Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
Look at this: Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 25 of 25 (0 shutting down) requests sent: 27331 replies received: 27306 queue length: 11 avg service time: 389 msec I changed to 25... and at this moment I have queue length 11... there

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
and 35, someone it's eating...and by the way the first "error" (a lot of numbers and letters its happening) Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 35 of 35 (0 shutting down) requests sent: 35222 replies received: 35221 queue length: 0 avg

Re: [squid-users] Documentation for squidclient?

2017-05-22 Thread erdosain9
OK, thanks. We are using a Windows Server 2012... Can you explain to me how the negotiate authenticator works?? How does it work? When a user wants to browse to a page, does squid use the authenticator to know if they can browse?? Every time? For every single web page? Thanks

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
And... lastly, how do I read this?? Delay pools configured: 5 Pool: 1 Class: 2 Aggregate: Max: 100 Restore: 100 Current: 100 Individual: Max: 512000 Restore: 5

Re: [squid-users] Documentation for squidclient?

2017-05-18 Thread erdosain9
And for example, if i have this Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 20 of 20 (0 shutting down) requests sent: 23980 replies received: 23980 queue length: 0 avg service time: 8 msec ID # FD PID # Requests # Replies

[squid-users] AD Windows server 2012 - Squid Authenticator slow

2017-05-24 Thread erdosain9
Hi to all. I'm having too much "avg service time" in the negotiate kerberos helper. Amos told me that it's a configuration related to the AD. Can somebody give me a hand to tune that? Or tell me where to find information about it? Thanks Negotiate Authenticator Statistics: program:

[squid-users] Two squid server - Would it be useful?

2017-05-23 Thread erdosain9
Hi. I have a working squid server. We have 110 PCs. I have two virtualized squids. One of them is working, and the other I use for testing purposes. But I want to know if I could take the "testing purpose" one and put it to work with "cache peers or neighbors"?? Would it be better?? it give some

Re: [squid-users] Two squid server - Would it be useful?

2017-05-23 Thread erdosain9
Thanks, and sorry, I have just two. In one of them (the more "important") I have SSO, and in the other I have access per IP. So, do I need to have the two squid servers equal or not? On the other hand, I do not mind the use of bandwidth, but want to serve as fast as possible. How would I configure this??

[squid-users] Wrong timestamp??

2017-05-24 Thread erdosain9
Hi to all. This is strange... if I put "date" I get the actual time. I mean the time is correct. More or less at this moment it is [root@squid ~]# date mié may 24 15:59:59 ART 2017 in the same moment (more or less) access.log 24/May/2017:19:00:21 same moment (more or less) [root@squid

Re: [squid-users] Documentation for squidclient?

2017-05-19 Thread erdosain9
Hi again. Just boot up 11:43 number active: 14 of 25 (0 shutting down) requests sent: 166348 replies received: 166348 queue length: 0 avg service time: 34 msec ID # FD PID # Requests # Replies Flags Time Offset Request 366 97 13237 510

[squid-users] this config is ok? is ok the order?

2017-05-30 Thread erdosain9
acl local_machines dst 192.168.1.0/24 ###Kerberos Auth with ActiveDirectory### auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxx@xxx.lan auth_param negotiate children 25 startup=0 idle=1 auth_param negotiate keep_alive on external_acl_type i-full

Re: [squid-users] this config is ok? is ok the order?

2017-06-05 Thread erdosain9
Amos Jeffries wrote > The core issue is the speed at which that service rotates its response > IP lists, which is directly related to each request going to entirely > different server in their farm. Simply having a single (and maybe more > sane regarding TTLs) resolver as a networks focal point

Re: [squid-users] this config is ok? is ok the order?

2017-06-06 Thread erdosain9
Oh OK! So... doesn't it make any sense to try to have a big TTL? Because OK, if I use just my own DNS resolver then "they" have just one TTL and not one for each user. But wouldn't it be better to have a long TTL??? Is the IP attached to a domain name changing so quickly (15', for example)?? I don't

Re: [squid-users] this config is ok? is ok the order?

2017-06-01 Thread erdosain9
"If I assume that its doing what you want there are still two major issues that can be seen.". i think it was... "1) Mixing interception and authentication (ssl-bump is a type of interception, at least on the https:// traffic). Intercepted messages cannot be authenticated - though

Re: [squid-users] this config is ok? is ok the order?

2017-06-05 Thread erdosain9
Hi. From what I understood, the TTL of DNS names is important. So, I wanted to know when the squid server would ask for resolution again. That is, how long the record was kept. Thanks. PS: without -x [root@squid ~]# dig yahoo.com ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> yahoo.com ;; global

[squid-users] Negotiate Authenticator and DNS

2017-09-22 Thread erdosain9
Hi. I'm trying to improve the DNS response because I'm having these times: Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 32 of 32 (0 shutting down) requests sent: 72241 replies received: 72241 queue length: 0 avg service time: 56 msec ID #

[squid-users] Ipv6 error

2017-10-09 Thread erdosain9
Hi. I'm getting this kind of error: -- The following error was encountered while trying to retrieve the URL: https://wiki.squid-cache.org/* Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed. The

Re: [squid-users] Ipv6 error

2017-10-09 Thread erdosain9
This is weird. This just happened to me with that website... I mean, with https://wiki.squid-cache.org/ (not with Google, not with Facebook). But the weird thing is that if I go through a machine authenticated by IP, I receive that IPv6. But if I go through a Kerberos-authenticated machine I get this net::err

Re: [squid-users] Ipv6 error

2017-10-10 Thread erdosain9
Sorry, but is the problem with the certificate a problem from the website?? I mean, it is not a problem of "my squid". So I'd better exclude that website... but, so strange, the squid wiki webpage with a problem in its certificate???

Re: [squid-users] Ipv6 error

2017-10-10 Thread erdosain9
OK, that's an error from Chrome. Another thing with just that website: if I disable dns_ipv4_first, I get this: -- The following error was

Re: [squid-users] Is your kerberos ticket expired?

2017-10-10 Thread erdosain9
Sorry, I found where: /etc/sysconfig/squid. And it was good, I already have that config, so I don't know why it is failing. -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html ___ squid-users mailing list

Re: [squid-users] Is your kerberos ticket expired?

2017-10-10 Thread erdosain9
Hi. I followed this guide https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory But I don't know where to put this: Add the following configuration to /etc/default/squid3 KRB5_KTNAME=/etc/squid3/PROXY.keytab export KRB5_KTNAME I don't have that file /etc/default/squid3

[squid-users] Is your kerberos ticket expired?

2017-10-05 Thread erdosain9
Hi. All is working fine, but I'm having this error in the mail of root -- From r...@squid.domain.lan Tue Oct 3 04:00:02 2017 Return-Path: X-Original-To: root

Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
By the way, total used free shared buff/cache available Mem: 3,7G 3,0G 122M 13M 554M 422M Swap: 2,0G 160M 1,8G

[squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
Hi to all. All was working fine... but today I'm having this issue 2017/09/07 11:34:49 kid1| Starting new negotiateauthenticator helpers... 2017/09/07 11:34:49 kid1| helperOpenServers: Starting 1/35 'negotiate_kerberos_auth' processes 2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator

Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-11 Thread erdosain9
OK, thanks, I grew the swap [root@squid /]# free -h total used free shared buff/cache available Mem: 3,7G 1,0G 117M 29M 2,6G 2,4G Swap: 6,0G 124M 5,9G related to swappiness what would be a

Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
but, why so slow then??? " For Negotiate and NTLM the credentials are supposed to be unique per connection, so each TCP connection requires separate lookup. But followup pipelined requests on a connection should not need auth helper lookups as they share the already authenticated credentials.

Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
Hi. Thanks. But is there some time to live to configure in squid, so the service is not asking every time for authentication?? Thanks!

Re: [squid-users] Negotiate Authenticator and DNS

2017-09-26 Thread erdosain9
Sorry, this is part of my config ###Kerberos Auth with ActiveDirectory### auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.domain@domain.lan auth_param negotiate children 45 startup=0 idle=1 auth_param negotiate keep_alive on external_acl_type i-full %LOGIN

[squid-users] SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-09-04 Thread erdosain9
Hi. I'm having a lot of this in cache.log... is this normal?? The https access is working fine... but I have those errors. 2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ( 1/-1/0) 2017/09/04 13:10:58

[squid-users] DNS Server Failure

2017-09-04 Thread erdosain9
Hi. Is there a way to know what could be happening with this failure? Thanks to all. Internal DNS Statistics: The Queue: DELAY SINCE ID SIZE SENDS FIRST SEND LAST SEND M FQDN -- - -- - - DNS jumbo-grams: not working Nameservers: IP

Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
Sorry, I don't understand. Just enumerate the user in an ACL? A common ACL or a Kerberos ACL?? Can you give me an example please? Thanks

Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
Thanks Amos. Let's be clear ... this configuration was working exactly as I wanted it to. The users in each of those groups (i-full, sin_autenticacion, i-limitados) navigated without problems. So that they did not navigate, I simply took them out of one of those groups, period. Everything works

Re: [squid-users] Block a web just for a group inside another group, or how?

2017-12-04 Thread erdosain9
But that's exactly the problem. That's what I do. I do have this large group i-full and a small group with a few users from i-full; the small group is called i-restringidos. And I put i-restringidos at the top... (as you can see in my config file) But it is not working. They can go through the web

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-12 Thread erdosain9
Thanks. I updated to 3.5.27 and now I don't have this problem. But I have this doubt... so, was this a problem of my certificate or a bug from squid??? Thanks

[squid-users] WARNING: HTTP requires the use of Via

2017-12-13 Thread erdosain9
I'm having this warning in the log. I can't find anything related to this on Google, so, what could it be?? This is my config: IP GROUPS acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst" ###Kerberos Auth with ActiveDirectory### auth_param negotiate program

[squid-users] Some things in the log

2017-12-13 Thread erdosain9
Hi to all. I'm having some things in the log. Like this: -Vary object loop -Could not parse headers from on disk object -varyEvaluateMatch: Oops ipcacheParse No Address records in response to (I suppose this is not a problem) And a lot more as you can see. 2017/12/12 16:09:50 kid1|

[squid-users] reference_age 1 week

2017-12-13 Thread erdosain9
Hi. I want to put that command reference_age 1 week; I see that in a lot of tutorials, but... squid gives me an error and stops the service. It doesn't recognize the command... does that command not exist anymore?? Thanks. PS: is there another way to tell squid how to manage the time for the cache objects??

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
When I put in Chrome https://.sdfasdfasdfasdfasd.com it produces the same error... but this just happened with "https" and with Chrome... not with Firefox. With Firefox I get the error web page from squid: Unable to determine IP address from host name

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
Hi, and thanks. But I don't get it, how is this possible, if the bumping is working well? I mean, if all https is working with my certificate, except for those that I block (from Chrome). But the bumping is working well in Chrome and Firefox. This is the log from Chrome with port 1512501177.181

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread erdosain9
"Does that error match the generated certificate sent by Squid to a blocked Chrome user? In other words, does that certificate have an invalid common name (CN) field? " No, is the same certificate. "I suggest comparing the following two certificates: * the certificate sent by Squid to a

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-07 Thread erdosain9
Yes, Chrome tells me this when I look at the certificate: "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address." So, my certificate does not have a Subject Alternative Name. But this is not a problem with Firefox. I have to change

Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-07 Thread erdosain9
OK, thanks for your time. This "fixes" the problem... reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1 When I wrote that command, the problem was gone. But I want to know about that fix that you are telling me about. I'm using this version Squid

[squid-users] Error page or redirect just to a user

2017-12-03 Thread erdosain9
Hi. I want to do a redirect for a user. For example, if the user wants to go to Google, I redirect them to some particular website. Can you tell me how?? I have configured the HTTP access through user (with Kerberos). Thanks to all

[squid-users] Certificate for bump?

2017-10-30 Thread erdosain9
Hi. What do you think about using a certificate for bump from https://letsencrypt.org??? Thanks to all.

[squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Hi to all. Squid was working fine, but I made a mistake and... deleted the proxy.keytab. I tried to do it again, but made a mistake in the syntax. Wrong syntax (the real name is not squidproxy.domain.lan, it is squid.domain.lan): msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.lan -k

Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
OK. Thanks. Now the ticket is fine and is working (people are going through the internet and I see their user names in access.log) but... I'm having this error in the log. 2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message:

Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Thanks for your time! Now it is working fine. A small and stupid question: where can I find the start script of squid??? This is a CentOS 7. I want to put this: KRB5RCACHETYPE=none export KRB5RCACHETYPE [root@squid etc]# cat /usr/lib/systemd/system/squid.service ## Copyright (C) 1996-2015 The

[squid-users] All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

2018-02-16 Thread erdosain9
Hi. I'm having this warning in cache.log 2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy. 2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued 2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of ssl_crtd processes in your config file. 2018/02/14

[squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Hi. I'm having this problem. I'm running squid on a CentOS 7 container (lxc on proxmox). This is cache.log support_sasl.cc(276): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server support_ldap.cc(957): pid=555 :2018/02/20

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Hi. The port is open. Is there a way to have a little more log?? Thanks

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread erdosain9
Sorry, Yuri, yes it is working. I can connect via LDAP and also turned on debug to investigate, and there is no error now... but from time to time, this error is happening... so... it is strange. On the other hand, I'm getting these values with just one machine using squid: Negotiate Authenticator Statistics:

[squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread erdosain9
Hi to all. I don't know why I have these bad values. My network is working fine. What can I do to fix this? I think it is a high value. HTTP/1.1 200 OK Server: squid/3.5.27 Mime-Version: 1.0 Date: Fri, 23 Feb 2018 17:16:25 GMT Content-Type: text/plain;charset=utf-8 Expires: Fri, 23 Feb 2018 17:16:25 GMT

[squid-users] Block some web to a group of ip and allow the rest.

2018-02-23 Thread erdosain9
Hi to all. I'm trying to block some web to an IP group. [root@squid ips]# cat i-restringidos.lst 192.168.1.42 192.168.1.43 192.168.1.44 192.168.1.45 192.168.1.99 192.168.1.50 192.168.1.128 This same IP group has access to all internet. [root@squid ips]# cat prensa_isla.lst 192.168.1.42

[squid-users] Wpad problem (DNS)

2018-07-26 Thread erdosain9
Hi to all. I'm trying to put the proxy through DNS. I'm working on a Windows Server 2012 R2. I followed a lot of tutorials... and can't do it. The best I have is this (and it is strange). When the PC starts I see the IP of that PC in the squid log. tail -f /var/log/squid/access.log | grep 192.168.6.22

Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread erdosain9
Hi, thanks. I tried Explorer 8.0 and Chrome 68.0...

Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
Thanks to all!! Now it is working fine. Just one question... I made this accessible from the internet... so I created some ACL 0.0.0.0/0 and it's working. But... is this a security issue??? Or is it OK to declare that ACL? Thanks to all.

Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
> php.mydomain.lan 192.168.1.223 > ticket.mydomain.lan 192.168.1.246 >.. and clients never connect to the above directly. So these domains are >never to be accessed by users/clients. The client can connect directly from the domain. (i mean they can connect directly in work, but i want to do

Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
Antony Stone wrote >> I create two entries pointing to squid in DNS now. >> site1.mydomain.lan >> site2.mydomain.lan > > So, both of those resolve to 192.168.1.21, right? > > Yes, the resolve to the ip of squid. > >> > The config example you want to follow is >> >

Re: [squid-users] Squid as reverse proxy for two or more webs

2018-08-10 Thread erdosain9
OK, thanks. I changed that. Now, if I go to reverse.mydomain.lan I get this error: "Unable to forward this request at this time." 1533909140.268 0 192.168.6.20 TCP_IMS_HIT/304 355 GET http://reverse.mydomain.lan/squid-internal-static/icons/SN.png - HIER_NONE/- image/png but what would be

[squid-users] Squid Reverse HTTPS Let's Encrypt

2018-08-23 Thread erdosain9
Hi. I have Squid configured as a reverse proxy. The DNS entries are configured too. The clients can access from outside without problem. It is working well. But I want to serve web pages with https and I would like to use Let's Encrypt (or something similar) so clients do not have to accept an invalid

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-27 Thread erdosain9
Thank you Amos (sorry again Yuri). And yes, the users are complaining. The problem is this (and sorry for being repetitive with this). That avg ms value sometimes goes up to 3000... and in that moment everything stops. In the cache.log, sometimes, I'm getting this. support_sasl.cc(276): pid=3729

[squid-users] Pass ip to server

2019-02-12 Thread erdosain9
Hi. I want to know if it is possible that, for some site (sales.mydomain.com), the proxy server sends the "real IP". Because I want to see in the logs of sales.mydomain.com the real IP of the machines that are connecting (and not the proxy IP). I know that I can see this in the log of squid... but, I want
