Re: [squid-users] blacklist

2012-03-05 Thread FredB
 
 Hi all.
 
 Currently I have 3 servers running with squid and haproxy balancing
 ahead of them.
 It works perfectly.
 Now I want to block porn sites, viruses, external proxies, etc ...
 I tried dansguardian and squidguard, but they slow down my squid and I
 do not like that.
 
 Can I use:
 
 A simple acl with domains from
 http://squidguard.mesd.k12.or.us/blacklists.tgz lowered (for example)
 
 An ICAP server?
 
 Thank you.
 

Hi,

Dansguardian slow? I agree for SquidGuard, but I'm using Dansguardian without
problems at 700 requests/second max (average 450 r/s).
If your hardware is too light, look at something like OpenDNS, or better dnsmasq:
domains only, but faster than light, and you can mix it with dansguardian or
acls for objects and urls.

Fred


Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Amos Jeffries

On 5/03/2012 8:33 p.m., Jiang Wen Dong wrote:

This is not what I want.
I want proxy_auth user maxconn=100, others maxconn=50.


Yes. That is what the config I wrote does.

# if user has connections > 100,  deny even if logged in
# else if user is logged in,  allow (up to 100)
# else if connections > 50,  deny more than 50 connections

(extra lines are for good security, allowing random person on The 
Internet 50 connections is not good)

# else other local clients, allow
# else deny

Amos


-Original Message-
From: Amos Jeffries

On 05.03.2012 14:16, Jiang Wen Dong wrote:

My English is not good, hope you can understand what I'm saying.

I want to set default maxconn=50, and maxconn=100 for proxy_auth users.

If I set the default maxconn before proxy_auth, then proxy_auth users get
maxconn=50, not maxconn=100.

If I set the default maxconn after proxy_auth, every user gets an auth
dialog window, which I do not want shown for !proxy_auth users.

How to set a different maxconn number for proxy_auth users from the default
maxconn?


You are thinking about this backwards. Place the widest everybody
limitations first. Then the highest privileged allow permissions. Then repeat 
as you gradually restrict things.

Like this:

   acl login proxy_auth REQUIRED
   acl 100cc maxconn 100
   acl 50cc maxconn 50

   # nobody allowed more than 100 connections
   http_access deny 100cc

   # login users the only ones allowed more than 50
   http_access allow login
   http_access deny 50cc

   # then other LAN clients...
   http_access allow localnet

   # everything not permitted yet is not trusted for any access.
   http_access deny all

Amos



Re: [squid-users] blacklist

2012-03-05 Thread Esteban Torres Rodríguez
On 5 March 2012 09:11, FredB fredbm...@free.fr wrote:

 Hi,

 Dansguardian slow? I agree for SquidGuard, but I'm using Dansguardian without
 problems at 700 requests/second max (average 450 r/s).
 If your hardware is too light, look at something like OpenDNS, or better dnsmasq:
 domains only, but faster than light, and you can mix it with dansguardian or
 acls for objects and urls.

The bbdd of dansguardian is not free. Am I wrong?


 Fred


[squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Jiang Wen Dong
Thank you.
But there's still a problem: a !proxy_auth user will see an auth dialog window,
which is not what I want.
I want !proxy_auth users to pass through, without an auth dialog window.


Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481
Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com





CAUTION: This message may contain privileged and confidential information 
intended only for the use of the addressee named above. If you are not the 
intended recipient of this message you are hereby notified that any use, 
distribution or reproduction of this message is prohibited. If you have 
received this message in error please notify the sender of this message 
immediately.   (  ©TD Tech Co.,Ltd)
Important notice: this email and its attachments are confidential and contain trade secrets protected by law that must not be disclosed. If you received this email by mistake, please be reminded of its confidentiality, notify us immediately and delete the email and its attachments from your system. If you are not the intended recipient of this email, note that you may not use, copy or disclose its contents or those of its attachments to others.
   (  ©TD Tech Co.,Ltd)


Re: [squid-users] blacklist

2012-03-05 Thread Ralf Hildebrandt
* Esteban Torres Rodríguez mortenol.tor...@gmail.com:

  Dansguardian slow? I agree for SquidGuard, but I'm using Dansguardian
  without problems at 700 requests/second max (average 450 r/s).
  If your hardware is too light, look at something like OpenDNS, or better
  dnsmasq: domains only, but faster than light, and you can mix it with
  dansguardian or acls for objects and urls.
 
 The bbdd of dansguardian is not free. Am I wrong?

What is bbdd?
-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Amos Jeffries

On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
Thank you. But there's still a problem, !proxy_auth user will see an
auth dialog window, that is not what I want. I want !proxy_auth user
pass through, without auth dialog window.


Dialog window is a browser feature. Nothing to do with Squid.
You can use this workaround to prevent Squid asking for credentials:
  http_access allow login all

But then you have no way to perform login.

You could change this part:
  http_access allow login
  http_access deny 50cc

to:
  http_access deny 50cc login

so the login popup only appears after 50 connections is reached. Users who
can login get the extra connections, users who can't get an annoying
popup each time they try to go past 50.


Amos

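The orderings argued over in this thread can be checked mechanically rather than by reasoning about them. The following is an added example, not Squid's code and not anything Amos posted: a small Python model of the documented http_access evaluation rules (the first matching line wins; the ACLs on one line are ANDed left to right and the first non-match stops that line; a proxy_auth ACL that meets a request without credentials cannot match, and produces the 407 challenge only when it is the last ACL on its line, which is what the `allow login all` trick relies on). It runs the candidate rule sets against a few constructed clients. The `localnet` ACL is assumed to be defined as usual, and the third rule set, which negates the auth ACL, is my own variant and does not appear in the thread.

```python
"""Added example (not Squid code): a small model of how Squid walks its
http_access lines, used to check the orderings discussed in this thread.

Modelled rules, as documented for Squid:
  * lines are tried in order; the first line whose ACLs all match decides;
  * within a line the ACLs are ANDed left to right and the first
    non-matching ACL stops that line (the rest are not evaluated);
  * a proxy_auth ACL met by a request without credentials cannot match.
    If it is the LAST ACL on the line Squid answers with a 407 challenge
    (the browser login popup); otherwise the line merely fails and the
    next line is tried, which is why "allow login all" suppresses the popup.
"""
from dataclasses import dataclass
from typing import Optional

CHALLENGE = "challenge"  # 407 Proxy Authentication Required goes to the client


@dataclass
class Client:
    user: Optional[str]  # None: request carries no Proxy-Authorization
    conns: int           # TCP connections already open from this client IP
    localnet: bool       # source address is inside the LAN


# ACLs from the thread; "localnet" stands in for the usual 'acl localnet src'
# definition, which the thread assumes exists but does not show.
ACLS = {
    "login": ("proxy_auth", None),
    "100cc": ("maxconn", 100),
    "50cc": ("maxconn", 50),
    "localnet": ("src", None),
    "all": ("all", None),
}


def match_acl(name: str, c: Client):
    """True/False, or None when a proxy_auth ACL needs credentials it lacks."""
    negate = name.startswith("!")
    kind, arg = ACLS[name.lstrip("!")]
    if kind == "maxconn":
        res = c.conns > arg          # matches when the client has MORE than arg
    elif kind == "proxy_auth":
        if c.user is None:
            return None              # undecidable without credentials
        res = True
    elif kind == "src":
        res = c.localnet
    else:                            # "all"
        res = True
    return res != negate


def http_access(rules, c: Client) -> str:
    """rules: [(verdict, [acl names]), ...] in squid.conf order."""
    for verdict, names in rules:
        for i, name in enumerate(names):
            res = match_acl(name, c)
            if res is None:
                if i == len(names) - 1:
                    return CHALLENGE  # auth ACL last on the line: popup
                break                 # otherwise the line just fails
            if not res:
                break
        else:
            return verdict
    # nothing matched: Squid applies the opposite of the last line's verdict
    return "deny" if rules[-1][0] == "allow" else "allow"


# Amos's first answer: 'allow login' is reached by every client with <=100
# connections, so anyone without credentials is challenged.
ORIGINAL = [("deny", ["100cc"]), ("allow", ["login"]), ("deny", ["50cc"]),
            ("allow", ["localnet"]), ("deny", ["all"])]

# His follow-up, as written: 'login' is only evaluated once 50cc matches.
WORKAROUND = [("deny", ["100cc"]), ("deny", ["50cc", "login"]),
              ("allow", ["localnet"]), ("deny", ["all"])]

# Assumption, not on the page: the same line with the auth ACL negated.
NEGATED = [("deny", ["100cc"]), ("deny", ["50cc", "!login"]),
           ("allow", ["localnet"]), ("deny", ["all"])]

if __name__ == "__main__":
    for label, c in [("anonymous LAN, 10 conns", Client(None, 10, True)),
                     ("anonymous LAN, 60 conns", Client(None, 60, True)),
                     ("logged-in LAN, 60 conns", Client("alice", 60, True)),
                     ("anonymous Internet, 10 conns", Client(None, 10, False))]:
        print(f"{label:30} original={http_access(ORIGINAL, c):9} "
              f"workaround={http_access(WORKAROUND, c):9} "
              f"negated={http_access(NEGATED, c)}")
```

Running it prints one row per constructed client. With the original ordering every client without credentials is challenged at the `allow login` line; with the follow-up line the challenge only appears once a client exceeds 50 connections. Compare the row for the logged-in client above 50 connections across the three rule sets before deploying either line: that is the case where the as-written line and the negated one differ.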




Re: [squid-users] transparent proxy in squid3

2012-03-05 Thread Amos Jeffries

On 5/03/2012 4:29 p.m., pplive wrote:

Dear Amos,

On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:

On 05.03.2012 06:40, pplive wrote:

Dear Amos,

Thanks a lot! By looking at your URL, I have entered the following
commands on my squid3 machine (my HTTP service is at PORT 8080); the
squid3 proxy machine is at 10.0.3.1, the HTTP server (noder) is at
10.0.2.1, and the HTTP client (nodes) is at 10.0.1.1:

yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
--dport 8080 -j ACCEPT
yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
-j DNAT --to-destination 10.0.3.1:3128
yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
3128 -j DROP


snip



However, the proxy still has some problem, when we start wget from the
HTTP client
yeung@nodes:~$ wget 10.0.2.1:8080
--2012-03-04 09:31:39--  http://10.0.2.1:8080/
Connecting to 10.0.2.1:8080... ^C


So far good (modulo the testing with port-8080 factor).



yeung@nodes:~$

We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
following message:
09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022935 ecr 0,nop,wscale 6], length 0

It seems that there were some HTTP-alt traffic coming in from the
switch, but no HTTP traffic going out of the squid3 machine.


Is this a dump of all packets involving port 8080? Or did you add an IP
address or interface direction to hide some packets?

Yes, I use 'sudo tcpdump -i eth0', and I have skipped some LLDP messages
as follows (as the squid3 machine is connected to a programmable
switch):



Does Squid already have a cached copy of the URL object being used as a
test?

There is nothing in access.log


I'm thinking it is probably something in the kernel security controls 
then. SELinux can block interception because it is an MITM attack on the 
clients. Also rp_filter can block the TCP connections in strange places 
and show up like this. Did you restart the networking on the squid box 
after changing sysctl.conf (/etc/init.d/networking restart)?


Amos
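A capture that shows only repeated SYNs with the same sequence number and nothing coming back is the symptom under discussion here. The script below is an added example, not from the thread, that triages tcpdump text for such flows: it re-joins packet lines that a mail client has wrapped, groups packets by direction, and reports every flow that never progressed past SYN and received no packet at all in return. The sample capture embeds the two SYN lines quoted above plus a constructed healthy flow and an ARP line.

```python
"""Added example (not from the thread): triage a tcpdump text capture for
TCP flows that never get past the SYN, the pattern shown in this thread
(repeated SYNs with the same sequence number and nothing coming back).
The sample capture below is constructed from the two SYN lines quoted in
the thread plus one healthy, made-up flow and one ARP line."""
import re
from collections import defaultdict

PKT_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

SAMPLE_CAPTURE = """\
09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022935 ecr 0,nop,wscale 6], length 0
09:31:43.000100 IP 10.0.3.1.40000 > 10.0.2.1.8080: Flags [S], seq 1, win 5840, length 0
09:31:43.000900 IP 10.0.2.1.8080 > 10.0.3.1.40000: Flags [S.], seq 7, ack 2, win 5792, length 0
09:31:44.100000 ARP, Request who-has noder-linkr tell nodes-links, length 46
"""


def join_wrapped(text: str):
    """Re-join packet lines that a mail client wrapped onto several lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PKT_START.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def unanswered_syns(capture_text: str):
    """Return one dict per (src, dst) flow that only ever sent SYNs and saw
    no packet at all in the reverse direction."""
    flows = defaultdict(list)
    for line in join_wrapped(capture_text):
        m = TCP_LINE.match(line)
        if m:
            flows[(m["src"], m["dst"])].append(
                (to_seconds(m["ts"]), m["flags"], m["seq"]))
    report = []
    for (src, dst), pkts in flows.items():
        if any(flags != "S" for _, flags, _ in pkts):
            continue                       # handshake progressed
        if (dst, src) in flows:
            continue                       # the other side answered something
        report.append({
            "src": src, "dst": dst,
            "syns": len(pkts),
            "retransmit_same_seq": len({seq for _, _, seq in pkts}) == 1,
            "seconds_waiting": round(pkts[-1][0] - pkts[0][0], 3),
        })
    return report


if __name__ == "__main__":
    for entry in unanswered_syns(SAMPLE_CAPTURE):
        print(entry)
```

Run it over the output of `tcpdump -n` saved to a file. It does not say where the packets were lost (on this box that still needs the NAT counters, rp_filter and SELinux checks Amos lists), but it separates "nothing ever answered" from "the handshake completed and the proxy failed later", which decides which of those to look at first.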


Re: [squid-users] blacklist

2012-03-05 Thread Esteban Torres Rodríguez
On 5 March 2012 10:39, Ralf Hildebrandt
ralf.hildebra...@charite.de wrote:
 * Esteban Torres Rodríguez mortenol.tor...@gmail.com:

  Dansguardian slow? I agree for SquidGuard, but I'm using Dansguardian
  without problems at 700 requests/second max (average 450 r/s).
  If your hardware is too light, look at something like OpenDNS, or better
  dnsmasq: domains only, but faster than light, and you can mix it with
  dansguardian or acls for objects and urls.

 The bbdd of dansguardian is not free. Am I wrong?

 What is bbdd?

Sorry,

DB? No. A list of domains. I've tried Dansguardian with these lists of domains:

http://dansguardian.org/?page=blacklist

http://urlblacklist.com/

 --
 Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
 ralf.hildebra...@charite.de        Campus Benjamin Franklin
 http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
 Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
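Whether a plain domain list is used through a Squid `dstdomain` ACL, as the original question proposes, or through dnsmasq, as Fred suggests, the list has to be converted to the right shape first. The script below is an added example, not from the thread and not part of squidGuard or any of the linked blacklist projects: it normalises a squidGuard-format domains file, removes entries already covered by a listed parent domain (both Squid and dnsmasq match subdomains implicitly, and Squid warns about redundant dstdomain entries), and emits both output formats. The input list and the file names in the usage note are constructed.

```python
"""Added example, not from the thread: turn a squidGuard-style domain list
(one domain per line, as in the blacklists tarball) into the two formats
the thread proposes as lighter alternatives to a URL filter: a Squid
dstdomain ACL file and a dnsmasq sinkhole configuration.  Input is a
constructed sample; file names in the usage note are assumptions."""

SAMPLE_LIST = """\
# constructed sample in squidGuard domains-file format
ads.example.com
example.com
Tracker.NET
.cdn.tracker.net
"""


def parse_domains(text: str) -> set:
    """One domain per line, '#' comments, case and leading dots ignored."""
    return {ln.strip().lower().lstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def prune_subdomains(domains: set) -> set:
    """Drop entries already covered by a listed parent domain.  Both Squid
    (dstdomain) and dnsmasq match subdomains implicitly, and Squid warns
    about redundant entries."""
    keep = set()
    for dom in sorted(domains, key=lambda d: d.count(".")):  # parents first
        labels = dom.split(".")
        covered = any(".".join(labels[i:]) in keep for i in range(1, len(labels)))
        if not covered:
            keep.add(dom)
    return keep


def to_squid_dstdomain(domains: set) -> str:
    """Leading dot: match the domain and all of its subdomains."""
    return "".join("." + d + "\n" for d in sorted(domains))


def to_dnsmasq(domains: set, sink: str = "0.0.0.0") -> str:
    """address=/domain/ip answers the domain and all subdomains with 'ip'."""
    return "".join(f"address=/{d}/{sink}\n" for d in sorted(domains))


def convert(text: str):
    domains = prune_subdomains(parse_domains(text))
    return to_squid_dstdomain(domains), to_dnsmasq(domains)


if __name__ == "__main__":
    squid_acl, dnsmasq_conf = convert(SAMPLE_LIST)
    print(squid_acl)      # e.g. written to /etc/squid/blocked.domains
    print(dnsmasq_conf)   # e.g. written to /etc/dnsmasq.d/blocklist.conf
```

On the Squid side the generated file goes behind `acl blocked dstdomain "/etc/squid/blocked.domains"` and `http_access deny blocked`, placed before the allow lines (paths assumed). The dnsmasq file goes into /etc/dnsmasq.d/. A DNS sinkhole only filters clients that actually use that resolver, which is why Fred pairs it with a proxy-side acl for objects and URLs.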


[squid-users] Roadmap Squid 3.2

2012-03-05 Thread FredB
Hi all,

Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix
and Alex's patch, which is not yet included in trunk, and I would like to
know the schedule for an official stable release, approximately of course
(before this summer, end of year?)

I had reported some problems with rock store, but maybe it can be considered
an experimental feature for the moment?

Thanks 

Fred


[squid-users] squid with squidguard issue

2012-03-05 Thread Muhammad Yousuf Khan
Can someone please help. I followed
http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and am using lenny,
squid 2.7 and squidguard 1.2.0.

I wrote the line below at the end of squid.conf:
redirect_program /usr/bin/squidGuard

I denied ads in squidGuard.conf, and addme.com is a domain which I
am sure is in the blocklist database.
Now when I go to addme.com it just opens the website (which I don't want).

Here is the squidGuard.conf rule:

dest adult {
        domainlist      ads/domains
#       urllist         /var/lib/squidguard/db/blacklists/porn/urls
#       expressionlist  adult/expressions
        redirect        http://google.com

}

Here is the squidguard log, /var/log/squid/squidGuard.log:

2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)

Here is access.log. The thing which is confusing me is that the redirect
tag, which is supposed to be there, is not present. However I cannot find
any redirect tag in the default 2.7 squid.conf file. Can you please tell me
what is going on and how I can redirect or solve the issue.

1330953994.304    640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910
GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon


Thanks,


[squid-users] Re: squid with squidguard issue

2012-03-05 Thread Muhammad Yousuf Khan
url_rewrite_program /usr/sbin/squidGuard
url_rewrite_children 5

this also doesn't work



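To separate the Squid side of this from squidGuard's own configuration, here is an added example of a minimal url_rewrite helper in Python; it is not squidGuard and not part of the Debian HowTo. It speaks the line protocol Squid 2.7 uses for redirect_program/url_rewrite_program (one request line in; an empty line back to leave the URL alone, or `302:URL` to make Squid redirect the client) and applies squidGuard-style domain matching to a constructed domain list. If this stand-in redirects www.addme.com when plugged into squid.conf, the Squid plumbing works and the problem lies in squidGuard.conf; the path in the usage note is an assumption.

```python
"""Added example, not squidGuard or Squid code: a minimal url_rewrite_program
helper in the line protocol Squid 2.7 uses, with squidGuard-style domain
matching, so the redirect step in this thread can be seen in isolation.
Squid writes one request per line ("URL client_ip/fqdn ident method ...");
the helper answers one line per request: an empty line to leave the URL
alone, or "302:<url>" to have Squid send the client a redirect.
The domain list below is a constructed stand-in for ads/domains."""
import sys
from urllib.parse import urlsplit

DOMAINS_TXT = """\
# constructed stand-in for /var/lib/squidguard/db/ads/domains
addme.com
doubleclick.net
"""
REDIRECT_TO = "http://google.com"   # the 'redirect' target from the thread


def load_domains(text: str) -> set:
    """One domain per line, comments with '#', no leading dots."""
    return {ln.strip().lower().lstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def host_blocked(host: str, domains: set) -> bool:
    """squidGuard domainlist semantics: the domain and every subdomain match,
    but 'notaddme.com' does not match 'addme.com'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def host_of(url: str) -> str:
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]        # CONNECT requests arrive as host:port


def rewrite(request_line: str, domains: set) -> str:
    """One line from Squid in, one answer line (without newline) out."""
    fields = request_line.split()
    if not fields:
        return ""
    if host_blocked(host_of(fields[0]), domains):
        return "302:" + REDIRECT_TO
    return ""                           # empty answer: URL unchanged


def main():
    domains = load_domains(DOMAINS_TXT)
    for line in sys.stdin:              # Squid keeps the helper running
        sys.stdout.write(rewrite(line.rstrip("\n"), domains) + "\n")
        sys.stdout.flush()              # Squid waits until it reads the answer


if __name__ == "__main__":
    main()
```

Install it as `url_rewrite_program /usr/local/bin/block_ads.py` (hypothetical path; the file must be executable) and keep `url_rewrite_children` as in the follow-up message. A helper that does not flush its answer leaves Squid waiting on every request, so try it on a terminal first by typing a request line such as `http://www.addme.com/ 10.51.100.240/- - GET -` and checking that `302:http://google.com` comes back.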


[squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID

2012-03-05 Thread Vignesh Ramamurthy
Hello,

We are using squid to transparently proxy the traffic to a captive
portal that resides on the same machine as the squid server. The
solution was working based on a NAT REDIRECT. We are moving the
solution to TPROXY now as part of the migration to IPv6. TPROXY
works fine in intercepting traffic and is also able to allow
/ deny traffic to IPv6 sites. We are facing a strange issue when we
try to access a URL on the same machine that hosts the squid server.
The access hangs and squid is not able to connect to the URL. We are
using the AOL webserver to host the webpage.

All the configurations recommended by the squid sites are done.
- Firewall rules with the TPROXY and DIVERT chain have been set up as below

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i eth0.20 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
ip6tables -t mangle -A PREROUTING -j ACCEPT

- Policy routing to route proxied traffic to the local box is also
done as recommended
16383:  from all fwmark 0x1 lookup 100
16390:  from all lookup local
32766:  from all lookup main

ip -6 route show table 100
local default dev lo  metric 1024
local default dev eth0.20  metric 1024


The Squid configuration used is standard. I have provided below a
snapshot of cache.log, running squid at full debug level with max
logging; it is the final set of log lines for this transaction.
The URL accessed in the test is
http://[2001:4b8:1::549]/sample_page.adp.

Appreciate any assistance / pointers to solve this. Please do let me
know if any additional information is required.

--- cache.log ---
2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
-
GET /sample_page.adp HTTP/1.1
User-Agent: w3m/0.5.2
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: [2001:4b8:1::549]
Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
Cache-Control: max-age=259200
Connection: keep-alive


--
2012/03/05 04:29:26.320 kid1| Write.cc(21) Write:
local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673
remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall
0x871f6e8*1
2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13,
type=2, handler=1, client_data=0x84df560, timeout=0
2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace
constructed, this=0x871ff48 [call204]
2012/03/05 04:29:26.321 kid1| event.cc(261) will call
MaintainSwapSpace() [call204]
2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call
MaintainSwapSpace [call204]
2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding
'MaintainSwapSpace', in 1.00 seconds
2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools
constructed, this=0x871ff48 [call205]
2012/03/05 04:29:27.149 kid1| event.cc(261) will call
memPoolCleanIdlePools() [call205]
2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call
memPoolCleanIdlePools [call205]
2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding
'memPoolCleanIdlePools', in 15.00 seconds
2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru
constructed, this=0x871ff48 [call206]
2012/03/05 04:29:27.165 kid1| event.cc(261) will call
fqdncache_purgelru() [call206]
2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call
fqdncache_purgelru [call206]
2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding
'fqdncache_purgelru', in 10.00 seconds
2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()

Best Regards,
Vignesh
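The pieces of a TPROXY setup have to agree with each other: the mark DIVERT sets, the `--tproxy-mark`, the `fwmark` in the policy-routing rule, and the table that rule points at. The following is an added example, not Squid or netfilter code and not a fix for the hang described above, that parses the rules exactly as posted in this message and checks those relationships statically; a constructed broken variant shows what a mismatch looks like. It passes for the posted rules, which is useful to know before looking elsewhere (the cache.log lines above show Squid opening the server connection from the client's own address to an address on the same host, which is the next thing to examine).

```python
"""Added example, not Squid or netfilter code: a static consistency check of
the pieces a TPROXY interception setup needs, run over the rule text from
this thread.  It parses ip6tables commands, 'ip -6 rule' output and
'ip -6 route show table N' output and checks that the mark set in DIVERT,
the --tproxy-mark and the policy-routing fwmark agree, that the socket
match precedes the TPROXY rule, and that the routed table delivers locally.
The GOOD_* data is the thread's; the BAD variant is constructed."""
import re

GOOD_IP6TABLES = [
    "ip6tables -t mangle -N DIVERT",
    "ip6tables -t mangle -A DIVERT -j MARK --set-mark 1",
    "ip6tables -t mangle -A DIVERT -j ACCEPT",
    "ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT",
    "ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT",
    "ip6tables -t mangle -A PREROUTING  -i eth0.20 -p tcp --dport 80 -j TPROXY "
    "--tproxy-mark 0x1/0x1 --on-port 8085",
    "ip6tables -t mangle -A PREROUTING -j ACCEPT",
]
GOOD_IP_RULES = [
    "16383:  from all fwmark 0x1 lookup 100",
    "16390:  from all lookup local",
    "32766:  from all lookup main",
]
GOOD_ROUTE_TABLES = {"100": ["local default dev lo  metric 1024",
                             "local default dev eth0.20  metric 1024"]}

# constructed: TPROXY rule before the socket match, and a mismatched mark
BAD_IP6TABLES = [GOOD_IP6TABLES[0],
                 "ip6tables -t mangle -A DIVERT -j MARK --set-mark 2",
                 GOOD_IP6TABLES[2], GOOD_IP6TABLES[5], GOOD_IP6TABLES[3]]


def mark_value(text: str) -> int:
    """'1', '0x1' or '0x1/0x1' -> integer mark (mask ignored)."""
    return int(text.split("/")[0], 0)


def check_tproxy(ip6tables_cmds, ip_rules, route_tables) -> list:
    """Return a list of problem strings; empty means every check passed."""
    problems = []
    cmds = [re.sub(r"\s+", " ", c) for c in ip6tables_cmds if "-t mangle" in c]
    m = next((re.search(r"-A DIVERT -j MARK --set-mark (\S+)", c) for c in cmds
              if "-A DIVERT -j MARK" in c), None)
    divert_mark = mark_value(m.group(1)) if m else None
    if divert_mark is None:
        problems.append("DIVERT chain never sets a mark")
    pre = [c for c in cmds if "-A PREROUTING" in c]
    i_sock = next((i for i, c in enumerate(pre) if "-m socket -j DIVERT" in c), None)
    i_tproxy = next((i for i, c in enumerate(pre) if "-j TPROXY" in c), None)
    if i_sock is None or i_tproxy is None:
        problems.append("PREROUTING lacks the socket match or the TPROXY rule")
        return problems
    if i_sock > i_tproxy:
        problems.append("socket match must come before the TPROXY rule")
    tproxy_mark = mark_value(re.search(r"--tproxy-mark (\S+)", pre[i_tproxy]).group(1))
    if divert_mark is not None and divert_mark != tproxy_mark:
        problems.append(f"DIVERT mark {divert_mark} != tproxy-mark {tproxy_mark}")
    # policy routing: the mark must lead to a table that delivers locally
    tables = {mark_value(r.group(1)): r.group(2) for r in
              (re.search(r"fwmark (\S+) lookup (\S+)", line) for line in ip_rules) if r}
    table = tables.get(tproxy_mark)
    if table is None:
        problems.append(f"no 'ip rule' sends fwmark {tproxy_mark} to a table")
    elif not any(rt.startswith("local default") for rt in route_tables.get(table, [])):
        problems.append(f"table {table} has no 'local default' route")
    return problems


if __name__ == "__main__":
    print("posted rules:", check_tproxy(GOOD_IP6TABLES, GOOD_IP_RULES, GOOD_ROUTE_TABLES))
    print("broken variant:", check_tproxy(BAD_IP6TABLES, GOOD_IP_RULES, GOOD_ROUTE_TABLES))
```

Feed it the saved output of `ip6tables-save`-style commands, `ip -6 rule` and `ip -6 route show table 100` from the box under test; an empty list means the interception path is at least internally consistent, and each problem string names the rule to fix.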


Re: [squid-users] transparent proxy in squid3

2012-03-05 Thread pplive
Dear Amos,

I did restart the networking.

When I reviewed all the iptables settings again, from tcpdump we can see

09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags
[S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
59678297 ecr 0,nop,wscale 6], length 0
09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags
[S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
59679047 ecr 0,nop,wscale 6], length 0
09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

I think the nodec1 (my squid3 machine) is even able to start an ARP query.

My OS is Ubuntu, kernel version
yeung@nodec1:/etc/squid3$ uname -r
2.6.32-34-generic-pae

I have checked the rp_filter setting, it has been disabled.

Sorry for causing you trouble.

Best,
Alex




Re: [squid-users] transparent proxy in squid3

2012-03-05 Thread pplive
Dear Amos,

To see whether there was some internal firewall in my system, I
tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server (10.0.0.2)

I just followed the settings in
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 8080 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
--to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128
(I use wget 10.0.0.2:8080 at the client)

14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
0,nop,wscale 6], length 0

Still, I am confused about using one NIC: how can I redirect the packets
to port 3128?

Thanks a lot!

Best regards,
Alex

On Mon, Mar 5, 2012 at 4:19 PM, pplive p2pne...@googlemail.com wrote:
 Dear Amos,

 I did restart the networking.

 When I just to review all iptables settings, from tcpdump we can see

 09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags
 [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
 59678297 ecr 0,nop,wscale 6], length 0
 09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags
 [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
 59679047 ecr 0,nop,wscale 6], length 0
 09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

 I think the nodec1 (my squid3 machine) is even able to start an ARP query.

 My OS is Ubuntu, kernel version
 yeung@nodec1:/etc/squid3$ uname -r
 2.6.32-34-generic-pae

 I have checked the rp_filter setting, it has been disabled.

 Sorry for causing you trouble.

 Best,
 Alex


 On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 5/03/2012 4:29 p.m., pplive wrote:

 Dear Amos,


 On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:

 On 05.03.2012 06:40, pplive wrote:

 Dear Amos,

 Thanks a lot! By looking at your URL, I have enter the following
 commands in my squid3 machine (my HTTP service is at PORT 8080), the
 squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:

 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
 --dport 8080 -j ACCEPT
 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
 -j DNAT --to-destination 10.0.3.1:3128
 yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
 yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
 3128 -j DROP

 snip


 However, the proxy still has some problem, when we start wget from the
 HTTP client
 yeung@nodes:~$ wget 10.0.2.1:8080
 --2012-03-04 09:31:39--  http://10.0.2.1:8080/
 Connecting to 10.0.2.1:8080... ^C


 So far good (modulo the testing with port-8080 factor).


 yeung@nodes:~$

 We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
 following message:
 09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022185 ecr 0,nop,wscale 6], length 0
 09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022935 ecr 0,nop,wscale 6], length 0

 It seems that there were some HTTP-alt traffic coming in from the
 switch, but no HTTP traffic going out of the squid3 machine.

 Is this a dump of all packets involving port 8080? or did you add an IP
 address or interface direction to hide some packets?

 Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages
 as follows (as the squid3 machine is connected to a programmable
 switch):


 Does Squid already have a cached copy of the URL object being used as a
 test?

 There is nothing in access.log


 I'm thinking it is probably something in the kernel security controls then.
 SELinux can block interception because it is an MITM attack on the clients.
 Also rp_filter can block the TCP connections in strange places and show up
 like this. Did you restart the networking on the squid box after changing
 sysctl.conf (/etc/init.d/networking restart)

 Amos


Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread Amos Jeffries

On 06.03.2012 02:07, FredB wrote:

Hi all,

Amos, like I said in bug report, Squid 3.2 is very stable with your
last fix, and Alex's patch which is not already included in trunk, and

I would like to know the schedule for an official stable release,
approximately of course (before this summer, end of year ?)


The checklist I have to work by is at 
http://wiki.squid-cache.org/ReleaseProcess#Squid-3
We are looping around at the freeze stage (3), waiting to reach 0 
major+ bugs before we can start the stable release countdown stages 
(4+).



We are intending 3.2 to supersede and obsolete all 3.x and 2.x series 
releases. Which means there are just over 50 bugs rated major or higher 
which need to be confirmed as fixed in 3.2, or downgraded before 3.2 can 
start its stability countdown.


  A lot of these bugs, particularly 2.x ones, just need somebody to 
check and verify that the described behaviour is not reproducible in 3.2 
anymore. At which point they can be closed against target of 3.2. 
Another half dozen or so got closed this month, but there are many more 
to go.


  This is a task nearly anyone can do. You just need a network setup 
similar to the reporters.



Anyone interested in a bug marathon for the next 6-8 weeks?




I had reported some problems with rock store but maybe it can be
consider like an experimental feature for the moment ?


It is experimental until there has been at least one stable cycle of 
wide use to wrinkle out any minor bugs and edge cases. If the bug you 
have reported can be considered normal or lower then it will not block 
the stable release. Keeping in mind that the shared memory change is a 
feature affecting everybody, so the precise location of the bug impacts 
its importance a lot.


Amos



Re: [squid-users] Re: squid with squidguard issue

2012-03-05 Thread Amos Jeffries

On Mon, Mar 5, 2012 at 6:40 PM, Muhammad Yousuf Khan wrote:

can some one plz help. i followed
http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny
squid 2.7 and squidguard 1.2.0

i write the below line at the end of squid.conf
redirect_program /usr/bin/squidGuard

i denied ads in squidGuard.conf and addme.com is a domain which i

am sure is in the list of blocklist database.
now when i go to addme.com it just open the website (which i dont 
want though)



NOTE: squidGuard is not part of Squid and is not supported by the Squid 
Project.


For support please contact the squidGuard user help.

Amos


Re: [squid-users] Implement Tproxy on Debian squeeze

2012-03-05 Thread E.S. Rosenberg
2012/3/2 Yucong Sun (叶雨飞) sunyuc...@gmail.com:
 I think what happens is the document seems to be wrong, the kernel
 already has TPROXY compiled in, look for /boot/config-   and
 search for TPROXY, it should say m.

 for the iptables rules, you will need to use the mangle table, there's no
 tproxy table anymore.

 as such

 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port
 proxyport  \
              --tproxy-mark 0x1/0x1


 on my machine ubuntu 10.04 LTS,  Linux fullcenter 2.6.32-37-server
 #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
 I have TPROXY 4.1.0 included, not sure about debian.

 [5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 
 4.1.0
 [5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.


 However, I do want to add an additional question, suppose my proxy
 machine will be acting as network gateway to my LAN, can I simply
 achieve the same effect by simply
 -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
 127.0.0.1:  ??? why was tproxy needed in the first place?
As far as I understood it you would use tproxy if you want to expose
your internal IPs to the other side, so if for instance my internal
network is actually a publicly routable block and I don't want to NAT
that then you use tproxy, whereas the effect of the rule you write
above is basically NAT in that the original source will be invisible
to the destination.

But I may not have understood things right...
Regards,
Eli

 Thanks.

 On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau da...@touzeau.eu wrote:

 There is bad news, backports did not change something according Tproxy
 Only kernel 3.2x is available on backports repository.

 apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
 apt-get install -t squeeze-backports upgrade
 reboot
 my kernel is now
 Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11
 14:57:20 UTC 2012 i686 GNU/Linux


  iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY
 --on-port 80
 WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be
 ignored in a future release.
 iptables v1.4.8: can't initialize iptables table `tproxy': Table does not
 exist (do you need to insmod?)
 Perhaps iptables or your kernel needs to be upgraded

 grep -i iptables /boot/config-`uname -r`
 CONFIG_IP_NF_IPTABLES=m
 CONFIG_IP6_NF_IPTABLES=m
 # iptables trigger is under Netfilter config (LED target)

 SNIF, SNIF


 Le 02/03/2012 17:03, David Touzeau a écrit :

 iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
 TPROXY --on-port 80


Re: [squid-users] transparent proxy in squid3

2012-03-05 Thread Amos Jeffries

On 06.03.2012 11:09, pplive wrote:

Dear Amos,

To see whether there were some internal firewall in my system , I
tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server 
(10.0.0.2)


I just follow the setting in

http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 8080 -j redirect --redirect-target ACCEPT


ACCEPT on the layer-2 bridging is to handle the packet entirely at 
that low layer.


It needs to be DROPed out of the bridging layer into the iptables 
layer handling before NAT can change the IP/port and routing can shift 
it to the INPUT path where Squid gets it.





iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
--to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128
(I use wget 10.0.0.2:8080 at the client)

14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
0,nop,wscale 6], length 0

Still, I am confused about using one NIC: how can I redirect the packets
to port 3128?


NAT is a special system which can change packets on both bridging and 
routing layers but does not itself make them change layer.


 So what the above trace shows is that packets arriving are NAT/NAPT 
changed as they flow through the bridge. But not anything else.



tcpdump gets packets before any of the iptables etc handling gets done 
to them. So it's useful to verify that the packets are arriving and/or 
leaving the NIC as expected, but not much help deciphering what is 
happening to them in the middle around where Squid sits.

 We have to rely on ebtables/iptables LOG functionality for those bits.


I'm sorry I can't be of much more help. Beyond suggesting to try later 
versions of the software including kernel I've run out of ideas.


Amos
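
The debugging approach above (tcpdump shows what reached the NIC, an iptables LOG rule shows what reached netfilter) can be automated by diffing the two. The script below is an added example and is not code from this thread or from the Squid project. It assumes `tcpdump -n` output (numeric addresses, so the `>` separator and ports parse cleanly) and the kernel log lines produced by a rule such as `iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG --log-prefix "TEST: "`; the sample lines are constructed, modeled on the ones posted in the thread.

```python
"""Correlate SYNs seen by tcpdump with hits on an iptables LOG rule.

Added example for the squid-users interception debugging thread; not code
from the thread or from the Squid project. Assumes `tcpdump -n` output and
the kernel LOG format of an iptables rule with --log-prefix "TEST: ".
"""
import re

# tcpdump -n: "<time> IP A.B.C.D.sport > E.F.G.H.dport: Flags [S], ..."
TCPDUMP_SYN = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]"
)

# kernel LOG: "... TEST: IN=eth0 OUT= MAC=... SRC=a DST=b ... PROTO=TCP SPT=p DPT=q ..."
KERNEL_LOG = re.compile(
    r"(?P<prefix>[^:\s]+): IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)


def wire_syns(tcpdump_lines, dport):
    """Connection attempts (src, sport, dst, dport) that reached the NIC.

    Retransmitted SYNs collapse into one flow because a set is used.
    """
    flows = set()
    for line in tcpdump_lines:
        m = TCPDUMP_SYN.match(line)
        if m and int(m["dport"]) == dport:
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def chain_hits(kernel_lines, prefix, dport):
    """Flows for which the LOG rule tagged `prefix` fired."""
    flows = set()
    for line in kernel_lines:
        m = KERNEL_LOG.search(line)
        if m and m["prefix"] == prefix and int(m["dport"]) == dport:
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def never_reached_netfilter(tcpdump_lines, kernel_lines, prefix="TEST", dport=8080):
    """SYNs seen on the wire for which the LOG rule never fired.

    Empty result: packets do enter the chain, so look at NAT/routing after it.
    Non-empty result: packets are dropped, or bridged past the IP layer,
    before iptables ever sees them.
    """
    return sorted(wire_syns(tcpdump_lines, dport) - chain_hits(kernel_lines, prefix, dport))


# Constructed sample input (not captured from a real host), modeled on the
# thread: 10.0.1.1 is the client, 10.0.2.1 the server, 10.0.3.1 the proxy.
TCPDUMP = """\
19:20:09.439059 IP 10.0.1.1.40520 > 10.0.2.1.8080: Flags [S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val 68449700 ecr 0,nop,wscale 6], length 0
19:20:12.438812 IP 10.0.1.1.40520 > 10.0.2.1.8080: Flags [S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val 68450450 ecr 0,nop,wscale 6], length 0
19:26:51.347175 IP 10.0.1.1.41022 > 10.0.3.1.8080: Flags [S], seq 1779139991, win 5840, options [mss 1460,sackOK,TS val 68550176 ecr 0,nop,wscale 6], length 0
19:26:51.347287 IP 10.0.3.1.8080 > 10.0.1.1.41022: Flags [R.], seq 0, ack 1779139992, win 0, length 0
"""

KLOG = """\
Mar  5 19:26:51 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT= MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP SPT=41022 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    # The flow to the real server reached the NIC but never hit the LOG rule.
    for src, sport, dst, dport in never_reached_netfilter(TCPDUMP.splitlines(), KLOG.splitlines()):
        print("on wire, not in chain: %s:%d -> %s:%d" % (src, sport, dst, dport))
```

Two points about where to put the LOG rule: the nat table only sees the first packet of each connection, so a LOG rule in nat PREROUTING records exactly the SYNs this script compares against; if you want every packet, put it in raw or mangle PREROUTING instead. On the bridge setup from earlier in the thread, match on `-i br0` and make sure the ebtables broute rule hands the packet to the IP layer (DROP in the broute table), otherwise nothing in iptables will ever log it no matter how the rule is written.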


[squid-users] domain list 'optimizer'

2012-03-05 Thread E.S. Rosenberg
I'm just wondering if anyone ever wrote a tool to optimize the various
huge lists provided by different people or even self built lists...

What do I mean by optimize?
When the list is of type dstdomain and contains entries:
www.domain.ex
www2.domain.ex
www-dumb.domain.ex
x.www.domain.ex
www3.domain.ex

If you know that domain.ex is actually a domain of whatever the list
type is you can just change all those entries into one .domain.ex
entry...

Regards,
Eliyahu - אליהו
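
The collapse described above can be scripted. The following is an added example, not a tool from the thread or from the Squid project. It relies on the dstdomain convention that `.domain.ex` matches domain.ex and every host below it while `www.domain.ex` matches that one host only, and it only folds hosts into a `.parent` entry for parents you explicitly declare, because a list of blocked web hosts says nothing about the other hosts under the same domain. Entries already matched by a wider wildcard in the same list are dropped in any case; Squid warns at startup about such overlapping dstdomain entries, so this also quietens the parse. The sample list is constructed from the entries in the post.

```python
"""Optimizer for a Squid dstdomain list.

Added example, not code from the squid-users thread or from Squid itself.
Convention assumed: '.domain.ex' matches domain.ex and all subdomains;
'www.domain.ex' matches exactly that host.
"""


def normalize(entry):
    """Lower-case an entry, strip whitespace, a trailing comment and a trailing dot."""
    return entry.split("#", 1)[0].strip().lower().rstrip(".")


def covered_by(entry, wildcard):
    """True if the dstdomain wildcard '.parent' already matches `entry`.

    `entry` may be an exact host or itself a wildcard ('.child.parent').
    """
    parent = wildcard[1:]
    host = entry[1:] if entry.startswith(".") else entry
    return host == parent or host.endswith("." + parent)


def optimize(lines, collapse_domains=()):
    """Return a sorted, minimal dstdomain list.

    collapse_domains: domains you *know* belong wholly in this list. Every
    entry under them is replaced by a single '.domain' wildcard. Hosts that
    merely share a parent are kept as they are.
    """
    entries = {normalize(line) for line in lines}
    entries.discard("")

    # Explicit collapses become wildcards; anything under them is redundant.
    wildcards = {"." + normalize(d).lstrip(".") for d in collapse_domains}
    entries = {e for e in entries if not any(covered_by(e, w) for w in wildcards)}
    entries |= wildcards

    # Drop every entry already matched by a wider wildcard in the same list,
    # e.g. 'ads.example.net' when '.ads.example.net' is present.
    all_wildcards = [e for e in entries if e.startswith(".")]
    result = [
        e for e in entries
        if not any(w != e and covered_by(e, w) for w in all_wildcards)
    ]
    return sorted(result)


# Constructed sample list (not a real blacklist), modeled on the post.
SAMPLE = """\
www.domain.ex
www2.domain.ex
www-dumb.domain.ex
x.www.domain.ex
www3.domain.ex
ads.example.net        # exact host ...
.ads.example.net       # ... made redundant by this wildcard
tracker.example.net
"""

if __name__ == "__main__":
    before = [l for l in SAMPLE.splitlines() if normalize(l)]
    after = optimize(SAMPLE.splitlines(), collapse_domains=["domain.ex"])
    print("\n".join(after))
    print("# %d entries -> %d" % (len(before), len(after)))
```

Feed the output straight to `acl blacklist dstdomain /path/to/list`; without the `collapse_domains` argument the script only removes entries a wildcard already covers, which is the safe default for lists you did not build yourself.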


Re: [squid-users] Implement Tproxy on Debian squeeze

2012-03-05 Thread Amos Jeffries

On 06.03.2012 11:42, E.S. Rosenberg wrote:

2012/3/2 Yucong Sun (叶雨飞):

I think what happens is the document seems to be wrong, the kernel
already has TPROXY compiled in, look for /boot/config-   and
search for TPROXY, it should say m.

for the iptables rules, you will need to use the mangle table, there's no
tproxy table anymore.


There was never a TPROXY table. It has always been the mangle table, 
with TPROXY *target*.





However, I do want to add an additional question, suppose my proxy
machine will be acting as network gateway to my LAN, can I simply
achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
127.0.0.1:  ??? why was tproxy needed in the first place?



As far as I understood it you would use tproxy if you want to expose
your internal IPs to the other side, so if for instance my internal
network is actually a publicly routable block and I don't want to NAT
that then you use tproxy, whereas the effect of the rule you write
above is basically NAT in that the original source will be invisible
to the destination.

But I may not have understood things right...



Sort-of. Exposure is only limited to the in and out ports of Squid.  
TPROXY can work alongside proper address-only NAT to gain the address 
obfuscation if you want it. Or with any kind of firewalls for actual 
security.


You would also use TPROXY if you needed to do traffic interception for 
protocols other than IPv4.



For OS where transparent proxy works there are no more technical reasons 
to use NAT. OpenBSD 5.x for example seem to have jumped the whole 
upgrade process and no longer support NAT interception at all, using 
divert sockets which is their version of TPROXY, across the main set 
of system tools.


Amos



Re: [squid-users] Implement Tproxy on Debian squeeze

2012-03-05 Thread E.S. Rosenberg
2012/3/6 Amos Jeffries squ...@treenet.co.nz:
 On 06.03.2012 11:42, E.S. Rosenberg wrote:

 2012/3/2 Yucong Sun (叶雨飞):

 I think what happens is the document seems to be wrong, the kernel
 already has TPROXY compiled in, look for /boot/config-   and
 search for TPROXY, it should say m.

 for the iptables rules, you will need to use the mangle table, there's no
 tproxy table anymore.


 There was never a TPROXY table. It has always been the mangle table, with
 TPROXY *target*.




 However, I do want to add an additional question, suppose my proxy
 machine will be acting as network gateway to my LAN, can I simply
 achieve the same effect by simply
 -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
 127.0.0.1:  ??? why was tproxy needed in the first place?


 As far as I understood it you would use tproxy if you want to expose
 your internal IPs to the other side, so if for instance my internal
 network is actually a publicly routable block and I don't want to NAT
 that then you use tproxy, whereas the effect of the rule you write
 above is basically NAT in that the original source will be invisible
 to the destination.

 But I may not have understood things right...



 Sort-of. Exposure is only limited to the in and out ports of Squid.
  TPROXY can work alongside proper address-only NAT to gain the address
 obfuscation if you want it. Or with any kind of firewalls for actual
 security.

 You would also use TPROXY if you needed to do traffic interception for
 protocols other than IPv4.


 For OS where transparent proxy works there are no more technical reasons to
 use NAT. OpenBSD 5.x for example seem to have jumped the whole upgrade
 process and no longer support NAT interception at all, using divert
 sockets which is their version of TPROXY, across the main set of system
 tools.
That is assuming the TPROXY machine sits on the line of the machines
going out, if it's just a firewall that is redirecting all port 80
traffic to the proxy on a different subnet you would still use it I
would think?

Thanks,
Eli

 Amos



Re: [squid-users] Implement Tproxy on Debian squeeze

2012-03-05 Thread Amos Jeffries

On 06.03.2012 12:54, E.S. Rosenberg wrote:

2012/3/6 Amos Jeffries squ...@treenet.co.nz:

On 06.03.2012 11:42, E.S. Rosenberg wrote:


2012/3/2 Yucong Sun (叶雨飞):


I think what happens is the document seems to be wrong, the kernel
already has TPROXY compiled in, look for /boot/config-   and
search for TPROXY, it should say m.

for the iptables rules, you will need to use the mangle table, there's no
tproxy table anymore.


There was never a TPROXY table. It has always been the mangle table, with
TPROXY *target*.




However, I do want to add an additional question, suppose my proxy
machine will be acting as network gateway to my LAN, can I simply
achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
127.0.0.1:  ??? why was tproxy needed in the first place?


As far as I understood it you would use tproxy if you want to expose
your internal IPs to the other side, so if for instance my internal
network is actually a publicly routable block and I don't want to NAT
that then you use tproxy, whereas the effect of the rule you write
above is basically NAT in that the original source will be invisible
to the destination.

But I may not have understood things right...



Sort-of. Exposure is only limited to the in and out ports of Squid.
 TPROXY can work alongside proper address-only NAT to gain the address
obfuscation if you want it. Or with any kind of firewalls for actual
security.

You would also use TPROXY if you needed to do traffic interception for
protocols other than IPv4.


For OS where transparent proxy works there are no more technical reasons to
use NAT. OpenBSD 5.x for example seem to have jumped the whole upgrade
process and no longer support NAT interception at all, using divert
sockets which is their version of TPROXY, across the main set of system
tools.

That is assuming the TPROXY machine sits on the line of the machines
going out, if it's just a firewall that is redirecting all port 80
traffic to the proxy on a different subnet you would still use it I
would think?


If by line you mean the packet flow at a virtual level, yes. TPROXY 
is similar to a virtual bridge. Interception in any form assumes the 
packets are reaching the machine somehow.


Actually bridging the packets across a box with TPROXY on it is the 
easy way to configure it. Policy routing is the slightly harder way. 
The only difference in these installations between TPROXY and NAT is 
what properties the routing logic needs to make decisions on.


Amos


Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread david

On Tue, 6 Mar 2012, Amos Jeffries wrote:


On 06.03.2012 02:07, FredB wrote:

Hi all,

Amos, like I said in bug report, Squid 3.2 is very stable with your
last fix, and Alex's patch which is not already included in trunk, and
I would like to know the schedule for an official stable release,
approximately of course (before this summer, end of year ?)


The checklist I have to work by is at 
http://wiki.squid-cache.org/ReleaseProcess#Squid-3
We are looping around at the freeze stage (3), waiting to reach 0 major+ 
bugs before we can start the stable release countdown stages (4+).



We are intending 3.2 to supersede and obsolete all 3.x and 2.x series 
releases. Which means there are just over 50 bugs rated major or higher which 
need to be confirmed as fixed in 3.2, or downgraded before 3.2 can start its 
stability countdown.


I haven't checked in the last several months, but has there been any 
progress on the fact that ACLs are so much more expensive to evaluate in 
3.x than in 1.x or 2.x?


David Lang


Re: [squid-users] squid with squidguard issue

2012-03-05 Thread jeffrey j donovan

On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote:

 can some one plz help. i followed
 http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny
 squid 2.7 and squidguard 1.2.0
 
 i write the below line at the end of squid.conf
 redirect_program /usr/bin/squidGuard

okay

 
 i denied ads in squidGuard.conf and addme.com is a domain which i
 am sure is in the list of blocklist database.
 now when i go to addme.com it just open the website (which i dont want 
 though)
 
 here is squidGuard.conf rule.
 
 dest adult {
     domainlist  ads/domains
 #   urllist /var/lib/squidguard/db/blacklists/porn/urls
 #   expressionlist  adult/expressions
     redirect http://google.com
 
 }

You need to supply a source and destination: basically who is allowed to access 
squidGuard, and then tell squidGuard what to do with the client's 
request, allow or deny.

eg; 
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log


#
# SOURCE ADDRESSES:

src admin {
    ip  10.1.1.1
}

src fooclients {
    ip  10.132.0.0/16 10.155.0.0/16
}

src freedomzone {
    ip  10.154.1.0/24 10.154.2.0/24
}
# DESTINATION CLASSES:
#
dest whitelist {
    domainlist  whitelist/domains
}
dest education {
    domainlist education/schools/domains
    urllist education/schools/urls
}
dest denied {
    domainlist  denied/domains
    urllist denied/urls
    redirect http://10.0.2.3/surfb1.html
    log deniedaccess.log
}

acl {
    admin {
        pass any
    }

    fooclients {
        pass whitelist education !denied any
    } else {
        pass any
    }
    freedomzone {
        pass whitelist education !pornexp !porn any
        redirect http://staff2.beth.k12.pa.us/index.html
    } else {
        pass any
    }

    default {
        pass none
        redirect http://10.0.2.3/index.html
    }
}




 
 here is squidguard log. /var/log/squid/squidGuard.log
 
 2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
 2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
 2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
 2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
 2012-03-05 08:06:53 [4182] destblock local missing active content, set 
 inactive
 2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
 2012-03-05 08:06:53 [4182] loading dbfile 
 /var/lib/squidguard/db/ads/domains.db
 2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
 2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
 2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)
 
 here is access.log. The thing which is making me confused is that the redirect
 tag is not present, which is supposed to be there. However I cannot find
 any redirect tag in the default 2.7 squid.conf file. Can you please tell me
 what is going on and how I can redirect or solve the issue.
 
 1330953994.304 640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910
 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon
 
 
 Thanks,



Re: [squid-users] squid with squidguard issue

2012-03-05 Thread Benjamin E. Nichols

Well you could use Squid's built-in blacklist capabilities instead of
adding complexity by trying to use squidGuard or DansGuardian,
particularly if you're a noob at Squid. I've taken a look at them and
decided that it's too much effort to try and implement. Rather, this is
how I've done it.


Try this instead, it's what I do.

Create a blacklist file and place it somewhere; mine is in my squid dir:

/etc/squid3/squid-block.acl  (you can name it whatever you want of course)

Add a few test entries to this file in the following format:

.pornsite.com
.unwantedsite.com
.whatevershit.com
.someshitwebsite.com

The leading . will ensure that www.pornsite.com or any subdomain is also blocked.


So next add these lines to your squid.conf:

#blacklist by haxradio.com==

acl blacklist dstdomain /etc/squid3/squid-block.acl
http_access deny blacklist

#==

then do

squid3 +k reconfigure   (assuming that you're running the squid3.x series)

Voila, you are blocking sites using a blacklist my friend.

btw, just ignore the stupid warning messages. They do not affect the
functionality of this feature and I've learned
to just ignore them.

Thanks to Amos for helping me to properly do this.





On 03/05/2012 05:19 PM, jeffrey j donovan wrote:

On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote:

   

can some one plz help. i followed
http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and using lenny
squid 2.7 and squidguard 1.2.0

i write the below line at the end of squid.conf
redirect_program /usr/bin/squidGuard
 

okay

   

i denied ads in squidGuard.conf and addme.com is a domain which i
am sure is in the list of blocklist database.
now when i go to addme.com it just open the website (which i dont want though)

here is squidGuard.conf rule.

dest adult {
    domainlist  ads/domains
#   urllist /var/lib/squidguard/db/blacklists/porn/urls
#   expressionlist  adult/expressions
    redirect http://google.com

}
 

You need to supply a source and destination: basically who is allowed to access 
squidGuard, and then tell squidGuard what to do with the client's 
request, allow or deny.

eg;
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log


#
# SOURCE ADDRESSES:

src admin {
    ip  10.1.1.1
}

src fooclients {
    ip  10.132.0.0/16 10.155.0.0/16
}

src freedomzone {
    ip  10.154.1.0/24 10.154.2.0/24
}
# DESTINATION CLASSES:
#
dest whitelist {
    domainlist  whitelist/domains
}
dest education {
    domainlist education/schools/domains
    urllist education/schools/urls
}
dest denied {
    domainlist  denied/domains
    urllist denied/urls
    redirect http://10.0.2.3/surfb1.html
    log deniedaccess.log
}

acl {
    admin {
        pass any
    }

    fooclients {
        pass whitelist education !denied any
    } else {
        pass any
    }
    freedomzone {
        pass whitelist education !pornexp !porn any
        redirect http://staff2.beth.k12.pa.us/index.html
    } else {
        pass any
    }

    default {
        pass none
        redirect http://10.0.2.3/index.html
    }
}




   

here is squidguard log. /var/log/squid/squidGuard.log

2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)

here is access.log. The thing which is making me confused is that the redirect
tag is not present, which is supposed to be there. However I cannot find
any redirect tag in the default 2.7 squid.conf file. Can you please tell me
what is going on and how I can redirect or solve the issue.

1330953994.304 640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910
GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon


Thanks,
 
   




Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread Amos Jeffries

On 06.03.2012 14:15, david wrote:

On Tue, 6 Mar 2012, Amos Jeffries wrote:


On 06.03.2012 02:07, FredB wrote:

Hi all,
Amos, like I said in bug report, Squid 3.2 is very stable with your
last fix, and Alex's patch which is not already included in trunk, and

I would like to know the schedule for an official stable release,
approximately of course (before this summer, end of year ?)


The checklist I have to work by is at 
http://wiki.squid-cache.org/ReleaseProcess#Squid-3
We are looping around at the freeze stage (3), waiting to reach 0 
major+ bugs before we can start the stable release countdown stages 
(4+).



We are intending 3.2 to supersede and obsolete all 3.x and 2.x 
series releases. Which means there are just over 50 bugs rated major 
or higher which need to be confirmed as fixed in 3.2, or downgraded 
before 3.2 can start its stability countdown.


I haven't checked in the last several months, but has there been any
progress on the fact that ACLs are so much more expensive to evaluate
in 3.x than in 1.x or 2.x?

David Lang


regex optimizations were done after your last message. Since your 
worst-case tests had many regex I was hoping to hear back from you about 
whether that was significant progress or more was needed.


The other major optimizations have been mostly in request and DNS 
handling.


Amos



Re: [squid-users] Re: squid with squidguard issue

2012-03-05 Thread Amos Jeffries

On 06.03.2012 14:46, Benjamin E. Nichols wrote:

Well you could use Squid's built-in blacklist capabilities instead of
adding complexity by trying to use squidGuard or DansGuardian,
particularly if you're a noob at Squid. I've taken a look at them and
decided that it's too much effort to try and implement. Rather, this 
is how I've done it.


Try this instead, it's what I do.

Create a blacklist file and place it somewhere; mine is in my squid 
dir:


/etc/squid3/squid-block.acl  (you can name it whatever you want of 
course)


Add a few test entries to this file in the following format:

.pornsite.com
.unwantedsite.com
.whatevershit.com
.someshitwebsite.com

The leading . will ensure that www.pornsite.com or any subdomain is also 
blocked.


(Attached is a copy of my own blacklist I use to block porn,
malicious sites, and advertisements combined from several published
blacklists that I have allready formatted for squid using sed and
awk.)

So next add these  lines to your squid.conf

#blacklist by haxradio.com==

acl blacklist dstdomain /etc/squid3/squid-block.acl
http_access deny blacklist

#==

then do

squid3 +k reconfigure   (assuming that you're running the squid3.x series)



Er, -k


Voila, you are blocking sites using a black list my friend.

btw, just ignore the stupid warning messages. They do not affect the
functionality of this feature and I've learned
to just ignore them.


Which warning messages?


Amos



Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread david

On Tue, 6 Mar 2012, Amos Jeffries wrote:


On 06.03.2012 14:15, david wrote:

On Tue, 6 Mar 2012, Amos Jeffries wrote:


On 06.03.2012 02:07, FredB wrote:

Hi all,
Amos, like I said in bug report, Squid 3.2 is very stable with your
last fix, and Alex's patch which is not already included in trunk, and
I would like to know the schedule for an official stable release,
approximately of course (before this summer, end of year ?)


The checklist I have to work by is at 
http://wiki.squid-cache.org/ReleaseProcess#Squid-3
We are looping around at the freeze stage (3), waiting to reach 0 major+ 
bugs before we can start the stable release countdown stages (4+).



We are intending 3.2 to supersede and obsolete all 3.x and 2.x series 
releases. Which means there are just over 50 bugs rated major or higher 
which need to be confirmed as fixed in 3.2, or downgraded before 3.2 can 
start its stability countdown.


I haven't checked in the last several months, but has there been any
progress on the fact that ACLs are so much more expensive to evaluate
in 3.x than in 1.x or 2.x?

David Lang


regex optimizations were done after your last message. Since your worst-case 
tests had many regex I was hoping to hear back from you about whether that 
was significant progress or more was needed.


Ok, I'll check things.

I will point out that even when I changed my tests to have no regexes in 
them there was still a very large performance hit from the ACL checking.


David Lang


The other major optimizations have been mostly in request and DNS handling.

Amos




Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread Ed W
Is Squid-3.2.0.15 the most stable release to be using for deployment 
on the bleeding edge, or is 3.2.0.12 still the safest bet?  In the past 
you have given some guidance as builds have moved into new functionality 
vs bug squashing phases?


Are you imminently about to release 3.2.0.16?

Does someone have some big picture comments on rock store - benefits, 
any known issues?


Cheers

Ed W


Re: [squid-users] transparent proxy in squid3

2012-03-05 Thread pplive
Dear Amos,

Thanks for your great hint that "tcpdump gets packets before any of the
iptables etc handling gets done to them" and "We have to rely on
ebtables/iptables LOG functionality for those bits".

Now I start debugging iptables, using
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
--log-prefix "TEST: "

from node-s (sender), we run [node-s (sender), 10.0.1.1, node-r,
10.0.2.1 (receiver), the squid3 machine is 10.0.3.1]

wget 10.0.2.1:8080

while we still see
19:20:09.439059 IP nodes-links.40520 > noder-linkr.http-alt: Flags
[S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val
68449700 ecr 0,nop,wscale 6],
in tcpdump, we see nothing in the iptables log.

in contrast, if we run 'wget 10.0.3.1:8080' (connecting directly to port 8080
of the squid3 machine, although there is no service there), we see information
in both tcpdump
19:26:51.347175 IP nodes-links.41022 > nodec1-tblink-l9.http-alt: Flags [S], seq 1779139991, win 5840, options [mss 1460,sackOK,TS val 68550176 ecr 0,nop,wscale 6], length 0
19:26:51.347287 IP nodec1-tblink-l9.http-alt > nodes-links.41022: Flags [R.], seq 0, ack 1779139992, win 0, length 0

and iptables log

Mar  5 19:24:09 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT=
MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 19:24:09 nodec1 kernel: [28094.303495] TEST: IN=eth0 OUT=
MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0


Can we conclude that the error happened because
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
--log-prefix TEST: 
cannot pick up the 8080 packet forwarded by the switch? Can some
packet loss happen before this step?

I am sorry, I am not very familiar with the Linux kernel/system... and
I have bothered you with so much trouble...

Thanks a lot!

On Mon, Mar 5, 2012 at 5:57 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 06.03.2012 11:09, pplive wrote:

 Dear Amos,

 To see whether there was some internal firewall in my system, I
 tried a simpler topology, i.e.,

 Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server
 (10.0.0.2)

 I just followed the settings in


 http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

 brctl addbr br0
 brctl addif br0 eth0
 brctl addif br0 eth1

 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT


 ACCEPT on the layer-2 bridging is to handle the packet entirely at that
 low layer.

 It needs to be DROPed out of the bridging layer into the iptables layer
 handling before NAT can change the IP/port and routing can shift it to the INPUT
 path where Squid gets it.




 iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
 --to-port 3128

 According to tcpdump, we can see the packets are forwarded to port 3128
 (I use wget 10.0.0.2:8080 at the client)

 14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0
 14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0

 Still, I am confused about using one NIC: how can I redirect the packets
 to port 3128?


 NAT is a special system which can change packets on both bridging and
 routing layers but does not itself make them change layer.

  So what the above trace shows is that packets arriving are NAT/NAPT changed
 as they flow through the bridge. But not anything else.


 tcpdump gets packets before any of the iptables etc handling gets done to
 them. So it's useful to verify that the packets are arriving and/or leaving
 the NIC as expected, but not much help deciphering what is happening to them
 in the middle around where Squid sits.
  We have to rely on ebtables/iptables LOG functionality for those bits.


 I'm sorry I can't be of much more help. Beyond suggesting to try later
 versions of the software including kernel I've run out of ideas.

 Amos
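
The comparison pplive does by eye above, tcpdump output against the nat PREROUTING LOG entries, as an added Python example that is not code from the thread. It assumes tcpdump was run with -n so the lines carry IPs rather than resolved names, and every sample line is constructed from the ones quoted above.

```python
# Added example, not from the thread: correlate the SYNs tcpdump captured on the
# NIC with the ones the nat PREROUTING LOG rule recorded. tcpdump taps the
# packet before netfilter, so a SYN present on the wire but absent from the LOG
# never entered the chain where REDIRECT would act on it. Assumes tcpdump was
# run with -n (IPs, not resolved names); all sample lines are constructed.
import re

# tcpdump -n form: "HH:MM:SS.us IP src.port > dst.port: Flags [S], ..."
TCPDUMP_SYN = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<spt>\d+) > (?P<dst>[\d.]+)\.(?P<dpt>\d+): Flags \[S\]")
# kernel LOG form: "<prefix> IN=... SRC=a DST=b ... PROTO=TCP SPT=n DPT=m ... SYN"
NF_LOG = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP "
                    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?\bSYN\b")

def wire_syns(tcpdump_lines):
    """Set of (src, sport, dst, dport) for every SYN tcpdump captured."""
    flows = set()
    for line in tcpdump_lines:
        m = TCPDUMP_SYN.search(line)
        if m:
            flows.add((m["src"], int(m["spt"]), m["dst"], int(m["dpt"])))
    return flows

def logged_syns(kernel_lines, prefix="TEST:"):
    """Same 4-tuples for SYNs that hit the LOG rule carrying --log-prefix."""
    flows = set()
    for line in kernel_lines:
        m = NF_LOG.search(line)
        if prefix in line and m:
            flows.add((m["src"], int(m["spt"]), m["dst"], int(m["dpt"])))
    return flows

def missing_from_netfilter(tcpdump_lines, kernel_lines, dport=8080, prefix="TEST:"):
    """SYNs to dport seen on the wire but never logged in nat PREROUTING."""
    wire = {f for f in wire_syns(tcpdump_lines) if f[3] == dport}
    return sorted(wire - logged_syns(kernel_lines, prefix))

# Constructed samples modelled on the thread: the SYN towards 10.0.2.1 shows up
# in tcpdump only, the one towards 10.0.3.1 in both places.
TCPDUMP_SAMPLE = [
    "19:20:09.439059 IP 10.0.1.1.40520 > 10.0.2.1.8080: Flags [S], seq 4014254024, "
    "win 5840, options [mss 1460,sackOK,TS val 68449700 ecr 0,nop,wscale 6], length 0",
    "19:26:51.347175 IP 10.0.1.1.41021 > 10.0.3.1.8080: Flags [S], seq 1779139991, "
    "win 5840, options [mss 1460,sackOK,TS val 68550176 ecr 0,nop,wscale 6], length 0",
]
KERNEL_SAMPLE = [
    "Mar  5 19:26:51 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT= "
    "MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1 DST=10.0.3.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP SPT=41021 DPT=8080 WINDOW=5840 "
    "RES=0x00 SYN URGP=0",
]
```

A flow reported by missing_from_netfilter reached the NIC but was dropped or diverted before the nat PREROUTING chain, which is the region the thread says tcpdump alone cannot see into.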


[squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Jiang Wen Dong
I can't make it work :(

What I want is this:

#

acl 100cc maxconn 100
acl 50cc maxconn 50
acl 20cc maxconn 20

acl ip_dst dst ...
acl website dstdom ...

acl ip_src src ...
acl user proxy ...
acl login proxy_auth REQUIRED

#

# This part must be set before any http_access using proxy_auth, so the auth window never pops up for !proxy_auth users
# This part limits maxconn=20 to !proxy_auth users only, with no effect on proxy_auth users

http_access deny 20cc !proxy_auth user only
http_access allow ip_dst
http_access allow website

#

# Special IP or login user limit maxconn=100
http_access deny 100cc
http_access allow login ip_src
http_access allow user

# Common login user limit maxconn=50
http_access deny 50cc
http_access allow login

http_access deny all



Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481
Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 5 March 2012 17:51
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
 Thank you. But there's still a problem: !proxy_auth users will see an
 auth dialog window, which is not what I want. I want !proxy_auth users to
 pass through, without an auth dialog window.

Dialog window is a browser feature. Nothing to do with Squid.
You can use this workaround to prevent Squid asking for credentials:
   http_access allow login all

But then you have no way to perform login.

You could change this part:
   http_access allow login
  http_access deny 50cc

to:
   http_access deny 50cc login

so the login popup only appears after 50 connections are reached. Users who can 
log in get the extra connections; users who can't get an annoying popup each time 
they try to go past 50.

Amos


Re: [squid-users] Roadmap Squid 3.2

2012-03-05 Thread Amos Jeffries

On 06.03.2012 15:58, Ed W wrote:

Is Squid-3.2.0.15 the most stable release to be using for
deployment on the bleeding edge, or is 3.2.0.12 still the safest bet?


.15 is IMO back on par with .12 for issues. Both need some nasty 
issues patched before any production testing. See below about .16.


Frederick has been supplying most of the feedback for .15, so his 
happiness is a good sign. There are others (self-included) using it 
without hitting the same bugs so YMMV but the bump is over and my 
reservations about advising general upgrades from the earlier beta are 
gone.



In the past you have given some guidance as builds have moved into new 
functionality vs bug squashing phases?


I give what guidance I can in the "Squid X is available" 
announcements for all releases (sign up to the squid-announce or squid-users 
lists to get those), covering what major changes have taken place, who 
will benefit most by upgrading to it and a rough impression of urgency.





Are you imminently about to release 3.2.016?


Very, very imminent.



Does someone have some big picture comments on rock store - benefits,
any known issues?


In overview it is equivalent to COSS with an SMP support upgrade. We 
expect roughly the same performance benefits out of it, but have no 
speed comparison available (volunteer project?).


http://wiki.squid-cache.org/Features/RockStore has the overview and a 
list of limitations. Bugzilla has a few bugs.



Amos



Re: [squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Amos Jeffries

On 06.03.2012 16:40, Jiang Wen Dong wrote:

I can't make it work :(



Let's get the point about the popup clear.

  Getting the browser *never* to popup is impossible. The browser can 
decide to popup at any time, based on any kind of auth-related problem 
it has. If the user decides to clear their password manager's storage, it 
will popup. If the user is on a machine without good connectivity to the 
login server, it will popup. There is nothing you can do to prevent it.


  In order to use login tests Squid is required to ask the browser for 
login at least once. If the browser has *no* login or cannot find one 
available for use it *will* make use of the popup at that point in order 
to ask the user for one.


  *IF* the browser has access to some credentials already *AND* they 
are of a type your Squid is offering to accept, it will send those and 
no popup happens. This is where the ACL workaround in Squid takes effect, 
preventing Squid from asking a second time. Normally the browser only 
has one set of credentials and a second question will encourage its 
decision to use the popup.


  That is why and how Squid can have a hack for avoiding popups.

Understand?



Second point. VERY important.

 In HTTP, logins are not per-user. They are per *request*. The first 
request on a new connection usually does not have any credentials, even 
if the user is sending credentials on many other connections already.


 Also, modern browsers usually have an optimization of re-using 
credentials for later requests after they have successfully sent them once. 
This is a *maybe*: we can usually rely on it for pipelined requests on 
one connection, but not always, and we cannot rely on credentials being 
sent already on a brand new connection.


  This will cause you problems with your 20cc rules section...


What I want is this:


#

acl 100cc maxconn 100
acl 50cc maxconn 50
acl 20cc maxconn 20

acl ip_dst dst ...
acl website dstdom ...

acl ip_src src ...
acl user proxy ...
acl login proxy_auth REQUIRED



Also, every proxy_auth ACL you have can trigger Squid to ask for 
credentials.


 - login ACL
 - user ACL ?



#

# This part must be set before any http_access using proxy_auth, so the auth
window never pops up for !proxy_auth users
# This part limits maxconn=20 to !proxy_auth users only, with no effect on
proxy_auth users

http_access deny 20cc !proxy_auth user only
http_access allow ip_dst
http_access allow website



You did not mention the 20cc limit earlier.

Since 20cc is smaller than 100cc and 50cc it *will* be matching when 
they are supposed to be permitting access. In order to use it before 
them and the auth section you will have to make these allow lines. A 
few tricks with '!' and test order can allow your website and ip_dst 
permissions to be the deciding factor whether 20cc matters.


Like so:

  # allow if less than 20 connections AND going to website
  http_access allow !20cc website

  # allow if less than 20 connections AND going to ip_dst
  http_access allow !20cc ip_dst





#

# Special IP or login user limit maxconn=100
http_access deny 100cc
http_access allow login ip_src
http_access allow user

# Common login user limit maxconn=50
http_access deny 50cc
http_access allow login

http_access deny all



Amos
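
As an added example, not code from the thread, here is a small Python model of the http_access evaluation Amos describes above (first match across lines, left-to-right within a line, a proxy_auth ACL challenging when no credentials are present), run over the ordering he suggests. The ACL names are the thread's; the addresses, domain, credential store and connection counts are constructed, and the 'acl user proxy ...' line is left out because its type is elided in the thread.

```python
# Added example, not from the thread: a toy model of Squid's http_access
# evaluation. Lines are tried in order, first match wins; within a line the ACL
# terms are tested left to right and the line is abandoned at the first failing
# term. Squid semantics mirrored: maxconn N matches when the client IP already
# holds MORE THAN N connections; a proxy_auth ACL tested on a request with no
# credentials makes Squid answer 407, which the browser shows as a login popup.
VALID_USERS = {"alice"}      # constructed credential store
ACLS = {                     # constructed values behind the thread's acl names
    "100cc": ("maxconn", 100), "50cc": ("maxconn", 50), "20cc": ("maxconn", 20),
    "website": ("dstdomain", {"intranet.example"}),
    "ip_dst": ("dst", {"10.1.1.1"}),
    "ip_src": ("src", {"10.0.0.5"}),
    "login": ("proxy_auth", None),
    "all": ("all", None),
}

def acl_match(name, req):
    """req: dict with src, dst, conns (connections already open from src), user."""
    kind, val = ACLS[name]
    if kind == "maxconn":
        return req["conns"] > val
    if kind in ("dstdomain", "dst"):
        return req["dst"] in val
    if kind == "src":
        return req["src"] in val
    if kind == "all":
        return True
    # proxy_auth: no credentials sent -> 407 challenge; otherwise validate them
    return "challenge" if req["user"] is None else req["user"] in VALID_USERS

def http_access(rules, req):
    """rules: list of (action, [terms]); a leading '!' negates a term.
    Returns 'allow', 'deny' or 'challenge' (407 sent, evaluation stops)."""
    for action, terms in rules:
        for term in terms:
            result = acl_match(term.lstrip("!"), req)
            if result == "challenge":
                return "challenge"
            if result == term.startswith("!"):   # term failed: skip this line
                break
        else:
            return action
    return "deny"   # unreachable with a closing 'deny all' line

# Amos's suggested ordering from this thread ('acl user proxy ...' left out, its type is elided)
AMOS_RULES = [
    ("allow", ["!20cc", "website"]), ("allow", ["!20cc", "ip_dst"]),
    ("deny", ["100cc"]), ("allow", ["login", "ip_src"]),
    ("deny", ["50cc"]), ("allow", ["login"]), ("deny", ["all"]),
]
```

Running an unauthenticated request to the website with few connections returns 'allow' without the login ACL ever being evaluated, while the same client past 20 connections falls through to the login line and gets the 407 challenge, which is the trade-off Amos describes.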