RE: [squid-users] NoProxy directive equivalent in squid
Quoting Chris Vaughan [EMAIL PROTECTED]:

> I am trying to get to an intranet site on a remote host, that our office has a point to point connection for. We are trying to tell the server not to use proxy for the specific internal domain names for this site.

Chris,

You can use, for example:

acl internal dstdomain yahoo.com   (or something similar)
always_direct allow internal
never_direct deny internal

rgrds,
Bart
Re: [squid-users] Page loading issues
On Tuesday 08 July 2003 06.28, Schelstraete Bart wrote:

> Henrik,
> Is this normal??

Yes, if you have enabled more detailed debug_options than the default or are using squid -k debug.

Regards
Henrik
Re: [squid-users] Re: Unable to forward this request at this time
On Tuesday 08 July 2003 01.29, Norman Zhang wrote:

> Hi,
>
> > On Tuesday 08 July 2003 00.47, Norman Zhang wrote:
> > > * Unable to forward this request at this time.
> >
> > This message is only seen if you are using never_direct.
>
> But default setting for squid.conf never_direct is none. I haven't touched those fancy options yet 8)

miss_access is also related to this option.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
Re: [squid-users] urgent squid with squidguard help
On Tuesday 08 July 2003 07.02, Vishal For You wrote:

> I have tried to use squid acl for this. In fact I am currently using acl's but for the new configuration somehow it is not working, that's why I am using squidguard to solve the problem. I have denied everyone in my squid.conf.

If you deny everyone in squid.conf, then no one will be able to reach SquidGuard.

Regards
Henrik
[squid-users] Re: Squid server
On Tuesday 08 July 2003 09.22, Hussain Mohammad wrote:

> Squid server version 3.0 was used to solve problem, it has been used as proxy server. http worked fine but any https site does not open and also an error occurred on squid server when https sites were browsed.

Squid-3.0 is still in development and not suitable for production use. Use Squid-2.5.

> 2003/07/07 17:59:45| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

You are trying to use a https_port as proxy port. This will not work. Specify the http_port as the proxy port in your browser.

Regards
Henrik
Re: [squid-users] the problem of blocking URL
On Tuesday 08 July 2003 03.20, Li Wei wrote:

> However, when my colleague was accessing http://photo.cameraunion.net:81/phpchat/index.php3, he was rejected by Squid.

This is probably blocked by the Safe_Ports acl as the server is running on a non-standard port. Port 81 is not included in the default set of safe ports.
[squid-users] Squid proxying okay but not really cacheing?
Hi.

I've just set up a squid system (2.5stable3) under Linux, and I've changed only the access control setting in the squid.conf file, to allow me access.

It's working fine, and passing requests and pages through nicely. However, I can't really see that it's doing much cacheing, when I would expect it to.

So far I'm the only user, testing the system, and I'm using a website mapping application which walks through every page on a website, following all the local links, as a way of generating some traffic through squid. I'm visiting a couple of sites which have nearly all static content, so it should be cacheable okay.

The first time I run the app, and I watch squid's access.log output, I see lots of TCP_MISS entries, with the access going DIRECT to fetch the webpage from the server. But it looks pretty much the same the second time I do the same thing - I get very few TCP_HIT, TCP_IMS_HIT or TCP_MEM_HIT entries, and my inbound traffic to the squid server is pretty much as high as it was the first time round.

I have two questions, which I can't find in the FAQ:

1. Can I get any statistics out of squid to tell me what size cache it's using, how full it is, and how quickly it's churning the entries?
2. Is there anything else I should be changing in the squid.conf file to get good cacheing as well as proxying?

Thanks,

Antony.

--
Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a methodology or on a schedule.
- Damian Conway, Perl God
[squid-users] what library is libz.so ?
I intend to install Webalizer for analyzing its log file. But it warned me that libz.so was not found during installation. I checked its requirements, and believe all of them were installed. What is it? Who knows?

** Li Wei ^-^ HAVE A GOOD DAY ^-^ JFTT E-mail: [EMAIL PROTECTED] **
Re: [squid-users] Squid proxying okay but not really cacheing?
Antony Stone wrote:

> Hi.
>
> I've just set up a squid system (2.5stable3) under Linux, and I've changed only the access control setting in the squid.conf file, to allow me access.
>
> It's working fine, and passing requests and pages through nicely. However, I can't really see that it's doing much cacheing, when I would expect it to.
>
> So far I'm the only user, testing the system, and I'm using a website mapping application which walks through every page on a website, following all the local links, as a way of generating some traffic through squid. I'm visiting a couple of sites which have nearly all static content, so it should be cacheable okay.
>
> The first time I run the app, and I watch squid's access.log output, I see lots of TCP_MISS entries, with the access going DIRECT to fetch the webpage from the server. But it looks pretty much the same the second time I do the same thing - I get very few TCP_HIT, TCP_IMS_HIT or TCP_MEM_HIT entries, and my inbound traffic to the squid server is pretty much as high as it was the first time round.
>
> I have two questions, which I can't find in the FAQ:
>
> 1. Can I get any statistics out of squid to tell me what size cache it's using, how full it is, and how quickly it's churning the entries?

Use squid's cachemgr interface to obtain various stats/info about the cache.

> 2. Is there anything else I should be changing in the squid.conf file to get good cacheing as well as proxying?

Not really, 'refresh_pattern' is related, though read the comment in squid.conf.default completely before tweaking this parameter.

You can also use: http://www.ircache.net/cgi-bin/cacheability.py as a 'tool' to verify cacheability stats for objects returned by webservers.

M.
Re: [squid-users] Squid proxying okay but not really cacheing?
On Tuesday 08 July 2003 10.20, Antony Stone wrote:

> 1. Can I get any statistics out of squid to tell me what size cache it's using, how full it is, and how quickly it's churning the entries?

Yes, via the cachemgr interface.

> 2. Is there anything else I should be changing in the squid.conf file to get good cacheing as well as proxying?

Make sure that your cache size is sufficiently large to fit the content you want to cache. The default setting is just 100MB.

Regards
Henrik
Re: [squid-users] what library is libz.so ?
Li Wei wrote:

> I intend to install Webalizer for analyzing its log file. But it warned me that libz.so was not found during installation. I checked its requirements, and believe all of them were installed. What is it? Who knows?

zlib compression and decompression library

Which os/platform/version are you using?
Anyway, you will apparently need this lib installed.

M.

> ** Li Wei ^-^ HAVE A GOOD DAY ^-^ JFTT E-mail: [EMAIL PROTECTED] **

--
'Love is truth without any future. (M.E. 1997)
Re: [squid-users] what library is libz.so ?
On Tuesday 08 July 2003 10.33, Li Wei wrote:

> I intend to install Webalizer for analyzing its log file. But it warned me that libz.so was not found during installation. I checked its requirements, and believe all of them were installed. What is it? Who knows?

libz is the library of zlib

url: http://www.gzip.org/zlib/

Regards
Henrik
[squid-users] Client Socket Buffer leak?
Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer each time it denies a request through reply_body_max_size?

The CSBs were growing out of control on one of our newer accelerators, which was odd, since the binary was directly copied from a working install. The major difference is the new one is blocking quite a few large requests.

--
Brian
Re: [squid-users] Client Socket Buffer leak?
Brian wrote:

> Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer each time it denies a request through reply_body_max_size?

How do you observe this? Which command/tool?

> The CSBs were growing out of control on one of our newer accelerators, which was odd, since the binary was directly copied from a working install. The major difference is the new one is blocking quite a few large requests.

Could the issue be os related? Which platform/os/version are you using?

M.

--
'Love is truth without any future. (M.E. 1997)
Re: [squid-users] Client Socket Buffer leak?
Tue 2003-07-08 at 10.56, Brian wrote:

> Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer each time it denies a request through reply_body_max_size?

Are these objects with a known object size (denied up front) or denials of objects with unknown size (denied when reaching the set size)?

> The CSBs were growing out of control on one of our newer accelerators, which was odd, since the binary was directly copied from a working install. The major difference is the new one is blocking quite a few large requests.

I would recommend registering a bug report. If you see the memory allocated for buffers grow out of control then there almost certainly is a leak of these.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions are only answered for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
[squid-users] Trying to select appropriate outgoing interface depending on src ip
Hi,

I have the following configuration on my NAT box:

eth0 to an internal private network consisting of 2 subnets 192.168.2.0/24 and 192.168.3.0/24. The NAT box has .1 address in both subnets and is the gateway for everybody
eth1 is connected to an ADSL modem from which I obtain an $ADSL_IP via ppp
eth2 is connected to a routable Ethernet interface $ETH_2

Using policy routing/netfilter I am able to SNAT 192.168.2.0/24 to ADSL_IP via eth1 and 192.168.3.0/24 to $ETH_2

I have squid set up to listen on 192.168.2.1 and 192.168.3.1 on the NAT box. I thought I could use tcp_outgoing_address to do this:

acl net_1 src 192.168.2.0/255.255.255.0
acl net_2 src 192.168.3.0/255.255.255.0
tcp_outgoing_address 192.168.2.1 net_1
tcp_outgoing_address 192.168.3.1 net_2

However, my clients neither on 192.168.2.0/24 nor on 192.168.3.0/24 are able to reach any website with these lines in the config file.

If I remove the tcp_outgoing_address lines, then I am able to reach websites via squid.

Any insights would be appreciated.

Thanks,
Yusuf
Re: [squid-users] Trying to select appropriate outgoing interface depending on src ip
> Surely you should be using $ADSL_IP or $ETH_2 as the source address for outbound website requests?

I assume that SNAT will take care of this. In any case, I did change it to $ADSL_IP and $ETH_2 respectively and the same issue occurs.

--
Yusuf Goolamabbas [EMAIL PROTECTED]
Re: [squid-users] Trying to select appropriate outgoing interface depending on src ip
On Tuesday 08 July 2003 11:48 am, Yusuf Goolamabbas wrote:

> > Surely you should be using $ADSL_IP or $ETH_2 as the source address for outbound website requests?
>
> I assume that SNAT will take care of this. In any case, I did change it to $ADSL_IP and $ETH_2 respectively and the same issue occurs.

Can you put a sniffer such as ethereal on the external interface and see:

a) whether any packets are leaving the box at all
b) what source / destination addresses they have
c) whether you see any replies?

Antony.

--
Having been asked to provide a reference for this man, I can confidently state that you will be very lucky indeed if you can get him to work for you.
[squid-users] -- Simple question about authentication
Hello,

I'd just like to answer a simple question.

My squid authenticates by LDAP on AD. I also have a user list of those who may access the proxy, like:

http_access allow FULANOS SITES

The FULANOS list is like the following:

DOMAIN\FULANO1
DOMAIN\FULANO2
DOMAIN\FULANO3

The FULANOS acl is like:

acl FULANOS proxy_auth FULANOS_FILE

Now the question: If I change the FULANOS acl to:

acl FULANOS proxy_auth REQUIRED

What is going to happen? Squid will allow access to anyone it can authenticate by LDAP? Regardless of my user list on SQUID (since it will not be using it anymore)? So, if someone is added to my LDAP, he will have instant access to squid, isn't it?

Thanks...

Alex C. B. Antão
Systems and Support Analyst
ICQ: 5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de
A good landing is one you walk away from. A great landing is one after which you can use the airplane again.
[squid-users] more on FD errors
2003/07/08 05:31:53| comm_accept: FD 16: (130) Software caused connection abort
2003/07/08 05:31:53| httpAccept: FD 16: accept failure: (130) Software caused connection abort
2003/07/08 05:33:26| comm_accept: FD 16: (130) Software caused connection abort
2003/07/08 05:33:26| httpAccept: FD 16: accept failure: (130) Software caused connection abort

Ok..before all I ever had seen were the SSL FD errors...now I am seeing this!

I am sure that I have plenty of file descriptors and especially at this time in the morning..the squid box is virtually quiet.

Is there any way to get further information on these errors and how to fix them once and for all?

--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.314.8282
Re: [squid-users] more on FD errors
Tue 2003-07-08 at 13.37, J.D. Bronson wrote:

> 2003/07/08 05:31:53| comm_accept: FD 16: (130) Software caused connection abort
> 2003/07/08 05:31:53| httpAccept: FD 16: accept failure: (130) Software caused connection abort

It is not 100% clear to me when these errors are seen, but my theory is that these errors are seen if a client aborts the TCP connection before it has been accepted by Squid.

Regards
Henrik
[squid-users] -- Daily Snapshot and Patches
Hello,

Let me ask you something: Do the daily snapshots of squid have the patches already applied? If I download it and install the last version, do I have to apply those patches???

Thanks

Alex C. B. Antão
RE: [squid-users] -- Simple question about authentication
> If I change the FULANOS acl to
> acl FULANOS proxy_auth REQUIRED
> What is going to happen? Squid will allow access to anyone it can authenticate by LDAP? Regardless of my user list on SQUID?

Correct. REQUIRED will match any user Squid can successfully authenticate.

There is an external_acl LDAP group helper - you could use that to verify that your LDAP users are members of a specific group, and base authentication on that. I've never used the group helpers, so I can't give you any configuration info, but you should be able to find it easily on the list archive (search for LDAP auth).

Adam

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001
Re: [squid-users] -- Daily Snapshot and Patches
On Tuesday 08 July 2003 14:23, Alex Carlos Braga Antão wrote:

Hi Alex,

> Hello,
>
> Let me ask you something: Do the daily snapshots of squid have the patches already applied? If I download it and install the last version, do I have to apply those patches???

well, for sure they are already applied. If not, a daily-snapshot makes no sense ;)

ciao,
Marc
RE: [squid-users] credentialsttl
Tue 2003-07-08 at 14.07, Adam Aube wrote:

> I notice that it's only listed for basic auth; does it also work with NTLM auth?

NTLM auth works very differently, and the helpers need to be queried a lot compared to basic. Basically there are two helper queries per client TCP connection.

The closest similar parameters of NTLM auth are the max_challenge_reuses and max_challenge_lifetime parameters, but again, these are very different from the basic auth credentialsttl parameter. Also, these parameters are merely a bandaid to lessen the impact of a slight design problem in the current Squid NTLM implementation and may go away in a later Squid release.

Regards
Henrik
Re: [squid-users] -- Simple question about authentication
Tue 2003-07-08 at 13.33, Alex Carlos Braga Antão wrote:

> acl FULANOS proxy_auth REQUIRED
> What is going to happen? Squid will allow access to anyone it can authenticate by LDAP?

Yes. REQUIRED matches any user who can successfully authenticate himself.

Regards
Henrik
Res: RE: [squid-users] -- Simple question about authentication
Thanks, Adam,

The problem with external_acls is that I also use NTLM auth, and external_acl is good if I have just one auth scheme. My squid first authenticates by NTLM and if the browser does not accept NTLM (everything else but IE), it authenticates with BASIC by LDAP.

For the group I can easily make a filter to ldap_auth to return just users for a specific group. I already have this filter here...

Thanks...

Alex C. B. Antão

---Original Message---
From: Adam Aube
Date: Tuesday, July 08, 2003 09:31:05
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] -- Simple question about authentication

> > If I change the FULANOS acl to
> > acl FULANOS proxy_auth REQUIRED
> > What is going to happen? Squid will allow access to anyone it can authenticate by LDAP? Regardless of my user list on SQUID?
>
> Correct. REQUIRED will match any user Squid can successfully authenticate.
>
> There is an external_acl LDAP group helper - you could use that to verify that your LDAP users are members of a specific group, and base authentication on that. I've never used the group helpers, so I can't give you any configuration info, but you should be able to find it easily on the list archive (search for LDAP auth).
>
> Adam
Re: [squid-users] -- Daily Snapshot and Patches
Tue 2003-07-08 at 14.23, Alex Carlos Braga Antão wrote:

> Hello,
>
> Let me ask you something: Do the daily snapshots of squid have the patches already applied?

Yes, and may also contain some other changes not yet published as a patch.

> If I download it and install the last version, do I have to apply those patches???

No. But it is recommended you spend some time on reading the list of patches to determine if you really need any of these patches or if the latest STABLE release is sufficient for you. The latest snapshot is not always the best.

Notice: In the same document you can also find a short list of known issues for which there is not yet an official patch available.

Regards
Henrik
Re: Res: RE: [squid-users] -- Simple question about authentication
Tue 2003-07-08 at 14.43, Alex Carlos Braga Antão wrote:

> Thanks, Adam,
>
> The problem with external_acls is that I also use NTLM auth, and external_acl is good if I have just one auth scheme.

external_acl_type does not care how many auth schemes you have, and several of the helpers handle both domain\user and user as login name if asked to.

Regards
Henrik
Re: [squid-users] credentialsttl
Hi!

I am using squid_ldap_auth helper to authenticate. I need squid to query the helper again to any user that has been inactive for a period of time, let's say 20 minutes.

Thanks!!

On 08 Jul 2003 14:25:56 +0200 Henrik Nordstrom [EMAIL PROTECTED] wrote:

> Tue 2003-07-08 at 14.07, Adam Aube wrote:
>
> > I notice that it's only listed for basic auth; does it also work with NTLM auth?
>
> NTLM auth works very differently, and the helpers need to be queried a lot compared to basic. Basically there are two helper queries per client TCP connection.
>
> The closest similar parameters of NTLM auth are the max_challenge_reuses and max_challenge_lifetime parameters, but again, these are very different from the basic auth credentialsttl parameter. Also, these parameters are merely a bandaid to lessen the impact of a slight design problem in the current Squid NTLM implementation and may go away in a later Squid release.
>
> Regards
> Henrik
RE: [squid-users] credentialsttl
> I need squid to query the helper again to any user that has been inactive for a period of time, let's say 20 minutes.

As Henrik has already noted:

1) credentialsttl will make Squid re-verify the user's credentials with the auth helper at a given interval.
2) credentialsttl will NOT make the user have to re-authenticate in their browser.

However, I have noticed there is a credentialsttl for basic auth, and there is also an authenticate_ttl that applies to all auth types. Perhaps Henrik can shed some light on the differences between the two.

Adam
[squid-users] Many TCP_DENIED with NTLM auth
I'm using the wb_ntlmauth helper, and I've noticed in my access.log there will often be two TCP_DENIED requests for an object with no user information, then a successful TCP request for the same object, this time with the user information.

Example:

1057675581.034 19 192.168.127.100 TCP_DENIED/407 1454 GET http://www.google.com/ - NONE/- text/html
1057675581.044 2 192.168.127.100 TCP_DENIED/407 1470 GET http://www.google.com/ - NONE/- text/html
1057675581.181 136 192.168.127.100 TCP_MISS/200 1601 GET http://www.google.com/ [domain]\[user] DIRECT/216.239.37.99 text/html

Note that the user never sees any error message in the browser; the page loads perfectly.

Is this normal? Is there anything I can do to reduce the occurrence of this?

Adam
RE: [squid-users] Many TCP_DENIED with NTLM auth
> I'm using the wb_ntlmauth helper, and I've noticed in my access.log there will often be two TCP_DENIED requests for an object with no user information, then a successful TCP request for the same object, this time with the user information.

Now I feel extremely foolish. Google hit a thread on the mailing list from Feb 7, 2003, and the site for the Squid NTLM authentication project. Both hits indicated this was a normal behavior.

That is odd, though - I searched for ntlm TCP_DENIED in the Squid archive search and got no hits, but searched for squid ntlm TCP_DENIED on Google and hit in the Squid archives. Are there problems with the Squid mailing list archive search tool?

Adam
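Added example (not part of the original thread, and not Squid project code): because every NTLM-authenticated request leaves 407 entries in access.log, a log review has to separate that handshake noise from 407s that never lead to an authenticated reply. The sketch below does this for native-format access.log lines; the 5-second window, the limit of two handshake 407s, the sample log lines and the user names are all assumptions made for the illustration.

```python
"""Separate NTLM handshake 407s from unresolved 407s in a Squid native access.log."""
from collections import Counter, defaultdict, namedtuple

Entry = namedtuple("Entry", "ts client action status method url user")

WINDOW_SECONDS = 5.0    # assumption: a handshake completes within a few seconds
MAX_HANDSHAKE_407 = 2   # pattern described in the thread: two 407s, then the reply

# Constructed sample. The first three lines follow the excerpt in the thread, with a
# made-up user name in place of the redacted one; the rest are invented for contrast.
SAMPLE_LOG = r"""
1057675581.034     19 192.168.127.100 TCP_DENIED/407 1454 GET http://www.google.com/ - NONE/- text/html
1057675581.044      2 192.168.127.100 TCP_DENIED/407 1470 GET http://www.google.com/ - NONE/- text/html
1057675581.181    136 192.168.127.100 TCP_MISS/200 1601 GET http://www.google.com/ EXAMPLE\alice DIRECT/216.239.37.99 text/html
1057675600.010      4 192.168.127.101 TCP_DENIED/407 1454 GET http://www.example.org/ - NONE/- text/html
1057675600.020      2 192.168.127.101 TCP_DENIED/407 1470 GET http://www.example.org/ - NONE/- text/html
1057675600.900      3 192.168.127.101 TCP_DENIED/407 1454 GET http://www.example.org/ - NONE/- text/html
1057675601.000      2 192.168.127.101 TCP_DENIED/407 1470 GET http://www.example.org/ - NONE/- text/html
1057675700.000      5 192.168.127.102 TCP_DENIED/407 1454 GET http://www.example.net/ - NONE/- text/html
1057675790.000     90 192.168.127.102 TCP_MISS/200 2048 GET http://www.example.net/ EXAMPLE\bob DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Parse one native-format access.log line; return None if it does not fit."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    try:
        # Fields: time, elapsed, client, action/code, size, method, URL, user, ...
        return Entry(float(f[0]), f[2], action, int(status), f[5], f[6], f[7])
    except ValueError:
        return None


def classify_407s(lines, window=WINDOW_SECONDS):
    """Return (handshake, unresolved) lists of 407 entries.

    A 407 counts as handshake noise when the same client, method and URL get an
    authenticated reply within `window` seconds. Everything else is unresolved:
    the client never completed authentication, or did so much later.
    """
    pending = defaultdict(list)  # (client, method, url) -> unanswered 407s
    handshake, unresolved = [], []
    for entry in filter(None, map(parse_line, lines)):
        key = (entry.client, entry.method, entry.url)
        if entry.status == 407:
            pending[key].append(entry)
            continue
        if entry.user == "-":
            continue  # no user name logged: tells us nothing about the 407s
        waiting = pending.pop(key, [])
        recent = [d for d in waiting if entry.ts - d.ts <= window]
        stale = [d for d in waiting if entry.ts - d.ts > window]
        # Only the last MAX_HANDSHAKE_407 denials belong to this handshake.
        handshake.extend(recent[-MAX_HANDSHAKE_407:])
        unresolved.extend(stale + recent[:-MAX_HANDSHAKE_407])
    for waiting in pending.values():
        unresolved.extend(waiting)
    return handshake, unresolved


def unresolved_by_client(lines, window=WINDOW_SECONDS):
    """Count unresolved 407s per client address."""
    _, unresolved = classify_407s(lines, window)
    return dict(Counter(e.client for e in unresolved))


if __name__ == "__main__":
    noise, open_denials = classify_407s(SAMPLE_LOG.splitlines())
    print("handshake 407s ignored:", len(noise))
    for client, count in sorted(unresolved_by_client(SAMPLE_LOG.splitlines()).items()):
        print("unresolved 407s from", client, "=", count)
```

Where several users share one client address (for example behind NAT), their requests fall under the same key, so the per-client counts are a starting point for review rather than a verdict.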
[squid-users] Performance and tuning on Sparc with Solaris
Hi folks,

I'm going to implement squid on a SUN E450 with Solaris 9. The machine has 4 x 450MHz processors and 4GB RAM. The expected load will be around 300 req/s at peak and will probably increase over time.

So the question is how to tune E450/Solaris/squid to achieve maximum performance. Obvious things like different disks on different controllers for different cache_dirs are clear.

As squid can't take advantage of multiple processors I'm thinking of running several instances of squid bound to different processors to share the load. Is there anybody out there running a similar setup who could give comments or recommendations?

Thanks,
Frank
Re: [squid-users] credentialsttl
Tue 2003-07-08 at 14.07, Alejandro Javier Pomeraniec wrote:

> I am using squid_ldap_auth helper to authenticate. I need squid to query the helper again to any user that has been inactive for a period of time, let's say 20 minutes.

You can set Squid to query the helper let's say every 20 minutes via the credentialsttl parameter. However, note that this has nothing to do with the interaction between the user and Squid or how often the user needs to log in. All this controls is how long Squid may assume the password of the user has not changed.

If you want the user to have to login again after a certain period of inactivity then this has to be configured within the browser. The browser logs in to Squid on each and every request and the only reason why the user does not have to login all the time is because the browser remembers the login+password and automatically sends the same login+password on future requests to the proxy.

If you want the user to have to login again after 20 minutes of inactivity then you have to make the browser forget the user's login after 20 minutes of inactivity, there is nothing the proxy can do about this.

Regards
Henrik
RE: [squid-users] credentialsttl
Tue 2003-07-08 at 17.12, Adam Aube wrote:

> However, I have noticed there is a credentialsttl for basic auth, and there is also an authenticate_ttl that applies to all auth types. Perhaps Henrik can shed some light on the differences between the two.

authenticate_ttl does not provide any meaningful functionality outside the internal guts of Squid. All you need to remember is to make sure authenticate_ttl is bigger than any of the other user related ttl values (mainly authenticate_ip_ttl and basic credentialsttl).

Regards
Henrik
Re: [squid-users] Your opinions on setup
Tue 2003-07-08 at 18.33, glen hyland wrote:

> So far I have not been able to get it to work. Now I ask for your help, in deciding what would be the best way to get different access levels, and figuring out what would be the best authentication.

If your boss wants NTLM then give it a try. See the Squid FAQ entry on using Squid with winbind.

> Would LDAP be able to accomplish that.

Everything but NTLM.

> What would be the best way to handle this? running two squids and two DG's, using an ldap server??

As you only need one DG policy (restricted access) you in theory only need one Squid. DG works as a proxy IIRC, and you should be able to select via cache_peer_access/always_direct/never_direct who is sent to DG and who is allowed to bypass the filter.

Regards
Henrik
RE: [squid-users] Page loading issues
Well, I was able to resolve the problem. It seems that the Google Toolbar was causing it to hang up; the access.log was showing multiple denies to an address space owned by Google even though I was on a completely different website. I uninstalled it this morning and I haven't had any page hangs happen since (usually I would have a few by now). Thanks for your help on letting me know that the behavior with the cache.log is normal.

Jeremy Broadway
Network Administrator
[EMAIL PROTECTED]
Office: 734-727-3151
Cell: 734-216-9359

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:56 PM
To: Jeremy Broadway; [EMAIL PROTECTED]
Subject: Re: [squid-users] Page loading issues

On Monday 07 July 2003 18.57, Jeremy Broadway wrote:

> 2003/07/07 12:46:33| The request GET http://www.google.com/webhp?hl=enedition=usaq= is DENIED, because it matched 'AuthorizedUsers'

This is normal and should correlate to a TCP_DENIED/407 entry in cache.log.

> 2003/07/07 12:46:33| The request GET http://www.google.com/webhp?hl=enedition= saq= is ALLOWED, because it matched 'AuthorizedUsers'

The same request as above but after successful authentication.

Regards
Henrik
Re: [squid-users] getting dhcpd client-hostname (or other name) in access log
Yes, the external_acl_type appears to work nicely. I wrote a small C prog that gets the client hostname mac address using the dhcpctl api provided with the isc dhcp server. I should have looked more closely at the squid.conf before posting. Thanks!

> You can't query DHCP who an IP address belongs to using standard protocols, but real DHCP servers support automatic DNS updates these days to keep DNS data in synch with DHCP updates.
>
> There is also the option (for Windows networks) to use Microsoft DNS with a WINS fallback which works to some level.
>
> However, if you find a way to query the user name (including looking directly into the dhcpd database of IP addresses) or equivalent based on the source IP address then you can easily plug this into Squid via an external acl returning the information as user name (see external_acl_type).
>
> Regards
> Henrik
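The approach discussed in this message, sketched as an added example (it is not the poster's C program and not Squid project code): a helper for an `external_acl_type` whose format is `%SRC`, which reads one client IP per line, looks up `client-hostname` in ISC dhcpd lease text and answers `OK user=<name>` or `ERR`. The lease entries and function names are constructed for illustration, and the lease file path is an assumption passed on the command line.

```python
import re
import sys

# Constructed sample in ISC dhcpd.leases syntax; later entries override earlier ones.
SAMPLE_LEASES = """
lease 192.168.1.10 {
  client-hostname "old-laptop";
}
lease 192.168.1.11 {
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.10 {
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "front desk";
}
"""

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')

def load_hostnames(text):
    """Map each IP to the client-hostname of its most recent lease entry."""
    names = {}
    for ip, body in LEASE_RE.findall(text):
        match = HOST_RE.search(body)
        if match:
            names[ip] = match.group(1)
        else:
            names.pop(ip, None)  # newest entry carries no hostname
    return names

def answer(line, names):
    """Build the helper reply for one request line (first field is %SRC)."""
    fields = line.split()
    host = names.get(fields[0]) if fields else None
    if not host:
        return "ERR"
    # The hostname is supplied by the DHCP client, so it is a label, not an
    # authenticated identity; keep only characters that cannot break the reply.
    safe = re.sub(r'[^A-Za-z0-9._-]', '_', host)
    return "OK user=" + safe

def main(leases_path):
    with open(leases_path) as fh:
        names = load_hostnames(fh.read())  # read once at helper start
    for line in sys.stdin:
        sys.stdout.write(answer(line, names) + "\n")
        sys.stdout.flush()  # Squid waits for one reply per request

if __name__ == "__main__" and len(sys.argv) > 1:
    main(sys.argv[1])
```

Because the name comes from the client, it is suitable for labelling access.log entries but should not be the sole basis for an allow decision.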
[squid-users] Re: Unable to forward this request at this time
Hi Henrik,

>>>> * Unable to forward this request at this time.
>>> This message is only seen if you are using never_direct.
>> But default setting for squid.conf never_direct is none. I haven't touched those fancy options yet 8)
> miss_access is also related to this option.

I set miss_access allow all, but the problem still persists. Do you have further suggestions?

BTW, should I be prompted for the username and password as I had set

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl password proxy_auth REQUIRED

But I got the "Unable to forward this request at this time." as soon as I hit on any page.

Regards,
Norman
[squid-users] Squid is Overperforming ;)
Hi Henrik,

Previously when I use squid, it seems just fine, it caches and browsing seems to be ok, but recently I activated delay pools for the same network, and ever since then, my browsing is extremely fast, overthrottling I might add. I am just curious, is this the work of delay pools, because I intend to experiment with it more?

acl cafenet160kusers src blah.blah.blah.blah/255.255.255.0
delay_pools 1
delay_class 1 3
delay_access 1 allow cafenet160kusers
delay_access 1 deny all
delay_parameters 1 17920/17920 -1/-1 600/17920

And I know my network has not been upgraded in any other way, like bandwidth increase, etc.

Thanks
K
[squid-users] Re: what library is libz.so ?
Dear Henrik,

I did install the zlib package into my server. However, when I run Webalizer, I always faced the same error message.

$./webalizer
ld.so.1: ./webalizer: fatal: libz.so: open failed: No such file or directory
Killed

Actually, during making the package, that file seems not to be found. Why?

Anyway, do you know which analysis tool is the best for Squid?

Li Wei
^-^ HAVE A GOOD DAY ^-^
JFTT
E-mail: [EMAIL PROTECTED]
[squid-users] Squid Help
Hello All,

Can anyone help me out w.r.t. Squid? My job is to insert a Resize Module inside Squid. This resize module will catch the data coming from the internet, change the values of all the HTML tags present in it, and send the resized data back to Squid. The main objective is to display the browser in the PDA w.r.t. its resolution.

Now, I have inserted my module. Since I will not know in advance the number of bytes of data coming from the net (i.e., it's a stream of bytes), I will be using a very big amount of buffers; some are static, some are dynamic. After inserting this module into Squid, I have a lot of memory problems. My module is being inserted in the comm.c file inside the function

void comm_write(int fd, const char *buf, int size, CWCB * handler, void *handler_data, FREE * free_func)

Can anyone please let me know whether I can modify the Squid code so that resizing can be done? Also, because of the delay caused by my resizing module, a timeout in Squid is occurring.

Thanks in advance. Please anyone help me out.

Regards,
Pooja Prakash