos !multimedia
http_access allow auditoria !dominios_denegados !peligrosos !multimedia
http_access allow legales !dominios_denegados !peligrosos !multimedia
http_access allow proteccion !dominios_denegados !peligrosos !multimedia
http_access allow oe !dominios_denegados !peligrosos !multimedia
http_access deny all

http_port 127.0.0.1:3128
http_port 192.168.1.97:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem


acl step1 at_step SslBump1

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all

cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB


cache_swap_low 75
cache_swap_high 85

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


# My refresh pattern
# forces caching of .jpg images

refresh_pattern -i \.jpg$ 30 0% 30 

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Sorry, Yuri, yes it is working.
I can connect via LDAP and also turned on debug to investigate, and there is no
error now...
but from time to time this error happens... so... it is strange.

On the other hand, I'm getting these values with just one machine using
Squid:

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 50 (0 shutting down)
requests sent: 66
replies received: 66
queue length: 0
avg service time: 208 msec

   ID #    FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
     21    44   2193          24         24         0.022       0  (none)
     22    61   2194           5          5         0.322       0  (none)
     23    64   2195           5          5         0.387       0  (none)
     24    70   2196           3          3         0.397       0  (none)
     25   150   2201           2          2         0.323       0  (none)
     26   151   2202           1          1         0.158       0  (none)
     27   153   2203           1          1         0.192       0  (none)
     28   155   2204           1          1         0.152       0  (none)
     29   157   2205           1          1         0.380       0  (none)
     30   159   2206           1          1         0.394       0  (none)
     31   161   2207           1          1         0.465       0  (none)
     32   163   2208           1          1         0.439       0  (none)
     33   165   2209           1          1         0.437       0  (none)
     34   167   2210           1          1         0.591       0  (none)
     35   169   2211           1          1         0.226       0  (none)
     36   171   2212           1          1         0.564       0  (none)
     37   173   2213           1          1         0.221       0  (none)
     38   175   2214           1          1         0.115       0  (none)
     39   177   2215           1          1         0.161       0  (none)
     40   179   2216           1          1         0.335       0  (none)
     41   181   2217           1          1         0.382       0  (none)
     42   154   2218           1          1         0.547       0  (none)
     43   158   2219           1          1         0.605       0  (none)
     44   162   2220           1          1         0.493       0  (none)
     45   166   2221           1          1         0.465       0  (none)
     46   170                  1          1         0.586       0  (none)
     47   174   2223           1          1         0.270       0  (none)
     48   178   2224           1          1         0.249       0  (none)
     49   182   2225           1          1         0.504       0  (none)
     50   184   2226           1          1         0.479       0  (none)
     51   186   2227           1          1         0.284       0  (none)
     52   188   2228           1          1         0.560       0  (none)

A little high, don't you think?? avg service time: 208 msec
On the working Squid the values sometimes go up to 2500 msec (with 70
users).

Thanks






Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Hi.
The port is open.

Is there a way to get a little more logging??
Thanks





[squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Hi. I'm having this problem. I'm running Squid in a CentOS 7 container (LXC on
Proxmox).

This is cache.log

support_sasl.cc(276): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server


Can somebody give me a hand???

I don't know what could be wrong. This is the config:

 cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
;default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
MYDOMAIN.LAN = {
kdc = adw-1.mydomain.lan
kdc = w-data2.mydomain.lan
admin_server = adw-1.mydomain.lan
default_domain = mydomain.lan
}

[domain_realm]
.mydomain.lan = MYDOMAIN.LAN
mydomain.lan = MYDOMAIN.LAN  


SQUID.CONF
###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.mydomain@mydomain.lan
auth_param negotiate children 50 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param negotiate keep_alive on

external_acl_type i-restringidos %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-restringi...@mydomain.lan
external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@mydomain.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@mydomain.lan



/ETC/HOSTS

[root@proxy ~]# cat /etc/hosts
127.0.0.1   localhost LXC_NAME
::1 localhost.localnet localhost
# --- END PVE ---
#
192.168.1.222 adw-1.mydomain.lan
192.168.1.107 w-data2.mydomain.lan
# --- BEGIN PVE ---
192.168.6.215 proxy.mydomain.lan proxy
# --- END PVE ---


/ETC/RESOLV.CONF
[root@proxy ~]# cat /etc/resolv.conf 
# --- BEGIN PVE ---
search mydomain.lan
nameserver 192.168.1.107
nameserver 192.168.1.222
# --- END PVE ---
domain mydomain.lan


Thanks





[squid-users] All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

2018-02-16 Thread erdosain9
Hi.
I'm getting this warning in cache.log


2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy.
2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued
2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of
ssl_crtd processes in your config file.

2018/02/14 16:07:06 kid1| WARNING: All 35/35 negotiateauthenticator
processes are busy.
2018/02/14 16:07:06 kid1| WARNING: 35 pending requests queued
2018/02/14 16:07:06 kid1| WARNING: Consider increasing the number of
negotiateauthenticator processes in your config file.

I know how to increase the negotiate authenticator... but how can I
increase the ssl_crtd processes???

Thanks to all.

This is my config

acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"


###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.mydomain@mydomain.lan
auth_param negotiate children 35 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param negotiate keep_alive on


external_acl_type i-restringidos %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-restringi...@mydomain.lan
external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@mydomain.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@mydomain.lan

acl i-restringidos external i-restringidos
acl i-full external i-full
acl i-limitado external i-limitado

acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads

acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

acl restringidos dstdomain "/etc/squid/listas/restringidos.lst"
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

acl SSL_ports port 443
acl SSL_ports port 4443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 25  #
acl Safe_ports port 587 #
acl Safe_ports port 143 #
acl Safe_ports port 993 #
acl Safe_ports port 995 #
acl Safe_ports port 465 #
acl Safe_ports port 443 # https
acl Safe_ports port 4443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
acl Safe_ports port 2199 # radio
acl CONNECT method CONNECT


# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

http_access allow sin_autenticacion
http_access deny i-restringidos restringidos
http_access allow i-limitado !dominios_denegados
http_access allow i-full !dominios_denegados
http_access allow localhost

http_access deny all

http_port 127.0.0.1:3128
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all


cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 500 MB

cache_swap_low 70
cache_swap_high 85

coredump_dir /var/spool/squid


refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire override-lastmod ignore-reload ignore-no-cache ignore-no-store reload-into-ims ignore-must-revalidate

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

delay_pools 5

# YouTube bandwidth
delay_class 1 2
delay_parameters 1 100/100 2/15
delay_access 1 allow 

Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Thanks for your time! Now it is working fine.

A little and stupid question: where can I find the start script of
Squid??? This is a CentOS 7.

I want to put this:

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

[root@squid etc]# cat /usr/lib/systemd/system/squid.service
## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##

[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target

[Service]
Type=forking
LimitNOFILE=16384
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/bin/mkdir -p /var/run/squid
ExecStartPre=/usr/bin/chown squid.squid /var/run/squid
ExecStart=/usr/sbin/squid -sYC
ExecReload=/usr/sbin/squid -kreconf
ExecStop=/usr/sbin/squidshut.sh
TimeoutStopSec=36
KillMode=none

[Install]
WantedBy=multi-user.target


Thanks!!!



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Ok. 
Thanks

Now the ticket is fine, and it is working (people are going through to the internet
and I see their user names in access.log) but... I'm having this error in
the log.

2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information. Cannot
decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key for
HTTP/squid.domain.lan-DOMAIN.LAN; }}
2018/02/05 12:57:55 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information. Cannot
decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key for
HTTP/squid.domain.lan-DOMAIN.LAN; }}
(END)

I changed @ for -

Thanks.





[squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Hi to all.

Squid was working fine, but I made a mistake and... deleted the
proxy.keytab. I tried to do it again, but made a mistake in the syntax.

Wrong syntax (the real name is not squidproxy.domain.lan, it is
squid.domain.lan):

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.lan \
  -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K \
  --upn HTTP/squidproxy.domain.lan --server adw-1.domain.lan --verbose --enctypes 28

Now I put the syntax right, but the keytab is wrong... why??

Correct syntax:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squid.domain.lan -h squid.domain.lan \
  -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K \
  --upn HTTP/squid.domain.lan --server adw-1.domain.lan --verbose --enctypes 28


[root@squid squid]# ktutil 
ktutil:  read_kt PROXY.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   18 squidproxy-k$@DOMAIN.LAN
   2   18 squidproxy-k$@DOMAIN.LAN
   3   18 squidproxy-k$@DOMAIN.LAN
   4   18 HTTP/squidproxy.domain@domain.lan
   5   18 HTTP/squidproxy.domain@domain.lan
   6   18 HTTP/squidproxy.domain@domain.lan
   7   18 host/squid.domain@domain.lan
   8   18 host/squid.domain@domain.lan
   9   18 host/squid.domain@domain.lan
  10   18 HTTP/squid.domain@domain.lan
  11   18 HTTP/squid.domain@domain.lan
  12   18 HTTP/squid.domain@domain.lan


Why squidproxy.DOMAIN.LAN? What can I do to solve this???

Thanks to all!!





[squid-users] reference_age 1 week

2017-12-13 Thread erdosain9
Hi.
I want to put in this command:
reference_age 1 week

I see that in a lot of tutorials, but... Squid gives me an error and stops the
service.
It doesn't recognize the command... does that command not exist anymore??

Thanks

PS: is there another way to tell Squid how to manage the time for the cache
objects??





[squid-users] WARNING: HTTP requires the use of Via

2017-12-13 Thread erdosain9
I'm having this warning in the log.
I don't find anything related to this in Google, so.

What could it be??
This is my config:


# IP groups
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"


###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.mydomain@mydomain.lan
auth_param negotiate children 35 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param negotiate keep_alive on




external_acl_type i-restringidos %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-restringi...@mydomain.lan
external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@mydomain.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@mydomain.lan


# Groups
acl i-restringidos external i-restringidos
acl i-full external i-full
acl i-limitado external i-limitado


# Block advertising ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads


# Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

## Denied domains
acl restringidos dstdomain "/etc/squid/listas/restringidos.lst"
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"


# Ports
acl SSL_ports port 443
acl SSL_ports port 4443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 4443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443  # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080  # edesur and others
acl Safe_ports port 2199  # radio
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow sin_autenticacion
http_access deny i-restringidos restringidos
http_access allow i-limitado !dominios_denegados 
http_access allow i-full !dominios_denegados 
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1 

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 

#tcp_outgoing_address  

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 500 MB
#maximum_object_size_in_memory 1 MB

cache_swap_low 70
cache_swap_high 85

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

### Enable in case of "Connection reset by peer" on many hosts
via off
forwarded_for delete


###

# Pools for bandwidth
delay_pools 5

# YouTube bandwidth
delay_class 1 2
delay_parameters 1 100/100 1/10
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

# Facebook bandwidth
delay_class 2 2
delay_parameters 2 100/100 5/256000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

# YOUTUBE bandwidth

[squid-users] Some things in the log

2017-12-13 Thread erdosain9
Hi to all.
I'm having some things in the log.
Like this:

-Vary object loop
-Could not parse headers from on disk object
-varyEvaluateMatch: Oops

ipcacheParse No Address records in response to (I suppose this is not a
problem)

And a lot more as you can see.

2017/12/12 16:09:50 kid1| ipcacheParse No Address records in response to
'notifications-4.mercadolibre.com'
2017/12/12 16:09:50 kid1| ipcacheParse No Address records in response to
'notifications-4.mercadolibre.com'
2017/12/12 16:09:54 kid1| Error negotiating SSL on FD 701:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:11:00 kid1| Error negotiating SSL on FD 246:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:11:10 kid1| Error negotiating SSL on FD 246:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:11:35 kid1| Error negotiating SSL on FD 404:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:11:45 kid1| Error negotiating SSL on FD 369:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:11:49 kid1| Error negotiating SSL on FD 194:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:12:33 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:12:33 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:12:42 kid1| Could not parse headers from on disk object
*2017/12/12 16:12:42 kid1| varyEvaluateMatch: Oops. Not a Vary object on
second attempt,
'https://www.airbnb.es/?eluid=5=136f93f9-c827-7b74-55a7-af773e8b4a16'
'accept-encoding="gzip,%20deflate,%20br"'
2017/12/12 16:12:42 kid1| clientProcessHit: Vary object loop!*
2017/12/12 16:15:24 kid1| Error negotiating SSL on FD 232:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/12/12 16:18:21 kid1| Error negotiating SSL on FD 603:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/12/12 16:19:45 kid1| urlParse: URL too large (9283 bytes)
2017/12/12 16:20:23 kid1| urlParse: URL too large (9328 bytes)
2017/12/12 16:20:24 kid1| urlParse: URL too large (9286 bytes)
2017/12/12 16:26:04 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:26:04 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:28:13 kid1| Logfile: opening log
stdio:/var/log/squid/netdb.state
2017/12/12 16:28:13 kid1| Logfile: closing log
stdio:/var/log/squid/netdb.state
2017/12/12 16:28:13 kid1| NETDB state saved; 0 entries, 3 msec
2017/12/12 16:32:08 kid1| Error negotiating SSL on FD 247:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/12/12 16:34:52 kid1| urlParse: URL too large (8304 bytes)
2017/12/12 16:37:47 kid1| Error negotiating SSL on FD 559:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/12/12 16:37:47 kid1| Error negotiating SSL on FD 558:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
*2017/12/12 16:41:46 kid1| ipcacheParse No Address records in response to
'notifications-14.mercadolibre.com'
2017/12/12 16:41:46 kid1| ipcacheParse No Address records in response to
'notifications-14.mercadolibre.com'
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'*
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:43:00 kid1| ipcacheParse No Address records in response to
'notifications-6.mercadolibre.com'
2017/12/12 16:43:07 kid1| ipcacheParse No Address records in response to
'notifications-5.mercadolibre.com'
2017/12/12 16:43:07 kid1| ipcacheParse No Address records in response to
'notifications-5.mercadolibre.com'
2017/12/12 16:43:45 kid1| ipcacheParse No Address records in response to
'notifications-11.mercadolibre.com'
2017/12/12 16:43:45 kid1| ipcacheParse No Address records in response to
'notifications-11.mercadolibre.com'
2017/12/12 16:43:58 kid1| ipcacheParse No Address records in response to
'notifications-14.mercadolibre.com'
2017/12/12 16:43:58 kid1| ipcacheParse No Address records in response to
'notifications-14.mercadolibre.com'
2017/12/12 16:45:58 kid1| ipcacheParse No Address records in response to
'notifications-11.mercadolibre.com'
2017/12/12 16:45:58 kid1| ipcacheParse No Address records in response to
'notifications-11.mercadolibre.com'
2017/12/12 

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-12 Thread erdosain9
Thanks.
I updated to 3.5.27 and now I don't have this problem.
But I have this doubt... so, was this a problem with my certificate or a bug
in Squid???

Thanks





Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-07 Thread erdosain9
Ok, thanks for your time.

This "fixes" the problem...

reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1

When I wrote that command, the problem was gone.

But I want to know about that fix that you are telling me about.
I'm using this version: Squid Cache: Version 3.5.20

How do I know if this is patched (probably not)... and, more important, how
can I apply that patch (sorry, I have never done that).
I'm working on CentOS 7.

Thanks for your time.





Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-07 Thread erdosain9
Yes, Chrome tells me this when I look at the certificate:

"The certificate for this site does not contain a Subject Alternative Name
extension containing a domain name or IP address."

So, my certificate does not have a Subject Alternative Name.
But, this is not a problem with Firefox.

Do I have to change my certificate??
Is there a way to tell Chrome "don't look for this"???
Thanks







Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
When I put this in Chrome
https://.sdfasdfasdfasdfasd.com

it produces the same error...
but this just happened with "https" and with Chrome... not with
Firefox.

With Firefox I get the error web page from Squid:

Unable to determine IP address from host name
"www.sdfasdfasdfasdfasf.com"

But... I don't get why this problem happens if web.whatsapp.com, facebook.com, etc.
exist... on the other hand, why does this happen when Squid is trying to show the
informative page (access denied)? Because, like I said, bumping is working
well.

Thanks all.







Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
Hi, and thanks.

But I don't get how this is possible if the bumping is working well. I
mean, all https is working with my certificate, except for those that I
block (from Chrome). But the bumping is working well in Chrome and Firefox.

This is the log from Chrome with port 

1512501177.181     33 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.182     35 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.186     40 192.168.1.121 TCP_MISS/200 815 POST https://www.google.com.ar/url? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.252     59 192.168.1.121 TCP_DENIED/200 0 CONNECT web.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501177.338     80 192.168.1.121 TCP_MISS/204 193 GET http://www.gstatic.com/generate_204 u...@mydomain.lan HIER_DIRECT/www.gstatic.com - 80


This is the log from Firefox with port 

1512501278.321     41 192.168.1.121 TCP_MISS/200 813 GET https://www.google.com.ar/url? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501278.684    185 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501278.875      3 192.168.1.121 TAG_NONE/403 6567 GET https://www.whatsapp.com/? u...@mydomain.lan HIER_NONE/- text/html 443
1512501278.916     35 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501279.160    877 192.168.1.121 TAG_NONE/200 0 CONNECT www.google.com.ar:443 u...@mydomain.lan HIER_DIRECT/www.google.com.ar - 443
1512501279.278     52 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501279.529    608 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501279.746      2 192.168.1.121 TAG_NONE/403 6569 GET http://squid.mydomain.lan:3128/squid-internal-static/icons/SN.png u...@mydomain.lan HIER_NONE/- text/html 3128
1512501279.832     75 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501279.838      0 192.168.1.121 TAG_NONE/403 6571 GET https://www.whatsapp.com/favicon.ico u...@mydomain.lan HIER_NONE/- text/html 443

"How do you compare the two certificates? "

I look at the certificate and at its details (both Firefox and Chrome).

It is the same CN: squid.mydomain.lan

And, again, this error just happens from Chrome when it is time to show a
"web from Squid" (no route to host, error, access denied, etc.)

For example, if I look at the certificate from Facebook (through Squid https
bumping) I see my certificate... so why, when I block the web, does Chrome give
that problem?

Thanks again
(sorry, I don't speak English very well)





Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
"Does that error match the generated certificate sent by Squid to a
blocked Chrome user? In other words, does that certificate have an
invalid common name (CN) field? "

No, it is the same certificate.

"I suggest comparing the following two certificates:
  * the certificate sent by Squid to a blocked FireFox user
  * the certificate sent by Squid to a blocked Chrome user "

It is the same certificate.

"I also suggest comparing the following access.log entries:

  * the line(s) corresponding to the blocked FireFox user request
  * the line(s) corresponding to the blocked Chrome user request "

Line corresponding to blocked Chrome

1512493257.523    175 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 u...@domain.lan HIER_NONE/- -
1512493257.716    169 192.168.1.121 TCP_MISS/204 193 GET http://www.gstatic.com/generate_204 u...@domain.lan HIER_DIRECT/172.217.30.163 -


Line corresponding to blocked Firefox

1512493386.314     43 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 u...@domain.lan HIER_NONE/- -
1512493386.317      0 192.168.1.121 TAG_NONE/403 6569 GET https://es-la.facebook.com/ u...@domain.lan HIER_NONE/- text/html
1512493386.370    173 192.168.1.121 TAG_NONE/200 0 CONNECT www.google.com.ar:443 u...@domain.lan HIER_DIRECT/216.58.222.163 -
1512493386.397     45 192.168.1.121 TCP_DENIED/200 0 CONNECT es-la.facebook.com:443 u...@domain.lan HIER_NONE/- -
1512493386.400      0 192.168.1.121 TAG_NONE/403 6561 GET http://squid.DOMAIN.lan:3128/squid-internal-static/icons/SN.png u...@domain.lan HIER_NONE/- text/html


It is strange that from Firefox the "answer" is instantaneous, from Chrome not.

Thanks to all.




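One way to check mechanically for the difference visible in the two access.log excerpts above, where the Firefox client follows a denied CONNECT with an https request answered by a 403 and the Chrome client does not. This is an added example, not part of the original post: the log lines are constructed samples in the same field order, and `parse_line`, `request_host` and `classify_denied_connects` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed sample (not taken from the thread), in the field order of the
# excerpts: time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1512493257.523    175 192.0.2.21 TCP_DENIED/200 0 CONNECT blocked.example.com:443 alice@EXAMPLE.LAN HIER_NONE/- -
1512493257.716    169 192.0.2.21 TCP_MISS/204 193 GET http://www.example.net/generate_204 alice@EXAMPLE.LAN HIER_DIRECT/198.51.100.7 -
1512493386.314     43 192.0.2.22 TCP_DENIED/200 0 CONNECT blocked.example.com:443 bob@EXAMPLE.LAN HIER_NONE/- -
1512493386.317      0 192.0.2.22 TAG_NONE/403 6569 GET https://blocked.example.com/ bob@EXAMPLE.LAN HIER_NONE/- text/html
1512493386.397     45 192.0.2.22 TCP_DENIED/200 0 CONNECT blocked.example.com:443 bob@EXAMPLE.LAN HIER_NONE/- -
1512493386.400      0 192.0.2.22 TAG_NONE/403 6571 GET https://blocked.example.com/favicon.ico bob@EXAMPLE.LAN HIER_NONE/- text/html
this line is truncated
"""


def parse_line(line):
    """Parse one access.log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10:          # extra trailing fields (e.g. a port) are tolerated
        return None
    try:
        ts = float(parts[0])
        result, status = parts[3].split("/", 1)
        status = int(status)
    except ValueError:
        return None
    return {"ts": ts, "client": parts[2], "result": result, "status": status,
            "method": parts[5], "url": parts[6], "user": parts[7]}


def request_host(entry):
    """Host a request is addressed to, for CONNECT targets and full URLs."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["url"]).hostname or "").lower()


def classify_denied_connects(lines, window=5.0):
    """For every denied CONNECT, report whether the same client then sent an
    https request to the same host that was answered with 403.

    A follow-up 403 means the request inside the tunnel reached the proxy and
    the error page was returned. No follow-up means the client sent nothing
    inside the tunnel, which is what the Chrome excerpt looks like.
    Entries are assumed to be in chronological order, as in access.log.
    """
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, entry in enumerate(entries):
        if entry["method"] != "CONNECT" or entry["result"] != "TCP_DENIED":
            continue
        host = request_host(entry)
        delivered = False
        for later in entries[i + 1:]:
            if later["ts"] - entry["ts"] > window:
                break
            if (later["client"] == entry["client"]
                    and later["method"] != "CONNECT"
                    and later["status"] == 403
                    and later["url"].lower().startswith("https://")
                    and request_host(later) == host):
                delivered = True
                break
        findings.append({"client": entry["client"], "user": entry["user"],
                         "host": host, "error_page_delivered": delivered})
    return findings


if __name__ == "__main__":
    for finding in classify_denied_connects(SAMPLE_LOG.splitlines()):
        state = "delivered" if finding["error_page_delivered"] else "NOT delivered"
        print(f'{finding["client"]} {finding["user"]} {finding["host"]}: error page {state}')
```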


Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
Thanks Amos.

Let's be clear ... this configuration was working exactly as I wanted it to.
The users in each of those groups (i-full, sin_autenticacion, i-limitados)
navigated without problems. So that they did not navigate, I simply took
them out of one of those groups, period. Everything works as I want except
this related to the group "i-restricted" which is composed of some users of
"i-full".

That's because I need to "deny"? that group from navigating to the acl of
web.whatsapp, etc.??

Let's be clear... because I'm not :-)

Do you understand what is going wrong there? 

Nope.

Sorry, I don't get it.





Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
But, that's exactly the problem.

That's what I do.
I do have this large group,
i-full,
and a small group with a few users from i-full; the small group is called
i-restringidos.

And I put i-restringidos at the top... (as you can see in my config file)

But it is not working. They can go through to the web I try to block.
If I delete the user from i-full, then yes, it works... (the user is then just
in i-restringidos).





Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
Sorry, I don't understand.
Just enumerate the users in an acl?

A common acl or a Kerberos acl??

Can you give me an example, please?

Thanks





[squid-users] Error page or redirect just to a user

2017-12-03 Thread erdosain9
Hi.
I want to do a redirect for a user.
For example, if the user wants to go to Google, I redirect to some particular
web.
Can you tell me how??

I have configured the http access through user (with Kerberos).

Thanks to all





[squid-users] Certificate for bump?

2017-10-30 Thread erdosain9

Hi. What do you think about using a certificate for bump from
https://letsencrypt.org???
Thanks to all.





Re: [squid-users] Is your kerberos ticket expired?

2017-10-10 Thread erdosain9
Sorry, I found where:
/etc/sysconfig/squid

And it was good, it already has that config, so I don't know why it is failing.





Re: [squid-users] Is your kerberos ticket expired?

2017-10-10 Thread erdosain9
Hi.
I followed this guide

https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

But I don't know where to put this

Add the following configuration to /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

I don't have that file /etc/default/squid3

Squid is installed on CentOS 7.

/usr/lib/systemd/system/squid.service


[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target

[Service]
Type=forking
LimitNOFILE=16384
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/bin/mkdir -p /var/run/squid
ExecStartPre=/usr/bin/chown squid.squid /var/run/squid
ExecStart=/usr/sbin/squid -sYC
ExecReload=/usr/sbin/squid -kreconf
ExecStop=/usr/sbin/squidshut.sh
TimeoutStopSec=36
KillMode=none


[Install]
WantedBy=multi-user.target

Thanks to all.





Re: [squid-users] Ipv6 error

2017-10-10 Thread erdosain9
Sorry, but is the problem with the certificate a problem from the web?? I
mean, it is not a problem of "my Squid".
So better I exclude that web... but, so strange, the Squid wiki webpage with a
problem in its certificate???



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Ipv6 error

2017-10-10 Thread erdosain9
OK, that's an error from Chrome.

Another thing with just that web: if I disable dns_ipv4_first,

I get this:
--
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Failed to establish a secure connection to 104.130.201.120

The system returned:

(71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's
Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied with
the host security credentials.
---

AND, if I reload the web, then again this:

--
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
--

First a certificate problem (with ipv4) and later that problem in ipv6...



So I put this and all has to work (or -I 0)
  ip6tables -I INPUT 1 -j REJECT
  ip6tables -I FORWARD 1 -j REJECT
  ip6tables -I OUTPUT 1 -j REJECT

Thanks.





Re: [squid-users] Ipv6 error

2017-10-09 Thread erdosain9
This is weird.

This just happened to me with that web... I mean, with
https://wiki.squid-cache.org/ (not with Google, not with Facebook).

But the weird thing is that if I go through a machine authenticated by IP, I
receive that IPv6 error, but if I go through a machine authenticated by Kerberos I get
this net::err cert common name invalid.
?

So, you are telling me to configure iptables to reject IPv6 traffic??






[squid-users] Ipv6 error

2017-10-09 Thread erdosain9
Hi.
I'm getting this kind of error:

--
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
---

So, I want to disable IPv6 (because right now I can't configure IPv6 in my net).
Squid is on CentOS 7.

I found this command:
tcp_outgoing_address

but I have this error when I wrote it in squid.conf

2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 19 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 28 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address


I'm using this command too, for authentication

external_acl_type i-full ipv4 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@domain.lan
external_acl_type i-limitado ipv4 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@domain.lan

(I mean the ipv4 command).

What can I do??

Thanks to all, 
and sorry for my bad English.








[squid-users] Is your kerberos ticket expired?

2017-10-05 Thread erdosain9
Hi.
All is working fine, but I'm getting this error in the mail of root

--


From r...@squid.domain.lan  Tue Oct  3 04:00:02 2017
Return-Path: 
X-Original-To: root
Delivered-To: r...@squid.domain.lan
Received: by squid.domain.lan (Postfix, from userid 0)
id 2581F8066D7F; Tue,  3 Oct 2017 04:00:02 -0300 (ART)
From: "(Cron Daemon)" 
To: r...@squid.domain.lan
Subject: Cron   msktutil --auto-update --verbose --computer-name
squidproxy-k | logger -t msktutil > /dev/null
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: 

Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
Sorry, this is part of my config

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.domain@domain.lan
auth_param negotiate children 45 startup=0 idle=1
auth_param negotiate keep_alive on


external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@domain.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@domain.lan


#GRUPOS
acl i-full external i-full
acl i-limitado external i-limitado






Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
But why is it so slow then???

"
For Negotiate and NTLM the credentials are supposed to be unique per
connection, so each TCP connection requires separate lookup. But
followup pipelined requests on a connection should not need auth helper
lookups as they share the already authenticated credentials.

*group* lookups are different (and cached normally), but they are not
authentication.

"

thanks





Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
Hi.
Thanks.
But is there some time-to-live to configure in Squid, so the service is
not asking for authentication every time??
Thanks!





[squid-users] Negotiate Authenticator and DNS

2017-09-22 Thread erdosain9
Hi.
I'm trying to improve the DNS response because I'm getting these times:

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 32 (0 shutting down)
requests sent: 72241
replies received: 72241
queue length: 0
avg service time: 56 msec

  ID #   FD    PID  # Requests  # Replies  Flags    Time  Offset  Request
    16   30  22242       38896      38896          0.368       0  (none)
    17   32  22243       13404      13404          0.388       0  (none)
    18   38  22244        6962       6962          0.126       0  (none)
    19   61  22245        3895       3895          0.344       0  (none)
    20   65  22246        2636       2636          0.369       0  (none)
    21   74  22247        1879       1879          0.124       0  (none)
    22   76  22248        1177       1177          0.340       0  (none)
    23   78  22249         809        809          0.307       0  (none)
    24   79  22250         592        592          0.364       0  (none)
    25   81  22251         436        436          0.265       0  (none)
    26   94  22252         320        320          0.244       0  (none)
    27   96  22253         243        243          0.243       0  (none)
    28   98  22254         184        184          0.299       0  (none)
    29  109  22255         142        142          0.285       0  (none)
    30  111  22256         112        112          0.308       0  (none)
    31  113  22257          85         85          0.308       0  (none)
    45  473  22285          69         69          0.789       0  (none)
    46  475  22286          60         60          0.756       0  (none)
    47  480  22287          52         52          1.504       0  (none)
    48  495  22288          48         48          1.611       0  (none)
    49  499  22289          44         44          1.611       0  (none)
    50  580  22291          36         36          1.598       0  (none)
    51  596  22292          31         31          1.099       0  (none)
    52  593  22293          26         26          0.916       0  (none)
    53  547  22308          20         20          0.916       0  (none)
    54  550  22309          18         18          0.602       0  (none)
    55  551  22310          14         14          0.397       0  (none)
    56  553  22311          12         12          0.567       0  (none)
    57  552  22312          12         12          0.567       0  (none)
    58  397  22313          11         11          0.567       0  (none)
    59  407  22314          10         10          0.584       0  (none)
    67  436  22355           6          6          1.035       0  (none)

Sometimes it takes much more time; sometimes it goes to avg service time: 560 msec...

Sorry for my ignorance...
Is this Negotiate Authenticator for users??? I mean, is this related to, for
example, going to google.com, or is it just the time that the user (client PC)
waits to be authenticated??

I think that it is related to going to a website (now I have my doubts), so I set up a
DNS with BIND and put that DNS in the Squid config, and left the DNS from the AD
in second place... but when I restarted, this happened:

support_resolv.cc(289): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group: ERROR: Error while resolving service record _ldap._tcp.DOMAIN.LAN with res_search
support_resolv.cc(71): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldap._tcp.DOMAIN.LAN
support_resolv.cc(183): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known
support_sasl.cc(276): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server


So, this post is for two questions. 
1- The thing about Negotiate Authenticator (what does that value represent?)
2- Can I improve it by making my own DNS (apart from the DNS from the domain)?
(I prefer to make another DNS rather than fix the DNS from the domain, because I don't
manage that.)

Thanks to all, and sorry for the ignorance and my bad writing (I don't speak
English)




Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-11 Thread erdosain9
Ok, thanks

I grew the swap

[root@squid /]# free -h
              total        used        free      shared  buff/cache   available
Mem:           3,7G        1,0G        117M         29M        2,6G        2,4G
Swap:          6,0G        124M        5,9G


Regarding swappiness, what would be a good value??

I have this

 cat /proc/sys/vm/swappiness
30

cat /proc/sys/vm/vfs_cache_pressure

100

Thanks!





Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
By the way,

              total        used        free      shared  buff/cache   available
Mem:           3,7G        3,0G        122M         13M        554M        422M
Swap:          2,0G        160M        1,8G






[squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
Hi to all.
All was working fine... but today I'm having this issue


2017/09/07 11:34:49 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:49 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new ssl_crtd helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/32 'ssl_crtd'
processes
2017/09/07 11:34:51 kid1| Starting new ssl_crtd helpers...
2017/09/07 11:34:51 kid1| helperOpenServers: Starting 1/32 'ssl_crtd'
processes
2017/09/07 11:34:51 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:51 kid1| WARNING: Cannot run '/usr/lib64/squid/ssl_crtd'
process.


Can somebody give me a hand??
Thanks to all.





[squid-users] DNS Server Failure

2017-09-04 Thread erdosain9
Hi.
Is there a way to know what can be happening with this failure?
Thanks to all.

Internal DNS Statistics:

The Queue:
   DELAY SINCE
  ID   SIZE SENDS FIRST SEND LAST SEND M FQDN
--  - -- - - 

DNS jumbo-grams: not working

Nameservers:
IP ADDRESS # QUERIES # REPLIES Type
-- - - 
192.168.1.107 27862 27862 recurse
192.168.1.222   425   411 recurse

Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3 PROBLEM
0   590210  205   41 : Success
1000 : Packet Format Error
2 7165 6950 6909 : DNS Server Failure
321827   100 : Non-Existent Domain
4000 : Not Implemented
5000 : Query Refused
6000 : Name Exists when it should not
7000 : RR Set Exists when it should not
8000 : RR Set that should exist does not
9000 : Server Not Authoritative for zone
   10000 : Name not contained in zone
   16000 : Bad OPT Version or TSIG Signature Failure






[squid-users] SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-09-04 Thread erdosain9
Hi.
I'm having a lot of this in cache.log... is this normal?? The HTTPS access
is working fine... but I have those errors.

2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 58: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:10:59 kid1| Error negotiating SSL on FD 640: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:01 kid1| Error negotiating SSL on FD 640: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:01 kid1| Error negotiating SSL on FD 794: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:02 kid1| Error negotiating SSL on FD 314: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:28 kid1| Error negotiating SSL on FD 299: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:29 kid1| Error negotiating SSL on FD 299: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 620: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 105: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:31 kid1| Error negotiating SSL on FD 495: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:32 kid1| Error negotiating SSL on FD 495: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:39 kid1| Error negotiating SSL on FD 457: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:40 kid1| Error negotiating SSL on FD 457: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:40 kid1| Error negotiating SSL on FD 452: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:41 kid1| Error negotiating SSL on FD 452: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:41 kid1| Error negotiating SSL on FD 210: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:42 kid1| Error negotiating SSL on FD 210: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:58 kid1| Error negotiating SSL on FD 197: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:58 kid1| Error negotiating SSL on FD 197: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2017/09/04 13:11:59 kid1| Error negotiating SSL on FD 472: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (:




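An added example (not part of the original post, and not Squid's own code): one way to triage a flood of "Error negotiating SSL" entries is to rejoin records that were wrapped when pasted into mail, then count them by failure class and by minute. The sample log is constructed from records of the kind quoted on this page, including a truncated final record; reading the trailing triple as ssl_error/ret/errno is an assumption.

```python
import re
from collections import Counter

# Constructed sample: cache.log records of the kind quoted on this page, with
# mail-style wrapping (one record over several lines) and a truncated last record.
SAMPLE_LOG = """\
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (
1/-1/0)
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 58: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1
/-1/0)
2017/09/04 13:10:59 kid1| Error negotiating SSL on FD 640:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/09/04 13:11:01 kid1| Error negotiating SSL on FD 640:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/09/04 13:11:02 kid1| Error negotiating SSL on FD 93:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/09/04 13:11:03 kid1| NETDB state saved; 0 entries, 0 msec
2017/09/04 13:11:59 kid1| Error negotiating SSL on FD 472:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (:
"""

# A physical line that starts a new cache.log record.
RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} kid\d+\|")

# One complete TLS negotiation error. The trailing triple is assumed to be
# ssl_error/ret/errno; whitespace inside it is tolerated because wrapping
# can split the parentheses.
TLS_ERROR = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}):\d{2} kid\d+\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): (?P<err>.*?)\s*"
    r"\(\s*(?P<ssl_error>-?\d+)\s*/\s*(?P<ret>-?\d+)\s*/\s*(?P<errno>-?\d+)\s*\)$"
)


def join_wrapped(text):
    """Rebuild logical records from wrapped physical lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def parse_tls_errors(records):
    """Return (parsed events, TLS records that could not be parsed)."""
    events, unparsed = [], []
    for rec in records:
        if "Error negotiating SSL on FD" not in rec:
            continue  # some other cache.log message
        m = TLS_ERROR.match(rec)
        if not m:
            unparsed.append(rec)  # e.g. a record cut off mid-line
            continue
        fields = m.group("err").split(":")
        events.append({
            "minute": f'{m.group("date")} {m.group("time")}',
            "fd": int(m.group("fd")),
            "openssl_code": fields[1] if len(fields) > 1 else "",
            "reason": fields[-1],
            "ssl_error": int(m.group("ssl_error")),
            "errno": int(m.group("errno")),
        })
    return events, unparsed


def classify(event):
    """Coarse failure class for one parsed event."""
    if event["reason"] == "certificate verify failed":
        return "server certificate rejected"
    if event["ssl_error"] == 5:  # SSL_ERROR_SYSCALL in OpenSSL
        return "transport failure during handshake"
    return "other TLS failure"


def summarize(text):
    """Counts per failure class and per minute, plus unparsed TLS records."""
    events, unparsed = parse_tls_errors(join_wrapped(text))
    return {
        "total": len(events),
        "unparsed": len(unparsed),
        "by_class": Counter(classify(e) for e in events),
        "by_minute": Counter(e["minute"] for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Separating certificate rejections from transport resets shows whether the volume comes from certificate validation or from connections dropped mid-handshake, and the per-minute counts show whether it is a steady rate or a burst.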


Re: [squid-users] Squid as gateway

2017-07-21 Thread erdosain9
Hi, and thanks

The ROUTERWIFI is a TP-Link TL-WR940N; I don't see any NAT option in this
router :-(

This is the routing table of the SquidBox

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.158.1      0.0.0.0         UG    0      0        0 ens192
10.1.158.0      0.0.0.0         255.255.255.0   U     0      0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens192
192.168.0.0     192.168.1.40    255.255.255.0   UG    0      0        0 ens160
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160
192.168.6.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160

If I enable IPv4 forwarding on the SquidBox, the clients of the ROUTERWIFI can
access the internet, so I think the routing table is OK. The clients can go
to the internet, but just because IPv4 forwarding is enabled (the Squid service is
not getting anything; I don't see anything in the access.log...). If I disable
IPv4 forwarding, the clients can't go anywhere.

This is iptables

[root@squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 383 packets, 42336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683200.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid as gateway

2017-07-20 Thread erdosain9
Hi, and thank you all.

Well this is the diagram.



INTERNET
+
+
FIREWALL (10.1.158.1/24)
+
+
+
SQUID (2 interfaces) 10.1.158.2/24 192.168.1.20/24
+
+
+
ROUTERWIFI (WAN static ip 192.168.1.40/24 gw 192.168.1.20) (LAN 192.168.0.1/24)

squid config:

acl red1 src 192.168.1.0/24

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access allow red1

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB

cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

dns_nameservers 8.8.8.8 8.8.4.4
visible_hostname squid.xx.lan

---

I tried this, nothing works..
-

iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP 



iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

---

A hand??
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683192.html


Re: [squid-users] Squid as gateway

2017-07-11 Thread erdosain9
Ok Yuri, I'm re re re reading... :-)

And I tried other configs, like this
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

and nothing, I don't get where I fail.

Squid is configured in interception mode.

cache.log

2017/07/11 14:15:43 kid1| Accepting HTTP Socket connections at
local=[::]:3128 remote=[::] FD 14 flags=9
2017/07/11 14:15:43 kid1| Accepting NAT intercepted HTTP Socket connections
at local=[::]:3129 remote=[::] FD 15 flags=41

So, yes, yes, I keep reading.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683058.html


Re: [squid-users] Squid as gateway

2017-07-11 Thread erdosain9
Thanks
Yes, I'm looking at the wiki and followed this
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

And it is not working. Nothing is going to Squid.

I can go to the internet because 

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

but nothing goes through Squid.

What can it be? Another wiki???



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683056.html


[squid-users] WARNING: Disk space over limit

2017-07-11 Thread erdosain9
Hi to all.
I'm having this warning

2017/07/11 11:37:44 kid1| WARNING: Disk space over limit: 17241692.00 KB >
1536 KB
2017/07/11 11:37:56 kid1| WARNING: Disk space over limit: 16800692.00 KB >
1536 KB
2017/07/11 11:38:07 kid1| WARNING: Disk space over limit: 16466860.00 KB >
1536 KB
2017/07/11 11:38:19 kid1| WARNING: Disk space over limit: 16152960.00 KB >
1536 KB
2017/07/11 11:38:30 kid1| WARNING: Disk space over limit: 15905772.00 KB >
1536 KB
2017/07/11 11:38:41 kid1| WARNING: Disk space over limit: 15664684.00 KB >
1536 KB
2017/07/11 11:38:52 kid1| WARNING: Disk space over limit: 15499404.00 KB >
1536 KB


Why is this happening?? Why is it over the limit??

[root@squid ~]# df -h
S.ficheros               Tamaño Usados  Disp Uso% Montado en
/dev/mapper/centos-root     48G    17G   31G  36% /
devtmpfs                   1,9G      0  1,9G   0% /dev
tmpfs                      1,9G   2,1M  1,9G   1% /dev/shm
tmpfs                      1,9G   8,5M  1,9G   1% /run
tmpfs                      1,9G      0  1,9G   0% /sys/fs/cgroup
/dev/sda1                  497M   143M  355M  29% /boot
tmpfs                      380M      0  380M   0% /run/user/0

SQUID.CONF

cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 1000 MB
maximum_object_size_in_memory 1 MB

cache_swap_low 90
cache_swap_high 95

Yes, it is over cache_dir... but why?? And how do I correct this?



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-Disk-space-over-limit-tp4683055.html


Re: [squid-users] Squid as gateway

2017-07-11 Thread erdosain9
Hi, and thanks.
Maybe I didn't explain it well.
I just want this:

 WanRouter---Squid-switch--PC

I want to declare in "PC" the IP, mask, and gateway; instead of the WanRouter, I
want the PC to have the IP of the Squid as its gateway.

This is what I have done so far.

sudo iptables -A PREROUTING -t nat -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

[root@squid ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


 iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  192.168.1.0/24       anywhere             tcp dpt:http redir ports 3128

And in squid.conf 
I have
http_port 192.168.1.35:3128 intercept

But... this is not working... so
Can anyone give me a hand?

Thanks to all.

 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683053.html


[squid-users] Squid as gateway

2017-07-07 Thread erdosain9
Hi.
Is it possible to put the Squid server as the gateway??? And configure it to listen on
port 80 instead of 3128? Will this work?
Thanks to all.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022.html


Re: [squid-users] The best way to start | stop | reload | status

2017-07-06 Thread erdosain9
Ok, thank you all!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/The-best-way-to-start-stop-reload-status-tp4682998p4683005.html


[squid-users] The best way to start | stop | reload | status

2017-07-06 Thread erdosain9
Hi.
Hmm... I'm having a doubt.
I usually use systemctl for start, stop, reload, and status; but sometimes I
heard that it was not the best way to do these actions.
Why? Did I hear something wrong?
And if it is not the best way, what would it be?

1) squid -z
2) squid

???

And from there, how can I stop, reload, and check status??
And, if this is the best way, how do I start Squid automatically when the
system boots?

(Or is it really not relevant?)

Thanks to all!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/The-best-way-to-start-stop-reload-status-tp4682998.html


Re: [squid-users] open failed to shm_open(/squid-ssl_session_cache.shm)

2017-07-05 Thread erdosain9
Hi.
Why do you say "This is because you use two commands"? 
I use systemctl reload squid, or systemctl stop, start

This is the cache.log

Thanks to all.

2017/07/05 07:41:07 kid1| Error negotiating SSL on FD 161:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/07/05 07:42:29 kid1| Error negotiating SSL on FD 93:
error::lib(0):func(0):reason(0) (5/-1/104)
2017/07/05 08:13:28 kid1| Error negotiating SSL on FD 136:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:13:28 kid1| Error negotiating SSL on FD 136:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:13:29 kid1| Error negotiating SSL on FD 136:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:13:29 kid1| Error negotiating SSL on FD 112:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:13:29 kid1| Error negotiating SSL on FD 112:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:13:30 kid1| Error negotiating SSL on FD 112:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:22:26 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: received type 1 NTLM token; }}
2017/07/05 08:45:23 kid1| Logfile: opening log
stdio:/var/log/squid/netdb.state
2017/07/05 08:45:23 kid1| Logfile: closing log
stdio:/var/log/squid/netdb.state
2017/07/05 08:45:23 kid1| NETDB state saved; 0 entries, 0 msec
2017/07/05 09:08:44 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256649501 AKA
br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256649501
2017/07/05 09:10:45 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256770077 AKA
br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256770077
2017/07/05 09:12:45 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256890082 AKA
br08.zopim.com/s/W/xdds/Aep43AMeh1O8Vlwe/p/1499256890082
2017/07/05 09:14:28 kid1| Error negotiating SSL on FD 119:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/05 09:14:39 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257004386 AKA
br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257004386
2017/07/05 09:16:39 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257124091 AKA
br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257124091
2017/07/05 09:18:39 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257244092 AKA
br02.zopim.com/s/W/xdds/7mNYAXLNdYVGN3KW/p/1499257244092
2017/07/05 09:20:31 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://ct-m-fbx.fbsbx.com/fp/clear.png?org_id=j8ck72di_id=araflybsfmbnfree=333126247f6d6070766b5d636c7665726e636c5d61783f333b3a2c3b343a2e312e333134
AKA
ct-m-fbx.fbsbx.com/fp/clear.png?org_id=j8ck72di_id=araflybsfmbnfree=333126247f6d6070766b5d636c7665726e636c5d61783f333b3a2c3b343a2e312e333134
2017/07/05 09:22:35 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br02.zopim.com/s/W/xdds/RwyggWx9nKXxEZRw/p/1499257480125 AKA
br02.zopim.com/s/W/xdds/RwyggWx9nKXxEZRw/p/1499257480125
2017/07/05 09:24:04 kid1| WARNING: HTTP: Invalid Response: No object data
received for
https://br02.zopim.com/s/W/xdds/U7YAcQjwdF8M8Ofg/p/1499257569147 AKA

[squid-users] open failed to shm_open(/squid-ssl_session_cache.shm)

2017-07-03 Thread erdosain9
Hi.
What's going on here?
Can somebody give me a hand?
I didn't make any changes, so... what's going on??

2017/07/03 12:44:41 kid1| Error negotiating SSL on FD 481:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)
2017/07/03 12:45:38 kid1| Closing HTTP port 127.0.0.1:3128
2017/07/03 12:45:38 kid1| Closing HTTP port 192.168.1.215:3128
2017/07/03 12:45:38 kid1| storeDirWriteCleanLogs: Starting...
2017/07/03 12:45:38 kid1| 65536 entries written so far.
2017/07/03 12:45:38 kid1|131072 entries written so far.
2017/07/03 12:45:38 kid1|196608 entries written so far.
2017/07/03 12:45:38 kid1|262144 entries written so far.
2017/07/03 12:45:38 kid1|327680 entries written so far.
2017/07/03 12:45:38 kid1|393216 entries written so far.
2017/07/03 12:45:38 kid1|458752 entries written so far.
2017/07/03 12:45:38 kid1|524288 entries written so far.
2017/07/03 12:45:38 kid1|   Finished.  Wrote 583448 entries.
2017/07/03 12:45:38 kid1|   Took 0.39 seconds (1489679.82 entries/sec).
FATAL: Too many queued negotiateauthenticator requests
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 1922.935 seconds = 1731.880 user + 191.054 sys
Maximum Resident Size: 8584000 KB
Page faults with physical i/o: 11
2017/07/03 12:45:45 kid1| Set Current Directory to /var/spool/squid
2017/07/03 12:45:45 kid1| Starting Squid Cache version 3.5.20 for
x86_64-redhat-linux-gnu...
2017/07/03 12:45:45 kid1| Service Name: squid
2017/07/03 12:45:45 kid1| Process ID 4455
2017/07/03 12:45:45 kid1| Process Roles: worker
2017/07/03 12:45:45 kid1| With 16384 file descriptors available
2017/07/03 12:45:45 kid1| Initializing IP Cache...
2017/07/03 12:45:45 kid1| DNS Socket created at [::], FD 9
2017/07/03 12:45:45 kid1| DNS Socket created at 0.0.0.0, FD 10
2017/07/03 12:45:45 kid1| Adding nameserver 192.168.1.107 from squid.conf
2017/07/03 12:45:45 kid1| Adding nameserver 192.168.1.222 from squid.conf
2017/07/03 12:45:45 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
processes
FATAL: Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.101 seconds = 0.078 user + 0.022 sys
Maximum Resident Size: 133856 KB
Page faults with physical i/o: 6
2017/07/03 12:45:48 kid1| Set Current Directory to /var/spool/squid
2017/07/03 12:45:48 kid1| Starting Squid Cache version 3.5.20 for
x86_64-redhat-linux-gnu...
2017/07/03 12:45:48 kid1| Service Name: squid
2017/07/03 12:45:48 kid1| Process ID 4494
2017/07/03 12:45:48 kid1| Process Roles: worker
2017/07/03 12:45:48 kid1| With 16384 file descriptors available
2017/07/03 12:45:48 kid1| Initializing IP Cache...
2017/07/03 12:45:48 kid1| DNS Socket created at [::], FD 9
2017/07/03 12:45:48 kid1| DNS Socket created at 0.0.0.0, FD 10
2017/07/03 12:45:48 kid1| Adding nameserver 192.168.1.107 from squid.conf
2017/07/03 12:45:48 kid1| Adding nameserver 192.168.1.222 from squid.conf
2017/07/03 12:45:48 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
processes
FATAL: Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.118 seconds = 0.084 user + 0.033 sys
Maximum Resident Size: 133872 KB
Page faults with physical i/o: 0
2017/07/03 12:45:51 kid1| Set Current Directory to /var/spool/squid
2017/07/03 12:45:51 kid1| Starting Squid Cache version 3.5.20 for
x86_64-redhat-linux-gnu...
2017/07/03 12:45:51 kid1| Service Name: squid
2017/07/03 12:45:51 kid1| Process ID 4501
2017/07/03 12:45:51 kid1| Process Roles: worker
2017/07/03 12:45:51 kid1| With 16384 file descriptors available
2017/07/03 12:45:51 kid1| Initializing IP Cache...
2017/07/03 12:45:51 kid1| DNS Socket created at [::], FD 9
2017/07/03 12:45:51 kid1| DNS Socket created at 0.0.0.0, FD 10
2017/07/03 12:45:51 kid1| Adding nameserver 192.168.1.107 from squid.conf
2017/07/03 12:45:51 kid1| Adding nameserver 192.168.1.222 from squid.conf
2017/07/03 12:45:51 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
processes
FATAL: Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/open-failed-to-shm-open-squid-ssl-session-cache-shm-tp4682961.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] this config is ok? is ok the order?

2017-06-06 Thread erdosain9
Oh, ok!
So... doesn't it make any sense to try to have a big TTL?
Because ok, if I use just my own DNS resolver then "they" have just one TTL
and not one for each user.
But wouldn't it be better to have a long TTL???
Is the IP attached to a domain name changing so quickly (15', for
example)?? I don't understand that. Because if it is not changing so quickly,
why are those values so low??
Thanks (and again... sorry... for... my... ignorance... and my bad writing)



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/this-config-is-ok-is-ok-the-order-tp4682631p4682702.html


Re: [squid-users] this config is ok? is ok the order?

2017-06-05 Thread erdosain9
Hi. From what I understood, the TTL of DNS names is important. So, I wanted to
know when the squid server would ask for resolution again. That is, how long
the record was kept.
Thanks

P.S.: without -x

[root@squid ~]# dig yahoo.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6258
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yahoo.com. IN  A

;; ANSWER SECTION:
yahoo.com.  590 IN  A   98.138.253.109
yahoo.com.  590 IN  A   98.139.183.24
yahoo.com.  590 IN  A   206.190.36.45

;; Query time: 4 msec
;; SERVER: 192.168.1.222#53(192.168.1.222)
;; WHEN: lun jun 05 16:00:44 ART 2017
;; MSG SIZE  rcvd: 86

[root@squid ~]# dig pijamasurf.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> pijamasurf.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;pijamasurf.com.IN  A

;; ANSWER SECTION:
pijamasurf.com. 299 IN  A   104.24.25.112
pijamasurf.com. 299 IN  A   104.24.26.112

;; Query time: 71 msec
;; SERVER: 192.168.1.222#53(192.168.1.222)
;; WHEN: lun jun 05 16:02:15 ART 2017
;; MSG SIZE  rcvd: 75


I wish I could set a bigger TTL to avoid being asked every "little amount of
time" for one address. For example pijamasurf.com = 299 and yahoo = 590, so
who manages that time?? How can I set a longer time to live?
Or does this make no sense?
Maybe I did not understand Amos's comment. (I thought I read English better
:-))
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/this-config-is-ok-is-ok-the-order-tp4682631p4682679.html


Re: [squid-users] this config is ok? is ok the order?

2017-06-05 Thread erdosain9
Amos Jeffries wrote
> The core issue is the speed at which that service rotates its response 
> IP lists, which is directly related to each request going to entirely 
> different server in their farm. Simply having a single (and maybe more 
> sane regarding TTLs) resolver as a networks focal point for the traffic 
> before it reaches out to the Google service seems to bring sanity back 
> to the performance.

Ok, thanks.
Mmm... and what do you think about this

dig -x google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -x google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;com.google.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
in-addr.arpa.   900 IN  SOA b.in-addr-servers.arpa. 
nstld.iana.org. 2017042647
1800 900 604800 3600

;; Query time: 1 msec
;; SERVER: 192.168.1.222#53(192.168.1.222)
;; WHEN: lun jun 05 12:37:03 ART 2017
;; MSG SIZE  rcvd: 120

We have little time? About 15'; this is a problem, don't you think?
Or am I using dig wrong??
What would be a good value???
Thanks again.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/this-config-is-ok-is-ok-the-order-tp4682631p4682677.html


Re: [squid-users] this config is ok? is ok the order?

2017-06-01 Thread erdosain9
"If I assume that its doing what you want there are still two major
issues that can be seen.". I think it was...

"1) Mixing interception and authentication (ssl-bump is a type of
interception, at least on the https:// traffic). Intercepted messages
cannot be authenticated - though there are some workarounds in place for
ssl-bump to authenticate the CONNECT tunnel and label all the bumped
traffic with that username."

How is that? Maybe I'm wrong (probably), but, for example, a connection to
youtube is SSL, and I see in access.log who does that (it's
authenticated). So? I'm wrong, no? Why?

2) We have a DNS server (192.168.1.222) that just has our internal
DNS names and then points to 8.8.8.8... would that (192.168.1.222) DNS server
not be useful either?

Sorry for my ignorance, and thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/this-config-is-ok-is-ok-the-order-tp4682631p4682653.html


[squid-users] this config is ok? is ok the order?

2017-05-30 Thread erdosain9
acl local_machines dst 192.168.1.0/24 

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxx@xxx.lan
auth_param negotiate children 25 startup=0 idle=1
auth_param negotiate keep_alive on

external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@xxx.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@xxx.lan

#GROUPS
acl i-full external i-full
acl i-limitado external i-limitado
#Block advertising ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads
#deny_info TCP_RESET ads

#Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

#Ports
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080        # edesur and others
acl Safe_ports port 2199        # radio
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow i-limitado !dominios_denegados 
http_access allow i-full !dominios_denegados 
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1 

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 


# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 1000 MB
maximum_object_size_in_memory 1 MB

cache_swap_low 90
cache_swap_high 95

cache deny local_machines
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire override-lastmod ignore-reload ignore-no-cache ignore-no-store reload-into-ims ignore-must-revalidate

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

###ENABLE IN CASE OF "Connection reset by peer" ON MANY HOSTS
via off
forwarded_for delete
###

#Pools for bandwidth
delay_pools 5

#Youtube bandwidth
delay_class 1 2 
delay_parameters 1 100/100 5/256000
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

#Facebook bandwidth
delay_class 2 2 
delay_parameters 2 100/100 5/256000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

#Bandwidth YOUTUBE FULL
delay_class 3 1
delay_parameters 3 100/100
delay_access 3 allow i-full youtube !facebook
delay_access 3 deny all

#Bandwidth LIMITED
delay_class 4 3 
delay_parameters 4 300/300 100/100 256000/512000

[squid-users] Wrong timestamp??

2017-05-24 Thread erdosain9
Hi to all.
This is strange...
If I run "date" I get the actual time. I mean the time is correct.
More or less at this moment it is

[root@squid ~]# date
mié may 24 15:59:59 ART 2017

At the same moment (more or less), access.log:
24/May/2017:19:00:21 

same moment (more or less)
[root@squid ~]# squidclient mgr:negotiateauthenticator
HTTP/1.1 200 OK
Server: squid/3.5.20
Mime-Version: 1.0
Date: Wed, 24 May 2017 19:01:37 GMT
Content-Type: text/plain;charset=utf-8
Expires: Wed, 24 May 2017 19:01:37 GMT
Last-Modified: Wed, 24 May 2017 19:01:37 GMT

So... why does squid have the wrong time if the "date" command says another thing?
Where does squid take the time from?



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Wrong-timestamp-tp4682545.html


[squid-users] AD Windows server 2012 - Squid Authenticator slow

2017-05-24 Thread erdosain9
Hi to all.
I'm having too high an "avg service time" in the negotiate kerberos helper. Amos
told me that it's a configuration related to the AD. Can somebody give me a
hand to tune that? Or tell me where to find information about it?
Thanks


Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 20 of 20 (0 shutting down)
requests sent: 1063
replies received: 1043
queue length: 2
avg service time: 414 msec




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/AD-Windows-server-2012-Squid-Authenticator-slow-tp4682543.html


Re: [squid-users] Two squid server - Would it be useful?

2017-05-23 Thread erdosain9
Thanks and sorry, I have just two.
In one of them (the more "important") I have SSO, and in the other I have
access per IP.
So, do I need to have the two squid servers the same or not?

On the other hand, I do not mind the use of bandwidth, but I want to serve as
fast as possible.
How would I configure this??

thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Two-squid-server-Would-it-be-useful-tp4682529p4682532.html


[squid-users] Two squid server - Would it be useful?

2017-05-23 Thread erdosain9
Hi.
I have a working squid server. We have 110 PCs.
I have two virtualized squids.
One of them is working, and the other I use for testing purposes. But I want
to know if I could take the "testing purposes" one and put it to work with
"cache peers or neighbors"??
Would it be better?? Would it give some benefits??
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Two-squid-server-Would-it-be-useful-tp4682529.html


Re: [squid-users] Documentation for squidclient?

2017-05-22 Thread erdosain9
Ok,
Thanks.
We are using a Windows Server 2012...

Can you explain to me how the negotiate authenticator works??
How does it work? When a user wants to browse to a page, does squid use the
authenticator to know if they can browse?? Every time? For every single web
page?
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682512.html


Re: [squid-users] Documentation for squidclient?

2017-05-19 Thread erdosain9
Hi again.

Just boot up
11:43
number active: 14 of 25 (0 shutting down)
requests sent: 166348
replies received: 166348
queue length: 0
avg service time: 34 msec

 ID #   FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
  366   97  13237         510        510         0.040       0  (none)
  367  107  13238         225        225         0.243       0  (none)
  368  135  13239         119        119         0.069       0  (none)
  369   94  13240          77         77         0.072       0  (none)
  370  109  13242          51         51         0.228       0  (none)
  371  131  13243          41         41         0.228       0  (none)
  372  301  13244          28         28         0.276       0  (none)
  373  212  13245          23         23         0.276       0  (none)
  374  261  13246          15         15         0.276       0  (none)
  375  427  13249           9          9         0.276       0  (none)
  376  429  13250           6          6         0.276       0  (none)
  377  431  13251           5          5         0.276       0  (none)
  381  332  13293           2          2         0.276       0  (none)
  382  496  13359           1          1         0.276       0  (none)


12:00
-
number active: 25 of 25 (0 shutting down)
requests sent: 173579
replies received: 173579
queue length: 0
avg service time: 42 msec

 ID #   FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
  366   97  13237        3561       3561         0.130       0  (none)
  367  107  13238        1622       1622         0.059       0  (none)
  368  135  13239         910        910         0.128       0  (none)
  369   94  13240         599        599         0.142       0  (none)
  370  109  13242         411        411         0.153       0  (none)
  371  131  13243         308        308         0.215       0  (none)
  372  301  13244         230        230         0.167       0  (none)
  373  212  13245         172        172         0.136       0  (none)
  374  261  13246         120        120         0.167       0  (none)
  375  427  13249          98         98         0.173       0  (none)
  376  429  13250          71         71         0.120       0  (none)
  377  431  13251          50         50         0.180       0  (none)
  381  332  13293          41         41         0.294       0  (none)
  382  496  13359          32         32         0.312       0  (none)
  383  374  13361          25         25         0.192       0  (none)
  384  377  13362          21         21         0.309       0  (none)
  385  373  13430          16         16         0.198       0  (none)
  386  392  13431          13         13         1.044       0  (none)
  387  399  13432          10         10         0.960       0  (none)
  388  403  13433           8          8         1.006       0  (none)
  389  448  13434           6          6         0.930       0  (none)
  390  450  13435           7          7         0.994       0  (none)
  391  452  13436           5          5         0.927       0  (none)
  392  455  13437           4          4         0.829       0  (none)
  393  457  13438           3          3         0.253       0  (none)


12:30

number active: 25 of 25 (0 shutting down)
requests sent: 182608
replies received: 182608
queue length: 0
avg service time: 36 msec

 ID #   FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
  366   97  13237        7458       7458         0.085       0  (none)
  367  107  13238        3401       3401         0.128       0  (none)
  368  135  13239        1862       1862         0.108       0  (none)
  369   94  13240        1235       1235         0.534       0  (none)
  370  109  13242         862        862         0.115       0  (none)
  371  131  13243         641        641         0.118       0  (none)
  372  301  13244         466        466         0.118       0  (none)
  373  212  13245         335        335

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
erdosain9 wrote
> ETC
> and 35, someone it's eating...and by the way the first "error" (a lot of
> numbers and letters its happening)
> 
> Negotiate Authenticator Statistics:
> program: /lib64/squid/negotiate_kerberos_auth
> number active: 35 of 35 (0 shutting down)
> requests sent: 35222
> replies received: 35221
> queue length: 0
> avg service time: 105 msec
> 
>ID #FD PID  # Requests   # Replies  Flags Time 
>  Offset
> Request
> 209   1137534 557 556 B R   0.000 
>   0 YR
> 210   1317535 490 490   0.332 
>   0
> (none)
> 211   1447536 435 435   0.550 
>   0
> (none)
> 212   1897537 398 398   0.825 
>   0
> (none)
> 213277538 364 364   0.566 
>   0
> (none)
> 214   2147539 331 331   0.783 
>   0
> (none)
> 215   2257540 307 307   0.500 
>   0
> (none)
> 216   2387541 284 284   0.838 
>   0
> (none)
> 217967542 288 288   0.587 
>   0
> (none)
> 218

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
And 35, someone is eating them... and by the way the first "error" (a lot of
numbers and letters) is happening

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 35 of 35 (0 shutting down)
requests sent: 35222
replies received: 35221
queue length: 0
avg service time: 105 msec

 ID #   FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
  209  113   7534         557        556  B R    0.000       0  YR
  210  131   7535         490        490         0.332       0  (none)
  211  144   7536         435        435         0.550       0  (none)
  212  189   7537         398        398         0.825       0  (none)
  213   27   7538         364        364         0.566       0  (none)
  214  214   7539         331        331         0.783       0  (none)
  215  225   7540         307        307         0.500       0  (none)
  216  238   7541         284        284         0.838       0  (none)
  217   96   7542         288        288         0.587       0  (none)
  218   76   7543         272        272         0.626       0  (none)
  219  227   7544         245        245         0.796       0  (none)
  220  275   7545         241        241         0.427       0  (none)
  221  299   7546         236        236         0.694       0  (none)
  222  308   7547         228        228         0.784       0  (none)
  223  241   7548         215        215         0.919       0  (none)
  224  265   7549         210        210         0.842       0  (none)
  225  318   7550         198        198         0.728       0  (none)
  226  321   7551         190        190         0.770       0  (none)
  227  233   7552         183        183         0.527       0  (none)
  228  242   7553         171        171         0.819       0  (none)
  229  190   7554         169        169         0.690       0  (none)
  230  272   7555         155        155         0.636       0  (none)
  231  353   7588         147        147         0.683       0  (none)
  232  357   7589         138        138         0.623       0  (none)
  233  340   7590         122        122         0.750       0  (none)
  234  362   7591          98         98         0.529       0  (none)
  235  365   7592          87         87         0.655       0  (none)
  236  207   7593

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
Look at this

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 25 of 25 (0 shutting down)
requests sent: 27331
replies received: 27306
queue length: 11
avg service time: 389 msec

I changed to 25... and at this moment I have queue length 11... is there
a way to know who is taking this? Because it's strange, before this was not
happening... can it be a virus? Is there some way to know which PC this
came from?

(Really sorry for my English... I know this is not too readable.)



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682467.html


Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
Thank you all!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682464.html


Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
And... lastly

How do I read this??

Delay pools configured: 5

Pool: 1
Class: 2

Aggregate:
Max: 100
Restore: 100
Current: 100

Individual:
Max: 512000
Restore: 5
Current: 124:512000 67:512000 120:512000 127:512000 9:512000 
26:214810
64:512000 169:512000 156:512000

Pool: 2
Class: 2

Aggregate:
Max: 100
Restore: 100
Current: 100

Individual:
Max: 512000
Restore: 5
Current: 238:512000 124:512000 67:512000 120:512000 127:512000 
26:512000
64:512000 156:512000 149:512000

Pool: 3
Class: 1

Aggregate:
Max: 100
Restore: 100
Current: 100

Pool: 4
Class: 3

Aggregate:
Max: 300
Restore: 300
Current: 300

Network:
Max: 100
Restore: 100
Current: 1:100 2:100

Individual:
Max: 512000
Restore: 256000
Current [Network 1]: 238:512000 127:512000 124:512000 17:512000 
63:512000
149:512000 120:512000 155:512000 156:512000 26:512000 9:512000
Current [Network 2]: 68:512000 61:512000 67:512000 64:512000 
169:512000
66:512000 12:512000


Pool: 5
Class: 3

Aggregate:
Max: 150
Restore: 150
Current: 150

Network:
Max: 75
Restore: 75
Current: 1:75

Individual:
Max: 512000
Restore: 256000
Current [Network 1]: 48:512000 75:512000 121:512000 151:512000




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682459.html


Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
And for example, if I have this

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 20 of 20 (0 shutting down)
requests sent: 23980
replies received: 23980
queue length: 0
avg service time: 8 msec

 ID #   FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
   21   18   2159       15266      15266         0.034       0  (none)
   22   20   2160        4016       4016         0.167       0  (none)
   23   26   2161        1827       1827         0.225       0  (none)
   24   34   2162        1063       1063         0.142       0  (none)
   25   36   2167         674        674         0.113       0  (none)
   26   40   2169         427        427         0.134       0  (none)
   27   44   2170         251        251         0.134       0  (none)
   28   48   2172         171        171         0.073       0  (none)
   29   55   2174         106        106         0.299       0  (none)
   30  213   3167          64         64         0.298       0  (none)
   31  216   3168          41         41         0.297       0  (none)
   32  218   3169          26         26         0.250       0  (none)
   33  217   3170          15         15         0.297       0  (none)
   37   99   6631          10         10         0.243       0  (none)
   38  106   6632           7          7         0.171       0  (none)
   39  124   7630           4          4         0.112       0  (none)
   40  129   7631           4          4         0.306       0  (none)
   41  263  18079           3          3         0.306       0  (none)
   42  266  18080           3          3         0.404       0  (none)
   43  108  18081           2          2         0.401       0  (none)

Flags key:

   B = BUSY
   C = CLOSING
   R = RESERVED
   S = SHUTDOWN PENDING
   P = PLACEHOLDER

20 of 20 authenticators are in use, but none is busy... so... do I have to
increase the number of authenticators or not?



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682458.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
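One way to read the helper report quoted in the message above, as an added example that is not part of the thread: "number active" counts started helper processes, while load shows up in the Flags column (B = BUSY) and in "queue length". The sample report is constructed on the model of the one posted (its rows are not the poster's data), and the verdict rule in `assess` is this example's own heuristic, not a Squid rule.

```python
import re

# Constructed report, modelled on `squidclient mgr:negotiate_authenticator`
# output from Squid 3.5. All values, and the busy row's request text, are invented.
SAMPLE_REPORT = """\
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 4 of 4 (0 shutting down)
requests sent: 1200
replies received: 1199
queue length: 0
avg service time: 8 msec

   ID #      FD     PID  # Requests   # Replies  Flags     Time  Offset Request
     21      18    2159         900         900           0.034       0 (none)
     22      20    2160         250         249      B    0.167       0 <constructed-request>
     23      26    2161          40          40           0.225       0 (none)
     24      34    2162          10          10           0.142       0 (none)
"""

SUMMARY_PATTERNS = {
    "running_limit": re.compile(r"^number active:\s*(\d+) of (\d+)"),
    "sent": re.compile(r"^requests sent:\s*(\d+)"),
    "received": re.compile(r"^replies received:\s*(\d+)"),
    "queue": re.compile(r"^queue length:\s*(\d+)"),
}

# ID, FD, PID, requests, replies, optional flags (B/C/R/S/P), time, offset, request
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(?:([BCRSP]+)\s+)?(\d+\.\d+)\s+(\d+)\s*(.*)$"
)


def parse_report(text):
    """Turn the text report into summary counters plus one dict per helper."""
    report = {"helpers": []}
    for line in text.splitlines():
        m = SUMMARY_PATTERNS["running_limit"].match(line)
        if m:
            report["running"], report["limit"] = int(m.group(1)), int(m.group(2))
            continue
        for key in ("sent", "received", "queue"):
            m = SUMMARY_PATTERNS[key].match(line)
            if m:
                report[key] = int(m.group(1))
                break
        else:
            m = ROW_RE.match(line)
            if m:
                report["helpers"].append({
                    "id": int(m.group(1)),
                    "pid": int(m.group(3)),
                    "requests": int(m.group(4)),
                    "replies": int(m.group(5)),
                    "flags": m.group(6) or "",  # empty means idle
                })
    return report


def assess(report):
    """Heuristic (assumption of this example): the pool is saturated when
    requests are queued, or when every allowed helper is running and busy."""
    helpers = report["helpers"]
    busy = sum(1 for h in helpers if "B" in h["flags"])
    total = sum(h["requests"] for h in helpers)
    top = max((h["requests"] for h in helpers), default=0)
    all_busy = busy > 0 and busy == report["running"] == report["limit"]
    saturated = report["queue"] > 0 or all_busy
    return {
        "running": report["running"],
        "limit": report["limit"],
        "busy": busy,
        "queued": report["queue"],
        "outstanding": report["sent"] - report["received"],
        "top_helper_share": (top / total) if total else 0.0,
        "verdict": "saturated" if saturated else "headroom",
    }


if __name__ == "__main__":
    for key, value in assess(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```
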


Re: [squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-17 Thread erdosain9
Sorry, now squidclient is working! It was the IPv6.
Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362p4682444.html


Re: [squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-17 Thread erdosain9
And if I do this:

http_port 127.0.0.1:3128

Then I get this:

[root@squid ~]# squidclient -vv mgr:menu
verbosity level set to 2
Request:
GET cache_object://localhost/menu HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
ERROR: Cannot connect to [::1]:3128




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362p4682443.html


Re: [squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-17 Thread erdosain9
Thanks, now I have "access denied"... why???

[root@squid ~]# squidclient -vv -h 192.168.1.215 mgr:info
verbosity level set to 2
Request:
GET cache_object://192.168.1.215/info HTTP/1.0
Host: 192.168.1.215
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving 192.168.1.215 ...
Connecting... 192.168.1.215 (192.168.1.215:3128)
Connected to: 192.168.1.215 (192.168.1.215:3128)
Sending HTTP request ... 
done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.20
Mime-Version: 1.0
Date: Wed, 17 May 2017 19:14:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3567
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from squid.xxx.lan
X-Cache-Lookup: NONE from squid.xxx.lan:3128
Connection: close

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL:
cache_object://192.168.1.215/info

*Access Denied.*

Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.

Your cache administrator is webmaster.

Generated Wed, 17 May 2017 19:14:41 GMT by squid.xxx.lan
(squid/3.5.20)


--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362p4682442.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
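The 403 above can be traced with the manager rules posted elsewhere in this thread (`http_access allow localhost manager`, then `http_access deny manager`). The following is an added example, not part of the thread, that evaluates those rules first-match the way `http_access` does. It assumes Squid's built-in `localhost` (127.0.0.1 and ::1) and `manager` ACLs, that Squid sees the request's source address as 192.168.1.215, and that a `cache_object://` URL without a port counts as port 3128.

```python
import ipaddress
import re

# Built-in Squid 3.x ACLs (assumed defaults; they are not in the posted config).
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.1/32"),
                  ipaddress.ip_network("::1/128")]
MANAGER_RE = re.compile(r"^cache_object://|^https?://[^/]+/squid-internal-mgr/", re.I)

# Port ACLs copied as they appear in the posted squid.conf.
SAFE_PORTS = {631, 85, 80, 21, 443, 70, 210, 8443, 280, 488, 591, 777, 8080, 2199}
SAFE_RANGES = [(1025, 65535)]
SSL_PORTS = {443, 8443, 8080, 2, 1, 2083}


def _in_safe_ports(port):
    return port in SAFE_PORTS or any(lo <= port <= hi for lo, hi in SAFE_RANGES)


ACLS = {
    "localhost": lambda r: any(ipaddress.ip_address(r["src"]) in net
                               for net in LOCALHOST_NETS),
    "manager": lambda r: bool(MANAGER_RE.search(r["url"])),
    "Safe_ports": lambda r: _in_safe_ports(r["port"]),
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

# The leading http_access rules from the posted config, in order. The earlier
# "deny ads" rule needs a list file and is left out; the later rules need the
# Kerberos group helpers and are not modelled.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
]


def _term_matches(term, request):
    negate = term.startswith("!")
    result = ACLS[term.lstrip("!")](request)
    return (not result) if negate else result


def evaluate(request):
    """Return (action, rule) for the first rule whose ACLs all match, or
    (None, None) when evaluation would continue to the rules not modelled."""
    for action, terms in RULES:
        if all(_term_matches(term, request) for term in terms):
            return action, "http_access %s %s" % (action, " ".join(terms))
    return None, None


def manager_request(src, host):
    """A cache manager request like the one squidclient sends (port assumed 3128)."""
    return {"src": src, "method": "GET",
            "url": "cache_object://%s/info" % host, "port": 3128}


if __name__ == "__main__":
    for src, host in [("192.168.1.215", "192.168.1.215"),
                      ("127.0.0.1", "localhost"),
                      ("::1", "localhost")]:
        print(src, "->", evaluate(manager_request(src, host)))
```

Reaching the manager over loopback, with a listener on 127.0.0.1 and `squidclient -h 127.0.0.1`, satisfies the `localhost` ACL while `deny manager` stays in force for every other source.
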


Re: [squid-users] Slow server ¿?

2017-05-17 Thread erdosain9

Hi.
The server is serving web pages very slowly.
Not related to the bandwidth of the delay pools...
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Slow-server-tp4682400p4682440.html


Re: [squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-15 Thread erdosain9
Hi.
This is my config file:


#IP GROUPS
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
acl red6 src 192.168.6.0/24

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxx@xxx.lan
auth_param negotiate children 35 startup=0 idle=1
auth_param negotiate keep_alive off


external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@xxx.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@xxx.lan
external_acl_type i-sinlimite %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-sinlim...@xxx.lan


#GROUPS
acl i-full external i-full
acl i-limitado external i-limitado
acl i-sinlimite external i-sinlimite

#Blocks ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads


#Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

##Blocked extensions
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"

##Dangerous extensions
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"


#Ports
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
acl Safe_ports port 2199 # radio
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow i-sinlimite
http_access allow sin_autenticacion
http_access allow i-limitado #!dominios_denegados
http_access allow i-full #!dominios_denegados

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1 

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 


# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB

cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

###ENABLE IN CASE OF "Connection reset by peer" ON MANY HOSTS
via off
forwarded_for delete
###

#Bandwidth pools
delay_pools 5

#Youtube bandwidth
delay_class 1 2
delay_parameters 1 100/100 5/512000
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

#Facebook bandwidth
delay_class 2 2
delay_parameters 2 100/100 5/512000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

#YOUTUBE FULL bandwidth
delay_class 3 1
delay_parameters 3 100/100
delay_access 3 allow i-full youtube !facebook
delay_access 3 deny all

#LIMITED bandwidth
delay_class 4 3 
delay_parameters 4 300/300 100/100 256000/512000
delay_access 4 allow i-limitado !youtube !facebook
delay_access 4 deny all

#Ancho de 

[squid-users] Slow server ¿?

2017-05-15 Thread erdosain9
Hi.
Can somebody tell me why the Squid server is going slow???

top - 15:05:21 up  3:52,  1 user,  load average: 0,93, 2,15, 10,85
Tasks: 186 total,   1 running, 185 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1,7 us,  0,5 sy,  0,0 ni, 97,2 id,  0,7 wa,  0,0 hi,  0,0 si,  0,0
st
KiB Mem :  3882708 total,   110044 free,  1934236 used,  1838428 buff/cache
KiB Swap:  2097148 total,  2087324 free, 9824 used.  1646000 avail Mem 

  PID USER  PR  NIVIRTRESSHR S  %CPU %MEM TIME+ COMMAND 
 2142 squid 20   0 1127580 0,977g   9244 S   3,7 26,4  65:15.76 squid   
 2171 squid 20   0   52788   3404   2292 S   0,7  0,1  10:54.76
negotiate_+ 
  939 clamscan  20   0 1437976 553640   9036 S   0,3 14,3   2:03.58 clamd   
1 root  20   0   41148   3156   2368 S   0,0  0,1   0:01.56 systemd 
2 root  20   0   0  0  0 S   0,0  0,0   0:00.00 kthreadd
3 root  20   0   0  0  0 S   0,0  0,0   0:00.23
ksoftirqd/0 
7 root  rt   0   0  0  0 S   0,0  0,0   0:00.32
migration/0 
8 root  20   0   0  0  0 S   0,0  0,0   0:00.00 rcu_bh  
9 root  20   0   0  0  0 S   0,0  0,0   0:00.00 rcuob/0 
   10 root  20   0   0  0  0 S   0,0  0,0   0:00.00 rcuob/1 
   11 root  20   0   0  0  0 S   0,0  0,0   0:26.01
rcu_sched   
   12 root  20   0   0  0  0 S   0,0  0,0   0:12.05 rcuos/0 
   13 root  20   0   0  0  0 S   0,0  0,0   0:25.08 rcuos/1 
   14 root  rt   0   0  0  0 S   0,0  0,0   0:00.05
watchdog/0  
   15 root  rt   0   0  0  0 S   0,0  0,0   0:00.05
watchdog/1  
   16 root  rt   0   0  0  0 S   0,0  0,0   0:00.00
migration/1 
   17 root  20   0   0  0  0 S   0,0  0,0   0:04.11
ksoftirqd/1 

Config file
*-**


#IP GROUPS
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
acl red6 src 192.168.6.0/24

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxx@xxx.lan
auth_param negotiate children 35 startup=0 idle=1
auth_param negotiate keep_alive off


external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-f...@xxx.lan
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@xxx.lan
external_acl_type i-sinlimite %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-sinlim...@xxx.lan


#GROUPS
acl i-full external i-full
acl i-limitado external i-limitado
acl i-sinlimite external i-sinlimite

#Blocks ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads


#Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

##Blocked extensions
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"

##Dangerous extensions
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"


#Ports
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
acl Safe_ports port 2199 # radio
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow i-sinlimite
http_access allow sin_autenticacion

Re: [squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-12 Thread erdosain9
Hi.
Thanks!

We have 100 users... What would you think is a good "auth_param
negotiate children"??

I can't run squidclient:

[root@squid ~]# squidclient mgr:negotiate_authenticator 
ERROR: Cannot connect to [::1]:3128
[root@squid ~]# squidclient -vv mgr:negotiate_authenticator 
verbosity level set to 2
Request:
GET cache_object://localhost/negotiate_authenticator HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.20
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
ERROR: Cannot connect to [::1]:3128


CONFIG
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager


So??
Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362p4682379.html


Re: [squid-users] How to make sslbump'ing more robust? (option to continue?)

2017-05-11 Thread erdosain9
How do you do option 1???
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/How-to-make-sslbump-ing-more-robust-option-to-continue-tp4682359p4682364.html


[squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

2017-05-11 Thread erdosain9
Hi.
I'm having this problem.

may 11 11:26:23 squid..lan squid[32138]: WARNING: All 30/30
negotiateauthenticator processes are busy.
may 11 11:26:23 squid..lan squid[32138]: WARNING: 30 pending requests
queued
may 11 11:26:23 squid..lan squid[32138]: WARNING: Consider increasing
the number of negotiateauthenticator processes in your config file.


This is my config file:

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.empddh@empddh.lan
auth_param negotiate children 30
auth_param negotiate keep_alive on


Can somebody explain this to me?
Of course, I can "increasing the number of negotiateauthenticator", but I
want to understand (maybe there's a better way).

I see some examples like this:
auth_param digest children 20 startup=0 idle=1

What about that? startup? idle? Is that a better way? Or does this have
nothing to do with it?

Thanks to all!
(I don't speak English)



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362.html


Re: [squid-users] Failed to shm_open

2017-03-01 Thread erdosain9
I'm having this problem too:
mar 01 12:23:37 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 181: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:38 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 467: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:38 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 471: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:39 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 414: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:39 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 446: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:41 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 266: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:42 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 276: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:42 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 266: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:43 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 211: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
mar 01 12:23:43 squid.x.lan squid[17628]: Error negotiating
SSL connection on FD 136: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Failed-to-shm-open-tp4681639p4681640.html


[squid-users] Failed to shm_open

2017-03-01 Thread erdosain9
Hi.
Now Squid stops... abnormally.

2017/03/01 12:04:31 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
processes
FATAL: Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.095 seconds = 0.074 user + 0.021 sys
Maximum Resident Size: 134144 KB
Page faults with physical i/o: 0
2017/03/01 12:04:31| Set Current Directory to /var/spool/squid

What happened??



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Failed-to-shm-open-tp4681639.html


[squid-users] Unspecified GSS failure ERROR

2017-03-01 Thread erdosain9
Hi.
Today the users can't go to the internet because the web browser keeps
asking for the user and password every time, constantly.

This is the error in cache.log:

2017/03/01 08:22:16 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information. Cannot
find key for HTTP/squid.xx@xx.lan kvno 22 in
keytab; }}

Just stopping and starting the service got Squid working again... but what
happened???

Thanks for all.
(I don't speak English.)




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Unspecified-GSS-failure-ERROR-tp4681636.html


Re: [squid-users] Antivirus for squid

2017-02-01 Thread erdosain9
Hi, again.
Well, I installed squidclamav, c-icap, and clamav, and it's all working fine,
but... the download is too slow, the download of a file. Is there a way to
accelerate this??
Also, when the file is a virus, the message "this is a virus bla bla" comes
fast... I mean the slow download is for all the other files that don't
have a virus...

*This is squid.conf*
# c-icap integration
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on 
icap_preview_size 1024 
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
# end integration


*c-icap.conf*
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap.ctl
StartServers 1
MaxServers 20
MaxRequestsPerChild  100
Port 1344 
ServerAdmin yourname@yourdomain
TmpDir /tmp
MaxMemObject 131072
DebugLevel 0 
ModulesDir /usr/local/c-icap/lib/c_icap/ 
ServicesDir /usr/local/c-icap/lib/c_icap/ 
LoadMagicFile /usr/local/etc/c-icap.magic

acl localhost src 127.0.0.1/255.255.255.255
acl PERMIT_REQUESTS type REQMOD RESPMOD
icap_access allow localhost PERMIT_REQUESTS
icap_access deny all

ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log 

Service squidclamav squidclamav.so


*CLAMD.CONF*
LogFile /var/log/clamd.scan
PidFile /var/run/clamd.scan/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
User clamscan


*SQUIDCLAMAV.CONF*
maxsize 500
redirect http://squid.espaciomemoria.lan/cgi-bin/clwarn.cgi.en_EN
clamd_ip 127.0.0.1
clamd_port 3310
trust_cache 0 
timeout 1
logredir 1
dnslookup 0
safebrowsing 0

abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
# White list some sites

Can somebody give me a hand with this???
Thanks to all.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Antivirus-for-squid-tp4681323p4681413.html


Re: [squid-users] Strange behavior - reload service failed, but not start.... (solved)

2017-01-27 Thread erdosain9
Hi, again.
Now, I do this:

[root@squid ips]# ps aux | grep squid
root  2228  0.0  0.0 130900   344 ?Ss   ene24   0:00
/usr/sbin/squid -sYC
squid 2230  6.2 64.9 1341864 1205160 ? Rene24 263:30 (squid-1)
-sYC
squid 2231  0.4  0.1  68196  1948 ?Sene24  20:35 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2232  0.0  0.1  68196  1944 ?Sene24   1:21 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2233  0.0  0.1  68196  1948 ?Sene24   0:32 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2234  0.0  0.1  68196  1952 ?Sene24   0:17 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2235  0.0  0.1  68196  1944 ?Sene24   0:11 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2236  0.0  0.0  33712   216 ?Sene24   1:48
(logfile-daemon) /var/log/squid/access.log
squid 2237  0.0  0.0  33560   220 ?Sene24   0:20 (unlinkd)
squid 2238  0.8  0.0  34084   484 ?Sene24  34:55 diskd
2283524 2283525 2283526
squid 2239  0.0  0.1  68196  1944 ?Sene24   0:06 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2240  0.0  0.1  68196  1944 ?Sene24   0:04 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2241  0.0  0.1  68196  1944 ?Sene24   0:02 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2242  0.0  0.1  68196  1944 ?Sene24   0:01 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2243  0.0  0.1  68196  1940 ?Sene24   0:01 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2244  0.0  0.1  68184  1932 ?Sene24   0:01 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2245  0.0  0.1  68196  1948 ?Sene24   0:01 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2246  0.0  0.1  68196  1940 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2247  0.0  0.1  68196  1940 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2248  0.0  0.1  68196  2076 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2278  0.0  0.1  68196  1940 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2325  0.0  0.1  68196  2064 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2368  0.0  0.1  68196  1984 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2369  0.0  0.1  68196  2168 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2371  0.0  0.0  68152  1656 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2397  0.0  0.1  68180  1920 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2398  0.0  0.1  68188  1920 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2399  0.0  0.1  68184  1924 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2400  0.0  0.1  68184  1932 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2401  0.0  0.1  68180  2032 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2402  0.0  0.1  68180  2032 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2403  0.0  0.0  68152  1648 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2404  0.0  0.0  68152  1620 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2405  0.0  0.0  68152  1612 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2406  0.0  0.1  68188  1920 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2407  0.0  0.0  68152  1612 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 2408  0.0  0.0  68152  1608 ?Sene24   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
root  8128  0.0  0.0 112672   972 pts/0S+   10:24   0:00 grep
--color=auto squid
[root@squid ips]# systemctl stop squid
[root@squid ips]# pkill squid
[root@squid ips]# squid -z


And now it is working, also with the systemctl command... but, anyway, you
recommend using the squid -k commands more, no??

Thanks again.

P.S.: these are the processes now.
[root@squid ips]# ps aux | grep squid
root  8156  0.0  1.3 130900 25272 ?Ss   10:26   0:00
/usr/sbin/squid -sYC
squid 8158  6.5 18.7 452532 347580 ?   S10:26   0:42 (squid-1)
-sYC
squid 8165  0.0  0.0  33560  1300 ?S10:26   0:00 (unlinkd)
squid 8166  1.0  0.0  34084  1572 ?S10:26   0:06 diskd
8353796 8353797 8353798
squid 8182  0.0  0.0  33712  1304 ?S10:28   0:00
(logfile-daemon) /var/log/squid/access.log
squid 8183  0.5  0.2  68188  4940 ?S10:28   0:02 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 8184  0.0  0.2  68152  4708 ?S10:28   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 8185  0.0  0.2  68192  4936 ?S10:28   0:00 (ssl_crtd)
-s /var/lib/ssl_db -M 4MB
squid 8186  0.0  0.2  68152  4708 ?S10:28   0:00 (ssl_crtd)
-s 

Re: [squid-users] Strange behavior - reload service failed, but not start....

2017-01-27 Thread erdosain9
Ok, thanks.
But something more is wrong, look at this:

[root@squid ips]# squid -k restart
squid: ERROR: Could not send signal 21 to process 8083: (3) No such process

[root@squid ips]# squid -k shutdown
squid: ERROR: Could not send signal 15 to process 8083: (3) No such process

[root@squid ips]# squid -k kill
squid: ERROR: Could not send signal 9 to process 8083: (3) No such process

[root@squid ips]# squid -k debug
squid: ERROR: Could not send signal 12 to process 8083: (3) No such process

..mmm... what's going on here???

But actually Squid is running and working, so
Also, if I make a change in squid.conf... it doesn't take it. Neither with
systemctl nor, as you can see, with any squid -k command.







--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Strange-behavior-reload-service-failed-but-not-start-tp4681317p4681360.html


[squid-users] Antivirus for squid

2017-01-25 Thread erdosain9
Hi to all.
I'm a little confused about this... I just want "antivirus", I don't care
about blocking some websites, filtering, etc. (at least no more than what I
get with Squid)... so, just for antivirus, what do you recommend???
clamav
squidclamav
squidguard

Does somebody have a tutorial to install any of these on CentOS 7??
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Antivirus-for-squid-tp4681323.html


Re: [squid-users] Strange behavior - reload service failed, but not start....

2017-01-25 Thread erdosain9
Hi, no

[root@squid ~]# df -h
S.ficheros  Tamaño Usados  Disp Uso% Montado en
/dev/mapper/centos-root48G16G   33G  32% /
devtmpfs  896M  0  896M   0% /dev
tmpfs 906M   2,1M  904M   1% /dev/shm
tmpfs 906M   8,5M  898M   1% /run
tmpfs 906M  0  906M   0% /sys/fs/cgroup
/dev/sda1 497M   141M  356M  29% /boot
tmpfs 182M  0  182M   0% /run/user/0


By the way, this error doesn't appear anymore, but it was the first error I
noticed after the bad reboot (I think that maybe I fixed that with "squid
-z").

Some other approach??

(another "log" that may help)

[root@squid squid]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address State  
PID/Program name
tcp0  0 0.0.0.0:22  0.0.0.0:*   LISTEN 
971/sshd
tcp0  0 192.168.1.97:3128   0.0.0.0:*   LISTEN 
2230/(squid-1)  

[squid-users] Strange behavior - reload service failed, but not start....

2017-01-25 Thread erdosain9
Hi,
I'm having this problem:
If I reload the service (systemctl reload squid)... the service fails and
doesn't reload... but if I do systemctl start squid, all is working fine...
This began to happen after a bad reboot... (and after the bad reboot, squid
didn't work for a moment, giving this error:
"2017/01/24 11:58:30 kid1| WARNING: Disk space over limit: 19244596.00 KB > 1536 KB
2017/01/24 11:58:57 kid1| WARNING: Disk space over limit: 19134980.00 KB > 1536 KB
2017/01/24 11:59:21 kid1| WARNING: Disk space over limit: 19021112.00 KB > 1536 KB
2017/01/24 12:00:06 kid1| WARNING: Disk space over limit: 18804760.00 KB > 1536 KB
2017/01/24 12:00:21 kid1| WARNING: Disk space over limit: 18640860.00 KB > 1536 KB")

After some stops and starts it is working again, but with that "reload"
problem that I mentioned before.

This is some log:

[root@squid squid]# systemctl status squid.service
● squid.service - Squid Web Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since mié 2017-01-25 09:49:52 ART; 41s ago
     Docs: man:squid(8)
  Process: 4057 ExecStop=/usr/sbin/squidshut.sh (code=exited, status=1/FAILURE)
  Process: 4056 ExecReload=/usr/sbin/squid -kreconf (code=exited, status=1/FAILURE)
  Process: 3995 ExecStart=/usr/sbin/squid -sYC (code=exited, status=0/SUCCESS)
  Process: 3993 ExecStartPre=/usr/bin/chown squid.squid /var/run/squid (code=exited, status=0/SUCCESS)
  Process: 3992 ExecStartPre=/usr/bin/mkdir -p /var/run/squid (code=exited, status=0/SUCCESS)
 Main PID: 4020
   CGroup: /system.slice/squid.service
   ├─2228 /usr/sbin/squid -sYC
   ├─2230 (squid-1) -sYC
   ├─2231 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2232 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2233 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2234 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2235 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2236 (logfile-daemon) /var/log/squid/access.log
   ├─2237 (unlinkd)
   ├─2238 diskd 2283524 2283525 2283526
   ├─2239 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2240 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2241 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2242 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2243 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2244 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2245 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2246 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2247 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2248 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2278 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2325 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2368 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2369 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2371 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2397 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2398 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2399 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2400 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2401 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2402 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2403 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2404 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2405 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2406 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   ├─2407 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
   └─2408 (ssl_crtd) -s /var/lib/ssl_db -M 4MB

ene 25 09:49:40 squid.domain.lan squid[4040]: Rebuilding storage in /var/spool/squid (no log)
ene 25 09:49:40 squid.domain.lan squid[4040]: Using Least Load store dir selection
ene 25 09:49:40 squid.domain.lan squid[4040]: Set Current Directory to /var/spool/squid
ene 25 09:49:52 squid.domain.lan squid[4056]: squid: ERROR: Could not send signal 1 to process 4040: (3) No such process
ene 25 09:49:52 squid.domain.lan systemd[1]: squid.service: control process exited, code=exited status=1
ene 25 09:49:52 squid.domain.lan squidshut.sh[4057]: Stopping Squid: Squid settings file Falied the check
ene 25 09:49:52 squid.domain.lan systemd[1]: squid.service: control process exited, code=exited status=1
ene 25 09:49:52 squid.domain.lan systemd[1]: Reload failed for Squid Web Proxy Server.
ene 25 09:49:52 squid.domain.lan systemd[1]: Unit squid.service entered failed state.
ene 25 09:49:52 squid.domain.lan systemd[1]: squid.service failed

[root@squid squid]# journalctl -xe
ene 25 09:49:40 squid.domain.lan squid[4040]: Squid plugin modules loade
ene 25 09:49:40 squid.domain.lan squid[4040]: Adaptation support is off.
ene 25 09:49:40 squid.domain.lan squid[4040]: Closing HTTP port 192.168.
ene 25 09:49:40 squid.domain.lan squid[4040]: Unable to open HTTP Socket
ene 25 09:49:40 squid.domain.lan squid[3997]: Squid Parent: (squid-1) pr
ene 25 09:49:40 squid.domain.lan 
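
An added example (not part of the original post, and not Squid or systemd code): a check over the status output quoted above that compares the PID the failed reload tried to signal with the PIDs systemd lists for the unit. The sample text is copied from the post with mail line-wrapping undone and the process list shortened; the function names are hypothetical.

```python
import re

# Copied from the `systemctl status` output in the post (mail line-wrapping
# undone, cgroup list shortened).
STATUS = """\
 Main PID: 4020
   CGroup: /system.slice/squid.service
   ├─2228 /usr/sbin/squid -sYC
   ├─2230 (squid-1) -sYC
   └─2408 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
ene 25 09:49:52 squid.domain.lan squid[4056]: squid: ERROR: Could not send signal 1 to process 4040: (3) No such process
"""

def parse_status(text):
    """Return (main_pid, {pid: command} from the CGroup tree, [unreachable signal targets])."""
    main = re.search(r"Main PID:\s*(\d+)", text)
    # CGroup entries look like "├─2228 /usr/sbin/squid -sYC".
    cgroup = {int(pid): cmd.strip()
              for pid, cmd in re.findall(r"[├└]─(\d+)[ \t]+(.*)", text)}
    # \s+ between words tolerates a log line that was wrapped by a mail client.
    missed = [int(pid) for pid in re.findall(
        r"Could\s+not\s+send\s+signal\s+\d+\s+to\s+process\s+(\d+)", text)]
    return (int(main.group(1)) if main else None), cgroup, missed

def reload_findings(text):
    """List inconsistencies between the reload target and the unit's processes."""
    main_pid, cgroup, missed = parse_status(text)
    findings = []
    for pid in missed:
        if pid not in cgroup:
            findings.append(f"signal target {pid} is not a process of this unit")
    if main_pid is not None and cgroup and main_pid not in cgroup:
        findings.append(f"Main PID {main_pid} is not in the unit's cgroup")
    # The master process is the entry whose command is the squid binary itself.
    masters = [pid for pid, cmd in cgroup.items()
               if cmd.split()[:1] == ["/usr/sbin/squid"]]
    if findings and masters:
        findings.append(f"squid master actually running: PID {masters[0]}")
    return findings

if __name__ == "__main__":
    for finding in reload_findings(STATUS):
        print(finding)
```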

Re: [squid-users] Just one error page.

2016-11-29 Thread erdosain9
"It sounds like many of your users have already been trained to think 
that"

It's exactly like that. If a light bulb breaks... it was the proxy... if a
chair is broken... it was the proxy... so I want, for a while at least, to
avoid these complaints.

Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Just-one-error-page-tp4680631p4680702.html


[squid-users] Avoid ips Lan (for servers)

2016-11-29 Thread erdosain9
Hi
I want to know if it's possible to bypass the requests that go to a local
server.

Like if I'm on 192.168.1.15 and want to go to 192.168.1.20 (server) (or from
192.168.1.5 to 192.168.6.10).

I know that this is possible from the web browser configuration, but I want
to know if it is possible to do it from the squid server.

Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Avoid-ips-Lan-for-servers-tp4680701.html


Re: [squid-users] Just one error page.

2016-11-29 Thread erdosain9
Thanks.
Anyway, I have another issue... when, for example, a website has a bad
certificate... then squid shows "the error page of bad certificate and no
connect..."... then I get "oh, fucking proxy", and I want to avoid that
kind of error too... so I'll stick with just the same page for all errors (if
I find some problem then I'll activate the normal error pages and see...)
Thanks for your help.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Just-one-error-page-tp4680631p4680698.html


Re: [squid-users] Just one error page.

2016-11-25 Thread erdosain9
Hi
Thanks!
Can you guide me on this: "Use a helper that will check the status of the
internet connection. If the Internet is down then redirect to a special
error page"???





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Just-one-error-page-tp4680631p4680661.html


Re: [squid-users] Just one error page.

2016-11-24 Thread erdosain9
mmm,
how do I "list the full list of error pages files and create a symbolic link
from the single one to all the other named that are installed"?

By the way, can I use this with just one ACL? And the "regular error pages"
with another?

I'm doing this because we are changing a lot of things (we have a broken
router "working") and sometimes the internet goes down... the people (users)
think "Oh... it's the fucking proxy!" because they see error pages that they
don't understand.

Thanks a lot!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Just-one-error-page-tp4680631p4680649.html
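
One way to do the symbolic-link step asked about in the message above, as an added example that is not part of the original post or of Squid itself. It assumes the templates are the ERR_* files in a single error directory; the function names, the backup directory and the paths passed in are assumptions. The restore function covers going back to the normal error pages later.

```python
import shutil
from pathlib import Path

def unify_error_pages(err_dir, custom_page, backup_dir):
    """Replace every ERR_* template in err_dir with a symlink to custom_page.

    The stock templates are moved to backup_dir so they can be restored.
    Returns the names that were linked on this run.
    """
    err_dir, backup_dir = Path(err_dir), Path(backup_dir)
    custom_page = Path(custom_page).resolve()
    backup_dir.mkdir(parents=True, exist_ok=True)
    linked = []
    for page in sorted(err_dir.glob("ERR_*")):
        if page.resolve() == custom_page:
            continue  # the custom page itself, or already linked to it
        shutil.move(str(page), str(backup_dir / page.name))
        page.symlink_to(custom_page)
        linked.append(page.name)
    return linked

def restore_error_pages(err_dir, backup_dir):
    """Undo unify_error_pages: put the stock templates back in place."""
    restored = []
    for saved in sorted(Path(backup_dir).glob("ERR_*")):
        target = Path(err_dir) / saved.name
        if target.is_symlink():
            target.unlink()  # drop the link before moving the original back
        shutil.move(str(saved), str(target))
        restored.append(saved.name)
    return restored

if __name__ == "__main__":
    import sys
    # Usage (paths are the caller's): script.py ERR_DIR CUSTOM_PAGE BACKUP_DIR
    print(unify_error_pages(*sys.argv[1:4]))
```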


Re: [squid-users] Just one error page.

2016-11-23 Thread erdosain9
OK, I have my error page... (just one, like I want).
How do I tell squid to use just that for all errors?

and

Can I use that page for all errors of just one ACL?

Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Just-one-error-page-tp4680631p4680639.html

