Re: [squid-users] what's the meaning of this?
On Tue, 2 Dec 2003, sword wrote:

> Median Service Times (seconds)   5 min     60 min:
>         HTTP Requests (All):    0.58309   0.89858
>         Cache Misses:           0.61549   1.81376
>         Cache Hits:             0.0       0.00179
>         Near Hits:              0.0       1.17732
>         Not-Modified Replies:   0.00179   0.00179
>         DNS Lookups:            0.00704   0.01686
>         ICP Queries:            0.0       0.0

This gives the median service times for different aspects of the proxy operation. For example the first line says that the median service time for requests was 0.58309 seconds in the last 5 minutes or 0.89858 in the last 60 minutes.

Regards
Henrik

Re: [squid-users] cache performance
On Tue, 2 Dec 2003, Nelson Serrao wrote:

> I spoke to my ISP and found that option b) is the only one that's going to work in my case. I need help on how to use proxy-arp on the proxy server to divide your internal network in two parts without renumbering.

See your OS documentation. Each OS does it slightly differently. How to set up proxy-arp is a routing question, not a Squid question.

In Linux you assign the same IP on both interfaces and then set up routing so the server knows which IP addresses of the local network segment are on which side and then enable proxy_arp on the affected interfaces. If you like you can cheat by using a 255.255.255.255 netmask on the smallest interface, only requiring the routes for that interface.

Regards
Henrik

Re: [squid-users] only allow HTTP and HTTPS protocol using pattern matching???
On Mon, 1 Dec 2003, Siew Wing Loon wrote:

> How can I only allow HTTP and HTTPS protocol using pattern matching in squid?

    acl HTTP proto HTTP
    http_access deny !HTTP !CONNECT

but from the rest of your question this is most likely not what you want.

> This is because if users point the proxy setting to the squid server and they are able to connect to MSN.

What do you get in access.log when they do? Most likely the traffic is tunneled over HTTP.

Regards
Henrik

Re: [squid-users] squid is not functioning properly
On Tue, 2 Dec 2003, Firas Mubarak wrote:

> start msn messenger or yahoo messenger or having any voice or video chats.

Last time I looked these are not HTTP applications and can not use a HTTP proxy.

> some of web sites are not opening such as www.hotmail.com.

for this problem have you tried what is said in the Squid FAQ about running Squid on Linux?

Regards
Henrik

Re: [squid-users] anonymize_headers headers description
On Tue, 2 Dec 2003, Mueller Tomas wrote:

> I'm unsuccessfully trying to search a description of specific headers in the tag anonymize_headers, for example Allow, Location, Host or Connection. Pls, does anybody know some URL with a complete list of these headers and mainly with their description?

The HTTP specification RFC 2616 is a good source. See http://www.w3.org/

Regards
Henrik

Re: [squid-users] Best conf for dial-up
On Monday 01 December 2003 05:18 pm, Fajar Priyanto wrote:

> On Monday 01 December 2003 04:50 pm, Henrik Nordstrom wrote:
>> Try half_closed_clients off.
>
> Thanks Henrik, I've done that and let's see the result tomorrow when the users are back online.

Henrik, looks like half_closed_clients off option gives a positive result, squid hasn't hung all day today. There was a moment when I thought it hung, but it resumed all by itself about 20 seconds later.

Any idea why half_closed_clients affects dial-up connection? Thanks, you've been very kind.

--
Fajar
http://linux.arinet.org
Linux mdk91.sistek.kom 2.4.21-0.13mdk GNU/Linux
15:38:01 up 7:54, 10 users, load average: 0.70, 0.30, 0.16
Quote of the day: Welcome to Hell! Here's your copy of Windows 98!

Re: [squid-users] Best conf for dial-up
On Tue, 2 Dec 2003, Fajar Priyanto wrote:

> Henrik, looks like half_closed_clients off option gives a positive result, squid hasn't hung all day today. There was a moment when I thought it hung, but it resumed all by itself about 20 seconds later. Any idea why half_closed_clients affects dial-up connection?

It doesn't actually, but it considerably speeds up error recovery by allowing Squid to terminate the request if it looks like the client aborted the session. In dial-up conditions there are many more error causes than in a fixed connection so the likelihood that there are connectivity problems to the Internet is much higher, and without disabling half_closed_clients there is a high likelihood for a lot of stuck connections to build up.

Regards
Henrik

Re: [squid-users] diskd - option
Hello Henrik,

Thanks for the reply. I've seen Releasenotes. As i said in prev mail, samba version is 2.2.6. But i came to know that winbind helpers updated to match Samba-2.2.7a and should work with Samba-2.2.6 or later (required).

So my pbl is runtime pbl or build pbl? i mean will it (wb_auth or wb_group) run by changing samba version (it is built where the machine has samba-2.2.3a.) or i need to rebuild squid after having samba 2.2.6 version.

plz help me.

Regs,
-Sadha

--- Henrik Nordstrom [EMAIL PROTECTED] wrote:

> On Mon, 1 Dec 2003, shadha nker wrote:
>
>> ***my samba version is 2.2.3a and 2.2.5. I've one dbt then how with this version, squid2.5STABLE1, wb_auth and wb_group works, but in squid2.5STABLE4 WON't.
>
> See the Squid release notes.
>
> Regards
> Henrik

Re: [squid-users] diskd - option
On Tue, 2 Dec 2003, shadha nker wrote:

> Thanks for the reply. I've seen Releasenotes. As i said in prev mail, samba version is 2.2.6. But i came to know that winbind helpers updated to match Samba-2.2.7a and should work with Samba-2.2.6 or later (required). So my pbl is runtime pbl or build pbl?

A build problem.

> i mean will it (wb_auth or wb_group) run by changing samba version (it is built where the machine has samba-2.2.3a.) or i need to rebuild squid after having samba 2.2.6 version.

You either need to change Samba version or rebuild the helpers to use your older Samba version according to the instructions in the release notes.

Regards
Henrik

Re: [squid-users] diskd - option
Hello Henrik,

Thanks for your response. So one solution is I can change samba version = 2.2.6 to run this itself and no need to rebuild for newer samba.

Thanks. If anything wrong in my above statement, plz reply.

Regs,
-Sadha

--- Henrik Nordstrom [EMAIL PROTECTED] wrote:

> On Tue, 2 Dec 2003, shadha nker wrote:
>
>> Thanks for the reply. I've seen Releasenotes. As i said in prev mail, samba version is 2.2.6. But i came to know that winbind helpers updated to match Samba-2.2.7a and should work with Samba-2.2.6 or later (required). So my pbl is runtime pbl or build pbl?
>
> A build problem.
>
>> i mean will it (wb_auth or wb_group) run by changing samba version (it is built where the machine has samba-2.2.3a.) or i need to rebuild squid after having samba 2.2.6 version.
>
> You either need to change Samba version or rebuild the helpers to use your older Samba version according to the instructions in the release notes.
>
> Regards
> Henrik

[squid-users] ldap on freeBSD
Henrik,

No matter what I do I can't install ldap helpers on FreeBSD5.0. It always bombs out on the lber.h and ldap.h

I have 2 installations running already on solaris 5.9, however, I haven't succeeded on FreeBSD. I have installed openldap-2.0.27 (the same as on solaris) with ldap v2.0 and the lber.h and ldap.h installed in /usr/include

You have mentioned in one of mails that running make from the squid root directory to build support functions. That bombed out with the same error.

On the solaris boxes I have the lber.h and ldap.h in /usr/include as well as /usr/local/include, however, the /usr/include are being used. When I tried to install the openldap headers in /usr/include it still did not work.

Don't get me wrong, I'm well chuffed with the authentication, however, it's still bugging me why I can't run it on FreeBSD. I even tried to edit the Makefile in the helpers, no success.

Thanks
tomas
--
tp

[squid-users] Oracle Portal
Hi

We have a client who is using Oracle Portal behind a Squid proxy. They are having a problem whereby documents published via the portal appear to be cached by the proxy, that is, if an existing document is updated then the new version is often not seen by users who access the portal via the proxy - they continue to see the old version. Users who bypass the proxy always see the updated document.

The steps taken to try and sort the problem are:
- disable caching on the PC ('always refresh' in the browser)
- disable caching in the portal
- configure the proxy so that it proxies but no longer caches any data (the client's words - I know little about proxies)

Has anyone any experiences similar to this which they could share with me?

Thanks very much
Manfred

RE: [squid-users] Oracle Portal
> Hi
>
> We have a client who is using Oracle Portal behind a Squid proxy. They are having a problem whereby documents published via the portal appear to be cached by the proxy, that is, if an existing document is updated then the new version is often not seen by users who access the portal via the proxy - they continue to see the old version. Users who bypass the proxy always see the updated document.
>
> The steps taken to try and sort the problem are:
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal

(?)

> - configure the proxy so that it proxies but no longer caches any data (the client's words - I know little about proxies)
>
> Has anyone any experiences similar to this which they could share with me?

It is the responsibility of the remote webserver (+portal) to provide correct freshness info, for the discussed items (docs). If it doesn't when docs are updated then one could state that the remote webserver and portal architecture is defunct.

Anyway you also have the possibility of limiting a no cache setting in squid.conf for a particular site/server (see squid.conf). You don't need to disable complete caching in squid.

M.

RE: [squid-users] Oracle Portal
Thanks for that.

I think the client has just disabled caching for the relevant server. I would agree that in an ideal setup, the webserver should be responsible for maintaining 'freshness'. I suspect that there is a configuration gotcha with Portal and Squid which is causing this problem, I am hoping someone else has hit this.

Manfred

-----Original Message-----
From: Elsen Marc [mailto:[EMAIL PROTECTED]
Sent: 02 December 2003 12:37
To: Manfred Milhofer; [EMAIL PROTECTED]
Subject: RE: [squid-users] Oracle Portal

> Hi
>
> We have a client who is using Oracle Portal behind a Squid proxy. They are having a problem whereby documents published via the portal appear to be cached by the proxy, that is, if an existing document is updated then the new version is often not seen by users who access the portal via the proxy - they continue to see the old version. Users who bypass the proxy always see the updated document.
>
> The steps taken to try and sort the problem are:
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal

(?)

> - configure the proxy so that it proxies but no longer caches any data (the client's words - I know little about proxies)
>
> Has anyone any experiences similar to this which they could share with me?

It is the responsibility of the remote webserver (+portal) to provide correct freshness info, for the discussed items (docs). If it doesn't when docs are updated then one could state that the remote webserver and portal architecture is defunct.

Anyway you also have the possibility of limiting a no cache setting in squid.conf for a particular site/server (see squid.conf). You don't need to disable complete caching in squid.

M.

RE: [squid-users] Oracle Portal
> I think the client has just disabled caching for the relevant server. I would agree that in an ideal setup, the webserver should be responsible for maintaining 'freshness'. I suspect that there is a configuration gotcha with Portal and Squid which is causing this problem, I am hoping someone else has hit this.

Ok, but basically squid doesn't know anything about or even knows what a Portal is: it only looks at http headers for each acquired object for making relevant caching decisions.

These can also be verified with, for instance: http://www.ircache.net/cgi-bin/cacheability.py

M.

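How a shared cache can judge freshness from response headers alone, as described in the message above, following the RFC 2616 section 13.2 rules. This is an added example, not code from the thread or from Squid; the function names, the 10% heuristic fraction and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def http_date(value):
    """Parse an HTTP date; None if missing or malformed (e.g. 'Expires: 0')."""
    if not value:
        return None
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}."""
    out = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out


def seconds(cc, name):
    """Return a delta-seconds directive as int, or None if absent/invalid."""
    v = cc.get(name)
    return int(v) if v and v.isdigit() else None


def shared_cache_verdict(headers, now, heuristic_fraction=0.1):
    """Return (verdict, freshness_lifetime_seconds, basis) for a stored reply.

    'fresh' means the cache may answer without contacting the origin;
    'stale' and 'revalidate' mean it must check with the origin first.
    Simplified: age is now - Date (the Age header is ignored).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = cache_control(h.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return ("not-stored", 0, "cache-control")
    if "no-cache" in cc:
        return ("revalidate", 0, "cache-control")

    date = http_date(h.get("date")) or now
    age = (now - date).total_seconds()

    if seconds(cc, "s-maxage") is not None:
        lifetime, basis = seconds(cc, "s-maxage"), "s-maxage"
    elif seconds(cc, "max-age") is not None:
        lifetime, basis = seconds(cc, "max-age"), "max-age"
    elif "expires" in h:
        expires = http_date(h["expires"])
        # An unparseable Expires value is treated as already expired.
        lifetime = (expires - date).total_seconds() if expires else 0
        basis = "expires"
    elif http_date(h.get("last-modified")):
        # No explicit expiry: a fraction of the time since last modification.
        # RFC 2616 suggests 10% as typical; caches make this configurable.
        unchanged = (date - http_date(h["last-modified"])).total_seconds()
        lifetime, basis = heuristic_fraction * max(unchanged, 0), "heuristic"
    else:
        lifetime, basis = 0, "none"

    return ("fresh" if age < lifetime else "stale", int(lifetime), basis)


# Constructed sample: a document fetched one day ago that had been unchanged
# for 30 days at fetch time and carries no explicit expiry information.
NOW = datetime(2003, 12, 2, 12, 0, 0, tzinfo=timezone.utc)
PORTAL_DOC = {
    "Date": format_datetime(NOW - timedelta(days=1), usegmt=True),
    "Last-Modified": format_datetime(NOW - timedelta(days=31), usegmt=True),
}

if __name__ == "__main__":
    print(shared_cache_verdict(PORTAL_DOC, NOW))
    print(shared_cache_verdict({**PORTAL_DOC, "Cache-Control": "max-age=0"}, NOW))
```

With only Last-Modified present the constructed document stays fresh for three days, so an update published in that period is not seen through the cache; an explicit max-age=0 or no-cache from the origin forces a check on every request.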
Re: [squid-users] ldap on freeBSD
On Tue, 2 Dec 2003, Tomas Palfi wrote:

> No matter what I do I can't install ldap helpers on FreeBSD5.0. It always bombs out on the lber.h and ldap.h

So what exact error do you receive?

And are the files really in /usr/include? As yourself run cat /usr/include/ldap.h and cat /usr/include/lber.h and the same for the other OpenLDAP include files.. but if a file is missing the error should tell which..

Regards
Henrik

RE: [squid-users] Oracle Portal
Thanks for the info. I am setting up a test environment here and will look at the link you sent.

Manfred

-----Original Message-----
From: Elsen Marc [mailto:[EMAIL PROTECTED]
Sent: 02 December 2003 12:45
To: Manfred Milhofer; [EMAIL PROTECTED]
Subject: RE: [squid-users] Oracle Portal

> I think the client has just disabled caching for the relevant server. I would agree that in an ideal setup, the webserver should be responsible for maintaining 'freshness'. I suspect that there is a configuration gotcha with Portal and Squid which is causing this problem, I am hoping someone else has hit this.

Ok, but basically squid doesn't know anything about or even knows what a Portal is: it only looks at http headers for each acquired object for making relevant caching decisions.

These can also be verified with, for instance: http://www.ircache.net/cgi-bin/cacheability.py

M.

[squid-users] squid Version in ERROR Page
Hi,

I want to remove the default signature from squid completely from the ERROR pages. I always get at the End:

    Generated Tue, 02 Dec 2003 13:21:20 GMT by gate (squid/2.5.STABLE4)

I don't understand why this is implemented so stupid: If I use %s or %S in my custom error pages i can customize them, if I don't use %s or %S I get the default signature, but how can I completely remove it ! :-(

Help :-)

Heiko Wüst
Technical Consultant
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72/48 61-118
Fax: +49(0) 61 72/48 61-718
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

Re: [squid-users] Oracle Portal
On Tue, 2 Dec 2003, Manfred Milhofer wrote:

> Hi
>
> We have a client who is using Oracle Portal behind a Squid proxy. They are having a problem whereby documents published via the portal appear to be cached by the proxy, that is, if an existing document is updated then the new version is often not seen by users who access the portal via the proxy - they continue to see the old version. Users who bypass the proxy always see the updated document.
>
> The steps taken to try and sort the problem are:
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal
> - configure the proxy so that it proxies but no longer caches any data (the client's words - I know little about proxies)
>
> Has anyone any experiences similar to this which they could share with me?

I would recommend you to read the Caching Tutorial for web masters document url:http://www.mnot.net/cache_docs/. This document explains in detail how the whole picture pulls together and what should be done to applications/servers to work properly in presence of caches. It also explains many of the common errors which are often done, allowing you to not repeat the same stupid mistakes.

This document should be mandatory reading for anyone who designs a web system for publishing content.

Regards
Henrik

Re: [squid-users] squid Version in ERROR Page
> I want to remove the default signature from squid completely from the ERROR pages.

You can't remove it completely. What you can do is to hide the Squid version in a comment. See the Squid FAQ on writing custom error messages.

Regards
Henrik

Re: [squid-users] squid_ldap_group with 2 levels of group
On Tue, 2 Dec 2003 [EMAIL PROTECTED] wrote:

> I'd like to create group in a LDAP directory, and these groups would contain some other groups would should contain users. And of course, I'd like to match this ugly thing using squid_ldap_group.

Now you make me slightly confused.. are these groups members of the bigger group, or is the bigger group a OU the other groups are located under?

The OU case is trivial.

The recursive group membership case of groups being members of groups is not, and such group design will be very slow and complex to look up via LDAP. I would seriously recommend making the users direct members of the group.

Regards
Henrik

RE: [squid-users] Wb_group error message in cache.log
DOES ANYBODY HAVE AN IDEA ABOUT THIS???

-----Original Message-----
From: Mark Pelkoski
Sent: Wednesday, November 26, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Wb_group error message in cache.log

List,

I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.

    (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.

TIA.
-Mark

RE: [squid-users] Oracle Portal
Thanks Henrik

I will have a look

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 02 December 2003 14:01
To: Manfred Milhofer
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Oracle Portal

On Tue, 2 Dec 2003, Manfred Milhofer wrote:

> Hi
>
> We have a client who is using Oracle Portal behind a Squid proxy. They are having a problem whereby documents published via the portal appear to be cached by the proxy, that is, if an existing document is updated then the new version is often not seen by users who access the portal via the proxy - they continue to see the old version. Users who bypass the proxy always see the updated document.
>
> The steps taken to try and sort the problem are:
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal
> - configure the proxy so that it proxies but no longer caches any data (the client's words - I know little about proxies)
>
> Has anyone any experiences similar to this which they could share with me?

I would recommend you to read the Caching Tutorial for web masters document url:http://www.mnot.net/cache_docs/. This document explains in detail how the whole picture pulls together and what should be done to applications/servers to work properly in presence of caches. It also explains many of the common errors which are often done, allowing you to not repeat the same stupid mistakes.

This document should be mandatory reading for anyone who designs a web system for publishing content.

Regards
Henrik

[squid-users] Disk hit ratio question
i am getting very low Request Disk Hit Ratios: 5 min 0.3% as compared to other proxies in cache farm which are getting around 34 % disk ratio. cache manager.

is this normal ?

we are not using cache peer relationship between cache farm. is this recommended feature when used cache farm . ??

Thanks and Regards
uw

    Connection information for squid:
        Number of clients accessing cache: 3188
        Number of HTTP requests received: 1536134
        Number of ICP messages received: 0
        Number of ICP messages sent: 0
        Number of queued ICP replies: 0
        Request failure ratio: 0.00
        Average HTTP requests per minute since start: 3948.7
        Average ICP messages per minute since start: 0.0
        Select loop called: 5003017 times, 4.665 ms avg
    Cache information for squid:
        Request Hit Ratios: 5min: 56.1%, 60min: 58.8%
        Byte Hit Ratios: 5min: 27.9%, 60min: 29.0%
        Request Memory Hit Ratios: 5min: 17.0%, 60min: 20.4%
        Request Disk Hit Ratios: 5min: 0.2%, 60min: 0.2%
        Storage Swap size: 13210884 KB
        Storage Mem size: 32644 KB
        Mean Object Size: 13.80 KB
        Requests given to unlinkd: 0

Re: [squid-users] Redirect_program not working
No other ideas. For redirectors it is only the redirect_program and redirector_access directives which are relevant.

Well, there is the obvious question of course: Did the traffic reach the proxy at all? I.e. are the requests logged in access.log?

Regards
Henrik

On Tue, 2 Dec 2003, Cyril COUPEL wrote:

> Thanks, I am using the default RedHat Squid config file. The redirector_access directive is not set. I tried to set it to redirector_access allow all, with all is acl all src 0.0.0.0/0.0.0.0
>
> This does not solve my problem. An other idea?
>
> On Tue 02/12/2003 at 15:51, Henrik Nordstrom wrote:
>
>> Maybe you have denied the use of the redirect_program via the redirector_access directive?
>>
>> On Tue, 2 Dec 2003, Cyril COUPEL wrote:
>>
>>> All seems to work like squid don't redirect queries to redirect_program.

RE: [squid-users] Wb_group error message in cache.log
Not really..

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
>
> -----Original Message-----
> From: Mark Pelkoski
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
>
> List,
>
> I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.
>
>     (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.
>
> TIA.
> -Mark

Re: [squid-users] Disk hit ratio question
On Tue, 2 Dec 2003, unixware wrote:

> i am getting very low Request Disk Hit Ratios: 5 min 0.3% as compared to other proxies in cache farm which are getting around 34 % disk ratio. cache manager. is this normal ?

It is not normal that one proxy in a farm has significantly different hit ratios if all members of the farm have approximately similar traffic.

> is this recommended feature when used cache farm . ??

Depends on the setup and how requests are distributed among the farm members.

Regards
Henrik

Re: [squid-users] authentication problem and Server redirected too many times (20) error message
I did that already. It gives ERR on wrong username/password pairs and OK on the correct one.

Henrik Nordstrom wrote:

> On Mon, 1 Dec 2003, Rami Jaamour wrote:
>
>> I do configure Mozilla to use the proxy, giving it the host name and port and it worked in the past before I did the authentication, but when Squid is configured to require authentication, then the browser (both mozilla and IE) keep prompting for username and password. Is my squid.conf correct to do the proxy authentication?
>
> Then most likely there is a configuration error.
>
> First test is if the password file is correctly created. Start the auth_param basic program command manually and then type a username password pair as input.
>
> Regards
> Henrik

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP Development
ParaSoft Corporation http://www.parasoft.com
(626) 256-3680 ext. 1217

[squid-users] authentication issues using winbind and ntlm
Hi all,

I don't know if this has already been answered but I was unable to find anything about it. I've setup squid-2.5.STABLE4 with Samba 3.0.0 using winbind for authentication. Everything works fine, except, every page accessed first enters 2 TCP_DENIED entries in the access log. I wanted to know if there is a way around this as when I add back in the following acl

    acl test url_regex /etc/blacklist

and deny access to it, I can not get the username recorded in the access log. Below is an entry from the access.log from opening yahoo.com.

    1070384877.123 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
    1070384877.152 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
    1070384877.456303 192.168.12.50 TCP_MISS/200 13360 GET http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
    1070384878.276 7 192.168.12.50 TCP_DENIED/407 2094 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
    1070384878.288 8 192.168.12.50 TCP_DENIED/407 2098 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
    1070384878.312187 192.168.12.50 TCP_MISS/304 391 GET http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC DIRECT/216.39.69.71 -
    1070384878.446154 192.168.12.50 TCP_MISS/200 261 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 ELITEHOU\JIMC DIRECT/66.218.71.101 image/gif
    1070384879.032587 192.168.12.50 TCP_MISS/200 515 GET http://kd.barcfg.myway.com/speedbar/mySpeedbarCfg2.jsp? ELITEHOU\JIMC DIRECT/63.236.66.5 text/html

Here is the relevant section of the squid.conf file:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10 -l
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 1
    auth_param ntlm max_challenge_lifetime 20 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

I appreciate any help anyone can give me. Thanks.

Jim Crippen
Sr LAN Administrator
Elite Transportation
[EMAIL PROTECTED]

RE: [squid-users] authentication issues using winbind and ntlm
I see the same thing in my logs after getting ntlm to work about a month ago. I think is more of an issue with how squid processes its acls. I wish squid would handle its acls in the same manner as Cisco routers, which is that a packet is accepted or denied based on the first matching rule that it encounters.

-----Original Message-----
From: Jim Crippen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 02, 2003 10:18 AM
To: '[EMAIL PROTECTED]'
Subject: [squid-users] authentication issues using winbind and ntlm

Hi all,

I don't know if this has already been answered but I was unable to find anything about it. I've setup squid-2.5.STABLE4 with Samba 3.0.0 using winbind for authentication. Everything works fine, except, every page accessed first enters 2 TCP_DENIED entries in the access log. I wanted to know if there is a way around this as when I add back in the following acl

    acl test url_regex /etc/blacklist

and deny access to it, I can not get the username recorded in the access log. Below is an entry from the access.log from opening yahoo.com.

    1070384877.123 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
    1070384877.152 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
    1070384877.456303 192.168.12.50 TCP_MISS/200 13360 GET http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
    1070384878.276 7 192.168.12.50 TCP_DENIED/407 2094 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
    1070384878.288 8 192.168.12.50 TCP_DENIED/407 2098 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
    1070384878.312187 192.168.12.50 TCP_MISS/304 391 GET http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC DIRECT/216.39.69.71 -
    1070384878.446154 192.168.12.50 TCP_MISS/200 261 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149: JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 ELITEHOU\JIMC DIRECT/66.218.71.101 image/gif
    1070384879.032587 192.168.12.50 TCP_MISS/200 515 GET http://kd.barcfg.myway.com/speedbar/mySpeedbarCfg2.jsp? ELITEHOU\JIMC DIRECT/63.236.66.5 text/html

Here is the relevant section of the squid.conf file:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10 -l
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 1
    auth_param ntlm max_challenge_lifetime 20 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

I appreciate any help anyone can give me. Thanks.

Jim Crippen
Sr LAN Administrator
Elite Transportation
[EMAIL PROTECTED]

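The two TCP_DENIED/407 entries ahead of each authenticated request in the log above fit the NTLM handshake over HTTP, which takes three requests per connection (no credentials, negotiate, authenticate), the first two being answered with 407. As an added example (not from the thread or the Squid project), this Python code separates such handshake 407s from 407s that are never followed by an authenticated request; the sample lines, the 5-second window and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

HANDSHAKE_WINDOW = 5.0  # seconds; assumption, tune to your environment


def parse(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = float(entry["ts"])
    entry["status"] = int(entry["status"])
    return entry


def classify_407s(lines, window=HANDSHAKE_WINDOW):
    """Split 407 entries into (handshake, unresolved).

    A 407 counts as handshake when the same client repeats the same request
    within `window` seconds and that request is logged with a user name.
    """
    entries = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    next_auth = {}  # (client, method, url) -> (ts, user) of nearest later success
    handshake, unresolved = [], []
    for e in reversed(entries):
        key = (e["client"], e["method"], e["url"])
        if e["status"] == 407:
            hit = next_auth.get(key)
            if hit and hit[0] - e["ts"] <= window:
                handshake.append({**e, "resolved_user": hit[1]})
            else:
                unresolved.append(e)
        elif e["user"] != "-":
            next_auth[key] = (e["ts"], e["user"])
    handshake.reverse()
    unresolved.reverse()
    return handshake, unresolved


def unresolved_by_client(unresolved):
    """Count unresolved 407s per client address (candidates for follow-up:
    wrong credentials, a client that cannot do NTLM, or password guessing)."""
    return dict(Counter(e["client"] for e in unresolved))


# Constructed sample log lines (documentation addresses, not from the thread).
SAMPLE = """\
1070384877.123      9 192.0.2.50 TCP_DENIED/407 1741 GET http://www.example.com/ - NONE/- text/html
1070384877.152      9 192.0.2.50 TCP_DENIED/407 1741 GET http://www.example.com/ - NONE/- text/html
1070384877.456    303 192.0.2.50 TCP_MISS/200 13360 GET http://www.example.com/ EXAMPLE\\alice DIRECT/198.51.100.93 text/html
1070384880.010      7 192.0.2.77 TCP_DENIED/407 1741 GET http://www.example.com/a - NONE/- text/html
1070384880.500      8 192.0.2.77 TCP_DENIED/407 1741 GET http://www.example.com/a - NONE/- text/html
1070384881.000      8 192.0.2.77 TCP_DENIED/407 1741 GET http://www.example.com/a - NONE/- text/html
"""

if __name__ == "__main__":
    ok, bad = classify_407s(SAMPLE.splitlines())
    print(len(ok), "handshake 407s;", unresolved_by_client(bad))
```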
[squid-users] How to make squid serve cached pages even if Internet connection is unavailable?
Hi all,

I've done some google trawling on this and it appears that the current Squid 2.x release doesn't seem to support 'offline' browsing via the cache as well as older versions did. Many sites mention a patch which allows a value to be set in the squid.conf file which determines how Squid behaves if a monitored network connection is unavailable.

If at all possible I'd really rather stick to the official squid release. If I do this, can I achieve the ability to let users browse cached content even if the origin server for this content is down? If so can anyone point me in the right direction of where to look?

Thanks for any advice,

Regards,
nry

RE: [squid-users] Wb_group error message in cache.log
Nothing in the smbd.log file. This message shows up randomly giving no notice to any particular user. Just curious if this is any issue or not.

-Mark

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 02, 2003 9:22 AM
To: Mark Pelkoski
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Wb_group error message in cache.log

Not really..

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
>
> -----Original Message-----
> From: Mark Pelkoski
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
>
> List,
>
> I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.
>
>     (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.
>
> TIA.
> -Mark

[squid-users] Parent-sibling structure with squidGuard in the parent
Hi,

we had a squid cache running on a RedHat box, for our entire organization in a central location with squidGuard filtering contents in this box. Now we have implemented 3 Windows boxes in regional offices and have set up squid in these boxes like siblings of central squid. These three machines haven't access to Internet, so they request all cache fails from the central one. The cache_peer line in squid.conf is:

cache_peer parentSquid parent 80 3130 no-query no-digest no-netdb-exchange

We want to make content filtering only in the central squid because there isn't a squidGuard port to Windows. Is it possible to do that?

Regards,

José Gerez
Departamento de Sistemas de TRAGSATEC
e-mail: [EMAIL PROTECTED]
Tlf.: +34 1 3963507
Fax: + 34 1 3963410
Re: [squid-users] authentication problem and Server redirected too many times (20) error message
Did you run this test as the cache_effective_user or as root? If as root, make sure to run the test as your cache_effective_user.

Regards Henrik

On Tue, 2 Dec 2003, Rami Jaamour wrote:

> I did that already. It gives ERR on wrong username/password pairs and OK on the correct one.
>
> Henrik Nordstrom wrote:
>
>> On Mon, 1 Dec 2003, Rami Jaamour wrote:
>>
>>> I do configure Mozilla to use the proxy, giving it the host name and port and it worked in the past before I did the authentication, but when Squid is configured to require authentication, then the browser (both mozilla and IE) keep prompting for username and password. Is my squid.conf correct to do the proxy authentication?
>>
>> Then most likely there is a configuration error. First test is if the password file is correctly created. Start the auth_param basic program command manually and then type a username password pair as input.
>>
>> Regards Henrik
RE: [squid-users] Wb_group error message in cache.log
On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> Nothing in the smbd.log file.

winbind is logging to the log.winbindd log file, not smbd.log.

> This message shows up randomly giving no notice to any particular user. Just curious if this is any issue or not.

If you do not have any complaints from users it most likely is not an issue..

Regards Henrik
Re: [squid-users] authentication issues using winbind and ntlm
On Tue, 2 Dec 2003, Jim Crippen wrote:

> I don't know if this has already been answered but I was unable to find anything about it. I've setup squid-2.5.STABLE4 with Samba 3.0.0 using winbind for authentication. Everything works fine, except, every page accessed first enters 2 TCP_DENIED entries in the access log.

This is due to how NTLM authentication works. On each new client connection there are first two denied requests while NTLM tries to negotiate the authentication.

We could add filters to squid not logging these, but then we risk both logging interesting details in case of problems and allowing hackers to probe the proxy without getting noticed.

> I wanted to know if there is a way around this as when I add back in the following acl
>
> acl test url_regex /etc/blacklist
>
> and deny access to it, I can not get the username recorded in the access log.

You can if you blacklist after requiring authentication..

The two questions are not related.

Regards Henrik
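The reply above explains why the 407 entries should stay in the log: a normal NTLM handshake shows two denials followed by an authenticated request, while a client that only ever collects denials stands out. The following is an added example, not code from the thread or from Squid, that flags such clients; the function names, the 5-second window, the threshold of 3 and the 192.168.12.77 log lines are assumptions made for illustration.

```python
from collections import defaultdict

# Sample in Squid's native access.log format. The 192.168.12.50 lines follow
# the excerpt posted in the thread; the 192.168.12.77 lines are constructed.
SAMPLE_LOG = r"""
1070384877.123      9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.152      9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.456    303 192.168.12.50 TCP_MISS/200 13360 GET http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
1070384878.312    187 192.168.12.50 TCP_MISS/304 391 GET http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC DIRECT/216.39.69.71 -
1070384880.010      5 192.168.12.77 TCP_DENIED/407 1741 GET http://example.com/ - NONE/- text/html
1070384881.020      5 192.168.12.77 TCP_DENIED/407 1741 GET http://example.com/a - NONE/- text/html
1070384882.030      5 192.168.12.77 TCP_DENIED/407 1741 GET http://example.com/b - NONE/- text/html
1070384883.040      5 192.168.12.77 TCP_DENIED/407 1741 GET http://example.com/c - NONE/- text/html
"""

def parse(line):
    """Return (timestamp, client, http_status, user), or None if not a log line."""
    f = line.split()
    if len(f) != 10:              # assumes URLs without embedded whitespace
        return None
    try:
        return float(f[0]), f[2], int(f[3].partition("/")[2]), f[7]
    except ValueError:
        return None

def unanswered_407s(lines, window=5.0, threshold=3):
    """Map client -> number of 407 challenges that were never followed,
    within `window` seconds, by an authenticated request from that client."""
    pending = defaultdict(list)   # client -> timestamps of open challenges
    orphaned = defaultdict(int)   # client -> challenges that timed out
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, status, user = rec
        # Challenges older than the window count as unanswered.
        fresh = [t for t in pending[client] if ts - t <= window]
        orphaned[client] += len(pending[client]) - len(fresh)
        pending[client] = fresh
        if status == 407:
            pending[client].append(ts)
        elif user != "-":
            pending[client] = []  # handshake completed, challenges answered
    # Batch run: challenges still open at the end of the log are unanswered.
    for client, open_challenges in pending.items():
        orphaned[client] += len(open_challenges)
    return {c: n for c, n in orphaned.items() if n >= threshold}

if __name__ == "__main__":
    print(unanswered_407s(SAMPLE_LOG.splitlines()))
```

On a live log the last few challenges may simply not have been answered yet, so recent entries deserve a second look before acting on them.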
Re: [squid-users] Parent-sibling structure with squidGuard in the parent
On Tue, 2 Dec 2003, José Gerez Morata wrote:

> Now we have implemented 3 Windows boxes in regional offices and have set up squid in these boxes like siblings of central squid. These three machines haven't access to Internet, so they request all cache fails from the central one.

See the Squid FAQ on how to use Squid within a firewall when doing this..

> We want to make content filtering only in the central squid because there isn't a squidGuard port to Windows. Is it possible to do that?

It is how it works in the setup you have described.

Regards Henrik
Re: [squid-users] How to make squid serve cached pages even if Internet connection is unavailable?
On Tue, 2 Dec 2003, Chris Wilcox wrote:

> I've done some google trawling on this and it appears that the current Squid 2.x release doesn't seem to support 'offline' browsing via the cache as well as older versions did. Many sites mention a patch which allows a value to be set in the squid.conf file which determines how Squid behaves if a monitored network connection is unavailable.

There is the offline_mode directive, and this can be toggled on/off via cachemgr.

> If at all possible I'd really rather stick to the official squid release. If I do this, can I achieve the ability to let users browse cached content even if the origin server for this content is down?

Yes, but the chances are very high that the content the users are looking for is not cached as most index pages these days are dynamically generated and not cachable. Caching still works great for images, attachments and other static content.

Regards Henrik
[squid-users] Windows Update Problem
Greetings All,

We have experienced an interesting problem with Windows Update. Essentially, the service fails when the client (W2K / IE6) uses the proxy server and succeeds when it bypasses the proxy. After you click Scan for Updates the web server replies with something like (sorry I don't have the exact error in front of me) an unknown error has occurred. The access.log and cache.log don't show anything out of the ordinary (access.log excerpt is below). I have gotten around the problem temporarily by including:

acl windowsupdate dstdomain .windowsupdate.microsoft.com
no_cache deny windowsupdate

in squid.conf

The mailing list archives have some similar problems that point to cache_dir being too small (running out of cache space) but I don't believe that is my problem:

cache_dir aufs /usr/local/squid/cache0 48000 16 256
cache_dir aufs /usr/local/squid/cache1 48000 16 256

#df -h|grep cache
/dev/sdb1 67G 37G 27G 58% /usr/local/squid/cache0
/dev/sdc1 67G 37G 27G 58% /usr/local/squid/cache1

#./squid -v
Squid Cache: Version 2.5.STABLE1-20030102
configure options: --enable-storeio=ufs,aufs,diskd --enable-snmp

Any suggestions would be most welcome.
Thanks,
Grant

- access.log excerpt:

Tue Dec 2 15:30:36 2003 30 10.10.14.113 TCP_MEM_HIT/200 3592 GET http://windowsupdate.microsoft.com/ - NONE/- text/html
Tue Dec 2 15:30:36 2003 32 10.10.14.113 TCP_MEM_HIT/200 2391 GET http://windowsupdate.microsoft.com/redirect.js - NONE/- application/x-javascript
Tue Dec 2 15:30:36 2003 102 10.10.14.113 TCP_MISS/302 428 GET http://v4.windowsupdate.microsoft.com/default.asp - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:36 2003 174 10.10.14.113 TCP_MISS/200 8383 GET http://v4.windowsupdate.microsoft.com/en/default.asp - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:36 2003 35 10.10.14.113 TCP_MEM_HIT/200 3854 GET http://v4.windowsupdate.microsoft.com/shared/js/Redirect.js - NONE/- application/x-javascript
Tue Dec 2 15:30:36 2003 129 10.10.14.113 TCP_HIT/200 22132 GET http://v4.windowsupdate.microsoft.com/shared/js/top.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 520 GET http://v4.windowsupdate.microsoft.com/shared/js/top.vbs - NONE/- text/vbscript
Tue Dec 2 15:30:37 2003 106 10.10.14.113 TCP_MISS/200 1173 GET http://v4.windowsupdate.microsoft.com/shared/js/survey.js? - DIRECT/65.54.249.61 application/x-javascript
Tue Dec 2 15:30:37 2003 136 10.10.14.113 TCP_MISS/200 1496 GET http://v4.windowsupdate.microsoft.com/en/footer.asp - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:37 2003 188 10.10.14.113 TCP_MISS/200 7109 GET http://v4.windowsupdate.microsoft.com/en/toc.asp? - DIRECT/65.54.249.61 text/html
Tue Dec 2 15:30:37 2003 245 10.10.14.113 TCP_MISS/200 4351 GET http://v4.windowsupdate.microsoft.com/en/mstoolbar.asp? - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:37 2003 178 10.10.14.113 TCP_MISS/200 1872 GET http://v4.windowsupdate.microsoft.com/en/splash.asp? - DIRECT/207.46.244.222 text/html
Tue Dec 2 15:30:37 2003 71 10.10.14.113 TCP_MEM_HIT/200 558 GET http://v4.windowsupdate.microsoft.com/shared/css/footer.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 70 10.10.14.113 TCP_HIT/200 2656 GET http://v4.windowsupdate.microsoft.com/shared/js/mstoolbar.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 105 10.10.14.113 TCP_HIT/200 9547 GET http://v4.windowsupdate.microsoft.com/shared/js/toc.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 113 10.10.14.113 TCP_HIT/200 12615 GET http://v4.windowsupdate.microsoft.com/shared/js/content.js - NONE/- application/x-javascript
Tue Dec 2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 448 GET http://v4.windowsupdate.microsoft.com/shared/images/toc_endnode.gif - NONE/- image/gif
Tue Dec 2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 1578 GET http://v4.windowsupdate.microsoft.com/shared/css/hcp.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 139 10.10.14.113 TCP_HIT/200 1573 GET http://v4.windowsupdate.microsoft.com/shared/css/toc.css - NONE/- text/css
Tue Dec 2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 5463 GET http://v4.windowsupdate.microsoft.com/shared/css/content.css - NONE/- text/css
Tue Dec 2 15:30:38 2003 200 10.10.14.113 TCP_HIT/200 2054 GET http://v4.windowsupdate.microsoft.com/shared/css/mstoolbar.css - NONE/- text/css
Tue Dec 2 15:30:38 2003 166 10.10.14.113 TCP_HIT/200 449 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_curve.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 168 10.10.14.113 TCP_HIT/200 6059 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_icp.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 82 10.10.14.113 TCP_HIT/200 874 GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_ms.gif - NONE/- image/gif
Tue Dec 2 15:30:38 2003 192 10.10.14.113 TCP_MISS/200
Re: [squid-users] authentication problem and Server redirected too many times (20) error message
I ran this test again as 'rjaamour' the cache effective user (as you can notice from my conf file) and it still succeeds on correct username/password pairs.

Thank you for your help.

Rami

Henrik Nordstrom wrote:

> Did you run this test as the cache_effective_user or as root? If as root, make sure to run the test as your cache_effective_user.
>
> Regards Henrik
>
> On Tue, 2 Dec 2003, Rami Jaamour wrote:
>
>> I did that already. It gives ERR on wrong username/password pairs and OK on the correct one.
>>
>> Henrik Nordstrom wrote:
>>
>>> On Mon, 1 Dec 2003, Rami Jaamour wrote:
>>>
>>>> I do configure Mozilla to use the proxy, giving it the host name and port and it worked in the past before I did the authentication, but when Squid is configured to require authentication, then the browser (both mozilla and IE) keep prompting for username and password. Is my squid.conf correct to do the proxy authentication?
>>>
>>> Then most likely there is a configuration error. First test is if the password file is correctly created. Start the auth_param basic program command manually and then type a username password pair as input.
>>>
>>> Regards Henrik

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP Development
ParaSoft Corporation http://www.parasoft.com