Re: [squid-users] Mark log entries for redirected sites
Hello Amos,

On Friday, 1 April 2011 02:52:42, Amos Jeffries wrote:

> > Is there a way to specially mark redirected entries in the log file?
>
> Both of the above are identical content going to the user. The first one,
> if re-written, contains the body with lies in it. The second is saying to
> the client that the lie is still to be believed.

Ok. Thanks for your reply!

> Redirection produces a 301/302/307 status in the logs for the original
> URL, followed by another entry such as a 200 for the redirected URL.
> 304 etc. normally show up on the redirected URL, but that's not set in
> stone; some clients can do the two-request sequence.

Well, I didn't see a 301/302/307 in the logs, though I did get the blocked-redirect page handed out by squidGuard.

> It sounds like you have actually implemented a re-writer, which lies to
> the client about where the content came from.

Ok.

> I assume you are wanting this to get a report of the trouble URLs which
> are getting past the filter? A log produced by the filter would be the
> best place for that kind of information. It gets given the client IP to
> work with as well, so it can do the IP / URL / redirected-URL mapping
> much more easily.

Actually I want to do it a bit differently: if, for example, someone blocked facebook.com during main business hours, those requests still show up in the access_log and in the reports created from it. As more and more sites include "Like this on facebook" buttons which refer to facebook.com, it looks like users are accessing facebook.com even though they aren't. So I want to adapt the report software to ignore sites which are already blocked. This can only be solved if the log entries are somehow marked.

Cheers, Thomas
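One way to make blocked requests distinguishable in access.log is to have the helper return a real HTTP redirect instead of silently rewriting the URL: Squid's URL-rewrite interface lets a helper prefix the replacement URL with a status code, and the blocked request is then logged with a 302 status. A hedged sketch of the squidGuard side (the ACL name and block-page URL are examples, not taken from the thread):

```
# squidGuard.conf (sketch): returning "302:URL" makes Squid issue a
# real redirect, so access.log records a 302 for the blocked request
# rather than a normal-looking entry for the rewritten URL.
acl {
    default {
        pass !blocked all
        redirect 302:http://proxy.example.com/blocked.html
    }
}
```

Report software can then skip (or separately count) entries whose status is 302 and whose destination is the block page.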
Re: [squid-users] Mark log entries for redirected sites
Hello Thomas,

You wrote on 01.04.11:

[...]

> Well, I didn't see a 301/302/307 in the logs, though I did get the
> blocked-redirect page handed out by squidGuard.

[...]

> Actually I want to do it a bit differently: if, for example, someone
> blocked facebook.com during main business hours, those requests still
> show up in the access_log and in the reports created from it. As more
> and more sites include "Like this on facebook" buttons which refer to
> facebook.com, it looks like users are accessing facebook.com even
> though they aren't.

But that's a squidGuard problem, not a squid problem. Perhaps it's a problem of your particular reporting program. For reporting I use SARG and squish. With squish it might be very simple to exclude the facebook entries; the program gets its data via a simple cat command.

Best regards, Helmut
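Helmut's suggestion (filtering the log before it reaches squish) could be sketched like this; a minimal illustration, assuming the blocked domains are known to the report script (the `BLOCKED` list and the function name are mine, not from squish or squidGuard):

```python
# Sketch: drop access.log lines whose URL field matches a blocked
# domain before piping the rest into the report tool, mimicking
# "cat access.log | this_filter | squish".
BLOCKED = ("facebook.com",)  # illustrative; populate from your block lists

def keep(line: str) -> bool:
    fields = line.split()
    if len(fields) < 7:
        return True      # pass malformed lines through untouched
    url = fields[6]      # URL field in Squid's default native log format
    return not any(domain in url for domain in BLOCKED)
```

The field index assumes Squid's default native log format (timestamp, elapsed, client, code/status, bytes, method, URL, ...); a custom logformat would need a different index.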
[squid-users] Why is this needed to get auth sync between squid and dansguardian?
I'm modifying the squid.conf file of my proxy server to replace basic auth with NTLM auth. Everything works fine in squid, but when I use dansguardian, I've noticed that dansguardian doesn't get the username if I remove these lines from squid.conf:

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b dc=domain -D cn=proxy,cn=proxy,dc=domain -w proxy -f ((objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain)) -h 1.1.1.1
acl ldapLimited external ldap_group notAlowed
acl ldapTotal external ldap_group alowed
http_access allow ldapTotal all

Note: 1.1.1.1 is the DC's IP address.

I thought these lines affected only basic authentication, since they were already written before I started to implement NTLM auth. Can anybody explain to me what these lines are doing exactly? I checked the LDAP groups referred to in these lines (ldapLimited and ldapTotal) and they are empty.

Regards, F.J
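A likely explanation: the %LOGIN format token in external_acl_type tells Squid the helper needs the authenticated username, so any http_access rule that evaluates those ACLs forces authentication to complete before the request is passed on; that is what makes the username available to dansguardian. A minimal sketch of the same forcing effect without the LDAP group lookup (the ACL name below is an assumption about your setup, not taken from the posted config):

```
# Force authentication so the username is available downstream
# (and in access.log) without an external LDAP group check.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
```

If the LDAP group lines are removed, some other authentication-requiring ACL like this one must still be evaluated, or requests can be served without ever triggering the auth challenge.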
[squid-users] RE: Reverse Proxy Log Analytics
Hello. I'm trying to find a program that will give me better log analysis for a reverse proxy (accelerator). I'm thinking I'm going to end up having to write my own script, but wondered if there is anything out there before I do. I'm looking to see how many actual hits there were, how many times the request was passed to the real server, etc. The setup is 2 reverse proxies round-robining to 5 web servers. Any help would be appreciated. Justin.
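A custom script along the lines Justin describes could start from something like this; a minimal sketch that tallies cache hits versus requests forwarded to the origin servers, assuming Squid's default native access.log format (where the fourth field looks like "TCP_HIT/200"):

```python
# Sketch: count requests a reverse proxy served from cache versus
# requests passed to the real (origin) servers, from Squid's default
# native access.log format. Field positions are an assumption; adjust
# the index if a custom logformat is in use.
from collections import Counter

def tally(lines):
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip malformed lines
        result = fields[3].split("/")[0]  # e.g. "TCP_HIT", "TCP_MISS"
        if "HIT" in result:
            counts["served_from_cache"] += 1
        else:
            counts["passed_to_origin"] += 1
    return counts
```

Called as `tally(open("/var/log/squid/access.log"))`, it returns a Counter; per-backend breakdowns could be added by also splitting the hierarchy field (DIRECT/peer-name).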
[squid-users] replacing Apache httpd
Hi all,

I am new to squid, so I hope you don't feel offended if this is a beginner's question. ;-)

I am trying to replace an Apache httpd server which works as a delegating proxy. Let me explain the scenario briefly:

internet - Apache httpd delegator - server[1-3]

Because, to the outside, we have just one IP address, the httpd delegator forwards the request according to the URL to one of the internal servers, e.g. wiki.example.com is forwarded to server1, dms.example.com is forwarded to server2. This is done with virtual hosts and rewrite rules, e.g. for server1:

RewriteRule ^(.*)$ http://wiki/$1 [L,P]

As you can see here, the request is delegated to an internal server called wiki. What I am trying to do now is to replace the Apache httpd delegator with squid. What I've done so far is to configure squid as an accelerator and declare the corresponding nodes:

acl wiki_sites dstdomain wiki.example.com
http_port 80 accel defaultsite=example.com vhost
http_access allow wiki_sites
cache_peer wiki parent 80 0 no-query originserver forceddomain=wiki name=wiki
forwarded_for on
cache_peer_access wiki allow wiki_sites

Forwarding the request works as expected, but there is one problem: server1 (the (t)wiki server) now adds a wrong base URL in the HTML header:

<base href="http://wiki/" />

This doesn't happen with the Apache delegator. So, finally, my question: how is it possible to configure squid so that the base URL is as it was before:

<base href="http://wiki.example.com/" />

I need the URL from the outside (internet), not from the internal network (intranet). I really appreciate your help. Thanks a lot.

Best regards, Daniel
RE: [squid-users] replacing Apache httpd
Would you maybe need to put

cache_peer wiki parent 80 0 no-query originserver forceddomain=wiki.example.com name=wiki

rather than

cache_peer wiki parent 80 0 no-query originserver forceddomain=wiki name=wiki

-----Original Message-----
From: Daniel Plappert [mailto:plapp...@denkformat.de]
Sent: Friday, April 01, 2011 9:22 AM
To: squid-users@squid-cache.org
Subject: [squid-users] replacing Apache httpd
[squid-users] Does ICP HIT mean the content is fresh?
Hi all,

When an ICP request is sent to Squid, does Squid check the freshness of the object? I.e.:

icp request for object -> object in hash map -> object is fresh -> return hit

Or does it just check whether the object is in the hash map and then return a hit?

Cheers
[squid-users] Authenticated user does not appear in access.log
I have squid 3.1.6 and use basic authentication. For many requests, the authenticated user does not appear in access.log. I am using the default log format.
Re: [squid-users] Tuning for very expensive bandwidth links
Hi,

> > So the remote (client) side proxy would need an eCAP plugin that would
> > modify the initial request to include an ETag. This would require some
> > ability to interrogate what we have in cache and generate/request the
> > ETag associated with what we have already - do you have a pointer to
> > any API/code that I would need to look at to do this?
>
> I'm unsure, sorry. Alex at The Measurement Factory has better info on
> specific details of what the eCAP API can do.

If I wanted to hack on Squid 3.2... do you have a 60-second overview of the code points to examine, with a view to basically:

a) create an ETag and insert the relevant header on any response content (although perhaps only in the case that an ETag is not provided by the upstream server)

b) add an ETag header to requests without one - i.e. we are looking at the case where client 2 requests content we have cached, but client 2 doesn't know that; only the local squid does.

Just looking for a quick heads-up on where to start investigating?

> IIRC we have Dimitry with The Measurement Factory assisting with HTTP
> compliance fixes. I'm sure sponsorship towards a specific fix will be
> welcomed.

How do I get in contact with Dimitry?

> The one public eCAP adapter we have been notified about happens to be
> for doing gzip. http://code.google.com/p/squid-ecap-gzip/

Hmm... I did already look this over a bit - a very nice and simple API; a shame a huge bunch of eCAP plugins hasn't sprung up? The limitation seems to be that the API is really about mangling requests/responses; there isn't obviously a way to interrogate squid and ask it questions about what it's caching. Even if there were, you also have a race condition: you might tell upstream that we have content X in cache, but by the time the response comes back, that content might have been removed..? It seems that at least parts of this might need to be done internally to squid.
Just to be clear, the point is that few web servers generate useful ETags, and under the condition that bandwidth is the limiting constraint (plus a hierarchy of proxies), it might be useful to generate (and later test) ETags based on some consistent hash algorithm?

Thanks, Ed W
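The consistent-hash idea in the last paragraph can be sketched as follows; a minimal illustration, assuming a strong hash over the response body (SHA-256 here) is acceptable as the validator, so that any proxy in the hierarchy hashing the same bytes derives the same ETag (the function name and digest truncation are mine, not from Squid or eCAP):

```python
# Sketch: derive a deterministic ETag from the response body, so two
# proxies that cache the same bytes compute the same validator and
# can use If-None-Match between themselves.
# SHA-256 is an assumption; any hash both ends agree on would work.
import hashlib

def content_etag(body: bytes) -> str:
    digest = hashlib.sha256(body).hexdigest()
    return '"%s"' % digest[:32]  # double-quoted, per HTTP ETag syntax
```

The race Ed mentions (advertising an ETag for content that gets evicted before the 304 arrives) is unaffected by the hash choice; the fallback is simply that the 304 cannot be satisfied locally and the full response must be re-fetched.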