[squid-users] Anonymous FTP and login pass url based
Hi,

I use squid3.1.18 / dansguardian 2.10.1.1 on Centos 5.7 and I meet a problem with FTP.

When I connect to a ftp site in anonymous through a web browser, no problem.

When I connect to a ftp site with no anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. ftp_epsv parameter is off (default on). The popup appears on the screen.

But when I connect to a ftp site using anonymous as default and if I'm using login/password to access a specific folder, ftp://login:pass@ftp-site does not work.

It seems that if anonymous is ok on the ftp site, the login/password of the url ftp://login:pass@ftp-site is not used.

My compilation options

Default

./configure --prefix=/usr/share/squid \
  --bindir=/usr/sbin \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/squid \
  --localstatedir=/var \
  --libdir=/usr/lib64/squid \
  --datarootdir=/usr/share \
  --docdir=/usr/share/doc/squid-3.1.11 \
  --enable-delay-pools \
  --enable-cache-digests \
  --disable-ident-lookups \
  --enable-follow-x-forwarded-for \
  --enable-icmp \
  --enable-useragent-log \
  --with-pidfile=/var/run/squid.pid \
  --with-logdir=/data/squid/log \
  --with-large-files \
  --enable-ssl \
  --with-default-user=squid \
  --enable-linux-netfilter \
  --enable-esi

Try

./configure --prefix=/usr/share/squid \
  --bindir=/usr/sbin \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/squid \
  --localstatedir=/var \
  --libdir=/usr/lib64/squid \
  --datarootdir=/usr/share \
  --docdir=/usr/share/doc/squid-3.1.18 \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-follow-x-forwarded-for \
  --enable-icmp \
  --enable-useragent-log \
  --with-pidfile=/var/run/squid.pid \
  --with-logdir=/data/squid/log \
  --with-large-files \
  --enable-ssl \
  --with-default-user=squid \
  --enable-linux-netfilter \
  --enable-esi \
  --enable-auth=basic \
  --enable-ident-lookups

Regards,
Guillaume
Re: [squid-users] about the IMS request
On Fri, Dec 16, 2011 at 2:08 PM, Amos Jeffries wrote:

On 16/12/2011 4:36 p.m., Jeff Pang wrote:

Hello, if the site-arch is: original-server -squid1 -squid2 -client

NOTE: this is a *reply* pathway. IMS is a *request*.

When client send an IMS request to squid2, will squid2 pass it to squid1 then to original-server? Thanks.

The IMS effectively stops at squid2. Whether squid2 does a new IMS for itself or a full fetch from squid1 depends on whether squid2 already has a copy of that object, whether that copy is fresh or stale or newer than the IMS date. All those considerations are calculated, then a request is either satisfied by squid2 or a request created from a combination of the squid2 and client requirements is passed to squid1. squid1 then does its own handling on the request sent by squid2.

Amos

On 16/12/2011 8:08 p.m., Jeff Pang wrote:

Thank you Amos for the always kind answer. Sorry my actual question, when client issue a reload request, does this request passed by squid2 and squid1 then to the original server? Thanks.

Usually. It can be converted to an IMS by any proxy.

Amos
Re: [squid-users] Anonymous FTP and login pass url based
On 16/12/2011 9:28 p.m., Al Batard wrote:

Hi,

I use squid3.1.18 / dansguardian 2.10.1.1 on Centos 5.7 and I meet a problem with FTP.

When I connect to a ftp site in anonymous through a web browser, no problem.

When I connect to a ftp site with no anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. ftp_epsv parameter is off (default on). The popup appears on the screen.

But when I connect to a ftp site using anonymous as default and if I'm using login/password to access a specific folder, ftp://login:pass@ftp-site does not work.

It seems that if anonymous is ok on the ftp site, the login/password of the url ftp://login:pass@ftp-site is not used.

So what is the problem then?

Amos
[squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi Amos,

Thanks for your answer.

My problem is if a ftp site use both default anonymous and login/password, squid not send login/password and only use anonymous.

I tried without Squid proxy and login/password in url based is ok for this ftp site.

Guillaume

----- Original message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Friday 16 December 2011 9:54
Subject: Re: [squid-users] Anonymous FTP and login pass url based

On 16/12/2011 9:28 p.m., Al Batard wrote:

Hi,

I use squid3.1.18 / dansguardian 2.10.1.1 on Centos 5.7 and I meet a problem with FTP.

When I connect to a ftp site in anonymous through a web browser, no problem.

When I connect to a ftp site with no anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. ftp_epsv parameter is off (default on). The popup appears on the screen.

But when I connect to a ftp site using anonymous as default and if I'm using login/password to access a specific folder, ftp://login:pass@ftp-site does not work.

It seems that if anonymous is ok on the ftp site, the login/password of the url ftp://login:pass@ftp-site is not used.

So what is the problem then?

Amos
Re: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
On 16/12/2011 10:15 p.m., Al Batard wrote:

Hi Amos,

Thanks for your answer.

My problem is if a ftp site use both default anonymous and login/password, squid not send login/password and only use anonymous.

I tried without Squid proxy and login/password in url based is ok for this ftp site.

Guillaume

Ah. Thanks. Can you provide an FTP protocol sequence displaying the error? You can get a cache.log trace of FTP with debug_options 9,2 in any of the recent Squid releases.

Amos
RE: [squid-users] Squid not allowing WLM (windows live messenger) to go through. any tip ?
Thanks for your advice. though that's the page i followed to add destinations to allow. they're already set in the config and a rule to allow to CONNECT to port 443 and 1863 already exists.

Some users are able to sign in, others cannot. and no deny hit is showing in access.log so i can troubleshoot.

PS: i tried using AMSN today, i was able to sign in though the contact list couldn't be loaded. even though i can see in access.log a CONNECT to contacts.live.com:443 as well as another server which hosts my contact list

Date: Fri, 16 Dec 2011 08:22:08 +0700
From: ebed...@gmail.com
To: squ...@treenet.co.nz; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid not allowing WLM (windows live messenger) to go through. any tip ?

The page i write on my email before is for an old WLM. Here's for WLM 2010 http://support.microsoft.com/kb/2027572

On 15/12/2011 19:47, Roland RoLaNd wrote:

We are using a config script for our proxy, with the proxy being a Squid Proxy Server configured to allow traffic through, and in specific, ports 1863 and 443..

I have tried the following to fix this issue as many forums have suggested:

* Checking and unchecking the Automatically detect settings option in the LAN Settings of the machine's local Internet Properties.
* Leaving both the Automatically detect settings and Use automatic configuration script options checked.
* Uninstalling Windows Live Messenger and the Live Essentials suite and re-installing those.
* Flushing the local DNS cache.
* Clearing all internet caching and history.

Even after trying all the above the problem persists. The users are still able to use the Messenger service through their Hotmail accounts over the web and when accessing Live Messenger at home on the same machine.

Not sure what to try or where to approach this from anymore and was wondering if anyone managed to solve this issue already and could provide some tips. Any help would be much appreciated.

Thanks in anticipation!
[squid-users] squidclient mgr:info squid performance
Hi Amos,

Sir, Thanks for your kind response. As always you share your great guidance.

On 16/12/2011 12:51 a.m., Benjamin wrote:

Hi, what is the meaning for Select loop called: 730321522 times, 0.117 ms avg

squidclient mgr:info

Connection information for squid:
Number of clients accessing cache: 0
Number of HTTP requests received: 32626996
Number of ICP messages received: 0
Number of ICP messages sent: 0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.00
Average HTTP requests per minute since start: 22877.7
Average ICP messages per minute since start: 0.0
Select loop called: 730321522 times, 0.117 ms avg

- Is it showing that , squid does in/out for objects with this (730321522) times. is it right perception?

Squid has performed 730321522 tests to check for I/O events, an average of every 0.117ms. That is all. Several read/write/connect/close/DNS handling events may have happened on each of those checks.

My full output of squidclient mgr:info. Please tell me that my squid is performing well or do i need to do more tuning or something?

squidclient mgr:info

HTTP/1.0 200 OK
Server: squid
Mime-Version: 1.0
Date: Thu, 15 Dec 2011 11:42:25 GMT
Content-Type: text/plain
Expires: Thu, 15 Dec 2011 11:42:25 GMT
Last-Modified: Thu, 15 Dec 2011 11:42:25 GMT
X-Cache: MISS from CACHE-Engine
X-Cache-Lookup: MISS from CACHE-Engine:3128
Connection: close

Squid Object Cache: Version 3.1.10
Start Time: Wed, 14 Dec 2011 11:56:16 GMT
Current Time: Thu, 15 Dec 2011 11:42:25 GMT
Connection information for squid:
Number of clients accessing cache: 0
Number of HTTP requests received: 32626996
Number of ICP messages received: 0
Number of ICP messages sent: 0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.00
Average HTTP requests per minute since start: 22877.7

Okay. 381rps ain't too shabby.
Highest-performance should be able to reach at least 950rps with a lot of fine tweaking and tuning, but of course that depends on the clients actually being there making request and relatively fast themselves.

What are the fine tweaking and tuning required from squid side and os side to achieve more performance to get 950rps.

Average ICP messages per minute since start: 0.0
Select loop called: 730321522 times, 0.117 ms avg
Cache information for squid:
Hits as % of all requests: 5min: 33.2%, 60min: 32.1%

Fairly good for a forward proxy. You might be able to tweak it up into the 40+% range. But that depends on the clients traffic to determine what you can do and what will work.

What do you suggest to achieve more cache hit?

Hits as % of bytes sent: 5min: 21.0%, 60min: 17.7%
Memory hits as % of hit requests: 5min: 16.0%, 60min: 16.0%

Memory hits is where you get the most speed. You might want to see what is causing this to be low and see if you can tune it up a bit. But again, that depends on the clients traffic.

As we have total memory 12 GB, and firstly i assign 8gb to squid and 4 gb for OS. But many times in high load , i see that in free -mto there was remaining free memory is very less. so then i set 2. gb for squid and rest of for OS but in that case also at high load i can see same less memory remaining in free -mto. i can see much ram in cached tab in free -mto output. Kindly suggest me to what to do with get best performance from memory side by OS and squid way

Disk hits as % of hit requests: 5min: 64.4%, 60min: 64.1%
Storage Swap size: 304802412 KB
Storage Swap capacity: 77.7% used, 22.3% free
Storage Mem size: 2535920 KB
Storage Mem capacity: 100.0% used, 0.0% free

Um. 2.5GB of RAM caching going on and only giving you 16% hit ratio. This does not seem great.

Mean Object Size: 28.43 KB
Requests given to unlinkd: 0
Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):   0.24524  0.25890
Cache Misses:          0.35832  0.35832
Cache Hits:            0.00919  0.00919
Near Hits:             0.15048  0.15048
Not-Modified Replies:  0.0      0.0
DNS Lookups:           0.13638  0.13638

DNS appears to be slow. ~130ms. I would hope for at least one more zero after the decimal point, making it under 100ms on average. But this may be limited by the amount of time already spent processing requests, so it depends.

I configured dnsmasq for dns caching. What else i need to do to tune dns to get more performance?

Amos

My complete squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl
[squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi,

This is the log of the ftp connection to ftp site that accepts anonymous and login/pass (ftp://login:pass@ftpsite in url). Only Anonymous is used. Not my login / password.

On a ftp site with anonymous login denied, user / password appear in log.

- log of the ftp site with anonymous and login / pass authorized :

2011/12/16 13:46:53.474| ftp 220 FTP Server ready.
2011/12/16 13:46:53.474| ftp USER anonymous
2011/12/16 13:46:53.500| ftp 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp PASS Squid@
2011/12/16 13:46:53.548| ftp 230 Anonymous login ok, restrictions apply.
2011/12/16 13:46:53.548| ftp TYPE A
2011/12/16 13:46:53.575| ftp 200 Type set to A
2011/12/16 13:46:53.575| ftp PASV
2011/12/16 13:46:53.601| ftp 227 Entering Passive Mode (86,66,22,5,238,97).
2011/12/16 13:46:53.627| ftp LIST
2011/12/16 13:46:53.653| ftp 150 Opening ASCII mode data connection for file list
2011/12/16 13:46:53.744| ftp 226 Transfer complete
2011/12/16 13:46:53.744| ftp QUIT
2011/12/16 13:46:53.771| ftp 221 Goodbye.

- log of the ftp site with login / pass authorized only :

2011/12/16 13:50:09.781| ftp 220 FTP
2011/12/16 13:50:09.781| ftp USER login
2011/12/16 13:50:09.810| ftp 331 Password required for login
2011/12/16 13:50:09.810| ftp PASS password
2011/12/16 13:50:09.871| ftp 230 User login logged in
2011/12/16 13:50:09.871| ftp TYPE A
2011/12/16 13:50:09.906| ftp 200 Type set to A
2011/12/16 13:50:09.906| ftp PASV
2011/12/16 13:50:09.933| ftp 227 Entering Passive Mode (86,65,55,2,183,40).
2011/12/16 13:50:09.963| ftp LIST
2011/12/16 13:50:09.990| ftp 150 Opening ASCII mode data connection for file list
2011/12/16 13:50:10.024| ftp 226 Transfer complete
2011/12/16 13:50:10.024| ftp QUIT
2011/12/16 13:50:10.055| ftp 221 Goodbye.

Regards,
Guillaume

----- Original message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Friday 16 December 2011 10:22
Subject: Re: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 16/12/2011 10:15 p.m., Al Batard wrote:

Hi Amos,

Thanks for your answer.

My problem is if a ftp site use both default anonymous and login/password, squid not send login/password and only use anonymous.

I tried without Squid proxy and login/password in url based is ok for this ftp site.

Guillaume

Ah. Thanks. Can you provide an FTP protocol sequence displaying the error? You can get a cache.log trace of FTP with debug_options 9,2 in any of the recent Squid releases.

Amos
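Added example (not part of the original thread and not Squid project code): a small checker that reads an FTP trace in the layout posted above, reports whether the USER sent on the control channel matches the user in the requested ftp:// URL, and masks PASS arguments before the trace is shared on a public list. The sample traces are shortened copies of the two posted above; the optional `<<`/`>>` marker handling and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Trace line layout as shown in the thread: "<date> <time>| ftp <text>".
# Assumption: an optional "<<" / ">>" direction marker may follow "ftp".
LINE = re.compile(r"^\S+ \S+\| ftp(?:<<|>>)? (.*)$")
REPLY = re.compile(r"^(\d{3})(?:[ -]|$)")
PASS_ARG = re.compile(r"(\| ftp(?:<<|>>)? PASS ).*$", re.IGNORECASE)

def _new_session(sessions):
    cur = {"user": None, "pass_sent": False, "login_code": None}
    sessions.append(cur)
    return cur

def parse_trace(lines):
    """Group control-channel lines into sessions, one per 220 greeting."""
    sessions, cur = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not an FTP trace line
        text = m.group(1)
        reply = REPLY.match(text)
        if reply:                         # server reply: starts with 3 digits
            code = int(reply.group(1))
            if code == 220 or cur is None:
                cur = _new_session(sessions)
            elif cur["user"] and cur["login_code"] is None and code in (230, 530):
                cur["login_code"] = code  # first login verdict after USER
            continue
        if cur is None:                   # command seen before any greeting
            cur = _new_session(sessions)
        verb, _, arg = text.partition(" ")
        if verb.upper() == "USER":
            cur["user"] = arg
        elif verb.upper() == "PASS":
            cur["pass_sent"] = True       # never keep the password itself
    return sessions

def diagnose(url, lines):
    """Compare the user in the ftp:// URL with the USER actually sent."""
    parts = urlsplit(url)
    want = unquote(parts.username) if parts.username else None
    return [{"url_user": want,
             "sent_user": s["user"],
             "logged_in": s["login_code"] == 230,
             "url_credentials_ignored": bool(want and s["user"] and s["user"] != want)}
            for s in parse_trace(lines)]

def redact(lines):
    """Mask every PASS argument so the trace can be posted publicly."""
    return [PASS_ARG.sub(r"\1<redacted>", line) for line in lines]

# Shortened copies of the two traces posted in the message above.
ANON_SITE = """
2011/12/16 13:46:53.474| ftp 220 FTP Server ready.
2011/12/16 13:46:53.474| ftp USER anonymous
2011/12/16 13:46:53.500| ftp 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp PASS Squid@
2011/12/16 13:46:53.548| ftp 230 Anonymous login ok, restrictions apply.
""".strip().splitlines()

AUTH_SITE = """
2011/12/16 13:50:09.781| ftp 220 FTP
2011/12/16 13:50:09.781| ftp USER login
2011/12/16 13:50:09.810| ftp 331 Password required for login
2011/12/16 13:50:09.810| ftp PASS password
2011/12/16 13:50:09.871| ftp 230 User login logged in
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("anonymous+login site", ANON_SITE), ("login-only site", AUTH_SITE)):
        print(name, diagnose("ftp://login:pass@ftp-site/", trace))
    print("\n".join(redact(AUTH_SITE)))
```

At debug level 9,2 the PASS line is written to cache.log in clear text, so the redaction step matters whenever such a trace leaves the proxy host.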
Re: [squid-users] Squid 3.2.0.14 beta is available
On Dec 15, 2011, at 12:04 AM, Amos Jeffries wrote:

On 15/12/2011 4:28 a.m., Guy Helmer wrote:

undefined reference to `__sync_fetch_and_sub_4

Thank you. Apparently that is related to GCC version. Which gcc version are you building with?

Amos

The stock compiler on FreeBSD 8.x is still gcc 4.2.1 + GPLv2 patches. I think the issue with FreeBSD on i386 is that the compiler is configured to generate code for the 80386 CPU (without any 486 or later features) by default.

Thanks,
Guy
[squid-users] Forward proxy config questions
Hello everyone,

I'm new to squid. I think I have it configured to do what I want, but I wanted to run my squid.conf options (pertinent parts only) by more experienced eyes to double-check.

I'm running squid (2.7.STABLE7) as a forward proxy on my personal computer, with the sole purpose of caching frequently-used static content from a few specific sites. Nothing else should get cached. Furthermore, once the content is cached, it does not need to be revalidated.

Here goes:

# List sites to be cached
acl cache_us dstdomain a.example.com
acl cache_us dstdomain b.example.com

# Allow access from my computer only
http_access allow localhost
http_access deny all

# Only cache cache_us
cache deny !cache_us

# Once cached, do not revalidate
offline_mode on

A couple of questions:

* From my scan of the log files, this appears to work. Any reason why it won't work, hidden pitfalls, etc.?

* With offline_mode on, I'm assuming that other cache-tuning options (e.g., max_stale, refresh_pattern, minimum_expiry_time, etc.) are irrelevant; squid will cache matching content once, always fetch it from the cache in the future, and never revalidate it. Right?

* How/where are validation requests logged?

Thanks in advance.
Re: [squid-users] Forward proxy config questions
On 17/12/2011 5:39 a.m., J Smith wrote:

Hello everyone,

I'm new to squid. I think I have it configured to do what I want, but I wanted to run my squid.conf options (pertinent parts only) by more experienced eyes to double-check.

I'm running squid (2.7.STABLE7) as a forward proxy on my personal computer, with the sole purpose of caching frequently-used static content from a few specific sites. Nothing else should get cached. Furthermore, once the content is cached, it does not need to be revalidated.

Here goes:

# List sites to be cached
acl cache_us dstdomain a.example.com
acl cache_us dstdomain b.example.com

# Allow access from my computer only
http_access allow localhost
http_access deny all

# Only cache cache_us
cache deny !cache_us

# Once cached, do not revalidate
offline_mode on

A couple of questions:

* From my scan of the log files, this appears to work. Any reason why it won't work, hidden pitfalls, etc.?

The usual pitfalls of force-caching things which are borderline for cacheability. Broken page contents when any piece of the original page changes.

The best way to achieve caching performance is to alter the origin server(s) for these sites to produce cache-controls allowing their content to be cached for the correct timespan.

* With offline_mode on, I'm assuming that other cache-tuning options (e.g., max_stale, refresh_pattern, minimum_expiry_time, etc.) are irrelevant; squid will cache matching content once, always fetch it from the cache in the future, and never revalidate it. Right?

They are still relevant. Squid just does not erase the cached content and serves up stale objects without explicit permission from the origin when failures occur.

* How/where are validation requests logged?

It shows up in the access.log as the result codes (TCP_*) with the REFRESH or RELOAD sub-tag when each transaction finishes. http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes has the details on what these tags are and mean.

Amos
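Added example (not part of the original thread and not Squid project code): one way to check the answer above against a real log, by scanning native-format access.log lines for the two cache_us domains and reporting which transactions carried a REFRESH or RELOAD sub-tag or went upstream at all. The log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hosts from the cache_us ACL in the question (exact-match dstdomain entries).
WATCHED = {"a.example.com", "b.example.com"}

def parse(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        return None                       # truncated or foreign line
    code = f[3].partition("/")[0]         # e.g. TCP_REFRESH_HIT from TCP_REFRESH_HIT/200
    hier = f[8].partition("/")[0]         # e.g. DIRECT from DIRECT/192.0.2.10
    return {"code": code, "url": f[6], "host": urlsplit(f[6]).hostname, "hier": hier}

def revalidation_report(lines, watched=WATCHED):
    """Count REFRESH/RELOAD result codes and list upstream contacts for watched hosts."""
    counts, upstream = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["host"] not in watched:
            continue
        if "REFRESH" in rec["code"] or "RELOAD" in rec["code"]:
            counts[rec["code"]] += 1      # a validation or forced reload happened
        if rec["hier"] != "NONE":
            upstream.append((rec["code"], rec["url"]))  # request left the proxy
    return counts, upstream

# Constructed sample in the native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE = """
1324000000.123     12 127.0.0.1 TCP_HIT/200 5120 GET http://a.example.com/logo.png - NONE/- image/png
1324000010.456     95 127.0.0.1 TCP_REFRESH_HIT/200 5120 GET http://a.example.com/site.css - DIRECT/192.0.2.10 text/css
1324000020.789    210 127.0.0.1 TCP_CLIENT_REFRESH_MISS/200 8230 GET http://b.example.com/app.js - DIRECT/192.0.2.20 application/javascript
1324000030.001      3 127.0.0.1 TCP_MEM_HIT/200 5120 GET http://a.example.com/logo.png - NONE/- image/png
1324000040.002    180 127.0.0.1 TCP_MISS/200 15000 GET http://www.example.org/ - DIRECT/192.0.2.30 text/html
""".strip().splitlines()

if __name__ == "__main__":
    counts, upstream = revalidation_report(SAMPLE)
    for code, n in counts.items():
        print(f"{code}: {n}")
    for code, url in upstream:
        print("went upstream:", code, url)
```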
Re: [squid-users] Squid not allowing WLM (windows live messenger) to go through. any tip ?
what is your squid version?

I'm using v3.1.16, here what i found in my network. If i use direct connection to the internet, and i set my firewall to redirect port 80 to 3128 (squid local port), my WLM won't connect but if use proxy connection to the internet, my WLM will work perfectly. I'm using squid with intercepting connection enabled on localhost and my NIC.

This doesn't happen on version 2.7

On 16/12/2011 17:27, Roland RoLaNd wrote:

Thanks for your advice. though that's the page i followed to add destinations to allow. they're already set in the config and a rule to allow to CONNECT to port 443 and 1863 already exists.

Some users are able to sign in, others cannot. and no deny hit is showing in access.log so i can troubleshoot.

PS: i tried using AMSN today, i was able to sign in though the contact list couldn't be loaded. even though i can see in access.log a CONNECT to contacts.live.com:443 as well as another server which hosts my contact list

Date: Fri, 16 Dec 2011 08:22:08 +0700
From: ebed...@gmail.com
To: squ...@treenet.co.nz; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid not allowing WLM (windows live messenger) to go through. any tip ?

The page i write on my email before is for an old WLM. Here's for WLM 2010 http://support.microsoft.com/kb/2027572

On 15/12/2011 19:47, Roland RoLaNd wrote:

We are using a config script for our proxy, with the proxy being a Squid Proxy Server configured to allow traffic through, and in specific, ports 1863 and 443..

I have tried the following to fix this issue as many forums have suggested:

* Checking and unchecking the Automatically detect settings option in the LAN Settings of the machine's local Internet Properties.
* Leaving both the Automatically detect settings and Use automatic configuration script options checked.
* Uninstalling Windows Live Messenger and the Live Essentials suite and re-installing those.
* Flushing the local DNS cache.
* Clearing all internet caching and history.

Even after trying all the above the problem persists. The users are still able to use the Messenger service through their Hotmail accounts over the web and when accessing Live Messenger at home on the same machine.

Not sure what to try or where to approach this from anymore and was wondering if anyone managed to solve this issue already and could provide some tips. Any help would be much appreciated.

Thanks in anticipation!
Re: [squid-users] STABLE squid repo location?
Thu 2011-12-15 at 11:48 -0500, Michael Altfield wrote:

I think I might have found it here (https://code.launchpad.net/~squid/squid/3.1), but I'm not sure if this is the STABLE repository. If it is, can someone please explicitly say so in the README of the repo or on the wiki (http://wiki.squid-cache.org/BzrInstructions). If not, please let me know where to find it.

The official source repository for Squid-3 is the bazaar repository at bzr.squid-cache.org/squid3/ where you find 3.1 in branches/SQUID_3_1

But launchpad is an automatic mirror of the same, and contains exactly the same information with just a slight delay, and much better connectivity.

And as others have mentioned you can also view the changesets from our web page, divided per release. This view is slightly filtered to hide automatic derived changes with no impact on the code as such.

http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_17.html
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_18.html

Any specific change you are looking for?

Regards
Henrik
Re: [squid-users] Session not transferred when redirected by a website
Fri 2011-12-16 at 12:50 +0700, Widhiyanto, Projo wrote:

I have a problem with certain website that doesn't seem to maintain session when it is redirected after a login process. Login was successful, but once you got redirected, the session is lost - and you got logged out. However the problem is only seen if I am using a parent cache (which is a Squid proxy of my ISP).

One possible cause to this is if the site encodes the requesting IP in the session, and you allow your first Squid to go direct bypassing the parent. Setting prefer_direct off, or never_direct allow all, may help in such case.

But if this is the cause then it's really a bug in the web site as source IP may vary pretty randomly when requests are forwarded via a mesh of proxies or when the client is roaming between different networks.

Regards
Henrik
[squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Please try testing this with squidclient or another dumb http client. The major browsers are all pretty braindead in different manners when it comes to non-anonymous FTP URLs and can confuse matters greatly. Regards Henrik
Re: [squid-users] STABLE squid repo location?
Sat 2011-12-17 at 03:44 +0100, Henrik Nordström wrote:

Thu 2011-12-15 at 11:48 -0500, Michael Altfield wrote:

I think I might have found it here (https://code.launchpad.net/~squid/squid/3.1), but I'm not sure if this is the STABLE repository. If it is, can someone please explicitly say so in the README of the repo or on the wiki (http://wiki.squid-cache.org/BzrInstructions). If not, please let me know where to find it.

The official source repository for Squid-3 is the bazaar repository at bzr.squid-cache.org/squid3/ where you find 3.1 in branches/SQUID_3_1

bzr.squid-cache.org/bzr/squid3/ even,..

But launchpad is an automatic mirror of the same, and contains exactly the same information with just a slight delay, and much better connectivity.

And as others have mentioned you can also view the changesets from our web page, divided per release. This view is slightly filtered to hide automatic derived changes with no impact on the code as such.

http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_17.html
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_18.html

Any specific change you are looking for?

Regards
Henrik