Re: [squid-users] Re: How to log IP address after successful authentication
On 2014-03-17 05:57, PavelD wrote:
> Hi, In my diploma thesis I need to connect proxy squid, dns bind9 and
> iptables. I am trying to do some basic security against DNS tunnels. I
> want to put in a lab at school where every person has only one IP
> address, but if someone uses multiple devices to access I get a record
> WHO IP TIME. You can not figure out how to get the IP address in the
> auth plugin or how to set up logging.

Okay. So it is just logging. Good.

What you can do is have an external ACL helper doing the logging using "%SRC %LOGIN" format parameters as the line to log (excluding date) and always returning "OK" to Squid. A ttl=86400 prevents the helper being contacted more than once per day per user:IP pair.

logger.sh:

    #!/bin/bash
    # External ACL helper: log each "IP login" pair Squid sends and always answer OK.
    # With concurrency enabled, the first token on every line is the channel ID.
    while read -r id data; do
      dt=$(date --utc)
      echo "${dt} ${data}" >>users.log
      echo "${id} OK"
    done

squid.conf:

    auth_param ...
    acl auth proxy_auth REQUIRED
    external_acl_type logger concurrency=20 ttl=86400 ... %SRC %LOGIN ...
    acl logger external logger
    http_access deny !auth
    http_access deny !logger

Amos
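An added example, not part of Amos's message or of the Squid project: a shell function that reads the users.log written by logger.sh and lists every login seen from more than one client IP, which is the WHO/IP record the question asks for. It assumes each log line ends with "<client-IP> <login>" and that logins contain no spaces; the function names and the sample lines (documentation addresses, made-up logins) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list logins that appear in users.log with more than one
# client IP. Assumes each line ends with "<client-ip> <login>", which is
# what logger.sh writes after the date.

# Constructed sample in the format logger.sh produces (not real data).
sample_log() {
cat <<'EOF'
Mon Mar 17 05:57:01 UTC 2014 192.0.2.10 alice
Mon Mar 17 06:02:13 UTC 2014 192.0.2.20 bob
Mon Mar 17 09:15:40 UTC 2014 192.0.2.11 alice
Tue Mar 18 05:58:00 UTC 2014 192.0.2.10 alice
Tue Mar 18 07:00:00 UTC 2014 192.0.2.20 bob
EOF
}

# multi_ip_users FILE
# Prints "login count ip1,ip2,..." for every login seen from >1 distinct IP.
multi_ip_users() {
    awk '
        NF >= 2 {
            ip = $(NF - 1); user = $NF
            if ((user, ip) in seen) next      # pair already counted (logged again after ttl expiry)
            seen[user, ip] = 1
            if (count[user]++) { ips[user] = ips[user] "," ip }
            else               { ips[user] = ip }
        }
        END {
            for (u in count)
                if (count[u] > 1) print u, count[u], ips[u]
        }
    ' "$1" | sort
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_log >"$tmp"
multi_ip_users "$tmp"
rm -f "$tmp"
```

Because the helper is consulted at most once per day per user:IP pair, the same pair recurs on later days; the function counts distinct IPs per login, not log lines.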
Re: [squid-users] couldn't cache this image file
It is being cached...

    1395009265.334 0 192.168.10.125 TCP_IMS_HIT/304 309 GET http://s2.glbimg.com/XG7L47pX_ik0O_uxiV3g65rvpNU=/90x68/s.glbimg.com/jo/g1/f/original/2014/02/21/whatsapp.jpg - HIER_NONE/- image/jpeg

I would try something like forcing an if modified since or something similar. Squid will contact the origin server to verify if being asked to

http://www.squid-cache.org/Doc/config/refresh_pattern/

The above contains a couple of nice options you can use. "ignore-reload ignore-must-revalidate" might be the choice for this specific case but I would not recommend to understand it is good for everybody and for every case.

Eliezer

On 16/03/2014 14:35, Carlos Defoe wrote:
> Yes, I tried with 3.3.12, thinking that the vary bug could be the
> problem... but it is still a MISS.
>
> 3.4 series is getting me in trouble, with 100% CPU, so for now I
> discarded that. The problem is listed on some other threads... I tried
> 3.4.1, 3.4.2, 3.4.3, and I couldn't find the problem yet.
>
> I have some proxy servers with red hat 6, running on vmware hosts. But
> with no squid packages, I compile the code with the options I need.
>
> The problem is that some files just can't get cached. I listed that
> one, for example. It never gets cached. I think my HIT rate could be
> better if some files like that, from a highly visited website here,
> could be cached.
>
> thanks
Re: [squid-users] couldn't cache this image file
Can you get to the IRC channel to verify the issue?

Eliezer (I will be there in the next hours)

On 16/03/2014 14:35, Carlos Defoe wrote:
> Yes, I tried with 3.3.12, thinking that the vary bug could be the
> problem... but it is still a MISS.
>
> 3.4 series is getting me in trouble, with 100% CPU, so for now I
> discarded that. The problem is listed on some other threads... I tried
> 3.4.1, 3.4.2, 3.4.3, and I couldn't find the problem yet.
>
> I have some proxy servers with red hat 6, running on vmware hosts. But
> with no squid packages, I compile the code with the options I need.
>
> The problem is that some files just can't get cached. I listed that
> one, for example. It never gets cached. I think my HIT rate could be
> better if some files like that, from a highly visited website here,
> could be cached.
>
> thanks
>
> On Sun, Mar 16, 2014 at 8:11 AM, Eliezer Croitoru wrote:
>> Hey,
>>
>> The current stable version is 3.3.12 in the 3.3 branch.
>> There are a couple of fixes in 3.4.4 that do not exist on 3.3 branch.
>>
>> What is your issue?
>> try 3.4.4, what OS are you using squid on?
>>
>> Eliezer
>>
>> On 15/03/2014 15:35, Carlos Defoe wrote:
>>> Can anybody get this image to be cached? If yes, in which squid version?
>>>
>>> http://s2.glbimg.com/XG7L47pX_ik0O_uxiV3g65rvpNU=/90x68/s.glbimg.com/jo/g1/f/original/2014/02/21/whatsapp.jpg
>>>
>>> I tried with squid 3.3.12, which came with this bug correction: (Bug
>>> #3806: Caching responses with Vary header)
>>>
>>> Tried with 3.3.8 too, but with no luck. Only MISS responses.
>>>
>>> thanks,
>>>
>>> Carlos
Re: [squid-users] Re: Automatic StoreID ?
On 03/15/2014 12:50 AM, babajaga wrote:
>> This is how Rock store does it, essentially: Rock store index does not
> store the real location of the object on disk but computes it based on
> the hash value.<
> Which means, the mapping URL-hash -> slot_# is _not_ fixed (predictable).

I am simplifying a bit, but the mapping of the URL to the first slot on disk is essentially determined by the URL hash. The other slots are not important for this discussion because you have to load the first slot to know where the next slot (or slots) are -- the theoretically possible scheme where the next slot location is also determined by a hash is not practical for storing large objects.

>>> Positive consequence: No rebuild of the in-memory-table necessary, as
>>> there is none. Avoids the time-consuming rebuild of rock-storage-table from
>>> disk.

>> If you do not build the index,
>> you have to do a disk I/O to fetch the first slot of the candidate
>> object on _every_ request.

> Not necessarily to do a disk I/O, but to do an I/O. Still, underlying
> OS-buffering/blocking is happening.

In most environments where Rock makes sense, Squid will be doing disk I/O because the large database means virtually zero filesystem buffer cache hit ratio.

> Besides, for a HIT you have to do the I/O anyway.
> So, the amount of "unnecessary disk-I/Os" would be the (squid-MISSes - not
> in OS/buffers residing disk-blocks).

Yes, of course. Also, depending on how you implement this, you may have to do extra disk I/Os to delete objects from the cache (to make room for new ones).

> Which leads to a good compromise: Direct hashing would allow the slow
> population of the optional translation-table.

That compromise would not be "good" for most targeted environments. Most folks who care about performance would gladly pay for the extra RAM it takes to store the index than to see Squid slowing every request down even more (which usually means buying more servers).

Can a disk-only cache function correctly? Sure! Is it a good idea for a performance-sensitive deployment that Rock targets? No.

Alex.
[squid-users] Re: How to log IP address after successful authentication
Hi,

In my diploma thesis I need to connect proxy squid, dns bind9 and iptables. I am trying to do some basic security against DNS tunnels. I want to put in a lab at school where every person has only one IP address, but if someone uses multiple devices to access I get a record WHO IP TIME. You can not figure out how to get the IP address in the auth plugin or how to set up logging.
[squid-users] Re: Inject some html with transparent squid
Hi, thanks for quick answer!

What I should do is to make some ads in a free hotspot. I have this http://www.ubnt.com/picostationm with openwrt installed. Now all clients connected through this AP should receive ads, just for financing the free wifi. I don't want to alter copyright protected contents of course. I want something like bit.ly, something like a redirect. I would write the page in php and make some backend where it is possible to insert some content to display in this redirection process.

Is this possible through squid? I read that squid contains both ICAP and eCAP. Is there any tutorial to learn this difficult (for me) process?

Thanks again in advance for every answer.
Re: [squid-users] Inject some html with transparent squid
On 17/03/2014 12:42 a.m., xan wrote:
> Good morning, I'm new in the forum.
> I'm a software engineer but I'm new to networking
> I have installed squid3 on a virtual machine running ubuntu server. I have
> configured the squid.conf to redirect the clients to a specified page with
> the deny_info parameter. Now I would like to inject some HTML on a page after
> some time (e.g. 5 mins). I have googled this question and I found this
> http://www.ex-parrot.com/pete/upside-down-ternet.html that isn't what I
> really want to do, but it's a first step.
> However, I cannot get it to run.
> So the question is: is there a way to run some php code in squid3? And in
> which way? I need a redirector such as squirm?
> Thanks in advance for every answer.
>

Not directly because Squid is a proxy server, not a web server.

Content alteration can be done indirectly with ICAP or eCAP content adapters. But should NOT be done without great care.

The redirect you have going already is the legal way to do notifications, adverts etc. regardless of situation and is usually acceptable to users.

It is a very bad idea to alter copyright protected content without the owner's permission. Before going further you had best consult a lawyer about Copyright and Trademark infringement if you are being pressed by management.

Some due diligence from those who tried before you:

http://www.dslreports.com/shownews/Cable-Operator-CMA-Injects-Their-Ads-Into-Web-Content-123731
http://www.dslreports.com/shownews/NY-Marriott-Stops-WiFi-JavaScript-Ad-Injection-119189
http://www.dslreports.com/shownews/Mediacom-Ad-Injection-Was-Popup-Test-Gone-Wrong-113070
http://www.dslreports.com/shownews/90134
http://www.techdirt.com/articles/20010828/144214.shtml

The instant you start altering content it ceases being a transparent proxy and starts being an MITM attack (http://en.wikipedia.org/wiki/Cross-site_scripting).

Amos
Re: [squid-users] couldn't cache this image file
Yes, I tried with 3.3.12, thinking that the vary bug could be the problem... but it is still a MISS.

3.4 series is getting me in trouble, with 100% CPU, so for now I discarded that. The problem is listed on some other threads... I tried 3.4.1, 3.4.2, 3.4.3, and I couldn't find the problem yet.

I have some proxy servers with red hat 6, running on vmware hosts. But with no squid packages, I compile the code with the options I need.

The problem is that some files just can't get cached. I listed that one, for example. It never gets cached. I think my HIT rate could be better if some files like that, from a highly visited website here, could be cached.

thanks

On Sun, Mar 16, 2014 at 8:11 AM, Eliezer Croitoru wrote:
> Hey,
>
> The current stable version is 3.3.12 in the 3.3 branch.
> There are a couple of fixes in 3.4.4 that do not exist on 3.3 branch.
>
> What is your issue?
> try 3.4.4, what OS are you using squid on?
>
> Eliezer
>
> On 15/03/2014 15:35, Carlos Defoe wrote:
>> Can anybody get this image to be cached? If yes, in which squid version?
>>
>> http://s2.glbimg.com/XG7L47pX_ik0O_uxiV3g65rvpNU=/90x68/s.glbimg.com/jo/g1/f/original/2014/02/21/whatsapp.jpg
>>
>> I tried with squid 3.3.12, which came with this bug correction: (Bug
>> #3806: Caching responses with Vary header)
>>
>> Tried with 3.3.8 too, but with no luck. Only MISS responses.
>>
>> thanks,
>>
>> Carlos
[squid-users] Inject some html with transparent squid
Good morning, I'm new in the forum.

I'm a software engineer but I'm new to networking. I have installed squid3 on a virtual machine running ubuntu server. I have configured the squid.conf to redirect the clients to a specified page with the deny_info parameter. Now I would like to inject some HTML on a page after some time (e.g. 5 mins). I have googled this question and I found this http://www.ex-parrot.com/pete/upside-down-ternet.html that isn't what I really want to do, but it's a first step. However, I cannot get it to run.

So the question is: is there a way to run some php code in squid3? And in which way? I need a redirector such as squirm?

Thanks in advance for every answer.
Re: [squid-users] couldn't cache this image file
Hey,

The current stable version is 3.3.12 in the 3.3 branch.
There are a couple of fixes in 3.4.4 that do not exist on 3.3 branch.

What is your issue?
try 3.4.4, what OS are you using squid on?

Eliezer

On 15/03/2014 15:35, Carlos Defoe wrote:
> Can anybody get this image to be cached? If yes, in which squid version?
>
> http://s2.glbimg.com/XG7L47pX_ik0O_uxiV3g65rvpNU=/90x68/s.glbimg.com/jo/g1/f/original/2014/02/21/whatsapp.jpg
>
> I tried with squid 3.3.12, which came with this bug correction: (Bug
> #3806: Caching responses with Vary header)
>
> Tried with 3.3.8 too, but with no luck. Only MISS responses.
>
> thanks,
>
> Carlos
Re: [squid-users] Delay Pools
On Sun, Mar 16, 2014 at 9:43 AM, Amos Jeffries wrote:
>>
>> Next, I also tried client_delay_pools (3.3.11/3.4.3)
>>
>> client_delay_pools 1
>> client_delay_access 1 allow all
>> client_delay_parameters 1 128000 256000
>>
>> This gets "connection reset" straightaway. What am I missing?
>>
>
> Information about what the connection reset is coming from?
> Is squid crashing? http://bugs.squid-cache.org/show_bug.cgi?id=3696
>
> Amos
>

Yes, same assertion failed in cache.log, and Squid's crashing and restarting.
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On 03/16/2014 03:02 AM, Andrew Beverley wrote:
> I used (and created) the patch to get the value from the remote server.
> However, I can't remember whether it does it the other way as well (at
> the time I thought I'd written the documentation so clearly, but coming
> back to it now it's not clear...)
>
> From memory, however, you do need to configure qos_flows to *something*,
> to trigger its operation. I think you can simply state "qos_flows mark".

Yes it needs "qos_flows mark", without specifying qos_flows, it's not working. But ...

>> My question however was to pass on mark from client side to server
>> side. i.e. reverse of what above paragraph says.
>
> As above, it's primarily server to client. Get that working first so you
> know everything is in order, and then try it the other way.

... it works only from server to client. If I CONNMARK server (to squid) packet, I can see it appearing in log. If I CONNMARK client (to server) packet it's not showing in LOG.

> Let me know what you find out and I will update the documentation! (I
> don't have time to look through the source code right now)

So documentation is right but placement of the statement is possibly wrong. It's not highlighted right in front. i.e. qos_flows applies only for packets from server to client (squid) NOT from client to server.

Is it possible to do reverse too? Or at least have an acl where I can check incoming MARK on packet? So then I can make use of tcp_outgoing_mark.

I just noticed that there was same discussion done in list previously as well (in 2013), here is the link:

http://www.squid-cache.org/mail-archive/squid-users/201303/0421.html

Regards

Amm