AW: [squid-users] squid and wccp doesn't work
Hi,

ASA does not support any IP-over-IP such as GRE. Which SW version do you have on the ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid? What is your ASA config?

"sh run interface"
"sh run wccp" or "sh run | grep wccp"

Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos
Re: [squid-users] Re: RPC over HTTP & NTLM
On Wed, 17 Jun 2009 17:18:49 -0400, Devon Harding wrote:
> Is it possible to have squid run as an accel for Exchange 2007
> rpc/http with ntlm authentication? I've disabled SSL and it seems
> that login=PASS only supports Basic Authentication.
>
> Thanks,
>
> -Devon

Yes.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
or
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
Re: [squid-users] How to never cache a directory of website?
On Wed, 17 Jun 2009 19:56:09 -0700 (PDT), sailer wrote:
> I use squid as a reverse proxy for my website. I want squid to never cache a
> directory in the website; the URL of the directory is http://www.abc.com/news/.
> How can I do it?
> Thanks

Yes.
http://www.squid-cache.org/Doc/config/cache/
http://www.squid-cache.org/Doc/config/acl/

Amos
Re: [squid-users] Is something out there bamboozling Squid?
On Wed, 17 Jun 2009 20:19:49 -0600, Brett Glass wrote:
> Everyone:
>
> Just this past week, our Squid cache has become balky, with long
> page loads from some sites and timeouts or partial page loads from
> others. (It's gotten to the point where performance is better
> without the cache.) I thought that it was just us, but another
> system administrator in town has complained of the same symptom:
> weird delays through the cache and none without it.

Time to run through the checklist.

What version of squid?
What do network times and loads look like? Hardware access time for the disks etc.?
Is one of the routers somewhere dropping packets?

And some weird ones that are becoming issues:
Has your upstream started an interception proxy?
Are they doing carrier NAT on you?

> Is there some popular site out there which has started doing
> something that ties Squid in knots?

You're the only one who can really answer that. What shift in destination sites have you noticed?

Amos
Re: [squid-users] LDAP Authentication and Logging
On Wed, 17 Jun 2009 20:39:10 -0500, James House wrote:
> Hi,
> If I set up squid to require authentication against my Win2003 AD, will
> the usernames appear in the log file?
> I have about 150 users hitting the web from 3 terminal servers through
> squid. I need to be able to see who a request came from, not just
> which server it came from.
> Thanks,
> James House

If they successfully log in, yes.

Amos
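As an added example (not code from the thread or from Squid), here is how the "who sent this request" question is answered from the native access.log format the replies in this digest use: the eighth column is the username Squid accepted for the request, or "-" when there was none, which is what the 407 challenge round-trip that precedes a successful login looks like. The sample log is constructed for the example, apart from the TCP_MISS/504 line, which is copied from the Tproxy thread on this page; the user names and addresses are made up.

```python
"""Attribute Squid access.log requests to authenticated users.

Added example, not code from the thread. Native "squid" logformat:
  time elapsed client code/status bytes method URL user hierarchy/peer type
The user column holds the accepted username or "-". The sample lines are
constructed, except the TCP_MISS/504 line copied from the Tproxy thread.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Entry(NamedTuple):
    ts: float
    elapsed_ms: int
    client: str
    result: str           # e.g. TCP_MISS
    status: int           # e.g. 504
    size: int
    method: str
    url: str
    user: Optional[str]   # None when the column is "-"
    hierarchy: str        # e.g. DIRECT or NONE
    peer: str             # e.g. 207.68.173.76 or "-"
    ctype: str


def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], None if f[7] == "-" else f[7], hierarchy, peer, f[9])


def entries(lines: Iterable[str]) -> List[Entry]:
    stripped = (ln.strip() for ln in lines)
    return [parse_line(ln) for ln in stripped if ln]


def requests_by_user(lines: Iterable[str]) -> Dict[str, List[Entry]]:
    """Group requests by username; unauthenticated ones land under "-"."""
    out: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries(lines):
        out[e.user or "-"].append(e)
    return dict(out)


def users_behind(client_ip: str, lines: Iterable[str]) -> Set[str]:
    """Authenticated users seen coming from one source address, e.g. a
    terminal server that hides many people behind one IP."""
    return {e.user for e in entries(lines) if e.client == client_ip and e.user}


# Constructed sample; first line copied from the Tproxy thread on this page.
SAMPLE_LOG = """\
1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
1245254301.004 0 10.1.1.10 TCP_DENIED/407 1745 GET http://www.example.com/ - NONE/- text/html
1245254301.215 312 10.1.1.10 TCP_MISS/200 8842 GET http://www.example.com/ jsmith DIRECT/192.0.2.10 text/html
1245254302.880 45 10.1.1.10 TCP_HIT/200 2210 GET http://www.example.com/logo.png abrown NONE/- image/png
1245254303.120 98 10.1.1.11 TCP_MISS/200 5120 GET http://www.example.net/ jsmith DIRECT/192.0.2.20 text/html
"""

if __name__ == "__main__":
    for user, reqs in sorted(requests_by_user(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:8} {len(reqs)} request(s) from {sorted({r.client for r in reqs})}")
    print("behind 10.1.1.10:", sorted(users_behind("10.1.1.10", SAMPLE_LOG.splitlines())))
```

The 407 line is the point of the "if they successfully log in" caveat: the challenge itself is logged with "-", so counting by username undercounts the first request of every session unless those TCP_DENIED/407 entries are filtered out.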
Re: [squid-users] squid and wccp doesn't work
On Wed, 17 Jun 2009 20:50:40 +0200, Tom Penndorf wrote:
> Hello,
>
> I'm trying to get squid and wccp on a cisco asa 5510 running. These are
> the steps I've done to set it up.
>
> #aptitude install squid3
> #vi /etc/squid3/squid.conf
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all
> http_access deny all
> icp_access deny all
> htcp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/cache/squid3 3 32 256
> access_log /var/log/squid3/access.log squid
> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern (cgi-bin|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> wccp2_router 10.1.7.1
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> client_persistent_connections off
> icp_port 3130
> coredump_dir /var/spool/squid3
>
> #iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
> #ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
> #echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter
> #iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> #echo 1 >/proc/sys/net/ipv4/ip_forward
>
> The asa detects the proxy and redirects the packets. On the
> squid-machine, I can see the syn-packets from the client, but no
> ack-packets.
> The counter for the iptables-rule is also increasing. If I remove the
> iptables-rule, the clients can browse the web, because the squid-machine
> is acting as a router, so the gre-tunnel seems to work correctly.
> After some research, I've found out that the ack-packets are sent out
> at eth0. I don't think it's the correct way.
>
> Are there any things I've forgotten? All howto's I've found don't tell
> me any other steps.

Ack is probably between squidIP and clientIP. You may need to SNAT it back towards the client.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Amos
RE: FW: [squid-users] Tproxy Help // Transparent works fine
On Wed, 17 Jun 2009 10:28:35 -0700, "Alexandre DeAraujo" wrote:
>> Does access.log say anything is arriving at Squid?
>> Are you able to track the packets anywhere else?
>>
>> Amos
>
> Once the client tries to browse, the connection times out after 100-150
> seconds and displays the error page:
>
> The following error was encountered while trying to retrieve the URL:
> http://www.msn.com/
> Connection to 207.68.172.246 failed.
> The system returned: (110) Connection timed out
> The remote host or network may be down. Please try the request again.
>
> ...and the following message will show in the access.log (at the same time as
> the timeout page is shown in the browser):
>
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
>
> Nothing else will show in the access.log from the moment that the client
> tries to browse.
>
> The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is
> everything from the time the client tries to browse to when the connection
> times out.
> client ip = 192.168.10.3
> squid ip = 192.168.20.10
> msn.com ip = 207.68.172.246
>
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1

... shows several packets where the client is connecting straight to the squid IP as a regular proxy!!
(I assume squid handles the requests and spoofs the client IP: 192.168.10.3->207.68.172.246)

> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends them to Squid for handling...
(I assume squid handles the requests and spoofs the client IP: 192.168.10.3->207.68.172.246)

> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends them to Squid for handling...

... IF my assumption about where each of those packets is originating is true. It seems like a triangle of doom.

IMO Squid needs to be given a dedicated _interface_ on the router. And any packets coming from that _interface_ be exempted from WCCP route-back.

Amos
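The packet analysis in that reply can be mechanised. The following is an added example, not part of the thread and not Squid code: it parses the kernel LOG lines quoted above and sorts each packet into the three kinds the reply describes (the client talking to Squid on 3128 as an explicit proxy, Squid's own spoofed SYN with the client's source address coming back in on the WCCP interface, and the real client's RST). To tell the last two apart it adds one hint the reply does not use, the remaining TTL: a Linux sender starts at 64 and a Windows sender at 128, so 63 and 127 are each one hop away. That mapping is this example's assumption; the sample lines are copied from the quoted log with the retry tail shortened.

```python
"""Label iptables LOG lines from the TPROXY/WCCP thread above.

Added example, not part of the thread. Parses 'kernel: IN=... SRC=...' lines
(key=value tokens plus bare TCP flag words) and classifies each packet.
Assumption: TTL just under 64 means a Linux sender, just under 128 a Windows
sender. Sample lines are copied from the quoted log, retries shortened.
"""
import re
from typing import Dict, Iterable, NamedTuple

KV = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}


class Packet(NamedTuple):
    when: str
    iface: str
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    flags: frozenset


def parse_log_line(line: str) -> Packet:
    when, sep, body = line.partition("kernel: ")
    if not sep:
        raise ValueError(f"not a kernel LOG line: {line!r}")
    kv = dict(KV.findall(body))
    flags = frozenset(tok for tok in body.split() if tok in TCP_FLAGS)
    return Packet(when.strip(), kv["IN"], kv["SRC"], kv["DST"],
                  int(kv["SPT"]), int(kv["DPT"]), int(kv["TTL"]), flags)


def sender_family(ttl: int) -> str:
    """Guess the sending OS from the TTL left on arrival (assumption, see above)."""
    if 0 < ttl <= 64:
        return "linux"
    if 64 < ttl <= 128:
        return "windows"
    return "other"


def classify(p: Packet, client: str, squid: str, proxy_port: int = 3128) -> str:
    if p.src == client and p.dst == squid and p.dport == proxy_port:
        return "explicit-proxy"               # browser configured to use Squid directly
    if p.src == client and p.dport == 80:
        if "SYN" in p.flags and sender_family(p.ttl) == "linux":
            return "spoofed-syn-looped-back"  # Squid's outbound SYN, redirected back at it
        if "RST" in p.flags and sender_family(p.ttl) == "windows":
            return "client-rst"               # real client answering a SYN-ACK it never asked for
    return "other"


def diagnose(lines: Iterable[str], client: str, squid: str) -> Dict[str, int]:
    """Count packets per label over a LOG capture."""
    counts: Dict[str, int] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        label = classify(parse_log_line(raw), client, squid)
        counts[label] = counts.get(label, 0) + 1
    return counts


def has_route_back_loop(counts: Dict[str, int]) -> bool:
    """The 'triangle': Squid's own spoofed SYNs are being handed back to Squid."""
    return counts.get("spoofed-syn-looped-back", 0) > 0


# Copied from the quoted log; later retries omitted.
SAMPLE_LOG = """\
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
"""
```

Run against the capture, `diagnose` reports three explicit-proxy packets and two spoofed-SYN/RST pairs, and `has_route_back_loop` is true: the router is handing Squid's own outbound connections back to Squid, which is exactly why the reply asks for Squid's interface to be exempted from WCCP redirection. The TTL heuristic is only a hint; a hop count that differs from one, or a sender with a non-default TTL, would need the mapping adjusted.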
RE: [squid-users] Problems with H/W SSL acceleration
On Wed, 17 Jun 2009 09:39:16 -0700, "Steven Paster" wrote:
> Thank you for your response.
>
> We will try with a later version of squid. I am, however, greatly
> confused. Does squid support h/w acceleration? Cavium claims it does
> not.

AFAIK we have not explicitly tested or added such to Squid. The capabilities are fully offloaded to whatever libraries are provided to Squid at build time.

I would expect that if the Cavium libraries provide the same API as OpenSSL they can wrap the H/W support in a way usable by Squid. If special calls are needed it's not too hard to patch Squid for this type of thing.

Amos

> Steven Paster
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Tuesday, June 16, 2009 6:11 PM
> To: Steven Paster
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Problems with H/W SSL acceleration
>
> On Tue, 16 Jun 2009 15:30:54 -0700, "Steven Paster" wrote:
>> Hi,
>>
>> We are trying to use a Cavium H/W SSL acceleration card to accelerate SSL
>> encryption. The Cavium driver builds and installs without complaint.
>> Cavium supplies an SDK for building libcrypto.a and libssl.a. These too
>> built without issue.
>>
>> We compiled Squid 3.1.0.4 statically using the Cavium supplied libraries
>> and the configuration options: "--with-openssl=" and "--enable-ssl".
>> (We used ldd to confirm that Squid built statically with the correct
>> libraries.) In our squid.conf file we added "ssl_engine cavium" as per
>> information provided by Cavium; but, we get the message:
>> FATAL Unable to find SSL engine 'cavium'. Cavium has tested with Apache
>> but never with Squid.
>
> Please try with current 3.1 or snapshot to be sure this is not already
> fixed.
> We have a few thousand lines of code changed every Squid beta release,
> 3.1.0.4 is now quite old.
>
>> Questions:
>> 1) Does Squid require a patch for SSL crypto h/w acceleration?
>> 2) Are there any Squid settings I need to know about?
>> 3) Has anyone been successful with another h/w card? We are not wedded to
>> Cavium.
>>
>> Forgive me if this territory has been covered in the past; I'm new to
>> Squid. Thank you in advance for any help,
>>
>> Steven Paster
>> FaceTime Communications
>
> Amos
> Squid-3 Release Maintainer
[squid-users] Is something out there bamboozling Squid?
Everyone:

Just this past week, our Squid cache has become balky, with long page loads from some sites and timeouts or partial page loads from others. (It's gotten to the point where performance is better without the cache.) I thought that it was just us, but another system administrator in town has complained of the same symptom: weird delays through the cache and none without it.

Is there some popular site out there which has started doing something that ties Squid in knots?

--Brett Glass
[squid-users] How to never cache a directory of website?
I use squid as a reverse proxy for my website. I want squid to never cache a directory in the website; the URL of the directory is http://www.abc.com/news/. How can I do it?

Thanks
[squid-users] LDAP Authentication and Logging
Hi,

If I set up squid to require authentication against my Win2003 AD, will the usernames appear in the log file?

I have about 150 users hitting the web from 3 terminal servers through squid. I need to be able to see who a request came from, not just which server it came from.

Thanks,
James House
[squid-users] Re: RPC over HTTP & NTLM
Is it possible to have squid run as an accel for Exchange 2007 rpc/http with ntlm authentication? I've disabled SSL and it seems that login=PASS only supports Basic Authentication. Thanks, -Devon
[squid-users] Please help me install videocache 1.9.1
I have installed squid and it's running fine. Now I am trying to install videocache.

First I did
# python setup.py install
[in the videocache-1.9.1 folder]

But at that time python-iniparse was not installed. I then installed iniparse, but now when I try to do
# python setup.py install
I get the following errors:

vpro:/home/ztel/videocache-1.9.1# python setup.py install
Traceback (most recent call last):
  File "setup.py", line 397, in <module>
    setup(root)
  File "setup.py", line 288, in setup
    if not dir_perms_and_ownership(new_dir, squid_user, squid_group):
  File "setup.py", line 76, in dir_perms_and_ownership
    user = pwd.getpwnam(user)[2]
KeyError: 'getpwnam(): name not found: squid'
vpro:/home/ztel/videocache-1.9.1#

and here is the videocache setup log:

2009-06-17 13:03:15,039 INFO Directory /etc/apache2/conf.d already exists.
2009-06-17 13:03:15,039 INFO Directory /etc already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/share already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/share/man/man8 already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/sbin already exists.
2009-06-17 13:03:15,040 INFO Directory /var/log/videocache already exists.

Please tell me how I can overcome this.

Thank you very much
Re: [squid-users] squid and wccp doesn't work
Hi Tom,

Exactly the same problem I have. Please let me know if you come across anything.

-Parvinder Bhasin

On Jun 17, 2009, at 11:50 AM, Tom Penndorf wrote:

> Hello,
>
> I'm trying to get squid and wccp on a cisco asa 5510 running. These are
> the steps I've done to set it up.
>
> #aptitude install squid3
> #vi /etc/squid3/squid.conf
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all
> http_access deny all
> icp_access deny all
> htcp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/cache/squid3 3 32 256
> access_log /var/log/squid3/access.log squid
> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern (cgi-bin|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> wccp2_router 10.1.7.1
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> client_persistent_connections off
> icp_port 3130
> coredump_dir /var/spool/squid3
>
> #iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
> #ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
> #echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter
> #iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> #echo 1 >/proc/sys/net/ipv4/ip_forward
>
> The asa detects the proxy and redirects the packets. On the squid-machine,
> I can see the syn-packets from the client, but no ack-packets. The counter
> for the iptables-rule is also increasing. If I remove the iptables-rule,
> the clients can browse the web, because the squid-machine is acting as a
> router, so the gre-tunnel seems to work correctly. After some research,
> I've found out that the ack-packets are sent out at eth0. I don't think
> it's the correct way.
>
> Are there any things I've forgotten? All howto's I've found don't tell me
> any other steps.
>
> System is Debian lenny with squid 3.0.STABLE8-3.
>
> Is there anyone who can give me a hint?
>
> Thanks,
> Tom
[squid-users] squid and wccp doesn't work
Hello,

I'm trying to get squid and wccp on a cisco asa 5510 running. These are the steps I've done to set it up.

#aptitude install squid3
#vi /etc/squid3/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/cache/squid3 3 32 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
wccp2_router 10.1.7.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
client_persistent_connections off
icp_port 3130
coredump_dir /var/spool/squid3

#iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
#ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
#echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter
#iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#echo 1 >/proc/sys/net/ipv4/ip_forward   # path corrected; the post read /proc/sys/ipv4/ip_forward, which does not exist

The asa detects the proxy and redirects the packets. On the squid-machine, I can see the syn-packets from the client, but no ack-packets. The counter for the iptables-rule is also increasing. If I remove the iptables-rule, the clients can browse the web, because the squid-machine is acting as a router, so the gre-tunnel seems to work correctly. After some research, I've found out that the ack-packets are sent out at eth0. I don't think it's the correct way.

Are there any things I've forgotten? All howto's I've found don't tell me any other steps.

System is Debian lenny with squid 3.0.STABLE8-3.

Is there anyone who can give me a hint?

Thanks,
Tom
Re: [squid-users] Authentication loop
csampath wrote:
> Hi,
> Nice to see your quick response.
> I compiled with the --enable-linux-netfilter configuration. You mean to say
> compile squid without that flag to run squid in accel mode?

I mean to say you can't use proxy authentication with an intercepting proxy.

> I tried without vhost and vport. Just giving defaultsite=X.xom, the
> request is not going to the correct URL. Any suggestion in the config file?

Remove authentication.

> -Sampath

Chris
RE: FW: [squid-users] Tproxy Help // Transparent works fine
> Does access.log say anything is arriving at Squid?
> Are you able to track the packets anywhere else?
>
> Amos

Once the client tries to browse, the connection times out after 100-150 seconds and displays the error page:

The following error was encountered while trying to retrieve the URL: http://www.msn.com/
Connection to 207.68.172.246 failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.

...and the following message will show in the access.log (at the same time as the timeout page is shown in the browser):

1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html

Nothing else will show in the access.log from the moment that the client tries to browse.

The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is everything from the time the client tries to browse to when the connection times out.
client ip = 192.168.10.3
squid ip = 192.168.20.10
msn.com ip = 207.68.172.246

Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46345 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4660 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46346 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4664 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46347 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4673 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32546 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4683 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32547 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4684 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32548 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4688 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:51 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32549 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN UR
RE: [squid-users] Problems with H/W SSL acceleration
Thank you for your response.

We will try with a later version of squid. I am, however, greatly confused. Does squid support h/w acceleration? Cavium claims it does not.

Steven Paster

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, June 16, 2009 6:11 PM
To: Steven Paster
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Problems with H/W SSL acceleration

On Tue, 16 Jun 2009 15:30:54 -0700, "Steven Paster" wrote:
> Hi,
>
> We are trying to use a Cavium H/W SSL acceleration card to accelerate SSL
> encryption. The Cavium driver builds and installs without complaint.
> Cavium supplies an SDK for building libcrypto.a and libssl.a. These too
> built without issue.
>
> We compiled Squid 3.1.0.4 statically using the Cavium supplied libraries
> and the configuration options: "--with-openssl=" and "--enable-ssl".
> (We used ldd to confirm that Squid built statically with the correct
> libraries.) In our squid.conf file we added "ssl_engine cavium" as per
> information provided by Cavium; but, we get the message:
> FATAL Unable to find SSL engine 'cavium'. Cavium has tested with Apache
> but never with Squid.

Please try with current 3.1 or snapshot to be sure this is not already fixed.
We have a few thousand lines of code changed every Squid beta release, 3.1.0.4 is now quite old.

> Questions:
> 1) Does Squid require a patch for SSL crypto h/w acceleration?
> 2) Are there any Squid settings I need to know about?
> 3) Has anyone been successful with another h/w card? We are not wedded to
> Cavium.
>
> Forgive me if this territory has been covered in the past; I'm new to
> Squid. Thank you in advance for any help,
>
> Steven Paster
> FaceTime Communications

Amos
Squid-3 Release Maintainer
Re: Fw: Re: [squid-users] NONE/411 Length Required
Bijayant Kumar wrote:
> --- On Mon, 15/6/09, Bijayant Kumar wrote:
>> From: Bijayant Kumar
>> Subject: Re: [squid-users] NONE/411 Length Required
>> To: "squid users"
>> Date: Monday, 15 June, 2009, 6:48 PM
>>
>> --- On Mon, 15/6/09, Amos Jeffries wrote:
>>> From: Amos Jeffries
>>> Subject: Re: [squid-users] NONE/411 Length Required
>>> To: "Bijayant Kumar"
>>> Cc: "squid users"
>>> Date: Monday, 15 June, 2009, 6:06 PM
>>>
>>> Bijayant Kumar wrote:
>>>> Hello list,
>>>>
>>>> I have Squid version 3.0.STABLE10 installed on a Gentoo linux box. All
>>>> things are working fine, meaning caching, proxying etc. There is a
>>>> problem with some sites. When I am accessing one of those sites, in
>>>> access.log I am getting
>>>>
>>>> NONE/411 3692 POST http://.justdial.com/autosuggest_category_query_main.php? - NONE/- text/html
>>>>
>>>> And on the webpage I am getting the whole error page of squid. Actually
>>>> it's a search related page. In the search criteria field, as soon as I
>>>> am typing after two words I am getting this error. The website in
>>>> question is "http://justdial.com". But it works without the Squid.
>>>>
>>>> I tried to capture the http headers also, which are as below:
>>>>
>>>> http://.justdial.com/autosuggest_category_query_main.php?city=Bangalore&search=Ka
>>>>
>>>> POST /autosuggest_category_query_main.php?city=Bangalore&search=Ka HTTP/1.1
>>>> Host: .justdial.com
>>>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16
>>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.7,hi;q=0.3
>>>> Accept-Encoding: gzip,deflate
>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>> Keep-Alive: 300
>>>> Connection: keep-alive
>>>> Referer: http://.justdial.com/
>>>> Cookie: PHPSESSID=d1d12004187d4bf1f084a1252ec46cef; __utma=79653650.2087995718.1245064656.1245064656.1245064656.1; __utmb=79653650; __utmc=79653650; __utmz=79653650.1245064656.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CITY=Bangalore
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>>
>>>> HTTP/1.x 411 Length Required
>>>> Server: squid/3.0.STABLE10
>>>> Mime-Version: 1.0
>>>> Date: Mon, 15 Jun 2009 11:18:10 GMT
>>>> Content-Type: text/html
>>>> Content-Length: 3287
>>>> Expires: Mon, 15 Jun 2009 11:18:10 GMT
>>>> X-Squid-Error: ERR_INVALID_REQ 0
>>>> X-Cache: MISS from bijayant.kavach.blr
>>>> X-Cache-Lookup: NONE from bijayant.kavach.blr:3128
>>>> Via: 1.0 bijayant.kavach.blr (squid/3.0.STABLE10)
>>>> Proxy-Connection: close
>>>>
>>>> Please suggest me what could be the reason and how to resolve this. Any
>>>> help/pointer can be very helpful for me.
>>>>
>>>> Bijayant Kumar
>>>
>>> NONE - no upstream source.
>>> 411 - "Content-Length missing"
>>>
>>> HTTP requires a Content-Length: header on POST requests.
>>
>> How to resolve this issue? Because the website is on the internet and
>> it's working fine without the squid. When I am bypassing the proxy, I am
>> not getting any type of error. Can't this website be accessed through the
>> Squid?

From Mark's reply it looks like Squid might be able to handle these weird empty POST requests if someone can find the patch.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
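The framing rule behind that 411, as an added example that is neither Squid source nor part of the thread: a proxy has to know where a request body ends before it can forward the request, so a POST needs either a Content-Length or a chunked Transfer-Encoding (RFC 2616 section 4.4), and with neither the answer is 411 Length Required. The check below also refuses a request that carries both headers, because the two can disagree and a proxy and origin that pick different ones can be desynchronised (request smuggling); that refusal is this example's choice, not a claim about Squid. The first sample is the captured POST quoted above with the long Accept and Cookie headers dropped; the other samples are constructed variants. `BODY_METHODS` is an assumption of the example.

```python
"""Decide a request's body framing the way a length-strict proxy does.

Added example, not Squid source and not from the thread. A body-bearing
request must carry Content-Length or a final "chunked" Transfer-Encoding
(RFC 2616 section 4.4); with neither, a proxy cannot find the end of the
body and answers 411. Both headers at once is rejected here as ambiguous.
The first sample is the captured POST from the thread (long headers
dropped); the rest are constructed. BODY_METHODS is an assumption.
"""
from typing import Dict, Tuple

BODY_METHODS = {"POST", "PUT"}   # methods expected to carry a body (assumption)


def parse_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head: no blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def framing_status(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason); 200 means the request can be forwarded as framed."""
    method, _, _, h = parse_head(raw)
    te = h.get("transfer-encoding")
    cl = h.get("content-length")
    if te is not None and cl is not None:
        return 400, "Content-Length and Transfer-Encoding together: ambiguous framing"
    if te is not None:
        if te.split(",")[-1].strip().lower() == "chunked":
            return 200, "body framed by chunked encoding"
        return 400, "Transfer-Encoding without a final chunked coding"
    if cl is not None:
        if not cl.isdigit():
            return 400, "malformed Content-Length"
        return 200, f"body framed by Content-Length {cl}"
    if method in BODY_METHODS:
        return 411, "Length Required: body-bearing method without Content-Length"
    return 200, "no body expected"


# Captured request from the thread above, long headers dropped.
CAPTURED_POST = (
    b"POST /autosuggest_category_query_main.php?city=Bangalore&search=Ka HTTP/1.1\r\n"
    b"Host: .justdial.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16\r\n"
    b"Keep-Alive: 300\r\n"
    b"Connection: keep-alive\r\n"
    b"Referer: http://.justdial.com/\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
# Constructed variants.
FIXED_POST = b"POST /x HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n"
CHUNKED_POST = b"POST /x HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
AMBIGUOUS_POST = b"POST /x HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("captured", CAPTURED_POST), ("fixed", FIXED_POST),
                      ("chunked", CHUNKED_POST), ("ambiguous", AMBIGUOUS_POST), ("get", PLAIN_GET)]:
        print(f"{name:10} -> {framing_status(req)}")
```

The captured request really is an empty POST with no framing at all, which is why the fix has to come from the client side (send `Content-Length: 0`) or from a proxy willing to assume an empty body for such requests, as the reply suggests a patch might.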
[squid-users] squid date based acls
Hi,

I was just looking to set up ACLs based on dates, eg something like:

acl termtime date 01/06-31/08
acl summertime date 01/09-31/05

but I can't seem to find that feature in the manual. Is this not possible or have I missed something?

If it's not currently in squid, would it be a useful feature for people other than me?

Gavin
Re: [squid-users] Betr.: [squid-users] How does Squid handle bandwidth distribution
Arnaud Loonstra wrote:
> On Wed, Jun 17, 2009 at 2:16 pm, Mark Lodge wrote in message <4a38deb9.6010...@gmail.com>:
>> Can squid do 'fair bandwidth sharing'? What I mean is, if there is 1 user
>> online on a 4mg line, that user will be using the entire 4mg line speed,
>> and if there are 2 users online, each user will have 2mg line speed, and
>> so on. I have squid cache set up already, but I just need to know how
>> bandwidth distribution/sharing can be handled.
>>
>> Can squid also be used to limit/disconnect users after they have used up
>> their allotted bandwidth? [I have a mikrotik router connected to the adsl
>> (for wireless users)]
>>
>> I would really appreciate your comments and help
>> Thank you
>
> Yes it does, sort of. It's called delay pools. See google, i.e.:
> http://quark.humbug.org.au/publications/squid/aclsquid.html
> It might do what you need

No. It places a maximum bandwidth cap and speed limit on all applicable requests, regardless of other traffic. Fair, but not what was asked for.

To divide the line evenly between concurrent users is what Squid already natively does. This is not noticeable because HTTP is stateless and defines one 'user' as one 'request'. There are either N concurrent requests or none. Squid handles N concurrent requests by reading what it can for one and then moving on to the next.

Imagine this: given 1 large request + 1 small request, Squid will read the small request and part of the large request in one cycle. The small one is much more likely to be finished after that cycle, leaving the large request with a full-bandwidth pipe to suck from in the next. The result is the small one being finished at maybe half speed, and the large one seeing a very light blip in its overall transfer.

Spread this across many dozens of requests all starting and stopping at different times and it becomes nearly impossible to tell what's "fair" and what's not.

You can use the delay pools to set caps on each IP or authenticated user connecting and hope it's relatively fair. But there will be spots of wastage with low visitor counts.

Someone asked recently about having a custom ACL (external_acl_type) which kicked people into a delay pool when the bandwidth pipe was reaching capacity. So people only got limited when the network was under stress or they were downloading a very big file. That seems a nice way to go about it, but does involve some complexity detecting the load.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
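The three behaviours contrasted in that reply can be put side by side in a small model. This is an added example, not Squid's scheduler and not part of the thread: it steps through whole seconds on a line of fixed capacity and compares "native" (every active request gets an equal share of what the line can move this second, the round-robin reading described above, where the unit is a request and not a user), "pool" (on top of that, each client host has a per-second cap, like a class 2 delay pool with a per-host bucket, which holds even when the line is otherwise idle) and "adaptive" (the per-host cap applies only while more than one host is active, a crude stand-in for the external_acl_type idea). The 4 Mbit line, the half-line cap, the hosts and the request sizes are all constructed.

```python
"""Model request-based fair share vs a per-host delay pool cap.

Added example, not Squid code and not part of the thread. Policies:
  native   - equal share per active request (the reply's round-robin read)
  pool     - plus a per-host per-second cap, enforced even on an idle line
  adaptive - the cap only while more than one host is active (assumption)
Line size, cap, hosts and request sizes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_BPS = 4_000_000 // 8       # 4 Mbit/s line in bytes per second (constructed)
HOST_CAP_BPS = LINE_BPS // 2    # per-host cap of half the line (constructed)
POLICIES = ("native", "pool", "adaptive")


@dataclass
class Request:
    host: str
    remaining: int      # bytes still to transfer
    done_at: int = 0    # second (1-based) in which it finished


def allocate(active: List[Request], line: int, host_cap: Optional[int]) -> Dict[int, int]:
    """Water-fill `line` bytes over the active requests in equal shares.

    A request drops out once it has nothing left to read or, when a host cap
    is in force, once its host has used up this second's cap (the cap is
    drained first-come, as a shared bucket would be). Bytes nobody can take
    are left unused: that is the "wastage".
    """
    alloc = {id(r): 0 for r in active}
    host_used: Dict[str, int] = {}
    pending = list(active)
    budget = line
    while pending and budget > 0:
        share = budget // len(pending)
        if share == 0:
            break
        still = []
        for r in pending:
            room = r.remaining - alloc[id(r)]
            if host_cap is not None:
                room = min(room, host_cap - host_used.get(r.host, 0))
            give = min(share, room)
            alloc[id(r)] += give
            host_used[r.host] = host_used.get(r.host, 0) + give
            budget -= give
            if room > share:        # could have taken more: stays in the next round
                still.append(r)
        pending = still
    return alloc


def simulate(jobs: List[Request], policy: str, line: int = LINE_BPS,
             host_cap: int = HOST_CAP_BPS, max_seconds: int = 10_000) -> List[int]:
    """Run until every request has finished; return each one's finishing second."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    reqs = [Request(j.host, j.remaining) for j in jobs]
    for sec in range(1, max_seconds + 1):
        active = [r for r in reqs if r.remaining > 0]
        if not active:
            break
        contended = len({r.host for r in active}) > 1
        cap = host_cap if policy == "pool" or (policy == "adaptive" and contended) else None
        got = allocate(active, line, cap)
        for r in active:
            r.remaining -= got[id(r)]
            if r.remaining == 0:
                r.done_at = sec
    return [r.done_at for r in reqs]


def compare(jobs: List[Request]) -> Dict[str, List[int]]:
    return {p: simulate(jobs, p) for p in POLICIES}


if __name__ == "__main__":
    print("lone 2 MB download:", compare([Request("A", 2_000_000)]))
    print("2 MB + 100 KB:", compare([Request("A", 2_000_000), Request("B", 100_000)]))
    print("3 vs 1 requests:", compare([Request("A", 1_000_000), Request("A", 1_000_000),
                                      Request("A", 1_000_000), Request("B", 500_000)]))
```

Three things fall out of the runs. A lone 2 MB download takes 4 s natively but 8 s under the per-host cap, which is the wastage at low visitor counts. With a large and a small request together, the small one finishes in the first second under every policy, which is the "light blip" the reply describes. And when host A opens three requests against host B's one, the request-based share gives A three quarters of the line, while the capped policies hold A to half and let B finish in 2 s instead of 4; the adaptive variant then lifts the cap once B is gone, so A still finishes by second 8 rather than 12.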
RE: [squid-users] Applying ACLs to access_log directive
Hi Chris,

Thank you for the response. Yes, the third column of the log shows the host IP of the machine requesting pages.

Regards,
Jon Gregory

-Original Message-
From: crobert...@gci.net [mailto:crobert...@gci.net]
Sent: Tue 16 June 2009 21:04
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Applying ACLs to access_log directive

Jon Gregory wrote:
> I am using SquidNT 2.7 STABLE 5 on WinXP SP3 running as a service and would like to sense check what I am attempting but failing to achieve. From all the documentation I have read from Visolve, squid-cache.org FAQ and this list's history I am creating a valid set of directives in the below format.
>
> access_log [ [acl acl ...]]
>
> I am wanting to direct logging to individual files depending on the source network while still capturing all requests in the access.log. The example below is how I have attempted to implement this but the result is that access.log logs all events which is okay but the network specific logs remain empty.
>
> acl NET_A src 192.168.0.0/24
> acl NET_A src 10.20.30.0/24
> acl NET_B src 192.168.1.0/24
> acl NET_C src 192.168.2.0/24
>
> access_log c:/squid/var/logs/access_NET_A.log squid NET_A
> access_log c:/squid/var/logs/access_NET_B.log squid NET_B
> access_log c:/squid/var/logs/access_NET_C.log squid NET_C
> access_log c:/squid/var/logs/access.log squid

That looks right...

> In an attempt to test I have also implemented a usergroup based ACL I can get logging to individual files and to the catch all access.log which works as I would expect.
>
> acl Admins external NT_local_group Administrators
>
> access_log c:/squid/var/logs/access_ADMINS.log squid Admins
> access_log c:/squid/var/logs/access.log squid

So it works...

> What am I not understanding? Is there a dependence on the acl type when using access_log?

Do the entries in c:/squid/var/logs/access.log show the remotehost IP in the third column?

Chris

This message is meant for the sole viewing of the addressee. If you have received this message in error please reply to the sender to inform them of their mistake. The views and opinions expressed in this email are not necessarily endorsed by Innovate Logistics Ltd (Company No. 02058414). Disclaimer : This e-mail has been scanned using Anti-Virus Software, although all efforts have been made to make this email safe it is always a wise precaution to scan this message with your own Anti-Virus Software.
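The check Chris asks for, done offline: read the third column of native-format access.log lines and see which `acl NAME src` network each client falls in, so you can tell whether the per-network logs should have anything in them. This is an added example, not Squid code; the ACL lines copy Jon's, while the log lines and hostnames are constructed.

```python
"""Does column 3 of a native-format access.log hold a client IP, and which
`acl NAME src` network does it match?

Added illustration, not Squid code. The config mirrors the ACLs in the
thread; the log lines and hostnames below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Networks = Dict[str, List[ipaddress.IPv4Network]]


def parse_src_acls(conf: str) -> Networks:
    """Collect `acl NAME src CIDR ...` lines; repeated names union their ranges."""
    nets: Networks = {}
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "src":
            nets.setdefault(tokens[1], []).extend(
                ipaddress.ip_network(cidr, strict=False) for cidr in tokens[3:])
    return nets


def client_of(log_line: str) -> str:
    """Native squid log format: time elapsed client code/status bytes method URL ..."""
    fields = log_line.split()
    if len(fields) < 7:
        raise ValueError("not a native-format access.log line: %r" % log_line)
    return fields[2]


def classify(conf: str, log_lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count log entries per src ACL; also return column-3 values no ACL matched."""
    nets = parse_src_acls(conf)
    counts = {name: 0 for name in nets}
    unmatched: List[str] = []
    for line in log_lines:
        client = client_of(line)
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            # Column 3 is not an IP (a hostname, for instance): no src ACL can
            # match it, which would leave the per-network logs empty.
            unmatched.append(client)
            continue
        hit = False
        for name, ranges in nets.items():
            if any(addr in net for net in ranges):
                counts[name] += 1
                hit = True
        if not hit:
            unmatched.append(client)
    return counts, unmatched


SAMPLE_CONF = """\
acl NET_A src 192.168.0.0/24
acl NET_A src 10.20.30.0/24
acl NET_B src 192.168.1.0/24
acl NET_C src 192.168.2.0/24
"""

# Constructed log lines in squid's native format (column 3 is the client).
SAMPLE_LOG = [
    "1245200000.123    210 192.168.0.15 TCP_MISS/200 5120 GET http://example.test/ - DIRECT/198.51.100.7 text/html",
    "1245200001.456     30 10.20.30.9 TCP_HIT/200 880 GET http://example.test/a.png - NONE/- image/png",
    "1245200002.789    150 192.168.1.77 TCP_MISS/304 290 GET http://example.test/b.js - DIRECT/198.51.100.7 -",
    "1245200003.000     12 172.16.5.5 TCP_DENIED/403 1200 GET http://example.test/ - NONE/- text/html",
    "1245200004.000     12 workstation.corp.test TCP_MISS/200 700 GET http://example.test/ - DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    counts, unmatched = classify(SAMPLE_CONF, SAMPLE_LOG)
    print(counts)     # {'NET_A': 2, 'NET_B': 1, 'NET_C': 0}
    print(unmatched)  # ['172.16.5.5', 'workstation.corp.test']
```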
Re: [squid-users] clean squid.conf
Riccardo Castellani wrote:
> What do you suggest to prepare a clean squid.conf ? I have many many ACL which I use in these directive:

See replies to your email from 3 hours ago. Just the other side of midnight.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
Re: [squid-users] organization squid.conf
Riccardo Castellani wrote:
> What do you suggest to prepare a clean squid.conf ? I have many many ACL which I use in these directive:
> no_cache deny

change #1:
  no_cache deny X
to:
  cache deny X

no_cache is an obsolete option name.

> http_access deny
> http_access allow
>
> 1- To collect ACL all together or I can insert specific ACL groups next to directives where they are used, e.g.
>
> Acl A...
> Acl B...
> Acl C...
> no_cache deny A
> no_cache deny B
> no_cache deny C
>
> Acl E...
> Acl F..
> Acl G...
> http_access allow E
> http_access allow F
> http_access allow G
>
> Acl H...
> Acl I..
> Acl L...
> http_reply_access allow H
> http_reply_access allow I
> http_reply_access deny L

Neither. Look at what the requirements are for each and create logical groupings that do not interfere with each other and in the order configured do what your policy requires.

Also, be extremely careful about http_reply_access. It's often over-blocked by using rules that duplicate http_access. This can either prevent access denied pages getting out to bad viewers, or cause extra useless load. Only use it to filter requests that cannot be checked earlier in http_access.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
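A mechanical pass over a squid.conf for the two points Amos raises (obsolete `no_cache`, and `http_reply_access` rules that merely duplicate `http_access`), plus a check for ACL names used but never defined. This is an added example, not Squid's own tooling; the sample config is constructed.

```python
"""Lint a squid.conf for the issues discussed in this thread.

Added illustration, not Squid's own tooling. Flags obsolete `no_cache`
lines, `http_reply_access` rules identical to an `http_access` rule, and
access rules that reference an ACL the file never defines.
"""
from typing import List, Set, Tuple

Finding = Tuple[int, str]  # (line number, message)

# Directives whose arguments are an allow/deny verb followed by ACL names.
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "cache", "no_cache",
                     "always_direct", "never_direct", "miss_access"}


def _tokens(raw: str) -> List[str]:
    return raw.split("#", 1)[0].split()


def lint_squid_conf(conf: str) -> List[Finding]:
    lines = conf.splitlines()
    # `all` is predefined in Squid 3; Squid 2.7 configs define it explicitly.
    acls: Set[str] = {"all"}
    http_access_rules: Set[Tuple[str, ...]] = set()
    for raw in lines:
        t = _tokens(raw)
        if len(t) >= 3 and t[0] == "acl":
            acls.add(t[1])
        elif len(t) >= 3 and t[0] == "http_access":
            http_access_rules.add(tuple(t[1:]))

    findings: List[Finding] = []
    for no, raw in enumerate(lines, 1):
        t = _tokens(raw)
        if not t or t[0] not in ACCESS_DIRECTIVES:
            continue
        if t[0] == "no_cache":
            findings.append((no, "no_cache is an obsolete option name; write 'cache %s'"
                             % " ".join(t[1:])))
        if len(t) < 3 or t[1] not in ("allow", "deny"):
            findings.append((no, "%s needs 'allow' or 'deny' and at least one ACL" % t[0]))
            continue
        for name in t[2:]:
            bare = name.lstrip("!")
            if bare not in acls:
                findings.append((no, "ACL '%s' is used but never defined" % bare))
        if t[0] == "http_reply_access" and tuple(t[1:]) in http_access_rules:
            findings.append((no, "http_reply_access rule duplicates an http_access rule; "
                                 "reply checks should cover only what requests cannot be checked for"))
    return findings


# Constructed sample: one obsolete directive, one duplicated reply rule,
# one reference to an undefined ACL.
SAMPLE_CONF = """\
acl A src 10.0.0.0/8
acl L dstdomain .example.test
no_cache deny A
http_access allow A
http_access deny all
http_reply_access allow A
http_reply_access deny L
http_access deny Missing
"""

if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print("line %d: %s" % (no, msg))
```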
Re: [squid-users] Squid - WCCP and ASA
Parvinder Bhasin wrote:
> Amos,
>
> The tunnel is actually between the ASA and WCCP enabled squid.

No tunnel is between ASA and the squid box Operating System. Squid itself has nothing to do with the tunnel. Squid's only concern is that the packets are arriving via some interception method. Thus the src/dst IPs are a bit strange and it needs the "transparent" or "intercept" http_port option to handle them.

> All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip???

No you still need the tunnel. But I think assigning a localhost-only address to it may be a bad thing. The other tunnels I know about all need an IP the firewall device can send to. Try without it to see if your packets start appearing.

> the squid box has an internal interface and is not connected to the internet directly.

There are three categories of traffic interface:
  WAN - Internet facing
  LAN - local network facing
  localhost - not even getting past the NIC onto the wire.

> The squid box itself goes out the ASA and fetches the pages. Basically its NATed.

Can you trace the packets as far as reaching Squid and starting their way out again though? If so the tunnels etc are fine. But the routing exemption to allow for Squid box connections out through the router may be whacked.

Amos

> -Parvinder Bhasin
>
> On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:
>> On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin wrote:
>>> I have setup of squid ..which was compiled with --enable-delay-pools option. Works really well but without WCCP. I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc. For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting anything back reply back. Do I need anything in iptables to allow etc??? do I need to compile with some transparent support?? if so which one would I use for ASA? Any help is highly appreciated.
>>>
>>> Here is part of my config:
>>>
>>> http_port 3128 transparent
>>> wccp2_router 192.168.100.250
>>> wccp_version 4
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_service standard 0
>>>
>>> Additionally here is what I did to setup tunnel:
>>>
>>> modprobe ip_gre
>>> iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
>>> ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up
>>
>> IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box. If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.
>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>>> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
>>>
>>> iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> I do see the RX counter going up but not the TX on gre1:
>>>
>>> gre1 Link encap:UNSPEC HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
>>>      inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.0
>>>      UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
>>>      RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
>>>      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>      collisions:0 txqueuelen:0
>>>      RX bytes:83432 (81.4 KiB) TX bytes:0 (0.0 b)
>>>
>>> Here is tcpdump output:
>>>
>>> [r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
>>> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>>> 14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535
>>> 14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535
>>> 14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535
>>> 14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535
>>> 14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535
>>> 14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535
>>> 14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
>>> 14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535
>>> 14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
>>> 14:13:49.029600 IP 192.168.100.1
Re: [squid-users] Squid for Windows users **Best Practice**
Beavis wrote:
> thanks for the reply amos..
>
> I'm sorry it seems that i have not been clear on how i want to do this. I'm not planning to put squid on windows, my plan is to get some "best practice" from folks that have experience on using squid as a proxy for their windows network (with AD and all).

(sorry about the rant)

The official Squid wiki and website I reference below are the only current / most accurate authoritative sources. They are kept very up to date with current info as things change. One of my hobby tasks (and Francesco Chemolli who admins the wiki) is going through and re-organising the old FAQ and Squid Authoritative Guide book excerpts into an easier reading format and removing obsolete facts. If we have incorrect or missing data, please point it out for an update.

FWIW: Only Squid 2.7 or higher are supported free by the project members. 2.6 and older are starting to cost real money as they obsolete.

If you are one of the crowd who recently have started making their own versions please note all the existing third-party "best practice" recommendations often quickly change to incorrect and outdated. Thus the wiki format for our own authoritative sources. We would rather references to our documents than re-writes, and please, please specify clearly what versions of Squid your document is talking about. I for one am tired of fixing new users' 'understanding' from obsolete Squid tutorials.

/rant

> I'm looking for some suggestions or common setup's on their squid where.
>
> a.) squid can determine the AD user's group and give them their own list of ACL's

The first part of that requirement is:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Not sure about the "give them their own list of ACL's". Squid only uses explicit ACLs defined by you in its config. Some can be sort of dynamic based on custom helpers though:
http://wiki.squid-cache.org/Features/Authentication

The method of configuration can limit certain ACL to only be tested if the result of another ACL is true. Anything that can be stated as boolean logic with the ACL types provided.

> b.) redundancy setup's

HTTP is stateless. Auth is not really much different. Redundancy is built into the back end (AD, LDAP, RADIUS, etc) or the very front end (PAC, LVS, etc) outside of Squid. During a failover event either Squid will have the auth result cached and things "just work". Or squid will deny the lookup until its source is fixed or changed. Helpers theoretically can do this second, I'm not sure if they do though.

> c.) recommended "most common" way of authenticating AD users to squid. (NTLM, LDAP, ADS)

Not sure if there is a "most common". Every admin has their own preferences and local site requirements. There are as many methods of operation as there are software to do the auth and ways to connect to that software.

The auth methods we get asked about often enough for someone to do a write-up are listed under Authentication at:
http://wiki.squid-cache.org/Features/Authentication

> thanks again,
> -b
>
> On Tue, Jun 16, 2009 at 6:54 PM, Amos Jeffries wrote:
>> On Tue, 16 Jun 2009 17:29:33 -0600, Beavis wrote:
>>> All,
>>>
>>> I just want to get some views from folks that use squid on a windows environment. I'm looking at the following scenario.
>>>
>>> a.) running squid that can be use by windows users (auth via ldap, ntlm. AD)
>>> b.) site access is on a per group basis (squid auth or through squidguard)
>>> c.) Squid Redundancy.
>>
>> Being a squid linux admin with many users on windows I can say that none of the above require Squid to run on a windows box. Samba + the provided squid helpers handle windows authentications just fine from most non-windows OS.
>>
>> Amos

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
[squid-users] clean squid.conf
What do you suggest to prepare a clean squid.conf ? I have many many ACL which I use in these directive:

no_cache deny
http_access deny
http_access allow

1- To collect ACL all together or I can insert specific ACL groups next to directives where they are used, e.g.

Acl A...
Acl B...
Acl C...
no_cache deny A
no_cache deny B
no_cache deny C

Acl E...
Acl F..
Acl G...
http_access allow E
http_access allow F
http_access allow G

Acl H...
Acl I..
Acl L...
http_reply_access allow H
http_reply_access allow I
http_reply_access deny L
[squid-users] Betr.: [squid-users] How does Squid handle bandwidth distribution
>>> On Wed, Jun 17, 2009 at 2:16 PM, Mark Lodge wrote in message <4a38deb9.6010...@gmail.com>:
> Can squid do 'fair bandwidth sharing' ?
> What i mean is, if there is 1 user online on a 4mg line, that user will be using the entire 4mg line speed, and if there are 2 users online, each user will have 2mg line speed, and so on.
> I have squid cache set up already, but i just need to know how bandwidth distribution/sharing can be handled
>
> Can squid also be used to limit/disconnect users after they have used up their allotted bandwidth?
>
> [I have a mikrotik router connected to the adsl (for wireless users)]
>
> I would really appreciate your comments and help
> Thank you

Yes it does, sort of. It's called delay pools. See google i.e.: http://quark.humbug.org.au/publications/squid/aclsquid.html

It might do what you need

Arnaud
--
Amarantis Onderwijsgroep
IT Architect
Tel: 033 - 4221885 / 06 - 30053814
Fax: 033 - 2570287
a.loons...@amarantis.nl

Amarantis Onderwijsgroep is the parent organisation of the ISA schools and ROC ASA
Re: [squid-users] Authntication loop
csampath wrote:
> Hi,
>
> Nice to see your quick response.
>
> I compiled with --enable-linux-netfilter configuration. You mean to say compile squid without that flag to run squid in accel mode ?

No. Reverse-proxy mode "Acceleration" of an internal webserver is available by default in current Squid. Where Squid listens on port 80 and gateways to your master web server.

Port-80 Interception is a different mode and requires such options along with "transparent" or "intercept" settings to http_port (can be, but best not to have it on the usual proxy port).

> I tried without vhost and vport . Just giving the defaultsite=X.xom request is not going to the correct URL.
>
> Any suggestion in the config file ?

What usage are you trying to put Squid to? It's hard to give specifics when working to a vague assumption.

Amos

> Chris Robertson-2 wrote:
>> csampath wrote:
>>> Hi All,
>>>
>>> I am using squid3.0 stable 15.
>>>
>>> I am facing the authentication loop . For a page to load squid is asking for 3 to 5 times (may be for each ajax request)
>>>
>>> When I give wrong password it is saying
>>>
>>> Sorry, you are not currently allowed to request http://yahoo.com from this cache until you have authenticated yourself.
>>>
>>> When I give correct password it is asking repeatedly (for every click)
>>>
>>> Here is my squid configuration.
>>>
>>> http_port 3128 accel vport vhost
>>>
>>> auth_param basic program /usr/lib64/squid/squid_radius_auth -f /etc/squid/squid_radius_conf
>>> auth_param basic children 2
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> acl radius-auth proxy_auth REQUIRED
>>> http_access deny all !radius-auth
>>> http_access deny !radius-auth all
>>> http_access allow all
>>> http_reply_access allow all
>>> visible_hostname localhost
>>> #miss_access allow all
>>> cache deny all
>>> always_direct allow all
>>>
>>> can any one suggest me the order of http_access entries in the configuration file?
>>
>> From the information given, I gather that you are running an interception proxy. The accel argument to http_port is meant for acceleration setups, not for interception setups. I further surmise that you chose to go the "accel vport vhost" route because using "transparent" gave configuration errors with authentication.
>>
>> There is a reason for that.
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7
>>
>>> Appreciate your response.
>>>
>>> Thanks
>>> -Sampath.
>>
>> Chris

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
[squid-users] How does Squid handle bandwidth distribution
Can squid do 'fair bandwidth sharing' ?

What i mean is, if there is 1 user online on a 4mg line, that user will be using the entire 4mg line speed, and if there are 2 users online, each user will have 2mg line speed, and so on.

I have squid cache set up already, but i just need to know how bandwidth distribution/sharing can be handled

Can squid also be used to limit/disconnect users after they have used up their allotted bandwidth?

[I have a mikrotik router connected to the adsl (for wireless users)]

I would really appreciate your comments and help
Thank you
[squid-users] Multiple Parent Proxies
Hello all,

My name is Brian, I have a problem that I hope to configure squid to solve, but I'm not really sure where to begin if its even possible.

This is the scenario I have, around the world I have many proxy servers, each serving one subnet and one subnet only. Now to access the computers in these subnets you must go through the proxy associated with them. Due to restrictive software on the client end that I cant change, I need one permanent proxy server hardcoded into the client machine, but I would like the ability to access any one of these subnets, and possibly more than one at once.

What I was hoping to achieve, was to put another proxy running squid between the client and the WAN that would act as the permanent proxy that the client computer is pointing to, but would redirect traffic to another proxy server based on subnet, so that proxy could do its job.

I thought I saw something that looked promising here: http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers , but I'm not sure if there is a way to switch from domain to subnet, and if the servers it redirects to is another proxy or the actual final destination.

Thank you for your time and help,
Brian
[squid-users] organization squid.conf
What do you suggest to prepare a clean squid.conf ? I have many many ACL which I use in these directive:

no_cache deny
http_access deny
http_access allow

1- To collect ACL all together or I can insert specific ACL groups next to directives where they are used, e.g.

Acl A...
Acl B...
Acl C...
no_cache deny A
no_cache deny B
no_cache deny C

Acl E...
Acl F..
Acl G...
http_access allow E
http_access allow F
http_access allow G

Acl H...
Acl I..
Acl L...
http_reply_access allow H
http_reply_access allow I
http_reply_access deny L
Re: AW: [squid-users] Squid - WCCP and ASA
Akos,

You are right ASA does not support any GRE tunnels. But from what I have read by googling "squid asa wccp" is that tunnel is GRE on the proxy server side where as ASA is WCCP. Like I mentioned that I do see ASA REDIRECTING the packets . I see the redirected packets appearing on the proxy server but then I don't get any response back. I think there could be some issue with iptables rule maybe.

-Parvinder Bhasin

On Jun 17, 2009, at 1:38 AM, Daniel, Akos wrote:
> Hi,
>
> ASA does not support any IPoverIP such as GRE. Which SW Version you have on ASA?
>
> Once I tried WCCP and collected my info here:
> http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html
>
> Regards,
> Akos
>
> -Original Message-
> From: Parvinder Bhasin [mailto:parvinder.bha...@gmail.com]
> Sent: Wednesday, 17 June 2009 08:06
> To: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid - WCCP and ASA
>
> Amos,
>
> The tunnel is actually between the ASA and WCCP enabled squid. All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip???
>
> the squid box has an internal interface and is not connected to the internet directly. The squid box itself goes out the ASA and fetches the pages. Basically its NATed.
>
> -Parvinder Bhasin
>
> On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:
>> On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin wrote:
>>> I have setup of squid ..which was compiled with --enable-delay-pools option. Works really well but without WCCP. I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc. For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting anything back reply back. Do I need anything in iptables to allow etc??? do I need to compile with some transparent support?? if so which one would I use for ASA? Any help is highly appreciated.
>>>
>>> Here is part of my config:
>>>
>>> http_port 3128 transparent
>>> wccp2_router 192.168.100.250
>>> wccp_version 4
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_service standard 0
>>>
>>> Additionally here is what I did to setup tunnel:
>>>
>>> modprobe ip_gre
>>> iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
>>> ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up
>>
>> IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box. If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.
>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>>> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
>>>
>>> iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> I do see the RX counter going up but not the TX on gre1:
>>>
>>> gre1 Link encap:UNSPEC HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
>>>      inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.0
>>>      UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
>>>      RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
>>>      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>      collisions:0 txqueuelen:0
>>>      RX bytes:83432 (81.4 KiB) TX bytes:0 (0.0 b)
>>>
>>> Here is tcpdump output:
>>>
>>> [r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
>>> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>>> 14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535
>>> 14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535
>>> 14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535
>>> 14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535
>>> 14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535
>>> 14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535
>>> 14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
>>> 14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535
>>> 14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
>>> 14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http:
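A consistency check over the pieces of this WCCP setup that the two "Squid - WCCP and ASA" threads turn on: the http_port that the iptables REDIRECT targets must carry the "transparent" (or "intercept") flag, a wccp2_router must be set, and the GRE tunnel must not sit on a 127.0.0.0/8 address the router cannot send to. This is an added example, not Squid's or the poster's code; the inputs are copies of the config, commands and ifconfig output quoted above, with the `$ASA_IP`/`$LOCAL_IP` placeholders left as they appear.

```python
"""Check an interception setup for the mistakes discussed in this thread.

Added illustration, not Squid's or the poster's code. Parses squid.conf
lines, the tunnel/iptables setup commands and classic ifconfig output, and
reports: a REDIRECT to a port with no http_port or one lacking the
transparent/intercept flag, a missing wccp2_router, and a tunnel address in
the loopback range.
"""
import ipaddress
import re
from typing import Dict, List, Set

INTERCEPT_FLAGS = {"transparent", "intercept"}


def http_ports(conf: str) -> Dict[int, Set[str]]:
    """Map each http_port number to its option flags."""
    ports: Dict[int, Set[str]] = {}
    for raw in conf.splitlines():
        t = raw.split("#", 1)[0].split()
        if len(t) >= 2 and t[0] == "http_port":
            # Accept both "3128" and "192.0.2.1:3128" forms.
            ports[int(t[1].rsplit(":", 1)[-1])] = set(t[2:])
    return ports


def redirect_ports(commands: str) -> List[int]:
    """Ports targeted by `iptables ... -j REDIRECT --to-port(s) N` commands."""
    return [int(p) for p in re.findall(r"-j REDIRECT --to-ports? (\d+)", commands)]


def tunnel_addresses(commands: str, ifconfig_out: str) -> List[str]:
    """Addresses given to a gre interface, from the setup command or ifconfig output."""
    found = re.findall(r"ifconfig gre\d+ inet (\S+)", commands)
    found += re.findall(r"inet addr:(\S+)", ifconfig_out)
    return found


def check_interception(conf: str, commands: str, ifconfig_out: str) -> List[str]:
    findings: List[str] = []
    ports = http_ports(conf)
    for port in redirect_ports(commands):
        flags = ports.get(port)
        if flags is None:
            findings.append("REDIRECT targets port %d but no http_port listens there" % port)
        elif not flags & INTERCEPT_FLAGS:
            findings.append("http_port %d lacks transparent/intercept; redirected packets "
                            "will not be handled as intercepted traffic" % port)
    if not any(line.split()[:1] == ["wccp2_router"] for line in conf.splitlines()):
        findings.append("no wccp2_router configured; Squid will not register with the router")
    for addr in sorted(set(tunnel_addresses(commands, ifconfig_out))):
        if ipaddress.ip_address(addr).is_loopback:
            findings.append("tunnel address %s is loopback-only; the router needs an "
                            "address it can send to" % addr)
    return findings


# Copies of the config, commands and ifconfig output quoted in the thread.
SAMPLE_CONF = """\
http_port 3128 transparent
wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
"""
SAMPLE_COMMANDS = """\
modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up
iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
"""
SAMPLE_IFCONFIG = """\
gre1 Link encap:UNSPEC HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
     inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
     RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""

if __name__ == "__main__":
    for finding in check_interception(SAMPLE_CONF, SAMPLE_COMMANDS, SAMPLE_IFCONFIG):
        print(finding)  # only the loopback tunnel address is flagged
```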
Re: [squid-users] Authntication loop
Hi,

Nice to see your quick response.

I compiled with --enable-linux-netfilter configuration. You mean to say compile squid without that flag to run squid in accel mode ?

I tried without vhost and vport . Just giving the defaultsite=X.xom request is not going to the correct URL.

Any suggestion in the config file ?

-Sampath

Chris Robertson-2 wrote:
>
> csampath wrote:
>> Hi All,
>>
>> I am using squid3.0 stable 15.
>>
>> I am facing the authentication loop . For a page to load squid is asking for 3 to 5 times (may be for each ajax request)
>>
>> When I give wrong password it is saying
>>
>> Sorry, you are not currently allowed to request http://yahoo.com from this cache until you have authenticated yourself.
>>
>> When I give correct password it is asking repeatedly (for every click)
>>
>> Here is my squid configuration.
>>
>> http_port 3128 accel vport vhost
>>
>> auth_param basic program /usr/lib64/squid/squid_radius_auth -f /etc/squid/squid_radius_conf
>> auth_param basic children 2
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> acl radius-auth proxy_auth REQUIRED
>> http_access deny all !radius-auth
>> http_access deny !radius-auth all
>> http_access allow all
>> http_reply_access allow all
>> visible_hostname localhost
>> #miss_access allow all
>> cache deny all
>> always_direct allow all
>>
>> can any one suggest me the order of http_access entries in the configuration file?
>>
>
> From the information given, I gather that you are running an interception proxy. The accel argument to http_port is meant for acceleration setups, not for interception setups. I further surmise that you chose to go the "accel vport vhost" route because using "transparent" gave configuration errors with authentication.
>
> There is a reason for that.
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7
>
>> Appreciate your response.
>>
>> Thanks
>> -Sampath.
>
> Chris
>
>

--
View this message in context: http://www.nabble.com/Authntication-loop-tp24052068p24068440.html
Sent from the Squid - Users mailing list archive at Nabble.com.