Re: [squid-users] Need help on Squid Setup

2013-11-12 Thread Amos Jeffries
On 12/11/2013 8:19 p.m., Durga Prasath wrote:
 Hello All,
 
 I am trying to set up Squid Proxy for our internal users. We want to
 restrict access to only a few domains and URLs.
 
 The requirement I have is, I should allow
 https://www.google.co.in/search and other URLs should be banned. Like
 if users try to access https://www.google.co.in/blogsearch or
 https://www.google.co.in/imagesearch should be restricted and only
 /search should be allowed.
 
 The options url_regex or urlpath_regex are not working.
 
 Can someone help on this requirement on how to setup this using squid?

This is HTTPS traffic.

When it goes through an HTTP proxy it uses special CONNECT requests.
Those requests contain *only* the domain name and port (usually 443)
being connected to, and some headers related to what agent is requesting
the tunnel connection be set up. Path and other parts of the URL are not
available for access control to use.

To do what you want, you will have to hijack the HTTPS/SSL connection,
decrypt the user's traffic, apply your controls, then re-encrypt. Squid
can do that with the SSL-bump feature, BUT before using it please check
with your local lawyer - using it is considered illegal wiretapping
and/or breach of privacy in many countries.

Amos
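
The point made in the reply above, as an added example that is not part of the original thread and is not Squid code: a small Python model of what a forward proxy can read from each request line. The allow-list, the `^/search` rule and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed request lines, as a forward proxy would receive them.
SAMPLE_REQUESTS = [
    "GET http://www.google.co.in/search?q=squid HTTP/1.1",
    "GET http://www.google.co.in/blogsearch?q=squid HTTP/1.1",
    # What the browser sends when the user opens https://www.google.co.in/search
    "CONNECT www.google.co.in:443 HTTP/1.1",
    # What the browser sends when the user opens https://www.google.co.in/blogsearch
    "CONNECT www.google.co.in:443 HTTP/1.1",
]

# Hypothetical policy: only /search on one host is wanted.
ALLOWED_HOSTS = {"www.google.co.in"}
ALLOWED_PATH = re.compile(r"^/search(\?|$)")


def visible_fields(request_line):
    """Return the parts of the URL the proxy can actually see."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # The target is "host:port" only; there is no path to inspect.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port), "path": None}
    parts = urlsplit(target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {"method": method, "host": parts.hostname,
            "port": parts.port or 80, "path": path}


def decide(request_line):
    """Apply the policy using only the fields that are visible."""
    f = visible_fields(request_line)
    if f["host"] not in ALLOWED_HOSTS:
        return "deny"
    if f["path"] is None:
        # Tunnel request: a path rule has nothing to match against, so the
        # decision can only be made per host and port.
        return "allow-tunnel" if f["port"] == 443 else "deny"
    return "allow" if ALLOWED_PATH.search(f["path"]) else "deny"


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(decide(line), "<-", line)
```

The two CONNECT lines are byte-for-byte identical, so a path-based rule cannot tell /search from /blogsearch once the traffic is HTTPS.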


[squid-users] WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Dr.x
hi ,
is that harmful log ??

2013/11/11 02:20:12 kid2| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid1| ctx: exit level  0
2013/11/11 02:20:13 kid1| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=1075526134_220681_a90622ba5df04921Bd03a7abab3f6328channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=78291847'
2013/11/11 02:20:13 kid1| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid1| ctx: exit level  0
2013/11/11 02:20:13 kid1| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=6573campaignid=232cids=232bids=6573zoneid=131033retarget_matches=nulltid=711430930_131033_1820daa33ce9444aAf695c9465d9ea5achannel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=16754765'
2013/11/11 02:20:13 kid1| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid2| ctx: exit level  0
2013/11/11 02:20:13 kid2| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=6614988552_220681_b6c5cff7d82042ccB86be4cfb6e8595echannel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=20837268'
2013/11/11 02:20:13 kid2| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid2| ctx: exit level  0
2013/11/11 02:20:13 kid2| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=6573campaignid=232cids=232bids=6573zoneid=131033retarget_matches=nulltid=33051520_131033_4fd6080af4a846df8ba0ef5c3694d699channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=33770260'
2013/11/11 02:20:13 kid2| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid2| ctx: exit level  0
2013/11/11 02:20:13 kid2| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=6573campaignid=232cids=232bids=6573zoneid=131033retarget_matches=nulltid=133013941_131033_c61cb783eaab4af98630849e954798b2channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=67402879'
2013/11/11 02:20:13 kid2| WARNING: unparseable HTTP header field {:: }
2013/11/11 02:20:13 kid2| ctx: exit level  0
2013/11/11 02:20:13 kid2| ctx: enter level  0:
'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=1952756553_220681_c5b7aec4567a4a65Bb1ef7ec7e718012channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=08604172'
2013/11/11 02:20:13 kid2| WARNING: unparseable HTTP header field {:: }
===

regards




-
Dr.x
--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-unparseable-HTTP-header-field-tp4663232.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] squid cache manager question and snmp with smp question

2013-11-12 Thread Dr.x
hi , 
from cache manager :
Cache information for squid:
Hits as % of all requests:  5min: 11.7%, 60min: 11.0%
Hits as % of bytes sent:5min: 0.6%, 60min: -0.3%
Memory hits as % of hit requests:   5min: 20.0%, 60min: 13.9%
Disk hits as % of hit requests: 5min: 11.6%, 60min: 9.5%
Storage Swap size:  28703904 KB
Storage Swap capacity:  70.1% used, 29.9% free
Storage Mem size:   1024000 KB
*Storage Mem capacity:  100.0% used,  0.0% free*
Mean Object Size:   32.00 KB
Requests given to unlinkd:  0

im asking about :
Storage Mem capacity:   100.0% used,  0.0% free
why it is 100 %

Q1-does that mean that squid dissipated 100% from cache_mem value configured

Q2- does the result in cache manager in general run time information is
calculated as total for all processes ???
==
Q3
 ABOUT snmp with smp
what i need to configure in squid.conf ??

do i need to configure snmp for each instance ???

i want to say that i configured as below :
acl snmppublic snmp_community xxx
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access allow snmppublic all
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0
###

i had results in my mrtg , but not sure of the results ,
i got squid mib file  and converted it to oidb file and  put it in my mrtg.

by here im using smp , not sure from the results 


i also received some suspicious logs :

2013/11/08 16:51:26 kid3| snmpHandleUdp: FD 20 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:26 kid1| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:26 kid3| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid2| snmpHandleUdp: FD 20 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid3| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid1| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid3| snmpHandleUdp: FD 20 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid1| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid3| snmpHandleUdp: FD 19 recvfrom: (11) Resource
temporarily unavailable
2013/11/08 16:51:51 kid1| snmpHandleUdp: FD 20 recvfrom: (11) Resource
temporarily unavailable

not sure if it is harmful !!!

regards




-
Dr.x


Re: [squid-users] Re: RPM for Squid 3.3.10 is OUT.

2013-11-12 Thread Amos Jeffries
On 12/11/2013 8:22 p.m., Dr.x wrote:
 Eliezer Croitoru-2 wrote
 I am happy to release the new RPM for squid version 3.3.10.(links at the 
 bottom of the article)

 The new release includes the big addition of cache_dir type *rock*, big 
 thanks for Alex Rousskov work on rock ssl-bump and many other small and 
 big things that makes squid what it is!

 What is *rock* cache_dir type? What it gives me?
 Speed! and SMP support for cache_dir.

 A small introduction to FileSystems and Squid:
 Squid uses UFS\AUFS types cache directories for a very long time in a 
 very nice way to overcome and try to beat the OS and the FileSystems 
 limits in order to allow millions of objects\files to be cached.

 The UFS type that can be used with either reiserFS, ext4 or any other FS 
 you can think about that is supported by the OS.
 There are limits to each and every FS like the reiserFS that was 
 designed to work with lots of small\tiny files and does that in a very 
 nice way.

 A FS far as it is perfected it is still a *FileSystem* which is very 
 global and has a design which effects directly on the performance of
 itself.
 An example for this point is being demonstrated when creating a file on 
 a FS can be quite easy in one while erasing a file can result in a very 
 CPU and I\O intensive task on some FS.
 If you are interested in understanding a bit more about FS complexity 
 you can watch Ric Wheeler at his video and presentation:
 * video: 
 http://video.linux.com/videos/one-billion-files-pushing-scalability-limits-of-linux-file-systems
 * or: http://www1.ngtech.co.il/squid/videos/37.webm

 * pdf: 
 http://www.redhat.com/summit/2011/presentations/summit/decoding_the_code/thursday/wheeler_t_0310_billion_files_2011.pdf
 * or: 
 http://www1.ngtech.co.il/squid/fs/wheeler_t_0310_billion_files_2011.pdf


 What heavy lifting do the FS and squid needs to handle with?
 UFS\AUFS actually uses the FileSystem in order to store for an example 
 200 requests per second which 50 of them are not even cacheable so 150 
 requests per second to be placed in files in the FileSystem based on the
 OS.
 60 secs doubles 60 minutes doubles 100 requests per second(yes I reduced 
 it..) it means creation of about 3600 files on the FS per hour for a 
 tiny Small Office squid instance.
 While some squid systems can sit on a very big machine with more then 
 one instance that has more then 500 requests per second per instance, 
 the growth can be about 14,400,000 per hour.

 It do sounds like a very big number but a MegaByte is about 1 Million 
 bytes and today we are talking about speeds which exceeds 10Gbps..

 So there might be another design that is needed in order to store all 
 these HTTP objects and which rock comes to unleash.

 In the next release I will try to describe it in more depth.

 * note that the examples do demonstrate the ideas in a wild way.

 The RPMS at:
 http://www1.ngtech.co.il/rpm/centos/6/x86_64/

 The package includes 3 RPMs one for the squid core and helpers, the
 other is for debuging and the third is the init script.
 http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.10-1.el6.x86_64.rpm
 http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-sysvinit-3.3.10-1.el6.x86_64.rpm
 http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-debuginfo-3.3.10-1.el6.x86_64.rpm

 To Each and everyone of them there is an asc file which contains PGP and
 MD5 SHA1 SHA2 SHA256 SHA384 SHA512 hashes.

 I also released the SRPM which is very simple at:
 http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/squid-3.3.10-1.el6.src.rpm

 * I do hope to release in the next weeks a RPM of 3.HEAD build for ALPHA 
 testers of the newest bug fixes and squid improvements.

 * Sorry that the I686 release is not out yet but since I do not have on 
 me a I686 running OS it will be added later to the repo.

 Eliezer
 
 
 nice news ,
 i would like to ask about mounting options related to rock , 
 is it critical for performance ??
 ' i read wiki , but no one care with it !!!
 
 as an example machine with 7 hardisks ssd , each hardisk with 90 G storage ,  
 and with about 4000 req/sec on squid with smp.
 
 does squid 3.3.10 better than squid 3.3.9  for rock support and speed ???
 if not big updater i prefer staying with 3.3.9
 

There is always something better about new releases or I would not
bother going to the work of releasing.

A few of the 3.3.10 changes affect speed in a good way. But only a
little bit. So you may not notice unless you are hitting the particular
problem events.

This is an encouraged as soon as possible release so if you have the
chance upgrade, but there is no need to go out of your way to make it
happen.

Amos


Re: [squid-users] WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Amos Jeffries
On 12/11/2013 9:08 p.m., Dr.x wrote:
 hi ,
 is that harmful log ??
 
 2013/11/11 02:20:12 kid2| WARNING: unparseable HTTP header field {:: }
 2013/11/11 02:20:13 kid1| ctx: exit level  0
 2013/11/11 02:20:13 kid1| ctx: enter level  0:
 'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=1075526134_220681_a90622ba5df04921Bd03a7abab3f6328channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=78291847'
 2013/11/11 02:20:13 kid1| WARNING: unparseable HTTP header field {:: }

It means the response to the URL shown contains corrupted HTTP headers.
Something outside the HTTP protocol has been injected, so Squid will drop
the header, if relaxed_header_parser is disabled then the whole response
is dropped.


In this case the response is:

  HTTP/1.1 204 No Content
  Server: nginx
  Content-Type: text/html
  Connection: close
  Date: Tue, 12 Nov 2013 08:29:00 GMT
  P3P: CP=CUR ADM OUR NOR STA NID
  Set-Cookie: ljt_reader=9927a11290d0240d8b2c3a6526658585; expires=Wed,
12-Nov-2014 08:29:00 GMT; path=/; domain=.lijit.com
  ::
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
  Pragma: no-cache


Notice the line which contains only ::. Exactly as Squid reported.

Amos
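
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Squid's parser: a Python model that walks a response header block, flags any line that is not a valid `name: value` field, and either drops that field or rejects the whole response. The `relaxed` parameter and the function name are assumptions; the sample response is constructed from the one quoted above, with the Date and Set-Cookie lines left out.

```python
import re

# Constructed sample based on the response quoted in the message above.
RAW_RESPONSE = (
    b"HTTP/1.1 204 No Content\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"P3P: CP=CUR ADM OUR NOR STA NID\r\n"
    b"::\r\n"
    b"Expires: Thu, 01 Jan 1970 00:00:01 GMT\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# A header field is a non-empty token, a colon, then the value.
FIELD = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(raw, relaxed=True):
    """Parse a response head.

    relaxed=True  -> drop each unparseable field, keep the rest.
    relaxed=False -> reject the whole response on the first bad field.
    Returns (parsed_or_None, warnings).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line, field_lines = lines[0], lines[1:]

    headers, warnings = [], []
    for line in field_lines:
        match = FIELD.match(line)
        if match is None:
            warnings.append("unparseable header field: %r" % line.decode("latin-1"))
            if not relaxed:
                return None, warnings
            continue
        name = match.group(1).decode("ascii")
        value = match.group(2).decode("latin-1")
        headers.append((name, value))

    return {"status": status_line.decode("latin-1"), "headers": headers}, warnings


if __name__ == "__main__":
    for mode in (True, False):
        parsed, warns = parse_headers(RAW_RESPONSE, relaxed=mode)
        print("relaxed=%s" % mode, "->",
              "rejected" if parsed is None else "%d fields kept" % len(parsed["headers"]),
              warns)
```

The `::` line fails because the field name before the first colon is empty; every other field in the sample is kept in relaxed mode.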


Re: [squid-users] squid cache manager question and snmp with smp question

2013-11-12 Thread Amos Jeffries
On 12/11/2013 9:21 p.m., Dr.x wrote:
 hi , 
 from cache manager :
 Cache information for squid:
   Hits as % of all requests:  5min: 11.7%, 60min: 11.0%
   Hits as % of bytes sent:5min: 0.6%, 60min: -0.3%
   Memory hits as % of hit requests:   5min: 20.0%, 60min: 13.9%
   Disk hits as % of hit requests: 5min: 11.6%, 60min: 9.5%
   Storage Swap size:  28703904 KB
   Storage Swap capacity:  70.1% used, 29.9% free
   Storage Mem size:   1024000 KB
   *Storage Mem capacity:  100.0% used,  0.0% free*
   Mean Object Size:   32.00 KB
   Requests given to unlinkd:  0
 
 im asking about :
 Storage Mem capacity: 100.0% used,  0.0% free
 why it is 100 %
 

Because your cache is busy and using all the memory you gave it for
caching objects (cache_mem). This is normal for memory cache, there is
no reason to hold it lower than 100% since there is no delay in deleting
things when they need to be.


 Q1-does that mean that squid dissipated 100% from cache_mem value configured
 

dissipated? no, used.

 Q2- does the result in cache manager in general run time information is
 calculated as total for all processes ???

Um. Is cache_mem set to 1000 MB in one worker? or would that be the sum
for all the workers with cache_mem ?


 ==
 Q3
  ABOUT snmp with smp
 what i need to configure in squid.conf ??

Squid must be built with --enable-snmp.

Also, snmp_port and snmp_access directives must be configured.

 
 do i need to configure snmp for each instance ???

http://wiki.squid-cache.org/Features/SmpScale#What_can_workers_share.3F

 
 i want to say that i configured as below :
 acl snmppublic snmp_community xxx
 snmp_port 3401
 snmp_access allow snmppublic localhost
 snmp_access allow snmppublic all
 snmp_incoming_address 0.0.0.0
 snmp_outgoing_address 0.0.0.0

Drop those last two lines about address. The first one is doing nothing
useful. The second one will cause failures.

From the config manual:

  NOTE, snmp_incoming_address and snmp_outgoing_address can not have
the same value since they both use the same port.


 ###
 
 i had results in my mrtg , but not sure of the results ,
 i got squid mib file  and converted it to oidb file and  put it in my mrtg.
 
 by here im using smp , not sure from the results 
 
 
 i also received some suspicious logs :
 
 2013/11/08 16:51:26 kid3| snmpHandleUdp: FD 20 recvfrom: (11) Resource
 temporarily unavailable


We are still trying to figure this one out. It seems not to be harmful
particularly, except a waste of effort somewhere.

Amos



Re: [squid-users] WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Ralf Hildebrandt
* Amos Jeffries squ...@treenet.co.nz:
 On 12/11/2013 9:08 p.m., Dr.x wrote:
  hi ,
  is that harmful log ??
  
  2013/11/11 02:20:12 kid2| WARNING: unparseable HTTP header field {:: }
  2013/11/11 02:20:13 kid1| ctx: exit level  0
  2013/11/11 02:20:13 kid1| ctx: enter level  0:
  'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=1075526134_220681_a90622ba5df04921Bd03a7abab3f6328channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=78291847'
  2013/11/11 02:20:13 kid1| WARNING: unparseable HTTP header field {:: }
 
 It means the response to the URL shown contains corrupted HTTP headers.
 Something outside the HTTP protocol has been injected, so Squid will drop
 the header, if relaxed_header_parser is disabled then the whole response
 is dropped.

Since I'm also seeing that, I'd guess lijit.com is having issues.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


[squid-users] Re: WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Dr.x
Ralf Hildebrandt wrote
 * Amos Jeffries <squid3@.co>:
 On 12/11/2013 9:08 p.m., Dr.x wrote:
  hi ,
  is that harmful log ??
  
  2013/11/11 02:20:12 kid2| WARNING: unparseable HTTP header field {:: }
  2013/11/11 02:20:13 kid1| ctx: exit level  0
  2013/11/11 02:20:13 kid1| ctx: enter level  0:
 
 'http://vap2iad3.lijit.com/www/delivery/lg.php?bannerid=38827campaignid=232cids=232bids=38827zoneid=220681retarget_matches=nulltid=1075526134_220681_a90622ba5df04921Bd03a7abab3f6328channel_ids=,fpr=c874c715b2faad8885ad1254850d8d74loc=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520referer=http%3A%2F%2Fforum.mobilism.org%2Fviewtopic.php%3Ff%3D1292%26t%3D652520cb=78291847'
  2013/11/11 02:20:13 kid1| WARNING: unparseable HTTP header field {:: }
 
 It means the response to the URL shown contains corrupted HTTP headers.
 Something outside the HTTP protocol has been injected, so Squid will drop
 the header, if relaxed_header_parser is disabled then the whole response
 is dropped.
 
 Since I'm also seeing that, I'd guess lijit.com is having issues.
 
 -- 
 Ralf Hildebrandt   Charite Universitätsmedizin Berlin
 ralf.hildebrandt@   Campus Benjamin Franklin
 http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
 Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

well , if this is just error for  lijit.com website , i can remove
redirecting this website to squid and let my head  clear.

but if it face to a lot of sites i will try to solve it :)

but any way , 
almost all logs of this type belong to  lijit.com  only !!.

if i found another logs to another sites , i will post it here

regards




-
Dr.x


Re: [squid-users] Re: WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Ralf Hildebrandt
* Dr.x ahmed.za...@netstream.ps:

 well , if this is just error for  lijit.com website , i can remove
 redirecting this website to squid and let my head  clear.

just block them, all they do is to serve ads!

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


[squid-users] Re: squid cache manager question and snmp with smp question

2013-11-12 Thread Dr.x


 Because your cache is busy and using all the memory you gave it for
 caching objects (cache_mem). This is normal for memory cache, there is
 no reason to hold it lower than 100% since there is no delay in deleting
 things when they need to be..

===well , no worry :)


 Q2- does the result in cache manager in general run time information is
 calculated as total for all processes ???
 
 Um. Is cache_mem set to 1000 MB in one worker? or would that be the sum
 for all the workers with cache_mem ?

==i think memory will be for all workers
i mean if i put to 1000 === the given cache_mem to squid is to be
(1000*process number)


 ==
 Q3
  ABOUT snmp with smp
 what i need to configure in squid.conf ??
 
 Squid must be built with --enable-snmp.
 
 Also, snmp_port and snmp_access directives must be configured.
 
 
 do i need to configure snmp for each instance ???
 
 http://wiki.squid-cache.org/Features/SmpScale#What_can_workers_share.3F

===well from wiki it say that snmp is shared with workers , you mean we don't
need to do it  per workers ??




 Drop those last two lines about address. The first one is doing nothing
 useful. The second one will cause failures.

 ok i will



 From the config manual:
 
   NOTE, snmp_incoming_address and snmp_outgoing_address can not have
   the same value since they both use the same port.
 
 
 ###
 
 i had results in my mrtg , but not sure of the results ,
 i got squid mib file  and converted it to oidb file and  put it in my
 mrtg.
 
 by here im using smp , not sure from the results 
 
 
 i also received some suspicious logs :
 
 2013/11/08 16:51:26 kid3| snmpHandleUdp: FD 20 recvfrom: (11) Resource
 temporarily unavailable
 
 
 We are still trying to figure this one out. It seems not to be harmful
 particularly, except a waste of effort somewhere.

=well


regards




-
Dr.x


Re: [squid-users] install error on Squid 3.1.6

2013-11-12 Thread Peipei Wang
I am doing analysis on Squid bugs and need to reproduce them at the first step.
Best wishes.
Yours,
Wang Peipei


On Tue, Nov 12, 2013 at 2:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/11/2013 6:54 p.m., Peipei Wang wrote:
 Hi all,

 Please help me with this installation problem.

 Firstly, this is a build/compile problem.


 I got a problem while installing Squid 3.1.6. The configure works
 well, but it reports the error message from make as follows.


 snip
 User.cc: In static member function ‘static void AuthUser::CachedACLsReset()’:
 User.cc:161:17: error: variable ‘username’ set but not used
 [-Werror=unused-but-set-variable]

 Here is my platform Information:
 OS: Ubuntu 12.04.3
 gcc: 4.6.3

 I also tried under the instructions from
 http://wiki.squid-cache.org/SquidFaq/CompilingSquid#Debian.2C_Ubuntu,
 but it reports the same problem.

 But this error doesn't happen on squid-3.2.3. That means the
 dependency libraries are already installed.

 Secondly, this is about 3.1.6 code being so old that it does not build
 using GCC 4.6. The only dependency problem visible is the compiler version.


 If you had 3.2 earlier why are you downgrading your Squid to an older
 and very broken release?

 Amos


[squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Andrey ‪

Hi everyone

During configuration of LDAP basic and group authentication methods by 
Squid, I came across this error (/var/log/squid3/cache.log):




Code:
WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.

For basic authentication I use following piece of code:

Code:
 auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn -b cn=Users,dc=dot,dc=lan ubuntu.dot.lan
 auth_param basic realm ubuntu.dot.lan

The test shows:

Administrator Pa77w0rd

OK.

For LDAP groups I use this:



Code:
 external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b dc=dot,dc=lan -f ((cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan)) -D nslcd-serv...@dot.lan -w Pa77w0rd -h ubuntu.dot.lan

The test shows:

Administrator InternetAccess

OK


My ACL list has following rules:


Code:
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT
 acl LDAP_Auth proxy_auth REQUIRED
 acl ClientNet src 192.168.1.135
 acl Block_site url_regex -i fb vk youtube
 acl InetAccess external memberof InternetAccess

And my Access/deny rules are:


Code:
 http_access allow localhost manager
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost
 http_access deny Block_site
 http_access allow InetAccess
 http_access deny !LDAP_Auth
 http_access allow ClientNet
 http_access deny all

Where is the problem? How to solve it?

Thank you. 



Re: [squid-users] squid cache manager question and snmp with smp question

2013-11-12 Thread Alex Rousskov
On 11/12/2013 01:21 AM, Dr.x wrote:

 Q2- does the result in cache manager in general run time information is
 calculated as total for all processes ???

All mgr:info information is aggregated to represent a Squid instance
view, as documented at:

http://wiki.squid-cache.org/Features/CacheManager#SMP_considerations

Not all aggregated numbers are totals though. Some are, for example,
maximums. Each statistics uses its own aggregation method.


HTH,

Alex.



[squid-users] Install Squid 3.3.10 on Slackware 14

2013-11-12 Thread Vukovic Ivan
Hello

Please i need help to ./configure, make and install Squid 3.3.10 on Slackware 14.0.
I installed Slackware 14 with this packets:

aaa_base-14.0-i486-5
aaa_elflibs-14.0-i486-4
acl-2.2.51-i486-1
attr-2.4.46-i486-1
autoconf-2.69-noarch-1
automake-1.11.5-noarch-1
bash-4.2.037-i486-1
bin-11.1-i486-1
bind-9.9.1_P3-i486-1
binutils-2.22.52.0.2-i486-2
bison-2.5.1-i486-1
bzip2-1.0.6-i486-1
clisp-2.49-i486-1
coreutils-8.19-i486-1
cxxlibs-6.0.17-i486-1
db42-4.2.52-i486-3
db44-4.4.20-i486-3
db48-4.8.30-i486-2
dcron-4.5-i486-4
devs-2.3.1-noarch-25
dialog-1.1_20100428-i486-2
diffutils-3.2-i486-1
e2fsprogs-1.42.6-i486-1
elvis-2.2_0-i486-2
etc-14.0-i486-1
expat-2.0.1-i486-2
findutils-4.4.2-i486-1
floppy-5.4-i386-3
gawk-3.1.8-i486-1
gcc-4.7.1-i486-1
gcc-g++-4.7.1-i486-1
gdbm-1.8.3-i486-4
gettext-0.18.1.1-i486-3
gettext-tools-0.18.1.1-i486-3
glib-1.2.10-i486-3
glib2-2.32.4-i486-1
glibc-2.15-i486-7
glibc-i18n-2.15-i486-7
glibc-solibs-2.15-i486-7
glibc-zoneinfo-2012f_2012f-noarch-7
gpm-1.20.1-i486-5
grep-2.14-i486-1
groff-1.21-i486-1
guile-1.8.8-i486-1
gzip-1.5-i486-1
hdparm-9.37-i486-1
infozip-6.0-i486-1
iproute2-3.4.0-i486-2
iptables-1.4.14-i486-1
joe-3.7-i486-1
kbd-1.15.3-i486-2
kernel-firmware-20120804git-noarch-1
kernel-headers-3.2.29_smp-x86-1
kernel-huge-3.2.29-i486-1
kernel-modules-3.2.29-i486-1
kmod-9-i486-3
less-451-i486-1
libexif-0.6.21-i486-1
libpcap-1.3.0-i486-1
libpng-1.4.12-i486-1
libtermcap-1.2.3-i486-7
libtool-2.4.2-i486-1
libxml2-2.8.0-i486-1
libxslt-1.1.26-i486-2
lilo-23.2-i486-3
links-2.7-i486-1
logrotate-3.8.2-i486-1
lsof-4.83-i486-1
m4-1.4.16-i486-1
make-3.82-i486-3
man-1.6g-i486-1
man-pages-3.41-noarch-1
mhash-0.9.9.9-i486-3
mkinitrd-1.4.7-i486-6
ncftp-3.2.5-i486-1
ncurses-5.9-i486-1
net-tools-1.60.20120726git-i486-1
netwatch-1.3.0-i486-1
network-scripts-14.00-noarch-3
openssh-6.1p1-i486-1
openssl-1.0.1c-i486-3
openssl-solibs-1.0.1c-i486-3
pciutils-3.1.9-i486-1
perl-5.16.1-i486-1
pkg-config-0.25-i486-1
pkgtools-14.0-noarch-2
popt-1.7-i486-3
procps-3.2.8-i486-3
readline-5.2-i486-4
samba-3.6.8-i486-1
screen-4.0.3-i486-3
sed-4.2.1-i486-1
shadow-4.1.4.3-i486-7
slocate-3.1-i486-4
strace-4.5.20-i486-1
sysklogd-1.5-i486-1
sysvinit-2.88dsf-i486-2
sysvinit-scripts-2.0-noarch-13
tar-1.26-i486-1
tcpdump-4.3.0-i486-1
texinfo-4.13a-i486-4
time-1.7-i486-1
traceroute-2.0.18-i486-1
tree-1.6.0-i486-1
udev-182-i486-5
util-linux-2.21.2-i486-5
vim-7.3.645-i486-1
wget-1.14-i486-1
whois-5.0.15-i486-1
zlib-1.2.6-i486-1
zsh-5.0.0-i486-1


I can Boot and the Installation is ok.
Now i want install Squid 3.3.10 on this Slackware 14 Installation but every time 
when i did the ./configure command, this error came:
gcc error: C Compiler works ..no
gcc -v command unrecognized
gcc -qversion command unrecognized

But!, here is the Point, when i install slackware 14 full (with all packages) 
then i can ./configure, make and install squid 3.3.10 without any Problem.

So,
Which package of slackware 14 is missing to ./configure, make and install Squid 
3.3.10? Here is the list of all slackware 14 included packages:
http://mirror.netcologne.de/slackware/slackware-14.0/PACKAGES.TXT

Please help me to get the squid install process working, Thanks!


Kind regards
Ivan Vukovic
IT Services Department
--
Schlatter Industries AG
Brandstrasse 24
CH-8952 Schlieren
Tel. +41 44 732 7111
Direct +41 44 732 7495
Fax +41 44 732 45 00
Email: ivan.vuko...@schlattergroup.com
Internet www.schlattergroup.com





Re: [squid-users] Install Squid 3.3.10 on Slackware 14

2013-11-12 Thread Kinkie
On Tue, Nov 12, 2013 at 5:57 PM, Vukovic Ivan
ivan.vuko...@schlattergroup.com wrote:
 Hello

 Please i need help to ./configure, make and install Squid 3.3.10 on Slackware 
 14.0 I Installed Slackware 14 with this packets:
[...]
 gcc-4.7.1-i486-1
 gcc-g++-4.7.1-i486-1

 I can Boot and the Installation is ok.
 Now i want install Squid 3.3.10 on this Slackware 14 Installation but 
 everytime when i did the ./configure command, this error came:
 gcc error: C Compiler works ..no
 gcc -v command unrecognized
 gcc -qversion command unrecognized

 But!, here is the Point, when i install slackware 14 full (with all packages) 
 then i can ./configure, make and install squid 3.3.10 without any Problem.

 So,
 Which package of slackware 14 is missing to ./configure, make and install 
 Squid 3.3.10 Here's is the list of all slackware 14 included packages:
 http://mirror.netcologne.de/slackware/slackware-14.0/PACKAGES.TXT

 Please help me to get the squid install process working, Thanks!

This is a question for the Slackware developers.
The error message is however quite telling: it seems that your gcc
setup is not working.

I suggest you check config.log (it may contain additional
information) and/or gcc -v, and check what it prints. It may give
you a clue as to what's wrong with your C compiler.

-- 
/kinkie


RE: [squid-users] Re: WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Duncan, Brian M.
Is there any way to turn off reporting of unparseable HTTP headers for these?

I get them also all day only for lijit.com.  I know I can choose to block the 
domain, was just curious if there was a way to put something in the conf that 
will prevent these from being logged.  I searched through the archives for this 
mailing list and could not find anything definitive.  Is there even any value 
in having this feedback?

2013/11/12 09:54:26 kid1| ctx: exit level  0
2013/11/12 09:54:26 kid1| ctx: enter level  0: 
'http://vap5dfw1.lijit.com/www/delivery/lg.php?bannerid=24091campaignid=232cids=23
2bids=24091zoneid=183788retarget_matches=nulltid=4261995064_183788_a3f2bede5bd5486b923050d6938005c2channel_ids=,fpr=c5de34fca
55a8e61eda787785db9a4c3loc=http%3A%2F%2Ffmsads.com%2Freq%3Fau%3D121referer=http%3A%2F%2Ffmsads.com%2Freq%3Fau%3D121cb=34826104'
2013/11/12 09:54:26 kid1| WARNING: unparseable HTTP header field {:: }

Thanks






-Original Message-
From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.de] 
Sent: Tuesday, November 12, 2013 4:18 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: WARNING: unparseable HTTP header field {:: }

* Dr.x ahmed.za...@netstream.ps:

 well , if this is just error for  lijit.com website , i can remove
 redirecting this website to squid and let my head  clear.

just block them, all they do is to serve ads!

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


RE: [squid-users] Re: WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Jenny Lee
They generate huge log files. We turn them off. Here is a patch for 3.3.10 if
you need to suppress them.

Some of the cache log options should have config entries as they generate 
clutter and hide more important issues. We remove the following as well:

* Username ACLs are not reliable here
* ACL is used but there is no HTTP request (generates very huge files when 
peer is dead)
* Failed to select source for (Fixed in 3.3.10)
* Host Header Forgery crap

J

--- HttpHeader.cc.orig 2013-11-08 11:33:47.965826408
+++ HttpHeader.cc 2013-11-08 11:34:56.248823857
@@ -620,7 +620,7 @@ HttpHeader::parse(const char *header_sta
 
 if (field_start == field_end) {
 if (field_ptr  header_end) {
-debugs(55, DBG_IMPORTANT, WARNING: unparseable HTTP header 
field near { 
+debugs(55, 3, WARNING: unparseable HTTP header field near { 

getStringPrefix(field_start, header_end)  });
 goto reset;
 }
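
Review bot: the replacement debugs() call for "unparseable HTTP header field near {" hard-codes level 3, which hides the message in every configuration and leaves no switch to bring it back short of raising section 55 debugging. Pick the level from a configuration value instead, so an operator who wants malformed-header reports in cache.log can still get them, and drop the "WARNING:" prefix if the line is meant to be debug-only output.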
@@ -629,7 +629,7 @@ HttpHeader::parse(const char *header_sta
 }
 
 if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
-debugs(55, DBG_IMPORTANT, WARNING: unparseable HTTP header field 
{ 
+debugs(55, 3, WARNING: unparseable HTTP header field { 
getStringPrefix(field_start, field_end)  });
 debugs(55, Config.onoff.relaxed_header_parser = 0 ? 1 : 2,
 in {  getStringPrefix(header_start, header_end)  
});
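
Review bot: in this hunk the changed call moves to level 3 while the debugs() call on the following context line still picks level 1 or 2 from Config.onoff.relaxed_header_parser, so at the default debug level the "in { ... }" line can be logged without the warning that explains it. Derive both levels from the same expression so the two lines always appear or disappear together.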



 From: brian.dun...@kattenlaw.com
 To: squid-users@squid-cache.org
 Date: Tue, 12 Nov 2013 18:24:48 +
 Subject: RE: [squid-users] Re: WARNING: unparseable HTTP header field {:: }
 
 Is there any way to turn off reporting of unparseable HTTP headers for these?
 
 I get them also all day only for lijit.com. I know I can choose to block the 
 domain, was just curious if there was a way to put something in the conf that 
 will prevent these from being logged. I searched through the archives for 
 this mailing list and could not find anything definitive. Is there even any 
 value in having this feedback?
 
 2013/11/12 09:54:26 kid1| ctx: exit level 0
 2013/11/12 09:54:26 kid1| ctx: enter level 0: 
 'http://vap5dfw1.lijit.com/www/delivery/lg.php?bannerid=24091campaignid=232cids=23
 2bids=24091zoneid=183788retarget_matches=nulltid=4261995064_183788_a3f2bede5bd5486b923050d6938005c2channel_ids=,fpr=c5de34fca
 55a8e61eda787785db9a4c3loc=http%3A%2F%2Ffmsads.com%2Freq%3Fau%3D121referer=http%3A%2F%2Ffmsads.com%2Freq%3Fau%3D121cb=34826104'
 2013/11/12 09:54:26 kid1| WARNING: unparseable HTTP header field {:: }
 
 Thanks
 
 
 
 
 
 
 -Original Message-
 From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.de] 
 Sent: Tuesday, November 12, 2013 4:18 AM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Re: WARNING: unparseable HTTP header field {:: }
 
 * Dr.x ahmed.za...@netstream.ps:
 
 well , if this is just error for lijit.com website , i can remove
 redirecting this website to squid and let my head clear.
 
 just block them, all they do is to serve ads!
 
 -- 
 Ralf Hildebrandt Charite Universitätsmedizin Berlin
 ralf.hildebra...@charite.de Campus Benjamin Franklin
 http://www.charite.de Hindenburgdamm 30, 12203 Berlin
 Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
 

Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Eliezer Croitoru

Hey,

I do not know this warning but you can try to add a verbose log using:
debug_options ALL,1 28,4 29,6 82,6

The above logs will show what comes and goes inside squid and from the 
external_acl to squid.

Are you using the basic auth from Ubuntu or self-compiled?
Also, if you can, get the output of squid -v.

Thanks,
Eliezer

On 11/12/2013 06:33 PM, Andrey ‪ wrote:

Hi everyone

During configuration of LDAP basic and group authentication methods by
Squid, I came across this error (/var/log/squid3/cache.log):



Code:
WARNING: external ACL 'memberof' queue overload. Request rejected
'administrator InternetAccess'.

For basic authentication I use the following piece of code:



Code:
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
-b cn=Users,dc=dot,dc=lan ubuntu.dot.lan
  auth_param basic realm ubuntu.dot.lan

The test shows:

Administrator Pa77w0rd

OK.

For LDAP groups I use this:



Code:
  external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-P -R -K -b dc=dot,dc=lan -f
((cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan)) -D
nslcd-serv...@dot.lan -w Pa77w0rd -h ubuntu.dot.lan
The test shows:

Administrator InternetAccess

OK


My ACL list has following rules:


Code:
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  acl LDAP_Auth proxy_auth REQUIRED
  acl ClientNet src 192.168.1.135
  acl Block_site url_regex -i fb vk youtube
  acl InetAccess external memberof InternetAccess

And my Access/deny rules are:


Code:
  http_access allow localhost manager
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny Block_site
  http_access allow InetAccess
  http_access deny !LDAP_Auth
  http_access allow ClientNet
  http_access deny all

Where is the problem? How to solve it?

Thank you.




Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Andrey ‪

Hi Eliezer,

Thank you for the response. I tried to put your command:
squid3 debug_options ALL,1 28,4 29,6 82,6

But it is not clear to me where the data will appear?

In cache.log:

2013/11/12 21:12:00 kid1| Starting new basicauthenticator helpers...
2013/11/12 21:12:00 kid1| helperOpenServers: Starting 1/20 'basic_ldap_auth' 
processes
2013/11/12 21:12:00 kid1| WARNING: external ACL 'memberof' queue overload. 
Request rejected 'administrator InternetAccess'.


in syslog:
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: will start 1 kids
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: (squid-1) process 1885 
started


Further, I use package from ubuntu 13.10:
http://packages.ubuntu.com/search?lang=ensuite=saucysearchon=nameskeywords=squid3

I do not use extern repository at all.

And the output from squid3 -v:

root@ubuntu:~# squid3 -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' 
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' 
'--enable-icap-client' '--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' 
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' 
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 
'build_alias=x86_64-linux-gnu' 
'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security 
-Wall' 
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 
'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat  
-Werror=format-security'


Thank you.


-Original Message-
From: Eliezer Croitoru

Sent: Tuesday, November 12, 2013 8:28 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: 
external ACL 'memberof' queue overload


Hey,

I do not know this warning but you can try to add a verbose log using:
debug_options ALL,1 28,4 29,6 82,6

The above logs will show what comes and goes inside squid and from the
external_acl to squid.
Are you using the basic auth from Ubuntu or self-compiled?
Also, if you can, get the output of squid -v.

Thanks,
Eliezer

On 11/12/2013 06:33 PM, Andrey ‪ wrote:

Hi everyone

During configuration of LDAP basic and group authentication methods by
Squid, I came across this error (/var/log/squid3/cache.log):



Code:
WARNING: external ACL 'memberof' queue overload. Request rejected
'administrator InternetAccess'.

For basic authentication I use the following piece of code:



Code:
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
-b cn=Users,dc=dot,dc=lan ubuntu.dot.lan
  auth_param basic realm ubuntu.dot.lan

The test shows:

Administrator Pa77w0rd

OK.

For LDAP groups I use this:



Code:
  external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-P -R -K -b dc=dot,dc=lan -f
((cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan)) -D
nslcd-serv...@dot.lan -w Pa77w0rd -h ubuntu.dot.lan
The test shows:

Administrator InternetAccess

OK


My ACL list has following rules:


Code:
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  acl LDAP_Auth proxy_auth REQUIRED
  acl ClientNet src 192.168.1.135
  acl Block_site url_regex -i fb vk youtube
  acl InetAccess external memberof InternetAccess

And my Access/deny rules are:


Code:
  http_access allow localhost manager
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny Block_site
  http_access allow InetAccess
  http_access deny !LDAP_Auth
  http_access allow ClientNet
  http_access deny all


[squid-users] Squid 27 vs 33

2013-11-12 Thread Luis Daniel Lucio Quiroz
Hello,

talking only on memory hungry, same configuration (or equivalent), who
needs more ram?

LD


Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Eliezer Croitoru

Hey Andrey,

You should add the debug_options X to squid.conf,
then reconfigure squid;
then lots of lines will appear in cache.log.

Eliezer

On 11/12/2013 10:19 PM, Andrey ‪ wrote:

Hi Eliezer,

Thank you for the response. I tried to put your command:
squid3 debug_options ALL,1 28,4 29,6 82,6

But it is not clear to me where the data will appear?

In cache.log:

2013/11/12 21:12:00 kid1| Starting new basicauthenticator helpers...
2013/11/12 21:12:00 kid1| helperOpenServers: Starting 1/20
'basic_ldap_auth' processes
2013/11/12 21:12:00 kid1| WARNING: external ACL 'memberof' queue
overload. Request rejected 'administrator InternetAccess'.

in syslog:
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: will start 1 kids
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: (squid-1) process
1885 started

Further, I use package from ubuntu 13.10:
http://packages.ubuntu.com/search?lang=ensuite=saucysearchon=nameskeywords=squid3


I do not use extern repository at all.

And the output from squid3 -v:

root@ubuntu:~# squid3 -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'

Thank you.


-Original Message- From: Eliezer Croitoru
Sent: Tuesday, November 12, 2013 8:28 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof' queue overload

Hey,

I do not know this warning but you can try to add a verbose log using:
debug_options ALL,1 28,4 29,6 82,6

The above logs will show what comes and goes inside squid and from the
external_acl to squid.
Are you using the basic auth from Ubuntu or self-compiled?
Also, if you can, get the output of squid -v.

Thanks,
Eliezer

On 11/12/2013 06:33 PM, Andrey ‪ wrote:

Hi everyone

During configuration of LDAP basic and group authentication methods by
Squid, I came across this error (/var/log/squid3/cache.log):



Code:
WARNING: external ACL 'memberof' queue overload. Request rejected
'administrator InternetAccess'.

For basic authentication I use the following piece of code:



Code:
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
-b cn=Users,dc=dot,dc=lan ubuntu.dot.lan
  auth_param basic realm ubuntu.dot.lan

The test shows:

Administrator Pa77w0rd

OK.

For LDAP groups I use this:



Code:
  external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-P -R -K -b dc=dot,dc=lan -f
((cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan)) -D
nslcd-serv...@dot.lan -w Pa77w0rd -h ubuntu.dot.lan
The test shows:

Administrator InternetAccess

OK


My ACL list has following rules:


Code:
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  acl LDAP_Auth proxy_auth REQUIRED
  acl ClientNet src 192.168.1.135
  acl Block_site url_regex -i fb vk youtube
  acl InetAccess external memberof InternetAccess

And my Access/deny rules are:


Code:
  http_access allow localhost manager
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow 

Re: [squid-users] Squid 27 vs 33

2013-11-12 Thread Eliezer Croitoru

On 11/12/2013 10:40 PM, Luis Daniel Lucio Quiroz wrote:

Hello,

talking only on memory hungry, same configuration (or equivalent), who
needs more ram?

LD


What?

Eliezer


Re: [squid-users] Squid 27 vs 33

2013-11-12 Thread Amos Jeffries

On 2013-11-13 09:40, Luis Daniel Lucio Quiroz wrote:

Hello,

talking only on memory hungry, same configuration (or equivalent), who
needs more ram?

LD


Huh?

Amos


RE: [squid-users] Re: WARNING: unparseable HTTP header field {:: }

2013-11-12 Thread Amos Jeffries

On 2013-11-13 07:45, Jenny Lee wrote:

They generate huge log files. We turn them off. Here is a patch for
3.3.10 if you need to suppress them.

Some of the cache log options should have config entries as they
generate clutter and hide more important issues. We remove the
following as well:

* Username ACLs are not reliable here
* ACL is used but there is no HTTP request (generates very huge
files when peer is dead)
* Failed to select source for (Fixed in 3.3.10)
* Host Header Forgery crap

J

--- HttpHeader.cc.orig 2013-11-08 11:33:47.965826408
+++ HttpHeader.cc 2013-11-08 11:34:56.248823857
@@ -620,7 +620,7 @@ HttpHeader::parse(const char *header_sta

 if (field_start == field_end) {
 if (field_ptr  header_end) {
-debugs(55, DBG_IMPORTANT, WARNING: unparseable HTTP
header field near { 
+debugs(55, 3, WARNING: unparseable HTTP header field
near { 
getStringPrefix(field_start, header_end)  
});

 goto reset;
 }
@@ -629,7 +629,7 @@ HttpHeader::parse(const char *header_sta
 }

 if ((e = HttpHeaderEntry::parse(field_start, field_end)) == 
NULL) {

-debugs(55, DBG_IMPORTANT, WARNING: unparseable HTTP
header field { 
+debugs(55, 3, WARNING: unparseable HTTP header field { 


getStringPrefix(field_start, field_end)  });
 debugs(55, Config.onoff.relaxed_header_parser = 0 ? 1 : 
2,

 in {  getStringPrefix(header_start,
header_end)  });



That's the general idea. Although replacing the fixed level with 
(Config.onoff.relaxed_header_parser = 0 ? DBG_IMPORTANT : 2) would be 
better and leave it configurable with the relaxed_header_parser directive 
(can be set to warn / on / off - default is on which is quiet).
 I'm applying that change to 3.HEAD right now for these and a few nearby 
warnings with the same noise problem.


Amos


Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Amos Jeffries

On 2013-11-13 09:19, Andrey ‪ wrote:

On 11/12/2013 06:33 PM, Andrey ‪ wrote:

Hi everyone

During configuration of LDAP basic and group authentication methods by
Squid, I came across this error (/var/log/squid3/cache.log):



Code:
WARNING: external ACL 'memberof' queue overload. Request rejected
'administrator InternetAccess'.

For basic authentication I use the following piece of code:



What is going on is exactly what the warning states. Your external ACL 
helper is being overloaded with traffic.




Code:
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
-b cn=Users,dc=dot,dc=lan ubuntu.dot.lan
  auth_param basic realm ubuntu.dot.lan

The test shows:

Administrator Pa77w0rd

OK.

For LDAP groups I use this:



Code:
  external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-P -R -K -b dc=dot,dc=lan -f
((cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan)) -D
nslcd-serv...@dot.lan -w Pa77w0rd -h ubuntu.dot.lan
The test shows:

Administrator InternetAccess

OK


My ACL list has following rules:


Code:

snip

  acl LDAP_Auth proxy_auth REQUIRED
  acl ClientNet src 192.168.1.135
  acl Block_site url_regex -i fb vk youtube
  acl InetAccess external memberof InternetAccess


snip

  http_access allow InetAccess
  http_access deny !LDAP_Auth
  http_access allow ClientNet
  http_access deny all

Where is the problem? How to solve it?



The big visible problem here is that group is being checked before 
authentication. If the user is not already authenticated external ACL 
has to trigger that authentication and wait for it before even starting 
the group lookup. The request is queued the entire time that waiting is 
happening - and your queue is overflowing.


You can re-order the lines so that group check is done after login 
authentication.


   http_access deny !LDAP_Auth
   http_access allow InetAccess
   http_access allow ClientNet
   http_access deny all

... after which it becomes clear that you can speed up performance even 
further for some user(s) by allowing the ClientNet through before 
checking the group type (since they are allowed through even if their 
group is not InetAccess).


   http_access deny !LDAP_Auth
   http_access allow ClientNet
   http_access allow InetAccess
   http_access deny all

This should halve the load on the external ACL helper, and greatly 
reduce the time each request spends in the queue.



If you still get these warnings, or if they shift to happening on the 
authenticator you can increase the children parameter of the helper with 
queue overload. That runs more sub-processes for handling the traffic 
load.


Amos
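
The ordering advice in the reply above, turned into a small check (an added example, not part of the thread and not Squid code): it walks the `http_access` rules quoted in the thread and reports a `%LOGIN` external ACL reached before `deny !<proxy_auth acl>`, and a helper-free `allow` that sits behind a helper-backed `allow`. The function names and finding labels are assumptions made for this illustration.

```python
"""Lint http_access ordering around helper-backed ACLs (added example)."""

# Constructed sample built from the squid.conf fragments quoted in the thread.
# Helper arguments after -K are left out; they do not affect the check.
DEFS = """\
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl LDAP_Auth proxy_auth REQUIRED
acl ClientNet src 192.168.1.135
acl Block_site url_regex -i fb vk youtube
acl InetAccess external memberof InternetAccess
"""

COMMON = """\
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny Block_site
"""
# Rule order as first posted.
ORIGINAL = COMMON + """\
http_access allow InetAccess
http_access deny !LDAP_Auth
http_access allow ClientNet
http_access deny all
"""
# First reordering from the reply: login check before group check.
REORDERED = COMMON + """\
http_access deny !LDAP_Auth
http_access allow InetAccess
http_access allow ClientNet
http_access deny all
"""
# Second reordering from the reply: cheap src check before the group helper.
FINAL = COMMON + """\
http_access deny !LDAP_Auth
http_access allow ClientNet
http_access allow InetAccess
http_access deny all
"""


def _tokens(line):
    """Split a config line into words, dropping any trailing # comment."""
    return line.split("#", 1)[0].split()


def classify_acls(conf):
    """Map ACL name -> 'auth' (proxy_auth), 'group' (%LOGIN helper) or 'fast'."""
    login_helpers, kinds = set(), {}
    for line in conf.splitlines():
        tok = _tokens(line)
        if len(tok) < 3:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])
        elif tok[0] == "acl":
            if tok[2] == "proxy_auth":
                kinds[tok[1]] = "auth"
            elif tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers:
                kinds[tok[1]] = "group"
            else:
                kinds.setdefault(tok[1], "fast")
    return kinds


def lint(defs, rules):
    """Return (rule_number, finding, acl_name) tuples for an http_access list."""
    kinds = classify_acls(defs)
    findings = []
    auth_enforced = False      # a "deny !<proxy_auth acl>" rule has already run
    helper_allow_open = False  # inside a run of allows that already used a helper
    number = 0
    for line in rules.splitlines():
        tok = _tokens(line)
        if len(tok) < 3 or tok[0] != "http_access":
            continue
        number += 1
        action, acls = tok[1], tok[2:]
        # Names without an acl line (localhost, manager, all) count as fast built-ins.
        rule_kinds = [kinds.get(a.lstrip("!"), "fast") for a in acls]
        auth_in_rule = False
        for acl, kind in zip(acls, rule_kinds):
            if kind == "auth":
                auth_in_rule = True
            elif kind == "group" and not (auth_enforced or auth_in_rule):
                findings.append((number, "group-before-auth", acl.lstrip("!")))
        if action != "allow":
            helper_allow_open = False
            if len(acls) == 1 and acls[0].startswith("!") and rule_kinds[0] == "auth":
                auth_enforced = True
        elif any(k != "fast" for k in rule_kinds):
            helper_allow_open = True
        elif helper_allow_open:
            # Consecutive allow rules can swap places without changing the verdict.
            findings.append((number, "fast-allow-after-helper", acls[0].lstrip("!")))
    return findings


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED), ("final", FINAL)):
        print(label, lint(DEFS, rules))
```

Rule numbers count `http_access` lines from the top of the list, so rule 7 in the first-posted order is `http_access allow InetAccess`.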


Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Andrey ‪

Hi Eliezer,

Yes, it's working. I got the following lines related to LDAP in the log:

2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking 
localhost
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'localhost'
2013/11/13 00:47:28.348| Ip.cc(560) match: aclIpMatchIp: 
'192.168.1.135:54208' NOT found
2013/11/13 00:47:28.348| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'localhost' is 0

2013/11/13 00:47:28.348| Acl.cc(354) matches: localhost result is false
2013/11/13 00:47:28.348| Checklist.cc(275) matchNode: 0x7f655bf98768 
matched=0 async=0 finished=0
2013/11/13 00:47:28.348| Checklist.cc(299) matchNode: 0x7f655bf98768 simple 
mismatch
2013/11/13 00:47:28.348| Checklist.cc(160) checkAccessList: 0x7f655bf98768 
checking 'http_access deny !LDAP_Auth'
2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking 
!LDAP_Auth
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'LDAP_Auth'
2013/11/13 00:47:28.348| UserRequest.cc(360) authenticate: No connection 
authentication type
2013/11/13 00:47:28.348| UserRequest.cc(115) UserRequest: initialised 
request 0x7f655bf97520
2013/11/13 00:47:28.348| User.cc(67) User: Initialised auth_user 
'0x7f655bf95200'.
2013/11/13 00:47:28.348| User.cc(153) ~User: Freeing auth_user 
'0x7f655bf95200'.
2013/11/13 00:47:28.348| UserRequest.cc(93) valid: Validated. 
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated. 
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated. 
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| Acl.cc(259) cacheMatchAcl: ACL::cacheMatchAcl: 
cache hit on acl 'LDAP_Auth' (0x7f655bc40a70)
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'LDAP_Auth' is 1

2013/11/13 00:47:28.349| Acl.cc(354) matches: !LDAP_Auth result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768 
matched=0 async=0 finished=0
2013/11/13 00:47:28.349| Checklist.cc(299) matchNode: 0x7f655bf98768 simple 
mismatch
2013/11/13 00:47:28.349| Checklist.cc(160) checkAccessList: 0x7f655bf98768 
checking 'http_access deny !InetAccess'
2013/11/13 00:47:28.349| Acl.cc(336) matches: ACLList::matches: checking 
!InetAccess
2013/11/13 00:47:28.349| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'InetAccess'
2013/11/13 00:47:28.349| external_acl.cc(826) aclMatchExternal: memberof 
check user authenticated.
2013/11/13 00:47:28.349| external_acl.cc(832) aclMatchExternal: memberof 
user is authenticated.
2013/11/13 00:47:28.349| external_acl.cc(856) aclMatchExternal: 
memberof(administrator InternetAccess) = lookup needed
2013/11/13 00:47:28.349| external_acl.cc(858) aclMatchExternal: 
administrator InternetAccess: entry=@0, age=0
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue overload. 
Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768 
answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'InetAccess' is -1

2013/11/13 00:47:28.349| Acl.cc(354) matches: !InetAccess result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768 
matched=0 async=0 finished=1
2013/11/13 00:47:28.349| Checklist.cc(294) matchNode: 0x7f655bf98768 
exception: DUNNO
2013/11/13 00:47:28.349| Checklist.cc(88) matchNonBlocking: 
ACLChecklist::check: 0x7f655bf98768 match found, calling back with DUNNO
2013/11/13 00:47:28.349| Checklist.cc(182) checkCallback: 
ACLChecklist::checkCallback: 0x7f655bf98768 answer=DUNNO
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated. 
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| UserRequest.cc(121) ~UserRequest: freeing request 
0x7f655bf97520


But it is far from understandable for me. I see many hex-based addresses; 
what they mean is not clear.


Thank you.


-Oorspronkelijk 

Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Eliezer Croitoru

Hey,

debug_options ALL,1 11,3 28,6 29,6 82,6
And throw a couple of requests at the server.

Eliezer

On 11/13/2013 01:58 AM, Andrey ‪ wrote:

Hi Eliezer,

Yes, it's working. I got the following lines related to LDAP in the log:

2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking
localhost
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'localhost'
2013/11/13 00:47:28.348| Ip.cc(560) match: aclIpMatchIp:
'192.168.1.135:54208' NOT found
2013/11/13 00:47:28.348| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'localhost' is 0
2013/11/13 00:47:28.348| Acl.cc(354) matches: localhost result is false
2013/11/13 00:47:28.348| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=0
2013/11/13 00:47:28.348| Checklist.cc(299) matchNode: 0x7f655bf98768
simple mismatch
2013/11/13 00:47:28.348| Checklist.cc(160) checkAccessList:
0x7f655bf98768 checking 'http_access deny !LDAP_Auth'
2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking
!LDAP_Auth
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'LDAP_Auth'
2013/11/13 00:47:28.348| UserRequest.cc(360) authenticate: No connection
authentication type
2013/11/13 00:47:28.348| UserRequest.cc(115) UserRequest: initialised
request 0x7f655bf97520
2013/11/13 00:47:28.348| User.cc(67) User: Initialised auth_user
'0x7f655bf95200'.
2013/11/13 00:47:28.348| User.cc(153) ~User: Freeing auth_user
'0x7f655bf95200'.
2013/11/13 00:47:28.348| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| Acl.cc(259) cacheMatchAcl: ACL::cacheMatchAcl:
cache hit on acl 'LDAP_Auth' (0x7f655bc40a70)
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'LDAP_Auth' is 1
2013/11/13 00:47:28.349| Acl.cc(354) matches: !LDAP_Auth result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=0
2013/11/13 00:47:28.349| Checklist.cc(299) matchNode: 0x7f655bf98768
simple mismatch
2013/11/13 00:47:28.349| Checklist.cc(160) checkAccessList:
0x7f655bf98768 checking 'http_access deny !InetAccess'
2013/11/13 00:47:28.349| Acl.cc(336) matches: ACLList::matches: checking
!InetAccess
2013/11/13 00:47:28.349| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'InetAccess'
2013/11/13 00:47:28.349| external_acl.cc(826) aclMatchExternal: memberof
check user authenticated.
2013/11/13 00:47:28.349| external_acl.cc(832) aclMatchExternal: memberof
user is authenticated.
2013/11/13 00:47:28.349| external_acl.cc(856) aclMatchExternal:
memberof(administrator InternetAccess) = lookup needed
2013/11/13 00:47:28.349| external_acl.cc(858) aclMatchExternal:
administrator InternetAccess: entry=@0, age=0
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue
overload. Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768
answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'InetAccess' is -1
2013/11/13 00:47:28.349| Acl.cc(354) matches: !InetAccess result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=1
2013/11/13 00:47:28.349| Checklist.cc(294) matchNode: 0x7f655bf98768
exception: DUNNO
2013/11/13 00:47:28.349| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x7f655bf98768 match found, calling back with DUNNO
2013/11/13 00:47:28.349| Checklist.cc(182) checkCallback:
ACLChecklist::checkCallback: 0x7f655bf98768 answer=DUNNO
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| UserRequest.cc(121) ~UserRequest: freeing
request 0x7f655bf97520

But it is far from understanding for me. I see many HEX based 
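One way to read a trace like the one above, as an added example (not from the original post or the Squid project): it rejoins the wrapped records and groups each ACL result under the `http_access` rule being checked. The meaning given to the result codes 1, 0 and -1 is an assumption read off this trace.

```python
import re

# Constructed sample: records copied from the cache.log trace in this thread,
# keeping the archive's line wrapping.
SAMPLE = """\
2013/11/13 00:47:28.348| Checklist.cc(160) checkAccessList:
0x7f655bf98768 checking 'http_access deny !LDAP_Auth'
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'LDAP_Auth' is 1
2013/11/13 00:47:28.349| Checklist.cc(160) checkAccessList:
0x7f655bf98768 checking 'http_access deny !InetAccess'
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue
overload. Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'InetAccess' is -1
2013/11/13 00:47:28.349| Checklist.cc(182) checkCallback:
ACLChecklist::checkCallback: 0x7f655bf98768 answer=DUNNO
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?\| ")
RULE = re.compile(r"checking '(http_access [^']+)'")
RESULT = re.compile(r"result for '([^']+)' is (-?\d+)")
OVERLOAD = re.compile(r"external ACL '([^']+)' queue overload\. Request rejected '([^']*)'")
ANSWER = re.compile(r"checkCallback: 0x[0-9a-f]+ answer=(\w+)")
# Reading of the result codes as they appear in this trace (assumption).
MEANING = {"1": "match", "0": "no match", "-1": "no answer"}

def unwrap(text):
    """Join wrapped continuation lines back onto their timestamped record."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Group ACL results under the http_access rule that was being checked."""
    rules, overloads, answer = [], [], None
    for rec in unwrap(text):
        if m := RULE.search(rec):
            rules.append((m.group(1), []))
        elif (m := RESULT.search(rec)) and rules:
            rules[-1][1].append((m.group(1), MEANING.get(m.group(2), m.group(2))))
        elif m := OVERLOAD.search(rec):
            overloads.append((m.group(1), m.group(2)))
        elif m := ANSWER.search(rec):
            answer = m.group(1)
    return {"rules": rules, "overloads": overloads, "answer": answer}
```

On the sample, the summary shows `LDAP_Auth` matching, the `memberof` lookup for `InetAccess` rejected for queue overload, and the checklist ending with DUNNO instead of a match or mismatch.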

Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

2013-11-12 Thread Andrey
I did. All LDAP related log info is in the previous message. However, I do not 
understand what all these codes mean.


-Original message-
From: Eliezer Croitoru

Sent: Wednesday, November 13, 2013 1:04 AM
To: Andrey; squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: 
external ACL 'memberof' queue overload


Hey,

debug_options ALL,1 11,3 28,6 29,6 82,6
And throw a couple of requests at the server

Eliezer

On 11/13/2013 01:58 AM, Andrey wrote:

Hi Eliezer,

Yes, it's working. I got the following lines related to LDAP in the log:


Re: [squid-users] Need help on Squid Setup

2013-11-12 Thread Durga Prasath
Thanks for your email, Amos. Is there any other way that we can get
this done other than SSL_bump? Can any URL redirector program help
us? (I did check here, and usage of ssl_bump is illegal.)


Thanks and Regards,
Durga Prasath



On Tue, Nov 12, 2013 at 1:35 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/11/2013 8:19 p.m., Durga Prasath wrote:
 Hello All,

 I am trying to setup Squid Proxy for our internal users. we want to
 restrict access to only a few domains and URLs.

 the requirement i have is, i should allow
 https://www.google.co.in/search and other URLs should be banned. Like
 if users try to access https://www.google.co.in/blogsearch or
 https://www.google.co.in/imagesearch should be restricted and only
 /search should be allowed.

 The options url_regex or urlpath_regex are not working.

 Can someone help on this requirement on how to setup this using squid?

 This is HTTPS traffic.

 When it goes through a HTTP proxy it uses special CONNECT requests.
 Those requests contain *only* the domain name and port (usually 443)
 being connected to, and some headers related to what agent is requesting
 the tunnel connection be setup. Path and other parts of the URL are not
 available for access control to use.

 To do what you want, you will have to hijack the HTTPS/SSL connection,
 decrypt the users traffic, apply your controls, then re-encrypt. Squid
 can do that with the SSL-bump feature, BUT before using it please check
 with your local lawyer - using it is considered illegal wiretapping
 and/or breach of privacy in many countries.

 Amos


Re: [squid-users] Need help on Squid Setup

2013-11-12 Thread Amos Jeffries
On 13/11/2013 6:21 p.m., Durga Prasath wrote:
 Thanks for your email, Amos. Is there any other way that we can get
 this done other than SSL_bump? Can any URL redirector program help
 us? (I did check here, and usage of ssl_bump is illegal.)

Unfortunately no, that is the only way.

Amos
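Why a path rule has nothing to match on HTTPS traffic, as discussed in this thread: an added example (not from the original posts or from Squid) that extracts the URL parts a forward proxy can read from a request line. The function names and the sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

def acl_view(request_line):
    """Return the URL parts a forward proxy can read from one request line."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # authority-form target: host:port only; the rest travels inside the tunnel
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port), "path": None}
    parts = urlsplit(target)  # absolute-form target used for plain HTTP via a proxy
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"method": method, "host": parts.hostname, "port": port,
            "path": parts.path or "/"}

def path_rule(request_line, host, allowed_path):
    """Decide an 'only this path on this host' rule: allow, deny or undecidable."""
    view = acl_view(request_line)
    if view["host"] != host:
        return "deny"
    if view["path"] is None:
        return "undecidable"  # no path visible: only host-level control is possible
    return "allow" if view["path"] == allowed_path else "deny"

# Constructed request lines: what a browser sends to the proxy for each URL.
HTTPS_SEARCH = "CONNECT www.google.co.in:443 HTTP/1.1"  # https://www.google.co.in/search
HTTPS_BLOGS = "CONNECT www.google.co.in:443 HTTP/1.1"   # https://www.google.co.in/blogsearch
PLAIN_SEARCH = "GET http://www.google.co.in/search?q=squid HTTP/1.1"
PLAIN_BLOGS = "GET http://www.google.co.in/blogsearch HTTP/1.1"
```

The two HTTPS request lines are byte-for-byte identical, so a rule on the path cannot tell `/search` from `/blogsearch` unless the proxy decrypts the tunnel.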



[squid-users] how to upgrade to 3.3.10 from3.3.8

2013-11-12 Thread Ding Guigeng
Squid 3.3.8 is now running on the server, and I want to upgrade to 3.3.10.
How do I upgrade it?
Thanks in advance.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/how-to-upgrade-to-3-3-10-from3-3-8-tp4663263.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] alot of annoying logs in squid 3.1.6 disappeared in squid 3.3.9 !!

2013-11-12 Thread Dr.x
These logs pump my cache.log:

*1st log:*
Unknown capability type in WCCPv2 Packet (5).

*2nd log:*
NULL
{Accept: */*
Content-Type: application/x-www-form-urlencoded
2013/11/12 00:53:21| WARNING: HTTP header contains NULL characters {Accept:
*/*
Content-Type: application/x-www-form-urlencoded}
NULL
{Accept: */*
Content-Type: application/x-www-form-urlencoded
2013/11/12 00:53:21| WARNING: HTTP header contains NULL characters {Accept:
*/*
Content-Type: application/x-www-form-urlencoded}
NULL
=
But I'm happy that I don't see them in Squid 3.3.9.



-
Dr.x
--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/alot-of-annoying-logs-in-squid-3-1-6-disappeared-in-squid-3-3-9-tp4663264.html
Sent from the Squid - Users mailing list archive at Nabble.com.