Re: [squid-users] force squid to kill current connection after reconfigure

2022-08-08 Thread Alex Rousskov

On 8/8/22 12:13, Ahmad Alzaeem wrote:


> Sometimes we need to change the tcp_outgoing addresses acl.
>
> We edit it and reconfigure squid, but the current connections still work
> on the old IPs of tcp_outgoing


The tcp_outgoing_address directive is applied to each forwarding attempt 
(that needs to select a connection), not each network I/O:


* A current forwarding attempt should continue to use the old outgoing 
address that was selected for it.


* A future forwarding attempt that uses a Squid-server connection 
_pinned_ to the client-Squid connection should continue to use the old 
outgoing address that was selected for that pinned connection. This 
happens, for example, in many SslBump configurations.


* Other future forwarding attempts should obey new tcp_outgoing_address 
directives. For example, they should not reuse persistent connections 
that do not match new tcp_outgoing_address directives.


If you observe something that contradicts the above, please detail your 
observations.



> Is there a way we can kill old sessions/connections in the old
> tcp_outgoing after applying reconfigure?


Squid does not have a feature like this, but there are external tools 
that can kill unwanted TCP connections. For example:

https://stackoverflow.com/a/55616004


HTH,

Alex.
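
An added example, not part of the original message and not Squid code: one way to find the established server-side connections that are still bound to a retired outgoing address after a reconfigure, and to build the command an external tool would need to close them. It assumes Linux `ss` as that tool; the sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of `ss -tn` output (not captured from a real host).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB     0      0      192.0.2.10:51514      203.0.113.7:443
ESTAB     0      0      192.0.2.20:40022      203.0.113.7:443
ESTAB     0      0      192.0.2.10:3128       198.51.100.9:55012
TIME-WAIT 0      0      192.0.2.10:51600      203.0.113.8:80
ESTAB     0      0      [2001:db8::10]:41000  [2001:db8:ffff::1]:443
"""

def split_endpoint(text):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, int port)."""
    addr, port = text.rsplit(":", 1)
    return ipaddress.ip_address(addr.strip("[]")), int(port)

def stale_connections(ss_text, retired_ips, listen_ports=(3128,)):
    """Return established connections whose local address is a retired
    tcp_outgoing_address. Sockets on the proxy's own listening ports are
    client-side connections and are left alone."""
    retired = {ipaddress.ip_address(ip) for ip in retired_ips}
    stale = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, TIME-WAIT and other states
        laddr, lport = split_endpoint(fields[3])
        paddr, pport = split_endpoint(fields[4])
        if laddr in retired and lport not in listen_ports:
            stale.append((str(laddr), lport, str(paddr), pport))
    return stale

def kill_argv(conn):
    """Build (not run) an `ss -K` command line for exactly one connection."""
    laddr, lport, paddr, pport = conn
    return ["ss", "-K", "src", laddr, "sport", "=", f":{lport}",
            "dst", paddr, "dport", "=", f":{pport}"]

if __name__ == "__main__":
    for c in stale_connections(SAMPLE_SS, ["192.0.2.10", "2001:db8::10"]):
        print(" ".join(kill_argv(c)))
```

`ss -K` needs root and a kernel built with socket-destroy support (CONFIG_INET_DIAG_DESTROY). The list includes the pinned connections described above, so closing them also ends the client transactions that depend on them.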


Re: [squid-users] Force squid use dns query result as the destination server in squid tproxy

2013-12-25 Thread Amos Jeffries
On 25/12/2013 9:12 p.m., Ge Jin wrote:
> Hi, all!
>
> We use squid with tproxy for caching. As our special construct,
> our client origin destination is useless for getting the right
> response.

Why? What mangling are you doing to the TCP packet routing that would
cause the client browser to be connecting directly (as it sees it) to an
invalid IP address?


> So if there is any workaround, can we force squid use the
> Host header query result as the origin destination server address for
> fetch response.

Don't. http://www.squid-cache.org/Advisories/SQUID-2011_1.txt

Fix the above mentioned design problem with client traffic instead.
Ability to use the Host header flows naturally from that.


> Here is the log I get
>
> 1387958630.972   7142 192.168.1.13 TCP_MISS/503 3817 GET
> http://www.yahoo.com/ - HIER_DIRECT/192.168.134.32 text/html
>   #
> HIER_DIRECT/192.168.134.32 is the right destination server address.
>
> And I search this
> http://www.mail-archive.com/squid-users@squid-cache.org/msg92356.html
> and it's the reverse side of my situation, and I tried
> client_dst_passthru off and seems no help.

client_dst_passthru off will only work in request cases where the
TCP-level destination IP and the HTTP-level Host: header can be
validated as pointing at the same service (not necessarily same server
IP) via an independent DNS lookup by Squid.

NP: Cases where it is possible to use the Host header for destination
selection are the same cases where caching is permitted for the
response. So your brokenness of the client destination IP is also
breaking caching.

 
> Can anyone here help?
 

Before any help is given we come back to the initial question of why?.
There is very probably a better way to do what you want. So please
explain the full usage for this proxy.

Amos
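
An added example, not part of the original message and not Squid's implementation: a small model of the rule described above, in which the Host header may steer destination selection (and the response may be cached) only when the proxy's own DNS lookup for that Host includes the TCP-level destination address. The function names, the `dst_passthru` parameter and the DNS data are constructed for illustration.

```python
import ipaddress

def host_only(host_header):
    """Strip an optional :port from a Host header value."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # bracketed IPv6 literal
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h

def forwarding_decision(host_header, tcp_dst_ip, resolve, dst_passthru=True):
    """Host is trusted only if an independent lookup agrees with the address
    the client actually connected to."""
    dst = ipaddress.ip_address(tcp_dst_ip)
    host = host_only(host_header)
    try:
        candidates = {ipaddress.ip_address(host)}          # Host is an IP literal
    except ValueError:
        candidates = {ipaddress.ip_address(a) for a in resolve(host)}
    if dst not in candidates:
        # Unverified: Host cannot be used to pick the server, and the
        # response must not be stored under a URL built from that Host.
        return {"verified": False, "connect_to": [str(dst)], "cacheable": False}
    # Verified: with passthru off, any address from the lookup is acceptable.
    targets = [str(dst)] if dst_passthru else sorted(str(a) for a in candidates)
    return {"verified": True, "connect_to": targets, "cacheable": True}

# Constructed DNS data (documentation address ranges), standing in for the
# proxy's own resolver.
DNS = {"www.example.com": ["203.0.113.10", "203.0.113.11"]}

def lookup(name):
    return DNS.get(name, [])

if __name__ == "__main__":
    # Client connected to one of the site's real addresses.
    print(forwarding_decision("www.example.com", "203.0.113.11", lookup, dst_passthru=False))
    # Destination rewritten before reaching the proxy: verification fails.
    print(forwarding_decision("www.example.com:80", "198.51.100.5", lookup, dst_passthru=False))
```

When the destination address has been rewritten before the packet reaches the proxy, verification fails for every request, so turning passthru off changes nothing and nothing is cached.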



Re: [squid-users] Force squid use dns query result as the destination server in squid tproxy

2013-12-25 Thread Ge Jin
Hi, Amos!

Thanks for your reply!
To make a long story short, our struct is like this.

 tproxy   tproxy
client - haproxy - squid cluster -- Router --- internet

We use haproxy for load balance, and squid for caching. And the most
difficult part is the Router must see the clients' source addresses. So
we want to deliver the client address by tproxy. But haproxy just
delivers the clients' addresses and the squid address as the
destination address. So I supposed there can be some workaround on
squid for my purpose.




Re: [squid-users] Force squid to cache

2012-08-19 Thread Amos Jeffries

On 19/08/2012 8:42 a.m., Abhishek Chanda wrote:

> Hi,
>
> Is there a way to force squid to cache an object? I am trying to do
> this, a client and an apache server communicate. At some intermediate
> point in the path, the response from Apache will be split and one copy
> will go to the client, one to Squid. Will squid cache the object in
> this situation? I assume it won't by default, is there a way to make
> it cache?


Huh? You are only sending the responses to Squid?
Cache is indexed by *request* meta data.

Better to divert the client request through the proxy. That way the HTTP 
up and downstream message flows are going through the proxy in the right 
directions. Caching happens whenever Squid is able to do so safely. You 
can force-cache using refresh_pattern options to violate HTTP behaviour 
- with various levels of breakage visible to the clients; from outdated 
responses to full-blown privacy violations.


Amos



RE: [squid-users] Force Squid

2007-12-16 Thread Nikolas
Dear Dieter,

I am not using squidclient, is there any way to overcome this?
Thanks a lot

Regards,
Nikolas

-Original Message-
From: Dieter Bloms [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 17, 2007 2:07 PM
To: Nikolas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Force Squid

Hi,

On Mon, Dec 17, Nikolas wrote:

> How to force squid to refresh cache for specific site? Can you give me
> some example in refresh pattern?

you may use squidclient -r for this.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: RE: [squid-users] Force Squid

2007-12-16 Thread Dieter Bloms
Hi,

On Mon, Dec 17, Nikolas wrote:

> I am not using squidclient, is there any way to overcome this?
> Thanks a lot

telnet, netcat, ..., make your own program.


-- 
Regards

  Dieter



Re: [squid-users] Force squid to use new neighbour

2007-06-24 Thread Henrik Nordstrom
Sat 2007-06-23 at 17:03 +0100, Jamie Learmonth wrote:
> Hi all,
>
> I am writing a custom proxy for squid to query as a cache_peer. What I
> am looking for is a way to tell squid to try a different peer if
> anything goes wrong within my proxy.

An appropriate 5xx error, and retry_on_error on.

Regards
Henrik




Re: [squid-users] Force squid to timeout and internet explorer hanging

2006-09-19 Thread Henrik Nordstrom
Tue 2006-09-19 at 10:20 -0600, Irwan Hadi wrote:

> The main problem is we just implement an intrusion firewall at our
> border router that blocks advertisement websites. So, when Squid can't
> open this advertisement link, and thus caused the client (IE) to hang.

Hmm... you should reconfigure your firewall to shut down such
offending connections with TCP RST, not silently drop them.

> Is it possible to set some kind of timeout, so that a URL that fails
> to open should be returned as fail with squid within a couple seconds?

It's automatic providing your firewall reacts properly.

Detecting blackholed connections is harder as it's the exact same as a
server taking a long time to respond. You should not need to do this,
but if you absolutely want to, look into the read_timeout.

Depending on how these sites are blocked you may also have success
looking into connect_timeout.

Regards
Henrik

