Re: [squid-users] crash squid-3.1.18

2011-12-08 Thread Amos Jeffries

On 8/12/2011 8:44 p.m., Knop, Uwe wrote:

Hi,

i create a bugreport for this error
http://bugs.squid-cache.org/show_bug.cgi?id=3442:

assertion failed: external_acl.cc:841: ch-auth_user_request

bye UK


This is fixed already. Just winding its way down through QA.
Thanks for the info that 3.1 needs it as well as 3.2 where it was found.

Amos


[squid-users] URL parsing crashing squid 3.2.0.13... snapshot

2011-12-08 Thread alex sharaz

Hi,

2011/12/08 10:05:13 kid5| Starting Squid Cache version  
3.2.0.13-20111206-r11454 for x86_64-unknown-linux-gnu...

2011/12/08 10:05:13 kid5| Process ID 6007
2011/12/08 10:05:13 kid5| Process Roles: worker
2011/12/08 10:05:13 kid5| With 49152 file descriptors available
2011/12/08 10:05:13 kid5| Initializing IP Cache...
2011/12/08 10:05:13 kid5| DNS Socket created at 0.0.0.0, FD 7
2011/12/08 10:05:13 kid5| Adding nameserver 150.237.84.21 from  
squid.conf
2011/12/08 10:05:13 kid5| Adding nameserver 150.237.198.2 from  
squid.conf
2011/12/08 10:05:13 kid5| helperOpenServers: Starting 5/20 'helper- 
mux.pl' processes
2011/12/08 10:05:13 kid5| helperOpenServers: Starting 0/10  
'basic_pam_auth' processes
2011/12/08 10:05:13 kid5| helperOpenServers: No 'basic_pam_auth'  
processes needed.

2011/12/08 10:05:13 kid5| Logfile: opening log daemon:/logs/access.log
2011/12/08 10:05:13 kid5| Logfile Daemon: opening log /logs/access.log
2011/12/08 10:05:13 kid5| Local cache digest enabled; rebuild/rewrite  
every 3600/3600 sec

2011/12/08 10:05:13 kid5| Store logging disabled
2011/12/08 10:05:13 kid5| WARNING: disk-cache maximum object size is  
unlimited but mem-cache maximum object size is 32.00 KB
2011/12/08 10:05:13 kid5| Swap maxSize 4060160 + 262144 KB, estimated  
332484 objects

2011/12/08 10:05:13 kid5| Target number of buckets: 16624
2011/12/08 10:05:13 kid5| Using 32768 Store buckets
2011/12/08 10:05:13 kid5| Max Mem  size: 262144 KB [shared]
2011/12/08 10:05:13 kid5| Max Swap size: 4060160 KB
2011/12/08 10:05:13 kid5| Version 1 of swap file with LFS support  
detected...

2011/12/08 10:05:13 kid5| Rebuilding storage in /cache/5 (CLEAN)
2011/12/08 10:05:13 kid5| Using Least Load store dir selection
2011/12/08 10:05:13 kid5| Set Current Directory to /usr/local/squid/ 
var/cache/squid

2011/12/08 10:05:13 kid5| Loaded Icons.
2011/12/08 10:05:13 kid5| IcmpSquid.cc(255) Open: Pinger socket opened  
on FD 24

2011/12/08 10:05:13 kid5| Ready to serve requests.
2011/12/08 10:05:13| pinger: Initialising ICMP pinger ...
2011/12/08 10:05:13| pinger: ICMP socket opened.
2011/12/08 10:05:13 kid5| Store rebuilding is 19.10% complete
2011/12/08 10:05:13 kid5| Done reading /cache/5 swaplog (21442 entries)
2011/12/08 10:05:13 kid5| Finished rebuilding storage from disk.
2011/12/08 10:05:13 kid5| 21442 Entries scanned
2011/12/08 10:05:13 kid5| 0 Invalid entries.
2011/12/08 10:05:13 kid5| 0 With invalid flags.
2011/12/08 10:05:13 kid5| 20983 Objects loaded.
2011/12/08 10:05:13 kid5| 0 Objects expired.
2011/12/08 10:05:13 kid5| 0 Objects cancelled.
2011/12/08 10:05:13 kid5|   447 Duplicate URLs purged.
2011/12/08 10:05:13 kid5|12 Swapfile clashes avoided.
2011/12/08 10:05:13 kid5|   Took 0.13 seconds (158376.61 objects/sec).
2011/12/08 10:05:13 kid5| Beginning Validation Procedure
2011/12/08 10:05:13 kid5|   Completed Validation Procedure
2011/12/08 10:05:13 kid5|   Validated 20983 Entries
2011/12/08 10:05:13 kid5|   store_swap_size = 848684.00 KB
2011/12/08 10:05:13 kid5| Accepting HTTP Socket connections at  
local=150.237.85.249:3128 remote=[::] FD 9 flags=1
2011/12/08 10:05:13 kid5| Accepting HTTP Socket connections at  
local=150.237.84.13:3128 remote=[::] FD 11 flags=1

2011/12/08 10:05:13 kid5| Accepting HTCP messages on 0.0.0.0:4827
2011/12/08 10:05:13 kid5| Sending HTCP messages from 0.0.0.0:4827
2011/12/08 10:05:14 kid5| storeLateRelease: released 0 objects
2011/12/08 10:05:16 kid4| Starting Squid Cache version  
3.2.0.13-20111206-r11454 for x86_64-unknown-linux-gnu...

2011/12/08 10:05:16 kid4| Process ID 6016
2011/12/08 10:05:16 kid4| Process Roles: worker
2011/12/08 10:05:16 kid4| With 49152 file descriptors available
2011/12/08 10:05:16 kid4| Initializing IP Cache...
2011/12/08 10:05:16 kid4| DNS Socket created at 0.0.0.0, FD 7
2011/12/08 10:05:16 kid4| Adding nameserver 150.237.84.21 from  
squid.conf
2011/12/08 10:05:16 kid4| Adding nameserver 150.237.198.2 from  
squid.conf
2011/12/08 10:05:16 kid4| helperOpenServers: Starting 5/20 'helper- 
mux.pl' processes
2011/12/08 10:05:16 kid4| helperOpenServers: Starting 0/10  
'basic_pam_auth' processes
2011/12/08 10:05:16 kid4| helperOpenServers: No 'basic_pam_auth'  
processes needed.

2011/12/08 10:05:16 kid4| Logfile: opening log daemon:/logs/access.log
2011/12/08 10:05:16 kid4| Logfile Daemon: opening log /logs/access.log
2011/12/08 10:05:16 kid4| Local cache digest enabled; rebuild/rewrite  
every 3600/3600 sec

2011/12/08 10:05:16 kid4| Store logging disabled
2011/12/08 10:05:16 kid4| WARNING: disk-cache maximum object size is  
unlimited but mem-cache maximum object size is 32.00 KB
2011/12/08 10:05:16 kid4| Swap maxSize 4060160 + 262144 KB, estimated  
332484 objects

2011/12/08 10:05:16 kid4| Target number of buckets: 16624
2011/12/08 10:05:16 kid4| Using 32768 Store buckets
2011/12/08 10:05:16 kid4| Max Mem  size: 262144 KB [shared]
2011/12/08 10:05:16 kid4| Max Swap size: 4060160 KB
2011/12/08 

[squid-users] icap problem with 3.1.18

2011-12-08 Thread Daniel Beschorner
After upgrading to 3.1.18 (+adaption compile patch) the following url never 
stops loading in the browser

http://x.ligatus.com/cgi-bin/ivw/CP/11260-365/83-1056/129647-107545-_129709-105679-_128565-101085-//

If I bypass the ICAP server for this url (which is indeed a redirect to 
http://x.ligatus.com/blank.gif) all works fine.

3.1.16 works with ICAP, the url is loaded immediately.

Any idea? Thanks
Daniel



Re: [squid-users] crash squid-3.1.18

2011-12-08 Thread Jan Sievers
Hi Amos,

On 2011-12-08 10:04, Amos Jeffries wrote:
 On 8/12/2011 8:44 p.m., Knop, Uwe wrote:
 i create a bugreport for this error
 http://bugs.squid-cache.org/show_bug.cgi?id=3442

 assertion failed: external_acl.cc:841: ch-auth_user_request
 
 This is fixed already. Just winding its way down through QA.
 Thanks for the info that 3.1 needs it as well as 3.2 where it was found.

I applied patch squ...@treenet.co.nz-20111208111329-4p5ugr1bj8lxdd8i (¹)
but here Squid 3.1.18 still dies on every request.

backtrace:

#0  0xb7746424 in __kernel_vsyscall ()
#1  0xb7479640 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb747b018 in abort () from /lib/i686/cmov/libc.so.6
#3  0x0811670f in death (sig=11) at tools.cc:398
#4  signal handler called
#5  0x0814185b in authenticateValidateUser (auth_user_request=0x85b2170)
at UserRequest.cc:104
#6  0x08141ab2 in authenticateUserAuthenticated
(auth_user_request=0x85b2170) at UserRequest.cc:246
#7  0x08141ec4 in AuthUserRequest::authenticate
(auth_user_request=0x85b20bc,
headertype=HDR_PROXY_AUTHORIZATION, request=0x8588540,
conn=0x85ae9f0, src_addr=@0x85b2018)
at UserRequest.cc:450
#8  0x08142759 in AuthUserRequest::tryToAuthenticateAndSetAuthUser
(auth_user_request=0x85b20bc,
headertype=HDR_PROXY_AUTHORIZATION, request=0x8588540,
conn=0x85ae9f0, src_addr=@0x85b2018)
at UserRequest.cc:524
#9  0x0812f8a0 in AuthenticateAcl (ch=0x85b1ff8) at Acl.cc:50
#10 0x080943e0 in ACLExternal::ExternalAclLookup (checklist=0x85b1ff8,
me=0x8354a00,
callback=0x8091680 ExternalACLLookup::LookupDone(void*, void*),
callback_data=0x85b1ff8)
at external_acl.cc:1252
#11 0x08094e4a in ExternalACLLookup::checkForAsync (this=0x81e80a0,
checklist=0x85b1ff8)
at external_acl.cc:1450
#12 0x08152937 in ACLChecklist::checkForAsync (this=0x85b1ff8) at
Checklist.cc:178
#13 0x08153175 in ACLChecklist::matchAclList (this=0x85b1ff8,
head=0x8357a00, fast=false)
at Checklist.cc:229
#14 0x08153530 in ACLChecklist::matchAclListSlow (this=0x85b1ff8,
list=0x8357a00) at Checklist.cc:202
#15 0x08153564 in ACLChecklist::checkAccessList (this=0x85b1ff8) at
Checklist.cc:172
#16 0x08153602 in ACLChecklist::check (this=0x85b1ff8) at Checklist.cc:92
#17 0x080937f1 in externalAclHandleReply (data=0x8480358,
reply=0x83c2a20 OK) at external_acl.cc:1226
#18 0x080b3d6c in helperHandleRead (fd=39, buf=0x83c2a20 OK, len=3,
flag=COMM_OK, xerrno=0,
data=0x83c29a8) at helper.cc:856
#19 0x0812da25 in CommIoCbPtrFun::dial (this=0x83c4a84) at CommCalls.cc:183
#20 0x0811fb46 in AsyncCall::make (this=0x83c4a68) at AsyncCall.cc:34
#21 0x08122276 in AsyncCallQueue::fireNext (this=0x838eda0) at
AsyncCallQueue.cc:53
#22 0x08122408 in AsyncCallQueue::fire (this=0x838eda0) at
AsyncCallQueue.cc:39
#23 0x08091197 in EventLoop::runOnce (this=0xbf869648) at EventLoop.cc:130
#24 0x08091260 in EventLoop::run (this=0xbf869648) at EventLoop.cc:94
#25 0x080ded42 in SquidMain (argc=1, argv=0xbf869764) at main.cc:1418
#26 0x080df37a in main (argc=-1217635500, argv=0x29) at main.cc:1176

and cache.log:

2011/12/08 16:45:04.388| authenticateAuthenticate: This is a new
checklist test on FD:11
2011/12/08 16:45:04.388| authenticateValidateUser: Validating Auth_user
request '0x9650818'.
(squid)[0x8116619]
[0xb7739400]
(squid)[0x814185b]
(squid)[0x8141ab2]
(squid)[0x8141ec4]
(squid)[0x8142759]
(squid)[0x812f8a0]
(squid)[0x80943e0]
(squid)[0x8094e4a]
(squid)[0x8152937]
(squid)[0x8153175]
(squid)[0x8153530]
(squid)[0x8153564]
(squid)[0x8153602]
(squid)[0x80937f1]
(squid)[0x80b3d6c]
(squid)[0x812da25]
(squid)[0x811fb46]
(squid)[0x8122276]
(squid)[0x8122408]
(squid)[0x8091197]
(squid)[0x8091260]
(squid)[0x80ded42]
(squid)[0x80df37a]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7457455]
(squid)(__gxx_personality_v0+0x199)[0x804ce21]
FATAL: Received Segment Violation...dying.
CPU Usage: 2.648 seconds = 0.916 user + 1.732 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:2560 KB
Ordinary blocks: 2501 KB 16 blks
Small blocks:   0 KB  6 blks
Holding blocks:  8860 KB  7 blks
Free Small blocks:  0 KB
Free Ordinary blocks:  58 KB
Total in use:   11361 KB 444%
Total free:59 KB 2%

Shall I open a new bug for this?

Jan

¹)
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10418.patch

-- 
Jan Sievers  |
Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de


[squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Jason Ianacone

I am running squid 3.1.8 (non-transparent) on a Tomato based router. I 
connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup 
to forward port 444 to 3128. I have a couple of small problems that 
bother me.

1. I run a WHS on my LAN. When I am connected to the 
SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no 
problem. When I type in .homeserver.com, I get a connection refused 
(146) error. I get the same error if I type in my WAN IP as well.

2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
 works perfect. If I change it to forward 444 to WNR3500L:3128, which is
 my device name, I get an access denied error. So I am connecting to 
the proxy, but it doesn't like it for some reason.

Any help would be appreciated.

Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-08 Thread Emmanuel Lacour

(sorry for the thread break, I loosed original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests to connect to a kerberos enabled squid from a windows
client not within the AD domain:

squid auth setup is: 
negotiate squid_kerb_auth
ntlm
basic (ldap)


As negotiate is proposed and IE support it, it always try to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic at first, IE always try
negotiate (when Firefox just use the first one).

With the negotiate,ntlm,basic order, firefox seems to try different
methods, because after three tries of login in, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  not knowing negotiate support, but ntlm and with basic fallback for
  client without negotiate/ntlm support)
- and a second one with only basic auth


Re: [squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Amos Jeffries

On 9/12/2011 8:37 a.m., Jason Ianacone wrote:

I am running squid 3.1.8 (non-transparent) on a Tomato based router. I
connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup
to forward port 444 to 3128. I have a couple of small problems that
bother me.

1. I run a WHS on my LAN. When I am connected to the
SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no
problem. When I type in .homeserver.com, I get a connection refused
(146) error. I get the same error if I type in my WAN IP as well.

2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
  works perfect. If I change it to forward 444 to WNR3500L:3128, which is
  my device name, I get an access denied error. So I am connecting to
the proxy, but it doesn't like it for some reason.

Any help would be appreciated.  


This description reads as if you have configured the proxy or firewall 
to block access via non-LAN IPs.


The help you seek is in the config files somewhere.

Amos


[squid-users] MAC addresses as the only ACL restriction

2011-12-08 Thread Inter Node
Hello everyone, I have a question (and it may be a stupid one), but here goes. 
I use squid on my server for privacy reasons when I surf the web. I currently 
use IP addresses as my access restriction; only my home IP has access to my 
squid server. I was thinking of transitioning to MAC addresses for ACL 
purposes, so that I can use my proxy when I'm on the bus or at work. Are MAC 
addresses any less secure as an ACL restriction than IP addresses?

Thank you for your time!



Re: [squid-users] MAC addresses as the only ACL restriction

2011-12-08 Thread Pieter De Wit

Hi,

MAC address filtering will only work on the same LAN segment. The mac 
address for your IP will be the gateway of the squid server if you are 
connecting remotely.


Cheers,

Pieter

On Thu, 8 Dec 2011, Inter Node wrote:


Hello everyone, I have a question (and it may be a stupid one), but here goes. 
I use squid on my server for privacy reasons when I surf the web. I currently 
use IP addresses as my access restriction; only my home IP has access to my 
squid server. I was thinking of transitioning to MAC addresses for ACL 
purposes, so that I can use my proxy when I'm on the bus or at work. Are MAC 
addresses any less secure as an ACL restriction than IP addresses?

Thank you for your time!




Re: [squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Jason Ianacone
I totally agree. Just hoping someone could say what exactly. 

Problem #2 had to do with the hosts name redirecting the device name to the 
ipv4 and ipv6 addresses. I have a unique name to the ipv4 and the problem went 
away. 

Sent from my iPhone

On Dec 8, 2011, at 3:41 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 9/12/2011 8:37 a.m., Jason Ianacone wrote:
 I am running squid 3.1.8 (non-transparent) on a Tomato based router. I
 connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup
 to forward port 444 to 3128. I have a couple of small problems that
 bother me.
 
 1. I run a WHS on my LAN. When I am connected to the
 SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no
 problem. When I type in .homeserver.com, I get a connection refused
 (146) error. I get the same error if I type in my WAN IP as well.
 
 2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
  works perfect. If I change it to forward 444 to WNR3500L:3128, which is
  my device name, I get an access denied error. So I am connecting to
 the proxy, but it doesn't like it for some reason.
 
 Any help would be appreciated.
 
 This description reads as if you have configured the proxy or firewall to 
 block access via non-LAN IPs.
 
 The help you seek is in the config files somewhere.
 
 Amos
 


[squid-users] Prevent squid from adding headers

2011-12-08 Thread Jan van Riebeeck
Hi list,

I'm using squid proxy in a debugging context. So I've configured it to not 
cache anything. However, squid still adds headers to all my requests and 
responses. I'd like to see the response *exactly* as it came from the web 
server, and I'd like the web server to receive my request exactly as I sent it. 
This means I want squid not to add Via, X-Cache and X-Cache-Lookup headers.

Answers I've read to this problem boil down to using header_access to strip out 
a header. However, if a response comes back with a via header from the 
loadbalancer at the server side, then I want to see it... So I don't want to 
ban the header, I just want squid to be absolutely silent.

Is that possible without modifying the source?

Best,

-- jan