[squid-users] coss
Hi, just a short and simple question, because I could not find an answer on the net: Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?
Re: [squid-users] Transparent but not intercepting proxy
It is not for applications that need to know an IP address of the client, but for web traffic acceleration and traffic shaping purposes. An intercepting proxy is an all-or-nothing scenario on the ISP site, and customers cannot voluntarily switch it on/off themselves. My idea is to allow users to set the proxy in their browser to use (or not) our SQUID server, but we need their IP addresses to be preserved by squid (like in the intercepting + tproxy scenario) for traffic shaping and control purposes.

# Original message
# From: Amos Jeffries squ...@treenet.co.nz
# Subject: Re: [squid-users] Transparent but not intercepting proxy
# Date: 10.1.2009 03:50:18
#
# NTPT wrote:
# Hi all.
#
# Is it possible to run SQUID proxy server in transparent mode without
# interception ? ie SQUID pass original address of the client (tproxy patch), but
# clients connections are not intercepted automatically and user have to set
# proxy server manually in his browser ?
#
# No.
# See X-Forwarded-For: header if you have an application that needs to
# detect the client behind a proxy. Sometimes also Client-IP:
#
# Amos
# --
# Please be using
# Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
# Current Beta Squid 3.1.0.3
[squid-users] RE : [squid-users] coss
I don't know. I have downloaded this version: http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

Emmanuel PELERIN

From: Heinz Diehl [...@fancy-poultry.org]
Sent: Saturday, 10 January 2009 10:28
To: squid-users@squid-cache.org
Subject: [squid-users] coss

Hi, just a short and simple question, because I could not find an answer on the net: Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?
RE: [squid-users] SquidGuard Replacement
Sorry for my misunderstanding. It was a bad day for me. Please accept my apologies.

-----Original Message-----
From: Philipp Rusch - New Vision-IT [mailto:philipp.ru...@newvision-it.de]
Sent: Thursday, January 08, 2009 12:02 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SquidGuard Replacement

Thomas Raef wrote:
How do you figure that ufdb Guard is sub-optimal? Yes you can use shalla lists with this. I suggest you contact the owner and discuss your needs with him. He reads this list so I think he'll be available.

Thomas J. Raef
www.ebasedsecurity.com http://www.ebasedsecurity.com
You're either hardened, or you're hacked!

-----
From: Philipp Rusch - New Vision IT [mailto:philipp.ru...@newvision-it.de]
Sent: Wed 1/7/2009 1:12 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SquidGuard Replacement

Joseph L. Casale wrote:
I switched to ufdbguard and have been real pleased with its performance and support.

Thomas, Do I understand this right, the software is free but the db is not? Can one use shalla lists with this software? Thanks! jlc

Joseph, I wasn't able to access the systems with the SG-config today. So let's solve your problem with SG tomorrow instead of hunting for a suboptimal solution. Did you try to post your prob to Shalla / Christine Kronberg? She is usually a great help. CU, Philipp

Thomas, I did not say that ufdbguard is a suboptimal solution. ALL I wanted to express with my mail was that Joseph's search for a solution was leading to a somewhat suboptimal setup. He already had everything in place and encountered some problems, so I advised him to search for the reasons of that problem and solve them instead of replacing components on a trial and error basis. And despite the possible second meaning of my original posting, I really wasn't trying to offend somebody. AND, btw, please keep in mind that English is not my mother's tongue.

Regards from Germany, Philipp

in his setup
Re: [squid-users] Transparent but not intercepting proxy
NTPT wrote:
It is not for applications that need to know an IP address of the client, but for web traffic acceleration and traffic shaping purposes. An intercepting proxy is an all-or-nothing scenario on the ISP site, and customers cannot voluntarily switch it on/off themselves. My idea is to allow users to set the proxy in their browser to use (or not) our SQUID server, but we need their IP addresses to be preserved by squid (like in the intercepting + tproxy scenario) for traffic shaping and control purposes.

Okay. Assuming you are using standard QoS traffic shaping techniques you actually want to get Squid to set the TOS field values for you.
http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/

This can be set for any of the fast accessible request details. You want to look at client IPs (src ACL) or receiving port (myport, myportname)

Amos

# Original message
# From: Amos Jeffries squ...@treenet.co.nz
# Subject: Re: [squid-users] Transparent but not intercepting proxy
# Date: 10.1.2009 03:50:18
#
# NTPT wrote:
# Hi all.
#
# Is it possible to run SQUID proxy server in transparent mode without
# interception ? ie SQUID pass original address of the client (tproxy patch), but
# clients connections are not intercepted automatically and user have to set
# proxy server manually in his browser ?
#
# No.
# See X-Forwarded-For: header if you have an application that needs to
# detect the client behind a proxy. Sometimes also Client-IP:
#
# Amos
# --
# Please be using
# Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
# Current Beta Squid 3.1.0.3

--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
Re: [squid-users] Re: WCCP configuration
Amos, Thanks for your reply. Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8 and linux kernel 2.6.20.21. Cisco IOS 2800 Ver 12.4 (13b). WCCP+Transparent proxy works good. Tproxy without wccp works well by not revealing the server ip and only displaying the client ip. But once the wccp is enabled with tproxy, the server ip is revealed instead of the client ip. Please scroll down below to check our previous mails. Any suggestions please.

VK

-----Original Message-----
From: Amos Jeffries squ...@treenet.co.nz
To: Ritter, Nicholas nicholas.rit...@americantv.com
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:
With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.
Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed. Which is at least an RC beta now, more stable than pure 3.HEAD alpha code. Also the squid.conf and configure details have changed.
http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi, Thanks for the reply. It did help us solve the problem. But there is a new issue. We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip. We also find that the http request is pathetically slow.

squid.conf
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
http_port 3128 transparent tproxy

iptable:
/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.
wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid machine)

The following command is assigned at the router interface connected to the lan.
ip wccp 80 redirect in
ip wccp 90 redirect out

Following command at the router interface connected to squid.
ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

#lsmod
ip_gre                 19616  0
iptable_filter         11136  0
ipt_TPROXY             11136  1
ipt_REDIRECT           10624  0
xt_tcpudp              11904  1
reiserfs              235144  5
iptable_tproxy         23036  2 ipt_TPROXY
iptable_nat            15492  1 iptable_tproxy
ip_nat                 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables              25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables               23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack           53400  3 iptable_tproxy,iptable_nat,ip_nat

The internet works, but the browsing is dead slow. Temporarily we have bypassed squid to browse the net.

Thanks
VK

-----Original Message-----
From: Henrik Nordstrom hen...@henriknordstrom.net
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-us...@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

On Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:
wccp2_router xxx.xx.xxx.xxx
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

Router
Eth0 - connected to lan.
Eth1 - connected to squid.

Have you also configured
* A loopback address on the router, giving it an easily identified router ID
* the required GRE/WCCP tunnel interface on the Squid server
* disabled rp_filter on the above GRE/WCCP interface.
* And adjusted the REDIRECT/NAT rules to act on traffic received on the GRE/WCCP interface configured above?

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:11336
Process: 0
Re: [squid-users] Any one can help me to start Squid as service.
Balram wrote:
I have installed Squid 3.0 STABLE11 on RHEL-4 in the /usr/local/squid folder from source with delay pools enabled. It works fine. But my problem is that I have to start it manually by giving this command
#/usr/local/squid/sbin/squid start
So can anyone show me how squid can start automatically as a service.

Refer you back to the answers you got within half an hour of asking this same thing yesterday.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
Re: [squid-users] coss
Heinz Diehl wrote:
Hi, just a short and simple question, because I could not find an answer on the net: Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?

Yes. As stable as COSS has ever been in Squid. It's only the Squid-3 port that's broken.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
[squid-users] Re: RE : [squid-users] coss
At Sat, 10 Jan 2009 11:53:47 +0100, Emmanuel Pelerin wrote:
I have downloaded this version: http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the coss storage scheme, and does it work well, is it stable and safe to use on a production machine?
Re: [squid-users] Re: WCCP configuration
vivek...@aol.in wrote:
Amos, Thanks for your reply. Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8 and linux kernel 2.6.20.21. Cisco IOS 2800 Ver 12.4 (13b). WCCP+Transparent proxy works good. Tproxy without wccp works well by not revealing the server ip and only displaying the client ip. But once the wccp is enabled with tproxy, the server ip is revealed instead of the client ip. Please scroll down below to check our previous mails. Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy, none from me sorry. cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos

VK

-----Original Message-----
From: Amos Jeffries squ...@treenet.co.nz
To: Ritter, Nicholas nicholas.rit...@americantv.com
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:
With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.
Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed. Which is at least an RC beta now, more stable than pure 3.HEAD alpha code. Also the squid.conf and configure details have changed.
http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi, Thanks for the reply. It did help us solve the problem. But there is a new issue. We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip. We also find that the http request is pathetically slow.
Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3
On Fri, Jan 9, 2009 at 9:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:

BTW, we started back up for the spring semester yesterday. I did my upgrade over the break. Now I am having multiple sites (many are ssl) inaccessible which were accessible under 2.6.STABLE12. Did I miss some major changes between 2.6 and 2.7? I'm considering rolling back to 2.6 to quell the rebellion... :-(

We can't really tell what or if you missed anything without config details :). What's the current config and the diff between the old and new squid.conf?

Attached is the current config. The config on the upgrade was a simple cp of the previous config file. The only thing different now is the addition of ignore_expect_100 on at the end per the suggestion earlier in this thread. (Which did allow the webapp to work correctly.)

Regarding ssl sites (https://pob-w.fidelitybanknc.com/servlet/cefs/online/login-tfb.html is one example that hangs and times out via squid): Several tcpdumps seem to indicate that the client sends a connect frame to squid, squid acknowledges but never passes any traffic on to the internet site. Generally clients are authenticated via ntlm helper, but I have some clients that are authenticated based on ip. These clients (ipauthex) do not have this problem: they connect to these sites fine. This would seem to indicate a config issue, but what? I have also attached a pcap file for traffic between an ntlm auth client and squid. There is no pcap for the same squid to fidelity connection as there is never any traffic there.

Thanks for the help on this one. If anyone sees any other optimizations I should have in my squid.conf, feel free to point them out.

Note: fidelity.txt is really a pcap file.
Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org

[Attachment fidelity.txt: binary pcap data omitted; the readable request in the capture follows]

CONNECT pob-w.fidelitybanknc.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: pob-w.fidelitybanknc.com
Pragma: no-cache

http_port 192.168.0.247:3128
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 12 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 200 KB
cache_dir aufs /var/spool/squid 477184 65 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cachemgr_passwd VerySecret all
debug_options ALL,1
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.0.0.0
acl masada src 192.168.0.23/255.255.255.255
acl cnighswonger-lt src 192.168.0.105/255.255.255.255
acl campusnet src 192.168.0.0/24
acl farswap src 192.168.254.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 334
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 1
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl AuthorizedUsers proxy_auth REQUIRED
acl WindowsUpdate dstdomain download.microsoft.com ntservicepack.microsoft.com .update.microsoft.com .windowsupdate.com windowsupdate.microsoft.com wustat.windows.com c.microsoft.com crl.microsoft.com watson.microsoft.com
acl Webmin src 192.168.0.247-192.168.0.247/255.255.255.255
acl Zipcode dstdomain dail-a-zip.com
acl USPSShipping dstdomain
[squid-users] squid not caching
Dear All,

I have been using squid-2.7 Stable 5 for at least 6 months, and since I am facing some problems I decided to upgrade it to squid-3.0 stable 11. It is working smoothly and much faster than 2.7stable, but my problem is that it is not caching; my cache directory stays at 1%. Can anybody help me on how to let my squid-proxy cache the same way it was caching when I was using version 2.7? My 3.0 configuration was based on my 2.7 config. Below is my configuration for your reference.

acl shb dstdomain .site1.com
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
cache_mem 6144 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
max_open_disk_fds 30720
minimum_object_size 10240 KB
cache_swap_low 70
cache_swap_high 75
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/log/squid/squid.pid
debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern \.pdf$ 10080 90% 43200
refresh_pattern \.art$ 10080 90% 43200
refresh_pattern \.swf$ 10080 90% 43200
refresh_pattern \.mp3$ 10080 90% 43200
refresh_pattern \.ra$ 10080 90% 43200
refresh_pattern \.spl$ 10080 90% 43200
refresh_pattern \.viv$ 10080 90% 43200
refresh_pattern \.doc$ 10080 90% 43200
refresh_pattern \.gz$ 10080 90%
RE: [squid-users] OWA accelerator authentication weirdness
The order in which our auth_param lines are configured can alter the first authentication method tried. You will need to look at the debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:
2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and Windows Integrated Authentication enabled. If I disable windows integrated, OWA works fine, but I need activesync also, which does not work without windows integrated enabled.

Thanks,
Alan

Um, further on my other email. Try some of the settings to disable pass-thru on the specific ports and/or peer:
http://wiki.squid-cache.org/Features/ConnPin

My config pretty much follows the wiki example for OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem. Thanks!
Re: [squid-users] Trying to improve the Byte Hit Ratio, any tips ?
On Sat, Jan 10, 2009 at 12:43 PM, Vianney Lejeune via@free.fr wrote:

By the way, what about the ideal settings for cache_mem, cache size and so on, is there any formula ? Are 2*500 GB HD faster than 1*1TB ?

Yes, as each of those can handle i/o operations concurrently. In general, the more disks the better the performance: squid performance is usually constrained by the disk head seek times. See http://wiki.squid-cache.org/SquidFaq/RAID

Thank you, and what about the formula for cache_mem, cache_size etc ?

Everything should be quite well-documented in the FAQ and/or KnowledgeBase. Please refer to that first.

--
/kinkie
Re: [squid-users] Re: RE : [squid-users] coss
2.6 works fine (default Ubuntu 8.04 package)

$ squid -v
Squid Cache: Version 2.6.STABLE18
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

$ uname -a
Linux proxygw 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux

On Sat, Jan 10, 2009 at 5:23 PM, Heinz Diehl h...@fancy-poultry.org wrote:

At Sat, 10 Jan 2009 11:53:47 +0100, Emmanuel Pelerin wrote:
I have downloaded this version: http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the coss storage scheme, and does it work well, is it stable and safe to use on a production machine?

--
Regards,
Oleg
[squid-users] Re: squid not caching
I already solved the problem; it was a typo error. Instead of modifying the maximum_object_size I accidentally edited the minimum_object_size.

- Original Message -
From: Wennie V. Lagmay wlag...@yanbulink.net
To: squid-users squid-users@squid-cache.org
Cc: wlagmay wlag...@yanbulink.net
Sent: Saturday, January 10, 2009 7:48:25 PM (GMT+0300) Asia/Kuwait
Subject: squid not caching

Dear All,

I have been using squid-2.7 Stable 5 for at least 6 months, and since I am facing some problems I decided to upgrade it to squid-3.0 stable 11. It is working smoothly and much faster than 2.7stable, but my problem is that it is not caching; my cache directory stays at 1%.

Can anybody help me on how to let my squid-proxy cache the same way it was caching when I was using version 2.7? My 3.0 configuration was based on my 2.7 config. Below is my configuration for your reference.

acl shb dstdomain .site1.com
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
cache_mem 6144 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
max_open_disk_fds 30720
minimum_object_size 10240 KB
cache_swap_low 70
cache_swap_high 75
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/log/squid/squid.pid
debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880
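The mistake reported in the message above (minimum_object_size edited where maximum_object_size was intended) can be caught before a restart. The following is an added example, not part of the original post or of Squid itself; the default values and the handling of a bare number as bytes are assumptions labelled in the code.

```python
import re

UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Assumption: values used when a directive is absent (0 KB minimum and
# 4096 KB maximum, as documented for Squid 3.0); adjust for your version.
DEFAULTS = {"minimum_object_size": 0, "maximum_object_size": 4096 * 1024}

# Matches only the two disk-cache directives, not maximum_object_size_in_memory.
DIRECTIVE = re.compile(
    r"^(minimum_object_size|maximum_object_size)\s+(\d+)\s*(bytes|KB|MB|GB)?\s*$",
    re.IGNORECASE,
)

def effective_sizes(conf_text):
    """Return the effective on-disk object size limits in bytes."""
    sizes = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = DIRECTIVE.match(line)
        if match:
            name, number, unit = match.groups()
            # Assumption: a bare number is treated as bytes.
            sizes[name.lower()] = int(number) * UNITS[(unit or "bytes").lower()]
    return sizes

def check_object_sizes(conf_text):
    """Return findings about the window of object sizes the disk cache accepts."""
    sizes = effective_sizes(conf_text)
    low, high = sizes["minimum_object_size"], sizes["maximum_object_size"]
    if low > high:
        return [f"minimum_object_size ({low // 1024} KB) exceeds "
                f"maximum_object_size ({high // 1024} KB): "
                "no object size qualifies for the disk cache"]
    return []

# Constructed excerpts: POSTED reuses lines from the posted configuration,
# INTENDED applies the edit the poster says was meant.
POSTED = """\
cache_mem 6144 MB
maximum_object_size_in_memory 512 KB
max_open_disk_fds 30720
minimum_object_size 10240 KB
"""
INTENDED = POSTED.replace("minimum_object_size", "maximum_object_size")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("intended", INTENDED)):
        print(label, check_object_sizes(conf) or "ok")
```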
[squid-users] FreeBSD users: 'squidstats' package
Hi guys,

Those of you who are using FreeBSD should have a look at squidstats. It's based on Henrik's scripts to gather basic statistics from Squid via SNMP and graph them. It's based on a googlecode project I created and I'm also the port maintainer. So it should be easy for me to fix bugs. :)

Having statistics of your running server is the best thing to do for debugging and provisioning, so please consider installing the package and setting it up.

Enjoy!

Adrian
Re: [squid-users] Transparent but not intercepting proxy
On 09.01.09 11:56, NTPT wrote:
> Is it possible to run SQUID proxy server in transparent mode without interception ? ie SQUID pass original address of the client (tproxy patch), but clients connections are not intercepted automatically and user have to set proxy server manually in his browser ?

RFC 2616 (http/1.1) defines transparent proxy as proxy not changing the data. Most people assume that transparent proxy means intercepting, e.g. no need for configuring browser for anything.

Do you want to create new meaning for transparent proxy? Please, no.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
Re: [squid-users] OWA accelerator authentication weirdness
Alan Lehman wrote:

The order in which our auth_param lines are configured can alter the first authentication method tried. You will need to look at the debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:

2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and Windows Integrated Authentication enabled. If I disable windows integrated, OWA works fine, but I need activesync also, which does not work without windows integrated enabled.

Thanks, Alan

Um, further on my other email. Try some of the settings to disable pass-thru on the specific ports and/or peer: http://wiki.squid-cache.org/Features/ConnPin

My config pretty much follows the wiki example for OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem.

Before I go recommending this as a general fix in 3.1, are BOTH of those changes needed for it to work? I know there are people using Squid+OWA in multi-mode who may need auth for other things. Can we get away with just connection-auth=off on the port?

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
RE: [squid-users] OWA accelerator authentication weirdness
The order in which our auth_param lines are configured can alter the first authentication method tried. You will need to look at the debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:

2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and Windows Integrated Authentication enabled. If I disable windows integrated, OWA works fine, but I need activesync also, which does not work without windows integrated enabled.

Thanks, Alan

Um, further on my other email. Try some of the settings to disable pass-thru on the specific ports and/or peer: http://wiki.squid-cache.org/Features/ConnPin

My config pretty much follows the wiki example for OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem.

Before I go recommending this as a general fix in 3.1, are BOTH of those changes needed for it to work? I know there are people using Squid+OWA in multi-mode who may need auth for other things. Can we get away with just connection-auth=off on the port?

Amos

The auth_param lines don't seem to make any difference. It works for me with them in.
Re: [squid-users] OWA accelerator authentication weirdness
Alan Lehman wrote:

The order in which our auth_param lines are configured can alter the first authentication method tried. You will need to look at the debugging trace in cache.log to see which is generating which question

Amos

Only basic is enabled:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:

2009/01/08 14:38:19.713| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:38:19.713| CacheManager::findAction: looking for action basicauthenticator
2009/01/08 14:38:19.713| CacheManager::registerAction: registered basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registering legacy basicauthenticator
2009/01/08 14:41:22.010| CacheManager::registerAction: registered basicauthenticator

The OWA web server has both basic and Windows Integrated Authentication enabled. If I disable windows integrated, OWA works fine, but I need activesync also, which does not work without windows integrated enabled.

Thanks, Alan

Um, further on my other email. Try some of the settings to disable pass-thru on the specific ports and/or peer: http://wiki.squid-cache.org/Features/ConnPin

My config pretty much follows the wiki example for OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem.

Before I go recommending this as a general fix in 3.1, are BOTH of those changes needed for it to work? I know there are people using Squid+OWA in multi-mode who may need auth for other things. Can we get away with just connection-auth=off on the port?

Amos

The auth_param lines don't seem to make any difference. It works for me with them in.

Great. I'll get the wiki updated. Thanks for your help finding this and testing the solution.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3