Re: [squid-users] Cache reference age for heap LRU/LFUDA and rock/aufs

2018-02-12 Thread Ivan Larionov
On Fri, Feb 9, 2018 at 7:50 PM, Alex Rousskov <
rouss...@measurement-factory.com> wrote:

>
> I cannot answer your question for aufs, but please note that rock
> cache_dirs do not support/have/use a configurable replacement policy:
> Each incoming object is assigned a slot based on its key hash. With
> modern rock code, it is possible to remove that limitation IIRC, but
> nobody has done that.
>

Yeah, I figured this out from the source code and I'm extremely surprised by
the fact that it was never mentioned in the documentation. I think it will be a
huge blocker in our squid 4 + SMP + rock migration plan.

So what does rock do when storage is full then?


>
>
> > If you're wondering why would we need to know that – it's related to
> > GDPR and removing data of closed customer's accounts. We need to make
> > sure that we don't have any "not being accessed anymore" objects older
> > than "data retention period" days.
>
> If it is important to get this right, then I would not trust replacement
> policy metadata with this: The corresponding code interfaces look
> unreliable to me, and access counts/timestamps for a ufs-based cache_dir
> are not updated across Squid restarts when the swap log is lost (at least).
>
>
It's actually fine: we never restart squid, and if it is restarted for any
unexpected reason (host reboot, crash or w/e) we just replace the host.


> I would instead configure Squid to prohibit serving hits that are too
> old. That solution does not match your problem exactly, but it may be
> good enough and should work a lot more reliably across all cache_dirs.
> If there is no "age" ACL to use with the send_hit directive, then you
> may need to add one.
>
> http://www.squid-cache.org/Doc/config/send_hit/
>
> You may also be able to accomplish the same using refresh_pattern, but I
> am a little worried about various exceptional/special conditions
> implemented on top of that directive. Others on this list may offer
> better guidance in this area.
>
>
I was thinking about a similar solution but this is exactly why I wasn't able
to use it – there seems to be no acl suitable for such a task.

We can always just replace the host every month or something like this but
it'll mean starting with a cold cache every time which I wanted to avoid.

I found this debug option for heap which could probably help in
understanding the approximate cache age, but it doesn't work with rock
because rock uses some "simple scan" policy.

> src/repl/heap/store_repl_heap.cc:debugs(81, 3, "Heap age set to " << h->theHeap->age);


> HTH,
>
> Alex.
>



-- 
With best regards, Ivan Larionov.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] log external ip address in squid logs

2018-02-12 Thread Antony Stone
On Monday 12 February 2018 at 16:36:58, --Ahmad-- wrote:

> Hello folks
> 
> I had a look at
> http://www.squid-cache.org/Doc/config/logformat/
> but I can't see the external IP address that is used on squid

> I had a look at
> http://www.squid-cache.org/Doc/config/logformat/
> and did find that option.

Hm, that's confusing.

> I have this FORMAT below:
> logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs % %http://lists.squid-cache.org/listinfo/squid-users


[squid-users] log external ip address in squid logs

2018-02-12 Thread --Ahmad--
Hello folks

I had a look at

http://www.squid-cache.org/Doc/config/logformat/


but I can't see the external IP address that is used on squid



Say I have 10 IPs with 10 ports.

I would like to see the log file with the external IP address that is matched
with the acl ==> tcp_outgoing_address x.x.x.x yyy


I had a look at

http://www.squid-cache.org/Doc/config/logformat/
and did find that option.


I have this FORMAT below:
logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs %http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid SSL db on ramdisk

2018-02-12 Thread Yuri
If there is nothing to say on the topic - it's better to keep quiet.

I'm not talking with you. And when I need your opinion - I'll call you.


12.02.2018 14:15, Vacheslav writes:
> Works like a charm is a stubborn phrase, never experienced that when being 
> charmed one problem is gone and replaced with numerous others, like sick 
> relatives?
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Yuri
> Sent: Saturday, February 10, 2018 10:57 PM
> To: Alex Rousskov ; 
> squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid SSL db on ramdisk
>
> Yes, confirmed.
>
> When I replaced int m; and int d; with long m; and long d; - it works like 
> a charm.
>
>
> 11.02.2018 01:08, Yuri writes:
>> int m; declaration inside static bool parseBytesOptionValue(size_t * 
>> bptr, char const * value) ?
>>
>> If I set it long, as by as int d, seems ok.
>>
>>
>> 11.02.2018 01:04, Alex Rousskov writes:
>>> On 02/10/2018 12:02 PM, Yuri wrote:
>>>> 11.02.2018 00:59, Alex Rousskov writes:
>>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>>
>>>>>> What is correct syntax for -M option?
>>>>> The correct syntax is, roughly,
>>>>>
>>>>>   -M [bytes|KB|MB|GB]
>>>> Exactly with space between integer and units?
>>> Without anything between integer and units. For example: 2GB
>>>
>>> Alex.
> --
> *
> * C++20 : Bug to the future *
> *
>
>
>
>

-- 
*
* C++20 : Bug to the future *
*





[squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

2018-02-12 Thread chiasa.men
Hi, I tried squid4.

Squid Cache: Version 4.0.23 
This binary uses OpenSSL 1.1.1-dev  xx XXX 

Before, I used:
Squid Cache: Version 3.5.27 
This binary uses OpenSSL 1.0.2g  1 Mar 2016

Some of the config directives changed:
E.g.
sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
->
tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE 

But in version 4 that results in the following errors (cache.log):
ERROR: Unknown TLS option SINGLE_DH_USE
ERROR: Unknown TLS option SINGLE_ECDH_USE

(same error with the same options in https_proxy)

Is that a problem related to the openssl version change?


In cache_peer I also now have to configure tls-cafile=/etc/ssl/certs/ca-certificates.crt
explicitly (I used some self-signed certificates for testing - but in Squid3 I
didn't need to configure that).
Otherwise I get: 
(71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
In the reference it's stated that:
tls-default-ca[=off]
Whether to use the system Trusted CAs. Default is ON.
Shouldn't the tls-cafile option be unnecessary since it's trusted by default?



Furthermore I set Apache (the peer) to "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384

ERROR: negotiating TLS on FD 20: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)

How can that be?






Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-12 Thread Peng Yu
It is still not difficult to completely comprehend the squid document
to see how to modify the example at derpturkey.com for my following
scenario.

I have a bunch of forward proxy servers whose IPs are ip1 and ip2,
..., ip_n (using port 3128). The reverse proxy will use the
round-robin policy to forward each incoming request to one of these
forward proxies.

Do you mind giving me a minimal working configuration for my scenario?
Working means that the configuration can be used directly without
modification (except domain names or IP addresses). Minimal means that
anything not relevant to my scenario should not be included in the
configuration.

BTW, to make sure my understanding of forward proxy is
correct, could you confirm whether the proxies here are forward
proxies?

https://free-proxy-list.net/

On Sat, Feb 10, 2018 at 12:09 PM, Amos Jeffries  wrote:
> On 11/02/18 06:33, Peng Yu wrote:
>> Hi,
>>
>> I see the following blog about setting up a reverse proxy using squid.
>>
>> http://derpturkey.com/squid-as-a-reverse-proxy/
>>
>> But there seem to be more configurations than what I need.
>>
>> For example, for the following line, I don't need to restrict the
>> access to a specific domain.
>> http_port 80 accel defaultsite=www.example.com
>
> The above does not *restrict*. It sets a default value for Squid to use
> when the Host header is missing from HTTP requests.
>
>
>>
>> Instead, any access to the IP of the reverse proxy should be OK. In
>> this sense, should I just use the following?
>>
>> http_port 80 accel
>
> You can if you want to. But be aware that any clients which omit the
> Host header in their requests will be rejected by the proxy with an
> error page.
>
>
>>
>> Also, let's say I have two web servers server1 and server2 to be
>> proxied. Since I don't use a domain, I am not sure how Step 3 should
>> be adjusted.
>
> By using other types of ACLs in an arrangement which meets your desired
> mapping.
>
> Please read the FAQ about how ACLs work. That includes a list of
> different ACLs.
> 
>
>
> So far as you have stated that would be "cache_peer ... allow all".
>
> Which is a very bad idea...
>
> Be aware that the domain based config is itself a security layer to
> prevent attackers and certain type of DoS reaching through the proxy to
> attack the peers directly with bogus traffic. Using other types of ACLs,
> particularly ones leading to "no restriction" like you describe make
> your proxy and the origins all at risk for denial of service attacks.
>
>
> What is your reason for wanting "no restrictions"?
>  it could be that you actually need something very different to what you
> are asking about.
>
>
>>
>> I also do not want any restrictions to my reverse proxy. But I am not
>> sure how Step 4 should be simplified.
>>
>> Could anybody please let me know how to configure squid reverse proxy
>> in my simplified scenario?
>
> That tutorial is describing the simplest scenario possible with a
> multiple peers in a reverse-proxy.
>
> Yours is actually the more complicated scenario since you apparently
> need some unusual ACL configuration.
>
>
> Amos



-- 
Regards,
Peng


Re: [squid-users] Squid SSL db on ramdisk

2018-02-12 Thread Vacheslav
Works like a charm is a stubborn phrase, never experienced that when being 
charmed one problem is gone and replaced with numerous others, like sick 
relatives?

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri
Sent: Saturday, February 10, 2018 10:57 PM
To: Alex Rousskov ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid SSL db on ramdisk

Yes, confirmed.

When I replaced int m; and int d; with long m; and long d; - it works like a charm.


11.02.2018 01:08, Yuri writes:
> int m; declaration inside static bool parseBytesOptionValue(size_t * 
> bptr, char const * value) ?
>
> If I set it long, as by as int d, seems ok.
>
>
> 11.02.2018 01:04, Alex Rousskov writes:
>> On 02/10/2018 12:02 PM, Yuri wrote:
>>> 11.02.2018 00:59, Alex Rousskov writes:
>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>
>>>>> What is correct syntax for -M option?
>>>> The correct syntax is, roughly,
>>>>
>>>>   -M [bytes|KB|MB|GB]
>>> Exactly with space between integer and units?
>> Without anything between integer and units. For example: 2GB
>>
>> Alex.

--
*
* C++20 : Bug to the future *
*




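The int-versus-long point made in both copies of the "Squid SSL db on ramdisk" thread above, as an added example that is not Squid's code: a hypothetical parseBytesValue() mirrors the described -M syntax (an integer immediately followed by bytes, KB, MB or GB, with nothing in between) and reports, instead of silently wrapping, when multiplier times number does not fit the accumulator type. It assumes GCC or Clang (for __builtin_mul_overflow) and an LP64 platform where long is 64 bits wide.

```cpp
#include <cstdlib>
#include <cstring>
#include <limits>

// Hypothetical re-implementation for illustration, not Squid's
// parseBytesOptionValue(). Accepts "<integer>[bytes|KB|MB|GB]"; a bare
// integer is taken as bytes (assumption). Multiplier, number and product
// are all held in T, so the accumulator width decides whether "2GB" parses.
template <typename T>
static bool parseBytesValue(const char *value, size_t *bytes) {
    char *end = nullptr;
    const long long number = std::strtoll(value, &end, 10);
    if (end == value || number < 0)
        return false;                  // no digits, or a negative size
    if (number > static_cast<long long>(std::numeric_limits<T>::max()))
        return false;                  // the number alone does not fit T
    T multiplier;
    if (*end == '\0' || !std::strcmp(end, "bytes"))
        multiplier = 1;
    else if (!std::strcmp(end, "KB"))
        multiplier = 1024;
    else if (!std::strcmp(end, "MB"))
        multiplier = 1024 * 1024;
    else if (!std::strcmp(end, "GB"))
        multiplier = 1024 * 1024 * 1024;
    else
        return false;                  // unknown unit, or "2 GB" with a space
    T product;
    // GCC/Clang builtin: detects overflow instead of invoking the undefined
    // behaviour that a plain signed "m * d" would on overflow.
    if (__builtin_mul_overflow(multiplier, static_cast<T>(number), &product))
        return false;                  // 2 * 2^30 does not fit a 32-bit int
    *bytes = static_cast<size_t>(product);
    return true;
}

// The two variants the thread compares. Each returns the byte count, or -1
// when parsing fails with that accumulator type.
long long bytesWithInt(const char *value) {
    size_t b = 0;
    return parseBytesValue<int>(value, &b) ? static_cast<long long>(b) : -1;
}
long long bytesWithLong(const char *value) {
    size_t b = 0;
    return parseBytesValue<long>(value, &b) ? static_cast<long long>(b) : -1;
}
```

With a 32-bit int, "1GB" still fits but "2GB" overflows and is rejected; the long variant parses it as 2147483648 bytes.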