Re: [squid-users] OWA accelerator authentication weirdness

2009-01-10 Thread Amos Jeffries

Alan Lehman wrote:

The order in which our auth_param lines are configured can alter the
first authentication method tried. You will need to look at the
debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:
2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and "Windows Integrated
Authentication" enabled. If I disable "windows integrated", OWA works
fine, but I need activesync also, which does not work without "windows
integrated" enabled.

Thanks,
Alan

Um, further on my other email.
Try some of the settings to disable pass-thru on the specific ports
and/or peer:

http://wiki.squid-cache.org/Features/ConnPin


My config pretty much follows the wiki example for OWA accelerator.

Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just
added connection-auth=off on https_port and removed all auth_param
lines, and that took care of my problem.
Before I go recommending this as a general fix in 3.1, are BOTH of those
changes needed for it to work?

I know there are people using Squid+OWA in multi-mode who may need auth
for other things. Can we get away with just "connection-auth=off" on the
port?


Amos


The auth_param lines don't seem to make any difference. It works for me with them in. 



Great. I'll get the wiki updated.

Thanks for your help finding this and testing the solution.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3


RE: [squid-users] OWA accelerator authentication weirdness

2009-01-10 Thread Alan Lehman
>  The order in which our auth_param lines are configured can alter
> the
>  first authentication method tried. You will need to look at the
>  debugging trace in cache.log to see which is generating which
> >> question
>  Amos
> >>> Only basic is enabled:
> >>> auth_param basic children 5
> >>> auth_param basic realm Squid proxy-caching web server
> >>> auth_param basic credentialsttl 2 hours
> >>>
> >>> Do I need to select a program for basic?
> >>>
> >>> found in cache.log:
> >>> 2009/01/08 14:38:19.713| CacheManager::registerAction: registering
> >> legacy basicauthenticator
> >>> 2009/01/08 14:38:19.713| CacheManager::findAction: looking for
> action
> >> basicauthenticator
> >>> 2009/01/08 14:38:19.713| CacheManager::registerAction: registered
> >> basicauthenticator
> >>> 2009/01/08 14:41:22.010| CacheManager::registerAction: registering
> >> legacy basicauthenticator
> >>> 2009/01/08 14:41:22.010| CacheManager::registerAction: registered
> >> basicauthenticator
> >>> The OWA web server has both basic and "Windows Integrated
> >> Authentication" enabled. If I disable "windows integrated", OWA
> works
> >> fine, but I need activesync also, which does not work without
> "windows
> >> integrated" enabled.
> >>> Thanks,
> >>> Alan
> >> Um, further on my other email.
> >> Try some of the settings to disable pass-thru on the specific ports
> >> and/or peer:
> >>
> >> http://wiki.squid-cache.org/Features/ConnPin
> >
> >
> > My config pretty much follows the wiki example for OWA accelerator.
> Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just
> added connection-auth=off on https_port and removed all auth_param
> lines, and that took care of my problem.
> >
> 
> Before I go recommending this as a general fix in 3.1, are BOTH of
> those
> changes needed for it to work?
> 
> I know there are people using Squid+OWA in multi-mode who may need auth
> for other things. Can we get away with just "connection-auth=off" on
> the
> port?
> 
> 
> Amos

The auth_param lines don't seem to make any difference. It works for me with 
them in. 



Re: [squid-users] OWA accelerator authentication weirdness

2009-01-10 Thread Amos Jeffries

Alan Lehman wrote:

The order in which our auth_param lines are configured can alter the
first authentication method tried. You will need to look at the
debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:
2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and "Windows Integrated
Authentication" enabled. If I disable "windows integrated", OWA works
fine, but I need activesync also, which does not work without "windows
integrated" enabled.

Thanks,
Alan

Um, further on my other email.
Try some of the settings to disable pass-thru on the specific ports
and/or peer:

http://wiki.squid-cache.org/Features/ConnPin



My config pretty much follows the wiki example for OWA accelerator. Squid 
3.1.0.3. I'm using the same port for OWA and Activesync. I just added 
connection-auth=off on https_port and removed all auth_param lines, and that 
took care of my problem.



Before I go recommending this as a general fix in 3.1, are BOTH of those 
changes needed for it to work?


I know there are people using Squid+OWA in multi-mode who may need auth 
for other things. Can we get away with just "connection-auth=off" on the 
port?



Amos


Re: [squid-users] Transparent but not intercepting proxy

2009-01-10 Thread Matus UHLAR - fantomas
On 09.01.09 11:56, NTPT wrote:
> Is it possible to run SQUID proxy server in transparent mode without
> interception ? ie SQUID pass original address of the client (tproxy
> patch), but clients connections are not intercepted automatically and user
> have to set proxy server manually in his browser ?

RFC 2616 (http/1.1) defines transparent proxy as proxy not changing the
data. 

Most people assume that transparent proxy means intercepting, e.g. no need
for configuring browser for anything.

Do you want to create new meaning for transparent proxy? Please, no.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


[squid-users] FreeBSD users: 'squidstats' package

2009-01-10 Thread Adrian Chadd
Hi guys,

Those of you who are using FreeBSD should have a look at "squidstats".
It's based on Henrik's scripts to gather basic statistics from Squid
via SNMP and graph them. It's based on a googlecode project I created
and I'm also the port maintainer. So it should be easy for me to fix
bugs. :)

Having statistics of your running server is the best thing to do for
debugging and provisioning, so please consider installing the package
and setting it up.

Enjoy!


Adrian


[squid-users] Re: squid not caching

2009-01-10 Thread Wennie V. Lagmay
I already solved the problem; it was a typo error. Instead of modifying the
maximum_object_size I accidentally edited the minimum_object_size.




- Original Message -
From: "Wennie V. Lagmay" 
To: "squid-users" 
Cc: "wlagmay" 
Sent: Saturday, January 10, 2009 7:48:25 PM (GMT+0300) Asia/Kuwait
Subject: squid not caching

Dear All,

I have been using squid-2.7 Stable 5 for at least 6 months and since I am facing some
problems I decided to upgrade it to squid-3.0 stable 11. It is working smoothly
and much faster than 2.7stable but my problem is that it is not caching; my cache
directory stays at 1%.

Can anybody help me on how to let my squid-proxy cache the same way it was caching
when I was using version 2.7? My 3.0 configuration was based on my 2.7 config.
Below is my configuration for your reference.

acl shb dstdomain .site1.com 
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
 cache_mem 6144 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy heap GDSF
 cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
 max_open_disk_fds 30720
 minimum_object_size 10240 KB
 cache_swap_low 70
 cache_swap_high 75
access_log /var/log/squid/access.log squid
 cache_log /var/log/squid/cache.log
cache_store_log none
 pid_filename /var/log/squid/squid.pid
 debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern 
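
A check that would have caught the mix-up described in the reply above, added here as an example (not code from the thread or from the Squid project). It assumes the documented defaults of 0 KB for minimum_object_size and 4096 KB for maximum_object_size; the two sample configurations are constructed from the directives quoted in the post, and the corrected value is an assumption about what the poster intended.

```python
import re

# Multipliers for the size units used on these directives.
# Assumption: a bare number without a unit is read as bytes.
UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Assumed built-in defaults when a directive is absent from squid.conf.
DEFAULTS = {"minimum_object_size": 0, "maximum_object_size": 4096 * 1024}

# Requiring whitespace right after the name keeps
# maximum_object_size_in_memory from being mistaken for maximum_object_size.
DIRECTIVE = re.compile(
    r"^\s*(minimum_object_size|maximum_object_size)\s+(\d+)(?:\s+([A-Za-z]+))?\s*$"
)


def parse_object_sizes(conf_text):
    """Return ({directive: bytes}, {directives set explicitly})."""
    sizes = dict(DEFAULTS)
    explicit = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, number, unit = match.groups()
        factor = UNITS.get((unit or "bytes").lower())
        if factor is None:
            raise ValueError("unknown size unit in line: %r" % raw)
        sizes[name] = int(number) * factor  # the last occurrence wins
        explicit.add(name)
    return sizes, explicit


def check_object_sizes(conf_text):
    """Return a list of findings about the on-disk object size window."""
    sizes, explicit = parse_object_sizes(conf_text)
    low = sizes["minimum_object_size"]
    high = sizes["maximum_object_size"]
    findings = []
    if low > high:
        origin = "set" if "maximum_object_size" in explicit else "default"
        findings.append(
            "minimum_object_size (%d KB) exceeds maximum_object_size (%d KB, %s): "
            "no object can be stored on disk" % (low // 1024, high // 1024, origin)
        )
    elif low > 0 and "maximum_object_size" not in explicit:
        findings.append(
            "minimum_object_size (%d KB) is set while maximum_object_size is left "
            "at its default; confirm the right directive was edited" % (low // 1024)
        )
    return findings


# Constructed sample: the cache size directives as quoted in the post.
BROKEN_CONF = """\
 cache_mem 6144 MB
 maximum_object_size_in_memory 512 KB
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
 max_open_disk_fds 30720
 minimum_object_size 10240 KB
 cache_swap_low 70
 cache_swap_high 75
"""

# Constructed sample: the same block with the directive name the poster
# says was intended (the 10240 KB value is carried over as an assumption).
FIXED_CONF = BROKEN_CONF.replace("minimum_object_size", "maximum_object_size")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_object_sizes(conf) or "ok")
```
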

Re: [squid-users] Re: RE : [squid-users] coss

2009-01-10 Thread Oleg Motienko
2.6 works fine (default Ubuntu 8.04 package)

$ squid -v
Squid Cache: Version 2.6.STABLE18
configure options:  '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io'
'--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null'
'--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll'
'--enable-removal-policies=lru,heap' '--enable-snmp'
'--enable-delay-pools' '--enable-htcp' '--enable-cache-digests'
'--enable-underscores' '--enable-referer-log' '--enable-useragent-log'
'--enable-auth=basic,digest,ntlm' '--enable-carp'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--with-maxfd=65536' 'i386-debian-linux'
'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux'
'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

$ uname -a
Linux proxygw 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008
i686 GNU/Linux


On Sat, Jan 10, 2009 at 5:23 PM, Heinz Diehl  wrote:
>
> At Sat, 10 Jan 2009 11:53:47 +0100,
> Emmanuel Pelerin wrote:
>
> > I have download this version : 
> > http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/
>
> What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the
> "coss" storage scheme, and does it work well, it is stable and safe to use on
> a production machine?
>



--
Regards,
Oleg


Re: [squid-users] Trying to improve the Byte Hit Ratio, any tips ?

2009-01-10 Thread Kinkie
On Sat, Jan 10, 2009 at 12:43 PM, Vianney Lejeune  wrote:
>>>
>>> By the way, what about the ideal settings for cache_mem, cache size and
>>> so
>>> on, is there any formula ? Are 2*500 GB HD faster than 1*1TB ?
>>
>> Yes, as each of those can handle i/o operations concurrently. In
>> general, the more disks the better the performance: squid performance
>> is usually constrained by the disk head seek times.
>>
>> See http://wiki.squid-cache.org/SquidFaq/RAID
>
> Thank you, and what about the formula for cache_mem, cache_size etc ?

Everything should be quite well-documented in the FAQ and/or KnowledgeBase.
Please refer to that first.

-- 
/kinkie


RE: [squid-users] OWA accelerator authentication weirdness

2009-01-10 Thread Alan Lehman
> >> The order in which our auth_param lines are configured can alter the
> >> first authentication method tried. You will need to look at the
> >> debugging trace in cache.log to see which is generating which
> question
> >>
> >> Amos
> >
> > Only basic is enabled:
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > Do I need to select a program for basic?
> >
> > found in cache.log:
> > 2009/01/08 14:38:19.713| CacheManager::registerAction: registering
> legacy basicauthenticator
> > 2009/01/08 14:38:19.713| CacheManager::findAction: looking for action
> basicauthenticator
> > 2009/01/08 14:38:19.713| CacheManager::registerAction: registered
> basicauthenticator
> > 2009/01/08 14:41:22.010| CacheManager::registerAction: registering
> legacy basicauthenticator
> > 2009/01/08 14:41:22.010| CacheManager::registerAction: registered
> basicauthenticator
> >
> > The OWA web server has both basic and "Windows Integrated
> Authentication" enabled. If I disable "windows integrated", OWA works
> fine, but I need activesync also, which does not work without "windows
> integrated" enabled.
> >
> > Thanks,
> > Alan
> 
> Um, further on my other email.
> Try some of the settings to disable pass-thru on the specific ports
> and/or peer:
> 
> http://wiki.squid-cache.org/Features/ConnPin


My config pretty much follows the wiki example for OWA accelerator. Squid 
3.1.0.3. I'm using the same port for OWA and Activesync. I just added 
connection-auth=off on https_port and removed all auth_param lines, and that 
took care of my problem.

Thanks!




[squid-users] squid not caching

2009-01-10 Thread Wennie V. Lagmay
Dear All,

I have been using squid-2.7 Stable 5 for at least 6 months and since I am facing some
problems I decided to upgrade it to squid-3.0 stable 11. It is working smoothly
and much faster than 2.7stable but my problem is that it is not caching; my cache
directory stays at 1%.

Can anybody help me on how to let my squid-proxy cache the same way it was caching
when I was using version 2.7? My 3.0 configuration was based on my 2.7 config.
Below is my configuration for your reference.

acl shb dstdomain .site1.com 
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
 cache_mem 6144 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy heap GDSF
 cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
 max_open_disk_fds 30720
 minimum_object_size 10240 KB
 cache_swap_low 70
 cache_swap_high 75
access_log /var/log/squid/access.log squid
 cache_log /var/log/squid/cache.log
cache_store_log none
 pid_filename /var/log/squid/squid.pid
 debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern \.pdf$ 10080 90% 43200
refresh_pattern \.art$ 10080 90% 43200
refresh_pattern \.swf$ 10080 90% 43200
refresh_pattern \.mp3$ 10080 90% 43200
refresh_pattern \.ra$ 10080 90% 43200
refresh_pattern \.spl$ 10080 90% 43200
refresh_pattern \.viv$ 10080 90% 43200
refresh_pattern \.doc$ 10080 90% 43200
refresh_pattern \.gz$ 10080 90% 43

Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3

2009-01-10 Thread Chris Nighswonger
On Fri, Jan 9, 2009 at 9:22 PM, Amos Jeffries  wrote:
>> BTW, we started back up for the spring semester yesterday. I did my
>> upgrade over the break. Now I am having multiple sites (many are ssl)
>> unaccessible which were accessible under 2.6.STABLE12. Did I miss some
>> major changes between 2.6 and 2.7? I'm considering rolling back to 2.6
>> to quell the rebellion... :-(
>
> We can't really tell what or if you missed anything without config details
> :).
> Whats the current config and the diff between the old and new squid.conf?

Attached is the current config. The config on the upgrade was a simple
cp of the previous config file. The only thing different now is the
addition of "ignore_expect_100 on" at the end per the suggestion
earlier in this thread. (Which did allow the webapp to work
correctly.)

Regarding ssl sites
(https://pob-w.fidelitybanknc.com/servlet/cefs/online/login-tfb.html
is one example that hangs and times out via squid): Several tcpdumps
seem to indicate that the client sends a connect frame to squid, squid
acknowledges but never passes any traffic on to the internet site.
Generally clients are authenticated via ntlm helper, but I have some
clients that are authenticated based on ip. These clients (ipauthex)
do not have this problem: they connect to these sites fine. This would
seem to indicate a config issue, but what?

I have also attached a pcap file for traffic between an ntlm auth
client and squid. There is no pcap for the same squid to fidelity
connection as there is never any traffic there.

Thanks for the help on this one. If anyone sees any other
optimizations I should have in my squid.conf, feel free to point them
out.

Note: fidelity.txt is really a pcap file.

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org

CONNECT pob-w.fidelitybanknc.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: pob-w.fidelitybanknc.com
Pragma: no-cache

http_port 192.168.0.247:3128
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 12 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 200 KB
cache_dir aufs /var/spool/squid 477184 65 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cachemgr_passwd VerySecret all
debug_options ALL,1
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.0.0.0
acl masada src 192.168.0.23/255.255.255.255
acl cnighswonger-lt src 192.168.0.105/255.255.255.255
acl campusnet src 192.168.0.0/24
acl farswap src 192.168.254.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 334
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 1
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl AuthorizedUsers proxy_auth REQUIRED
acl WindowsUpdate dstdomain download.microsoft.com ntservicepack.microsoft.com .update.microsoft.com .windowsupdate.com windowsupdate.microsoft.com wustat.windows.com c.microsoft.com crl.microsoft.com watson.microsoft.com
acl Webmin src 192.168.0.247-192.168.0.247/255.255.255.255
acl Zipcode dstdomain dail-a-zip.com
acl USPSShipping dst

Re: [squid-users] Re: WCCP configuration

2009-01-10 Thread Amos Jeffries

vivek...@aol.in wrote:

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8
and linux kernel 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by not
revealing the server ip and only displaying the client ip. But once the
wccp is enabled with tproxy, the server ip is revealed instead of the
client ip.


Please scroll down below to check our previous mails.

Any suggestions please.


Other than checking your squid is built with --enable-linux-tproxy, none 
from me sorry.

cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos




VK



-Original Message-
From: Amos Jeffries 
To: Ritter, Nicholas 
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration



Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your
issue. Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+

3.1.0.3 or later is needed. Which is at least an RC beta now, more
stable than pure 3.HEAD alpha code.

Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi,

Thanks for the reply. It did help us solve the problem.

But there is a new issue.

We have configured as squid+tproxy. The squid ip is not displayed and
only the client ip is displayed when we do the proxy test. But after
configuring wccp we find that the server ip is displayed in the proxy
test instead of the client ip.

We also find that the http request is pathetically slow.

squid.conf

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

http_port 3128 transparent tproxy

iptable:

/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.

wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid machine)

The following command is assigned at the router interface connected to
the lan.
ip wccp 80 redirect in
ip wccp 90 redirect out

Following command at the router interface connected to squid.
ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

#lsmod

ip_gre 19616  0
iptable_filter 11136  0
ipt_TPROXY 11136  1
ipt_REDIRECT   10624  0
xt_tcpudp  11904  1
reiserfs  235144  5
iptable_tproxy 23036  2 ipt_TPROXY
iptable_nat 15492  1 iptable_tproxy
ip_nat 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables  25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables   23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack   53400  3 iptable_tproxy,iptable_nat,ip_nat

The internet works, but the browsing is dead slow. Temporarily we have
bypassed squid to browse the net.

Thanks
VK

-Original Message-
From: Henrik Nordstrom
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

On Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:

wccp2_router xxx.xx.xxx.xxx
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1

wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

Router Eth0 - connected to lan. Eth1 - connected to squid.

Have you also configured

* A loopback address on the router, giving it a easily identified router ID

* the required GRE/WCCP tunnel interface on the Squid server

* disabled rp_filter on the above GRE/WCCP interface.

* And adjusted the REDIRECT/NAT rules to act on traffic received on the
GRE/WCCP interface configured above?

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:11336
  

[squid-users] Re: RE : [squid-users] coss

2009-01-10 Thread Heinz Diehl
At Sat, 10 Jan 2009 11:53:47 +0100,
Emmanuel Pelerin wrote:

> I have download this version : 
> http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the
"coss" storage scheme, and does it work well, it is stable and safe to use on
a production machine?



Re: [squid-users] coss

2009-01-10 Thread Amos Jeffries

Heinz Diehl wrote:

Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?



Yes. As stable as COSS has ever been in Squid.
It's only the Squid-3 port that's broken.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3


Re: [squid-users] Any one can help me to start Squid as service.

2009-01-10 Thread Amos Jeffries

Balram wrote:

I have installed Squid 3.0 STABLE11 on RHEL-4 in the /usr/local/squid
folder from source with delay pools enabled. It works fine. But my
problem is that I have to start it manually by giving this command
#/usr/local/squid/sbin/squid start
So can anyone show me how Squid can start automatically as a service?



Refer you back to the answers you got within half an hour of asking this 
same thing yesterday.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3


Re: [squid-users] Re: WCCP configuration

2009-01-10 Thread viveksnv

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables
1.3.8 and Linux kernel 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works well. Tproxy without wccp works well by
not revealing the server ip and only displaying the client ip. But once
the wccp is enabled with tproxy, the server ip is revealed instead of
the client ip.


Please scroll down below to check our previous mails.

Any suggestions please.


VK



-Original Message-
From: Amos Jeffries 
To: Ritter, Nicholas 
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration



Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your
issue. Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+

3.1.0.3 or later is needed. Which is at least an RC beta now, more
stable than pure 3.HEAD alpha code.

Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos
 



 




From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi,

Thanks for the reply. It did help us solve the problem.

But there is a new issue.

We have configured as squid+tproxy. The squid ip is not displayed and
only the client ip is displayed when we do the proxy test. But after
configuring wccp we find that the server ip is displayed in the proxy
test instead of the client ip.

We also find that the http request is pathetically slow.




squid.conf

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

http_port 3128 transparent tproxy

iptable:
/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.

wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid machine)

The following command is assigned at the router interface connected to the lan.
ip wccp 80 redirect in
ip wccp 90 redirect out

Following command at the router interface connected to squid.
ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5




#lsmod

ip_gre          19616  0
iptable_filter  11136  0
ipt_TPROXY      11136  1
ipt_REDIRECT    10624  0
xt_tcpudp       11904  1
reiserfs       235144  5
iptable_tproxy  23036  2 ipt_TPROXY
iptable_nat     15492  1 iptable_tproxy
ip_nat          24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables       25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables        23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack    53400  3 iptable_tproxy,iptable_nat,ip_nat





The internet works, but the browsing is dead slow. Temporarily we have
bypassed squid to browse the net.

Thanks

VK





-Original Message-
From: Henrik Nordstrom
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-us...@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:





wccp2_router xxx.xx.xxx.xxx
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80



 



 



Router Eth0 - connected to lan. Eth1 - connected to squid.

Have you also configured

* A loopback address on the router, giving it an easily identified router ID

* the required GRE/WCCP tunnel interface on the Squid server

* disabled rp_filter on the above GRE/WCCP interface.

* And adjusted the REDIRECT/NAT rules to act on traffic received on the
GRE/WCCP interface configured above?






Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:11336



  Process:   0 



  Fast:  0 



  CEF:
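
The Squid-side items of Henrik's checklist quoted above (GRE/WCCP tunnel, rp_filter, rule bound to the tunnel interface) as a dry-run script. This is an added example, not code from any post in the thread; the addresses are documentation placeholders, `eth0` is an assumed NIC name, and the interface name `wccp` and the rule form are taken from the iptables line posted above.

```shell
#!/bin/sh
# Added example (not from the thread): Squid-side steps of the WCCP/GRE checklist.
# Addresses passed in are up to the caller; interface names default to assumptions.

# Print the commands for one router/Squid pair without running them.
# usage: wccp_gre_plan ROUTER_ID SQUID_IP [PHYS_IF] [GRE_IF] [SQUID_PORT]
wccp_gre_plan() {
    router_id=$1; squid_ip=$2
    phys_if=${3:-eth0}; gre_if=${4:-wccp}; port=${5:-3128}
    # The tunnel's remote end is the router ID, which is why a loopback
    # address on the router (a stable, known ID) is the first checklist item.
    # The last line is the cttproxy-style rule from the thread, bound to the
    # tunnel interface instead of the physical NIC.
    cat <<EOF
modprobe ip_gre
ip tunnel add $gre_if mode gre remote $router_id local $squid_ip dev $phys_if
ip addr add $squid_ip/32 dev $gre_if
ip link set $gre_if up
sysctl -w net.ipv4.conf.$gre_if.rp_filter=0
iptables -t tproxy -A PREROUTING -i $gre_if -p tcp -m tcp --dport 80 -j TPROXY --on-port $port
EOF
}

# On current kernels source validation uses the higher of conf.all.rp_filter
# and the per-interface value, so a non-zero "all" still filters the tunnel.
# usage: rp_filter_effective ALL_VALUE IF_VALUE
rp_filter_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read both sysctls for an interface; succeeds only if filtering is really off.
rp_filter_check() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter) || return 2
    one=$(cat "/proc/sys/net/ipv4/conf/$1/rp_filter") || return 2
    eff=$(rp_filter_effective "$all" "$one")
    echo "rp_filter on $1: all=$all if=$one effective=$eff"
    [ "$eff" -eq 0 ]
}

# plan = print only, apply = run as root, check = verify rp_filter afterwards.
case "${1:-}" in
    plan)  wccp_gre_plan "$2" "$3" "${4:-}" "${5:-}" "${6:-}" ;;
    apply) wccp_gre_plan "$2" "$3" "${4:-}" "${5:-}" "${6:-}" | sh -e ;;
    check) rp_filter_check "${2:-wccp}" ;;
esac
```

Run it with `plan 192.0.2.1 198.51.100.10` first and compare the printed tunnel endpoint with the router ID the router reports before using `apply`.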

Re: [squid-users] Transparent but not intercepting proxy

2009-01-10 Thread Amos Jeffries

NTPT wrote:
It is not for applications that need to know an IP address of the client,
but for web traffic acceleration and traffic shaping purposes.
Intercepting proxy is "all or nothing scenario" on ISP site and
customers can not voluntarily switch it on/off themselves.


My idea is to allow users to set proxy in their browser to use (or not) 
our SQUID server, but we need their IP addresses to be preserved by 
squid (like in intercepting + tproxy scenario) for traffic shaping and 
control purposes.




Okay. Assuming you are using standard QoS traffic shaping techniques you 
actually want to get Squid to set the TOS field values for you.

http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/

This can be set for any of the fast accessible request details. You want 
to look at client IPs (src ACL) or receiving port (myport, myportname)


Amos





# Original message
# From: Amos Jeffries
# Subject: Re: [squid-users] Transparent but not intercepting proxy
# Date: 10.1.2009 03:50:18
#
# NTPT wrote:
# > Hi all.
# >
# > Is it possible to run SQUID proxy server in transparent mode without
# > interception ? ie SQUID pass original address of the client (tproxy patch), but
# > clients connections are not intercepted automatically and user have to set
# > proxy server manually in his browser ?
#
# No.
# See X-Forwarded-For:  header if you have an application that needs to
# detect the client behind a proxy. Sometimes also Client-IP:
#
# Amos
# --
# Please be using
#   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
#   Current Beta Squid 3.1.0.3
#



--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3


RE: [squid-users] SquidGuard Replacement

2009-01-10 Thread Thomas Raef
Sorry for my misunderstanding. It was a bad day for me.

Please accept my apologies.

> -Original Message-
> From: Philipp Rusch - New Vision-IT [mailto:philipp.ru...@newvision-it.de]
> Sent: Thursday, January 08, 2009 12:02 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SquidGuard Replacement
> 
> Thomas Raef wrote:
> > How do you figure that ufdb Guard is "sub-optimal"?
> >
> > Yes you can use shalla lists with this.
> >
> > I suggest you contact the owner and discuss your needs with him. He
> > reads this list so I think he'll be available.
> >
> > Thomas J. Raef
> > www.ebasedsecurity.com 
> > "You're either hardened, or you're hacked!"
> >
> >
> > ----
> > *From:* Philipp Rusch - New Vision IT
> > [mailto:philipp.ru...@newvision-it.de]
> > *Sent:* Wed 1/7/2009 1:12 PM
> > *To:* squid-users@squid-cache.org
> > *Subject:* Re: [squid-users] SquidGuard Replacement
> >
> > Joseph L. Casale wrote:
> > >> I switched to ufdbguard and have been real pleased with its performance
> > >> and support.
> > >>
> > >
> > > Thomas,
> > > Do I understand this right, the software is free but the db is not? Can one
> > > use shalla lists with this software?
> > >
> > > Thanks!
> > > jlc
> > >
> > >
> > Joseph,
> > I wasn't able to access the systems with the SG-config today.
> > So let's solve your problem with SG tomorrow instead of hunting for
> > a "suboptimal" solution.
> > Did you try to post your prob to Shalla / Christine Kronberg ?
> > She is usually a great help.
> >
> > CU, Philipp
> >
> Thomas,
> I did not say that ufdbguard is a "suboptimal" solution.
> ALL I wanted to express with my mail was, that Joseph's
> search for a solution was leading to a somewhat suboptimal setup.
> He already had everything in place and encountered some problems,
> so I advised him to search for the reasons of that problem and solve
> them instead of replacing components on a trial and error basis.
> And despite the possible second meaning of my original posting,
> I really wasn't trying to offend somebody.
> AND, btw, please keep in mind that English is not my mother's tongue.
> 
> Regards from Germany,
> Philipp
> 
> in his setup
> 



[squid-users] RE : [squid-users] coss

2009-01-10 Thread Emmanuel Pelerin
I don't know

I have downloaded this version:
http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

Emmanuel PELERIN


From: Heinz Diehl [...@fancy-poultry.org]
Sent: Saturday, 10 January 2009 10:28
To: squid-users@squid-cache.org
Subject: [squid-users] coss

Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?

Re: [squid-users] Transparent but not intercepting proxy

2009-01-10 Thread NTPT

It is not for applications that need to know an IP address of the client, but for web
traffic acceleration and traffic shaping purposes. Intercepting proxy is "all or
nothing scenario" on ISP site and customers can not voluntarily switch it on/off
themselves.

My idea is to allow users to set proxy in their browser to use (or not) our 
SQUID server, but we need their IP addresses to be preserved by squid (like in 
intercepting + tproxy scenario) for traffic shaping and control purposes.




# Original message
# From: Amos Jeffries
# Subject: Re: [squid-users] Transparent but not intercepting proxy
# Date: 10.1.2009 03:50:18
#
# NTPT wrote:
# > Hi all.
# >
# > Is it possible to run SQUID proxy server in transparent mode without
# > interception ? ie SQUID pass original address of the client (tproxy patch), but
# > clients connections are not intercepted automatically and user have to set
# > proxy server manually in his browser ?
#
# No.
# See X-Forwarded-For:  header if you have an application that needs to
# detect the client behind a proxy. Sometimes also Client-IP:

#
# Amos
# --
# Please be using
#Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
#Current Beta Squid 3.1.0.3
#
#
#


[squid-users] coss

2009-01-10 Thread Heinz Diehl
Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?