Re: [squid-users] Squid - WCCP and ASA

2009-06-17 Thread Parvinder Bhasin

Amos,

The tunnel is actually between the ASA and WCCP enabled squid.  All the examples on squid-cache site as well as googling this issue point to creating a tunnel like this.  Are you saying I don't need tunnel???  external ip??? the squid box has an internal interface and is not connected to the internet directly.  The squid box itself goes out the ASA and fetches the pages.  Basically it's NATed.


-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:


On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin parvinder.bha...@gmail.com wrote:

I have a setup of squid which was compiled with the --enable-delay-pools option.  Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA.  Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP.  The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back.  Do I need anything in iptables to allow etc???  do I need to compile with some transparent support?? if so which one would I use for ASA?

 Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113295 0,sackOK,eol>
14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113302 0,sackOK,eol>
14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113304 0,sackOK,eol>
14:13:49.820922 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113312 0,sackOK,eol>
14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113314 0,sackOK,eol>




Re: [squid-users] Authntication loop

2009-06-17 Thread csampath

Hi ,

Nice to see your quick response.

I compiled with the --enable-linux-netfilter configuration. You mean to say compile squid without that flag to run squid in accel mode?

I tried without vhost and vport. Just giving the defaultsite=X.xom, the request is not going to the correct URL.

Any suggestion in the config file ?
-Sampath






Chris Robertson-2 wrote:
 
 csampath wrote:
 Hi All,

 I am using squid 3.0 stable 15.

 I am facing the authentication loop. For a page to load squid is asking for 3 to 5 times (maybe for each ajax request).

 When I give wrong password it is saying 

 Sorry, you are not currently allowed to request http://yahoo.com from
 this
 cache until you have authenticated yourself.

 When I give correct password it is asking repeatedly (for every click) 

 Here is my squid configuration.


 http_port 3128 accel vport vhost

 auth_param basic program /usr/lib64/squid/squid_radius_auth -f /etc/squid/squid_radius_conf
 auth_param basic children 2
 auth_param basic realm Squid proxy-caching web server
 auth_param basic credentialsttl 2 hours
 acl radius-auth proxy_auth REQUIRED
 http_access deny all !radius-auth
 http_access deny  !radius-auth all
 http_access allow  all
 http_reply_access allow all
 visible_hostname localhost
 #miss_access allow all
 cache deny all
 always_direct allow all

 can anyone suggest me the order of http_access entries in the configuration file?
   
 
  From the information given, I gather that you are running an 
 interception proxy.  The accel argument to http_port is meant for 
 acceleration setups, not for interception setups.  I further surmise 
 that you chose to go the accel vport vhost route because using 
 transparent gave configuration errors with authentication.
 
 There is a reason for that.  
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7
 
 Appreciate your response.
  
 Thanks
 -Sampath.
 
 Chris
 
 




Re: AW: [squid-users] Squid - WCCP and ASA

2009-06-17 Thread Parvinder Bhasin

Akos,

You are right, ASA does not support any GRE tunnels.  But from what I have read by googling squid asa wccp, the tunnel is GRE on the proxy server side whereas ASA is WCCP.  Like I mentioned, I do see ASA REDIRECTING the packets.  I see the redirected packets appearing on the proxy server but then I don't get any response back.  I think there could be some issue with iptables rule maybe.


-Parvinder Bhasin

On Jun 17, 2009, at 1:38 AM, Daniel, Akos wrote:



Hi,

ASA does not support any IPoverIP such as GRE. Which SW version do you have on the ASA?

Once I tried WCCP and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos

-Original Message-
From: Parvinder Bhasin [mailto:parvinder.bha...@gmail.com]
Sent: Wednesday, 17 June 2009 08:06
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid - WCCP and ASA

Amos,

The tunnel is actually between the ASA and WCCP enabled squid.  All the examples on squid-cache site as well as googling this issue point to creating a tunnel like this.  Are you saying I don't need tunnel???  external ip??? the squid box has an internal interface and is not connected to the internet directly.  The squid box itself goes out the ASA and fetches the pages.  Basically it's NATed.

-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:


On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin parvinder.bha...@gmail.com wrote:

I have a setup of squid which was compiled with the --enable-delay-pools option.  Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA.  Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP.  The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back.  Do I need anything in iptables to allow etc???  do I need to compile with some transparent support?? if so which one would I use for ASA?

Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) 

[squid-users] organization squid.conf

2009-06-17 Thread Riccardo Castellani
What do you suggest to prepare a clean squid.conf?
I have many many ACLs which I use in these directives:

no_cache deny
http_access deny
http_access allow


1- Should I collect all the ACLs together, or can I insert specific ACL groups next to the directives where they are used, e.g.


Acl A...
Acl B...
Acl C...
no_cache deny A
no_cache deny B
no_cache deny C

Acl E...
Acl F..
Acl G...
http_access allow E
http_access allow F
http_access allow G

Acl H...
Acl I..
Acl L...
http_reply_access allow H
http_reply_access allow I
http_reply_access deny L



[squid-users] Multiple Parent Proxies

2009-06-17 Thread Raspino,Brian M.
Hello all,
My name is Brian, I have a problem that I hope to configure squid to solve, but I'm not really sure where to begin if it's even possible.
This is the scenario I have: around the world I have many proxy servers, each serving one subnet and one subnet only.  Now to access the computers in these subnets you must go through the proxy associated with them.  Due to restrictive software on the client end that I can't change, I need one permanent proxy server hardcoded into the client machine, but I would like the ability to access any one of these subnets, and possibly more than one at once.  What I was hoping to achieve was to put another proxy running squid between the client and the WAN that would act as the permanent proxy that the client computer is pointing to, but would redirect traffic to another proxy server based on subnet, so that proxy could do its job.  I thought I saw something that looked promising here:
http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers ,
but I'm not sure if there is a way to switch from domain to subnet, and if the servers it redirects to are another proxy or the actual final destination.

Thank you for your time and help,
Brian



[squid-users] How does Squid handle bandwidth distribution

2009-06-17 Thread Mark Lodge

Can squid do 'fair bandwidth sharing'?
What I mean is, if there is 1 user online on a 4mg line, that user will be using the entire 4mg line speed, and if there are 2 users online, each user will have 2mg line speed, and so on.
I have squid cache set up already, but I just need to know how bandwidth distribution/sharing can be handled.


Can squid also be used to limit/disconnect users after they have used up 
their allotted bandwidth?


[I have a mikrotik router connected to the adsl (for wireless users)]

I would really appreciate your comments and help
Thank you


Re: [squid-users] Authntication loop

2009-06-17 Thread Amos Jeffries

csampath wrote:

Hi ,

Nice to see your quick response.

I compiled with the --enable-linux-netfilter configuration. You mean to say compile squid without that flag to run squid in accel mode?


No. Reverse-proxy mode acceleration of an internal webserver is available by default in current Squid, where Squid listens on port 80 and gateways to your master web server.


Port-80 interception is a different mode and requires such options along with transparent or intercept settings to http_port (can be, but best not to have it on the usual proxy port).





I tried without vhost and vport. Just giving the defaultsite=X.xom, the request is not going to the correct URL.


Any suggestion in the config file ?


What usage are you trying to put Squid to? It's hard to give specifics when working to a vague assumption.


Amos



Chris Robertson-2 wrote:

csampath wrote:

Hi All,

I am using squid 3.0 stable 15.

I am facing the authentication loop. For a page to load squid is asking for 3 to 5 times (maybe for each ajax request).

When I give wrong password it is saying 


Sorry, you are not currently allowed to request http://yahoo.com from
this
cache until you have authenticated yourself.

When I give correct password it is asking repeatedly (for every click) 


Here is my squid configuration.


http_port 3128 accel vport vhost

auth_param basic program /usr/lib64/squid/squid_radius_auth -f /etc/squid/squid_radius_conf
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl radius-auth proxy_auth REQUIRED
http_access deny all !radius-auth
http_access deny  !radius-auth all
http_access allow  all
http_reply_access allow all
visible_hostname localhost
#miss_access allow all
cache deny all
always_direct allow all

can anyone suggest me the order of http_access entries in the configuration file?
  
 From the information given, I gather that you are running an 
interception proxy.  The accel argument to http_port is meant for 
acceleration setups, not for interception setups.  I further surmise 
that you chose to go the accel vport vhost route because using 
transparent gave configuration errors with authentication.


There is a reason for that.  
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7



Appreciate your response.
 
Thanks

-Sampath.

Chris







--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8


[squid-users] Betr.: [squid-users] How does Squid handle bandwidth distribution

2009-06-17 Thread Arnaud Loonstra
 On Wed, Jun 17, 2009 at 2:16 pm, Mark Lodge mlodg...@gmail.com wrote in message 4a38deb9.6010...@gmail.com:
 Can squid do 'fair bandwidth sharing'?
 What I mean is, if there is 1 user online on a 4mg line, that user will be using the entire 4mg line speed, and if there are 2 users online, each user will have 2mg line speed, and so on.
 I have squid cache set up already, but I just need to know how bandwidth distribution/sharing can be handled.

 Can squid also be used to limit/disconnect users after they have used up their allotted bandwidth?

 [I have a mikrotik router connected to the adsl (for wireless users)]

 I would really appreciate your comments and help
 Thank you

Yes it does, sort of. It's called delay pools. See google i.e.: 
http://quark.humbug.org.au/publications/squid/aclsquid.html

It might do what you need

Arnaud


-- 
Amarantis Onderwijsgroep
IT Architect
Tel: 033 - 4221885 / 06 - 30053814
Fax: 033 - 2570287
a.loons...@amarantis.nl






Amarantis Onderwijsgroep is the group organisation of the ISA schools and ROC ASA


[squid-users] clean squid.conf

2009-06-17 Thread Riccardo Castellani
What do you suggest to prepare a clean squid.conf?
I have many many ACLs which I use in these directives:

no_cache deny
http_access deny
http_access allow


1- Should I collect all the ACLs together, or can I insert specific ACL groups next to the directives where they are used, e.g.


Acl A...
Acl B...
Acl C...
no_cache deny A
no_cache deny B
no_cache deny C

Acl E...
Acl F..
Acl G...
http_access allow E
http_access allow F
http_access allow G

Acl H...
Acl I..
Acl L...
http_reply_access allow H
http_reply_access allow I
http_reply_access deny L



Re: [squid-users] Squid for Windows users **Best Practice**

2009-06-17 Thread Amos Jeffries

Beavis wrote:

thanks for the reply amos..

I'm sorry it seems that i have not been clear on how i want to do this.

I'm not planning to put squid on windows, my plan is to get some best
practice from folks that have experience on using squid as a proxy
for their windows network (with AD and all).


(sorry about the rant)

The official Squid wiki and website I reference below are the only 
current / most accurate  authoritative sources. They are kept very up to 
date with current info as things change.


One of my hobby tasks (and Francesco Chemolli who admins the wiki) is 
going through and re-organising the old FAQ and Squid Authoritative Guide 
book excerpts into an easier reading format and removing obsolete facts. 
If we have incorrect or missing data, please point out for an update.


FWIW: Only Squid 2.7 or higher are supported free by the project 
members. 2.6 and older are starting to cost real money as they become obsolete.



If you are one of the crowd who recently have started making their own 
versions please note all the existing third-party best practice 
recommendations often quickly change to incorrect and outdated. Thus the 
wiki format for our own authoritative sources.


We would rather references to our documents than re-writes, and please, 
please specify clearly what versions of Squid your document is talking 
about. I for one am tired of fixing new users 'understanding' from 
obsolete Squid tutorials.


/rant



I'm looking for some suggestions or common setup's on their squid where.

a.) squid can determine the AD user's group and give them their own
list of ACL's


The first part of that requirement is:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Not sure about the give them their own list of ACL's.
Squid only uses explicit ACLs defined by you in its config.

Some can be sort of dynamic based on custom helpers though:
http://wiki.squid-cache.org/Features/Authentication

The method of configuration can limit certain ACL to only be tested if 
the result of another ACL is true. Anything that can be stated as 
boolean logic with the ACL types provided.




b.) redundancy setup's


HTTP is stateless. Auth is not really much different. Redundancy is 
built into the back end (AD, LDAP, RADIUS, etc) or the very front end 
(PAC,LVS, etc) outside of Squid.


During a failover event either Squid will have the auth result cached 
and things just work. Or squid will deny the lookup until its source 
is fixed or changed. Helpers theoretically can do this second, I'm not 
sure if they do though.




c.) recommended most common way of authenticating AD users to squid.
(NTLM, LDAP, ADS)


Not sure if there is a most common. Every admin has their own 
preferences and local site requirements. There are as many methods of 
operation as there are software to do the auth and ways to connect to 
that software.


The auth methods we get asked about often enough for someone to do a 
write-up are listed under Authentication at:

http://wiki.squid-cache.org/Features/Authentication



thanks again,
-b


On Tue, Jun 16, 2009 at 6:54 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On Tue, 16 Jun 2009 17:29:33 -0600, Beavis pfu...@gmail.com wrote:

All,

  I just want to get some views from folks that use squid on a windows
environment. I'm looking at the following scenario.

a.) running squid that can be use by windows users (auth via ldap, ntlm.
AD)
b.) site access is on a per group basis (squid auth or through

squidguard)

c.) Squid Redundancy.


Being a squid linux admin with many users on windows I can say that none of
the above require Squid to run on a windows box. Samba + the provided squid
helpers handle windows authentications just fine from most non-windows OS.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8


Re: [squid-users] Squid - WCCP and ASA

2009-06-17 Thread Amos Jeffries

Parvinder Bhasin wrote:

Amos,

 The tunnel is actually between the ASA and WCCP enabled squid.


No, the tunnel is between the ASA and the squid box Operating System.

Squid itself has nothing to do with the tunnel. Squid's only concern is 
that the packets are arriving via some interception method. Thus the 
src/dst IPs are a bit strange and it needs the transparent or intercept 
http_port option to handle them.



All the examples on squid-cache site as well as googling this issue point to creating a tunnel like this.  Are you saying I don't need tunnel???  external ip???


No you still need the tunnel. But I think assigning localhost-only 
address to it may be a bad thing.


The other tunnels I know about all need an IP the firewall device can 
send to. Try without it to see if our packets start appearing.



the squid box has an internal interface and is not 
connected to the internet directly.


There are three categories of traffic interface:
 WAN - Internet facing
 LAN - local network facing
 localhost - not even getting past the NIC onto the wire.

The squid box itself goes out the ASA and fetches the pages.  Basically it's NATed.




Can you trace the packets as far as reaching Squid and starting their 
way out again though?
If so the tunnels etc are fine. But the routing exemption to allow for 
Squid box connections out through the router may be whacked.


Amos


-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:


On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin parvinder.bha...@gmail.com wrote:

I have a setup of squid which was compiled with the --enable-delay-pools option.  Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA.  Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP.  The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back.  Do I need anything in iptables to allow etc???  do I need to compile with some transparent support?? if so which one would I use for ASA?

 Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for
traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP
for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port
not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back
to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535 <mss 1460,sackOK,eol>
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535 <mss 1460,sackOK,eol>
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 322113293 0,sackOK,eol>
14:13:48.127001 IP 192.168.100.175.52260 > 

Re: [squid-users] organization squid.conf

2009-06-17 Thread Amos Jeffries

Riccardo Castellani wrote:

What do you suggest to prepare a clean squid.conf?
I have many many ACLs which I use in these directives:

no_cache deny


change #1:
  no_cache deny X
to:
  cache deny X

no_cache is an obsolete option name.


http_access deny
http_access allow


1- Should I collect all the ACLs together, or can I insert specific ACL groups next to the directives where they are used, e.g.


Acl A...
Acl B...
Acl C...
no_cache deny A
no_cache deny B
no_cache deny C

Acl E...
Acl F..
Acl G...
http_access allow E
http_access allow F
http_access allow G

Acl H...
Acl I..
Acl L...
http_reply_access allow H
http_reply_access allow I
http_reply_access deny L



Neither. Look at what the requirements are for each and create logical 
groupings that do not interfere with each other and, in the order configured, 
do what your policy requires.


Also, be extremely careful about http_reply_access.
 It's often over-blocked by using rules that duplicate http_access. 
This can either prevent access denied pages getting out to bad viewers, 
or cause extra useless load.
Only use it to filter requests that cannot be checked earlier in 
http_access.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8


Re: [squid-users] clean squid.conf

2009-06-17 Thread Amos Jeffries

Riccardo Castellani wrote:

What do you suggest to prepare a clean squid.conf?
I have many many ACLs which I use in these directives:



See replies to your email from 3 hours ago. Just the other side of midnight.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8


RE: [squid-users] Applying ACLs to access_log directive

2009-06-17 Thread Jon Gregory
Hi Chris,

Thank you for the response.

Yes, the third column of the log shows the host IP of the machine requesting 
pages.


Regards,

Jon Gregory

-Original Message-
From: crobert...@gci.net [mailto:crobert...@gci.net] 
Sent: Tue 16 June 2009 21:04
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Applying ACLs to access_log directive

Jon Gregory wrote:
 I am using SquidNT 2.7 STABLE 5 on WinXP SP3 running as a service and would 
 like to sense check what I am attempting but failing to achieve.  From all 
 the documentation I have read from Visolve, squid-cache.org FAQ and this 
 list's history I am creating a valid set of directives in the below format.

 access_log filepath [logformat name [acl acl ...]]



 I am wanting to direct logging to individual files depending on the source 
 network while still capturing all requests in the access.log.  The example 
 below is how I have attempted to implement this but the result is that 
 access.log logs all events which is okay but the network specific logs remain 
 empty.

 acl NET_A src 192.168.0.0/24
 acl NET_A src 10.20.30.0/24
 acl NET_B src 192.168.1.0/24
 acl NET_C src 192.168.2.0/24

 access_log c:/squid/var/logs/access_NET_A.log squid NET_A
 access_log c:/squid/var/logs/access_NET_B.log squid NET_B
 access_log c:/squid/var/logs/access_NET_C.log squid NET_C
 access_log c:/squid/var/logs/access.log squid
   

That looks right...

 In an attempt to test I have also implemented a usergroup based ACL I can get 
 logging to individual files and to the catch all access.log which works as I 
 would expect.

 acl Admins external NT_local_group Administrators

 access_log c:/squid/var/logs/access_ADMINS.log squid Admins
 access_log c:/squid/var/logs/access.log squid
   

So it works...

 What am I not understanding?  Is there a dependence on the acl type when 
 using access_log?
   

Do the entries in c:/squid/var/logs/access.log show the remotehost IP in 
the third column?

Chris


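
Chris's question points at the only thing a src ACL can test: the third column of the native log format is the TCP peer address Squid saw for the request. The block below is an added example, mine rather than anything from the thread, that applies the NET_A/NET_B/NET_C definitions from Jon's post to native-format access.log lines offline, the way the per-ACL access_log lines would. The sample lines are constructed; the third one, logged with 127.0.0.1 as the client, shows the failure mode in which every request lands in the catch-all log while the per-network logs stay empty, because the address Squid sees is not a workstation address.

```python
import ipaddress
from collections import defaultdict

# ACL definitions from the thread. A name declared twice accumulates
# networks, so NET_A covers two subnets.
ACLS = {
    "NET_A": ["192.168.0.0/24", "10.20.30.0/24"],
    "NET_B": ["192.168.1.0/24"],
    "NET_C": ["192.168.2.0/24"],
}

NETWORKS = {
    name: [ipaddress.ip_network(n) for n in nets] for name, nets in ACLS.items()
}


def client_ip(line):
    """Return the client address from a Squid native-format access.log line.

    Native format:
      time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
    The remote host is the third whitespace-separated field.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a native-format access.log line: %r" % line)
    return ipaddress.ip_address(fields[2])


def matching_acls(addr):
    """Names of src ACLs whose networks contain addr, in configuration order."""
    return [name for name, nets in NETWORKS.items() if any(addr in n for n in nets)]


def split_log(lines):
    """Mimic one access_log line per ACL plus an unconditional catch-all.

    Returns {logname: [lines]}: 'access' receives everything, 'access_NET_X'
    only the lines whose client address is inside NET_X.
    """
    out = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        out["access"].append(line)
        for name in matching_acls(client_ip(line)):
            out["access_" + name].append(line)
    return dict(out)


# Constructed sample lines (not taken from the thread). The third entry is
# the failure mode: the logged address is the loopback, so no src ACL
# matches and only the catch-all log grows.
SAMPLE = """\
1245254249.779    120 192.168.0.15 TCP_MISS/200 4533 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1245254250.101     80 10.20.30.7 TCP_HIT/200 1200 GET http://www.example.com/a.png - NONE/- image/png
1245254251.332     95 127.0.0.1 TCP_MISS/200 900 GET http://www.example.com/b.css - DIRECT/203.0.113.10 text/css
1245254252.500    140 192.168.2.9 TCP_MISS/304 300 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
"""

if __name__ == "__main__":
    for logname, entries in sorted(split_log(SAMPLE.splitlines()).items()):
        print("%s: %d line(s)" % (logname, len(entries)))
```

Run it against a real access.log (`split_log(open(path))`) and compare the counts with what the per-network files receive: if the offline split finds matches that Squid's own per-ACL logs did not record, the difference is in the ACL evaluation, not the addresses; if the offline split finds none either, the third column is the thing to look at.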



Re: [squid-users] Betr.: [squid-users] How does Squid handle bandwidth distribution

2009-06-17 Thread Amos Jeffries

Arnaud Loonstra wrote:

On Wed, Jun 17, 2009 at 2:16 PM, Mark Lodge mlodg...@gmail.com wrote in 
message 4a38deb9.6010...@gmail.com:

Can squid do 'fair bandwidth sharing'?
What i mean is, if there is 1 user online on a 4mg line, that user will 
be using the entire 4mg line speed, and if there are 2 users online, 
each user will have 2mg line speed, and so on.
I have squid cache set up already, but i just need to know how bandwidth 
distribution/sharing can be handled


Can squid also be used to limit/disconnect users after they have used up 
their allotted bandwidth?


[I have a mikrotik router connected to the adsl (for wireless users)]

I would really appreciate your comments and help
Thank you


Yes it does, sort of. It's called delay pools. See Google, e.g.: 
http://quark.humbug.org.au/publications/squid/aclsquid.html

It might do what you need



No. It places a maximum bandwidth cap and speed limit on all applicable 
requests, regardless of other traffic. Fair, but not what asked for.



To divide the line evenly between concurrent users is what Squid already 
natively does.


This is not noticeable because HTTP is stateless and defines one 'user' as 
one 'request'. There are either N concurrent requests or none. Squid 
handles N concurrent requests by reading what it can for one and then 
moving on to the next.


Imagine this:
 Given 1 large request + 1 small request. Squid will read the small 
request and part of the large request in one cycle.
The small is much more likely to be finished after that cycle, leaving 
the large request with a full-bandwidth pipe to suck from in the next.


The result is the small being finished at maybe half speed, and the 
large seeing a very light blip in its overall transfer.


Spread this across many dozens of requests all starting and stopping at 
different times and it becomes nearly impossible to tell what's fair 
and what's not.



You can use the delay pools to set caps on each IP or authenticated user 
connecting and hope it's relatively fair. But there will be spots of 
wastage with low visitor counts.


Someone asked recently about having a custom ACL (external_acl_type) 
which kicked people into a delay pool when the bandwidth pipe was 
reaching capacity. So people only got limited when the network was under 
stress or they were downloading a very big file. That seems a nice way 
to go about it, but does involve some complexity detecting the load.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
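
Amos's distinction between a cap and a fair share, and the "spots of wastage with low visitor counts" that follow from it, can be seen in a small model. The block below is an added example, my own simplified model of a Squid class 2 delay pool and not Squid's code: `delay_parameters` gives one aggregate restore/max pair shared by everyone and one individual pair applied per client address, and each pair is a token bucket refilled at `restore` bytes per second up to `max` bytes. Mark's 4 Mbit line is modelled as a 500 000 byte/s aggregate with each client capped at half of it; the tick rate, the chunk size and the round-robin servicing order are my simulation choices.

```python
# Simplified model of a Squid class 2 delay pool (my model, not Squid's code).
# delay_parameters <pool> <aggregate restore/max> <individual restore/max>
# Each restore/max pair is a token bucket: refilled at `restore` bytes per
# second, never holding more than `max` bytes.

TICK_HZ = 10  # simulation granularity: buckets refill ten times a second


class Bucket:
    def __init__(self, restore, maximum):
        self.restore = restore
        self.maximum = maximum
        self.level = 0  # start empty (in Squid, delay_initial_bucket_level controls this)

    def refill(self):
        self.level = min(self.maximum, self.level + self.restore // TICK_HZ)

    def take(self, wanted):
        granted = min(wanted, self.level)
        self.level -= granted
        return granted


class Class2Pool:
    """One aggregate bucket shared by every client plus one bucket per
    client address. A read is limited by whichever of the two is lower."""

    def __init__(self, aggregate, individual):
        self.aggregate = Bucket(*aggregate)
        self.individual_params = individual
        self.individuals = {}

    def bucket_for(self, client):
        if client not in self.individuals:
            self.individuals[client] = Bucket(*self.individual_params)
        return self.individuals[client]

    def tick(self):
        self.aggregate.refill()
        for bucket in self.individuals.values():
            bucket.refill()

    def read(self, client, wanted):
        bucket = self.bucket_for(client)
        allowed = min(wanted, bucket.level, self.aggregate.level)
        bucket.take(allowed)
        self.aggregate.take(allowed)
        return allowed


def simulate(clients, seconds, aggregate, individual, chunk=1024):
    """Every client downloads as fast as the pool allows for `seconds`.

    Squid services ready connections in turn, so each tick hands out
    chunk-sized reads round-robin until no bucket has anything left; the
    starting client rotates per tick so leftovers do not favour one host.
    Returns {client: average bytes per second}.
    """
    pool = Class2Pool(aggregate, individual)
    for client in clients:
        pool.bucket_for(client)
    totals = dict.fromkeys(clients, 0)
    for step in range(seconds * TICK_HZ):
        pool.tick()
        start = step % len(clients)
        order = clients[start:] + clients[:start]
        progress = True
        while progress:
            progress = False
            for client in order:
                got = pool.read(client, chunk)
                if got:
                    totals[client] += got
                    progress = True
    return {client: totals[client] / seconds for client in clients}


def line_utilisation(rates, line_rate):
    """Fraction of the physical line the pool lets the clients use."""
    return sum(rates.values()) / line_rate


if __name__ == "__main__":
    LINE = 500_000  # 4 Mbit/s expressed in bytes per second
    POOL = dict(aggregate=(LINE, LINE), individual=(LINE // 2, LINE // 2))
    for n in (1, 2, 4):
        clients = ["10.0.0.%d" % i for i in range(1, n + 1)]
        rates = simulate(clients, 10, **POOL)
        print("%d client(s): %s, line used %.0f%%" % (
            n, {c: int(r) for c, r in rates.items()},
            100 * line_utilisation(rates, LINE)))
```

With one client the individual cap binds and half the line sits idle; with two, both caps and the aggregate are met at once; with four, the aggregate binds and the round-robin servicing splits it evenly. The per-client cap is a ceiling in every case, which is why a delay pool cannot give a lone user the whole line.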


[squid-users] squid date based acls

2009-06-17 Thread Gavin McCullagh
Hi,

I was just looking to set up ACLs based on dates, e.g. something like:

acl termtime   date 01/06-31/08
acl summertime date 01/09-31/05

but I can't seem to find that feature in the manual.  Is this not possible
or have I missed something?  If it's not currently in squid, would it be a
useful feature for people other than me?

Gavin



Re: Fw: Re: [squid-users] NONE/411 Length Required

2009-06-17 Thread Amos Jeffries

Bijayant Kumar wrote:

--- On Mon, 15/6/09, Bijayant Kumar bijayan...@yahoo.com wrote:

From: Bijayant Kumar bijayan...@yahoo.com
Subject: Re: [squid-users] NONE/411 Length Required
To: squid users squid-users@squid-cache.org
Date: Monday, 15 June, 2009, 6:48 PM

--- On Mon, 15/6/09, Amos Jeffries squ...@treenet.co.nz wrote:

From: Amos Jeffries squ...@treenet.co.nz
Subject: Re: [squid-users] NONE/411 Length Required
To: Bijayant Kumar bijayan...@yahoo.com
Cc: squid users squid-users@squid-cache.org
Date: Monday, 15 June, 2009, 6:06 PM

Bijayant Kumar wrote:

Hello list,

I have Squid version 3.0.STABLE10 installed on a Gentoo Linux box. All things 
are working fine, meaning caching, proxying etc. There is a problem with some 
sites. When I am accessing one of those sites, in access.log I am getting

NONE/411 3692 POST http://.justdial.com/autosuggest_category_query_main.php? - NONE/- text/html

and on the web page I am getting the whole error page of Squid. Actually it's 
a search related page. In the search criteria field, as soon as I am typing 
after two words I am getting this error. The website in question is 
http://justdial.com. But it works without the Squid.

I tried to capture the HTTP headers also, which are as below:

http://.justdial.com/autosuggest_category_query_main.php?city=Bangalore&search=Ka

POST /autosuggest_category_query_main.php?city=Bangalore&search=Ka HTTP/1.1
Host: .justdial.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080807 Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.7,hi;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://.justdial.com/
Cookie: PHPSESSID=d1d12004187d4bf1f084a1252ec46cef; __utma=79653650.2087995718.1245064656.1245064656.1245064656.1; __utmb=79653650; __utmc=79653650; __utmz=79653650.1245064656.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CITY=Bangalore
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 411 Length Required
Server: squid/3.0.STABLE10
Mime-Version: 1.0
Date: Mon, 15 Jun 2009 11:18:10 GMT
Content-Type: text/html
Content-Length: 3287
Expires: Mon, 15 Jun 2009 11:18:10 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from bijayant.kavach.blr
X-Cache-Lookup: NONE from bijayant.kavach.blr:3128
Via: 1.0 bijayant.kavach.blr (squid/3.0.STABLE10)
Proxy-Connection: close

Please suggest me what could be the reason and how to resolve this. Any 
help/pointer can be very helpful for me.

Bijayant Kumar


NONE - no upstream source.
411  - Content-Length missing

HTTP requires a Content-Length: header on POST requests.


How to resolve this issue? Because the website is on the internet and it's 
working fine without the Squid. When I am bypassing the proxy, I am not 
getting any type of error.

Can't this website be accessed through the Squid?


From Mark's reply it looks like Squid might be able to handle these 
weird empty POST requests if someone can find the patch.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
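
Amos's two-line reading of the log entry (NONE: no upstream source was contacted; 411: Content-Length missing) is the framing check a proxy makes before it can forward a request that may carry a body. The block below is an added example of that check, written by me and not taken from Squid's parser. It follows the framing rules of RFC 7230 section 3.3: Transfer-Encoding: chunked delimits the body when present, otherwise a single numeric Content-Length does, and a POST or PUT with neither gets the 411 the thread shows (the RFC lets a server alternatively treat such a body as empty, so 411 is a policy, and Squid 3.0 chose it). A request carrying both headers, or two different Content-Length values, is refused outright because two hops of a proxy chain could frame it differently, which is the request-smuggling vector. The sample requests are constructed, trimmed from the one in the thread.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


class BadRequest(Exception):
    def __init__(self, status, reason):
        super().__init__("%d %s" % (status, reason))
        self.status = status
        self.reason = reason


def parse_head(raw):
    """Split a raw request head into (method, target, version, headers).

    Header names are folded to lower case; repeated names are kept as a
    list so that conflicting duplicates can be detected rather than
    silently taking the first or last one.
    """
    text = raw.decode("iso-8859-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise BadRequest(400, "Bad Request")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise BadRequest(400, "Bad Request")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), (int(m.group(3)), int(m.group(4))), headers


def body_framing(method, headers):
    """Decide how the request body is delimited.

    Returns ("chunked", None), ("length", n) or ("none", 0); raises
    BadRequest(411) for a body-carrying method with no framing and
    BadRequest(400) for ambiguous framing.
    """
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te and cl:
        # Both present: refuse rather than forward something two hops
        # may read differently (request smuggling).
        raise BadRequest(400, "Bad Request")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            raise BadRequest(400, "Bad Request")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise BadRequest(400, "Bad Request")
        return ("length", int(cl[0]))
    if method in ("POST", "PUT"):
        raise BadRequest(411, "Length Required")
    return ("none", 0)


def check_request(raw):
    """Framing decision for a raw request, or ("error", status)."""
    try:
        method, _target, _version, headers = parse_head(raw)
        return body_framing(method, headers)
    except BadRequest as e:
        return ("error", e.status)


# Constructed samples. The first is the thread's request with only the
# relevant headers kept: a POST announcing neither length nor chunking.
POST_NO_LEN = (
    b"POST /autosuggest_category_query_main.php?city=Bangalore&search=Ka HTTP/1.1\r\n"
    b"Host: justdial.com\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
POST_CL = (
    b"POST /autosuggest_category_query_main.php HTTP/1.1\r\n"
    b"Host: justdial.com\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"search=Ka&city=BL"
)
POST_CHUNKED = (
    b"POST /autosuggest_category_query_main.php HTTP/1.1\r\n"
    b"Host: justdial.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"2\r\nKa\r\n0\r\n\r\n"
)
GET_REQ = b"GET / HTTP/1.1\r\nHost: justdial.com\r\n\r\n"
SMUGGLE = (
    b"POST / HTTP/1.1\r\nHost: justdial.com\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("no length", POST_NO_LEN), ("content-length", POST_CL),
                      ("chunked", POST_CHUNKED), ("get", GET_REQ), ("both", SMUGGLE)]:
        print("%-14s -> %s" % (name, check_request(raw)))
```

The first sample is what the browser in the thread sends, and the check yields 411 for it; adding either framing header makes the same request acceptable, which is the direction a fix on the site side would take if the proxy cannot be changed.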


RE: [squid-users] Problems with H/W SSL acceleration

2009-06-17 Thread Steven Paster
Thank you for your response.  

We will try with a later version of squid.   I am, however, greatly
confused.  Does squid support h/w acceleration?  Cavium claims it does
not.

Steven Paster

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, June 16, 2009 6:11 PM
To: Steven Paster
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Problems with H/W SSL acceleration

On Tue, 16 Jun 2009 15:30:54 -0700, Steven Paster
spas...@facetime.com
wrote:
 Hi,
 
 We are trying to use a Cavium H/W SSL acceleration card to accelerate SSL 
 encryption.  The Cavium driver builds and installs without complaint. 
 Cavium supplies an SDK for building libcrypto.a and libssl.a.  These too 
 built without issue.  
 
 We compiled Squid 3.1.0.4 statically using the Cavium supplied libraries 
 and the configuration options: --with-openssl=cavium-base-directory 
 and --enable-ssl. (We used ldd to confirm that Squid built statically 
 with the correct libraries.) In our squid.conf file we added ssl_engine 
 cavium as per information provided by Cavium; but, we get the message: 
 FATAL Unable to find SSL engine 'cavium'.  Cavium has tested with Apache 
 but never with Squid.

Please try with current 3.1 or snapshot to be sure this is not already
fixed.
We have a few thousand lines of code changed every Squid beta release,
3.1.0.4 is now quite old.

 
 Questions:
 1) Does Squid require a patch for SSL crypto h/w acceleration?
 2) Are there any Squid settings I need to know about?
 3) Has anyone been successful with another h/w card? We are not wedded to 
 Cavium.
 
 
 Forgive me if this territory has been covered in the past; I'm new to
 Squid.  Thank you in advance for any help,
 
 Steven Paster
 FaceTime Communications

Amos
Squid-3 Release Maintainer



RE: FW: [squid-users] Tproxy Help // Transparent works fine

2009-06-17 Thread Alexandre DeAraujo
 Does access.log say anything is arriving at Squid?
 Are you able to track the packets anywhere else?
 
 Amos

Once the client tries to browse, the connection times out after 100-150 seconds 
and displays the error page:
The following error was encountered while trying to retrieve the URL: 
http://www.msn.com/
Connection to 207.68.172.246 failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.

..and the following message will show on the access.log (at the same time as the 
timeout page is showed on the browser)
1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
Nothing else will show in the access.log from the moment that the client tries 
to browse.

The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is 
everything from the time the client tries to browse to when the connection 
times out
client ip = 192.168.10.3
squid ip = 192.168.20.10
msn.com ip = 207.68.172.246

Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1 
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1 
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46345 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4660 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46346 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4664 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46347 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4673 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32546 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4683 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32547 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4684 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32548 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4688 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 
Jun 17 10:10:51 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32549 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN 

Re: [squid-users] Authntication loop

2009-06-17 Thread Chris Robertson

csampath wrote:

Hi ,

Nice to see your quick response.

I compiled with --enable-linux-netfilter configuration. You mean to say
compile squid with out that flag to run squid  in accel mode ?
  


I mean to say you can't use proxy authentication with an intercepting proxy.


I tried with out vhost and vport . Just giving the defaultsite=X.xom

request is not going to the correct URL. 


Any suggestion in the config file?
  


Remove authentication.


-Sampath
  


Chris


[squid-users] squid and wccp doesn't work

2009-06-17 Thread Tom Penndorf

Hello,

I'm trying to get squid and WCCP on a Cisco ASA 5510 running. These are 
the steps I've done to set it up.

#aptitude install squid3
#vi /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all           # accepts every client able to reach port 3128; restrict this to the intercepted client networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/cache/squid3 3 32 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
wccp2_router 10.1.7.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
client_persistent_connections off
icp_port 3130
coredump_dir /var/spool/squid3

#iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0

#ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up

#echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

#iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128

# echo 1 > /proc/sys/net/ipv4/ip_forward

The ASA detects the proxy and redirects the packets. On the 
squid machine, I can see the SYN packets from the client, but no 
ACK packets.
The counter for the iptables rule is also increasing. If I remove the 
iptables rule, the clients can browse the web, because the squid machine 
is acting as a router, so the GRE tunnel seems to work correctly.
After some research, I've found out that the ACK packets are sent out 
on eth0. I don't think it's the correct way.



Are there any things I've forgotten? All howtos I've found don't tell 
me any other steps.


System is Debian lenny with squid 3.0.STABLE8-3.

Is there anyone who can give me a hint?

Thanks,

Tom



Re: [squid-users] squid and wccp doesn't work

2009-06-17 Thread Parvinder Bhasin

Hi Tom,

Exactly the same problem I have.  Please let me know if you come  
across anything.


-Parvinder Bhasin

On Jun 17, 2009, at 11:50 AM, Tom Penndorf wrote:


Hello,

I'm trying to get squid and WCCP on a Cisco ASA 5510 running. These  
are the steps I've done to set it up.

#aptitude install squid3
#vi /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/cache/squid3 3 32 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
wccp2_router 10.1.7.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
client_persistent_connections off
icp_port 3130
coredump_dir /var/spool/squid3

#iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0

#ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up

#echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

#iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128

# echo 1 > /proc/sys/net/ipv4/ip_forward

The ASA detects the proxy and redirects the packets. On the squid  
machine, I can see the SYN packets from the client, but no ACK  
packets.
The counter for the iptables rule is also increasing. If I remove  
the iptables rule, the clients can browse the web, because the squid  
machine is acting as a router, so the GRE tunnel seems to work  
correctly.
After some research, I've found out that the ACK packets are sent  
out on eth0. I don't think it's the correct way.



Are there any things I've forgotten? All howtos I've found don't  
tell me any other steps.


System is Debian lenny with squid 3.0.STABLE8-3.

Is there anyone who can give me a hint?

Thanks,

Tom





[squid-users] Please help me install videocache 1.9.1

2009-06-17 Thread Mark Lodge

I have installed squid and its running fine
Now i am trying to install videocache

First I did # python setup.py install [in the videocache-1.9.1 folder]
But at that time python-iniparse was not installed

I then installed iniparse, but now when I try to do # python setup.py 
install I get the following errors:


vpro:/home/ztel/videocache-1.9.1# python setup.py install
Traceback (most recent call last):
  File "setup.py", line 397, in <module>
    setup(root)
  File "setup.py", line 288, in setup
    if not dir_perms_and_ownership(new_dir, squid_user, squid_group):
  File "setup.py", line 76, in dir_perms_and_ownership
    user = pwd.getpwnam(user)[2]
KeyError: 'getpwnam(): name not found: squid'
vpro:/home/ztel/videocache-1.9.1#

and here is the videocache setup log

2009-06-17 13:03:15,039 INFO Directory /etc/apache2/conf.d already exists.
2009-06-17 13:03:15,039 INFO Directory /etc already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/share already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/share/man/man8 already exists.
2009-06-17 13:03:15,039 INFO Directory /usr/sbin already exists.
2009-06-17 13:03:15,040 INFO Directory /var/log/videocache already exists.

Please tell me how i can overcome this.
Thank you very much




[squid-users] Re: RPC over HTTP NTLM

2009-06-17 Thread Devon Harding
 Is it possible to have squid run as an accel for Exchange 2007
rpc/http with ntlm authentication?  I've disabled SSL and it seems
that login=PASS only supports Basic Authentication.

 Thanks,

 -Devon


[squid-users] LDAP Authentication and Logging

2009-06-17 Thread James House
Hi,
If I setup squid to require authentication against my Win2003 AD, will
the usernames appear in the log file?
I have about 150 users hitting the web from 3 terminal servers through
squid. I need to be able to see who a request came from, not just
which server it came from.
Thanks,
James House


[squid-users] How to never cache a directory of website?

2009-06-17 Thread sailer

I use squid as a reverse proxy for my website. I want squid to never cache a
directory in the website; the URL of the directory is http://www.abc.com/news/.
How can I do it?
Thanks



[squid-users] Is something out there bamboozling Squid?

2009-06-17 Thread Brett Glass

Everyone:

Just this past week, our Squid cache has become balky, with long 
page loads from some sites and timeouts or partial page loads from 
others. (It's gotten to the point where performance is better 
without the cache.) I thought that it was just us, but another 
system administrator in town has complained of the same symptom: 
weird delays through the cache and none without it.


Is there some popular site out there which has started doing 
something that ties Squid in knots?


--Brett Glass



RE: [squid-users] Problems with H/W SSL acceleration

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 09:39:16 -0700, Steven Paster spas...@facetime.com
wrote:
 Thank you for your response.  
 
 We will try with a later version of squid.   I am, however, greatly
 confused.  Does squid support h/w acceleration?  Cavium claims it does
 not.

AFAIK we have not explicitly tested or added such to Squid. The
capabilities are fully offloaded to whatever libraries are provided to
Squid at build time.

I would expect that if the Cavium libraries provide the same API as OpenSSL
they can wrap the H/W support in a way usable by Squid.

If special calls are needed, it's not too hard to patch Squid for this type of
thing.

Amos

 
 Steven Paster
 
 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
 Sent: Tuesday, June 16, 2009 6:11 PM
 To: Steven Paster
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Problems with H/W SSL acceleration
 
 On Tue, 16 Jun 2009 15:30:54 -0700, Steven Paster
 spas...@facetime.com
 wrote:
 Hi,
 
 We are trying to use a Cavium H/W SSL acceleration card to accelerate SSL
 encryption.  The Cavium driver builds and installs without complaint. 
 Cavium supplies an SDK for building libcrypto.a and libssl.a.  These too
 built without issue.  
 
 We compiled Squid 3.1.0.4 statically using the Cavium supplied libraries
 and the configuration options: --with-openssl=cavium-base-directory
 and --enable-ssl. (We used ldd to confirm that Squid built statically
 with the correct libraries.) In our squid.conf file we added ssl_engine
 cavium as per information provided by Cavium; but, we get the message:
 FATAL Unable to find SSL engine 'cavium'.  Cavium has tested with Apache
 but never with Squid.
 
 Please try with current 3.1 or snapshot to be sure this is not already
 fixed.
 We have a few thousand lines of code changed every Squid beta release,
 3.1.0.4 is now quite old.
 
 
 Questions:
 1) Does Squid require a patch for SSL crypto h/w acceleration?
 2) Are there any Squid settings I need to know about?
 3) Has anyone been successful with another h/w card? We are not wedded to
 Cavium.
 
 
 Forgive me if this territory has been covered in the past; I'm new to
 Squid.  Thank you in advance for any help,
 
 Steven Paster
 FaceTime Communications
 
 Amos
 Squid-3 Release Maintainer


RE: FW: [squid-users] Tproxy Help // Transparent works fine

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 10:28:35 -0700, Alexandre DeAraujo al...@cal.net
wrote:
 Does access.log say anything is arriving at Squid?
 Are you able to track the packets anywhere else?
 
 Amos
 
 Once the client tries to browse, the connection times out after 100-150
 seconds and displays the error page:
 The following error was encountered while trying to retrieve the URL:
 http://www.msn.com/
   Connection to 207.68.172.246 failed.
 The system returned: (110) Connection timed out
 The remote host or network may be down. Please try the request again.
 
 ..and the following message will show on the access.log (at the same time
 as the timeout page is showed on the browser)
 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
 Nothing else will show in the access.log from the moment that the client
 tries to browse.
 
 The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is
 everything from the time the client tries to browse to when the connection
 times out
 client ip = 192.168.10.3
 squid ip = 192.168.20.10
 msn.com ip = 207.68.172.246
 
 Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1 
 Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1 
 Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1 

... show several packets where client is connecting straight to squid IP as
a regular proxy!!

(I assume squid handles the requests and spoofs the client IP:
192.168.10.3 -> 207.68.172.246)

 Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
 Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 

... router catches packets between 192.168.10.3 <-> 207.68.172.246 and sends
them to Squid for handling...


(I assume squid handles the requests and spoofs the client IP:
192.168.10.3 -> 207.68.172.246)

 Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1 
 Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 

... router catches packets between 192.168.10.3 <-> 207.68.172.246 and sends
them to Squid for handling...

... IF my assumption about where each of those packets is originating is
true. It seems like a triangle of doom.


IMO Squid needs to be given a dedicated _interface_ on the router. And any
packets coming from that _interface_ be exempted from WCCP route-back.


Amos
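
Two fingerprints visible in the log support the assumption Amos makes about where each packet originates: every SYN toward port 80 arrives with TTL=63 and a 5840-byte window, while everything else from the same source address (the proxy-style connection to :3128 and the RSTs) carries TTL=127 and a window of 65535 or 0. A Linux 2.6 host starts at TTL 64 with a 5840-byte initial window and a Windows host at TTL 128 with 65535, so after one router hop two different stacks are speaking with the same source address, which is what a Squid that spoofs the client address, with the router handing those packets straight back to it, would produce. The block below is an added example, not part of the thread, that parses netfilter LOG lines of this form and flags any flow in which one source address is used by two stacks. The stack fingerprints are my assumption, and the sample lines are copied from Alexandre's log above.

```python
import re
from collections import Counter, defaultdict

KV = re.compile(r"(\w+)=(\S*)")
FLAGS = ("SYN", "ACK", "PSH", "RST", "FIN")


def parse_log_line(line):
    """One netfilter LOG line -> dict of KEY=VALUE fields plus a 'flags'
    set holding the bare TCP flag words (SYN, ACK, ...)."""
    rec = dict(KV.findall(line))
    rec["flags"] = {w for w in line.split() if w in FLAGS}
    return rec


def stack_guess(rec):
    """Infer the sending stack from IP TTL and TCP initial window.

    Assumption: a Linux 2.6 host sends TTL 64 and window 5840 on its SYN,
    a Windows host TTL 128 and window 65535; each router hop takes one
    off the TTL, so a small range is accepted.
    """
    ttl = int(rec.get("TTL", 0))
    if "SYN" in rec["flags"]:
        win = int(rec.get("WINDOW", 0))
        if 60 <= ttl <= 64 and win == 5840:
            return "linux"
        if 124 <= ttl <= 128 and win == 65535:
            return "windows"
    if 60 <= ttl <= 64:
        return "linux"
    if 124 <= ttl <= 128:
        return "windows"
    return "unknown"


def analyse(lines):
    """Group packets by (SRC, SPT, DST, DPT) and report every flow whose
    packets, all carrying the same source address, come from more than one
    stack: an address being spoofed by one host while another still uses it."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if not all(k in rec for k in ("SRC", "SPT", "DST", "DPT")):
            continue  # not a TCP LOG line
        flows[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])].append(rec)
    findings = []
    for key, pkts in flows.items():
        stacks = Counter(stack_guess(p) for p in pkts)
        if len(stacks) > 1:
            findings.append({
                "flow": key,
                "stacks": dict(stacks),
                "packets": ["%s ttl=%s" % ("/".join(sorted(p["flags"])), p["TTL"]) for p in pkts],
            })
    return findings


# Lines copied from the log in the thread: the client talking to Squid
# directly on :3128, then two SYN/RST pairs on the spoofed flow to port 80.
SAMPLE = """\
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE.splitlines()):
        print("%s:%s -> %s:%s seen from %s: %s" % (*f["flow"], f["stacks"], f["packets"]))
```

On the sample, the flow to :3128 is reported as one stack only (the workstation) and the flow to 207.68.172.246:80 as two: the SYNs are the Linux stack and the RSTs the Windows one. Whatever the router does with those packets afterwards, a SYN sourced from the client's address that the client itself then resets is the loop Amos describes, and a dedicated router interface that is exempt from the WCCP redirect is what keeps Squid's own packets from being handed back to it.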



Re: [squid-users] squid and wccp doesn't work

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 20:50:40 +0200, Tom Penndorf
tpennd...@seibert-media.net wrote:
 Hello,
 
 I'm trying to get squid and WCCP on a Cisco ASA 5510 running. These are 
 the steps I've done to set it up.
 #aptitude install squid3
 #vi /etc/squid3/squid.conf
 acl manager proto cache_object
 acl localhost src 127.0.0.1/32
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl CONNECT method CONNECT
 http_access allow manager localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost
 http_access allow all
 http_access deny all
 icp_access deny all
 htcp_access deny all
 http_port 3128 transparent
 hierarchy_stoplist cgi-bin ?
 cache_dir aufs /var/cache/squid3 3 32 256
 access_log /var/log/squid3/access.log squid
 cache_log /var/log/squid3/cache.log
 cache_store_log /var/log/squid3/store.log
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern (cgi-bin|\?)    0       0%      0
 refresh_pattern .               0       20%     4320
 wccp2_router 10.1.7.1
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_service standard 0
 client_persistent_connections off
 icp_port 3130
 coredump_dir /var/spool/squid3
 
 #iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0
 
 #ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up
 
 #echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
 
 #iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
 # echo 1 > /proc/sys/net/ipv4/ip_forward
 
 The ASA detects the proxy and redirects the packets. On the 
 squid machine, I can see the SYN packets from the client, but no 
 ACK packets.
 The counter for the iptables rule is also increasing. If I remove the 
 iptables rule, the clients can browse the web, because the squid machine 
 is acting as a router, so the GRE tunnel seems to work correctly.
 After some research, I've found out that the ACK packets are sent out 
 on eth0. I don't think it's the correct way.
 
 
 Are there any things I've forgotten? All howtos I've found don't tell 
 me any other steps.

Ack is probably between squidIP and clientIP. You may need to SNAT it back
towards the client.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Amos


Re: [squid-users] LDAP Authentication and Logging

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 20:39:10 -0500, James House
poenitentia.tranquili...@gmail.com wrote:
 Hi,
 If I setup squid to require authentication against my Win2003 AD, will
 the usernames appear in the log file?
 I have about 150 users hitting the web from 3 terminal servers through
 squid. I need to be able to see who a request came from, not just
 which server it came from.
 Thanks,
 James House

If they successfully log in yes.

Amos


Re: [squid-users] Is something out there bamboozling Squid?

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 20:19:49 -0600, Brett Glass
squid-us...@brettglass.com
wrote:
 Everyone:
 
 Just this past week, our Squid cache has become balky, with long 
 page loads from some sites and timeouts or partial page loads from 
 others. (It's gotten to the point where performance is better 
 without the cache.) I thought that it was just us, but another 
 system administrator in town has complained of the same symptom: 
 weird delays through the cache and none without it.

Time to run through the checklist. What version of squid?
What do network times and loads look like? hardware access time for the
disks etc?
Is one of the routers somewhere dropping packets?

And some weird ones that are becoming issues:
 has your upstream started interception proxy?
 are they doing carrier NAT on you?

 
 Is there some popular site out there which has started doing 
 something that ties Squid in knots?

You're the only one who can really answer that. What shift in destination
sites have you noticed?

Amos


Re: [squid-users] How to never cache a directory of website?

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 19:56:09 -0700 (PDT), sailer sailer.s...@gmail.com
wrote:
 I use squid as a reversed proxy for my website, I want squid never cache
a
 directory in the website, the URL of directory is
http://www.abc.com/news/,
 I can I do it?
 Thanks

Yes.
http://www.squid-cache.org/Doc/config/cache/
http://www.squid-cache.org/Doc/config/acl/

Amos


Re: [squid-users] Re: RPC over HTTP NTLM

2009-06-17 Thread Amos Jeffries
On Wed, 17 Jun 2009 17:18:49 -0400, Devon Harding devonhard...@gmail.com
wrote:
 Is it possible to have squid run as an accel for Exchange 2007
 rpc/http with ntlm authentication?  I've disabled SSL and it seems
 that login=PASS only supports Basic Authentication.
 
  Thanks,
 
  -Devon

Yes.

http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
or
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos