[squid-users] Prevent squid from adding headers

2011-12-08 Thread Jan van Riebeeck
Hi list,

I'm using squid proxy in a debugging context. So I've configured it to not 
cache anything. However, squid still adds headers to all my requests and 
responses. I'd like to see the response *exactly* as it came from the web 
server, and I'd like the web server to receive my request exactly as I sent it. 
This means I want squid not to add Via, X-Cache and X-Cache-Lookup headers.

Answers I've read to this problem boil down to using header_access to strip out 
a header. However, if a response comes back with a via header from the 
loadbalancer at the server side, then I want to see it... So I don't want to 
ban the header, I just want squid to be absolutely silent.

Is that possible without modifying the source?

Best,

-- jan



Re: [squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Jason Ianacone
I totally agree. Just hoping someone could say what exactly. 

Problem #2 had to do with the hosts name redirecting the device name to the 
ipv4 and ipv6 addresses. I have a unique name to the ipv4 and the problem went 
away. 

Sent from my iPhone

On Dec 8, 2011, at 3:41 PM, Amos Jeffries  wrote:

> On 9/12/2011 8:37 a.m., Jason Ianacone wrote:
>> I am running squid 3.1.8 (non-transparent) on a Tomato based router. I
>> connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup
>> to forward port 444 to 3128. I have a couple of small problems that
>> bother me.
>> 
>> 1. I run a WHS on my LAN. When I am connected to the
>> SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no
>> problem. When I type in .homeserver.com, I get a connection refused
>> (146) error. I get the same error if I type in my WAN IP as well.
>> 
>> 2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
>>  works perfect. If I change it to forward 444 to WNR3500L:3128, which is
>>  my device name, I get an "access denied" error. So I am connecting to
>> the proxy, but it doesn't like it for some reason.
>> 
>> Any help would be appreciated.
> 
> This description reads as if you have configured the proxy or firewall to 
> block access via non-LAN IPs.
> 
> The help you seek is in the config files somewhere.
> 
> Amos
> 


Re: [squid-users] MAC addresses as the only ACL restriction

2011-12-08 Thread Pieter De Wit

Hi,

MAC address filtering will only work on the same LAN segment. The mac 
address for your IP will be the gateway of the squid server if you are 
connecting remotely.


Cheers,

Pieter

On Thu, 8 Dec 2011, Inter Node wrote:

> Hello everyone, I have a question (and it may be a stupid one), but here goes.
> I use squid on my server for privacy reasons when I surf the web. I currently
> use IP addresses as my access restriction; only my home IP has access to my
> squid server. I was thinking of transitioning to MAC addresses for ACL
> purposes, so that I can use my proxy when I'm on the bus or at work. Are MAC
> addresses any less secure as an ACL restriction than IP addresses?
>
> Thank you for your time!
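
Why the proxy sees the gateway's MAC for a remote client, as an added example that is not part of the original posts: it builds a raw Ethernet/IPv4 frame, passes it through two routed hops, and reads back the source addresses the proxy host would see. All MAC and IP values and all function names are constructed for illustration.

```python
import socket
import struct

def mac(text):                       # "02:00:..." -> 6 raw bytes
    return bytes.fromhex(text.replace(":", ""))

def checksum(header):                # RFC 791 one's-complement header checksum
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, ttl):      # 20-byte header, protocol 6 (TCP), no payload
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]

def frame(src_mac, dst_mac, ip_header):
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_header

def route(fr, egress_mac, next_hop_mac):
    """One routed hop: new Ethernet header, TTL - 1, IP addresses untouched."""
    ip = fr[14:34]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return frame(egress_mac, next_hop_mac, ipv4_header(src, dst, ip[8] - 1))

def seen_by_proxy(fr):
    """(source MAC, source IP) as the proxy host reads them off the wire."""
    return ":".join(f"{b:02x}" for b in fr[6:12]), socket.inet_ntoa(fr[26:30])

# Constructed values: locally administered MACs, RFC 5737 documentation IPs.
LAPTOP, PROXY, GATEWAY = "02:00:00:00:00:aa", "02:00:00:00:00:50", "02:00:00:00:00:01"
PROXY_IP = "192.0.2.50"
ALLOWED_MACS = {LAPTOP}              # the MAC-only ACL the question proposes

def same_segment_frame():            # laptop plugged into the proxy's own LAN
    return frame(LAPTOP, PROXY, ipv4_header("192.0.2.10", PROXY_IP, 64))

def remote_frame():                  # laptop at work: two routers on the path
    fr = frame(LAPTOP, "02:00:00:00:00:b1", ipv4_header("198.51.100.7", PROXY_IP, 64))
    fr = route(fr, "02:00:00:00:00:b2", "02:00:00:00:00:c1")
    return route(fr, GATEWAY, PROXY)

def acl_allows(fr):
    return seen_by_proxy(fr)[0] in ALLOWED_MACS

if __name__ == "__main__":
    for name, fr in (("same segment", same_segment_frame()), ("remote", remote_frame())):
        print(name, seen_by_proxy(fr), "allowed" if acl_allows(fr) else "denied")
```

The remote case is denied even for the right laptop, and allowing the gateway's MAC instead would admit every host routed through that gateway.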




[squid-users] MAC addresses as the only ACL restriction

2011-12-08 Thread Inter Node
Hello everyone, I have a question (and it may be a stupid one), but here goes. 
I use squid on my server for privacy reasons when I surf the web. I currently 
use IP addresses as my access restriction; only my home IP has access to my 
squid server. I was thinking of transitioning to MAC addresses for ACL 
purposes, so that I can use my proxy when I'm on the bus or at work. Are MAC 
addresses any less secure as an ACL restriction than IP addresses?

Thank you for your time!



Re: [squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Amos Jeffries

On 9/12/2011 8:37 a.m., Jason Ianacone wrote:

> I am running squid 3.1.8 (non-transparent) on a Tomato based router. I
> connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup
> to forward port 444 to 3128. I have a couple of small problems that
> bother me.
>
> 1. I run a WHS on my LAN. When I am connected to the
> SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no
> problem. When I type in .homeserver.com, I get a connection refused
> (146) error. I get the same error if I type in my WAN IP as well.
>
> 2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
> works perfect. If I change it to forward 444 to WNR3500L:3128, which is
> my device name, I get an "access denied" error. So I am connecting to
> the proxy, but it doesn't like it for some reason.
>
> Any help would be appreciated.


This description reads as if you have configured the proxy or firewall 
to block access via non-LAN IPs.


The help you seek is in the config files somewhere.

Amos


Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-08 Thread Emmanuel Lacour

(sorry for the thread break, I lost the original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests to connect to a kerberos enabled squid from a windows
client not within the AD domain:

squid auth setup is: 
negotiate squid_kerb_auth
ntlm
basic (ldap)


As negotiate is proposed and IE supports it, it always tries to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic first; IE always tries
negotiate (while Firefox just uses the first one).

With the negotiate,ntlm,basic order, Firefox seems to try different
methods, because after three login attempts, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  that do not support negotiate but do support ntlm, and with basic
  fallback for clients without negotiate/ntlm support)
- and a second one with only basic auth


[squid-users] config help on squid-3.1.8 on Tomato router

2011-12-08 Thread Jason Ianacone

I am running squid 3.1.8 (non-transparent) on a Tomato based router. I 
connect to my router via SSH (PuTTY). In the GUI I have a tunnel setup 
to forward port 444 to 3128. I have a couple of small problems that 
bother me.

1. I run a WHS on my LAN. When I am connected to the 
SSH and I type in 192.168.0.2 (the WHS) in Firefox, it connects no 
problem. When I type in .homeserver.com, I get a connection refused 
(146) error. I get the same error if I type in my WAN IP as well.

2. For my SSH tunnel setup, I have 444 forwarded to 192.168.0.1:3128. This
 works perfect. If I change it to forward 444 to WNR3500L:3128, which is
 my device name, I get an "access denied" error. So I am connecting to 
the proxy, but it doesn't like it for some reason.

Any help would be appreciated.

Re: [squid-users] crash squid-3.1.18

2011-12-08 Thread Jan Sievers
Hi Amos,

On 2011-12-08 10:04, Amos Jeffries wrote:
> On 8/12/2011 8:44 p.m., Knop, Uwe wrote:
>> I created a bug report for this error
>> http://bugs.squid-cache.org/show_bug.cgi?id=3442
>>
>> assertion failed: external_acl.cc:841: "ch->auth_user_request"
> 
> This is fixed already. Just winding its way down through QA.
> Thanks for the info that 3.1 needs it as well as 3.2 where it was found.

I applied patch squ...@treenet.co.nz-20111208111329-4p5ugr1bj8lxdd8i (¹)
but here Squid 3.1.18 still dies on every request.

backtrace:

#0  0xb7746424 in __kernel_vsyscall ()
#1  0xb7479640 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb747b018 in abort () from /lib/i686/cmov/libc.so.6
#3  0x0811670f in death (sig=11) at tools.cc:398
#4  
#5  0x0814185b in authenticateValidateUser (auth_user_request=0x85b2170)
at UserRequest.cc:104
#6  0x08141ab2 in authenticateUserAuthenticated
(auth_user_request=0x85b2170) at UserRequest.cc:246
#7  0x08141ec4 in AuthUserRequest::authenticate
(auth_user_request=0x85b20bc,
headertype=HDR_PROXY_AUTHORIZATION, request=0x8588540,
conn=0x85ae9f0, src_addr=@0x85b2018)
at UserRequest.cc:450
#8  0x08142759 in AuthUserRequest::tryToAuthenticateAndSetAuthUser
(auth_user_request=0x85b20bc,
headertype=HDR_PROXY_AUTHORIZATION, request=0x8588540,
conn=0x85ae9f0, src_addr=@0x85b2018)
at UserRequest.cc:524
#9  0x0812f8a0 in AuthenticateAcl (ch=0x85b1ff8) at Acl.cc:50
#10 0x080943e0 in ACLExternal::ExternalAclLookup (checklist=0x85b1ff8,
me=0x8354a00,
callback=0x8091680 ,
callback_data=0x85b1ff8)
at external_acl.cc:1252
#11 0x08094e4a in ExternalACLLookup::checkForAsync (this=0x81e80a0,
checklist=0x85b1ff8)
at external_acl.cc:1450
#12 0x08152937 in ACLChecklist::checkForAsync (this=0x85b1ff8) at
Checklist.cc:178
#13 0x08153175 in ACLChecklist::matchAclList (this=0x85b1ff8,
head=0x8357a00, fast=false)
at Checklist.cc:229
#14 0x08153530 in ACLChecklist::matchAclListSlow (this=0x85b1ff8,
list=0x8357a00) at Checklist.cc:202
#15 0x08153564 in ACLChecklist::checkAccessList (this=0x85b1ff8) at
Checklist.cc:172
#16 0x08153602 in ACLChecklist::check (this=0x85b1ff8) at Checklist.cc:92
#17 0x080937f1 in externalAclHandleReply (data=0x8480358,
reply=0x83c2a20 "OK") at external_acl.cc:1226
#18 0x080b3d6c in helperHandleRead (fd=39, buf=0x83c2a20 "OK", len=3,
flag=COMM_OK, xerrno=0,
data=0x83c29a8) at helper.cc:856
#19 0x0812da25 in CommIoCbPtrFun::dial (this=0x83c4a84) at CommCalls.cc:183
#20 0x0811fb46 in AsyncCall::make (this=0x83c4a68) at AsyncCall.cc:34
#21 0x08122276 in AsyncCallQueue::fireNext (this=0x838eda0) at
AsyncCallQueue.cc:53
#22 0x08122408 in AsyncCallQueue::fire (this=0x838eda0) at
AsyncCallQueue.cc:39
#23 0x08091197 in EventLoop::runOnce (this=0xbf869648) at EventLoop.cc:130
#24 0x08091260 in EventLoop::run (this=0xbf869648) at EventLoop.cc:94
#25 0x080ded42 in SquidMain (argc=1, argv=0xbf869764) at main.cc:1418
#26 0x080df37a in main (argc=-1217635500, argv=0x29) at main.cc:1176

and cache.log:

2011/12/08 16:45:04.388| authenticateAuthenticate: This is a new
checklist test on FD:11
2011/12/08 16:45:04.388| authenticateValidateUser: Validating Auth_user
request '0x9650818'.
FATAL: Received Segment Violation...dying.
CPU Usage: 2.648 seconds = 0.916 user + 1.732 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:2560 KB
Ordinary blocks: 2501 KB 16 blks
Small blocks:   0 KB  6 blks
Holding blocks:  8860 KB  7 blks
Free Small blocks:  0 KB
Free Ordinary blocks:  58 KB
Total in use:   11361 KB 444%
Total free:59 KB 2%

Shall I open a new bug for this?

Jan

¹)
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10418.patch

-- 
Jan Sievers  |
Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de


[squid-users] icap problem with 3.1.18

2011-12-08 Thread Daniel Beschorner
After upgrading to 3.1.18 (+adaption compile patch) the following url never 
stops loading in the browser

http://x.ligatus.com/cgi-bin/ivw/CP/11260-365/83-1056/129647-107545-_129709-105679-_128565-101085-//

If I bypass the ICAP server for this url (which is indeed a redirect to 
http://x.ligatus.com/blank.gif) all works fine.

3.1.16 works with ICAP, the url is loaded immediately.

Any idea? Thanks
Daniel



[squid-users] URL parsing crashing squid 3.2.0.13... snapshot

2011-12-08 Thread alex sharaz

Hi,

2011/12/08 10:05:13 kid5| Starting Squid Cache version 3.2.0.13-20111206-r11454 for x86_64-unknown-linux-gnu...
2011/12/08 10:05:13 kid5| Process ID 6007
2011/12/08 10:05:13 kid5| Process Roles: worker
2011/12/08 10:05:13 kid5| With 49152 file descriptors available
2011/12/08 10:05:13 kid5| Initializing IP Cache...
2011/12/08 10:05:13 kid5| DNS Socket created at 0.0.0.0, FD 7
2011/12/08 10:05:13 kid5| Adding nameserver 150.237.84.21 from squid.conf
2011/12/08 10:05:13 kid5| Adding nameserver 150.237.198.2 from squid.conf
2011/12/08 10:05:13 kid5| helperOpenServers: Starting 5/20 'helper-mux.pl' processes
2011/12/08 10:05:13 kid5| helperOpenServers: Starting 0/10 'basic_pam_auth' processes
2011/12/08 10:05:13 kid5| helperOpenServers: No 'basic_pam_auth' processes needed.
2011/12/08 10:05:13 kid5| Logfile: opening log daemon:/logs/access.log
2011/12/08 10:05:13 kid5| Logfile Daemon: opening log /logs/access.log
2011/12/08 10:05:13 kid5| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/12/08 10:05:13 kid5| Store logging disabled
2011/12/08 10:05:13 kid5| WARNING: disk-cache maximum object size is unlimited but mem-cache maximum object size is 32.00 KB
2011/12/08 10:05:13 kid5| Swap maxSize 4060160 + 262144 KB, estimated 332484 objects
2011/12/08 10:05:13 kid5| Target number of buckets: 16624
2011/12/08 10:05:13 kid5| Using 32768 Store buckets
2011/12/08 10:05:13 kid5| Max Mem  size: 262144 KB [shared]
2011/12/08 10:05:13 kid5| Max Swap size: 4060160 KB
2011/12/08 10:05:13 kid5| Version 1 of swap file with LFS support detected...
2011/12/08 10:05:13 kid5| Rebuilding storage in /cache/5 (CLEAN)
2011/12/08 10:05:13 kid5| Using Least Load store dir selection
2011/12/08 10:05:13 kid5| Set Current Directory to /usr/local/squid/var/cache/squid
2011/12/08 10:05:13 kid5| Loaded Icons.
2011/12/08 10:05:13 kid5| IcmpSquid.cc(255) Open: Pinger socket opened on FD 24
2011/12/08 10:05:13 kid5| Ready to serve requests.
2011/12/08 10:05:13| pinger: Initialising ICMP pinger ...
2011/12/08 10:05:13| pinger: ICMP socket opened.
2011/12/08 10:05:13 kid5| Store rebuilding is 19.10% complete
2011/12/08 10:05:13 kid5| Done reading /cache/5 swaplog (21442 entries)
2011/12/08 10:05:13 kid5| Finished rebuilding storage from disk.
2011/12/08 10:05:13 kid5| 21442 Entries scanned
2011/12/08 10:05:13 kid5| 0 Invalid entries.
2011/12/08 10:05:13 kid5| 0 With invalid flags.
2011/12/08 10:05:13 kid5| 20983 Objects loaded.
2011/12/08 10:05:13 kid5| 0 Objects expired.
2011/12/08 10:05:13 kid5| 0 Objects cancelled.
2011/12/08 10:05:13 kid5|   447 Duplicate URLs purged.
2011/12/08 10:05:13 kid5|12 Swapfile clashes avoided.
2011/12/08 10:05:13 kid5|   Took 0.13 seconds (158376.61 objects/sec).
2011/12/08 10:05:13 kid5| Beginning Validation Procedure
2011/12/08 10:05:13 kid5|   Completed Validation Procedure
2011/12/08 10:05:13 kid5|   Validated 20983 Entries
2011/12/08 10:05:13 kid5|   store_swap_size = 848684.00 KB
2011/12/08 10:05:13 kid5| Accepting HTTP Socket connections at local=150.237.85.249:3128 remote=[::] FD 9 flags=1
2011/12/08 10:05:13 kid5| Accepting HTTP Socket connections at local=150.237.84.13:3128 remote=[::] FD 11 flags=1
2011/12/08 10:05:13 kid5| Accepting HTCP messages on 0.0.0.0:4827
2011/12/08 10:05:13 kid5| Sending HTCP messages from 0.0.0.0:4827
2011/12/08 10:05:14 kid5| storeLateRelease: released 0 objects
2011/12/08 10:05:16 kid4| Starting Squid Cache version 3.2.0.13-20111206-r11454 for x86_64-unknown-linux-gnu...
2011/12/08 10:05:16 kid4| Process ID 6016
2011/12/08 10:05:16 kid4| Process Roles: worker
2011/12/08 10:05:16 kid4| With 49152 file descriptors available
2011/12/08 10:05:16 kid4| Initializing IP Cache...
2011/12/08 10:05:16 kid4| DNS Socket created at 0.0.0.0, FD 7
2011/12/08 10:05:16 kid4| Adding nameserver 150.237.84.21 from squid.conf
2011/12/08 10:05:16 kid4| Adding nameserver 150.237.198.2 from squid.conf
2011/12/08 10:05:16 kid4| helperOpenServers: Starting 5/20 'helper-mux.pl' processes
2011/12/08 10:05:16 kid4| helperOpenServers: Starting 0/10 'basic_pam_auth' processes
2011/12/08 10:05:16 kid4| helperOpenServers: No 'basic_pam_auth' processes needed.
2011/12/08 10:05:16 kid4| Logfile: opening log daemon:/logs/access.log
2011/12/08 10:05:16 kid4| Logfile Daemon: opening log /logs/access.log
2011/12/08 10:05:16 kid4| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/12/08 10:05:16 kid4| Store logging disabled
2011/12/08 10:05:16 kid4| WARNING: disk-cache maximum object size is unlimited but mem-cache maximum object size is 32.00 KB
2011/12/08 10:05:16 kid4| Swap maxSize 4060160 + 262144 KB, estimated 332484 objects
2011/12/08 10:05:16 kid4| Target number of buckets: 16624
2011/12/08 10:05:16 kid4| Using 32768 Store buckets
2011/12/08 10:05:16 kid4| Max Mem  size: 262144 KB [shared]
2011/12/08 10:05:16 kid4| Max Swap size: 4060160 KB
2011/12/08 10:05:

Re: [squid-users] crash squid-3.1.18

2011-12-08 Thread Amos Jeffries

On 8/12/2011 8:44 p.m., Knop, Uwe wrote:

> Hi,
>
> I created a bug report for this error
> http://bugs.squid-cache.org/show_bug.cgi?id=3442
>
> assertion failed: external_acl.cc:841: "ch->auth_user_request"
>
> bye UK


This is fixed already. Just winding its way down through QA.
Thanks for the info that 3.1 needs it as well as 3.2 where it was found.

Amos