[squid-users] Re: Re: squid_kerb_ldap clarification

2010-08-06 Thread Markus Moeller


Joseph L. Casale jcas...@activenetwerx.com wrote in message 
news:ca5a491e9defbe4cb777de97e21575e906bb0...@prato.activenetwerx.local...

 Here is a short overview of what squid_kerb_ldap does.
  1) A user authenticates with either NTLM (username will be NT-DOM\user)
     or Kerberos (username will be u...@kerb-dom)
  2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
     authenticated users
  3) Uses DNS SRV records to find the AD server for KERB-DOM
  4) Uses the Kerberos keytab to authenticate an LDAP connection to AD
     using SASL/GSSAPI.
  5) Searches AD to see if the user is a member of the group given by -s
     (the newer squid_kerb_ldap version also has an -m option to allow
     recursive search, e.g. check if a group is a member of another group)

 Does this help ?


Markus,
Sure does... So by creating a computer account in AD, I can avoid the LDAP
bind account I was using with the older squid_ldap_auth helper, great.



Correct, assuming the account has been created correctly (e.g. it has to 
have serviceprincipalname=HTTP/fqdn AND 
userprincipalname=HTTP/fqdn@KERB-DOM set)



Thanks!
jlc


Markus
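
Added example, not part of the thread and not squid_kerb_ldap source code: a Python model of steps 1, 2, 3 and 5 of the overview above (login parsing, NetBIOS-to-realm mapping, SRV owner name, direct versus recursive group check). The realm name, users, groups and the samaccountname filter attribute are assumptions made for illustration; the directory is a constructed in-memory stand-in for AD.

```python
# Illustration of the lookup flow described in the thread.
# All domain, user and group names are constructed sample data.

NETBIOS_TO_REALM = {"NT-DOM": "KERB-DOM.EXAMPLE"}  # what the -N mapping supplies

# Constructed stand-in for AD, per realm: object -> groups it is directly in.
DIRECTORIES = {
    "KERB-DOM.EXAMPLE": {
        "alice": ["Proxy-Staff"],
        "bob": ["Contractors"],
        "Proxy-Staff": ["Internet-Users"],
    }
}


def split_user(login):
    """Return (user, realm) for 'NT-DOM\\user' (NTLM) or 'user@REALM' (Kerberos)."""
    if "\\" in login:
        dom, user = login.split("\\", 1)
        realm = NETBIOS_TO_REALM.get(dom.upper())
        if realm is None:
            raise ValueError("no realm mapping for NetBIOS domain %r" % dom)
        return user, realm
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm.upper()
    raise ValueError("login carries no domain: %r" % login)


def srv_name(realm):
    """DNS SRV owner name queried to locate an LDAP server for the realm."""
    return "_ldap._tcp." + realm.lower()


def user_filter(user):
    """LDAP search filter for the user (attribute name is an assumption).

    RFC 4515 metacharacters are escaped so a login cannot alter the filter.
    """
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in user)
    return "(samaccountname=%s)" % esc


def is_member(directory, name, group, recursive, seen=None):
    """Direct membership, or nested membership when recursive is set."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against group loops
        return False
    seen.add(name)
    for parent in directory.get(name, []):
        if parent == group:
            return True
        if recursive and is_member(directory, parent, group, True, seen):
            return True
    return False


def check(login, group, recursive=False):
    """Helper-style verdict: 'OK' if the user is in the group, else 'ERR'."""
    try:
        user, realm = split_user(login)
    except ValueError:
        return "ERR"            # fail closed on unmapped or missing domain
    directory = DIRECTORIES.get(realm)
    if directory is None:
        return "ERR"
    return "OK" if is_member(directory, user, group, recursive) else "ERR"
```
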




[squid-users] squid on Windows

2010-08-06 Thread Markus Moeller

Hi

Can I run squid on Windows XP or Vista and provide NTLM authentication for 
the XP/Vista local accounts or do I need a DC ?


Thank you
Markus 





[squid-users] Question about proxy_auth

2010-08-06 Thread Khaled Blah
Hello all,

I have written an external auth helper which returns OK
user=external username in case of a positive authentication result.
I would think that I could use this external username - which in
case of LDAP authentication would be the user's DN - in other
external_acl_type acls as the %EXT_USER format. I've now learnt that
I've misunderstood this but I am still wondering if something like
this can be done?

Regards,
Khaled


Re: [squid-users] squid on Windows

2010-08-06 Thread Amos Jeffries

Markus Moeller wrote:

Hi

Can I run squid on Windows XP or Vista and provide NTLM authentication 
for the XP/Vista local accounts or do I need a DC ?


Windows builds provide several helpers that use the SSPI interface of 
the local system.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


Re: [squid-users] Reg: Squid - POST log uploded files...

2010-08-06 Thread Amos Jeffries

Sathish Kannan Subramanian wrote:

Hi,
I am trying to set up squid proxy for my network where I also want to monitor the file uploads with their names. 
My first question is: is it possible to monitor uploaded file names using squid? Continuing on that question, I would like to ask: if possible, what is the best way to do so?

I have posted the problem on the google group also, but since nobody is 
responding I thought of sending you the problem.


Depends on what you mean by monitor.
You can log any of the standard HTTP headers individually or as a block.

This will log the header which contains filename and when it was POSTed:

  logformat files %ts.%03tu %{Content-Disposition:;name}>h
  acl POST method POST
  access_log /posted-files.log files POST


What google group? This email list is the official users help channel.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


Re: [squid-users] Setting up new Squid server

2010-08-06 Thread Sagar
Hi Amos,

I was successfully able to build with --disable-loadable-modules;
however, after configuring the squid.conf, I am getting the following
error.

2010/08/06 18:15:10| WARNING: Netmasks are deprecated. Please use CIDR
masks instead.
2010/08/06 18:15:10| WARNING: IPv4 netmasks are particularly nasty
when used to compare IPv6 to IPv4 ranges.
2010/08/06 18:15:10| WARNING: For now we will assume you meant to write /8
snip
2010/08/06 18:15:10| WARNING: Netmasks are deprecated. Please use CIDR
masks instead.
2010/08/06 18:15:10| WARNING: IPv4 netmasks are particularly nasty
when used to compare IPv6 to IPv4 ranges.
2010/08/06 18:15:10| WARNING: For now we will assume you meant to write /16
snip
2010/08/06 18:15:10| WARNING: Netmasks are deprecated. Please use CIDR
masks instead.
2010/08/06 18:15:10| WARNING: IPv4 netmasks are particularly nasty
when used to compare IPv6 to IPv4 ranges.
2010/08/06 18:15:10| WARNING: For now we will assume you meant to write /24
snip

The above errors are repeated 15 times in random order.

Please help!!
Sagar.

On Thu, Aug 5, 2010 at 5:32 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 Sagar wrote:

 Hi Amos,

 Thanks for your speedy response. I'm not able to find a proper command
 for disabling the loadable modules. can you please show how?


 ./configure --disable-loadable-modules ...

 (if the packaging system does the ./configure for you I'm not sure how to
 pass it in)

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1




-- 
Regards.
Sagar Navalkar.


[squid-users] R: [squid-users] squid on Windows

2010-08-06 Thread Guido Serassio
Hi Markus,

I wrote the native Windows helpers a long time ago, and now I don't remember 
exactly if the NTLM one needs a DC, but it should, because it is a full 
negotiating NTLM helper. It seems to me that only the Basic one can work using 
local accounts. Again, I'm not sure, and right now I don't have the possibility to 
check.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


-Original Message-
From: Markus Moeller [mailto:hua...@moeller.plus.com] 
Sent: Friday, 6 August 2010 11:34
To: squid-users@squid-cache.org
Subject: [squid-users] squid on Windows

Hi

Can I run squid on Windows XP or Vista and provide NTLM authentication for 
the XP/Vista local accounts or do I need a DC ?

Thank you
Markus 




[squid-users] More Squid+Facebook problems?

2010-08-06 Thread Baird, Josh
Has anyone noticed any issues accessing Facebook this morning behind a
forward Squid proxy (I am running 2.6STABLE21/EL5).  It seems like the
first time that I access the site, Squid is returning a Read Error -
Connection Reset by Peer (104).  Refreshing the page usually
temporarily fixes the problem and then sometimes Facebook will just
display a plain white page, etc.

Nothing seems to be logged to cache_log or access_log.  Any ideas?  I
know there was a Squid+Facebook issue discovered a couple of weeks ago,
but I believe that was since fixed on Facebook's side.

Thanks,

Josh


[squid-users] Http upload problem with TCP_MISS/000 and ctx: enter/exit messages

2010-08-06 Thread Rodrigo Ferraz
Hello

We've been struggling for a few days with a permanent problem on a newly 
installed squid 3.1.4 and those web form-based uploads, either using ASP, 
javascript or any other language behind.
Let me assure you guys, ALL uploads are failing, not with a few specific sites. 
It is just a matter of clicking an OK button to submit the file and the browser 
(IE or Firefox) instantly shows either its own error page (Page could not be 
opened) in 90% of the tries or squid's error page (Connection Reset by Peer)  
in the remaining 10%.

By configuring a remote client to use the proxy server through an external SSH 
tunnel (i.e. by excluding all the local network devices), we can reduce the 
error ratio to around 5% of the tries. So, when the upload works, it shows this:

1281099317.664 409638 127.0.0.1 TCP_MISS/200 1840 POST 
http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 
text/html

When it doesn't, it shows this:

1281102595.774  21086 127.0.0.1 TCP_MISS/000 0 POST 
http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 -

Plus, cache.log has a lot of these messages which I don't understand:

2010/08/06 08:55:53| ctx: enter level  2: 
'http://p2.trrsf.com.br/image/get?o=cfw=296h=222src=http://sdp.terra.com.br/Thumbox/free/cnt314458_h300_aNoChange_Prison-Break-1-Temporada-Ep-12_20108611342.jpg'
2010/08/06 10:13:35| ctx: enter level  3: 
'application/vnd.google.safebrowsing-chunk'
2010/08/06 10:13:35| ctx: enter level  4: 
'application/vnd.google.safebrowsing-chunk'
2010/08/06 10:23:54.948| ctx: enter level  5: 
'http://discovirtual.terra.com.br/vdexecup.html'
2010/08/06 10:23:54.948| ctx: exit level  5
2010/08/06 10:23:54.949| ctx: enter level  5: 
'http://discovirtual.terra.com.br/vdexecup.html'
2010/08/06 10:23:54.949| ctx: exit level  5
2010/08/06 10:23:54.951| ctx: enter level  5: 
'http://discovirtual.terra.com.br/vdexecup.html'
2010/08/06 10:23:54.951| ctx: exit level  5
2010/08/06 10:23:55.810| ctx: enter level  5: 
'http://uv.terra.com.br/UV?c=discovirtualord=907532REF=SCRNSZ=1440x900BRSRSZ=924x695TIMEZONE=Fri%20Aug%206%2010%3A23%3A41%20UTC-0300%202010'
2010/08/06 10:23:55.810| ctx: exit level  5
2010/08/06 10:23:55.812| ctx: enter level  5: 
'http://uv.terra.com.br/UV?c=discovirtualord=907532REF=SCRNSZ=1440x900BRSRSZ=924x695TIMEZONE=Fri%20Aug%206%2010%3A23%3A41%20UTC-0300%202010'
2010/08/06 10:23:55.812| ctx: exit level  5
2010/08/06 10:23:55.814| ctx: enter level  5: 
'http://uv.terra.com.br/UV?c=discovirtualord=907532REF=SCRNSZ=1440x900BRSRSZ=924x695TIMEZONE=Fri%20Aug%206%2010%3A23%3A41%20UTC-0300%202010'
2010/08/06 10:23:55.814| ctx: exit level  5
2010/08/06 10:23:56.623| ctx: enter level  5: 
'http://br.hits.e.cl/cert/hit.dll?sitio_id=300274path=srv/enviando_arquivoreferer=java=trueflash=10cert_cachebuster=1034descr=ENVIANDO'
2010/08/06 10:23:56.623| ctx: exit level  5
2010/08/06 10:23:56.625| ctx: enter level  5: 
'http://br.hits.e.cl/cert/hit.dll?sitio_id=300274path=srv/enviando_arquivoreferer=java=trueflash=10cert_cachebuster=1034descr=ENVIANDO'
2010/08/06 10:23:56.625| ctx: exit level  5
2010/08/06 10:23:56.627| ctx: enter level  5: 
'http://br.hits.e.cl/cert/hit.dll?sitio_id=300274path=srv/enviando_arquivoreferer=java=trueflash=10cert_cachebuster=1034descr=ENVIANDO'
2010/08/06 10:23:56.627| ctx: exit level  5
2010/08/06 10:23:56.807| ctx: enter level  5: 
'http://terra.112.2o7.net/b/ss/terrabr/1/H.20.3/s03451603567267?AQB=1ndh=1t=6/7/2010%2010%3A23%3A41%205%20180ce=ISO-8859-1ns=terracdp=3pageName=discovirtual.br/vdexecup.htmlg=http%3A//discovirtual.terra.com.br/vdexecup.htmlcc=USDch=br.produtoseservicos.discovirtual%7C300274server=discovirtual.terra.com.brevents=event1v1=br.produtoseservicos.discovirtual%7C300274h1=productos_y_servicios%7Cdiscovirtual%7Cdiscovirtual%7C300274%7Csrvc2=productos_y_serviciosv2=srvh2=terra%7Cproductos_y_servicios%7Cdiscovirtual%7Cdiscovirtual%7C300274%7Csrvc3=productos_y_servicios%7Cdiscovirtualv3=300274c4=300274v4=discovirtual.br/vdexecup.htmlc5=srvc6=productos_y_servicios%7Cdiscovirtual%7Cdiscovirtualc7=discovirtualv7=terrac8=discovirtualc9=300274%7C%7Csrvc10=discovirtualc11=enviando_arquivoc12=300274%7Cc15=terrac16=productos_y_servicios%7Cdiscovirtual%7Cterrav19=More%20than%2030%20daysc20=http%3A//stf.terra.com.br/metrics/inc/br/20100730b.jsv20=Newv44=D%3DpageNamev45=D%3Dgc47=Newc48=flash%2010c49=silverlight%203.0c50=Weekday%20%3A%20Friday%20%3A%2010%3A00AMv50=Weekday%20%3A%20Friday%20%3A%2010%3A00AMs=1440x900c=32j=1.5v=Yk=Ybw=945bh=699ct=lanhp=Npid=discovirtual.br/vd.cgipidt=1oid=functiononclick%28%29%7Bjan%3Djan.open%28%27./vdexecup.html%27%2C%27Uploading%27%2C%27toolbar%3D0%2Clocation%3D0%2Cdirectories%3D0%2Cmenoidt=2ot=IMAGEoi=125AQE=1'
2010/08/06 10:23:56.807| ctx: exit level  5
2010/08/06 10:23:56.810| ctx: enter level  5: 

Re: [squid-users] Http upload problem with TCP_MISS/000 and ctx: enter/exit messages

2010-08-06 Thread Amos Jeffries

Rodrigo Ferraz wrote:

Hello

We've been struggling for a few days with a permanent problem on a newly 
installed squid 3.1.4 and those web form-based uploads, either using ASP, 
javascript or any other language behind.
Let me assure you guys, ALL uploads are failing, not with a few specific sites. 
It is just a matter of clicking an OK button to submit the file and the browser 
(IE or Firefox) instantly shows either its own error page (Page could not be 
opened) in 90% of the tries or squid's error page (Connection Reset by Peer)  
in the remaining 10%.

By configuring a remote client to use the proxy server through an external SSH 
tunnel (i.e. by excluding all the local network devices), we can reduce the 
error ratio to around 5% of the tries. So, when the upload works, it shows this:

1281099317.664 409638 127.0.0.1 TCP_MISS/200 1840 POST 
http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 
text/html

When it doesn't, it shows this:

1281102595.774  21086 127.0.0.1 TCP_MISS/000 0 POST 
http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 -



either connection to client or server died before the reply came back.
this is consistent with squid-server TCP not getting any replies back.

check that PMTU discovery works to those sites from the squid box.



Plus, cache.log has a lot of these messages which I don't understand:


snip

2010/08/06 10:24:12.867| ctx: enter level  5: 
'http://dnl-14.geo.kaspersky.com/bases/av/emu/emu-0607g.xml.dif'
2010/08/06 10:24:12.867| ctx: exit level  5



ctx is not something to worry overly much about.
It's just a counter of how many times squid has had to stop and wait for 
a particular request's headers to arrive. 3.1.4 had a small 'leak', that 
meant the counter was not reset properly when the headers were finished.




Additional info:

* CentOS release 5.5 (Final), 32 bit
* squid3-3.1.4-1.el5.pp.i386.rpm (from 
http://www.pramberger.at/peter/services/repository/)
* No more than 5 simultaneous users
* Intel Core 2 Duo E7600, 4 GB RAM, Intel DG31PR motherboard
* Direct connections, without squid, always work.
* Resolv.conf points to 127.0.0.1, which is bind-9.3.6-4.P1.el5_4.2
* Tried with and without half_closed_clients off.
* Already deleted and recreated /var/cache/squid.
* One of the cache.log files seems to be truncated or with binary characters 
preventing it from being properly read from the console.
* Found two occurrences of Exception error:found data bewteen chunk end and 
CRLF in cache.log.


Not good. That is a sign of the remote end of those links sending 
corrupted data.




My guesses are:

- It could be a hardware problem with the server specifically related to faulty 
NIC, I/O or bad memory, but there are no system wide errors being logged which 
would support this and all other server applications are working fine;
- It could be a hardware problem with the wan circuit or provider, but without 
the proxy server, going directly to Internet, the problem never happens.
- It could be a DNS problem. Unlikely, since the problem only relates to 
upload (POST) operations to the same websites which were already resolved by 
its own named.
- It could be a DoS launched from an internal infected workstation. Unlikely, 
squid is not crashing and server load stays at 0.00.
- It could be a squid bug or problem in face of an unknown condition? Unlikely, 
we have the same software setup (O.S., the same rpm and config of squid 3.1.4) 
in another remote office which works perfectly with these same upload websites.
- It could be a problem with all the upload websites tried? REALLY unlikely.

So I would like to kindly ask for any suggestions on diagnostics and 
troubleshooting of this problem.


Looks like you have eliminated everything except network lag.
Do persistent connections help (particularly to servers)?

What does squid -v show, please?

and what do the dying sites resolve to from the squid box (both  and A).





squid.conf

half_closed_clients off
range_offset_limit -1
maximum_object_size 200 MB
quick_abort_min -1

snip


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
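
Added example, not part of the thread: a Python triage of Squid's native-format access.log that picks out the TCP_MISS/000 zero-reply POST entries discussed above and counts them per destination host. The first two sample lines are the entries quoted in the thread (unwrapped); the remaining lines, hosts and users are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Lines 1-2: entries quoted in the thread. Lines 3-6: constructed sample data.
SAMPLE_LOG = """\
1281099317.664 409638 127.0.0.1 TCP_MISS/200 1840 POST http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 text/html
1281102595.774  21086 127.0.0.1 TCP_MISS/000 0 POST http://discovirtual.terra.com.br/vd.cgi administrator DIRECT/200.154.56.65 -
1281102700.120 150 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/index.html alice DIRECT/198.51.100.7 text/html
1281102710.500 30012 192.0.2.11 TCP_MISS/000 0 POST http://upload.example.net/form.asp bob DIRECT/203.0.113.9 -
1281102720.900 812 192.0.2.11 TCP_MISS/200 733 POST http://upload.example.net/form.asp bob DIRECT/203.0.113.9 text/html
1281102730.000 truncated line
"""


def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    try:
        when, elapsed_ms, size = float(f[0]), int(f[1]), int(f[4])
    except ValueError:
        return None
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return {
        "time": when, "elapsed_ms": elapsed_ms, "client": f[2],
        "result": result, "status": status, "bytes": size,
        "method": f[5], "url": f[6], "user": f[7],
        "hierarchy": hierarchy, "peer": peer, "type": f[9],
        "host": urlsplit(f[6]).hostname or f[6],
    }


def entries(log_text):
    """Yield parsed entries, silently skipping lines that do not parse."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            yield entry


def aborted_posts(log_text):
    """POSTs logged with status 000: the transaction ended before any reply."""
    return [e for e in entries(log_text)
            if e["method"] == "POST" and e["status"] == "000"]


def post_failures(log_text):
    """Map host -> (aborted POSTs, total POSTs) to see where uploads die."""
    counts = defaultdict(lambda: [0, 0])
    for e in entries(log_text):
        if e["method"] != "POST":
            continue
        counts[e["host"]][1] += 1
        if e["status"] == "000":
            counts[e["host"]][0] += 1
    return {host: tuple(c) for host, c in counts.items()}


if __name__ == "__main__":
    for e in aborted_posts(SAMPLE_LOG):
        print("%.3f %s -> %s (%s) gave up after %d ms" % (
            e["time"], e["client"], e["host"], e["peer"], e["elapsed_ms"]))
    print(post_failures(SAMPLE_LOG))
```
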


RE: [squid-users] Http upload problem with TCP_MISS/000 and ctx: enter/exit messages

2010-08-06 Thread Rodrigo Ferraz
Hello Amos

Thank you for your answer. Here is the information.


MTU:

I've checked this following your suggestion and it appears that there are no 
MTU issues with the upload sites as ping shows below: 

[r...@fw01-sao ~]# ping -c 5 -M do -s 1472 discovirtual.terra.com.br
PING produtos.terra.com.br (200.154.56.65) 1472(1500) bytes of data.
1480 bytes from produtos.terra.com.br (200.154.56.65): icmp_seq=1 ttl=245 
time=75.1 ms
snip
1480 bytes from produtos.terra.com.br (200.154.56.65): icmp_seq=5 ttl=245 
time=72.1 ms

--- produtos.terra.com.br ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 72.081/73.193/75.138/1.157 ms
 [r...@fw01-sao ~]# ping -c 5 -M do -s 1472 www.freeaspupload.net
PING www.freeaspupload.net (208.106.217.3) 1472(1500) bytes of data.
1480 bytes from innerstrengthfit.com (208.106.217.3): icmp_seq=1 ttl=113 
time=230 ms
snip
1480 bytes from innerstrengthfit.com (208.106.217.3): icmp_seq=5 ttl=114 
time=233 ms

--- www.freeaspupload.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 227.849/230.390/233.794/2.042 ms
 [r...@fw01-sao ~]# ping -c 5 -M want -s 1472 discovirtual.terra.com.br  
PING produtos.terra.com.br (200.154.56.65) 1472(1500) bytes of data.
1480 bytes from produtos.terra.com.br (200.154.56.65): icmp_seq=1 ttl=245 
time=76.1 ms
snip
1480 bytes from produtos.terra.com.br (200.154.56.65): icmp_seq=5 ttl=245 
time=71.9 ms

--- produtos.terra.com.br ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 71.634/72.920/76.120/1.655 ms
 [r...@fw01-sao ~]# ping -c 5 -M want -s 1472 www.freeaspupload.net
PING www.freeaspupload.net (208.106.217.3) 1472(1500) bytes of data.
1480 bytes from webmailasp.net (208.106.217.3): icmp_seq=1 ttl=113 time=233 ms
snip
1480 bytes from webmailasp.net (208.106.217.3): icmp_seq=5 ttl=114 time=232 ms

--- www.freeaspupload.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 228.214/231.006/233.755/1.985 ms
[r...@fw01-sao ~]#


Persistent connections:

I'm not really sure if I understood your suggestion correctly, but isn't 
server_persistent_connections on the default? Anyway, forcing it in 
configuration did not have any impact on the problem.

 [r...@fw01-sao ~]# squid -v
Squid Cache: Version 3.1.4
configure options:  '--build=i386-koji-linux-gnu' '--host=i386-koji-linux-gnu' 
'--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' 
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' 'CPPFLAGS= -DOPENSSL_NO_KRB5' 
'--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' 
'--datadir=/usr/share/squid' '--enable-async-io=64' 
'--enable-storeio=aufs,diskd,ufs' 
'--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads' 
'--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' 
'--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' 
'--enable-kill-parent-hack' '--enable-arp-acl' '--enable-ssl' 
'--enable-forw-via-db' '--enable-cache-digests' '--disable-http-violations' 
'--enable-linux-netfilter' '--enable-follow-x-forwarded-for' 
'--disable-ident-lookups' '--enable-auth=basic,digest,negotiate,ntlm' 
'--enable-basic-auth-helpers=DB,LDAP,MSNT,NCSA,PAM,SASL,SMB,getpwnam,multi-domain-NTLM,squid_radius_auth'
 '--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm' 
'--enable-ntlm-fail-open' 
'--enable-digest-auth-helpers=eDirectory,ldap,password' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
 '--enable-stacktraces' '--enable-x-accelerator-vary' '--enable-zph-qos' 
'--with-default-user=squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-pthreads' '--with-aio' '--with-dl' 
'--with-openssl=/usr' '--with-large-files' '--with-filedescriptors=32768' 
'build_alias=i386-koji-linux-gnu' 'host_alias=i386-koji-linux-gnu' 
'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic 
-fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic 
-fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic 
-fasynchronous-unwind-tables' --with-squid=/builddir/build/BUILD/squid-3.1.4 
--enable-ltdl-convenience
[r...@fw01-sao ~]#

DNS:

I've compared local resolution (in squid's box) results to what this online 

[squid-users] NTLM problem with squid 2.7 on Windows Server 2008 for IE8 clients

2010-08-06 Thread Sailor Ripley

Hello,

I've been having trouble configuring squid with NTLM to replace an ISA 
Server. The configuration is:


   * squid version 2.7.STABLE7 (downloaded from
 http://squid.acmeconsulting.it/)
   * windows 2008 server
   * on the client side: Internet Explorer 8

The problem is that IE8 always prompts for the password unless it is 
configured with the servers in the Trusted Zone and Automatic Logon with 
current user/password (no tests done with other browsers).


Users were able to access sites through the previous proxy server (ISA 
Server) which was using Integrated Authentication without having to 
provide any credentials. Without any change on Internet Explorer 
configuration, once squid is in use, users are prompted for credentials.
Are there any requirements for Internet Explorer configuration to work 
with squid's NTLM?


Squid configuration is:

   auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
   auth_param ntlm children 5

   acl all src all
   acl manager proto cache_object
   acl localhost src 127.0.0.1/32

   acl ntlm proxy_auth REQUIRED

   http_access allow ntlm

   http_access deny all

   icp_access deny all

   http_port 8080

   cache_peer proxytd parent 8080 0 no-query no-digest login=PASS connection-auth=on

   redirect_program C:\\squid\\squidGuard\\squidGuard.exe -c C:\\squid\\squidGuard\\conf\\squidGuard.conf
   acl ss dstdomain ss
   always_direct allow ss
   never_direct deny ss
   no_cache deny ss

   hierarchy_stoplist cgi-bin ?

   acl to_av dstdomain avserver
   header_access Pragma deny to_av

   refresh_pattern -i avserver 10080 20% 99 ignore-no-cache reload-into-ims

   refresh_pattern ^ftp: 1440 20% 10080
   refresh_pattern ^gopher: 1440 0% 1440
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
   refresh_pattern . 0 20% 4320

   range_offset_limit -1
   maximum_object_size 200 MB
   quick_abort_min -1

   acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
   upgrade_http0.9 deny shoutcast
   visible_hostname localhost

   acl apache rep_header Server ^Apache
   broken_vary_encoding allow apache

   never_direct allow all

I don't know much about NTLM or ISA so I hope the question isn't stupid...

Thanks in advance,
Sailor


[squid-users] Squid 2.7 behaviour when run as caching reverse proxy when origin web site down

2010-08-06 Thread Sean Dockery
Hello everyone,

I tried searching MARC for an answer to my question, but gave up after about an 
hour of reading unrelated threads.

I have an intranet application that depends upon graphics generated by an 
external web site, the results of which depend upon GET request query 
parameters.

I would like to use Squid in two capacities:
1. To cache the graphics so as to reduce the load on the external web site, as 
well as improve the performance of the intranet application, and
2. To allow the intranet application to survive (hopefully) temporary service 
interruptions experienced by either our data centre or the external web site.

To this end, I have set up Squid as a reverse proxy for the external web site.  
This satisfies #1.

I have examined the HTTP response headers returned with the graphic resources, 
and they include a Cache-Control header as follows:

Cache-Control: max-age=7200

I've read Mark Nottingham's blog about the stale-when-validation and 
stale-if-error options.  In the absence of these Cache-Control options, what do 
I have to do (if anything) to have Squid serve the cached (and possibly stale) 
content if there are errors connecting to the origin web site?  The graphics 
for any given set of GET request query parameters are static, so the graphics 
that are generated for any given request can essentially be reused indefinitely.

Thanks.


Sean Dockery
Senior Software Test Developer

QuIC Financial Technologies Inc.
Suite 225, 3553 - 31 St. NW
Calgary, AB Canada
T2L 2K7

t +1 403 210 8282
m +1 403 966 0631
f +1 403 210 8299
e sean.dock...@quic.com
www.quic.com
