Re: [squid-users] why squid does not support sendfile() ?
Weibin Yao wrote: I'am using squid-2.7. I has checked the configure reference and found nothing about sendfile(). Why squid does not support sendfile()? especially the HIT request. On 26.01.10 21:26, Amos Jeffries wrote: 1) Blocking call. Squid needs to support more than one client request simutaneously. is it blocking anywhere? 2) speed. sendfile is limited linearly by disk IO speeds, blocking the entire time. does it matter for content fetched from disk? I think that sendfile is for this cases the most effective option (e.g. from disk direct to network card memory). I understand it can be an issue in 3.x where squid wants to implement own caching, but wonder if sendfile couldn't help here as you indicate. 3) HTTP protocol. The current design of Squid stores the headers and data together. They cannot be altered correctly according to protocol requirements during a sendfile() call. you can read, process and write headers and THEN call sendfile for the rest of content. The problem is with chunking which it not supported on client connections yet, iirc. 4) collapsed forwarding. multiple clients may be receiving the same identical object from Squid simultaneously, or even different parts of the same object. should not be a problem with sendfile, should it? 4) object location. not all HIT objects are from files. some may be in memory, or a range of something partially received by another client. 5) I think ;-) Yes sendfile is only applicable on content fetched from the disk. Apparently nobody implemented sendfile in squid yet and apparently nobody will do it, but I wonder if all those reasons are really that problematic... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows found: (R)emove, (E)rase, (D)elete
Re: [squid-users] transparent+manual proxy on single squid
On Wed, Jan 27, 2010 at 9:45 AM, goody goody think...@yahoo.com wrote: Pls guide me that whether can i run the single squid cache in transparent + manual mode at time or not? If yes then how? On 27.01.10 11:00, Kinkie wrote: Transparent or interception? Interception, yes. Just point the clients to it. Transparent, not sure. squid is always transparent from the HTTP point of view, unless you use *CAP. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Silvester Stallone: Father of the RISC concept.
Re: [squid-users] transparent+manual proxy on single squid
On Wed, Jan 27, 2010 at 9:45 AM, goody goody think...@yahoo.com wrote: Pls guide me that whether can i run the single squid cache in transparent + manual mode at time or not? If yes then how? On 28.01.10 00:36, goody goody wrote: From transparent i mean that user do not enter proxy settings in browser whereas in manual user have to. that can be configured by WPAD too. interception means that squid will intercept clients' connections to HTTP servers (which often causes many troubles). Many people understand this under word transparent but it's incorrect since HTTP (which we are still talking about, correct?) defines the word transparent differently. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 2B|!2B, that's a question!
Re: [squid-users] SSLBump.. could it be used for transparent proxying?
On 01/13/2010 10:30 AM, Dimitri Syuoul wrote: Ive been reading over this new feature. It is unclear to me if this can be used for transparently proxying SSL (by this I mean not configuring any proxy in the computers of the clients.. it is ok if clients get cert warnings). Yes, SSL Bump can be used in a transparent environment. Due to a large number of certificate warnings, complex sites that use multiple secure servers on one page are barely usable without dynamic SSL certificate generation though. On 27.01.10 11:02, Shawn Wright wrote: Can you explain this part please? We currently have a production squid 2.6-20 server in non-transparent mode with AD authentication, to proxy http and https traffic for 600 users. As part of our migration to wireless, we are investigating going to an entirely transparent proxy, using WCCP2 on a Cisco C6500 to redirect traffic. I realize we will lose authentication, but instead plan to use ACLs based on source VLAN, and rely on DHCP/radius logs to track specific requests to user auth where necessary (not often). Our current server sees ~120 req/s with 600 users and a 1Gbps link (although usage is typically only 30Mbps sustained). Will SSL Bump and dynamic cert generation allow us to replace our current proxy with fully transparent on squid 3.1? Does the cert generation result in a performance hit? If you want to proxy HTTPS, you must note that you will break your users' privacy. They may want to kill and/or sue you for that. You will have to decrypt/encrypt their connections instead of remote servers (ordinary https proxying uses tunnelling using CONNECT request). You must provide certificate(s) for the remote server(s) which you must generate (and sign by the authority clients will trust) when needed. You can't know the private key of remote servers, that's why you must generate all the stuff. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: Let God Debug It!.
Re: [squid-users] squid help: https, ftp problem
On 29.01.10 17:40, David C. Heitmann wrote: i have problems with connection to https and ftp sites with squid :( How does the problem look like? Are you trying to use squid as transparent proxy for https and FTP? my squid.conf file is in attachement. quite useless without description of the problem. Maybe even with the description. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (R)etry, (A)bort, (C)ancer
Re: [squid-users] Squid complaining of not able to find libssl.so.
On 30.01.10 11:51, Rajesh Nair wrote: I am facing this wierd in starting squid I have the squid compiled with ssl enabled Os/distribution ? The compilation all works fine but when I execute the squid it complains of not able to find the libssl.so.0.9.8. This is despite the fact that the mentioned library is there on the system with the dir properly appended to LD_LIBRARY_PATH I don't think using this variable is a good idea... $ echo $LD_LIBRARY_PATH /lib:/lib64:/usr/lib:/usr/lib64:/usr/local/lib:/usr/local/ssl/lib I'd prefer /lib64 before /lib, but not in $LD_LIBRARY_PATH. e.g. solaris uses -r option to specify where to search for libraries at runtime. $ locate libssl.so.0.9.8 /home/rnair/squid_files/openssl-0.9.8b/libssl.so.0.9.8 /lib/libssl.so.0.9.8 /lib/libssl.so.0.9.8e /lib64/libssl.so.0.9.8e /usr/local/ssl/lib/libssl.so.0.9.8 do they all really exist? why isn't there /lib64/libssl.so.0.9.8 ? what does ldd /usr/local/squid/sbin/squid say? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
[squid-users] Is OpenDNS efficient for squid?
Is there any problem with using opendns server as the dns_nameserver in squid? Is it slower than using the local hosts namersevrers? I have an issue with dns timeouts for 1 or 2 websites and am having to restart the dns cache (nscd) every 6 hours to flush it. I thought adding the nameservers to the squid.conf would bypass this issue. _ Do you have a story that started on Hotmail? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
[squid-users] DNUMTHREADS
Is it recommended to recompile squid and increase the DNUMTHREADS value? I read that 30 could easily be used on a 500MHz machine and my machine is more than 2GHz so would it give an improvement to squid performance. I have been reading through this document here, which recommends various changes including using the reiserfs filesystem. My machine is CentOS. http://blog.last.fm/2007/08/30/squid-optimization-guide _ Do you have a story that started on Hotmail? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
[squid-users] OpenSSL license
Greetings to all. Will there be any license compatibility issues in using openssl with Squid? I plan to build Squid with enable-ssl support but happened to bump into an old discussion on this. http://www.squid-cache.org/mail-archive/squid-dev/200406/0011.html;. As i'm not an expert on this, I wish to hear from the group if there will be any potential license violation if we want to use Squid to provide https-proxy support. Best Regards, Kiran
Re: [squid-users] Is OpenDNS efficient for squid?
Hi, On Sun, Feb 07, J. Webster wrote: Is there any problem with using opendns server as the dns_nameserver in squid? Is it slower than using the local hosts namersevrers? I have an issue with dns timeouts for 1 or 2 websites and am having to restart the dns cache (nscd) every 6 hours to flush it. I thought adding the nameservers to the squid.conf would bypass this issue. you can savely disable nscd. I had some trouble with nscd till I disabled it. I think you don't get any performance issues. -- Gruß Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
[squid-users] cache manager access from web
I have followed the tutorial here: http://wiki.squid-cache.org/SquidFaq/CacheManager and set up acls to access the cache manager cgi on my server. I have to access this externally for the moment as that is the only access to the server that I have (SSH or web). The cache manager login appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi I have set the cache manager login and password in the squid.conf # TAG: cache_mgr # Email-address of local cache manager who will receive # mail if the cache dies. The default is root. # #Default: # cache_mgr root cache_mgr a...@aaa.com cachemgr_passwd aaa all #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address? acl to_localhost dst 127.0.0.0/8 # Only allow cachemgr access from localhost http_access allow ncsa_users http_access allow manager localhost http_access allow manager cacheadmin http_access deny manager However, whenever I enter the password and select localhost port 8080 from the cgi script I get: The following error was encountered: Cache Access Denied. Sorry, you are not currently allowed to request: cache_object://localhost/ from this cache until you have authenticated yourself. _ Do you have a story that started on Hotmail? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
Re: [squid-users] WARNING: got unused STORE_META type 10
On Fri, Feb 05, 2010 at 01:12:09PM -0600, Ryan McCain wrote: We use a Websense plugin that only supports 2.5 and 2.6. The websense plugin works fine with 2.7 - it is astounding that they still have not addressed the issue since it have been like this for years, literally. The problem is that Websense does not handle the encoding of the username that squid introduced in the 2.6 timeframe, to work around the problem I use a redirector chain. First in the chain is a small script that rewrites any %5c sequences to be \ in the username, then the rewritten data is passed into the websense redirector. This is good enough for us because our usernames do not contain any spaces or other characters liable to be encoded. I have provided these details to Websense support on a couple of occasions on their request. I keep hoping they will fix their redirector one day. -- Brett Lymn Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer.
Re: [squid-users] Is OpenDNS efficient for squid?
- Dieter Bloms sq...@bloms.de wrote: Hi, On Sun, Feb 07, J. Webster wrote: Is there any problem with using opendns server as the dns_nameserver in squid? Is it slower than using the local hosts namersevrers? I have an issue with dns timeouts for 1 or 2 websites and am having to restart the dns cache (nscd) every 6 hours to flush it. I thought adding the nameservers to the squid.conf would bypass this issue. you can savely disable nscd. I had some trouble with nscd till I disabled it. I think you don't get any performance issues. -- Gruß Dieter We switched to OpenDNS in December, after years of using our own djbdns servers, and have not seen any issues. The server provides access to 650 campus users over a 1Gb link, with typically 100Req/s throughout the day. Our hope is that OpenDNS will reduce the time spent on ACL maintenance in squid, and allow us to drop some ACLs completely. -- Shawn Wright I.T. Manager, Shawnigan Lake School http://www.shawnigan.ca
[squid-users] problem with IP_Filters Header file
Am trying to compile squid to allow transparency using this command ./configure --enable-ipf-transparent on a MAC mini running 10.5.8 am getting a error WARNING: Cannot find necessary IP-Filter header files Transparent Proxy support WILL NOT be enabled How can i solve this, how can I install the IP headers file, I already have the installer but which distribution do I use for a mac -- View this message in context: http://n4.nabble.com/problem-with-IP-Filters-Header-file-tp1472646p1472646.html Sent from the Squid - Users mailing list archive at Nabble.com.