[squid-users] coss

[Heinz Diehl]

Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?

Re: [squid-users] Transparent but not intercepting proxy

[NTPT]

it is not for applicaions that need to know an IP address of the client, but for web 
traffic acceleration and traffic shaping purposees. Intercepting proxy is all or 
nothing scenario  on ISP site and customers can not voluntairy switch it on/off  
themselfs.

My idea is to allow users to set proxy in their browser to use (or not) our 
SQUID server, but we need their IP addresses to be preserved by squid (like in 
intercepting + tproxy scenario) for traffic shaping and control purposes.




#  Původní zpráva 
# Od: Amos Jeffries squ...@treenet.co.nz
# Předmět: Re: [squid-users] Transparent but not intercepting proxy
# Datum: 10.1.2009 03:50:18
# 
# NTPT wrote:
#  Hi all.
# 
#  Is it possible to run SQUID proxy server in transparent mode without
# interception ? ie SQUID pass original address of the client (tproxy patch), 
but
# clients connections are not intercepted automatically and user have to set
# proxy server manually in his browser ?
#
# No.
# See X-Forwarded-For:  header if you ave an application that needs to 
# detect the client behind a proxy. Sometimes also Client-IP:

#
# Amos
# --
# Please be using
#Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
#Current Beta Squid 3.1.0.3
#
#
#

[squid-users] RE : [squid-users] coss

[Emmanuel Pelerin]

I don't know

I have download this version : 
http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

Emmanuel PELERIN


De : Heinz Diehl [...@fancy-poultry.org]
Date d'envoi : samedi 10 janvier 2009 10:28
À : squid-users@squid-cache.org
Objet : [squid-users] coss

Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?

RE: [squid-users] SquidGuard Replacement

[Thomas Raef]

Sorry for my misunderstanding. It was a bad day for me.

Please accept my apologies.

 -Original Message-
 From: Philipp Rusch - New Vision-IT [mailto:philipp.ru...@newvision-
 it.de]
 Sent: Thursday, January 08, 2009 12:02 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] SquidGuard Replacement
 
 Thomas Raef schrieb:
  How do you figure that ufdb Guard is sub-optimal?
 
  Yes you can use shalla lists with this.
 
  I suggest you contact the owner and discuss your needs with him. He
  reads this list so I think he'll be available.
 
  Thomas J. Raef
  www.ebasedsecurity.com http://www.ebasedsecurity.com
  You're either hardened, or you're hacked!
 
 
-
 ---
  *From:* Philipp Rusch - New Vision IT
  [mailto:philipp.ru...@newvision-it.de]
  *Sent:* Wed 1/7/2009 1:12 PM
  *To:* squid-users@squid-cache.org
  *Subject:* Re: [squid-users] SquidGuard Replacement
 
  Joseph L. Casale schrieb:
   I switched to ufdbguard and have been real pleased with it's
  performance
   and support.
  
  
   Thomas,
   Do I understand this right, the software is free but the db is
not?
  Can one
   use shalla lists with this software?
  
   Thanks!
   jlc
  
  
  Joseph,
  I wasn't able to access the systems with the SG-config today.
  So let's solve your problem with SG tomorrow instead of hunting for
  a suboptimal solution.
  Did you try to post your prob to Shalla / Christine Kronberg ?
  She is usually a great help.
 
  CU, Philipp
 
 Thomas,
 I did not say that ufdbguard is a suboptimal solution.
 ALL I wanted to express with my mail was, that Joseph's
 search for a solution was leading to a somewhat suboptimal setup.
 He already had everything in place and encountered some problems,
 so I advised him to search for the reasons of that problem and solve
 them instaed of replacing components on a trial and error basis.
 And despite the possible second meaning of my original posting,
 I really wasn't trying to offend somebody.
 AND, btw, please keep in mind that english is not my mother's tongue.
 
 Regards from Germany,
 Philipp
 
 in his setup
 

Re: [squid-users] Transparent but not intercepting proxy

[Amos Jeffries]

NTPT wrote:
it is not for applicaions that need to know an IP address of the client, 
but for web traffic acceleration and traffic shaping purposees. 
Intercepting proxy is all or nothing scenario  on ISP site and 
customers can not voluntairy switch it on/off  themselfs.


My idea is to allow users to set proxy in their browser to use (or not) 
our SQUID server, but we need their IP addresses to be preserved by 
squid (like in intercepting + tproxy scenario) for traffic shaping and 
control purposes.




Okay. Assuming you are using standard QoS traffic shaping techniques you 
actually want to get Squid to set the TOS field values for you.

http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/

This can be set for any of the fast accessible request details. You want 
to look at client IPs (src ACL) or receiving port (myport, myportname)


Amos





#  Původní zpráva 
# Od: Amos Jeffries squ...@treenet.co.nz
# Předmět: Re: [squid-users] Transparent but not intercepting proxy
# Datum: 10.1.2009 03:50:18
# 
# NTPT wrote:
#  Hi all.
#  #  Is it possible to run SQUID proxy server in transparent mode 
without
# interception ? ie SQUID pass original address of the client (tproxy 
patch), but
# clients connections are not intercepted automatically and user have to 
set # proxy server manually in his browser ? # # No.
# See X-Forwarded-For:  header if you ave an application that needs to # 
detect the client behind a proxy. Sometimes also Client-IP:

# # Amos
# -- # Please be using
#Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
#Current Beta Squid 3.1.0.3
# # #



--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

Re: [squid-users] Re: WCCP configuration

[viveksnv]

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttporxy 2.6.20-2.0.6, iptables 
1.3.8 and linux kernal 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Tranparent proxy works good. Trproxy without wccp works well by 
not revealing the server ip and only displaying the client ip. But once 
the wccp is enabled with tproxy, the sever ip is revealed instead of 
the client ip.


Please scroll down below to check our previous mails.

Any suggestions please.


VK



-Original Message-
From: Amos Jeffries squ...@treenet.co.nz
To: Ritter, Nicholas nicholas.rit...@americantv.com
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
0ASubject: Re: [squid-users] Re: WCCP configuration



Ritter, Nicholas wrote: 

With TProxy, I think you need to use Squid3-HEAD to reliably fix your 

issueAmos would know for sure. 



Nick 



  


Yes. Squid-2.* has no support for TPROXY v4.1+ 
 

3.1.0.3 or later is needed. Which is at least an RC beta now, more
stable that pure 3.HEAD alpha code. 
 

Also the squid.conf and configure details have changed. 

http://wiki.squid-cache.org/Features/Tproxy4 
 

Amos 
 



 




From: vivek...@aol.in [mailto:vivek...@aol.in] 



Sent: Fri 1/9/2009 8:39 A

M 


To: hen...@henriknordstrom.net 



Cc: squid-users@squid-cache.org; squ...@treenet.co.nz 



Subject: [squid-users] Re: WCCP configuration 






Hi, 




Thanks for the reply. It did help us solve the problem. 




But there is a new issue. 




We have configured as squid+tproxy. The squid ip is not displayed and 



only the client ip is displayed when we do the proxy test. But after 



configuring wccp we find that the server ip is displayed in the proxy 



test instead of the client ip. 




We also find that the http request is pathetically slow. 




squid.conf 

=0
A


wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 



ports=80 



wccp2_service dynamic 90 



wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source 



priority=240 ports=80 




http_port 3128 transparent tproxy 




iptable: 


/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m 

tcp 


--dport 80 -j TPROXY --on-port 3128 





We created a gre tunnel based on the router identifier. 




wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid 



machine) 




The following command is assigned at the router interface connected 

=0
Ato 


the lan. 



ip wccp 80 redirect in 



ip wccp 90 redirect out 




Following command at the router interface connected to squid. 



ip wccp redirect exclude in 




Router : Cisco IOS Software, 2800 Software 

(C2800NM-ADVIPSERVICESK9-M), 


Version 12.4(13b) 



Kernel : linux-2.6.20.21 



IPtable : iptables-1.3.8 



Os Ver : squid-2.7 Stable 5 




#lsmod 




ip_gre 19616  0 



iptable_filter 11136  0 



ipt_TPROXY 11136  1 


ipt_REDIRECT   10624 

 0 


xt_tcpudp  11904  1 



reiserfs  235144  5 



iptable_tproxy 23036  2 ipt_TPROXY 



iptable_nat15492  1 iptable_tproxy 


ip_nat 24620  3 

ipt_REDIRECT,iptable_tproxy,iptable_nat 


ip_tables  25448  3 



iptable_filter,iptable_tproxy,iptable_nat 



x_tables   23560  5 



ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables 



ip_conntrack   53400  3 iptable_tproxy,iptable_nat,ip_nat 





The internet works, b
ut the browsing is dead slow. Temporarily we 
have 



bypassed squid to browse the net. 





Thanks 



VK 





-Original Message- 



From: Henrik Nordstrom hen...@henriknordstrom.net 



To: vivek...@aol.in 



Cc: squ...@treenet.co.nz; squid-us...@squid-cache.org 



Sent: Thu, 8 Jan 2009 12:05 am 



Subject: Re: WCCP configuration 





ons 2009-01-07 klockan 08:46 -0500 skrev vivek...@aol.in: 





wccp2_router xxx.xx.xxx.xxx 



wccp_version 4 



wccp2_forwarding_method 1 



wccp2_return_method 1 



wccp2_assignment_method 1 



wccp2_service dynamic 8

0 


wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 



ports=80 



wccp2_service dynamic 90 



wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source 



priority=240 ports=80 



 



 



Router Eth0 - connected to lan. Eth1 - connecte to squid. 




Have you also configured 


* A loopback address on the router, giving it a easily identified 

router 


ID 




* the required GRE/WCCP tunnel interface on the Squid server 




* disabled rp_filter on the above GRE/WCCP interface. 




* And adjusted the REDIRECT/NAT rules to act on traffic=2
0received on 
the 



GRE/WCCP interface configured above? 






Service Identifier: web-cache 



Number of Service Group Clients: 1 



Number of Service Group Routers: 1 



Total Packets s/w Redirected:11336 



  Process:   0 



  

Re: [squid-users] Any one can help me to start Squid as service.

[Amos Jeffries]

Balram wrote:

I have installed Squid 3.0 STABLE11 on RHEL-4 on the /usr/local/squid
folder from source and enabling delay pools. It's work fine. But my
problem is that I have to start it manually by giving this command
#/usr/local/squid/sbin/squid start
 So any one show me that how can squid start automatically as a service.



Refer you back to the answers you got within half an hour of asking this 
same thing yesterday.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

Re: [squid-users] coss

[Amos Jeffries]

Heinz Diehl wrote:

Hi,

just a short and simple question, because I could not find an answer on the
net:

Is the coss storage scheme stable on Linux running squid-2.7-STABLE5?



Yes. As stable as COSS has ever been in Squid.
It's only the Squid-3 port thats broken.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

[squid-users] Re: RE : [squid-users] coss

[Heinz Diehl]

At Sat, 10 Jan 2009 11:53:47 +0100,
Emmanuel Pelerin wrote:

 I have download this version : 
 http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the
coss storage scheme, and does it work well, it is stable and safe to use on
a production machine?

Re: [squid-users] Re: WCCP configuration

[Amos Jeffries]

vivek...@aol.in wrote:

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttporxy 2.6.20-2.0.6, iptables 1.3.8 
and linux kernal 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Tranparent proxy works good. Trproxy without wccp works well by not 
revealing the server ip and only displaying the client ip. But once the 
wccp is enabled with tproxy, the sever ip is revealed instead of the 
client ip.


Please scroll down below to check our previous mails.

Any suggestions please.


Other than checking your squid is built with --enable-linux-tproxy, none 
from me sorry.

cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos




VK



-Original Message-
From: Amos Jeffries squ...@treenet.co.nz
To: Ritter, Nicholas nicholas.rit...@americantv.com
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
0ASubject: Re: [squid-users] Re: WCCP configuration



Ritter, Nicholas wrote: 

With TProxy, I think you need to use Squid3-HEAD to reliably fix your 
issueAmos would know for sure. 



Nick 


  


Yes. Squid-2.* has no support for TPROXY v4.1+ 
 


3.1.0.3 or later is needed. Which is at least an RC beta now, more
stable that pure 3.HEAD alpha code. 
 

Also the squid.conf and configure details have changed. 

http://wiki.squid-cache.org/Features/Tproxy4 
 

Amos 
 



 




From: vivek...@aol.in [mailto:vivek...@aol.in] 



Sent: Fri 1/9/2009 8:39 A
M 

To: hen...@henriknordstrom.net 


Cc: squid-users@squid-cache.org; squ...@treenet.co.nz 


Subject: [squid-users] Re: WCCP configuration 






Hi, 




Thanks for the reply. It did help us solve the problem. 




But there is a new issue. 




We have configured as squid+tproxy. The squid ip is not displayed and 


only the client ip is displayed when we do the proxy test. But after 


configuring wccp we find that the server ip is displayed in the proxy 


test instead of the client ip. 




We also find that the http request is pathetically slow. 




squid.conf 

=0
A


wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 


ports=80 


wccp2_service dynamic 90 


wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source 


priority=240 ports=80 




http_port 3128 transparent tproxy 




iptable: 


/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m 
tcp 

--dport 80 -j TPROXY --on-port 3128 





We created a gre tunnel based on the router identifier. 




wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid 


machine) 




The following command is assigned at the router interface connected 

=0
Ato 

the lan. 


ip wccp 80 redirect in 


ip wccp 90 redirect out 




Following command at the router interface connected to squid. 


ip wccp redirect exclude in 




Router : Cisco IOS Software, 2800 Software 
(C2800NM-ADVIPSERVICESK9-M), 

Version 12.4(13b) 


Kernel : linux-2.6.20.21 


IPtable : iptables-1.3.8 


Os Ver : squid-2.7 Stable 5 




#lsmod 




ip_gre 19616  0 


iptable_filter 11136  0 


ipt_TPROXY 11136  1 


ipt_REDIRECT   10624 
 0 

xt_tcpudp  11904  1 


reiserfs  235144  5 


iptable_tproxy 23036  2 ipt_TPROXY 


iptable_nat15492  1 iptable_tproxy 


ip_nat 24620  3 
ipt_REDIRECT,iptable_tproxy,iptable_nat 

ip_tables  25448  3 


iptable_filter,iptable_tproxy,iptable_nat 


x_tables   23560  5 


ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables 


ip_conntrack   53400  3 iptable_tproxy,iptable_nat,ip_nat 





The internet works, b
ut the browsing is dead slow. Temporarily we have 

bypassed squid to browse the net. 





Thanks 


VK 





-Original Message- 


From: Henrik Nordstrom hen...@henriknordstrom.net 


To: vivek...@aol.in 


Cc: squ...@treenet.co.nz; squid-users@squid-cache.org 


Sent: Thu, 8 Jan 2009 12:05 am 


Subject: Re: WCCP configuration 





ons 2009-01-07 klockan 08:46 -0500 skrev vivek...@aol.in: 




wccp2_router xxx.xx.xxx.xxx 


wccp_version 4 


wccp2_forwarding_method 1 


wccp2_return_method 1 


wccp2_assignment_method 1 



wccp2_service dynamic 8
0 

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 


ports=80 


wccp2_service dynamic 90 


wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source 


priority=240 ports=80 


 


 


Router Eth0 - connected to lan. Eth1 - connecte to squid. 




Have you also configured 


* A loopback address on the router, giving it a easily identified 
router 

ID 




* the required GRE/WCCP tunnel interface on the Squid server 




* disabled rp_filter on the above GRE/WCCP interface. 




* And adjusted the REDIRECT/NAT rules to act on traffic=2
0received on the 

GRE/WCCP interface configured above? 





Service Identifier: web-cache 


Number of Service Group Clients: 1 


Number of Service Group 

Re: [squid-users] Fwd: Webapp problems with squid 2.7.STABLE3

[Chris Nighswonger]

On Fri, Jan 9, 2009 at 9:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 BTW, we started back up for the spring semester yesterday. I did my
 upgrade over the break. Now I am having multiple sites (many are ssl)
 unaccessible which were accessible under 2.6.STABLE12. Did I miss some
 major changes between 2.6 and 2.7? I'm considering rolling back to 2.6
 to quell the rebellion... :-(

 We can't really tell what or if you missed anything without config details
 :).
 Whats the current config and the diff between the old and new squid.conf?

Attached is the current config. The config on the upgrade was a simple
cp of the previous config file. The only thing different now is the
addition of ignore_expect_100 on at the end per the suggestion
earlier in this thread. (Which did allow the webapp to work
correctly.)

Regarding ssl sites
(https://pob-w.fidelitybanknc.com/servlet/cefs/online/login-tfb.html
is one example that hangs and times out via squid): Several tcpdumps
seem to indicate that the client sends a connect frame to squid, squid
acknowledges but never passes any traffic on to the internet site.
Generally clients are authenticated via ntlm helper, but I have some
clients that are authenticated based on ip. These clients (ipauthex)
do not have this problem: they connect to these sites fine. This would
seem to indicate an config issue, but what?

I have also attached a pcap file for traffic between an ntlm auth
client and squid. There is no pcap for the same squid to fidelity
connection as there is never any traffic there.

Thanks for the help on this one. If anyone sees any other
optimizations I should have in my squid.conf, feel free to point them
out.

Note: fidelity.txt is really a pcap file.

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network  Systems Director
Foundations Bible College  Seminary
www.foundations.edu
www.fbcradio.org
Ôò¡ÿÿ

gI+I
66 }9ÀW¥$E(�...@@JÀ¨÷À¨
ˆQ|MœÕš+P Ûñ
gI!J
ÀW¥$ }9E(...@€a%À¨À¨÷
ˆÕš+Q|MPÿÿõ
gI,K
ÀW¥$ }9E(...@€a$À¨À¨÷
ˆÕš+Q|MPÿÿõ
gI6K
66 }9ÀW¥$E(...@@¸kÀ¨÷À¨
ˆQ|MÕš,P ÛðgI7*ÀW¥$ }9e...@€`À¨À¨÷
Œ œ¦epÿÿ´

gIJ* 
}9Àw¥$e...@@¸cÀ¨÷À¨
ŒÂk¤£   œ¦fpШ¬´

gIC+ÀW¥$ }9E(...@€`À¨À¨÷
Œ œ¦fÂk¤¤pÿ�...@gi,1
1
ÀW¥$ 
}9e
...@€_!À¨À¨÷
Œ œ¦fÂk¤¤PÿÿX™CONNECT pob-w.fidelitybanknc.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
1.1.4322; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: pob-w.fidelitybanknc.com
Pragma: no-cache

gIF,66 }9ÀW¥$E(�...@@}À¨÷À¨
ŒÂk¤¤   œ§aP Ò%http_port 192.168.0.247:3128
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 12 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 200 KB
cache_dir aufs /var/spool/squid 477184 65 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cachemgr_passwd VerySecret all
debug_options ALL,1
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern .   0   20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.0.0.0
acl masada src 192.168.0.23/255.255.255.255
acl cnighswonger-lt src 192.168.0.105/255.255.255.255
acl campusnet src 192.168.0.0/24
acl farswap src 192.168.254.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 334
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 1
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl AuthorizedUsers proxy_auth REQUIRED
acl WindowsUpdate dstdomain download.microsoft.com ntservicepack.microsoft.com 
.update.microsoft.com .windowsupdate.com windowsupdate.microsoft.com 
wustat.windows.com c.microsoft.com crl.microsoft.com watson.microsoft.com
acl Webmin src 192.168.0.247-192.168.0.247/255.255.255.255
acl Zipcode dstdomain dail-a-zip.com
acl USPSShipping dstdomain 

[squid-users] squid not caching

[Wennie V. Lagmay]

Dear All,

I am using squid-2.7 Stable 5 for at least 6 months and since I am facing some 
problems I decided to upgarde it to squid-3.0 stable 11. It is working smooth 
ang much faster than 2.7stable but my problem it is not caching, my cache 
directory stays at 1%.

Can anybody help me on how to let my squid-proxy cache the same way it caching 
when I am using version 2.7? My 3.0 configuration was based on my 2.7 config. 
Below is my configuration for your reference.

acl shb dstdomain .site1.com 
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
 cache_mem 6144 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy heap GDSF
 cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
 max_open_disk_fds 30720
 minimum_object_size 10240 KB
 cache_swap_low 70
 cache_swap_high 75
access_log /var/log/squid/access.log squid
 cache_log /var/log/squid/cache.log
cache_store_log none
 pid_filename /var/log/squid/squid.pid
 debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern \.pdf$ 10080 90% 43200
refresh_pattern \.art$ 10080 90% 43200
refresh_pattern \.swf$ 10080 90% 43200
refresh_pattern \.mp3$ 10080 90% 43200
refresh_pattern \.ra$ 10080 90% 43200
refresh_pattern \.spl$ 10080 90% 43200
refresh_pattern \.viv$ 10080 90% 43200
refresh_pattern \.doc$ 10080 90% 43200
refresh_pattern \.gz$ 10080 90% 

RE: [squid-users] OWA accelerator authentication weirdness

[Alan Lehman]

  The order in which our auth_param lines are configured can alter the
  first authentication method tried. You will need to look at the
  debugging trace in cache.log to see which is generating which
 question
 
  Amos
 
  Only basic is enabled:
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
 
  Do I need to select a program for basic?
 
  found in cache.log:
  2009/01/08 14:38:19.713| CacheManager::registerAction: registering
 legacy basicauthenticator
  2009/01/08 14:38:19.713| CacheManager::findAction: looking for action
 basicauthenticator
  2009/01/08 14:38:19.713| CacheManager::registerAction: registered
 basicauthenticator
  2009/01/08 14:41:22.010| CacheManager::registerAction: registering
 legacy basicauthenticator
  2009/01/08 14:41:22.010| CacheManager::registerAction: registered
 basicauthenticator
 
  The OWA web server has both basic and Windows Integrated
 Authentication enabled. If I disable windows integrated, OWA works
 fine, but I need activesync also, which does not work without windows
 integrated enabled.
 
  Thanks,
  Alan
 
 Um, further on my other email.
 Try some of the settings to disable pass-thru on the specific ports
 and/or peer:
 
 http://wiki.squid-cache.org/Features/ConnPin


My config pretty much follows the wiki example for OWA accelerator. Squid 
3.1.0.3. I'm using the same port for OWA and Activesync. I just added 
connection-auth=off on https_port and removed all auth_param lines, and that 
took care of my problem.

Thanks!

Re: [squid-users] Trying to improve the Byte Hit Ratio, any tips ?

[Kinkie]

On Sat, Jan 10, 2009 at 12:43 PM, Vianney Lejeune via@free.fr wrote:

 By the way, what about the ideal settings for cache_mem, cache size and
 so
 on, is there any formula ? Are 2*500 GB HD faster than 1*1TB ?

 Yes, as each of those can handle i/o operations concurrently. In
 general, the more disks the better the performance: squid performance
 is usually constrained by the disk head seek times.

 See http://wiki.squid-cache.org/SquidFaq/RAID

 Thank you, and what about the formula for cache_mem, cache_size etc ?

Everything should be quite well-documented in the FAQ and/or KnowledgeBase.
Please refer to that first.

-- 
/kinkie

Re: [squid-users] Re: RE : [squid-users] coss

[Oleg Motienko]

2.6 works fine (default Ubuntu 8.04 package)

$ squid -v
Squid Cache: Version 2.6.STABLE18
configure options:  '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/spool/
squid' '--datadir=/usr/share/squid' '--enable-async-io'
'--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null'
'--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll'
'--enable-removal-policies=lru,heap' '--enable-snmp'
'--enable-delay-pools' '--enable-htcp' '--enable-cache-digests'
'--enable-underscores' '--enable-referer-log' '--enable-useragent-log'
'--enable-auth=basic,digest,ntlm' '--enable-carp'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--with-maxfd=65536' 'i386-debian-linux'
'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux'
'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

$ uname -a
Linux proxygw 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008
i686 GNU/Linux


On Sat, Jan 10, 2009 at 5:23 PM, Heinz Diehl h...@fancy-poultry.org wrote:

 At Sat, 10 Jan 2009 11:53:47 +0100,
 Emmanuel Pelerin wrote:

  I have download this version : 
  http://people.redhat.com/mnagy/squid/squid-2.7.STABLE5-1.el4/i386/

 What I want to know is: is anybody here running squid-2.7-STABLE4/5 with the
 coss storage scheme, and does it work well, it is stable and safe to use on
 a production machine?




--
Regards,
Oleg

[squid-users] Re: squid not caching

[Wennie V. Lagmay]

I already solve the problem, it is typo error. instead of modifying the 
maximum_object_size I accidentally edited the minimum_object_size. 




- Original Message -
From: Wennie V. Lagmay wlag...@yanbulink.net
To: squid-users squid-users@squid-cache.org
Cc: wlagmay wlag...@yanbulink.net
Sent: Saturday, January 10, 2009 7:48:25 PM (GMT+0300) Asia/Kuwait
Subject: squid not caching

Dear All,

I am using squid-2.7 Stable 5 for at least 6 months and since I am facing some 
problems I decided to upgarde it to squid-3.0 stable 11. It is working smooth 
ang much faster than 2.7stable but my problem it is not caching, my cache 
directory stays at 1%.

Can anybody help me on how to let my squid-proxy cache the same way it caching 
when I am using version 2.7? My 3.0 configuration was based on my 2.7 config. 
Below is my configuration for your reference.

acl shb dstdomain .site1.com 
acl eta dstdomain .site2.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ipaddr src xxx.xxx.184.0/255.255.248.0
acl natmot src 192.168.10.0/255.255.255.0
acl natmot2 src 192.168.11.0/255.255.255.0
acl natmot3 src 192.168.12.0/255.255.255.0
acl natmot4 src 192.168.14.0/255.255.255.0
acl natmot5 src 192.168.15.0/255.255.255.0
acl natmot6 src 192.168.16.0/255.255.255.0
acl natmot7 src 192.168.24.0/255.255.248.0
acl natcuda1 src 192.168.64.0/255.255.224.0
acl natcuda2 src 192.168.96.0/255.255.224.0
acl cmts4 src 192.168.128.0/255.255.240.0
acl cmts5 src 192.168.144.0/255.255.240.0
acl cmts6 src 192.168.176.0/255.255.240.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow ipaddr
http_access allow natmot
http_access allow natmot2
http_access allow natmot3
http_access allow natmot4
http_access allow natmot5
http_access allow natmot6
http_access allow natmot7
http_access allow natcuda1
http_access allow natcuda2
http_access allow cmts4
http_access allow cmts5
http_access allow cmts6
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all
htcp_access deny all
http_port xxx.xxx.184.42:8080
cache_peer xxx.xxx.193.87 parent 8080 0 no-query
cache_peer xxx.xxx.193.83 parent 8080 0 no-query
cache_peer_access xxx.xxx.193.87 allow shb
cache_peer_access xxx.xxx.193.87 deny all
cache_peer_access xxx.xxx.193.83 allow eta
cache_peer_access xxx.xxx.193.83 deny all
hierarchy_stoplist cgi-bin ?
 cache_mem 6144 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy heap GDSF
 cache_replacement_policy heap GDSF
cache_dir aufs /cache01/spool/squid/data01 8500 16 256
cache_dir aufs /cache01/spool/squid/data02 8500 16 256
cache_dir aufs /cache01/spool/squid/data03 8500 16 256
cache_dir aufs /cache01/spool/squid/data04 8500 16 256
cache_dir aufs /cache02/spool/squid/data01 8500 16 256
cache_dir aufs /cache02/spool/squid/data02 8500 16 256
cache_dir aufs /cache02/spool/squid/data03 8500 16 256
cache_dir aufs /cache02/spool/squid/data04 8500 16 256
cache_dir aufs /cache03/spool/squid/data01 8500 16 256
cache_dir aufs /cache03/spool/squid/data02 8500 16 256
cache_dir aufs /cache03/spool/squid/data03 8500 16 256
cache_dir aufs /cache03/spool/squid/data04 8500 16 256
 max_open_disk_fds 30720
 minimum_object_size 10240 KB
 cache_swap_low 70
 cache_swap_high 75
access_log /var/log/squid/access.log squid
 cache_log /var/log/squid/cache.log
cache_store_log none
 pid_filename /var/log/squid/squid.pid
 debug_options ALL,1
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 2880 50% 22160
refresh_pattern \.htm$ 2880 50% 22160
refresh_pattern \.php$ 2880 50% 22160
refresh_pattern \.asp$ 2880 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 2880 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 2880 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 2880 

[squid-users] FreeBSD users: 'squidstats' package

[Adrian Chadd]

Hi guys,

Those of you who are using FreeBSD should have a look at squidstats.
Its based on Henrik's scripts to gather basic statistics from Squid
via SNMP and graph them. Its based on a googlecode project I created
and I'm also the port maintainer. So it should be easy for me to fix
bugs. :)

Having statistics of your running server is the best thing to do for
debugging and provisioning, so please consider installing the package
and setting it up.

Enjoy!


Adrian

Re: [squid-users] Transparent but not intercepting proxy

[Matus UHLAR - fantomas]

On 09.01.09 11:56, NTPT wrote:
 Is it possible to run SQUID proxy server in transparent mode without
 interception ? ie SQUID pass original address of the client (tproxy
 patch), but clients connections are not intercepted automatically and user
 have to set proxy server manually in his browser ?

RFC 2616 (http/1.1) defines transparent proxy as proxy not changing the
data. 

Most people assume that transparent proxy means intercepting, e.g. no need
for configuring browser for anything.

Do you want to create new meaning for transparent proxy? Please, no.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 

Re: [squid-users] OWA accelerator authentication weirdness

[Amos Jeffries]

Alan Lehman wrote:

The order in which our auth_param lines are configured can alter the
first authentication method tried. You will need to look at the
debugging trace in cache.log to see which is generating which

question

Amos

Only basic is enabled:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:
2009/01/08 14:38:19.713| CacheManager::registerAction: registering

legacy basicauthenticator

2009/01/08 14:38:19.713| CacheManager::findAction: looking for action

basicauthenticator

2009/01/08 14:38:19.713| CacheManager::registerAction: registered

basicauthenticator

2009/01/08 14:41:22.010| CacheManager::registerAction: registering

legacy basicauthenticator

2009/01/08 14:41:22.010| CacheManager::registerAction: registered

basicauthenticator

The OWA web server has both basic and Windows Integrated

Authentication enabled. If I disable windows integrated, OWA works
fine, but I need activesync also, which does not work without windows
integrated enabled.

Thanks,
Alan

Um, further on my other email.
Try some of the settings to disable pass-thru on the specific ports
and/or peer:

http://wiki.squid-cache.org/Features/ConnPin



My config pretty much follows the wiki example for OWA accelerator. Squid 
3.1.0.3. I'm using the same port for OWA and Activesync. I just added 
connection-auth=off on https_port and removed all auth_param lines, and that 
took care of my problem.



Before I go recommending this as a general fix in 3.1, are BOTH of those 
changes needed for it to work?


I know there are people using Squid+OWA in multi-mode who may need auth 
for other things. Can we get away with just connection-auth=off on the 
port?



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

RE: [squid-users] OWA accelerator authentication weirdness

[Alan Lehman]

  The order in which our auth_param lines are configured can alter
 the
  first authentication method tried. You will need to look at the
  debugging trace in cache.log to see which is generating which
  question
  Amos
  Only basic is enabled:
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
 
  Do I need to select a program for basic?
 
  found in cache.log:
  2009/01/08 14:38:19.713| CacheManager::registerAction: registering
  legacy basicauthenticator
  2009/01/08 14:38:19.713| CacheManager::findAction: looking for
 action
  basicauthenticator
  2009/01/08 14:38:19.713| CacheManager::registerAction: registered
  basicauthenticator
  2009/01/08 14:41:22.010| CacheManager::registerAction: registering
  legacy basicauthenticator
  2009/01/08 14:41:22.010| CacheManager::registerAction: registered
  basicauthenticator
  The OWA web server has both basic and Windows Integrated
  Authentication enabled. If I disable windows integrated, OWA
 works
  fine, but I need activesync also, which does not work without
 windows
  integrated enabled.
  Thanks,
  Alan
  Um, further on my other email.
  Try some of the settings to disable pass-thru on the specific ports
  and/or peer:
 
  http://wiki.squid-cache.org/Features/ConnPin
 
 
  My config pretty much follows the wiki example for OWA accelerator.
 Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just
 added connection-auth=off on https_port and removed all auth_param
 lines, and that took care of my problem.
 
 
 Before I go recommending this as a general fix in 3.1, are BOTH of
 those
 changes needed for it to work?
 
 I know there are people using Squid+OWA in multi-mode who may need auth
 for other things. Can we get away with just connection-auth=off on
 the
 port?
 
 
 Amos

The auth_param lines don't seem to make any difference. It works for me with 
them in. 

Re: [squid-users] OWA accelerator authentication weirdness

[Amos Jeffries]

Alan Lehman wrote:

The order in which our auth_param lines are configured can alter

the

first authentication method tried. You will need to look at the
debugging trace in cache.log to see which is generating which

question

Amos

Only basic is enabled:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Do I need to select a program for basic?

found in cache.log:
2009/01/08 14:38:19.713| CacheManager::registerAction: registering

legacy basicauthenticator

2009/01/08 14:38:19.713| CacheManager::findAction: looking for

action

basicauthenticator

2009/01/08 14:38:19.713| CacheManager::registerAction: registered

basicauthenticator

2009/01/08 14:41:22.010| CacheManager::registerAction: registering

legacy basicauthenticator

2009/01/08 14:41:22.010| CacheManager::registerAction: registered

basicauthenticator

The OWA web server has both basic and Windows Integrated

Authentication enabled. If I disable windows integrated, OWA

works

fine, but I need activesync also, which does not work without

windows

integrated enabled.

Thanks,
Alan

Um, further on my other email.
Try some of the settings to disable pass-thru on the specific ports
and/or peer:

http://wiki.squid-cache.org/Features/ConnPin


My config pretty much follows the wiki example for OWA accelerator.

Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just
added connection-auth=off on https_port and removed all auth_param
lines, and that took care of my problem.
Before I go recommending this as a general fix in 3.1, are BOTH of
those
changes needed for it to work?

I know there are people using Squid+OWA in multi-mode who may need auth
for other things. Can we get away with just connection-auth=off on
the
port?


Amos


The auth_param lines don't seem to make any difference. It works for me with them in. 



Great. I'll get the wiki updated.

Thanks for your help finding this and testing the solution.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3